Meet the Experts: Stephen Hardison on IBM Lotus and WebSphere Portal

This question and answer article features Stephen Hardison of the IBM Software Services for Lotus team. He discusses how you can integrate Lotus collaboration tools with WebSphere Portal.


Stephen Hardison, I/T Architect, IBM Software Services for Lotus , Atlanta, Georgia

Stephen Hardison is an I/T Architect in IBM Software Services for Lotus , Atlanta, Georgia. He is a cross-brand architect, specializing in the integration of Lotus Software products with WebSphere Portal.

07 July 2003

Photo: Stephen Hardison

This month we ask IBM ® Lotus® expert Stephen Hardison to answer your questions about integrating Lotus collaboration tools with WebSphere® Portal. IBM Lotus Team Workplace (QuickPlace 3) provides teams with secure workspaces where they can reach consensus through discussions, collaboration on documents, and coordination of plans, tasks, and resources. Steve Hardison is a cross-brand architect with IBM Software Services for Lotus, specializing in the integration of Lotus Software products with WebSphere Portal. For more information, see developerWorks: Lotus.

Question: I am trying to implement the people finder feature. But the setup of LDAP connector via http://<Fully_Qualified_ServerName>/PFDirectoryConnector yields page not found. Any suggestion on troubleshooting this? Also, where can I find guidelines for setting the "People Finder"? I am using Domino LDAP as my source. (submitted by XY)

Answer: At the end of the Lotus Collaboration Center installation process, the install script displays a dialog indicating that you can configure the People Finder using the Directory Connector application via the URL you have listed above. Unfortunately, this is an error because the URL given is incomplete. The correct URL is:


If this does not work, make sure you restart the WebSphere Application Server using the Admin Console and try the URL again. If the Collaboration Center was correctly installed, the People Finder configuration screen should appear.

For details on configuring the People Finder portlet, try the following posting in the "LDD Today" section of Lotus Developer Domain: Configuring the WebSphere Portal Collaboration Center People Finder portlet.

Question: How can I change the password of the admin in the Domino Server 5.0 and WebSphere Application Server? (submitted by "XY")

Answer: Changing the administration password is a simple process. Log on to WebSphere Portal using the admin ID, then:

  1. Click the Edit my profile link in the upper right of the screen.
  2. Enter your new password in the dialog that appears.
  3. Click Continue to submit the change.

The portal's Security Cache Timeout is 600 seconds, so it may take up to 10 minutes for the change to become active.

If you receive an error when you try to submit the change, or if you are not using portal at all, you need to change the password manually using your LDAP directory management tool. For Domino LDAP, this is the Domino Administrator client. Launch the client and then:

  1. Select File -> Open Server from the menu and select the server hosting your LDAP service.
  2. When the server has been opened, select the People & Groups tab.
  3. Click on the People link, and find the administrator's name in the view displayed.
  4. Select the administrator's name and click Edit.
  5. Enter the new password in the Internet Password field, then click Save & Close to commit the change.

If you have used the admin ID as your bind ID in WebSphere's Security Center, the change process is more complex. For details, see WebSphere Portal 4.2 Infocenter - Changing the wpsbind password.

Question: Can WSAD for iSeries be used with the Domino Toolkit for WSAD? (submitted by "XY")

Answer: Lotus Domino Toolkit 1.0 for WebSphere Studio has been released with Domino 6.0.2 and is available for the Windows and Linux versions of WebSphere Studio Application Developer 5.0. There are currently no plans to provide Domino Toolkit 1.0 to work seamlessly on WebSphere Studio Site Developer for iSeries.

Question: To setup QP and ST in the same domain as the LDAP domain (Domino LDAP), certain modifications have to be made at the ST server. We have to modify the replication formula so that it doesn't get any person documents. Essentially, we have to ensure that there are no person documents in the ST server.

After doing that, no database on our ST server is accessible. We are getting this error when we try to access anything on the ST Server: "Server Error: Your public key was not found in the Names and Address book." Your advice? (no name submitted)

Answer: This appears to be related to the behavior of a single sign-on under Domino. The LTPA protocol assumes there is a unique name in the directory for the Distinguished Name (DN) that is passed in the LTPA token. Because Domino can have multiple trusted authentication sources by using Directory Assistance, you are virtually guaranteed to have duplicate entries if your LDAP server is in the same Domino domain as your Sametime server. Note that this is also a problem with Domino mail or application servers, Domino.Doc, QuickPlace 2.x, or any other Domino-based application server participating in this SSO realm.

The solution is to eliminate the duplicate entries. You can do this using the selective replication method you described. However, because the Domino server is unable to validate the certificate in the user's ID file against their Person Document in the primary Domino Directory, these users are unable to access the server with their Notes clients, as you have noted above.

Another approach is to leave the Person documents in the primary directory and delete the trusted link to the LDAP directory in the Directory Assistance database. The Sametime services are still configured to authenticate using the LDAP server, but Notes users and Domino Web users are authenticated against the names.nsf. As long as the the LDAP server and the Sametime server replicate at a decent interval, the user's Internet passwords between the two systems remain in synch.

Question: In Lotus Notes release 5.0.10, can we import an address book from a file like a Microsoft Excel, Windows, or .pst files? This file may be generated by Microsoft Outlook. (submitted by Dany Riopel)

Answer: You can import contact information into your personal address book using a Microsoft Excel spreadsheet, but it requires some knowledge of the field names in the Contacts form. To import a spreadsheet that contains rows of address book entries into a Notes Personal Address Book, follow these steps:

  1. In Domino Designer, open a test copy of the Personal Address Book (or you can open the Personal Address Book template), then under the Forms view, choose the Contact form and open it.
  2. With a copy of the Excel spreadsheet open, take the first entry in each column where you have the column heading entries and rename these entries to the corresponding field name in the Contact form of the Personal Address Book. For example, you would change INEM to MailAddress, INFN to FirstName, and so on.
  3. In Excel, save the .xls spreadsheet as a Lotus 1-2-3 file with the .wk4 extension.
  4. In Notes, open the address book into where you want to import the data.
  5. Select File, Import... from the Notes menu and select Lotus 1-2-3 as Files of type: and browse to and select the .wk4 file you want to import.
  6. Next, in the Worksheet Import Settings dialog box, choose the Contact form, select WKS Title Defined for the Column format. Place a check in the Calculate fields on form during document import checkbox.
  7. Click OK.

Note that null values (a value that is blank without any characters) for entries in the CompanyName column of the spreadsheet can cause the following error message:

Field: 'DisplayAddress': Incorrect data type for operator or @Function: Text expected

After placing either a blank space or period in the entries with null values and saving the spreadsheet, the spreadsheet imports without errors.

Question: We are using a Domino LDAP to authenticate to WebSphere Portal 4.2. Some of our users authenticate very quickly, while others take a very long time. Any suggestions on how to troubleshoot this?

Answer: You can enable user management and access control tracing in the Portal to accumulate a detailed listing of what is taking place during the user authentication process. This log output is written to the Portal Server's LOGS directory. Note that enabling these two trace options creates a massive output to the logs, so enable them while performing your tests, and then disable them immediately.

When a user logs on, the Portal builds a session profile that includes all groups to which that user belongs. The method to perform this action is findNestedGroupByUser. This method identifies each group to which the user belongs, and then performs an LDAP lookup of that group to see if it is nested in a different group. It continues this process until it reaches the top level of the nesting. The larger the number of groups and the deeper the nesting, the longer it takes to complete the method call.

To minimize the time consumed by this process, try to "flatten" the group structure as much as possible, or limit the number of groups to which the user belongs.

Question: I am trying to configure the NotesView portlet, but I when I am editing the portlet properties, I can't browse the server's data directory and get a list of databases, or get a list of views in a given database. If I manually enter a database path and a view name, the portlet works fine.

Answer: The configuration of many of the Notes portlets require the Domino IIOP process be enabled on the server. For this to load and operate properly, you must configure the Domino server to support it.

Edit the server document of each Domino server that must run Domino IIOP:

  1. On the Basics tab, ensure that the Fully qualified Internet host name field contains the server's host name, and it can be resolved from the server (in DNS or in the server's HOSTS file).
  2. On the Security tab, enter the distinguished names or the group names of all users authorized to access the server from the Portal in the Run restricted Java/Javascript/COM field.
  3. On the Ports -> Internet Ports -> DIIOP tab, ensure that the TCP/IP port number is 63148 (for Linux, use 60148), and that the TCP/IP port status is Enabled.
  4. Select Save & Close to commit the changes.

Next, ensure that each server's NOTES.INI configuration file is updated to load the Domino IIOP task at startup. Edit the file, search for the line that starts ServerTasks=, and append DIIOP to the end of the line. Make sure that there is an entry for HTTP that precedes DIIOP in the list of tasks that load at startup.

For the portlet to browse the data directory on a Domino R5 server, it is also necessary to make one other change to the server document. On the Internet Protocols -> HTTP tab, the Allow HTTP clients to browse databases field must be set to Enabled. This field is disabled by default, and most Domino administrators may object to enabling it for security reasons.

Question: I have enabled single sign-on between WebSphere Portal and Domino via LTPA, but I am having trouble accessing databases on the Domino server using the Notes portlets. If I use a Web Page portlet and access the same databases via iFrame, I have no problems.

Answer: Check the identity you are logging on with. If it exists in one of the trusted directories that Domino is using for authentication, but the password is different from the one you log into the Portal with, authentication through the Notes portlets fails. This occurs even if you have a valid LTPA token with the correct Distinguished Name for the user.

When you log into the WebSphere Portal, the Portal caches the user ID and password you used to log on with for the duration of the session so they are used for authentication for their back end applications. Several of the Notes portlets take advantage of this capability by recalling these cached identities and passing them to the Domino server to authenticate the user. If there is an entry in the Domino directory for the ID passed, these portlets do not use LTPA for authentication.

To get around this issue, either eliminate the sign-on ID's from Person documents, or make sure the Internet passwords are synchronized between the Portal's LDAP directory and the Domino directory.

Question: I need to change the administrator of our QuickPlace server to a new user. What is the best way to do it?

Answer: For QuickPlace 2.0.8, you can use a command line utility to add a Super User that will have administrative rights to the QuickPlace server and all places defined on that server. The executable is in the QuickPlace program directory (by default, C:\QuickPlace). The syntax to add a new Super User is:

nquickplaceadmin superuser -u <username>

To add a group with Super User rights, the syntax is:

nquickplaceadmin superuser -u <groupname> -g

For QuickPlace 3.0, the assignment of the Super User access is controlled using the qpconfig.xml file. The following shows an example of the xml file:

	<super_user enabled="true"> 
		<dn>cn=John Doe,ou=Foo,o=Bar</dn> 

There are two caveats regarding the assignment of super users:

  1. You must use a unique user name or group name in the directory.
  2. You cannot use a name that is already a member of any place on the server.

Question: Can Sametime and QuickPlace be run on the same server?

Answer: Installing Sametime 3.0 and QuickPlace 3.0 on the same server is only supported on the iSeries servers. However, it is recommended that you install each product in a separate Domino partition.

Running Sametime 3.0 and QuickPlace 3.0 on the same AIX server is not supported.

Running Sametime 3.0 and QuickPlace 3.0 on the same Windows server is not possible.

It is possible to install Quickplace 2.0.8 and Sametime 2.x on the same Windows server, but you must install the components in the following sequence:

  1. Install Domino 5.0.8.
  2. Install Sametime 2.x and confirm that Sametime works correctly.
  3. Install QuickPlace 2.0.8.

Again, while technically possible, this configuration is not recommended or supported.

Question: I am a Lotus Notes developer currently exploring the possibility of using WebSphere Portal in our company's error management system. Can I get in touch with you for detailed information please? (submitted by Rena)

Answer: If you send your email address to, we will put you in touch with our technical sales rep.

About Meet the Experts

Meet the Experts is a monthly feature on WSDD. We give you access to the best minds in IBM WebSphere, product experts and executives who are waiting to answer your questions. You submit the questions, and we post the answers to the most popular questions.



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into WebSphere on developerWorks

ArticleTitle=Meet the Experts: Stephen Hardison on IBM Lotus and WebSphere Portal