Skip to main content link. Accesskey S
  • HCL Logo
  • HCL Notes and Domino wiki
  • THIS WIKI IS READ-ONLY. Individual names altered for privacy purposes.
  • HCL Forums and Blogs
  • Home
  • Product Documentation
  • Community Articles
  • Learning Center
  • API Documentation
Search
Community Articles > Troubleshooting > Troubleshooting
  • Share Show Menu▼
  • Subscribe Show Menu▼

Recent articles by this author

Integration with XPage Embedded Experiences

XPages can be leveraged as embedded experiences in Notes and iNotes. This article outlines the considerations one should make to enable this functionality.

Gadget data flow

OpenSocial Component functionality in Notes and iNotes relies on several different pieces of data, including proxy rules, OAuth consumer information, and gadget capability information. This article outlines how this data is used and how its use can be customized.

Collecting support data

In the event that verification of the OpenSocial Component fails an administrator will need to collect support data. This article outlines how an administrator can collect support data for Notes, iNotes, and Domino.

Verification

Once the OpenSocial Component is installed and configured, administrators need to verify that their environment is working properly. This article outlines how an administrator can do such verification.

Troubleshooting

In the event that verification of the OpenSocial Component fails an administrator may need to troubleshoot his or her environment. This article outlines how an administrator can do such troubleshooting.
Community articleTroubleshooting
Added by ~Vera Umponetexings | Edited by ~Lisa Elfanalyettu on May 21, 2014 | Version 131
  • Actions Show Menu▼
expanded Abstract
collapsed Abstract
In the event that verification of the OpenSocial Component fails an administrator may need to troubleshoot his or her environment. This article outlines how an administrator can do such troubleshooting.
ShowTable of Contents
HideTable of Contents
  • 1 How to use this troubleshooting guide
    • 1.1 What are symptoms?
    • 1.2 What are problems?
    • 1.3 What are solutions?
  • 2 Symptoms
    • 2.1 Administrator Symptoms
      • 2.1.1 The Credential Store database is not configured or not available
      • 2.1.2 Agent error: NotesException: Database has not been opened yet
    • 2.2 Notes Client Symptoms
      • 2.2.1 When rendering an Embedded Experience e-mail or an OpenSocial Widget in Notes, I see the "Something Went Wrong" page
      • 2.2.2 When opening the XPage rendering of the Widget Catalog in Notes, I see the "Sorry, there is a problem" page
      • 2.2.3 When authorizing the IBM Connections gadgets, I see the "We are unable to process your request" page
      • 2.2.4 When rendering an Embedded Experience e-mail in Notes, I see the HTML version of the e-mail instead
      • 2.2.5 On Windows, rendering an Embedded Experience e-mail in Notes takes a long time
      • 2.2.6 When rendering an Embedded Experience or OpenSocial widget in Notes, I see a blank page
      • 2.2.7 This gadget is not allowed to render as it is not trusted.
      • 2.2.8 Showing the error page because our on render event was not called in 60000 ms
      • 2.2.9 The browser timed out trying to connect to the remote container page
      • 2.2.10 CWPNW0012E: Login failed
      • 2.2.11 CLPEE2012E: An error occurred obtaining a security token to access the server. java.net.UnknownHostException
      • 2.2.12 CLPEE2012E: An error occurred obtaining a security token to access the server. java.io.IOException
      • 2.2.13 CLPEE6017W: Error preloading the gadget at {URL to the OpenSocial Gadget XML}
      • 2.2.14 Exception in IdUtil
    • 2.3 iNotes Client Symptoms
      • 2.3.1 When opening the XPage rendering of the Widget Catalog in iNotes, I see the "Sorry, there is a problem" page
      • 2.3.2 When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead
      • 2.3.3 Neither the gadget nor url Embedded Experience are trusted to render
      • 2.3.4 Status was not 2xx
      • 2.3.5 OpenSocial Container failed to load:
      • 2.3.6 When rendering an Embedded Experience or OpenSocial widget in iNotes, I see a "page not found" error from the browser
      • 2.3.7 Error executing widget profile action "GetAll": Bad content type: -1
      • 2.3.8 Error trying to render gadget: Unable to retrieve spec for {URL to the OpenSocial Gadget XML}. HTTP 502
    • 2.4 iNotes Server Symptoms
      • 2.4.1 Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
    • 2.5 Domino Server with Shindig Symptoms
      • 2.5.1 CLPEE1008E: An error occurred obtaining the credential store name.
      • 2.5.2 CLPEE1010E: The key is either null or empty
      • 2.5.3 SRVE0283E: Exception caught while initializing context: {0}
      • 2.5.4 CLPEE1017W: SecurityTokenServlet - responding with error: (401) CLPEE1018W: Anonymous access is not allowed
      • 2.5.5 There was an issue setting the configuration parameter maxBytesLocalHeap in ShindigCM to
      • 2.5.6 There was an issue setting the configuration parameter maxBytesLocalDisk in ShindigCM to
      • 2.5.7 BMWPX0006E: The URL {URL to the OpenSocial Gadget XML} cannot be accessed through the proxy
      • 2.5.8 CLFWW2017E: null. Anonymous.
      • 2.5.9 An HTTP 502 error occurred when fetching service methods
      • 2.5.10 BMWPX0017E: The Secure Socket Layer (SSL) certificate of the target host is not trusted.
      • 2.5.11 Number of Available connections for host XXX exceeded
      • 2.5.12 org.apache.shindig.gadgets.preload.PreloadException
  • 3 Problems
    • 3.1 The Widget Catalog has not been configured for the Credential Store
    • 3.2 The Widget Catalog design has been corrupted
    • 3.3 The Notes embedded browser has been disabled for MIME emails
    • 3.4 The OpenSocial Widget is not approved by a trusted administrator
    • 3.5 The Notes client timed out trying to connect to the Domino Server with Shindig's container page
    • 3.6 The Notes client timed out trying to connect to the Domino Server with Shindig's locked or unlocked domains
    • 3.7 The Notes client system's DNS cannot resolve the Domino Server with Shindig's hostname
    • 3.8 The Notes client was not able to SSO with the Domino Sever with Shindig
    • 3.9 The OpenSocial Component's proxy is rejecting the request to the Gadget XML URL because it is not whitelisted
    • 3.10 The Notes client was unable to generate an OpenSocial ID for the current user
    • 3.11 The redirect_uri parameter does not match the callback url registered with IBM Connections
    • 3.12 The Embedded Experience is not trusted to render in the iNotes client
    • 3.13 Embedded Experiences in iNotes has not been enabled
    • 3.14 OpenSocial in iNotes has not been enabled
    • 3.15 Widgets in iNotes has not been enabled
    • 3.16 The iNotes proxy is rejecting a request
    • 3.17 The Credential Store has been improperly clustered
    • 3.18 The Credential Store has been improperly replicated to a server or cluster on which it was not created
    • 3.19 The Credential Store has been improperly removed from a cluster in which it was created
    • 3.20 The security token encryption key was not created in the Credential Store
    • 3.21 The "Total cache in memory" setting has been set incorrectly
    • 3.22 The "Total cache on disk" setting has been set incorrectly
    • 3.23 Locked domains have been enabled, but the locked domain suffix is not a valid in the DNS
    • 3.24 Locked domains have not been enabled, but the unlocked domain is not a valid in the DNS
    • 3.25 The current user does not have an authenticated session established with Domino
    • 3.26 Internet Explorer Local Area Network settings are causing performance issues
    • 3.27 The SSL certificate used by the server hosting the OpenSocial Gadget XML is invalid or not trusted
    • 3.28 The Domino Server with Shindig cannot communicate to itself over HTTPS
    • 3.29 The iNotes server cannot proxy to the Domino Server with Shindig over HTTPS
    • 3.30 Number of available connections for host exceeded
    • 3.31 HTTP disabled on the Domino Server with Shindig
  • 4 Solutions
    • 4.1 Configure the Widget Catalog for the Credential Store
    • 4.2 Clean and re-build the Widget Catalog in Domino Designer
    • 4.3 Replace the design of the Widget Catalog
    • 4.4 Enable the Notes embedded browser for MIME mail
    • 4.5 Approve widgets in the Widget Catalog as an administrator
    • 4.6 Install approved Widgets from the Widget Catalog
    • 4.7 Add the Widget Catalog administrator to the ECL in the Notes client
    • 4.8 Set the Gadget Server URL in the Widgets desktop settings policy
    • 4.9 Verify the Gadget Server URL references a valid hostname
    • 4.10 Setup a managed account and push it to Notes clients by policy
    • 4.11 Verify the managed SSO account Domino single sign-on server
    • 4.12 Verify the proxy rules for the Widget allow access to the Gadget XML file
    • 4.13 Update the Notes client's local replica of the Widget Catalog
    • 4.14 Add an internet address in the person document for the current user
    • 4.15 Verify the OpenSocial component OAuth configuration matches the application registered on IBM Connections
    • 4.16 Set the iNotes_WA_EnableEE=1 notes.ini setting for the iNotes server
    • 4.17 Set the iNotes_WA_OpenSocial=1 notes.ini setting for the iNotes server
    • 4.18 Set the iNotes_WA_Widgets=1 notes.ini setting for the iNotes server
    • 4.19 Configure a whitelist in the Proxies configuration the security settings policy
    • 4.20 Ensure the Credential Store was created properly in a clustered environment
    • 4.21 Ensure the Credential Store was properly moved to/from a cluster
    • 4.22 Create the security token encryption key in the Credential Store
    • 4.23 Set the "Total cache in memory" field to a non-empty value
    • 4.24 Set the "Total cache on disk" field to a non-empty value
    • 4.25 Ensure the "Total cache in memory" field is set to a valid value
    • 4.26 Ensure the "Total cache on disk" field is set to a valid value
    • 4.27 In development, test, or proof of concept environments, disable locked domains
    • 4.28 Verify the locked domain suffix is valid
    • 4.29 Verify the unlocked domain is valid
    • 4.30 Enable Domino session authentication
    • 4.31 Disable Internet Explorer automatic LAN detection settings
    • 4.32 Add the Widget Catalog server as a Trusted Server in the Domino Server with Shindig's server document
    • 4.33 Use IBM HTTP Server or another reverse proxy that supports TLS for inbound HTTPS requests
    • 4.34 Enable SSLv3 for outbound HTTPS requests on Domino
    • 4.35 Import the internet certifier and create a cross certificate in the Domino directory
    • 4.36 Add the site certificate to the Domino JVM cacerts keystore
    • 4.37 Ensure ENABLE_EE is present in the Notes client's notes.ini file
    • 4.38 Update the Shindig proxy metadata
    • 4.39 gadgets.osDataUri field should be overwritten

Cookbook Contents


How to use this troubleshooting guide


This troubleshooting guide has three main sections: symptoms, problems, and solutions. When encountering an issue with the OpenSocial Component, one should cross reference the list of symptoms with the particular issue being seen. Each symptom will reference one or more problems that are indicated by the symptom. Each problem will reference one or more solutions that may fix the problem. Each solution will outline an action that can be taken.

This guide will rely heavily upon information gathered by collecting support data. Many symptoms will be defined in terms of particular errors seen in the logs.

One may also find Notes / Domino Policy Troubleshooting Flow Chart very useful when debugging the policies that are used as part of the OpenSocial Component deployment cookbook.

IMPORTANT: This guide is a work in progress. It will grow continue to grow well after the first version is published.
IMPORTANT: This guide is limited. It is not feasible to document all problems and solutions on this page; rather, only common problems and solutions will be documented. This guide should not take the place of problem reporting systems.

What are symptoms?


Symptoms, in the context of this guide, are things that end users encounter when using OpenSocial Component features or that administrators encounter when configuring the OpenSocial Component. A symptom may be something these users see in the UI or in the logs. A symptom can also be something these users do not see in the UI or in the logs when something was expected. If a symptom is related to a specific entry in the trace logs, the symptom title will simply be the code for that error, e.g., CLPEE2012E.

A symptom will reference one or more problems.

What are problems?


Problems, in the context of this guide, are the root causes of symptoms. For instance, a symptom that manifests itself as an error in a log file may be caused by a problem with a configuration setting. A problem may have one or more symptoms that reference it. All of the symptoms should be taken into account when diagnosing if a given problem is the root cause of the symptom users are seeing. A problem will reference solutions that can be used to solve the problem.

A problem will reference one or more symptoms.

A problem will reference one or more solutions.

What are solutions?


Solutions, in the context of this guide, consist of an action or set of actions that can be taken to help remedy a problem. Solutions will often refer to the parent cookbook and its articles.

Symptoms


Administrator Symptoms




The Credential Store database is not configured or not available


Possible problems
The Widget Catalog has not been configured for the Credential Store

Supporting details
Widget cannot be approved - The Credential Store database is not configured or not available.



Agent error: NotesException: Database has not been opened yet


Possible problems
The Widget Catalog has not been configured for the Credential Store

Supporting details
From the Domino console logs or log.nsf:
Agent error: NotesException: Database has not been opened yet
Agent error: at lotus.domino.local.Database.NgetView(Native Method)
Agent error: at lotus.domino.local.Database.getView(Unknown Source)
Agent error: at JavaAgent.pushProxyToCredStore(Unknown Source)
Agent error: at JavaAgent.processProxy(Unknown Source)
Agent error: at JavaAgent.NotesMain(Unknown Source)
Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent error: NotesException: Database has not been opened yet
Agent error: at lotus.domino.local.Database.NgetView(Native Method)
Agent error: at lotus.domino.local.Database.getView(Unknown Source)
Agent error: at JavaAgent.cleanOAuthConsumerDoc(Unknown Source)
Agent error: at JavaAgent.processOAuth(Unknown Source)
Agent error: at JavaAgent.NotesMain(Unknown Source)
Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent error: NotesException: Database has not been opened yet
Agent error: at lotus.domino.local.Database.NgetView(Native Method)
Agent error: at lotus.domino.local.Database.getView(Unknown Source)
Agent error: at JavaAgent.pushCapsToCredStore(Unknown Source)
Agent error: at JavaAgent.processCaps(Unknown Source)
Agent error: at JavaAgent.NotesMain(Unknown Source)
Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
Agent error: at lotus.domino.NotesThread.run(Unknown Source)

Agent error: NotesException: Database has not been opened yet
Agent error: at lotus.domino.local.Database.NgetProfileDocument(Native Method)
Agent error: at lotus.domino.local.Database.getProfileDocument(Unknown Source)
Agent error: at JavaAgent.processGlobalMetaData(Unknown Source)
Agent error: at JavaAgent.NotesMain(Unknown Source)
Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
Agent error: at lotus.domino.NotesThread.run(Unknown Source)



Notes Client Symptoms




When rendering an Embedded Experience e-mail or an OpenSocial Widget in Notes, I see the "Something Went Wrong" page


This is the most common symptom in the Notes client. This is a "catch all" error page that can occur for any number of errors. There is no single problem that causes this symptom. Generally, checking the client trace logs will reveal other symptoms that can be used to identify the problem.

Check the other symptoms in this troubleshooting document after identifying other symptoms in the logs.

Note: You may need to enable extra logging to see some of the symptoms. Refer to collecting support data for more information.

In Notes and iNotes version 9.0.1, we enabled better error handling in which certain error conditions details will be displayed on the "Something Went Wrong" page. There will be a twistie which, upon clicking, will display the detailed error.
Something Went Wrong - Verify that you have a working internet connection. If this problem persists, contact your administrator.



When opening the XPage rendering of the Widget Catalog in Notes, I see the "Sorry, there is a problem" page


This is a common symptom when there is an issue with the XPage rendering of the Widget Catalog in Notes. Clicking the "Show full error message" link on this error page will provide more information to aid in troubleshooting the issue.

Possible problems
The Widget Catalog design has been corrupted

Supporting details
Note: The full error message may differ
Sorry there is a problem - There is a problem with the catalog.  Click the back button and try again.  If this doesn't work, report the problem to your organization's help desk.



When authorizing the IBM Connections gadgets, I see the "We are unable to process your request" page


This is a common symptom when there is an issue with OAuth and the IBM Connections server. In addition to the client-side logs, logging from the IBM Connections server may be useful in debugging.

Possible problems
The redirect_uri parameter does not match the callback url registered with IBM Connections

Supporting details
We are unable to process your request



When rendering an Embedded Experience e-mail in Notes, I see the HTML version of the e-mail instead


Possible problems
The Notes embedded browser has been disabled for MIME emails



On Windows, rendering an Embedded Experience e-mail in Notes takes a long time


Possible problems
Internet Explorer Local Area Network settings are causing performance issues



When rendering an Embedded Experience or OpenSocial widget in Notes, I see a blank page


Possible problems
  • Locked domains have been enabled, but the locked domain suffix is not a valid in the DNS
  • Locked domains have not been enabled, but the unlocked domain is not a valid in the DNS



This gadget is not allowed to render as it is not trusted.


Possible problems
The OpenSocial Widget is not approved by a trusted administrator

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
FINESTcom.ibm.rcp.opensocial.container.CommonContainerViewerHelper
navigateGadget
This gadget is not allowed to render as it is not trusted.



Showing the error page because our on render event was not called in 60000 ms


Possible problems
The Notes client timed out trying to connect to the Domino Server with Shindig's locked or unlocked domains

Supporting details
Error displayed in the user interface: renderGadget.window.setTimeout.Failure_OnRenderTimeOut

From the Notes trace logs:
Severity
Source Class.Method
Message
FINESTcom.ibm.rcp.opensocial.container.CommonContainer$13
handle
Showing the error page because our on render event was not called in 60000 ms



The browser timed out trying to connect to the remote container page


Possible problems
The Notes client timed out trying to connect to the Domino Server with Shindig's container page

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
WARNINGcom.ibm.rcp.opensocial.container.CommonContainer
runInUIThread
The browser timed out trying to connect to the remote container page.




CWPNW0012E: Login failed


Possible problems
  • The Notes client system's DNS cannot resolve the Domino Server with Shindig's hostname
  • The Notes client was not able to SSO with the Domino Sever with Shindig

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.rcp.net.http.internal.URLConnectionFactory
getURLConnection
CWPNW0012E: Login failed.
javax.security.auth.login.LoginException: Server Unavailable.
at com.ibm.rcp.security.auth.service.AbstractLoginService.login(Unknown Source)
at com.ibm.rcp.accounts.internal.AccountsLoginContextServiceImpl.login(Unknown Source)
at com.ibm.rcp.net.http.internal.URLConnectionFactory.getURLConnection(Unknown Source)
at com.ibm.rcp.net.http.internal.URLConnectionFactory.getURLConnection(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.HttpHandler.createURLConnection(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.BaseHandler.openConnection(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.BaseHandler.openConnection(Unknown Source)
at org.eclipse.osgi.framework.internal.protocol.URLStreamHandlerProxy.openConnection(Unknown Source)
at java.net.URL.openConnection(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.ibm.fiesta.notes.security.ContainerSecurityTokenProvider$2.run(Unknown Source)
at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)




CLPEE2012E: An error occurred obtaining a security token to access the server. java.net.UnknownHostException


Possible problems
The Notes client system's DNS cannot resolve the Domino Server with Shindig's hostname

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.fiesta.notes.security.ContainerSecurityTokenProvider createRemoteSecurityTokenCLPEE2012E: An error occurred obtaining a security token to access the server.
java.net.UnknownHostException: <Hostname for the Domino Server with Shindig>
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.http.HttpClient.New(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.reAuthenticate(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.ibm.fiesta.notes.security.ContainerSecurityTokenProvider$2.run(Unknown Source)
at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)



CLPEE2012E: An error occurred obtaining a security token to access the server. java.io.IOException


Possible problems
The Notes client was not able to SSO with the Domino Sever with Shindig

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.fiesta.notes.security.ContainerSecurityTokenProvider createRemoteSecurityTokenCLPEE2012E: An error occurred obtaining a security token to access the server.
java.io.IOException: Server returned HTTP response code: 401 for URL: http://<Hostname for the Domino Server with Shindig>/fiesta/container/stgen?<Several query parameters>
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
at java.security.AccessController.doPrivileged(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getChainedException(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at com.ibm.rcp.net.http.internal.protocol.HttpURLConnection.getInputStream(Unknown Source)
at java.net.URL.openStream(Unknown Source)
at com.ibm.fiesta.notes.security.ContainerSecurityTokenProvider$2.run(Unknown Source)
at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)





CLPEE6017W: Error preloading the gadget at {URL to the OpenSocial Gadget XML}


Possible problems
The OpenSocial Component's proxy is rejecting the request to the Gadget XML URL because it is not whitelisted

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
FINERcom.ibm.fiesta.commons.internal.ProxiedHttpFetcher
fetch
RETURN 403
WARNINGcom.ibm.rcp.opensocial.container.CommonContainer$9
handle
Failed to preload gadget <URL to the OpenSocial Gadget XML>.
WARNINGcom.ibm.rcp.opensocial.container.CommonContainer$9
handle
It took ### ms to preload the URL(s) <URL to the OpenSocial Gadget XML>.
WARNINGcom.ibm.rcp.opensocial.container.CommonContainer
preloadGadget
CLPEE6017W: Error preloading the gadget at <URL to the OpenSocial Gadget XML> {"message":"Unable to retrieve spec for <URL to the OpenSocial Gadget XML>. HTTP error 403","code":403}



Exception in IdUtil


Possible problems
The Notes client was unable to generate an OpenSocial ID for the current user

Supporting details
From the Notes trace logs:
Severity
Source Class.Method
Message
SEVERE com.ibm.rcp.opensocial.container.CommonContainer
createSecurityToken
Exception in IdUtil.

NotesException: Item or Match not found
at lotus.domino.local.DirectoryNavigator.NgetFirstItemValue(Native Method)
at lotus.domino.local.DirectoryNavigator.getFirstItemValue(Unknown Source)
at com.ibm.fiesta.commons.DefaultEmailAddressProvider.getPrimaryEmailAddress(Unknown Source)
at com.ibm.fiesta.notes.security.NotesEmailAddressProvider.getPrimaryEmailAddress(Unknown Source)
at com.ibm.fiesta.commons.DefaultEmailAddressProvider.getPrimaryEmailAddress(Unknown Source)
at com.ibm.fiesta.commons.IdUtil.getShindigId(Unknown Source)
at com.ibm.rcp.opensocial.container.CommonContainer$21.runInNotesThread(Unknown Source)
at com.ibm.notes.java.api.util.NotesSessionJob.runIt(Unknown Source)
at com.ibm.notes.java.api.util.NotesSessionJob.run(Unknown Source)
at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)




iNotes Client Symptoms




When opening the XPage rendering of the Widget Catalog in iNotes, I see the "Sorry, there is a problem" page


This is a common symptom when there is an issue with the XPage rendering of the Widget Catalog in iNotes. Clicking the "Show full error message" link on this error page will provide more information to aid in troubleshooting the issue.

Possible problems
The Widget Catalog design has been corrupted

Supporting details
Note: The full error message may differ
Sorry there is a problem - There is a problem with the catalog.  Click the back button and try again.  If this doesn't work, report the problem to your organization's help desk.



When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead


Possible problems
  • The Embedded Experience is not trusted to render in the iNotes client
  • Embedded Experiences in iNotes has not been enabled
  • OpenSocial in iNotes has not been enabled
  • Widgets in iNotes has not been enabled



Neither the gadget nor url Embedded Experience are trusted to render


Possible problems
The Embedded Experience is not trusted to render in the iNotes client

Supporting details
From the iNotes client logs:
Logged at the "Info" level: "Neither the gadget nor url Embedded Experience are trusted to render."



Status was not 2xx


Possible problems
The iNotes proxy is rejecting a request

Note: This symptom can also occur if the Domino Server with Shindig's web application failed to start. Please check the Domino Server with Shindig's logs and cross reference them with the Domino Server with Shindig Symptoms in this troubleshooting document.



OpenSocial Container failed to load:


Possible problems
The iNotes proxy is rejecting a request

Note: This symptom can also occur if the Domino Server with Shindig's web application failed to start. Please check the Domino Server with Shindig's logs and cross reference them with the Domino Server with Shindig Symptoms in this troubleshooting document.



When rendering an Embedded Experience or OpenSocial widget in iNotes, I see a "page not found" error from the browser


Possible problems
  • Locked domains have been enabled, but the locked domain suffix is not a valid in the DNS
  • Locked domains have not been enabled, but the unlocked domain is not a valid in the DNS

Supporting details
Note: Different browsers will surface this type of error differently. This screenshot is from Firefox.




Error executing widget profile action "GetAll": Bad content type: -1


Possible problems
The current user does not have an authenticated session established with Domino

Supporting details
From the iNotes client logs:
Logged at the "Error" level: "Error executing widget profile action "GetAll": Bad content type: -1"



Error trying to render gadget: Unable to retrieve spec for {URL to the OpenSocial Gadget XML}. HTTP 502


Possible problems
The SSL certificate used by the server hosting the OpenSocial Gadget XML is invalid or not trusted

Supporting details
From the iNotes client logs:
Logged at the "Error" level: "Error trying to render gadget: Unable to retrieve spec for <URL to the OpenSocial Gadget XML>. HTTP error 502"




iNotes Server Symptoms




Server chose SSLv3, but that protocol version is not enabled or not supported by the client.


Possible problems
The iNotes server cannot proxy to the Domino Server with Shindig over HTTPS

Supporting details
From the iNotes Server's trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.commons.log.AbstractLogMgr
log
Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
at com.ibm.jsse2.lb.serverHello(lb.java:368)
at com.ibm.jsse2.lb.a(lb.java:570)
at com.ibm.jsse2.kb.s(kb.java:167)
at com.ibm.jsse2.kb.a(kb.java:484)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:686)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:704)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:802)
at com.ibm.jsse2.k.write(k.java:15)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter

.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1525)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.ibm.domino.servlets.proxy.BasicProxy.executeMethod(BasicProxy.java:643)
at com.ibm.domino.servlets.proxy.BasicProxy.doGet(BasicProxy.java:130)
at com.ibm.domino.servlets.proxy.BasicProxy.service(BasicProxy.java:365)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.invokeServlet(OSGIModule.java:165)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.access$0(OSGIModule.java:151)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule$1.invokeServlet(OSGIModule.java:132)
at com.ibm.domino.xsp.adapter.osgi.AbstractOSGIModule.invokeServletWithNotesContext(AbstractOSGIModule.java:179)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.doService(OSGIModule.java:126)
at com.ibm.domino.xsp.adapter.osgi.OSGIService.doService(OSGIService.java:415)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.doService(LCDEnvironment.java:350)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.service(LCDEnvironment.java:306)
at com.ibm.domino.xsp.bridge.http.engine.XspCmdManager.service(XspCmdManager.java:272)




Domino Server with Shindig Symptoms




CLPEE1008E: An error occurred obtaining the credential store name.


Possible problems
  • The Credential Store has been improperly clustered
  • The Credential Store has been improperly replicated to a server or cluster on which it was not created
  • The Credential Store has been improperly removed from a cluster in which it was created

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.fiesta.inotes.internal.ConfigDBUtils
getConfigDBName
CLPEE1008E: An error occurred obtaining the credential store name.
com.ibm.designer.domino.napi.NotesAPIException: Error while retrieving the credstore name for application tag=<App Tag>, serviceTag=<Service Tag>
This server is not configured for a cluster.
at com.ibm.designer.domino.napi.NotesSecurity.NGetCredStoreName(Native Method)
at com.ibm.designer.domino.napi.NotesSecurity.getCredStoreName(NotesSecurity.java:30)
at com.ibm.fiesta.inotes.internal.ConfigDBUtils.getConfigDBName(ConfigDBUtils.java:53)
at com.ibm.fiesta.inotes.internal.ConfigDBUtils.getKey(ConfigDBUtils.java:79)
at com.ibm.fiesta.inotes.internal.config.DominoKeyCallable.call(DominoKeyCallable.java:34)
at com.ibm.fiesta.inotes.internal.config.DominoKeyCallable.call(DominoKeyCallable.java:1)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:314)
at java.util.concurrent.FutureTask.run(FutureTask.java:149)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:897)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:919)
at java.lang.Thread.run(Thread.java:738)



CLPEE1010E: The key is either null or empty


Possible problems
The security token encryption key was not created in the Credential Store

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.fiesta.inotes.internal.ConfigDBUtils
getKey
CLPEE1010E: The key is either null or empty



SRVE0283E: Exception caught while initializing context: {0}


This symptom is common among many problems that occur when the OpenSocial Component's web application starts on the Domino Server with Shindig. The exception and accompanying stack trace will contain more information that should be referenced against other symptoms in this troubleshooting document.

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.ws.webcontainer.webapp.WebApp
notifyServletContextCreated
SRVE0283E: Exception caught while initializing context: {0}
com.google.inject.CreationException: Guice creation errors:
<A large exception with a lengthy stack trace>



CLPEE1017W: SecurityTokenServlet - responding with error: (401) CLPEE1018W: Anonymous access is not allowed


Possible problems
The Notes client was not able to SSO with the Domino Sever with Shindig

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
WARNINGcom.ibm.fiesta.inotes.internal.servlet.SecurityTokenServlet
doGet
CLPEE1017W: SecurityTokenServlet - responding with error: (401) CLPEE1018W: Anonymous access is not allowed



There was an issue setting the configuration parameter maxBytesLocalHeap in ShindigCM to


Possible problems
The "Total cache in memory" setting has been set incorrectly

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
CONFIGcom.ibm.fiesta.inotes.internal.cache.INotesEhCacheCacheProvider
getConfiguration
There was an issue setting the configuration parameter maxBytesLocalHeap in ShindigCM to

<A large exception with a lengthy stack trace>



There was an issue setting the configuration parameter maxBytesLocalDisk in ShindigCM to


Possible problems
The "Total cache on disk" setting has been set incorrectly

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
CONFIGcom.ibm.fiesta.inotes.internal.cache.INotesEhCacheCacheProvider
getConfiguration
There was an issue setting the configuration parameter maxBytesLocalDisk in ShindigCM to

<A large exception with a lengthy stack trace>



BMWPX0006E: The URL {URL to the OpenSocial Gadget XML} cannot be accessed through the proxy


Possible problems
The OpenSocial Component's proxy is rejecting the request to the Gadget XML URL because it is not whitelisted

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
FINERcom.ibm.mashups.proxy.connection.HttpURLConnectionFilter
setError(sc, msg)
ENTRY 403 BMWPX0006E: The URL cannot be accessed through the proxy.
FINERcom.ibm.mm.proxy.connection.base.EndpointConnection
encodeDataString(iString)
ENTRY BMWPX0006E: The URL cannot be accessed through the proxy.
FINERcom.ibm.mm.proxy.connection.base.EndpointConnection
encodeDataString(iString)
RETURN BMWPX0006E: The URL cannot be accessed through the proxy.
FINERcom.ibm.fiesta.commons.internal.ProxiedHttpFetcher
fetch
RETURN 403



CLFWW2017E: null. Anonymous.


Possible problems
The current user does not have an authenticated session established with Domino

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
SEVEREcom.ibm.domino.servlets.widgets.INotesMailFileUtil
getMailFile
CLFWW2017E: null. Anonymous.
NotesException: User Anonymous cannot open database <path to mailfile>
at lotus.domino.local.Session.NgetDatabase(Native Method)
at lotus.domino.local.Session.getDatabase(Unknown Source)
at com.ibm.domino.servlets.widgets.INotesMailFileUtil.getMailFile(INotesMailFileUtil.java:81)
at com.ibm.domino.common.widgets.WidgetUtils.getUserDBUtil(WidgetUtils.java:319)
at com.ibm.domino.servlets.widgets.WidgetServlet.doPost(WidgetServlet.java:135)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at org.eclipse.equinox.http.registry.internal.ServletManager$ServletWrapper.service(ServletManager.java:180)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.invokeServlet(OSGIModule.java:165)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.access$0(OSGIModule.java:151)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule$1.invokeServlet(OSGIModule.java:132)
at com.ibm.domino.xsp.adapter.osgi.AbstractOSGIModule.invokeServletWithNotesContext(AbstractOSGIModule.java:179)
at com.ibm.domino.xsp.adapter.osgi.OSGIModule.doService(OSGIModule.java:126)
at com.ibm.domino.xsp.adapter.osgi.OSGIService.doService(OSGIService.java:415)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.doService(LCDEnvironment.java:350)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.service(LCDEnvironment.java:306)
at com.ibm.domino.xsp.bridge.http.engine.XspCmdManager.service(XspCmdManager.java:272)



An HTTP 502 error occurred when fetching service methods


Possible problems
The Domino Server with Shindig cannot communicate to itself over HTTPS

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
FINERcom.ibm.fiesta.commons.internal.ProxiedHttpFetcher
fetch
RETURN 502
SEVEREorg.apache.shindig.gadgets.render.DefaultServiceFetcher
retrieveServices
An HTTP 502 error occurred when fetching service methods from the https://<Locked or unlocked domain for the Domino Server with Shindig>/fiesta/rpc endpoint.



BMWPX0017E: The Secure Socket Layer (SSL) certificate of the target host is not trusted.


Possible problems
The SSL certificate used by the server hosting the OpenSocial Gadget XML is invalid or not trusted

Supporting details
From the Domino Server with Shindig's trace logs:
Severity
Source Class.Method
Message
FINERcom.ibm.mashups.proxy.connection.HttpURLConnectionFilter
setError(sc, msg)
ENTRY 502 BMWPX0017E: The Secure Socket Layer (SSL) certificate of the target host is not trusted.
FINERcom.ibm.fiesta.commons.internal.ProxiedHttpFetcher
fetch
RETURN 502



Number of Available connections for host XXX exceeded


Possible problems
The gadget host has exceeded the number of connections allocated

Supporting details
From the Domino Server with Shindig's trace logs:

Severity
Source Class.Method
Message
FINERcom.ibm.mashups.proxy.connection.HttpURLConnectionFilter
setError(sc, msg)
ENTRY 503 The number of available connections for the requested remote host exceeded. Please try again later!
WARNING com.ibm.mm.proxy.connection.filter.endpoint.URLConnectionEndpointFilter
connect
Number of available connections for host XXX exceeded!



org.apache.shindig.gadgets.preload.PreloadException



Possible problems
Connections EE Gadget Fails to render when HTTP is disabled on the Domino server with Shindig

Supporting details
From the Domino Server with Shindig's trace logs:

org.apache.shindig.gadgets.preload.PreloadException: org.apache.commons.json.JSONException: Expecting '{' on line 1, column 0 instead, obtained token: 'Token: EOF'
at org.apache.shindig.gadgets.preload.ConcurrentPreloads$FailedPreload.toJson(ConcurrentPreloads.java:101)
at org.apache.shindig.gadgets.preload.PipelineExecutor.execute(PipelineExecutor.java:131)
at org.apache.shindig.gadgets.rewrite.PipelineDataGadgetRewriter.rewrite(PipelineDataGadgetRewriter.java:72)
at org.apache.shindig.gadgets.render.HtmlRenderer.render(HtmlRenderer.java:88)
at org.apache.shindig.gadgets.render.Renderer.render(Renderer.java:101)
at org.apache.shindig.gadgets.servlet.GadgetRenderingServlet.render(GadgetRenderingServlet.java:107)
at org.apache.shindig.gadgets.servlet.GadgetRenderingServlet.doGet(GadgetRenderingServlet.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1661)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1595)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:131)
at com.ibm.fiesta.inotes.internal.servlet.OpenSocialComponentEnablementFilter.doFilter(OpenSocialComponentEnablementFilter.java:44)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
at org.apache.shindig.auth.AuthenticationServletFilter.callChain(AuthenticationServletFilter.java:186)
at org.apache.shindig.auth.AuthenticationServletFilter.doFilter(AuthenticationServletFilter.java:97)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
at org.apache.shindig.common.servlet.HostFilter.doFilter(HostFilter.java:38)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:188)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:116)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:77)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:895)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:932)
at com.ibm.pvc.internal.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:85)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:500)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:864)
at com.ibm.pvc.internal.webcontainer.WebContainerBridge.handleRequest(WebContainerBridge.java:25)
at com.ibm.domino.osgi.core.webContainer.WebApplicationsTracker.doService(WebApplicationsTracker.java:141)
at sun.reflect.GeneratedMethodAccessor157.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at com.ibm.domino.xsp.adapter.osgi.webContainer.OSGIWebContainerModule.invokeWebAppContainerService(OSGIWebContainerModule.java:207)
at com.ibm.domino.xsp.adapter.osgi.webContainer.OSGIWebContainerModule.doService(OSGIWebContainerModule.java:178)
at com.ibm.domino.xsp.adapter.osgi.OSGIService.doService(OSGIService.java:417)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.doService(LCDEnvironment.java:350)
at com.ibm.designer.runtime.domino.adapter.LCDEnvironment.service(LCDEnvironment.java:306)
at com.ibm.domino.xsp.bridge.http.engine.XspCmdManager.service(XspCmdManager.java:272)
Caused by: org.apache.commons.json.JSONException: Expecting '{' on line 1, column 0 instead, obtained token: 'Token: EOF'
at org.apache.commons.json.internal.Parser.parseObject(Parser.java:183)
at org.apache.commons.json.internal.Parser.parse(Parser.java:120)
at org.apache.commons.json.internal.Parser.parse(Parser.java:85)
at org.apache.commons.json.JSONObject.(JSONObject.java:128)
at org.apache.shindig.gadgets.preload.PipelinedDataPreloader.parseSocialResponse(PipelinedDataPreloader.java:213)
at org.apache.shindig.gadgets.preload.PipelinedDataPreloader$SocialPreloadTask.call(PipelinedDataPreloader.java:186)
at org.apache.shindig.gadgets.preload.PipelinedDataPreloader$SocialPreloadTask.call(PipelinedDataPreloader.java:139)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:314)
at java.util.concurrent.FutureTask.run(FutureTask.java:149)
at org.apache.shindig.gadgets.preload.ConcurrentPreloaderService.preload(ConcurrentPreloaderService.java:62)
at org.apache.shindig.gadgets.preload.PipelineExecutor.execute(PipelineExecutor.java:128)
... 38 more



Problems


The Widget Catalog has not been configured for the Credential Store


Symptoms of this problem
  • The Credential Store database is not configured or not available
  • Agent error: NotesException: Database has not been opened yet

Possible solutions
Configure the Widget Catalog for the Credential Store


The Widget Catalog design has been corrupted


Symptoms of this problem
  • When opening the XPage rendering of the Widget Catalog in Notes, I see the "Sorry, there is a problem" page
  • When opening the XPage rendering of the Widget Catalog in iNotes, I see the "Sorry, there is a problem" page
Possible solutions
  1. Clean and re-build the Widget Catalog in Domino Designer
  2. Replace the design of the Widget Catalog


The Notes embedded browser has been disabled for MIME emails


Symptoms of this problem
When rendering an Embedded Experience e-mail in Notes, I see the HTML version of the e-mail instead

Possible solutions
Enable the Notes embedded browser for MIME mail


The OpenSocial Widget is not approved by a trusted administrator


Symptoms of this problem
This gadget is not allowed to render as it is not trusted.

Possible solutions
  • Approve widgets in the Widget Catalog as an administrator
  • Install approved Widgets from the Widget Catalog
  • Add the Widget Catalog administrator to the ECL in the Notes client
  • Ensure ENABLE_EE is present in the Notes client's notes.ini file


The Notes client timed out trying to connect to the Domino Server with Shindig's container page


Symptoms of this problem
The browser timed out trying to connect to the remote container page

Possible solutions
Verify the Gadget Server URL references a valid hostname


The Notes client timed out trying to connect to the Domino Server with Shindig's locked or unlocked domains


Symptoms of this problem
Showing the error page because our on render event was not called in 60000 ms

Possible solutions
  • Verify the locked domain suffix is valid
  • Verify the unlocked domain is valid
  • In development, test, or proof of concept environments, disable locked domains


The Notes client system's DNS cannot resolve the Domino Server with Shindig's hostname


Symptoms of this problem
  • CLPEE2012E: An error occurred obtaining a security token to access the server. java.net.UnknownHostException
  • CWPNW0012E: Login failed

Possible solutions
  • Verify the Gadget Server URL references a valid hostname
  • Verify the managed SSO account Domino single sign-on server


The Notes client was not able to SSO with the Domino Sever with Shindig


Symptoms of this problem
  • CLPEE2012E: An error occurred obtaining a security token to access the server. java.io.IOException
  • CLPEE1017W: SecurityTokenServlet - responding with error: (401) CLPEE1018W: Anonymous access is not allowed
  • CWPNW0012E: Login failed

Possible solutions
  • Setup a managed account and push it to Notes clients by policy
  • Verify the managed SSO account Domino single sign-on server


The OpenSocial Component's proxy is rejecting the request to the Gadget XML URL because it is not whitelisted


Symptoms of this problem
  • CLPEE6017W: Error preloading the gadget at {URL to the OpenSocial Gadget XML}
  • BMWPX0006E: The URL {URL to the OpenSocial Gadget XML} cannot be accessed through the proxy

Possible solutions
  • Verify the proxy rules for the Widget allow access to the Gadget XML file
  • Update the Notes client's local replica of the Widget Catalog (for Notes local rendering only)
  • Add the Widget Catalog server as a Trusted Server in the Domino Server with Shindig's server document


The Notes client was unable to generate an OpenSocial ID for the current user


Symptoms of this problem
Exception in IdUtil

Possible solutions
Add an internet address in the person document for the current user


The redirect_uri parameter does not match the callback url registered with IBM Connections


Symptoms of this problem
When authorizing the IBM Connections gadgets, I see the "We are unable to process your request" page

Possible solutions
Verify the OpenSocial component OAuth configuration matches the application registered on IBM Connections


The Embedded Experience is not trusted to render in the iNotes client


Symptoms of this problem
  • When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead
  • Neither the gadget nor url Embedded Experience are trusted to render

Possible solutions
  • Approve widgets in the Widget Catalog as an administrator
  • Install approved Widgets from the Widget Catalog


Embedded Experiences in iNotes has not been enabled


Symptoms of this problem
When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead

Possible solutions
  • Set the iNotes_WA_EnableEE=1 notes.ini setting for the iNotes server
  • Set the iNotes_WA_OpenSocial=1 notes.ini setting for the iNotes server
  • Set the iNotes_WA_Widgets=1 notes.ini setting for the iNotes server


OpenSocial in iNotes has not been enabled


Symptoms of this problem
When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead

Possible solutions
  • Set the iNotes_WA_OpenSocial=1 notes.ini setting for the iNotes server
  • Set the iNotes_WA_Widgets=1 notes.ini setting for the iNotes server


Widgets in iNotes has not been enabled


Symptoms of this problem
When rendering an Embedded Experience e-mail in iNotes, I see the HTML version of the e-mail instead

Possible solutions
Set the iNotes_WA_Widgets=1 notes.ini setting for the iNotes server


The iNotes proxy is rejecting a request


Symptoms of this problem
  • Status was not 2xx
  • OpenSocial Container failed to load:

Possible solutions
Configure a whitelist in the Proxies configuration the security settings policy


The Credential Store has been improperly clustered


Symptoms of this problem
CLPEE1008E: An error occurred obtaining the credential store name.

Possible solutions
Ensure the Credential Store was created properly in a clustered environment


The Credential Store has been improperly replicated to a server or cluster on which it was not created


Symptoms of this problem
CLPEE1008E: An error occurred obtaining the credential store name.

Possible solutions
Ensure the Credential Store was properly moved to/from a cluster


The Credential Store has been improperly removed from a cluster in which it was created


Symptoms of this problem
CLPEE1008E: An error occurred obtaining the credential store name.

Possible solutions
Ensure the Credential Store was properly moved to/from a cluster


The security token encryption key was not created in the Credential Store


Symptoms of this problem
CLPEE1010E: The key is either null or empty

Possible solutions
Create the security token encryption key in the Credential Store


The "Total cache in memory" setting has been set incorrectly


Symptoms of this problem
There was an issue setting the configuration parameter maxBytesLocalHeap in ShindigCM to

Possible solutions
  • Set the "Total cache in memory" field to a non-empty value
  • Ensure the "Total cache in memory" field is set to a valid value


The "Total cache on disk" setting has been set incorrectly


Symptoms of this problem
There was an issue setting the configuration parameter maxBytesLocalDisk in ShindigCM to

Possible solutions
  • Set the "Total cache on disk" field to a non-empty value
  • Ensure the "Total cache on disk" field is set to a valid value


Locked domains have been enabled, but the locked domain suffix is not a valid in the DNS


Symptoms of this problem
  • When rendering an Embedded Experience or OpenSocial widget in iNotes, I see a "page not found" error from the browser
  • When rendering an Embedded Experience or OpenSocial widget in Notes, I see a blank page

Possible solutions
  • In development, test, or proof of concept environments, disable locked domains
  • Verify the locked domain suffix is valid


Locked domains have not been enabled, but the unlocked domain is not a valid in the DNS


Symptoms of this problem
  • When rendering an Embedded Experience or OpenSocial widget in iNotes, I see a "page not found" error from the browser
  • When rendering an Embedded Experience or OpenSocial widget in Notes, I see a blank page

Possible solutions
Verify the unlocked domain is valid


The current user does not have an authenticated session established with Domino


Symptoms of this problem
  • CLFWW2017E: null. Anonymous.
  • Error executing widget profile action "GetAll": Bad content type: -1

Possible solutions
Enable Domino session authentication


Internet Explorer Local Area Network settings are causing performance issues


Symptoms of this problem
On Windows, rendering an Embedded Experience e-mail in Notes takes a long time

Possible solutions
Disable Internet Explorer automatic LAN detection settings


The SSL certificate used by the server hosting the OpenSocial Gadget XML is invalid or not trusted


Symptoms of this problem
  • BMWPX0017E: The Secure Socket Layer (SSL) certificate of the target host is not trusted.
  • Error trying to render gadget: Unable to retrieve spec for {URL to the OpenSocial Gadget XML}. HTTP 502

Possible solutions
  1. Import the internet certifier and create a cross certificate in the Domino directory
  2. Add the site certificate to the Domino JVM cacerts keystore

Possible solutions if the OpenSocial Gadget XML is hosted on a Domino Server
  1. Use IBM HTTP Server or another reverse proxy that supports TLS for inbound HTTPS requests
  2. Enable SSLv3 for outbound HTTPS requests on Domino


The Domino Server with Shindig cannot communicate to itself over HTTPS


Symptoms of this problem
An HTTP 502 error occurred when fetching service methods

Possible solutions
  1. Use IBM HTTP Server or another reverse proxy that supports TLS for inbound HTTPS requests
  2. Enable SSLv3 for outbound HTTPS requests on Domino


The iNotes server cannot proxy to the Domino Server with Shindig over HTTPS


Symptoms of this problem
Server chose SSLv3, but that protocol version is not enabled or not supported by the client.

Possible solutions
Use IBM HTTP Server or another reverse proxy that supports TLS for inbound HTTPS requests



Number of available connections for host exceeded


Symptoms of this problem
The Number of available connections for the host has been exceeded.

Possible solutions
Update the Shindig proxy metadata




HTTP disabled on the Domino Server with Shindig


Symptoms of this problem
PreloadException in the Domino Server with Shindig trace logs

Possible solutions
Overwrite gadgets.osDataUri value



Solutions


Configure the Widget Catalog for the Credential Store


See #1 in the Configure the Widget Catalog section of the deployment cookbook


Clean and re-build the Widget Catalog in Domino Designer


  1. Open the Widget Catalog in Domino Designer
  2. Click the Project -> Clean... menu
  3. In the resulting dialog, select the "Clean projects selected below" radio button
  4. Ensure that the "Start build immediately" checkbox is checked
  5. Choose to "Build only the selected projects"
  6. Click "OK"
  7. Designer will report the progress of the clean and build operations.


Replace the design of the Widget Catalog


Replace the design of the Widget Catalog via the usual means, referring to steps 8-10 on the Creating a widget catalog page to ensure the correct catalog is used. Also refer to Updating Widget Catalog Designexternal link for other implications of updating the Widget Catalog design.

Once the design has been replaced, one needs to do two things:
  1. Re-enable agents in the catalog. See Enabling agents in the widget catalog for more information.
  2. Re-set launch options on the catalog. See Setting launch options for the widget catalog for more information


Enable the Notes embedded browser for MIME mail


  1. Open the Notes client preferences
  2. Go to Basic Notes Client Configuration
  3. In the "Additional options" section, ensure that "Disable embedded browser for MIME mail" is unchecked.
Ensure that Disabled embedded browser for MIME mail is unchecked in the


Approve widgets in the Widget Catalog as an administrator


Users with the "[Admins]" role in the Widget Catalog must approve Widgets. See Approving a Widget in the Widget Catalog for more information.


Install approved Widgets from the Widget Catalog


Widgets that are approved in the Widget Catalog must be installed in the Notes and iNotes clients from the Widget Catalog in order to be trusted. Browse to the Widget Catalog and drag and drop to install approved Widgets.

In Notes, Widgets can be installed from other places aside from the Widget Catalog, e.g., from an e-mail. These Widgets will not be trusted.


Add the Widget Catalog administrator to the ECL in the Notes client


The Widget Catalog administrator who approves Widgets must be in the ECL in the Notes client and have the "Configure Widget Capabilities" ability. See Notes Security Policy Settings for more information.


Set the Gadget Server URL in the Widgets desktop settings policy


See Widgets Desktop Settings for more information on the "Gadget Server URL" field.


Verify the Gadget Server URL references a valid hostname


Verify that the "Gadget Server URL" set in Widgets Desktop Settings is a valid hostname. The Notes client machine needs to be able to resolve the hostname to an IP address. Debugging DNS issues is outside of the scope of this troubleshooting document, but one may be interested in tools such as nslookupexternal link and Digexternal link


Setup a managed account and push it to Notes clients by policy


For more information see the Managed Account page for more information.


Verify the managed SSO account Domino single sign-on server


When creating the managed SSO account, make sure the Domino single sign-on server setting is accurate and that the Notes client is able to resolve the server.
For more information see the Managed Account page for more information.


Verify the proxy rules for the Widget allow access to the Gadget XML file


See Table 1 in Approving a widget created from an OpenSocial gadget to understand the proxy rules and how they need to be configured.
See Editing proxy settings for an approved widget to view and edit existing proxy rules.
See Adding proxy settings to an approved widget to learn how to add new proxy rules if they are missing.


Update the Notes client's local replica of the Widget Catalog


Per the Gadget rendering process and Proxy Rules in Notes documentation, proxy rules for local rendering are read from the local replica of the Widget Catalog. Run the "Update Widgets" action in the My Widgets sidebar in the Notes client or replicate the local Widget Catalog from the "Replication and Sync" page to update the proxy information.


Add an internet address in the person document for the current user


The OpenSocial Component requires internet addresses to be populated for any user wishing to use the OpenSocial component functionality. See Domino Directory Requirementsexternal link for more information on this requirement and how to populate internet addresses.


Verify the OpenSocial component OAuth configuration matches the application registered on IBM Connections


As part of the OAuth authorization process, the Domino Server with Shindig generates a "redirect URI" which is passed as a query parameter to Connections. It is used to redirect the OAuth authorization flow back to the Domino Server with Shindig. If the redirect URI does not match exactly the callback URL registered with Connections when the OAuth account was registered, the authorization process will fail.

Information on how this redirect URI is generated can be found in the Shindig server(s) host nameexternal link section. As mentioned in that section, these URLs default to "HTTPS". One can see the redirect URI being used by inspecting the "redirect_uri" query parameter when authorizing with Connections.

To view the callback URL that was registered with Connections, one can refer to the Managing the client application listexternal link documentation. The redirect_uri is shown in the application data that can be viewed.


Set the iNotes_WA_EnableEE=1 notes.ini setting for the iNotes server


For more information, see Using notes.ini settings to enable widgets, live text, and OpenSocial features.


Set the iNotes_WA_OpenSocial=1 notes.ini setting for the iNotes server


For more information, see Using notes.ini settings to enable widgets, live text, and OpenSocial features.


Set the iNotes_WA_Widgets=1 notes.ini setting for the iNotes server


For more information, see Using notes.ini settings to enable widgets, live text, and OpenSocial features.


Configure a whitelist in the Proxies configuration the security settings policy


See iNotes Security Policy Settingsexternal link for detailed instructions on creating a whitelist for the traffic that must flow through the proxy.


Ensure the Credential Store was created properly in a clustered environment


If one wishes to create a Credential Store application on a clustered server, one must follow the instructions for Creating the credential store application in a clusterexternal link


Ensure the Credential Store was properly moved to/from a cluster


If one wishes to move a Credential Store application or change, one must follow the instructions for Moving the credential store applicationexternal link. Many scenarios are outlined on that page given the requirements of the move.


Create the security token encryption key in the Credential Store


See Configuring the Credential Storeexternal link and the articles to which it links for precise steps on creating the security token encryption key in the Credential Store


Set the "Total cache in memory" field to a non-empty value


See Domino Server with Shindig - Basicsexternal link for information on CONFIG level logging that may be seen if the "Total cache in memory" field is left blank.


Set the "Total cache on disk" field to a non-empty value


See Domino Server with Shindig - Basicsexternal link for information on CONFIG level logging that may be seen if the "Total cache on disk" field is left blank.


Ensure the "Total cache in memory" field is set to a valid value


The popup help for the "Total cache in memory" field in the "Basics" tab within the "Social Edition" tab of the Configuration Settings document has a description of the valid format for this field.


Ensure the "Total cache on disk" field is set to a valid value


The popup help for the "Total cache on disk" field in the "Basics" tab within the "Social Edition" tab of the Configuration Settings document has a description of the valid format for this field.

Note: In 9.0, there is a known issue that if this field is set to anything less than 20m one will receive an error. The workaround is to leave the field blank or set it to something greater than 20m.


In development, test, or proof of concept environments, disable locked domains


See Server-centric settings - Locked Domainsexternal link for more information.


Verify the locked domain suffix is valid


Review the information on the locked domain suffixexternal link field and verify the hostname there is valid.

Debugging DNS issues is outside of the scope of this troubleshooting document, but one may be interested in tools such as nslookupexternal link and Digexternal link


Verify the unlocked domain is valid


Review the information on the unlocked domainexternal link field and verify the hostname there is valid.

Debugging DNS issues is outside of the scope of this troubleshooting document, but one may be interested in tools such as nslookupexternal link and Digexternal link


Enable Domino session authentication


Domino session authentication needs to be enabled. For more information about the requirements and how to enable session authentication, see Web SSO Configurationexternal link.


Disable Internet Explorer automatic LAN detection settings


See Improving Performance of OpenSocial Gadget rendering in Notes on Windows platformsexternal link for more information.


Add the Widget Catalog server as a Trusted Server in the Domino Server with Shindig's server document


The Widget Catalog server must be trusted by the Domino Server with Shindig in order for data to flow to the credential store application from the widget catalog application. See Widget Catalog server must be trusted by the Domino Server with Shindigexternal link for more information.


Use IBM HTTP Server or another reverse proxy that supports TLS for inbound HTTPS requests


See Option 1 of OpenSocial Component on Domino using TLS or SSLexternal link to change the Domino Server with Shindig to accept TLSv1 when accepting inbound HTTPS requests, even from itself.


Enable SSLv3 for outbound HTTPS requests on Domino


See Option 2 of OpenSocial Component on Domino using TLS or SSLexternal link to change the Domino Server with Shindig to use SSLv3 when making outbound HTTPS requests, even to itself.


Import the internet certifier and create a cross certificate in the Domino directory


See Importing an Internet certifier into the Domino Directoryexternal link and Creating an Internet cross-certificate in the Domino Directory from a certifier documentexternal link for more information.


Add the site certificate to the Domino JVM cacerts keystore


See Add Site Certificates to the Lotus Domino JVM cacerts Keystore for more information.


Ensure ENABLE_EE is present in the Notes client's notes.ini file


ENABLE_EE=1 must be in the notes.ini file on the client in order for Widgets to be trusted. See Notes Desktop Policy - Custom Settings Tabexternal link of this cookbook for links to detailed steps.


Update the Shindig proxy metadata



See Configure the default Shindig proxy settings.external link


gadgets.osDataUri field should be overwritten



To fix this problem add gadgets.osDataUri to the container.js tab of the Social Edition tab of the Configuration document of the Domino server with Shindig and set its value to https:///fiesta/rpc. Then restart the Domino server with Shindig.


Cookbook Contents


  • Actions Show Menu▼


expanded Attachments (0)
collapsed Attachments (0)
Edit the article to add or modify attachments.
expanded Versions (1)
collapsed Versions (1)
Version Comparison     
VersionDateChanged by              Summary of changes
This version (131)May 21, 2014, 4:26:34 PM~Lisa Elfanalyettu  
expanded Comments (0)
collapsed Comments (0)
Copy and paste this wiki markup to link to this article from another article in this wiki.
Go ElsewhereStay ConnectedAbout
  • HCL Software
  • HCL Digital Solutions community
  • HCL Software support
  • BlogsDigital Solutions blog
  • Community LinkHCL Software forums and blogs
  • About HCL Software
  • Privacy
  • Accessibility