Open Text Transactional Content Processing 10.0.1 Administration Guide

Open Text Transactional Content
Processing
Administration Guide
This guide describes the administration of all basic components

for Open Text Transactional Content Processing. This includes
Open Text Process Administrator, TCP Application Server, TCP
Context Server, Open Text User Management Server, Enterprise
Process Services, TCP Pipelines and TCP Web Client.
TCP100001-AGD-EN-5
Open Text Transactional Content Processing
Administration Guide
TCP100001-AGD-EN-5
Rev.: 12. Dec. 2011
This documentation has been created for software version 10.0.1.
It is also valid for subsequent software versions as long as no new document version is shipped with the product or is
published at https://knowledge.opentext.com.
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Email: support@opentext.com
FTP: ftp://ftp.opentext.com
For more information, visit http://www.opentext.com
Copyright © by Open Text Corporation, Open Text Inc.

Open Text Corporation is the owner of the trademarks Open Text, OpenText, The Content Experts, OpenText ECM Suite,
OpenText eDOCS, eDOCS, OpenText FirstClass, FirstClass, OpenText Exceed, OpenText HostExplorer, OpenText Exceed
OnDemand, OpenText Exceed 3D, OpenText Exceed Freedom, OpenText Exceed PowerSuite, OpenText Exceed XDK,
OpenText NFS Solo, OpenText NFS Client, OpenText NFS Server, OpenText NFS Gateway, OpenText Everywhere, OpenText
Real Time, OpenText Eloquent Media Server, OpenText Integrated Document Management, OpenText IDM, OpenText
DocuLink, Livelink, Livelink ECM, Artesia, RedDot, RightFax, RKYV, DOMEA, Alchemy, Vignette, Vizible, Nstein,
LegalKEY, Picdar, Hummingbird, IXOS, Alis Gist-in-Time, Eurocortex, Gauss, Captaris, Spicer, Genio, Vista Plus, Burntsand,
New Generation Consulting, Momentum Systems, DOKuStar, and RecoStar among others. This list is not exhaustive.
All other products or company names are used for identification purposes only, and are trademarks of their respective own-
ers. All rights reserved.
Table of Contents
PRE Introduction 15
i What is Open Text Transactional Content Processing? ........................ 15
ii About this documentation ...................................................................... 18
ii.i Target Readership ................................................................................. 18
ii.ii Structure of this documentation ............................................................. 18
ii.iii Documentation overview........................................................................ 23
ii.iv Further documentation ........................................................................... 24
ii.v How to find documentation .................................................................... 24
ii.vi Conventions ........................................................................................... 25
iii Contact information ................................................................................ 26
Part 1 Open Text Process Administrator 27
1 Getting started......................................................................... 31
1.1 Starting Process Administrator and logging on...................................... 31
1.2 Exiting Process Administrator ................................................................ 31
2 Introducing Process Administrator........................................ 33

2.1 Program window .................................................................................... 33
2.2 Status bar ............................................................................................... 35
2.3 Paging and sorting search results.......................................................... 35
2.4 Working with the context menu.............................................................. 35
2.5 Viewing audits ........................................................................................ 36
2.6 Viewing comments ................................................................................. 36
2.7 Viewing graph ........................................................................................ 37
2.8 Refreshing information ........................................................................... 38
3 Defining settings ..................................................................... 39

3.1 Customizing the view of the list area ..................................................... 39
3.1.1 Adding or removing columns ................................................................. 39
3.1.2 Changing column order.......................................................................... 39
3.2 Assigning permissions ........................................................................... 40
3.3 Changing password ............................................................................... 40
3.4 Specifying system properties ................................................................. 41
3.4.1 Configuring connection to Enterprise Process Services........................ 41
TCP100001-AGD-EN-5 Open Text Transactional Content Processing iii

Table of Contents
3.4.2 Setting time interval for connection response........................................ 41

3.4.3 Testing connection to Enterprise Process Services .............................. 41
3.4.4 Setting the number of items per page.................................................... 42
4 Managing systems...................................................................43
4.1 Adding new system ................................................................................ 43
4.2 Deleting system...................................................................................... 44
4.3 Logging on to a system .......................................................................... 44
5 Managing projects ...................................................................45

5.1 Opening or closing projects ................................................................... 45
6 Managing process groups ......................................................47

6.1 Displaying process groups..................................................................... 47
6.2 Adding new process groups................................................................... 48
6.3 Deleting process groups ........................................................................ 48
6.4 Editing process group permissions ........................................................ 48
6.5 Viewing process group audits ................................................................ 48
7 Managing process classes......................................................49

7.1 Displaying process classes.................................................................... 50
7.2 Changing process class status .............................................................. 50
7.3 Viewing process class audits ................................................................. 51
7.4 Viewing process class attributes............................................................ 51
7.5 Editing process class attributes ............................................................. 51
7.6 Viewing process class permissions ....................................................... 52
7.7 Viewing process class graph ................................................................. 52
7.8 Creating a custom view for a process class .......................................... 52
8 Managing process instances ..................................................53

8.1 Displaying process instances................................................................. 53
8.2 Changing process instance status ......................................................... 54
8.3 Viewing process instance audits............................................................ 55
8.4 Viewing process instance attributes....................................................... 55
8.5 Viewing process instance status............................................................ 56
8.6 Viewing process instance comments..................................................... 56
9 Managing work items ..............................................................57

9.1 Displaying work items ............................................................................ 58
9.2 Changing work item status..................................................................... 58
9.3 Editing current user of work items.......................................................... 59
9.4 Unreserving work items ......................................................................... 60
9.5 Resuming work items............................................................................. 60
9.6 Viewing work item audits ....................................................................... 60
iv Open Text Transactional Content Processing TCP100001-AGD-EN-5

Table of Contents
9.7 Viewing work item attributes .................................................................. 61

9.8 Editing values of work item attributes .................................................... 61
9.9 Viewing work item properties ................................................................. 62
9.10 Viewing work item status ....................................................................... 63
9.11 Viewing work item comments ................................................................ 63
10 Managing custom views ......................................................... 65

10.1 Displaying custom views ........................................................................ 65
10.2 Creating custom views ........................................................................... 66
10.2.1 Adding custom views ............................................................................. 66
10.2.2 Creating a custom view of an existing process class, process
instance or work item ............................................................................. 66
10.3 Editing custom views.............................................................................. 67
10.4 Cloning custom views ............................................................................ 68
10.5 Deleting custom views ........................................................................... 68
10.6 Filtering process classes, process instances and work items ............... 68
10.6.1 Adding new filter conditions ................................................................... 68
10.6.2 Editing filter conditions ........................................................................... 69
10.7 Searching with filter conditions .............................................................. 70
11 Managing work queues........................................................... 73

11.1 Displaying work queues ......................................................................... 73
11.2 Creating new work queue ...................................................................... 74
11.3 Deleting work queues............................................................................. 79
11.4 Editing work queues............................................................................... 80
12 Managing BAM reports ........................................................... 81

12.1 Displaying BAM reports ......................................................................... 81
12.2 Deleting BAM reports ............................................................................. 81
12.3 Updating BAM reports............................................................................ 82
13 Managing jobs ......................................................................... 83

13.1 Displaying jobs ....................................................................................... 84
13.2 Creating new jobs .................................................................................. 84
13.3 Deleting jobs .......................................................................................... 91
13.4 Starting jobs ........................................................................................... 91
13.5 Stopping jobs ......................................................................................... 91
13.6 Editing jobs............................................................................................. 92
14 Managing agents ..................................................................... 93

14.1 Displaying agents................................................................................... 93
14.2 Registering agents ................................................................................. 94
14.3 Unregistering agents .............................................................................. 95
14.4 Starting agents ....................................................................................... 95
TCP100001-AGD-EN-5 Administration Guide v

Table of Contents
14.5 Stopping agents ..................................................................................... 96

14.6 Clearing counters ................................................................................... 96
14.7 Editing agents ........................................................................................ 96
14.8 Viewing agent audits .............................................................................. 96
15 Inflight changes .......................................................................97

15.1 Connecting class.................................................................................... 97
15.2 Re-link instances.................................................................................. 101
15.3 Re-link exceptions................................................................................ 102
16 Transporting settings ............................................................105

16.1 Transporting process class definition .................................................. 105
16.2 Transporting work queue configurations.............................................. 105
16.2.1 Exporting work queue configurations................................................... 106
16.2.2 Importing work queue configurations ................................................... 106
16.3 Transporting report configurations ....................................................... 106
16.3.1 Exporting report configurations ............................................................ 106
16.3.2 Importing report configurations ............................................................ 107
16.4 Transporting job configurations............................................................ 107
16.4.1 Exporting job configurations................................................................. 107
16.4.2 Importing job configurations................................................................. 107
16.5 Transporting agent registrations .......................................................... 108
16.5.1 Exporting agent registrations ............................................................... 108
16.5.2 Importing agent registrations ............................................................... 108
17 Reference ...............................................................................109
17.1 Icons..................................................................................................... 109
17.2 Filter fields............................................................................................ 110
Part 2 Open Text TCP Application Server administration 115
18 Prerequisites ..........................................................................117
18.1 Managing system users ....................................................................... 117
18.2 Working with TCP Application Manager (PDMS UI only) .................... 117
19 Administering audit entries...................................................121

19.1 Finding and displaying audit entries..................................................... 121
19.1.1 Displaying audit entries for a particular record/document ................... 121
19.1.2 Displaying audit entries that match certain criteria .............................. 122
19.1.3 Displaying audit entries for deleted items ............................................ 123
19.2 Deleting audit entries ........................................................................... 124
19.2.1 Deleting an individual entry.................................................................. 124
19.2.2 Deleting several obsolete audit entries ................................................ 124
19.3 Exporting and printing lists of audit entries .......................................... 125
vi Open Text Transactional Content Processing TCP100001-AGD-EN-5

Table of Contents
20 Administering classification................................................. 127

20.1 Creating new classifications................................................................. 127
20.2 Editing classifications ........................................................................... 128
20.3 Deleting classifications......................................................................... 128
20.4 Displaying classifications ..................................................................... 129
20.4.1 Displaying the hit list of classifications ................................................. 129
20.4.2 Displaying the classification tree.......................................................... 130
20.5 Assigning classifications to an item ..................................................... 130
21 Administering Open Text TCP.............................................. 133

21.1 Starting TCP Configuration .................................................................. 133
21.1.1 The TCP Configuration GUI................................................................. 134
21.1.2 Changing password ............................................................................. 135
21.1.3 Projects overview ................................................................................. 135
21.2 Managing projects................................................................................ 136
21.3 General project settings ....................................................................... 138
21.4 Configuring Single Sign-On (SSO) for PDMS UI ................................. 142
21.4.1 Configuring NTLM settings on the clients ............................................ 144
21.5 Logging ................................................................................................ 145
21.5.1 General ................................................................................................ 145
21.5.2 Configuring the logging categories ...................................................... 146
21.5.2.1 Log levels ............................................................................................. 148
21.5.2.2 Logging subcategories ......................................................................... 148
21.5.2.3 Configuring the log file entries ............................................................. 151
21.5.3 Configuring the profiling categories ..................................................... 152
21.5.3.1 Profiling log level .................................................................................. 154
21.5.3.2 Profiling subcategories......................................................................... 154
21.5.3.3 Configuring the profiling log file entries................................................ 156
21.5.4 Configuring the monitoring categories ................................................. 156
21.5.4.1 Monitoring log level .............................................................................. 158
21.5.4.2 Monitoring subcategories ..................................................................... 158
21.5.4.3 Configuring the monitoring log file entries ........................................... 159
22 Re-configuring TCP Application Server............................... 161

22.1 Configuring Enterprise Process Services application (PS).................. 161
23 Configuring and customizing the TCP application ............. 167

23.1 General mechanism ............................................................................. 167
23.1.1 Custom TCP installation directory........................................................ 167
23.1.2 Rebuilding and deploying of the TCP application ................................ 169
23.2 Configuring additional custom agents.................................................. 169
23.3 Configuring additional plugins.............................................................. 169
23.4 Configuring additional repository bridge SPI ....................................... 170
23.5 Configuring calendar service ............................................................... 170
23.6 Configuring an additional certificate store............................................ 173
TCP100001-AGD-EN-5 Administration Guide vii

Table of Contents
Part 3 Open Text TCP Context Server administration 175
24 Major administration tasks....................................................177

25 Administering TCP Context Server ......................................179
25.1 Getting started...................................................................................... 179
25.1.1 Starting the TCP Context Server administration.................................. 179
25.1.2 Starting the Archiving and Storage Administration .............................. 179
25.2 Managing system information .............................................................. 180
25.2.1 Viewing server information................................................................... 180
25.2.2 Viewing log files, caches and Java VM information in the TCP
Context Server core ............................................................................. 180
25.3 Managing archives ............................................................................... 181
25.3.1 Displaying Archiving Services information........................................... 181
25.3.2 Configuring the archive access............................................................ 182
25.4 Administrating forms ............................................................................ 183
25.4.1 Viewing forms....................................................................................... 183
25.4.2 Creating a form .................................................................................... 184
25.4.3 Testing a form ...................................................................................... 185
25.4.4 Changing a form................................................................................... 185
25.5 Managing access for ArchiveLink calls ................................................ 186
25.5.1 Setting a default ACL for newly archived documents .......................... 186
25.5.2 Protecting the archive server connection............................................. 187
25.5.3 Protecting the client connection ........................................................... 188
25.6 Using jobs to perform administrative tasks .......................................... 190
25.6.1 Standard jobs ....................................................................................... 191
25.6.2 Executing jobs manually using TCP Context Server administration
Web GUI .............................................................................................. 197
25.6.3 Executing scheduled jobs using Open Text Administration................. 198
25.6.3.1 Installing dmsremotecmd ..................................................................... 198
25.6.3.2 Setting communication parameters on the archive server .................. 198
25.6.3.3 Scheduling TCP Context Server jobs .................................................. 199
25.7 Logging ................................................................................................ 199
25.8 Unlocking records and undoing changes............................................. 201
25.9 Searching with the query builder.......................................................... 202
25.10 Managing Fulltext Servers ................................................................... 203
25.10.1 Configuring Fulltext Server on TCP Context Server side .................... 203
25.10.2 Using the Fulltext Server error queues ................................................ 207
25.11 Managing Rendition Servers................................................................ 210
25.11.1 Configuring Rendition Server on TCP Context Server side................. 210
25.11.1.1 Rendition Server configuration in the TCP Context Server
administration....................................................................................... 211
25.11.1.2 Customizing TCP Context Server to use Rendition Server ................. 212
25.11.1.3 Creating rendition jobs in TCP Context Server administration ............ 213
25.11.1.4 Customizing the supported source MIME types .................................. 214
25.11.2 Using the Rendition Server error queues ............................................ 216
viii Open Text Transactional Content Processing TCP100001-AGD-EN-5

Table of Contents
26 Administering the database.................................................. 217

26.1 Reorganizing the database and updating statistics ............................. 217
26.2 Performing consistency checks for tables and folders......................... 217
26.3 Debugging the database ...................................................................... 218
26.3.1 Viewing the status of the database ...................................................... 218
26.3.2 Viewing the entity type hierarchy ......................................................... 219
26.3.3 Viewing the ACL cache ........................................................................ 219
26.3.4 Viewing the query cache ...................................................................... 219
26.3.5 Viewing the database connections ...................................................... 220
26.3.6 Searching component information ....................................................... 220
26.3.7 Searching table information ................................................................. 221
27 Re-configuring TCP Context Server via configuration

packages................................................................................ 223
27.1 Configuring configuration and logging directories (ROOT).................. 223
27.2 Configuring the database access (DBM) ............................................. 224
27.3 Maintaining the Apache Tomcat data sources..................................... 225
27.4 Configuring static logging (COMMON) ................................................ 229
27.5 Configuring archive settings (ARCHIVE) ............................................. 229
27.5.1 Configuring connection to the primary archive server ......................... 229
27.5.2 Configuring connection to further archive servers ............................... 231
27.6 Configuring connection to User Management Server (UMS) .............. 231
27.7 Configuring Context Server (DMSCORE)............................................ 232
27.8 Configuring cluster settings for TCP Context Server (CLUSTER)....... 235
27.9 Configuring filters for Fulltext Server and Rendition Server (FILTER). 236
27.10 Configuring the Records Management (RM) ....................................... 237
27.11 Changing password for TCP Context Server....................................... 238
Part 4 Open Text User Management Server administration 239
28 Working with User Management Client................................ 241

28.1 Starting User Management Client........................................................ 241
28.1.1 Integration into Microsoft Management Console ................................. 241
28.1.2 Connecting to a second User Management Server............................. 242
28.2 Program window .................................................................................. 243
28.2.1 Window elements................................................................................. 243
28.2.2 Objects of User Management .............................................................. 244
28.2.3 Working with the context menu............................................................ 245
28.3 Changing properties............................................................................. 245
28.4 Adding additional and multi-value properties ....................................... 246
28.5 Deleting properties ............................................................................... 248
28.6 Using filters .......................................................................................... 248
28.7 Reference............................................................................................. 249
TCP100001-AGD-EN-5 Administration Guide ix

Table of Contents
29 Working with User Management...........................................253

29.1 User management concept.................................................................. 253
29.2 Administration levels ............................................................................ 253
29.3 Managing the system ........................................................................... 254
29.3.1 Defining the ROOT administrators....................................................... 255
29.3.2 Adding organizations ........................................................................... 255
29.3.3 Adding an external User Management system.................................... 256
29.3.4 Displaying the members of external groups ........................................ 257
29.3.5 Displaying the URLs and status of cluster nodes ................................ 257
29.3.6 Configuring the SSO checkers............................................................. 257
29.3.7 Configuring caching ............................................................................. 260
29.3.8 Configuring session management ....................................................... 262
29.3.9 Configuring auditing ............................................................................. 262
29.4 Managing the organization................................................................... 263
29.4.1 Defining the organization settings........................................................ 263
29.4.2 Referencing groups and users from an external domain..................... 263
29.4.3 Adding new users................................................................................. 265
29.4.4 Adding a certificate user ...................................................................... 265
29.4.5 Configuring the certificate user ............................................................ 266
29.4.6 Changing/resetting user password ...................................................... 266
29.4.7 Adding new groups .............................................................................. 266
29.4.8 Assigning users or groups to other groups .......................................... 267
29.4.9 Disabling obsolete users or groups...................................................... 268
29.4.10 Enabling eSign for administrators and users ....................................... 268
29.4.11 Enabling the proxy mechanism............................................................ 269
29.5 Managing Enterprise Process Services ............................................... 269
29.5.1 Adding new principals .......................................................................... 269
29.5.2 Assigning users to security groups ...................................................... 270
29.5.3 Defining the hierarchical structure ....................................................... 270
29.5.3.1 Defining hierarchy structure of departments........................................ 270
29.5.3.2 Defining the temporary structure of projects........................................ 271
29.6 Troubleshooting ................................................................................... 272
30 Re-configuring User Management Server ............................273

30.1 Configuring configuration and logging directories (ROOT).................. 274
30.2 Configuring the database access (DBU) ............................................. 274
30.3 Configuring static logging (COMMON) ................................................ 276
30.4 Defining UMS access information and audit settings (UMS) ............... 277
30.5 Changing password for User Management Server.............................. 278
31 Managing configuration parameters ....................................279

31.1 Managing parameters for external domains ........................................ 279
31.1.1 Configuring a domain for Livelink ECM – Enterprise Server user
management ........................................................................................ 279
31.1.2 Configuring a domain for LDAP directory server ................................. 280
31.1.3 Configuring a LDIF enrichment provider to extend attributes .............. 280
31.1.4 Configuring CAP/UMS integration ....................................................... 284
31.2 Managing parameters for SSO contexts.............................................. 285
x Open Text Transactional Content Processing TCP100001-AGD-EN-5

Table of Contents
31.2.1 Configuring checker context for internal session ID token .................. 285
31.2.2 Configuring checker context for SSO with SAP Enterprise Portal....... 285
31.2.3 Configuring checker context for signed URL ....................................... 285
31.2.4 Configuring checker context for signed user ....................................... 286
31.3 Managing parameters for the root organization................................... 286
31.4 Managing parameters for organizations .............................................. 287
31.5 Managing parameters for users ........................................................... 288
31.6 Managing parameters for groups......................................................... 290
Part 5 Open Text TCP Web Client administration 291
32 Configuring TCP Web Client................................................. 293

32.1 Setting the ASP.NET version............................................................... 293
32.2 Changing security settings ................................................................... 293
32.3 Starting ASP.NET State Service.......................................................... 294
32.4 Changing user-specific settings ........................................................... 294
32.5 Configuring application settings for large uploads ............................... 295
32.6 Configuring the viewers ....................................................................... 296
32.7 Configuring log file ............................................................................... 298
32.8 Configuring Single Sign-On (SSO) ...................................................... 299
32.8.1 Creating a certificate ............................................................................ 299
32.8.2 Configuring the checker module on User Management Server........... 301
32.8.3 Configuring User Management Server ................................................ 302
32.8.4 Updating TCP Web Client configuration .............................................. 303
32.8.5 Changing Internet Information Services (IIS) Manager settings .......... 303
32.8.6 Setting folder permissions.................................................................... 306
32.8.7 Adding external domain and users ...................................................... 306
32.9 Installing multiple TCP Web Clients..................................................... 306
Part 6 TCP Document Pipelines administration 309
33 Overview of TCP Document Pipelines for TCP Context

Server ..................................................................................... 311
34 Functional description of the TCP DocTools ...................... 313
34.1 Prepdoc, dmsPrepdoc ......................................................................... 314
34.2 doctodms.............................................................................................. 315
34.3 Inbox .................................................................................................... 315
34.3.1 Parameters in DT_INBOX.Setup ......................................................... 316
34.3.2 Parameters in the COMMANDS file..................................................... 318
34.3.3 Archive mode ....................................................................................... 319
34.4 Psdt ...................................................................................................... 319
34.4.1 Archive Mode configuration ................................................................. 321
TCP100001-AGD-EN-5 Administration Guide xi

Table of Contents
35 Permissions for the indexing scenarios ..............................325

36 Sample batch import files for TCP Context Server
pipelines .................................................................................329
Part 7 Databases administration 331
37 Monitoring the database........................................................333

38 Performing a database backup .............................................335
38.1 Backing up an Oracle database........................................................... 336
38.2 Backing up Microsoft SQL Server databases ...................................... 337
38.2.1 Backing up the transaction logs of an Microsoft SQL Server
database .............................................................................................. 338
38.2.2 Backing up the db_name and the msdb database .............................. 339
Part 8 Security in TCP 341
39 Standard groups and users ..................................................345

39.1 Standard groups................................................................................... 345
39.2 Grantee groups and revokee groups ................................................... 346
39.3 Standard users..................................................................................... 350
40 Changing passwords of end users and standard users .....355

40.1 Resetting passwords of end users....................................................... 355
40.2 Changing passwords of standard users .............................................. 355
41 Security measures .................................................................363

42 Configuration of the TCP certificate user.............................365
43 Security settings for TCP Application Server ......................367
44 Configuration for a Web proxy server ..................................371
45 Configuration for SSL............................................................373
45.1 Configuring Apache Tomcat for SSL ................................................... 375
45.2 Exporting the Apache Tomcat SSL certificate ..................................... 377
45.3 Configuring SSL communication between TCP Context Server and
User Management Server.................................................................... 379
45.4 Configuring SSL communication between TCP Application Server
and User Management Server............................................................. 383
45.5 Configuring SSL communication between TCP Application Server
and TCP Context Server ...................................................................... 385
45.6 Configuring JBoss for SSL................................................................... 387
xii Open Text Transactional Content Processing TCP100001-AGD-EN-5

Table of Contents
45.7 Configuring SSL communication between TCP Web Client and TCP
Application Server ................................................................................ 389
45.7.1 Preparing TCP Application Server ....................................................... 389
45.7.2 Exporting the SSL certificate of the TCP Application Server ............... 390
45.7.3 Securing the ArchiveLink communication ............................................ 391
45.7.4 Securing the Web Service communication .......................................... 391
45.8 Configuring SSL communication between browser and TCP Web
Client .................................................................................................... 393
45.9 For Websphere/AIX only: Configuring IAIK Security Provider ............. 393
46 Configuration for SecKeys and signed URLs...................... 395
GLS Glossary 399
IDX Index 403
TCP100001-AGD-EN-5 Administration Guide xiii

Preface
Introduction
i What is Open Text Transactional Content

Processing?
Transactional content management is the basis of many core business processes in
any organization. These core business processes are high volume, and highly
repetitive in nature, therefore, requiring structured processing. They span from clerk
style user interaction to application integration.
Transactional Content Processing focuses the structured processing of transactional
content and addresses the following key problem areas:
Open Text Transactional Content Processing (or short TCP) addresses the following
main problem areas:
• Managing the paper burden
• Automating content-centric business processes
• Providing independent access to transactional content being stored by leading
applications (like SAP)
Businesses with a large number of relationships (for example customers) will benefit
in leveraging Open Text’s TCP technology. TCP is an application that has been
deployed in many businesses such as automotive, manufacturing, banking,
insurance and retail.
Managing the The act of manually retrieving information is a slow business process preventing
paper burden rapid access to content that might be used for critical, business decision support in a
customer case inquiry. Undoubtedly, this archaic approach of obtaining information
will render any organization uncompetitive.
Another real world scenario is the catastrophic event, for example, a fire, an
earthquake, or a flood where information will be lost irretrievably if business
continuity guidelines are not pre-established.
In all, paper based information must be available instantly to authorized personnel
throughout the entire organization regardless of whether they operate across
departments, in a centralized or even a distributed environment.
To manage millions of documents, critical metadata describing the documents or
document sections must to be captured and stored. This allows the fast and precise
retrieval of information by employees processing the business transactions. Sample
applications are enterprise archiving initiatives and folder solutions like Electronic
Case Management or Insurance Folders.
TCP100001-AGD-EN-5 Open Text Transactional Content Processing xv

Introduction
Automating Content-centric business processes are often customer facing (internal or external).
content-centric These customer facing processes are often highly repetitive, driven by fixed content
processes
and require integration into existing applications. To provide a faster customer case
management response, organizations are required to react immediately on changing
market requirements and new regulations. The management of transactional
content improves process efficiency, cuts processing cost (that is cost per
transaction), shortens elapsed time, enables change, and provides an audit log and
management overview of transactional processes. Sample applications are Accounts
Payable, Claims Management and Digital Mailroom solutions.
Independent Open Text TCP provides an infrastructure for access to transactional content,
access to independent of third-party software. For example, SAP documents can be accessed
transactional
content securely and consistent by internal or external business entities. Thus, the amount of
inquiries and paper mail will be drastically reduced, leading to cost reduction and
compliance with internal and mandated regulations. Sample applications are self-
service solutions, supplier portals, and compliant internal (or external) access to SAP
documents.
In addition, elaborate user management specifies access rights on various levels, to
meet security policies.
Web-based A TCP application is accessible via a Web browser. Thus, no client installation is
interface needed and you can access the application via intranet, extranet or internet.
System TCP consists of several components each with its unique functionality.
architecture
xvi Open Text Transactional Content Processing TCP100001-AGD-EN-5

Introduction
Figure 1: TCP system architecture
Presentation layer
There are two ways to access a TCP application:
• TCP Web Client – TCP Web Client is what you see, when you access a TCP
application in a Web browser. It is your interface to the system and lets you
interact.
• Enterprise Connect – With Enterprise Connect, you can upload and access
Open Text TCP documents using Microsoft Office and Windows Explorer.
Application layer
TCP Application Server – TCP Application Server is the core of TCP. It controls
the services for document archiving and retrieving. The services communicate
with the connected repositories and handle requests, such as queries from the
TCP application.
Enterprise Process Services – As a member of the Open Text Content Services
family, Enterprise Process Services provides functionality for managing
structured business processes functionality. Enterprise Process Services is a
multi-purpose process engine that drives business processes and brings all
required documents to each process step. Through the technical interface of
Enterprise Process Services - available as Web Service (SOAP) - other systems
can interact and utilize its functionality. Enterprise Process Services is tightly
TCP100001-AGD-EN-5 Administration Guide xvii

Introduction
integrated into TCP and provides tools for designing, running, monitoring and
analyzing business processes.
Repository layer
TCP Context Server along with the process database and other external
repositories (databases and other data sources) stores all data except for attached
content files. These are stored by Open Text Enterprise Library Services.
Customization and Administration tools
Customization and Administration tools help you to set up, customize and
manage the system.
• TCP Modeler – creates and customizes a TCP application.
• Process Designer – implements business processes for a TCP application.
• Process Administrator – monitors and administers the process flow.
• TCP Configuration (Web-based) – allows the administrator to control
access to the system and to the documents contained within it. Furthermore,
general project administration and availability is handled here.
• TCP Context Server Administration / Context Server Configuration – are
two Web-based tools for administering TCP Context Server.
• User Management Client – is the administration tool for configuring User
Management Server.
ii About this documentation

This documentation describes the administration of TCP, which involves managing
processes with the Process Administrator, administering TCP Application Server,
TCP Context Server, the User Management and TCP Web Client.
ii.i Target Readership

This documentation is intended for system administrators of TCP. It assumes
knowledge of the administration of a network system, and a basic knowledge of
TCP and database administration corresponding to the OpenText training course.
Recommended OpenText recommends that you read the following documentation before you start
reading administering TCP: Open Text Transactional Content Processing - User Guide
(TCP100001-UGD) and OpenText Transactional Content Processing - System Overview
Guide (TCP-GGD).
ii.ii Structure of this documentation

This documentation consists of parts, each describing the administration of one
segment of the TCP system landscape.
xviii Open Text Transactional Content Processing TCP100001-AGD-EN-5

Introduction
Part “Open Text Process Administrator”

This part describes the administration of processes using Process Administrator. It
consists of the following chapters:
“Getting started” on page 31
This chapter describes how to start and connect to other systems.
“Introducing Process Administrator” on page 33
This chapter describes the elements of the graphical user interface of Process
Administrator.
“Defining settings” on page 39
This chapter describes the main settings for Process Administrator.
“Managing systems” on page 43
This chapter describes how you manage several systems with Process
Administrator.
“Managing process groups” on page 47
This chapter describes how to work with process groups which can be
referenced in a process using Process Designer.
“Managing process classes” on page 49
This chapter describes the management of defined processes (or more precisely,
process classes). These process classes first have to be created in Process
Designer.
“Managing process instances” on page 53
When a user starts a new process, a new process instance of this process class is
created. This chapter explains how to monitor processes that are already
underway.
“Managing work items” on page 57
A process instance contains work items. This chapter explains how to work with
these.
“Managing custom views” on page 65
This chapter describes how to create custom views which filter specific process
classes and process instances.
“Managing work queues” on page 73
This chapter describes the creation and the management of work queues.
“Managing BAM reports” on page 81
This chapter describes Business Activity Monitoring (short: BAM) that provides
business intelligence to your TCP solution.
“Managing jobs” on page 83
This chapter describes the management of jobs, that are periodically executed
tasks.
“Managing agents” on page 93
This chapter describes the management of agents. Agents do some background
working, such as execute java scripts.
TCP100001-AGD-EN-5 Administration Guide xix

Introduction
“Inflight changes” on page 97

This chapter describes how to set a superior class for a single process instance or
a complete custom view.
“Transporting settings” on page 105
This chapter describes how to transport settings and processes from one system
to another, for example from a test system to a productive system.
“Reference” on page 109
This chapter gives an overview of all icons, fields an properties of Process
Administrator.
Part “Open Text TCP Application Server administration”

This part describes the setup of a TCP application and the re-configuration of the
TCP Application Server. It consists of the following chapters:
“Prerequisites” on page 117
This chapter describes how to set up the effective system user and how to deploy
the TCP Application Manager.
“Administering audit entries” on page 121
This chapter explains how to set up and manage the auditing functionality.
“Administering classification” on page 127
This chapter explains how to manage the classification functionality.
“Administering Open Text TCP” on page 133
This chapter describes how to monitor and administer TCP using the TCP
Configuration. It also contains a section about the re-configuration of TCP
Application Server.
“Re-configuring TCP Application Server” on page 161
This chapter describes the re-configuration of TCP Application Server using the
TCP Configuration Web GUI or TCP installer.
“Configuring and customizing the TCP application” on page 167
This chapter describes how to configure the TCP application via changes of the
configuration files. It is also explained how the application can be rebuilt and
deployed.
Part “Open Text TCP Context Server administration”

This part describes how to administer TCP Context Server. It consists of the
following chapters:
“Major administration tasks” on page 177
This chapter gives an overview of the major administration tasks.
“Administering TCP Context Server” on page 179
This chapter contains the administration task which must be performed on TCP
Context Server
“Searching with the query builder” on page 202
This chapter explains how to build valid SQL statements with the query builder
xx Open Text Transactional Content Processing TCP100001-AGD-EN-5

Introduction
“Administering the database” on page 217

This chapter contains maintenance tasks for the databases, such as back up.
“Re-configuring TCP Context Server via configuration packages” on page 223
This chapter explains how to re-configure certain functions of TCP Context
Server.
Part “Open Text User Management Server administration”

This part describes the administration of the User Management. It consists of the
following chapters:
“Working with User Management” on page 253
This chapter explains the different administration tasks for the User
Management.
“Working with User Management Client” on page 241
This chapter describes the graphical user interface for the administration of the
User Management.
“Managing configuration parameters” on page 279
This chapter provides configuration parameters for external domains, Single
Sign-On, organizations, groups, and users.
Part “Open Text TCP Web Client administration”

This part describes the administration of TCP Web Client.
“Setting the ASP.NET version” on page 293
This chapter explains how to set the ASP.NET version.
“Changing security settings” on page 293
This chapter describes how to change security settings.
“Starting ASP.NET State Service” on page 294
This chapter explains how to start ASP.NET State Service and changing further
ASP.NET configuration settings.
“Changing user-specific settings” on page 294
This chapter explains how to configure user-specific settings such as the length
of breadcrumbs or the Out of office functionality
“Configuring application settings for large uploads” on page 295
This chapter explains how to support the upload of large files.
“Configuring the viewers” on page 296
This chapter explains how to change the Java Viewer URL.
“Configuring log file” on page 298
This chapter explains how to configure the log file.
“Configuring Single Sign-On (SSO)” on page 299
This chapter describes how to configure Single-Sign-On.
TCP100001-AGD-EN-5 Administration Guide xxi

Introduction
“Installing multiple TCP Web Clients” on page 306

This chapter explains how you install more than one TCP Web Client on a
system.
Part “TCP Document Pipelines administration”

This part describes the administration of Open Text TCP Document Pipelines. It
consists of the following chapters:
“Overview of TCP Document Pipelines for TCP Context Server” on page 311
This chapter introduces the various pipelines.
“Functional description of the TCP DocTools” on page 313
This chapter contains detailed information about DocTools.
“Permissions for the indexing scenarios” on page 325
This chapter describes the permissions for indexing scenarios.
“Sample batch import files for TCP Context Server pipelines” on page 329
This chapter lists the files for a batch import.
Part “Databases administration”

This part describes the monitoring and the backup of TCP databases. It consists of
the following chapters:
“Monitoring the database” on page 333
This chapter explains how to regularly monitor databases.
“Performing a database backup” on page 335
This chapter describes how to backup databases.
Part “Security in TCP”

This part describes the standard groups and users, the password change as well as
the security measures available when working with TCP and the settings they
require. It consists of the following chapters:
“Standard groups and users” on page 345
This chapter describes the standard groups and standard users.
“Changing passwords of end users and standard users” on page 355
This chapter where and how to change the passwords apart from User
Management.
“Security measures” on page 363
This chapter gives a brief overview of the security measures used in TCP.
“Configuration of the TCP certificate user” on page 365
This chapter describes the settings for the certificate user which is used for
impersonation and security settings.
“Security settings for TCP Application Server” on page 367
This chapter describes the security settings for TCP Application Server.
xxii Open Text Transactional Content Processing TCP100001-AGD-EN-5

Introduction
“Configuration for a Web proxy server” on page 371

This chapter describes the required settings if you want to use a Web proxy
server for TCP.
“Configuration for SSL” on page 373
This chapter describes how you configure SSL for TCP.
“Configuration for SecKeys and signed URLs” on page 395
This chapter describes the configuration for SecKeys and signed URLs.
ii.iii Documentation overview

The following documentation is available for Transactional Content Processing
10.0.1:
Note: In the documentation titles, TCP100001 stands for Transactional Content
Processing 10.0.1.
Release Notes
The Release Notes describe in detail the software supported by the product and
important dependencies, as well as any last-minute changes regarding the
documentation which should be made known. The current version of the Release
Notes is available in the OpenText Knowledge Center.
Open Text Transactional Content Processing - System Overview Guide
(TCP100001-GGD)
This guide provides an initial overview of the concepts, components and the
environment of TCP.
Open Text Transactional Content Processing - Installation Guide (TCP100001-IGD)
This guide describes the installation of all TCP components.
Open Text Transactional Content Processing - Upgrade Guide (TCP100001-DGD)
This guide describes the upgrade to the current version of TCP for all
components, also from BPM and the predecessor PDMS.
Open Text TCP Modeler - Customization Guide (TCP100001-CGD)
This guide describes the customization of TCP projects. It deals with conceptual
and practical topics, including the use of TCP Modeler.
Open Text Process Designer - Customizing Guide (PR100001-CPD)
This guide describes how processes can be designed graphically, for an
organization in general and for TCP Web Client in particular. Furthermore, it
provides information on Web Reporting.
Open Text Transactional Content Processing - Scenario Guide (TCP100001-GCS)
This guide describes:
• Installation and configuration of Records Management
• Installation and configuration of the fulltext solution for TCP.
• Implementation of Business Activity Monitoring
TCP100001-AGD-EN-5 Administration Guide xxiii

Introduction
• Scenarios for attaching records (documents) to processes.

Open Text Transactional Content Processing - Administration Guide (TCP100001-
AGD)
This guide describes the administration of all TCP components, such as Process
Administrator, TCP Context Server, TCP Configuration, User Management and
TCP Document Pipelines.
Open Text Transactional Content Processing - User Guide (TCP100001-UGD)
This guide describes how to use a TCP application. It describes the use with the
current TCP interface as well as with PDMS Web Client (PDMS UI).
API documentation
The API documentation introduces you into the concepts and basics of the
programming interfaces of TCP. It also provides references, programming
examples and other stuff that will help you getting started. The entry point to the
API documentation is the Open Text Transactional Content Processing -
Programming Guide (TCP100001-PGD).
The Open Text TCP Context Server - Programming Guide for the Open Text TCP
Context Server API (TCP100001-PDA) gives an introduction to the TCP Context
Server API. It helps the programmer to get a first overview of the comprehensive
class library and provides the basics and working principles as well as an
overview of the accompanying sample programs.
Note: The TCP Modeler Quick Start Guide is integrated in the assistance area
of TCP Modeler, see section 3.2.1 "Main areas" in Open Text TCP Modeler -
Customization Guide (TCP100001-CGD).
ii.iv Further documentation

Administrators who are already familiar with Open Text Archive and Storage
Services (short: Archive and Storage Services) will have no difficulties learning the
administration tasks for TCP Context Server.
However, administrators who have no experience with Archive and Storage
Services should also read the OpenText Archive Server - Administration Guide (AR-
ACN).
Note: Consider, that a server where Archive and Storage Services are
performed is called archive server.
ii.v How to find documentation

You can find the product documentation as follows:
• The product ISO image comprises the complete product CD-ROM in one *.iso
file. The product ISO image is available in the OpenText Knowledge Center:
Select the product family page and then click the Downloads link.
• The documentation of all products and all supported versions is available in the
OpenText Knowledge Center. See the Release Notes for details and links. In the
xxiv Open Text Transactional Content Processing TCP100001-AGD-EN-5

Introduction
Knowledge Center, select the product family page, and then click the
Documentation link. In case, the required product belongs to the Livelink ECM
– Enterprise Server family, click the Livelink Module Documentation link and
select the product from the list.
Note: You can find the latest information on manuals and online help files for
each product in the corresponding Release Notes. This includes the
identification codes of the current documentation.
ii.vi Conventions
User interface
This format is used for elements in the graphical user interface (GUI), such as
buttons, names of icons, menu items, and fields.
Filenames, commands, and sample data
This format is used for file names, paths, URLs, and commands at the command
prompt. It is also used for example data, text to be entered in text boxes, and
other literals.
Note: If you copy command line examples from a PDF, be aware that PDFs
can contain hidden characters. OpenText recommends copying from the
HTML version of the document, if it is available.
KEY NAMES
Key names appear in ALL CAPS, for example:
Press CTRL+V.
<Variable name>
Angled brackets < > are used to denote a variable or placeholder. The user
replaces the brackets and the descriptive content with the appropriate value. For
example, <server_name> becomes serv01.
Internal cross-references
Click the cross-reference to go directly to the reference target in the current
document.
External cross-references
External cross-references are usually text references to other documents.
However, if a document is available in HTML format, for example, in the
Knowledge Center, external references may be active links to a specific section in
the referenced document.
Warnings, notes, and tips
Caution
Cautions help you avoid irreversible problems. Read this information
carefully and follow all instructions.
TCP100001-AGD-EN-5 Administration Guide xxv

Introduction
Important
Important notes help you avoid major problems.
Note: Notes provide additional information about a task.

Tip: Tips offer you quicker or easier ways of performing a task.
iii Contact information

OpenText Online (http://online.opentext.com/) is a single point of access for the
product information provided by OpenText. You can access the following support
sources through OpenText Online:
• Communities
• Knowledge Center
OpenText Online Communities
(http://communities.opentext.com/communities/livelink.exe/open/OpenTextOnli
neCommunity) provide the following resources:
• Usage tips, help files, and best practices for customers and partners.
• Information on product releases.
• User groups and forums where you can ask questions of OpenText experts.
The OpenText Knowledge Center (https://knowledge.opentext.com) is OpenText's
corporate extranet and primary site for technical support. The Knowledge Center is
the official source for the following:
• Product downloads, patches, and documentation including Release Notes.
• Discussion forums, Online Communities, and the Knowledge Base.
• OpenText Developer Network (OTDN), which includes developer
documentation and programming samples for OpenText products.
If you need additional assistance, you can find OpenText Corporate Support
Contacts at http://support.opentext.com/.
xxvi Open Text Transactional Content Processing TCP100001-AGD-EN-5

Part 1
Open Text Process Administrator
Part 1 Open Text Process Administrator
This part describes the administration of Enterprise Process Services using Process
Administrator.
With Process Administrator you perform the following tasks:
• Manage the processes you have defined in Process Designer (process classes).
• Present forms to the user
• Monitor active processes (process instances)
• Observe steps of processes (work items)
• Control permissions for security objects
Content This part contains the following chapters:
“Getting started” on page 31
This chapter describes how to start and connect to other systems.
“Introducing Process Administrator” on page 33
This chapter describes the elements of the graphical user interface of Process
Administrator.
“Defining settings” on page 39
This chapter describes the main settings for Process Administrator.
“Managing systems” on page 43
This chapter describes how you manage several systems with Process
Administrator.
“Managing process groups” on page 47
This chapter describes how to work with process groups which can be
referenced in a process using Process Designer.
“Managing process classes” on page 49
This chapter describes the management of defined processes (or more precisely,
process classes). These process classes first have to be created in Process
Designer.
“Managing process instances” on page 53
When a user starts a new process, a new process instance of this process class is
created. This chapter explains how to monitor processes that are already
underway.
“Managing work items” on page 57
A process instance contains work items. This chapter explains how to work with
these.
“Managing custom views” on page 65
This chapter describes how to create custom views which filter specific process
classes and process instances.
28 Open Text Transactional Content Processing TCP100001-AGD-EN-5

iii Contact information
“Managing work queues” on page 73

This chapter describes the creation and the management of work queues.
“Managing BAM reports” on page 81
This chapter describes Business Activity Monitoring (short: BAM) that provides
business intelligence to your TCP solution.
“Managing jobs” on page 83
This chapter describes the management of jobs, that are periodically executed
tasks.
“Managing agents” on page 93
This chapter describes the management of agents. Agents do some background
working, such as execute java scripts.
“Inflight changes” on page 97
This chapter describes how to set a superior class for a single process instance or
a complete custom view.
“Transporting settings” on page 105
This chapter describes how to transport settings and processes from one system
to another, for example from a test system to a productive system.
“Reference” on page 109
This chapter gives an overview of all icons, fields an properties of Process
Administrator.
TCP100001-AGD-EN-5 Administration Guide 29

Chapter 1
Getting started
1.1 Starting Process Administrator and logging on

To start Process Administrator:
1. Go to Start - Programs - Open Text - Process Administrator.
Process Administrator starts.
Tip: Before you can connect to the server, you have to configure the server
URL. This is usually done during installation.
To configure the connection to Enterprise Process Services, see
“Configuring connection to Enterprise Process Services” on page 41.
2. To log on to Process Administrator, select the system you want to work on,
right-click and select Log On on the context menu.
The Log On opens.
3. Enter your user name, password and domain, and then click Log on to connect
to the server.
Tip: To configure the system offline, click Work offline.
1.2 Exiting Process Administrator

To exit Process Administrator:
• Go to File - Exit. If you have changed settings without saving a message appears
to save the settings.
Process Administrator exists.
TCP100001-AGD-EN-5 Open Text Transactional Content Processing 31

Chapter 2
Introducing Process Administrator
2.1 Program window

The Process Administrator program window consists of:
Menu bars
From the menu, you can select functions.
Navigation tree
The navigation tree consists of:
System node
The system node is the top level node and represents the server you can log
on by Process Administrator.
Projects node
In Process Administrator projects are the top administration unit for
processes, profiles and jobs and are defined on the server.
In a TCP scenario the projects are configured in TCP Modeler. For further
information, see section 2.5.1 "TCP Projects" in Open Text TCP Modeler -
With Enterprise Process Services only one default project with one default
profile is provided.
The projects consist of:
Process Groups node
The process groups node is the parent node of all process group nodes.
Process groups contain processes of the same scope.
Custom Views node
The custom views node is the parent node of all defined custom views.
Custom views are filters for the process classes, process instances and
work items.
Profiles
The profiles node contains a list of GUI profiles for users.
In Process Administrator you can configure Work Queues and Reports for
each appropriate GUI profile on the server.
In a TCP scenario GUI profiles are configured in TCP Modeler. For further
information, see section 2.5.11 "GUI profiles" in Open Text TCP Modeler -

Chapter 2 Introducing Process Administrator
With Enterprise Process Services only one default project with one default
profile is provided.
Jobs
The jobs node contains periodically executed automation tasks.
Agents
The agents node contains programs for background working.
Filter section
The filter section in the top right-hand corner shows the filters which are marked
as searchable. For further information, see “Filtering process classes, process
instances and work items” on page 68.
List area
The list area displays process information.
Status bar
The status bar is located at the bottom of the program window. It shows status
information about the connection. For further information, see “Status bar” on
page 35.
On the right, you will see various information, depending on what you choose to
select in the navigation tree on the left.

2.2 Status bar
2.2 Status bar

The status bar shows connection details:
• First column: Current connection status
• Offline: The application is currently offline.
• Online: The application is currently online and the current user will appear
in brackets along with the domain information.
• Second column: Project id
• Third column: Name of the system to which you are connected.
• Forth column: Configured URL of Enterprise Process Services.
2.3 Paging and sorting search results

Paging After executing a query, Enterprise Process Services returns not all hits. This is
important to reduce server load and increase the application response time.
You can define the count of hits returned in the System Settings dialog (see “Setting
the number of items per page” on page 42).
In the bottom of a list the count of pages are displayed. You can either browse the
pages by clicking one of the buttons or entering a valid page index in the page text
box.
Sorting To sort the result list, click on the column header.

Note: Sorting does not work for long text properties such as Owner Query,
Step Properties and Exception Message.
2.4 Working with the context menu

Note: The commands shown in the context menu depend on where you right-
click it.
The context menu plays an important role in the operation of Process Administrator
since it contains a lot of important commands. For further information, see the
different sections of this guide.

2.5 Viewing audits

Note: The special permissions ViewSystemAudit and ViewAudit control who
can view audits.
To view audits:
1. Right-click and select View Audit on the context menu.
The Audit dialog box opens and displays the system activities.
2. Click on the table header to sort the column for certain criteria.
3. Click OK to close the dialog box.
2.6 Viewing comments

Note: The special permission ViewComment controls who can view
comments of process instances and work items.
To view comments of process instances and work items added in TCP Web
Client:
1. Right-click on a process instance or work item and select View comments on the
context menu.
The Comments dialog box opens and displays the comments.

2.7 Viewing graph
2. Click on the table header to sort the column for certain criteria.
2.7 Viewing graph

The process graph shows the graph definition as it is designed in Process Designer.
Note: The special permission ViewStatusInfo controls who can view the
graph.
To view the graph of process classes and the status information for process
instances and work items:
• Process class – Right-click on a process class and select View Graph on the
context menu.
The Class Graph opens and some properties as Name, Author, Version and
Creation time are displayed. No additional information for the steps and
connections are displayed.
• Process instance – Right-click on a process instance and select View Status
Info on the context menu. Additional process status information is displayed.
For further information on status information (frame, color, exclamation mark),
see section 3.5 "Checking route of a process" in Open Text BPM Web Process
Manager - User Guide (PR100001-UWB).
• Work item – Right-click on a work item and select View Status Info on the
context menu. Additional process status information is displayed. For further
information on status information (frame, color, exclamation mark), see section
3.5 "Checking route of a process" in Open Text BPM Web Process Manager - User
Guide (PR100001-UWB).
To resize the graph dialog and zoom the graph image, click one of the magnifying
glasses.

2.8 Refreshing information

To refresh the information shown in the program window:
• Right-click on any item in the navigation tree or list area and select Refresh to
retrieve the status from Enterprise Process Services and update the view.
You can also refresh the view by clicking F5.

Chapter 3
Defining settings
3.1 Customizing the view of the list area

You can customize the Process Administrator program window according to your
needs.
3.1.1 Adding or removing columns

Note: These settings apply to all process lists in Process Administrator.
To select the information displayed in the lists:

1. Go to View - Add/Remove Columns.
The Column Settings dialog box opens.
2. Select the tab of the view you want to change: Process Classes, Process
Instances or Work Items.
On the left, the dialog box contains the properties not used yet, and on the right,
the properties already selected as columns.
3. Highlight a property on the left and select Add to display it as a column.
4. Highlight a property on the right and select Remove to remove the column.
5. To reset the configuration of the displayed columns to the default settings, select
Default.
6. Click Ok to save your changes.
3.1.2 Changing column order

Note: These settings apply to all process lists in Process Administrator.
To change the order of columns:

1. Go to View - Add/Remove Columns.
The Column Settings dialog box opens.
2. Select the tab of the view you want to change: Process Classes, Process
Instances or Work Items.
3. Highlight a column in the Displayed Columns list.
4. Select Move Up to move it one place forward.

Chapter 3 Defining settings
5. Select Move Down to move it one place back.

6. To reset the configuration of the displayed columns to the default settings, select
Default.
7. Click Ok to save your changes.
3.2 Assigning permissions

Notes:
• The special permission ChangePermission controls who can change
permissions.
• In the Process Administrator permission dialog you can only edit rules for
existing permissions.
• Assigning permissions to the system affects all process groups and process
classes. Assigning permissions to process groups affects all process classes
and assigning permissions to process classes affects all process instances
and work items.
• The Current User checkmark does not affect process instance related
permissions like ViewProcessInstance.
To assign permissions:
1. Right-click on a system, process group or process class and select Edit
Permissions on the context menu.
The Permissions dialog box opens.
2. Edit the permissions. For further information on permissions, see section 9
"Working with Permissions" in OpenText Process Designer - Customizing Guide
(PR-CPD).
3.3 Changing password

Note: If your password has expired, you have to enter your old and new
password in the log on dialog. If you have forgotten your password, ask your
administrator to reset your password in User Management Server.
To change the password:

1. Select the system you want to change the password, right-click and select
Change Password on the context menu.
The Change Password dialog opens. Five text boxes are displayed.
2. In the first text box you see the User name. It is the currently logged on user and
read only.
In the second text box (Old password) enter your current password.
In the third text box (New password) enter your new password, and in the
fourth text box (Confirm password), enter the new password once again to

3.4 Specifying system properties
confirm it. In the fifth text box you see the Domain. It is the currently logged on
domain and read only.
3. Click Save to save the new password.
The Password dialog closes.
3.4 Specifying system properties

3.4.1 Configuring connection to Enterprise Process Services
To configure the connection to Enterprise Process Services:
1. Right-click on a system and select Properties on the context menu.
The System settings dialog box opens.
2. Enter the URL to Enterprise Process Services, for example
http://<Application server>:<port>/tcp/services/Process
(http://localhost:28080/eps/services/Process or
http://localhost:38080/tcp/services/Process).
3. Click Test connection. If successfully connected, click Finish.

4. On the system you want to log on, right-click and select Log on and log on to
the server.
3.4.2 Setting time interval for connection response

To define the time span (Time out) waiting for a response from Enterprise
Process Services:
2. Enter time in milliseconds for the time span.
For example, if you enter 3000, the defined timeout occurs after 30 seconds.
3. Click Finish to save your changes.
3.4.3 Testing connection to Enterprise Process Services

To test the connection to Enterprise Process Services:
2. Click Test Connection. A message displays the connection result.
3. Click Finish to close the dialog box.

Chapter 3 Defining settings
3.4.4 Setting the number of items per page

To ensure responsiveness, the results of all lists are grouped into pages.
To configure the number of items listed on pages:

2. Enter the number of items in per page. It is used for paging and sorting (see
“Paging and sorting search results” on page 35).
3. Click Finish to save your changes.

Chapter 4
Managing systems
4.1 Adding new system

You can manage several systems with Process Administrator.
To add a new system:

1. Go to File - New System.
The System Settings dialog box opens.
2. Enter the URL to Enterprise Process Services, for example
http://<Application server>:<port>/tcp/services/Process
(http://localhost:28080/eps/services/Process or
http://localhost:38080/tcp/services/Process).
3. Enter time in millisecond to define the time span (Time out) waiting for a
response from Enterprise Process Servicess.
For example, if you enter 30000, the defined timeout occurs after 30 seconds.
4. Enter the number of items in per page. It is used for paging and sorting (see
“Paging and sorting search results” on page 35).
5. Click Test connection. If successfully connected, click Next.
6. Select one or more projects and click Finish.
The new system is added.

Chapter 4 Managing systems
4.2 Deleting system

To delete a system:
1. Right-click on a system and select Delete on the context menu.
2. Confirm the dialog.
The system configuration is deleted.
4.3 Logging on to a system

Each system can have its own authentication to provide different user groups.
To log on to a system:
1. Right-click on a system and select Log On on the context menu.
The Log On dialog box opens.
2. Enter your user name, password, and domain name.
3. Click Log on to connect to the server.

Chapter 5
Managing projects
In Process Administrator projects are the top administration unit for processes,
profiles and jobs and are defined on the server.
In a TCP scenario the projects are configured in TCP Modeler. For further
information, see section 2.5.1 "TCP Projects" in Open Text TCP Modeler -
With Enterprise Process Services only one default project with one default profile is
provided.
5.1 Opening or closing projects

Note: Custom views of closed projects are deleted.
To open or close a project:

1. Right-click on a project and select Open/Close Projects on the context menu.
The Open/Close Projects dialog box opens.
The list displays the projects of the system that are configured on the server.
Projects that are already selected in Process Administrator but deleted on the
server are marked as not available.
2. Mark the projects you want to open or close and click Finish.
Confirm the dialog if you have closed a project.
The projects are displayed.

Chapter 5 Managing projects

Chapter 6
Managing process groups
You can manage process groups by using a context-sensitive menu in Process
Administrator.
You can add process groups and reference these groups in the process properties of
a process using Process Designer. For further information, see OpenText Process
Designer - Customizing Guide (PR-CPD). To select a process group in the drop down
menu of Process Designer it must be created in Process Administrator.
6.1 Displaying process groups

To display process groups:
• Select a process group to display all process classes of this group in the list area.
Refreshing the Right-click on a process group and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and update the view.

Chapter 6 Managing process groups
6.2 Adding new process groups

To add new process groups:
1. Right-click on the parent node of all process groups and select New Process
Group on the context menu.
The New Process Group dialog box opens.
2. Enter a name for the process group and click Ok.
The new process group is added.
6.3 Deleting process groups

To delete process groups:
1. Right-click on a process group and select Delete on the context menu.
The process group is deleted.
Note: It is not possible to delete process groups that contain process
classes.
6.4 Editing process group permissions

To edit the permissions of a process group, see “Assigning permissions” on page 40.
6.5 Viewing process group audits

To view the audits of a process group, see “Viewing audits” on page 36.

Chapter 7
Managing process classes
Process classes represent the templates of a process, for example vacation request.
You can manage process classes that have been designed and uploaded using
Process Designer by using a context-sensitive menu in Process Administrator. All
process classes are assigned to a process group.
Ad Hoc process The Ad Hoc process uploads a new process class. The process class is activated and
a process instance is created immediately.
All Ad Hoc process classes are listed in the Ad Hoc process group.
No process graph is available for Ad Hoc processes and therefore the process classes
cannot be opened in Process Designer.

Chapter 7 Managing process classes
7.1 Displaying process classes

To display process classes:
• Select a process group to display all process classes of this group in the list area.
Copying list Right-click on a process group and select Copy on the context menu to copy the list
information information to the clipboard (ID, Process Class Name etc.). Example:
PC9D405F8995EB66A200F55D7F41B119CA; Joint Mile Stone; Active; 11.09.-
2006 14:20:44;
7.2 Changing process class status

Note: The special permission ChangeProcessClassStatus controls the status of
process classes.
To change the status of a process class:

1. Right-click on a process class and select Change Status on the context menu.
Multiple selections are possible.
2. Select a status from the submenu:
New
Stored in the Process Designer process database and not yet released as an
active class.
Active
Active process class. Users see it in their process start list (depending on the
permissions in place) and can initiate process instances from it.
Note: Use the permission ViewProcessClass to control which users can
see a process class in their process start list. Use the permission
StartProcessInstance to control which users can initiate process
instances from this process classes.
Inactive
Inactive processes can no longer be started, but all instances continue to run
to the end. The user does not see an inactive process in the process start list
in TCP Web Client.
Invisible
Invisible processes can no longer be started and the user does not see an
invisible process in the process start list in TCP Web Client. Work items and
process instances are no longer visible for the user. Invisible processes are
also not included in reports.

7.3 Viewing process class audits
OpenText recommends setting no longer used process classes to status

Invisible instead of Inactive for performance reasons.
Active As Report
Processes are displayed under the menu item Reports in TCP Web Client.
7.3 Viewing process class audits

To view audits of process classes, see “Viewing audits” on page 36.
7.4 Viewing process class attributes

To view the attributes of process classes:
1. Right-click on a process class and select View Attributes on the context menu.
The Attributes dialog box opens.
Private, constant or reserved data objects are marked with a bracket behind the
data object name.
For further information on attributes, see section 8 "Working with Dispositions"
in OpenText Process Designer - Customizing Guide (PR-CPD).
7.5 Editing process class attributes

Note: The special permission ChangeProcessClass controls who can change
process classes.
To modify the values of process class properties:

1. Right-click on a process class and select View Attributes on the context menu.
2. Right-click on an attribute and select Edit on the context menu.
The Attribute Properties dialog box opens.
Tips:
• Not initialized multi value fields are not displayed. To add grid rows,
click tab in the grid.
• The values of all process paths of private fields are displayed in several
tabs.
3. Modify the fields as required and click OK to close the dialog box.
Note: If you select more than one process class, the fields will only contain
values if they are the same for all selected classes.

Chapter 7 Managing process classes

7.6 Viewing process class permissions

To view permissions of process classes, see “Assigning permissions” on page 40.
7.7 Viewing process class graph

To view the graph of process classes, see “Viewing graph” on page 37.
7.8 Creating a custom view for a process class

To create a custom view for a process class, see “Creating a custom view of an
existing process class, process instance or work item” on page 66.

Chapter 8
Managing process instances
Process instances represent processes that are underway, for example vacation
request from a team member.
A process instance is created for every process that has been started. You can
manage these instances by using a context-sensitive menu in Process Administrator.
8.1 Displaying process instances

Note: The special permission ViewProcessInstance controls who can view
process instances.
To display process instances:

• Select a custom view, for example Active Processes and change to Process
Instances tab to display all process instances of this custom view in the list area.

Chapter 8 Managing process instances
Refreshing the Right-click on a process instance and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and thus update the view.
Copying list Right-click on a process instance and select Copy on the context menu to copy the
information list information to the clipboard (ID, Process Class Name etc.). Example:
PI9D3B916B95EB66A200F55D7FF45B0548; 001-TestCase-Iteration23-Demo;
11.09.2006 14:15:29; 150;
8.2 Changing process instance status

To change the status of a process instance:
1. Right-click on a process instance and select Change Status on the context menu.
Active
The process instance is active. The process instance can be changed and
routed by the current user.
End
The final stage of a process instance is concluded or a connection causes it to
end.
Suspend
The process instance is suspended. It can be reactivated by the process
administrator.
Abort
The process instance is aborted. It cannot be reactivated. All work items
related to that instance are also aborted.
Transition
The process instance is in transition state. The current users can proceed with
their work items but no further work item of the instance can be opened.

8.3 Viewing process instance audits
8.3 Viewing process instance audits

Note: The special permission ViewAudit controls who can view audits of
process instances.
To view audits of process instances, see “Viewing audits” on page 36.
8.4 Viewing process instance attributes

Note: The special permission ViewObjects controls who can view attributes of
process instances.
To view the attributes of process instances:

1. Right-click on a process instance and select View Attributes on the context
menu.
There is a tab displayed for each data object. The attributes of the data object are
displayed in a list. The default data object for process attributes is named _default.
Tabs displaying constant data objects are marked constant.
Tabs displaying private data objects are marked private.

Chapter 8 Managing process instances
Attributes that are imported from a record type (from a connected repository), are
not listed, providing no corresponding document has been added to the process
instance. During this stage, the tab is marked reserved.
Multiple values are separated with [ ].
8.5 Viewing process instance status

To view the status information of a process instance, see “Viewing graph” on
page 37.
8.6 Viewing process instance comments

Note: The special permission ViewComment controls who can view
comments of process instances.
To view comments of a process instance, see “Viewing comments” on page 36.

Chapter 9
Managing work items
Work items represent steps in a process once it is underway, for example vacation
approval.
A work item is created during the runtime of a process instance in every routed
workflow step. You can manage these work items by using a context-sensitive menu
in Process Administrator.
Note: The special permissions ChangeWorkItem and ViewWorkItem control
who can change or view work items data.

Chapter 9 Managing work items
9.1 Displaying work items

To display work items:
• Select a custom view, for example Active Processes and change to Work Items
to display all work items of this custom view in the list area.
Copying list Right-click on a process instance and select Copy on the context menu to copy the
information list information to the clipboard (ID, Process Class Name etc.). Example:
WI9D3B916B95EB66A200F55D7F3F2FC12C; Active; 11.09.2006 14:15:29;
9.2 Changing work item status

To change the status of a work item:
1. Right-click on a work item and select Change Status on the context menu.
Note: The status you can set depends on the current status of the work
item. Therefore it is possible that you cannot select another or any status on
the context menu.
Abort
The process instance is aborted. It cannot be reactivated. If the process
instance that the work item is related to is aborted, the work item is aborted
also.
Active
The work item is active. The work item can be changed and routed by the
current user.
Agent
The work item waits for an agent to process it.
Suspend
The work item is suspended. It can be reactivated by the process
administrator.

9.3 Editing current user of work items
9.3 Editing current user of work items

Note: You can change the user of a work item only if the work item has the
status Active, Agent, Draft or Postpone.
To change the current user of a work item:

1. Right-click on a work item and select Edit Current User on the context menu.
The Change User dialog box opens.
2. Enter a user name and click Search.
The user(s) are displayed.
3. Select a user from the hit list and click OK to save your input. The work item is
now assigned to the selected user. It appears in the user's inbox.
Tip: You can use the “wildcards” to search for users:
• Use an asterisk (*) as a substitute for one or more characters.
• Use a question mark (?) as a substitute for one character.
• For example, use G* to find all values that start with G, or M?ller to
search for Miller and Muller.

9.4 Unreserving work items

To unreserve work items if a user reserved them via TCP Web Client or
Process Workplace:
• Right-click on a work item and select Undo Reserve on the context menu.
The work item list is updated immediately.
9.5 Resuming work items

To resume work items if you got an exception:
1. Locate the exception and correct it.
2. Right-click on a work item and select Resume on the context menu.
Enterprise Process Services tries to execute the work item again.
9.6 Viewing work item audits

To view audits of work items, see “Viewing audits” on page 36.
Note: The special permission ViewAudit controls who can view audits of
work items.

9.7 Viewing work item attributes
9.7 Viewing work item attributes

Note: The special permission ViewObjects controls who can view attributes
via work items.
To view attributes of work items:

1. Right-click on a work item and select View Attributes on the context menu.
Multiple values are separated with [ ].
9.8 Editing values of work item attributes

Note: The special permission ChangeWorkItem controls who can change
attributes of process instances via work items.
To modify the values of work item attributes:

1. Right-click on a work item and select View Attributes on the context menu.

2. Right-click on an attribute and select View Properties on the context menu.

The Attribute Properties dialog box opens.
3. Right-click on a value and select Add or Edit on the context menu to change
settings.
4. Modify the values as required and click OK to close the dialog box.
Note: The work item must not be “reserved” to be edited.
If you select more than one work item, the fields will only contain values if
they are the same for all selected classes.
The values are modified.
9.9 Viewing work item properties

To view properties of work items:
1. Right-click on a work item and select View Properties on the context menu.
The Work Item Properties dialog box opens and displays a list of the most
common work item properties.

9.10 Viewing work item status
9.10 Viewing work item status

To view the status information of a work item, see “Viewing graph” on page 37.
9.11 Viewing work item comments

To view comments of a work item, see “Viewing comments” on page 36.
Note: The special permission ViewComment controls who can view com-
ments of work items.

Chapter 10
Managing custom views
There can be a significant number of process classes, process instances and work
items in a company and you, as administrator, can quickly lose sight of the bigger
picture. This said, there are several ways to reduce (that is filter) the number of
process classes, process instances and work items displayed as a custom view. For
further information on filters, see “Filtering process classes, process instances and
work items” on page 68.
Custom views are configured and stored on your computer in your local profile. If
you open Process Administrator on another computer, connecting to the same
Enterprise Process Services, the custom views may be different.
With the Process Administrator installation some predefined custom views are
installed. You can manage custom views by using a context-sensitive menu in
Process Administrator.
Context menu If you right-click on a unselected custom view the content is not loaded but you can
use all commands of the context menu. This way you avoid that a lot of processes
will be loaded.
10.1 Displaying custom views

To display custom views:
• Select a custom view from the navigation tree to display the process classes,
process instances and work items in the list area on the right.

Chapter 10 Managing custom views
Refreshing the Right-click on a custom view and select Refresh on the context menu to retrieve the
view status from Enterprise Process Services and update the view.
10.2 Creating custom views

There are two ways to create a new custom view to filter certain process classes,
process instances and work items:
• Right-click on the custom views node and select New Custom View on the
context menu. For further information, see “Adding custom views” on page 66.
• To create a custom view of an existing process class or process instance, right-
click on a process class or process instance and select Create Custom View on
the context menu. For further information, see “Creating a custom view of an
existing process class, process instance or work item” on page 66.
10.2.1 Adding custom views

To add a new custom view:
1. Right-click on the custom views node and select New Custom View on the
context menu.
The Configure Custom View dialog box opens.
2. Enter a Name for the custom view. Select which Lists are returned when
selecting the custom view. Also select the Default List. For further information,
see “Editing custom views” on page 67.
3. To add a Filter condition, see “Adding new filter conditions” on page 68.
4. To edit filter conditions, see “Editing filter conditions” on page 69.
5. Click Ok.
The custom view is created and displayed in the custom views node of the
navigation tree.
To edit custom views, see “Editing custom views” on page 67.
10.2.2 Creating a custom view of an existing process class,

process instance or work item
To create a custom view of an existing process class, process instance or
work item:
• Right-click on a process class, process instance or work item and select Create
Custom View on the context menu.
The custom view is created and displayed in the custom view node of the
navigation tree.
If you create a custom view for a process class, the process class name and
version are used in the custom view name.

10.3 Editing custom views
If you create a custom view for a process instance, the process instance id is
used in the custom view name.
To edit custom views, see “Editing custom views” on page 67.
10.3 Editing custom views

To edit custom views to adjust them to your needs:
1. Right-click on a custom view and select Properties on the context menu.
2. Modify the fields as required:

Name
Enter the name of the custom view as shown in Process Administrator. The
name must be unique, otherwise you will overwrite another custom view
with the same name.
Lists
Mark the lists you want to display when a custom view is selected: Process
Classes, Process Instances, Work Items.
Tip: The more information is displayed, the more load is on Enterprise
Process Services. You should, therefore, deselect the lists you do not
necessarily need in a view.
Default List
Select the list you want to display by default in Process Administrator when
a custom view is selected.
3. To edit filter conditions, see “Editing filter conditions” on page 69.
4. Click OK to save your changes.

Note: If process attributes are used in a view configuration, the value is always
the attribute value at attribute index 0.
10.4 Cloning custom views

To clone a custom view to use the same settings as the original custom view:
• Right-click on a custom view and select Clone View on the context menu.
The custom view is cloned.
The name of the cloned custom view begins with Copy of. To rename the
custom view, see “Editing custom views” on page 67.
10.5 Deleting custom views

To delete custom views:
1. Right-click on a custom view and select Delete on the context menu.
2. Confirm the dialog box.
The custom view is deleted from your local Process Administrator
configuration.
10.6 Filtering process classes, process instances and

work items
10.6.1 Adding new filter conditions
You can create filter rules to collect specific process classes or process instances in a
separate list.

2. To add a new Filter condition, select Add.
The Edit Filter Condition dialog box opens.
3. To modify the filter condition, see “Editing filter conditions” on page 69.
4. Click OK.
A new filter condition is created.
You can add as many new filters you need.

10.6 Filtering process classes, process instances and work items
10.6.2 Editing filter conditions

To edit filter conditions according to your needs:
2. Select a Filter condition and click Edit.
The Edit Filter Condition dialog box opens.

Source
Select the object you want to filter.
Field
Select a field of the selected object.
Data object
The data object name is required for process attributes. For example, if the
filter condition evaluates the process attribute as _default.blnApproved =
true, the data object type is _default.
Note: You cannot use attributes from type LongString as filter
conditions.

Tips:
• You can find information about names, data objects and record
types of process attributes in the View Attributes dialog of process
classes.
• For an overview of field types, see “Filter fields” on page 110.
For further information on attributes, see section 8 "Working with
Dispositions" in OpenText Process Designer - Customizing Guide (PR-CPD).
Record type
The record type is required for process attributes. For example, if the filter
condition evaluates a virtual process attribute stored in a repository like
Livelink, enter the record type which contains the property.
Type
The type is required for process attributes. You must select the type of the
evaluated process attribute here.
Condition
The condition defines the evaluation operation. It depends on the data type
of the Field which condition can be selected.
Value
The value represents the default field value.
Tip: You can add “wildcards” to filter values when you use the
conditions Like or NotLike.
• For example, use G* to find all values that start with G, or M?ller to
search for Miller and Muller.
Searchable
Select the search flag to display the filter conditions in the filter section. For
further information, see “Searching with filter conditions” on page 70.
10.7 Searching with filter conditions

The filter section in the top right-hand corner of Process Administrator displays the
filters marked as “Searchable” in the Edit Filter Condition dialog.
The first column shows the value (for example ProcessInstance.CreationTime), the
second column displays the operator of the filter (for example <) and the third
column displays the default values defined in the custom view configuration (for
example 02.01.1970 00:00:00).

10.7 Searching with filter conditions
1. Select the custom view you want to search for with filter conditions.
The filter conditions are displayed.
2. Modify the values as required in the third column.
3. Click Search.
The results are displayed in the list area.
For further information on filters, see “Editing filter conditions” on page 69.

Chapter 11
Managing work queues
There are two types of work queues in TCP:
• A shared work queue (called Work Queue in the TCP GUI or in the BPM
Enterprise Connect Plugin) is a special inbox that grants shared access to
processes and documents for all users that are part of the specific process step.
This enables the users to work together on a pool of process work items.
• A personal work queue. There are different kinds of personal work queues:
Inbox, Started, Sent, Draft, and Postponed. They are visible in the Personal
drawer in the TCP GUI or in the BPM Enterprise Connect Plugin.
Notes:
• The special permission WorkQueueAdministration controls who can view
or change work queues.
• Administrative rights are required in User Management Server to configure
shared work queues because the proxy user settings are stored in User
Management Server.
• Work queues are not supported by Process Workplace. To use a similar
functionality as in TCP you can configure inbox views. For further
information, see section 14.7 "Configuring Views Settings" in OpenText
Enterprise Process Services - Installation Guide (PR-IGD).
11.1 Displaying work queues

To display work queues:
• Open a profile and select the Shared Work Queues or Personal Work Queues
node to display all work queues configured for this profile.

Chapter 11 Managing work queues
Refreshing the Right-click on a work queues node or a work queue in the list area and select
view Refresh on the context menu to retrieve the status from Enterprise Process Services
and update the view.
11.2 Creating new work queue

To create a new work queue:
1. Right-click on Shared Work Queues or Personal Work Queues depending on
the work queue type you want to create and select New Work Queue on the
context menu.
The Work Queue Properties dialog box opens.
The following dialog boxes provide different fields depending on the work
queue type.
Short name
Enter the short name for the work queue, for example Inbox.
Long name
Enter a descriptive name for the work queue, for example Inbox
outstanding accounts.
Type
Select the type of work queue items the work queue contains:
Inbox
Contains the work items that are assigned to the user.
Sent
Contains work items that are submitted by the user.
Started
Contains work items that are started by the user.
Postponed
Contains work items postponed for later processing by the user.
Draft
Contains work items that are already initiated but not submitted to the
next process step by the user.
Description
Enter a description for the work queue, for example Inbox for outstanding
accounts.
Click Next.

3. Modify proxy settings as required (only for shared work queues):

Proxy User
To select the user acting as proxy user to access the work queue items, click
Select. The proxy user is immediately applied in User Management Server
after creating a new work queue.
Notes:
• Administrative rights are required in User Management Server to
configure shared work queues because the proxy user settings are
stored in User Management Server.
• Assigning a new group to an existing proxy user changes the proxy
user and leads to errors in other work queues using the same proxy
user. If you need several user groups create proxy users with
miscellaneous user groups.
Access Users
To select the users using this work queue and process the containing work
items, click Select. You can select either single users or groups. The users are
immediately applied in User Management Server after creating a new work
queue.
Click Next.

4. Click New to add a new column, or modify column settings as required. To

enter a description, double-click in a field.
Tip: TCP: On every work queue list occurs 4 additional columns (icons
only) that are not editable by Process Administrator: Indicator, Reserved,
Inspect, Priority. That is, you cannot create your own settings for this
columns.
Short Name
Enter the short name of the column that is visible in the work queue list.
Source
Select the source that can either be a predefined value or a data object name
that is valid for the work item.
Note: If the _initiator source is used, the proxy user needs the
ViewProcessInstance permission to see the item in the work queue. If
the user does not have this permission, the work item is not added to
the work queue result list.
Field
Select a field name containing a
• predefined list of fields that are valid for the selected source, or a
• free-text field if the source is a data object name.
Type
Select the type for a data object field. For a predefined field the type is read-
only.

Format
Enter a .Net specific type formatter that can either be a predefined value
depending on the field type or a custom formatter with a defined free-text.
Width
Enter the column width in pixel.
Sortable
Mark it to allow the user to sort the work queue by this column.
Note: If a work queue definition contains a multivalue property then
disable sorting, otherwise the work queue is no longer accessible.
Sort Order
Define the sort order of the column by Descending or Ascending. You can
select only one column for sorting.
Filter
An asterisk in the filter button marks an already existing filter (...*).
To define a filter, click the filter button ....
The Edit Work Queues Filer dialog box opens.
Field
Displays the field name.
Source
Displays the source name.
Allow the user to change this filter
Select the check box to allow the user to change the filter criteria for this
column.
Notes:
• OpenText recommends to have as less as possible filterable
columns for performance reasons. Filtering can decrease the
refresh times for the end users.
• If the user changes the filter criteria and applies it, the
predefined filter is replaced with these settings and cannot be
reset.
• TCP: You can customize more filter options as can be displayed.
Therefore the search result does not match the search criteria and
more hits are displayed. Supported filters are:
• For boolean: only
• For date/time: >= and <
• For other types: = and Like

Operator
Displays the operator depending on the field type.
• =: equal
• !=: unequal
• >: greater
• <: lower
• >=: greater or equal
• <=: lower or equal
• Like: like
Tip: You can use the “wildcards” to search for users:
• For example, use G* to find all values that start with G, or
M?ller to search for Miller and Muller.
Criteria
Displays the filter criteria depending on the field typ.
Click New to add a new filter and select an operator from the predefined list
depending on the field type.
Click OK to save your changes.
Click Finish.
The new work queue is created and displayed in the list area.

11.3 Deleting work queues
11.3 Deleting work queues

To delete a work queue:
1. Right-click on a work queue and select Delete on the context menu.
The work queue is deleted.

11.4 Editing work queues

The dialog box to edit work queues contains the same fields as the creating work
queue dialog boxes only displayed on different tabs.
To edit a work queue:

1. Right-click on a work queue and select Edit on the context menu.
The Edit Work Queue dialog box opens.
2. To modify General settings as required, see step 2 in “Creating new work
queue” on page 74.
3. To modify Proxy User settings as required, see step 3 in “Creating new work
4. To modify Columns settings as required, see step 4 in “Creating new work

Chapter 12
Managing BAM reports
Business Activity Monitoring (short: BAM) provides business intelligence to your
TCP solution. With BAM you can retrieve multi-dimensional performance
indicators and thus monitor and optimize your processes. For further information
on BAM reports, see part 3 "Business Activity Monitoring" in Open Text
Transactional Content Processing - Scenario Guide (TCP100001-GCS).
Note: The special permissions WorkQueueAdministration and
ReportAdministration control who can view or change reports.
12.1 Displaying BAM reports

To display BAM reports:
• Open a profile and select BAM Reports to display all reports configured for this
profile.
Refreshing the Right-click on BAM Reports and select Refresh on the context menu to retrieve the
view status from Enterprise Process Services and update the view.
12.2 Deleting BAM reports

To delete a BAM report:
1. Right-click on a BAM report and select Delete on the context menu.
The BAM report is deleted.

Chapter 12 Managing BAM reports
12.3 Updating BAM reports

To update a BAM report:
1. Right-click on a BAM report and select Update on the context menu.
The Browse For Folder dialog box opens.
2. Select the file you want to import and click Open.
The BAM report is updated with the new settings. However the BAM report id
does not change.

Chapter 13
Managing jobs
Jobs are periodically executed automation tasks in Enterprise Process Services.
There are two types of jobs:
• Maintenance: Executes maintenance tasks, for example cleanup of finished
process instances.
• Miner: Performs process analysis, for example to provide numerical and
statistical information about activities, system events and documents as Business
Activity Monitoring (BAM) reports. For further information on BAM reports, see
“Managing BAM reports” on page 81.
The job execution is handled by the subsystems Dispatcher and Worker which are
working hand in hand.
The dispatcher executes PMQL queries (Process Management Query Language, the
query language of Enterprise Process Services) based on a cron-schedule, finds
affected objects based on configurable conditions with it and sends these items to
the worker. The worker loads the transformation rule and invokes the associated
transformer. The transformer contains the logic for creating the miner metrics or for
the maintenance tasks.
The dispatcher does not execute queries for the object types Timestamp and
Timestamp Topic. These types serve as a time-based triggers for certain
transformers. Object type Timestamp is dispatched to only one node in a cluster,
object type Timestamp Topic is dispatched to all cluster nodes.
Note: The special permissions JobAdministration and QuartzAdministration
control who can view or change jobs.

Chapter 13 Managing jobs
13.1 Displaying jobs

To display jobs:
• Open the Jobs node and select the Maintenance or Miner node to display all
jobs.
Refreshing the Right-click on the Jobs node or a job in the list area and select Refresh on the
view context menu to retrieve the status from Enterprise Process Services and update the
view.
13.2 Creating new jobs

To create a new job:
1. Right-click on Maintenance or Miner depending on the job type you want to
create and select New Job on the context menu.
The Job Properties dialog box opens.
Identifier
Enter the name for the job, for example ProcessInstanceCleanUp. The name
must be unique in the system.
Object Type
Select the object type:
Process Instance
The job performs actions on process instances only and processes the
start and end date and time information.
Timestamp
The job executes when a timestamp object type is received in a message.
The job is executed on only one node in a cluster.
Timestamp Topic
The job executes when a timestamp topic object type is received in a
message. It is distributed to workers on all cluster nodes.
Transform Rule
The transform rule is delivered with the Enterprise Process Services
installation.
The following combinations of object types and transform rules are
supported:
Maintenance
Object type
ProcessInstance

Transform rule
eps.maintenance:CleanupProcessInstance
Description
The job selects only finished or aborted process instances and
removes them from the process database.
Miner
Object type
ProcessInstance
Transform rule
eps.miner:ActivitiesDailyMonthlyYearly
Description
Creates analysis on steps and process instances.
Object type
ProcessInstance
Transform rule
eps.miner:Process InstanceDailyMonthlyYearly
Description
Creates analysis on process instances only.
Object type
TimestampTopic
Transform rule
eps.miner:VMStatsHourlyDailyMonthly
Description
Creates technical statistics about the virtual machine of every
application server node.
Select the transform rule which is executed on the object type and click Next.

3. Modify the schedule settings as required:

Type
Select Hourly, Daily, or enter your own cron job settings as Expert (see
below).
At
Select time when the job starts.
Between (only for Hourly cron job settings)
Select hours when the job starts.
Every (only for Daily cron job settings)
Select days when the job starts.
Cron-Expression
Displays the cron-expression of the configured cron job.
Expert
Enter your own cron job settings.
Cron-Expression is a string comprised of 6 fields separated by white space.
The 6 mandatory and 1 optional fields are as follows:
Table 13-1: Cron-Expressions
Field Name Allowed Values Allowed Special Char-

acters
Seconds 0-59 ,-*/
Minutes 0-59 ,-*/

Field Name Allowed Values Allowed Special Char-

acters
Hours 0-23 ,-*/
Day-of-month 1-31 ,-*?/LWC
Month 1-12 or JAN-DEC ,-*/
Day-of-Week 1-7 or SUN-SAT ,-*?/LC#
Tips:
• The “*” character is used to specify all values. For example, “*” in
the minute field means “every minute”.
Pay attention to the effects of “*” in the day-of-week and day-of-
month fields.
• The “?” character is allowed for the day-of-month and day-of-week
fields. It is used to specify “no specific value”. This is useful when
you need to specify something in one of the two fields, but not the
other. For further information, see the examples below.
Pay attention to the effects of “?” in the day-of-week and day-of-
month fields.
• The “-” character is used to specify ranges For example “10-12” in
the hour field means “the hours 10, 11 and 12”.
• The “,” character is used to specify additional values. For example
“MON,WED,FRI” in the day-of-week field means “the days
Monday, Wednesday, and Friday”.
• The “/” character is used to specify increments. For example “0/15”
in the seconds field means “the seconds 0, 15, 30, and 45”. And
“5/15” in the seconds field means “the seconds 5, 20, 35, and 50”.
• The “L” character is allowed for the day-of-month and day-of-week
fields. This character is short-hand for “last”, but it has different
meaning in each of the two fields. For example, the value “L” in the
day-of-month field means “the last day of the month”.
If used in the day-of-week field it simply means “7” or “SAT”. But if
used in the day-of-week field after another value, it means “the last
xxx day of the month”, for example “6L” means “the last Friday of
the month”. Using the “L” option it is important not to specify lists,
or ranges of values, as you will get confusing results.
• The “W” character is allowed for the day-of-month field. This
character is used to specify the weekday (Monday-Friday) nearest
the given day. For example, if you specify “15W” as the value for
the day-of-month field it is “the nearest weekday to the 15th of the
month”. So if the 15th is a Tuesday, then it will start on Tuesday the
15th. If the 15th is a Saturday, it will start on Friday the 14th, and if

the 15th is a Sunday, it will start on Monday the 16th. However if

you specify “1W” as the value for day-of-month, and the 1st is a
Saturday, it will start on Monday the 3rd, as it will not jump over
the boundary of a month's days. The “W” character can only be
specified when the day-of-month is a single day, not a range or list
of days.
You can also combine the “L” and “W” characters for the day-of-
month expression, which means “last weekday of the month”.
• The “C” character is allowed for the day-of-month and day-of-week
fields. This character is short-hand for “calendar” and means values
are calculated against the associated calendar, if any. If no calendar
is associated, then it is equivalent to having an all-inclusive
calendar. A value of “5C ” in the day-of-month field means “the first
day included by the calendar or after the 5th”. A value of “1C” in
the day-of-week field means “the first day included by the calendar
on or after Sunday”.
• The “#” character is allowed for the day-of-week field. This
character is used to specify “the nth” XXX day of the month. For
example, the value of “6#3” in the day-of-week field means the third
Friday of the month (day 6 = Friday and “#3” = the 3rd one in the
month). Other examples: “2#1” = the first Monday of the month and
“4#5” = the fifth Wednesday of the month. Note that if you specify
“#5” and there is not 5 of the given day-of-week in the month, then
no firing will occur that month.
• The legal characters and the names of months and days of the week
are not case sensitive.
Example 13-1: Cron-Expressions
Expression Meaning
0 012 * * ? Start at 12pm (noon) every day
0 15 10 ? * * Start at 10:15am every day
0 15 10 * * ? Start at 10:15am every day
0 15 10 * * ? * Start at 10:15am every day
0 * 14 * * ? Start every minute starting at 2pm and
ending at 2:59pm, every day
0 0/5 14 * * ? Start every 5 minutes starting at 2pm
and ending at 2:55pm, every day
0 0/5 14,18 * * ? Start every 5 minutes starting at 2pm
and ending at 2:55pm, AND start every
5 minutes starting at 6pm and ending at
6:55pm, every day

Expression Meaning
0 0-5 14 * * ? Start every minute starting at 2pm and
ending at 2:05pm, every day
0 10,44 14 ? 3 WED Start at 2:10pm and at 2:44pm every
Wednesday in the month of March
0 15 10 ? * MON-FRI Start at 10:15am every Monday, Tues-
day, Wednesday, Thursday and Friday
0 15 10 15 * ? Start at 10:15am on the 15th day of
every month
0 15 10 L * ? Start at 10:15am on the last day of every
month
0 15 10 ? * 6L Start at 10:15am on the last Friday of
every month
0 15 10 ? * 6#3 Start at 10:15am on the third Friday of
every month
Click Next.
4. Modify conditions (only for object type Process Instance):

Condition
Enter a PMQL query where condition for job filtering. For both job types
(miner and maintenance) a PMQL sample is already specified. For further

information on the PMQL syntax, see Open Text Enterprise Process Services
10.0.1 PMQL - Process Management Query Language
(https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15
252881&objAction=browse&viewType=1).
The PMQL query consists of a fixed part (depending on the job type) and a
dynamic condition part which can be configured.
Conditions support two different replacement tags:
• Last run time of the dispatcher: {_dispatcher.LastRunTime}
<And>
<ProcessInstance.Status
Condition="=">2</ProcessInstance.Status>
<ProcessInstance.ProcessClassName
Condition="Like">*</ProcessInstance.ProcessClassName>
<ProcessInstance.EndTime
Condition=">">{_dispatcher.LastRunTime}</ProcessInstance.End
Time>
</And>
• Current time with a given offset, for example 60 days back (h for hours, d
for days): {_dispatcher.CurrentTime,-60d}
<And>
Condition="=">2</ProcessInstance.Status>
<ProcessInstance.ProcessClassName
Condition="Like">*</ProcessInstance.ProcessClassName>
Condition="<">{_dispatcher.CurrentTime,-
60d}</ProcessInstance.EndTime>
</And>
Example 13-2: Finished instances of the class Accounts Payable that

have been finished or aborted 30 days ago or earlier
<And>
Condition="In">2;5</ProcessInstance.Status>
<ProcessInstance.ProcessClassName Condition="=">Accounts
Payable</ProcessInstance.ProcessClassName>
Condition="<">{_dispatcher.CurrentTime,-
30d}</ProcessInstance.EndTime>
</And>
Click Finish.
The new job is created and displayed in the list area.

13.3 Deleting jobs
13.3 Deleting jobs

To delete a job:
1. Right-click on a job and select Delete on the context menu.
The job is deleted.
13.4 Starting jobs

Note: The special permission QuartzAdministration controls who can start
jobs.
You can start a job only if it is stopped.
To start an job:
• Right-click on a job and select Start on the context menu.
The job is started.
Tip: You can select multiple jobs.
13.5 Stopping jobs

Note: The special permission QuartzAdministration controls who can stop
jobs.
You can stop a job only if it is started.

To stop an job:
• Right-click on a Job and select Stop on the context menu.
The job is stopped.
Tip: You can select multiple jobs.
13.6 Editing jobs

The dialog box to edit jobs contains the same fields as the creating job dialog boxes
only displayed on different tabs.
To edit a job:
1. Right-click on a job and select Edit on the context menu.
The Edit Job dialog box opens.
2. To modify general settings as required, see step 2 in “Creating new jobs” on
page 84.
3. To modify schedule settings as required, see step 3 in “Creating new jobs” on
page 84.
4. To modify condition settings as required, see step 4 in “Creating new jobs” on
page 84.

Chapter 14
Managing agents
Agents do some background working, such as execute java scripts. You can manage
agents by using a context-sensitive menu in Process Administrator.
To add agents and reference these agents in the process properties of a process using
Process Designer, see section 5.3.1 "Details on Using the Agent Step" in OpenText
Process Designer - Customizing Guide (PR-CPD).
For further information on agents, for example permissions, types, see Open Text
Enterprise Process Services Agent Framework
(https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15252881
&objAction=browse&viewType=1).
Upgrading To upgrade agents import the new agent registrations, see “Importing agent
agents registrations” on page 108.
Note: The special permissions AgentAdministration control who can view or
change agents.
14.1 Displaying agents

To display agents:
• Select the Agent node to display all agents configured on the server in the list
area.

Chapter 14 Managing agents
Refreshing the Right-click on the Agent node or an agent in the list area and select Refresh on the
view context menu to retrieve the status from Enterprise Process Services and update the
view.
14.2 Registering agents

To work with agents you must register it to Enterprise Process Services. Afterwards
define the agent step in Process Designer.
To use custom java agents deploy to Enterprise Process Services first. For further
information, see section 9 "Process Interface for Wf-XML Installation" in OpenText
Enterprise Process Services - Installation Guide (PR-IGD).
To register an agent:
1. Right-click on the Agents node and select Register Agent on the context menu.
The Agent Registration dialog box opens.
Agent Id
Enter the id of the Enterprise Process Services agent.
Agent Type
Mark the Agent Type you want to use: Asynchronous, Synchronous,
External.
Agent class name
Enter the class name for the agent type asynchronous or synchronous, for
example com.opentext.ecm.bpm.agent.ScriptAgent.
For an external agent type the class name is specified as
com.opentext.ecm.bpm.agent.ExternalAgent and must not be changed.
Max. Fatal Error Count

Enter the maximum fatal error count before the agent is shutting down.
Default is 20.
Trigger Interval
The property is only available for the agent type Asynchronous. Enter the
trigger interval of the agent. Default is 1 second.
The agent is registered and displayed in the list area.

14.3 Unregistering agents
14.3 Unregistering agents

To unregister an agent does not delete the agent itself but the registration to
Enterprise Process Services
To unregister an agent:
1. Right-click on an Agent and select Unregister on the context menu.
The Confirm Agent Unregister dialog box opens.
Tip: You can select multiple agents.
2. Click Yes to unregister the agent.
The agent is unregistered and removed from the list area.
14.4 Starting agents

You can start an agent only if it is stopped and from type synchronous or
asynchronous.
To start an agent:
• Right-click on an Agent and select Start on the context menu.
The agent is started.

Chapter 14 Managing agents
14.5 Stopping agents

You can stop an agent only if it is started and from type synchronous or
asynchronous.
To stop an agent:
• Right-click on an Agent and select Stop on the context menu.
The agent is stopped.
14.6 Clearing counters

You can only clear the counters if the value is greater than 0.
To clear the counter for an agent:

• Right-click on an Agent and select Clear Counters on the context menu.
The counters are cleared.
14.7 Editing agents

You can edit all agent properties except the agent id.
To edit an agent:
1. Right-click on an Agent and select Edit on the context menu.
The Edit Agent Registration dialog box opens.
2. Modify the values as required (see “Registering agents” on page 94) and click
OK to close the dialog box.
14.8 Viewing agent audits

To view the audits of an agent, see “Viewing audits” on page 36.

Chapter 15
Inflight changes
“Inflight changes” brings agility into the world of well-defined transactional
business processes of Enterprise Process Services. They allow to incorporate
organizational changes faster, for example new approval policies effective on a
certain day which can be applied to existing process instances. Also you can apply
changes or fixes to existing process definitions with a minimum influence of the
users, for example replacing a form on a certain step.
You can set a new process class (superior process class) for a single process instance
or a complete custom view.
Set a superior process class in two steps:
• Connect a process class to set a superior process class for a process class (see
“Connecting class” on page 97)
• Re-link instances to map the existing process instances of the origin process class
to the superior process class (see “Re-link instances” on page 101)
Notes:
• The original class cannot be set as new class (successor class).
• The Re-link Instances command on the context menu is disabled when the
view of the node is not loaded.
• When upgrading process instances using inflight changes the old process
class must not be set to invisible. Otherwise the currently active work items
are not displayed anymore.
15.1 Connecting class

The new superior process class must be selected from the existing classes. Therefore
you can use the filter search to find the superior process class.
1. Right-click on a process class, process instance or custom view you want to

change, and select Advanced - Connect Class on the context menu.
The Connect Class dialog box opens.
Tip: To add the column Successor Class in the program window, see
“Customizing the view of the list area” on page 39.

Chapter 15 Inflight changes
2. Search for a superior process class.

To use the active filter enter a process class name or “wildcards”, for example *
as a substitute for one or more characters, or a question mark ? as a substitute
for one character. Also you can select a process status.
Click Search.
The superior process class(es) are displayed but without the original process
class. The original process class cannot be set as successor process class.
Tip: If no process classes are found use the inactive filter to search for all
process classes.

15.1 Connecting class
3. Select a superior process class and click Next.

The differences of the two process classes are displayed:
• New process class name
• Number of errors found
• Number of differences found
The Original process class name and his Version are displayed above the filter
search.
To avoid usage of the original process class select Set status of original process
class to inactive. If the original process class is already inactive this check box
cannot be selected.
Select Open re-link instances dialog to proceed with the next step. Do not select
the check box if you want to finish later, see “Re-link instances” on page 101.

Important
• Properties of deleted or added steps (nodes) and connections are not
listed.
• Existing work items of the old instance will not be changed. This
means, for example, if a work item exists on a step with a time
restriction in the superior process class, the time restriction is not
added to this work item after the re-link. If a new work item is
created the restriction of the superior process class will be assumed.
• For the “creation date” and “author e-mail” changes (possible to set
via Process Designer) no information will be listed.
• Renaming of objects, for example connections, is similar to deleting
and adding them.
• Some elements (time restrictions, client systems, permissions, class
attachment references and data restrictions) are distributed from
“process class” over “step” to “connection”. If one of this elements
will be added, removed or changed the proper error/difference is
added more times to the displayed result list.
Note: The superior process class can only be set if no errors exist.
Tip: You can save the differences of the process classes in a XML file.
Right-click on Save difference list and select the destination.
4. Click Previous to solve the errors or click Finish to set the successor class.
To solve errors either select another process class or upload a new process class
without errors and select this new process class.

15.2 Re-link instances
15.2 Re-link instances

To re-link process instances to a superior process class the process instances will be
locked and set to transition status. This means users can proceed with their work
but no work item of the process instance can be reserved.
Notes:
• Process instances with work items reserved by users cannot be re-linked.
You must re-link the process instances after unreserving the work items
again.
• All work items of an instance in transition state cannot be opened. The user
who reserved the work item is able to unreserve or sent it. If he tries to open
a work item he gets the message “The work item could not be reserved”.
The Re-link instances dialog can be opened from different views:
• Process class view, with all process instances from the selected process class.

• Process instance view, where one or more instances can be selected.

• Custom view, with filters for the process classes, process instances and work
items.
1. Select the process class or process instance(s) you want to re-link, right-click and
select Advanced - Re-Link Instances on the context menu.
The Lock all selected process instances dialog box opens.
2. The number of found process instances which will be locked is displayed.
Note: Only process instances with status active or transition can be locked.
Click Next.
The Re-link process instances dialog box opens.
3. The status of the process instances is set to transition. Further information is
displayed:
• Available number of process instances which will be re-linked.
• Number of process instances with work items reserved by users.
• A list of work items which could not be locked. These work items are
reserved by users.
Tip: You can save information about the work items reserved by users in a
XML file. Right-click on Save list and select the destination.
Click Finish to re-link the process instances.
4. All process instance are re-linked and set to active.
If the process class of the process instance does not have any successor process
class the instance cannot be re-linked. Also a process instance cannot be re-
linked if a data object with the same name as the successor process class is
attached on a process class.
Tip: You can save the result of the re-link process in a XML file. Right-click
on Save list and select the destination.
Click Close to close the dialog box.
15.3 Re-link exceptions

Some changes are not allowed between the original and the successor process class.
Unless not stated explicitly, the changes are allowed without conflict resolution.

15.3 Re-link exceptions
Not allowed Changes for following elements and properties are not allowed:
changes for
elements and
properties
Element “Process Class”

• Property Name
• Property Start step
Element “Step”
• Delete a step
• Property Name
• Property Object class (step class)
Element “Connection”
• Delete a connection
• Property Start step
• Property Target step
Element “(Data) Object”
• Delete a object
• Property Name
• Property Object type
• Property Record type
• Property Reserved state
• Property Type (normal, constant, private)
Element “Attribute”
• Delete an attribute
• All properties
Element “Disposition”
• Add values
• Remove values
Allowed changes Changes for following element and property are allowed:
for elements and
properties
Element “Attribute”
• Change values of an attribute (only change no remove/add)

Note: If you change the values of a disposition field these changed values are
only displayed for new instances. For running instances the old disposition
values are displayed.
Not allowed Changes for the following step types are not allowed:
changes for step
types
Step type “Start step”

• All properties
Step type “End step”
• All properties
Step type “Sub process step”
• Property Mode
Step type “Split step”
• All properties
Step type “Join step”
• All properties
Step type “Normal step”
• Property Type
• Property Behaviour
• Property Disposition

Chapter 16
Transporting settings
You can transport settings and processes from one system to another, for example
from a test system to a productive system.
16.1 Transporting process class definition

To transport a process class definition:
1. Download the process class definition. To do so, right-click on a process class
and select Download Definition on the context menu.
The Process Class Definition dialog box opens.
2. Specify the directory where you want to save the definition and click Save.
Process Administrator downloads a zip package which contains the process
definition, process forms and design time attachments as it was uploaded by
Process Designer.
3. Upload the process class definition to another system by Process Designer, see
section 4.1.1 "Creating a Project" in OpenText Process Designer - Customizing
Guide (PR-CPD) and section 4.2.4 "Adding an Existing Process to a Project" in
OpenText Process Designer - Customizing Guide (PR-CPD).
Tip: The preferred way to deploy an existing process class definition to another
system is uploading the original process definition using Process Designer.
Downloading the definition in Process Administrator should only be used if
the original process definition is lost.
16.2 Transporting work queue configurations

The work queue transport consists of the two xml files workQueues.xml and
workQueueDefs.xml and contains all work queues of a specific profile. In general
these two files are located in a folder with the name of the appropriate profile.
Note: The work queue transport for shared work queues contains the proxy
user id but not the access user ids for this user as this is a user property. All
work queue columns containing the field WqlId are dropped during import
because the TCP Web Client does not support this field.

Chapter 16 Transporting settings
16.2.1 Exporting work queue configurations

To export work queue configurations:
1. Right-click on a profile and select Export Work Queue on the context menu.
2. Specify the directory where you want to save the transport folder and click OK.
A sub folder with the name of the profile is created containing the two xml files
with the work queue configurations.
16.2.2 Importing work queue configurations

To import work queue configurations:
1. Right-click on a profile and select Import Work Queue on the context menu.
2. Select the folder containing the two xml files with the work queue definitions
you want to import and click OK.
The work queue configurations are imported.
16.3 Transporting report configurations

A report configuration is a single xml file that contains all parameters of the
specified report.
16.3.1 Exporting report configurations

To export report configurations:
1. Open a profile, select BAM Reports and then select a report in the list area.
2. Right-click on the report and select Export on the context menu.
The Save As dialog box opens.
3. Specify the directory where you want to save the report file, enter a file name
and click Save.
The report configuration is saved in the xml file.

16.4 Transporting job configurations
16.3.2 Importing report configurations

To import report configurations:
1. Open a profile, right-click on BAM Reports and select Import Report on the
context menu.
The report configuration is imported.
16.4 Transporting job configurations

The job transport consists of a single xml file that contains all job configurations of
the appropriate job type.
16.4.1 Exporting job configurations

To export job configurations:
1. Open the Jobs node, right-click on the Maintenance or Miner node and select
Export Jobs on the context menu.
2. Specify the directory where you want to save the transport file, enter a file name
and click Save.
All job configurations are saved in the xml file.
16.4.2 Importing job configurations

To import job configurations:
1. Open the Jobs node, right-click on the Maintenance or Miner node and select
Import Jobs on the context menu.
The Open dialog box opens.
The job configurations are imported.

Chapter 16 Transporting settings
16.5 Transporting agent registrations

The agent transport consists of a single xml file that contains all agent
configurations.
16.5.1 Exporting agent registrations

To export agent registrations:
1. Right-click on Agents and select Export List on the context menu.
2. Specify the directory where you want to save the transport file, enter a file name
and click Save.
All agent registrations are saved in the xml file.
16.5.2 Importing agent registrations

To import agent registrations:
1. Right-click on Agents and select Import List on the context menu.
The Open dialog box opens.
The agents are imported.

Chapter 17
Reference
17.1 Icons
Process groups The following table provides an overview of all available process group and process
and process class icons.
classes
Icon Type Explanation

All classes All classes
New classes New classes, not activated
Classes active as Process classes that can be selected in the Reports list by the
report user
Active classes Active, can be selected from the Start Process list by the user
Invisible classes Invisible, cannot be selected by the user. Process class and
the instances or work items are not visible for the user, not
even via a report
Inactive classes Inactive, cannot be started, instances are processed to the
end node as designed
Process The following table provides an overview of all available icons of process instances.
instances

New Draft instances, not activated
Active Active instances
End Ended instances
Suspend Suspended instances
Abort Aborted instances
Transition Instances in transition state
Work items The following table provides an overview of all available work item icons.

Chapter 17 Reference

Active Active work items
Active (Member
Accept)
Active (Member
Auto Accept)
Standard work Other work item status
items
End Ended work items
Exception = Yes Work items with exception flag set to Yes
Suspend Suspended work items
Jobs The following table provides an overview of all available job icons.

Run Running jobs
Stop Stopped jobs
Agents The following table provides an overview of all available agent icons.

Run Running agents
Stop Stopped agents
No status External agents with unknown status
Error Stopped agent due to maximal fatal error counts (see

“Registering agents” on page 94)
17.2 Filter fields

The following table provides an overview of available filter fields for process
classes.
Field Type Explanation

Id String Unique process class ID
Name String Process class name
Author String Process author
CompletionAction String Process completion action
DisplayName String Process class display name

17.2 Filter fields
Field Type Explanation

Title String Default title for work items
DefaultLanguage String Process class default language
Version String Process class version
Status Integer Process class status
0: New
1: Active
2: Inactive
3: Active As Report
Priority Integer Process class priority
-1: Low
0: Normal
1: High
AuditLevel Integer Process audit level
0: No Audit
10: Basic Events
20: Advanced Events
30: Regulated Processing
40: All Events
CreationTime Long Process creation time.
The following table provides an overview of available filter fields for process
instances.
Property Field Explanation

Id String Unique process instance id.
ProcessClassId String Unique process class id
Initiator.Id String Instance initiator user id.
Initiator.Email String Instance initiator email address
Initiator.DisplayName String Instance initiator display name
Initiator.Name String Instance initiator name
Initiator.WqlId String Instance initiator WQL id
InitiatorStep String Name of the initiator step
ProcessClassName String Name of the process class
DueTimeCount Integer Instance due time count

Chapter 17 Reference
Property Field Explanation

Priority Integer Process instance priority
-1: Low
0: Normal
1: High
CreationTime Long Instance creation time
DueTime Long Instance due time
The following table provides an overview of available filter fields for process work
items.
Property Field
Id String
CurrentStep String
CurrentConnection String
Title String
ProcessInstance String
User.Id String
User.Email String
User.DisplayName String
User.Name String
User.WqlId String
LastUser.Id String
LastUser.Email String
LastUser.DisplayName String
LastUser.Name String
LastUser.WqlId String
OriginalUser.Id String
OriginalUser.Email String
OriginalUser.DisplayName String
OriginalUser.Name String
OriginalUser.WqlId String
AgentId String
SubProcessWorkItemId String
LastUser.OutOfOffice Integer

17.2 Filter fields
Property Field
User.OutOfOffice Integer
Status Integer
ReceivedAction Integer
SentAction Integer
DueTimeCount Integer
Priority Integer
OutOfOffice Integer
Disposition Integer
ExceptionStatus Integer
CreationTime Long
DueTime Long
PostponeTime Long
OpenedTime Long
ReceivedTime Long
SentTime Long
StepLate Boolean

Part 2
Open Text TCP Application Server
administration
Part 2 Open Text TCP Application Server administration
This part describes the administration of TCP Application Server using TCP
Configuration and TCP Application Manager.
With TCP Configuration and TCP Application Manager you perform the following
tasks:
• Administer auditing and classification
• Create and manage TCP projects
• Maintain the connections to other servers in the TCP landscape
• Monitor the logging
• Re-configure TCP Application Server
“Prerequisites” on page 117
This chapter describes how to set up the effective system user and how to deploy
the TCP Application Manager.
“Administering audit entries” on page 121
This chapter explains how to set up and manage the auditing functionality.
“Administering classification” on page 127
This chapter explains how to manage the classification functionality.
“Administering Open Text TCP” on page 133
This chapter describes how to monitor and administer TCP using the TCP
Configuration. It also contains a section about the re-configuration of TCP
Application Server.
“Re-configuring TCP Application Server” on page 161
This chapter describes the re-configuration of TCP Application Server using the
TCP Configuration Web GUI or TCP installer.
“Configuring and customizing the TCP application” on page 167
This chapter describes how to configure the TCP application via changes of the
configuration files. It is also explained how the application can be rebuilt and
deployed.

Chapter 18
Prerequisites
Before you can start administering TCP, you must perform the following tasks:
• Set up the effective system user (for example BizEffectiveUser_default) for
connecting to TCP Context Server. For details about
BizEffectiveUser_default, see BizEffectiveUser_default on page 350.
• Deploy TCP Application Manager. This tool is needed for the auditing as well as
classification administration. For details, see “Working with TCP Application
Manager (PDMS UI only)” on page 117.
Important
TCP Application Manager is available only with PDMS UI.
18.1 Managing system users

TCP Application Server uses the effective system user (for example
BizEffectiveUser_default) in the group BizEffectiveUsers. For more
information, see BizEffectiveUser_default on page 350.
18.2 Working with TCP Application Manager (PDMS

UI only)
With TCP Application Manager, you can manage additional functionality for all
projects, for example evaluating audit entries that are created in TCP Web Client,
TCP Modeler or TCP Context Server or defining classification for documents across
applications.
Note: TCP Application Manager is available only with PDMS UI.
To set up TCP Application Manager:

TCP Application Manager is a TCP project that is available in the templates
directory of TCP Modeler and has to be deployed as any other TCP project.
1. Import the transport file <TCP Modeler installation
directory>/Templates/ApplicationManager.ixtrns in TCP Modeler.
Example for path: C:\Program Files\Open Text\TCP Modeler 10.0.1\-
Templates\ApplicationManager.ixtrns

Chapter 18 Prerequisites
2. Deploy the project in TCP Configuration; see “Open Text TCP Application
Server administration” on page 115.
To log on to TCP Application Manager:

1. Enter the URL for TCP application and select the Application Manager project.
http(s)://<COMPUTER name>:<PORT>/TCP
2. Enter the required log on information.

User log on
Log on as a member of the AuditOfficers or ClassificationOfficers
group. The standard user is DMSAdmin.
Tip: It is not possible to log on to different applications on the same
server with the same browser sessions. However, two different browser
sessions on the same client are possible.
Password
Enter the password for the user.
3. Click Login.
4. If you belong to more than one user group, a page is displayed after you log on,
where you must select the user group you want to work with.
Select the user group in the selection box, and click Login or click Enter.
The GUI opens with the initial Query page.
With the single-sign-on feature, you do not have to log on to PDMS Web Client
explicitly. If configured accordingly, your general system log on can be used to
access PDMS Web Client directly. In this case, the log on page is skipped and the
starting page, respectively the group selection page is displayed immediately.

18.2 Working with TCP Application Manager (PDMS UI only)
Note: If your computer uses the HTTP protocol and SSL (Secure Socket Layer)
to communicate with the server, it may be necessary to install an SSL certificate
on your computer when you start the program for the first time. This SSL
certificate identifies the addressed server as a trustworthy source.
For questions concerning the installation of such certificates, contact your
system administrator.
The TCP Application Manager GUI

Application Manager is based on PDMS UI (PDMS Web Client) and thus includes
the same GUI features as any other such application, for example, a navigation area,
general functions, queries and hit lists, favorites, etc.

Chapter 19
Administering audit entries
TCP Application Manager allows you to:
• Display audit entries, including those not related to a record or document, for
example log on or log out actions
• Search for entries that match certain criteria
• Delete obsolete entries
• Print the hit list of entries
• Export the hit list of entries in .xls format
These functions are described in the following sections. Configuration of queries on
audit entries is described in the Open Text TCP Modeler - Customization Guide
(TCP100001-CGD).
All other general PDMS UI functions such as working with hit lists, queries, or
favorites, are described in the Open Text Transactional Content Processing - User Guide
(TCP100001-UGD).
Important
While any user with the required permission can view the audit entries for a
particular item directly within PDMS UI, only a designated Record
Manager/Administrator belonging to the group AuditOfficers can work
with TCP Application Manager.
19.1 Finding and displaying audit entries

The audit entries for a particular item can be viewed by any user with the required
permission directly within PDMS UI. In order to display application-related audit
entries, for example log on or log out actions, or to search for entries that match
certain criteria, a designated Audit officer and TCP Application Manager are
required.
19.1.1 Displaying audit entries for a particular

record/document
To display all available audit entries for a particular item:
1. Perform a query to search for the item within PDMS UI.

Chapter 19 Administering audit entries
2. In the resulting hit list, open the Properties page for the item.
3. Select the Audit entries action.
All available audit entries for that item are displayed as a hit list.
19.1.2 Displaying audit entries that match certain criteria

A special query on audit entries is provided in TCP Application Manager to search
for entries that match certain criteria.
To execute the Audit Entries query:

1. In TCP Application Manager, select the Audit Entries query.
2. Enter the search criteria, for example a particular user, application, date or
object type, and perform the search.
Tip: To find only application-related events (for example log on, log out),
enter “Object Type=NULL” and, optionally, specify a particular application.
To find an audit entry by its unique ID, enter the ID.
3. Click Search to perform the search.
The Audit Entries hit list displays all audit entries that match the specified criteria.

19.1 Finding and displaying audit entries
From the hit list view, you can:

• Display an individual audit entry – Click Show properties and actions for
the corresponding entry.
• Delete an individual audit entry – See “Deleting an individual entry” on
page 124.
• Print or export the hit list – See “Exporting and printing lists of audit entries”
on page 125.
19.1.3 Displaying audit entries for deleted items

Since you cannot search for items that have been deleted, a special query is
provided to search for all audit entries that are related to deleted items.
To execute the Obsolete Audit Entries query:

1. In TCP Application Manager, select the Obsolete Audit Entries query.
2. The criterion that the item must be deleted is included in the query implicitly.
Optionally, you can enter additional criteria to restrict the list of entries.
The Obsolete Audit Entries hit list displays audit entries containing the Delete
event for an item.
From the hit list view, you can:

• Display an individual audit entry – Click Show properties and actions for
the corresponding entry.
• Delete obsolete audit entries related to the deleted items – See “Deleting
several obsolete audit entries” on page 124.
• Print or export the hit list – See “Exporting and printing lists of audit entries”
on page 125.

Chapter 19 Administering audit entries
19.2 Deleting audit entries

Note: In order to delete audit entries, the administrator must belong to the
AuditOfficers group. By default, the user DMSAdmin is a member of this
group.
19.2.1 Deleting an individual entry

You can delete individual entries from the hit list of an Audit Entries query.
To delete an individual entry:

1. Display the audit entry as described in “Displaying audit entries that match
certain criteria” on page 122.
2. If available, click Delete for the corresponding entry in the hit list.
Otherwise, click Show properties and actions to display the Properties page
for the corresponding entry and click Delete .
3. Confirm the delete action in the dialog.
The audit entry is deleted.
Tip: You can delete several individual audit entries at once by performing a
multiple selection in the hit list and then using the Delete action in the function
bar.
19.2.2 Deleting several obsolete audit entries

To delete several obsolete audit entries:
1. Execute the Obsolete Audit Entries query as described in “Displaying audit
entries for deleted items” on page 123.
The Obsolete Audit Entries hit list displays audit entries that contain the
Delete event for an item. Based on these entries, you can perform an action that
deletes all other audit entries that refer to the same (deleted) item, and have thus
become obsolete, for example the creation or modification of a deleted
document.
2. Select the deleted items for which you want to delete all related obsolete audit
entries.
3. Select the Delete related audit entries action from the selection list.
4. Confirm the delete action in the dialog.
The obsolete audit entries for the selected items are deleted.
Tip: You can also print or export this hit list; see “Exporting and printing lists
of audit entries” on page 125.

19.3 Exporting and printing lists of audit entries
19.3 Exporting and printing lists of audit entries

After you have performed a search for audit entries with particular criteria, you can
print the resulting hit list or export it in .xls format.
To print the hit list:

1. In TCP Application Manager, execute a query with your search criteria.
2. In the resulting hit list, click Print hit list in the function bar.
Depending on the settings in Options, either the current page or the entire hit list is
printed.
To export the hit list:

1. In TCP Application Manager, execute a query that includes your search criteria.
2. In the resulting hit list, click Save hit list as Excel file in the function bar.
The standard file selection dialog opens where you can select the storage
location in your local file system.
Depending on the settings in Options, either the current page or the entire hit list is
exported.

Chapter 20
Administering classification
Classification is another means of structuring large amounts of data. A classification
is similar to a multivalue property that you assign to an item. That way you
organize items into groups by assigning the same classification. Each item can be
assigned to several classifications. Classifications can be defined hierarchically, thus
creating a classification tree of classifications and subclassifications, to reflect the
company's organizational structure, business rules, or Records Management
classification. Creating classifications is restricted to special administrators
(ClassificationOfficers) and is performed in TCP Application Manager, while
assigning classifications to items is done in TCP Web Client and is allowed by any
user with the Change properties permission.
Administration for classification in TCP Application Manager includes the
following tasks:
• Creating classifications
• Editing classification properties
• Deleting classifications
• Displaying the hit list of classifications
• Displaying the classification tree of defined classifications
20.1 Creating new classifications

If you belong to the group ClassificationOfficers, you can create new
classifications that can then be assigned to new or existing items by any user, in
order to structure the data. By default, the user DMSAdmin is a member of this group.
To create a classification:
1. Expand the selection list in the general functions area and select Classification
as the item type to create.
A property screen is displayed.

2. Enter the properties.

Chapter 20 Administering classification
Property Description
Classification name Name of the classification
Assignable Option whether the classification is allowed to be assigned
to an item by the users.
Only deactivate for obsolete classifications or classifica-
tions that are used to structure the classification hierarchy.
Parent Name of the superior classification in the classification
tree.
If no Parent is defined, a root classification is created.
3. Creating several classifications one after the other

You can create several classifications one after the other. To do so, activate the
Enable fast entry of similar items option in the Create dialog. The dialog is
displayed again after the classification is created. For the last classification,
deactivate the option or click on Cancel to close the dialog.
4. Click Save to save the specified properties and create the classification.
20.2 Editing classifications

If you belong to the group of ClassificationOfficers, you can edit classification
properties. By default, the user DMSAdmin is a member of this group.
To edit classification properties:

1. In the classification tree or hit list, find the classification you want to edit, and
click Show properties and actions to display the Properties page.
2. Select the Edit properties function.
The properties are displayed in edit mode.
3. Only the Assignable option is editable. If you no longer want users to assign the
classification to any items, for example because the classification has become
obsolete, deactivate this option. You can make the classification Assignable
again any time.
4. Click Save to save your changes.
The Properties page is displayed.
20.3 Deleting classifications

You can delete classifications if you are their owner or if you belong to the group
ClassificationOfficers. By default, the user DMSAdmin is a member of this
group.

20.4 Displaying classifications
Important
When you delete a classification, all subclassifications are deleted, as well,
whereas assignments of those classifications to items are NOT deleted. Thus,
rather than deleting classifications, OpenText recommends making them
unassignable for further items by deactivating the Assignable option (see
“Editing classifications” on page 128).
If you must delete a classification, delete the assignments of any items to the
classification and its subclassifications first, and then delete the
classifications.
To delete classifications:
1. In the classification tree or hit list, find the classification you want to delete, and
click Delete .
If the icon is not available in the hit list, click Show properties and actions to
switch to the Properties page and select the Delete action there.
2. Click Confirm to confirm the deletion.
The classification and all its subclassifications are deleted.
20.4 Displaying classifications

Two queries are pre-configured in TCP Application Manager to display the defined
classifications.
• Classification classes query – displays a hit list of all subclassifications for a
specific classification.
• Classification tree query – displays a DocuLink folder with the classification
hierarchy tree.
To configure additional queries using TCP Modeler, see Open Text TCP Modeler -
20.4.1 Displaying the hit list of classifications

A special query on classification is provided in TCP Application Manager to search
for all classifications or all subclassifications for a specific classification.
To execute the Classification classes query:

1. In TCP Application Manager, select the Classification classes query.
2. Select the classification for which you want to see the subclassifications from the
selection list, or leave the field empty to see all classifications.

Chapter 20 Administering classification
A hit list of all subclassifications for the specified classification is displayed.
20.4.2 Displaying the classification tree

When you create new classifications, you can define a Parent in order to create a
hierarchy of classifications. This hierarchy can be displayed as a tree using dynamic
DocuLink folders. The classification tree is displayed when you perform the
Classification tree query. The root of the tree is always a folder named
Classification tree. This folder contains all classifications for which you did not
define a Parent during creation. Each subfolder contains the subclassifications
defined for the current classification. You can navigate through the tree to get an
overview of the classification structure. When you open a classification folder in the
navigation area, a hit list of the subclassifications is displayed.
Tip: To configure additional DocuLink folders for classification using TCP
Modeler, see Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
To execute the Classification tree query:

1. In TCP Application Manager, select the Classification tree query.
2. You can enter a Classification path in order to display only subclassifications of
a certain classification. Use the following syntax:
<root_class>:<subclass1>:<subclass2>:...
3. Click Search ( ) to perform the search.
The DocuLink tree is displayed in the navigation area. The subclassifications of the
currently open folder are displayed as a hit list in the working area.
20.5 Assigning classifications to an item

To assign classifications to an item:
1. Perform a query to search for the item you want to assign a classification to
within the TCP application (both TCP Web Client and PDMS Web Client).
2. In the resulting hit list, open the Properties page for the item.
3. Select the Edit properties function. This function is only available if you have
the required permission.
4. In the Classification field, select each classification you want to assign to the
item. You can remove assigned classifications any time by deselecting each
classification in this field.
Only classifications that are configured to be Assignable are listed (see “Editing
classifications” on page 128).
Note: When you edit the Classification property, assigned classifications
that are configured to be no longer Assignable, and also deleted

20.5 Assigning classifications to an item
classifications, are still listed in this field. However, if you deselect such a
classification and save the settings, the unassignable or deleted
classification is no longer available.
If the Classification property is included in a query assignable classifica-
tions are available as search criteria. Unassignable classifications are only
listed in the PDMS Web Client, whereas not in the TCP Web Client. De-
leted classifications are not available as search criteria.

Chapter 21
Administering Open Text TCP
TCP Configuration allows the administrator to control access to the system and to
the documents contained within it, including settings for the connection to TCP
Context Server and the security settings used for signed URLs and SSL.
Furthermore, general project administration and availability is handled here.
Administration As opposed to configuring individual applications using TCP Modeler, TCP
tasks Configuration helps you manage the applications on the separate servers.
To define special functionality across applications, use TCP Application Manager.
For details, see “Working with TCP Application Manager (PDMS UI only)” on
page 117.
21.1 Starting TCP Configuration

Tip: It is not possible to log on to the same application twice using the same
client. However, two different browser sessions on the same client are possible.
To start TCP Configuration:

1. Open the TCP Application Server configuration in a browser window by
entering http://<TCP Application Server>:<port>/tcp_config in the
address bar.
2. In the log on window use the administrator user name Admin and the
password you entered during installation or configured afterwards (see
“Changing password” on page 135). The TCP Application Server configuration
opens with the Projects Overview page and the About Open Text
Transactional Content Processing page.

Chapter 21 Administering Open Text TCP
21.1.1 The TCP Configuration GUI
Navigation area
The navigation area on the left is divided into the following sections:
General
General settings for TCP Application Server. For details, see “General project
settings” on page 138, “Managing access for ArchiveLink calls” on page 186,
“Configuring Single Sign-On (SSO) for PDMS UI” on page 142 and
“Logging” on page 145.
Projects
List of available projects on TCP Application Server. The project name is an
active link to the project page. For details, see “Projects overview” on
page 135 and “Managing projects” on page 136.
Configuration packages
Packages to re-configure TCP Application Server. For details, see “Re-
configuring TCP Application Server” on page 161.
Working area
The working area displays the selected page. Initially, it displays the Projects
Overview page.
General functions area
The general functions are available on all the pages:
Icon Function Description
Add Project Opens the New Project page.
Change Opens the Password page (see

Password “Changing password” on page 135).
Log-out Closes the session.

21.1 Starting TCP Configuration

Help Opens the online help.
21.1.2 Changing password

The password is set during installation, but can be changed.
To change the password:

1. Click Change Password in the general functions area.
The Password dialog opens.
2. Enter the old password in the Old Password field.
Enter the new password (New Password) and confirm it (Confirm New
Password).
3. Click Save to save the new password.
21.1.3 Projects overview

Click Projects Overview to get an overview of all available TCP projects and to
get information about the current software version.
The following columns are displayed in the overview:

Edit
Click on Edit to open the Project page. For details, see “Managing projects” on
page 136).
Project Name
Click on the project name to log on to the project using the PDMS UI.
Project Identifier
Project identifier used in TCP Modeler.
Start Time
Date and time that TCP Service was started.

Status
• A green icon shows that the project is running.
• A red icon shows that the project is stopped due to an error with starting or
reloading the project (e.g. invalid GUI configuration). For details check the
log file (see “General” on page 145).
About Open Text Transactional Content Processing
Shows information about the current software version.
Reload Configuration
Reloads the new configuration of all TCP applications on the server to put the
changes into effect without restarting TCP Application Server. Also, if you add
or remove a project, you have to click this button to see the changes in the TCP
application.
Warning
Consider that after a reload of the configuration the active users (TCP
Web Client and PDMS Web Client) are disrupted in their work. The
users get a corresponding message and are forced to relogin to continue
work.
Thus, it is recommended to perform the reloading of the configuration in
times where no or only few users are affected.
The following changes cannot be made on the fly and force a restart of the
application:
• Enable or disable SSO
• Changes to the Enterprise Process Services configuration packages
• Adding or changing application server datasources
21.2 Managing projects

While the individual projects are configured using TCP Modeler, you create and
edit the general project data in TCP Configuration.
Click Projects Overview to get an overview of all available TCP projects. From the
Projects Overview page, you can:
• Create a new project – Click Add Project in the general functions area.
• Edit an existing project – Click Edit for the corresponding project in the list.
The settings for new and existing projects are very similar.
Tip: In the title of the Edit Project page you find a link to quickly log on to the
project using the PDMS UI.

21.2 Managing projects
Project Name
Enter a descriptive name for the project.
Description
Enter a description of the project.
Project Identifier
Enter the project identifier from TCP Modeler. For details, see Open Text TCP
Modeler - Customization Guide (TCP100001-CGD).
Note: A project identifier can only be used once in all projects.

System User
Enter the name of the system user for your project. The default user name is
BizEffectiveUser_default. For details, see “Managing system users” on
page 117 and Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
Password
Enter the password for the system user.
Domain
Enter the domain for the system user.
Default Repository Id
Enter the default repository ID. Usually the default entry is the project name.
Note: You have to change this value for projects you migrated from BPM
Server 9.7.1. In this case you have to enter “Context” as Default Repository
ID (see also OpenText Transactional Content Processing - Upgrade Guide (TCP-
DGD)).
TCP Context Server URLs
The URL of the TCP Context Server host or hosts, if a cluster is used. Separate
URLs of different cluster nodes with a new line.
This setting is pre-configured with the URL defined during installation.
Note: TCP projects on one TCP Application Server can use different
Context Servers as long as User Management Server is the same.
TCP Context Server Protocol
Select whether to use the http protocol or the https protocol for SSL
communication with TCP Context Server. For information on further settings for
SSL, see “Configuration for SSL” on page 373.
Actions
The Actions bar is available only on the Edit Project page.
Icon Tool tip Description
OK Saves your settings.
Click Reload Configuration on the Projects Overview
page to apply this change to the TCP application.
Delete Project Deletes the project.
Click Reload Configuration on the Projects Overview
page to delete the project.
21.3 General project settings

To define general project settings, click General Project Settings in the General
section.

The general project settings specify the connection to TCP Context Server and
ArchiveLink URL generation. The settings are used for the ClientLib of TCP Context
Server. The default value of a parameter is given in square brackets.
New: With patch TCP-1001-068 or higher, the ArchiveLink URL generation is
defined by the general settings ArchiveLink Host, ArchiveLink HTTP Port,
ArchiveLink HTTPS Port and ArchiveLink SSL Mode.
Protocol Handler
HTTP protocol handler [JAKARTA]
(Property name: DS_PROTOCOL_HANDLER)

Maximum Connections for all Context Server Hosts

The maximum total number of connections to all the available Context Server
hosts [64].
(Property name: HTTP_MAX_TOTAL_CONNECTIONS)
Maximum Connections per Context Server Host
The maximum number of HTTP connections to a single Context Server host [64].
(Property name: HTTP_MAX_CONNECTIONS_PER_HOST)

Cache Size
The available cache size, in percent, of the virtual machine memory [5].
(Property name: DMS_CACHE_SIZE)
Note: The percentage is multiplied by the count of projects. If you have a
cache size of 25% and 5 projects, 125% of the memory is used for the cache.
The cache size multiplied by the project count should be 25%, that is if you
have 5 projects, set the cache size to 5%.
Maximum Cacheable Size
The maximum size, in bytes, of an entity that can be cached [100000].
(Property name: DMS_MAX_CACHABLE_SIZE)
Buffer Size
The size of the buffer in bytes.
Buffer size for transferring HTTP request [8192].
(Property name: HTTP_BUFSIZE)
Enable SSL for UMS
Enable SSL communication with the TCP Context Server hosts (true/false). For
information on further required settings, see “Configuration for SSL” on
page 373.
Note: You can only configure SSL for the User Management Server
connection if you configure a https URL in the UMS configuration package
UMS, setting Cluster Connect URLs, see “Defining UMS access information
and audit settings (UMS)” on page 277. If you enable SSL for the User
Management Server connection, you must restart the TCP application.
Use Http Expect 100
Performance optimization for HTTP header; generally not used (true/false).
Project Base URLs
If clustering is used, the base URLs to each project host in the cluster are
required, so that logging and other project settings can be sent to each host. In
some cases, automatic generation of the correct URL fails; then you should enter
the base URLs for each project host in this field using the following syntax:
<protocol>://<host>:<port>
where <protocol> can be either http or https, for example:
http://myHost1:8080
http://myHost2:8080
...

Project Link Base URL

If the project is located on a different host than TCP Configuration, the link to the
project in the Projects Overview page does not work. In this case, you must
enter the base URL for the project in this field using the following syntax:
<protocol>://<host>:<port>
where <protocol> can be either http or https, for example
http://myHost:8080.
Default Project
Project settings such as access right or presentation settings of the default project
are used in situations where no project is yet selected, mainly in the project
selection dialog of the TCP application.
The following settings from ADC.properties are used:
adc.browser.disableCaching and adc.config.content.encoding.
ArchiveLink Host
The host name used to process the ArchiveLink requests. In case of a clustered
environment, enter the host name of the load balancer, otherwise the name of the
TCP Application Server.
Default value: Name of the TCP Application Server that was specified during the
installation.
ArchiveLink HTTP Port
The HTTP port used to process the ArchiveLink requests. In case of a clustered
environment, enter the HTTP port of the load balancer, otherwise the HTTP port
of the TCP Application Server.
Default value: HTTP port of the TCP Application Server that was specified
during the installation by the port binding set.
ArchiveLink HTTPS Port
The HTTPS port used to process the ArchiveLink requests. In case of a clustered
environment, enter the HTTPS port of the load balancer otherwise the HTTPS
port of the TCP Application Server.
Default value: Port binding set specified during the installation + 8443, for
example 38443.
ArchiveLink SSL Mode [SSL Off]
Select On if you want to use SSL for ArchiveLink. In this case provide also the
ArchiveLink HTTPS port (see above). For more information about SSL
configuration, see “Configuration for SSL” on page 373.
ArchiveLink Extended Info [Off]
Select On if you want to retrieve extended information for each component of a
document.
Important
If you select On, it takes significantly more time to display a document
stored in a TCP Business Object Layer repository.

Examples for extended information:

• A component has a signature or not
• The name of the volume where the component is stored on
• The volume is offline or online
ArchiveLink Default Charset [UTF-8]
Encoding to be used for reading the body of ArchiveLink requests.
ArchiveLink Repository Prefix [_]
The repository prefix is used to distinguish between the repositories known by
TCP Application Server and the logical archives coming from a TCP Business
Object Layer repository in case the names of repositories and logical archives are
equal. TCP Application Server inserts this repository prefix at the beginning of
each repository name.
21.4 Configuring Single Sign-On (SSO) for PDMS UI

PDMS Web Client supports SSO with Windows. Your Windows system log on and
password are used to sign on to all TCP applications, if configured appropriately.
Note: If you want to use the SSO scenario with Windows 7, you must adapt the
security configuration of Windows 7. For details refer to the OTDN at
https://knowledge.opentext.com/knowledge/llisapi.dll/open/17580217.
Important
If your load balancer or Web proxy server is an Apache server with SSL and
you use an Internet Explorer for working with the TCP systems, you must
remove the following settings in the Apache's ssl.conf file to use SSO :
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Configuring SSO consists of the following tasks:

• Enabling SSO for a new project, see “Managing projects” on page 136.
Important
If you change SSO enabling for a current project, you must re-deploy
TCP, which will destroy all current sessions.
• Defining an SSO key store, key alias, and an SSO user in the security settings, see
• Extending the URL for logging on to a PDMS Web Client as follows:

21.4 Configuring Single Sign-On (SSO) for PDMS UI
http://<host>:<port>/TCP/SSO/<projectName>
If the project with the given project name does not exist, the project selection
page is displayed in case you have access to more than one project. Otherwise
the log on page of the single project is displayed.
To configure NTLM and SSO Servlet filter settings:

1. Copy the file <TCP installation directory>\custom\ADCApplication.-
war\WEB-INF\web.xml.default (in case of WebSphere application server:
web.xml.websphere.default) to the same directory and rename it to web.xml.
2. Open the new web.xml file with a text editor.

3. Search for the follwing lines:
<filter>
<filter-name>NtlmHttpFilter</filter-name>
<filter-class>jcifs.http.NtlmHttpFilter</filter-class>
<init-param>
<param-name>jcifs.http.domainController</param-name?
<param-value>@domain.controller@</param-value>
</init-param>
4. Replace the entry “@domain.controller@” by the name of your domain

controller.
Important
The NTLM protocol on the domain controller must be activated and
special settings on the clients are required. For details, see “Configuring
NTLM settings on the clients” on page 144.
5. Remove the lines starting with “”.
6. Save your changes.
7. Rebuild the TCP Application (see “Rebuilding and deploying of the TCP
application” on page 169) and deploy the EAR file <TCP installation
directory>\custom\tcpappserver.ear in your JEE application server.
• JBoss: Copy it to the deploy directory (of each cluster node).

• WebSphere: Select the TCP application in the WebSphere Administration
and click Update. Do not alter any of the default settings. See your
WebSphere Administration manual for details. Ensure that the TCP
application is started in your WebSphere administration.

21.4.1 Configuring NTLM settings on the clients

By default, an NTLM filter is inserted to the web.xml file when SSO is enabled. This
requires configuration settings on the clients.
For Internet Explorer:

1. Add a value to the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Inter
net Settings\
Value Name: DisableNTLMPreAuth

Data Type: REG_DWORD
Value: 1
2. Activate Automatic Logon only in Intranet zone for the browser.
a. In Internet Explorer, go to Tools - Internet Options.
b. In the Security tab, select the Local intranet Web content zone, and click
Custom Level to change the security level for that zone.
c. In the User Authentication area, activate Automatic logon only in Intranet
zone.
d. Store the settings.
3. If TCP Application Server is not part of your local Intranet zone, you have to
add it.
b. In the Security tab, select the Local intranet Web content zone, and click
Sites.
c. In the Local intranet dialog box, click Advanced.
d. Add the fully qualified name of TCP Application Server to the Local
Intranet sites, for example tcp.appserver.com.
e. Store the settings.
4. If a proxy server is configured for Internet Explorer, add TCP Application
Server to the list of exceptions, so that it does not use the proxy server.
b. In the Connection tab, click LAN Settings.
c. In the Proxy Server area, click Advanced.
d. In the Exceptions area, add the TCP Application Server name to the Do not
use proxy server for addresses beginning with: field.
e. Store the settings.

21.5 Logging
For Firefox/Mozilla:
• Define TCP Application Server as a trusted server. To do so, change the browser
configuration as follows:
a. In the browser address bar, enter about:config.
b. Enter ntlm as a filter.
c. In the displayed list of configuration parameters, find network.automatic-
ntlm-auth.trusted-uris. Set the value to the name of the host as specified
in the URL.
For example, for the URL
https://myhost:<port>/TCP/SSO/<projectName>, enter the value
myhost.
For the URL
https://myhost.opentext.net:<port>/TCP/SSO/<projectName>, enter
the value myhost.opentext.net.
You can enter several hosts, separated by commas.
d. After editing the configuration, restart Firefox.
21.5 Logging
21.5.1 General
This section describes configuration issues for the logging, monitoring and profiling
features. The logging is based on the log4j package of the Apache Jakarta Project
(see http://jakarta.apache.org/ for detailed information on advanced
configuration).
Main categories
The three main categories containing categories (subcategories) to configure
logging for certain kinds of events. Each main category can be configured
independently.
Logging
For debugging (see “Configuring the logging categories” on page 146)
Profiling
Duration of special actions on the application server (see “Configuring the
profiling categories” on page 152)
Monitoring
Basic events in the application, for example request received (see
“Configuring the monitoring categories” on page 156)
Subcategories
All main categories have subcategories. Subcategories describe particular
occurrences or problems. The subcategories are described in the corresponding
section for each main category.

Level
The level configures the log level for a category to be logged.
If a specific level is set for a category, all entries of this level and the higher levels
will be logged. This means that if the level Warning is set, all entries for Fatal,
Error and Warning are logged.
Appender
The appender specifies the format of the logging entry, whether it is stored as an
entry in the log file or sent as an e-mail notification, etc. The appender can be
configured in the file <TCP installation directory>\custom\ixosappconf.-
jar\log4j.xml.
Log files The log files are written into the directory:
directory JBoss: <jboss-home>\server\<your-configuration>\log\
WebSphere: <WAS_HOME>\profiles\<your-profile>\logs\
• Logging is written into a file named TCPApplication.log.
• Monitoring is written in a file named TCPApplication_monitor.log.
• Profiling is written in a file named TCPApplication_profiling.log.
• TCP configuration changes are logged in a file named
TCPApplication_appconfig.log.
21.5.2 Configuring the logging categories

The logging page allows you to configure the logging for the administration
application and the logging for the projects at once. Logging entries are stored in the
file: TCPApplication.log
There are two methods of configure logging settings:
• Using the TCP Configuration GUI – These settings remain valid as long as TCP
Application Server is running. When the server is shut down, the logging set-
tings are reset.
Important
Ensure that the project base URL is set to be able to define the settings in
the GUI, see Project Base URLs on page 140.
• In an XML file in the TCP J2EE application – In this case, the logging settings
are permanent.
The log4j.xml file is located in the ixosappconf.jar in the application EAR
file (tcpappserver.ear).
The settings are similar for both methods and are described for the individual
categories in the following sections.

21.5 Logging
Important
The logging will always be written to the log file on the host that processes
the request. If a session is started, all requests will be processed by the same
host. However, the log on page is independent from the session and may be
processed by another host of the cluster. So, possibly, the logging of the log
on page and the logging of the session will each be written on a different
host.
To configure logging:
1. Select Logging in the general section of the TCP Configuration GUI.
The following page is displayed:
2. Select all the logging categories that you want to set to a particular log level.
You can use SHIFT or CTRL to make multiple selections.
3. In the Log Level list box, select the appropriate log level. The log level for the
categories changes immediately. The new log levels are displayed in the
Categories area.
4. Repeat the process for the next log level.


Reset Logging Resets all log levels to the settings defined in the file <TCP
installation directory>\custom\ixosappconf.jar\log4j.-
xml. This action is useful after troubleshooting, for instance,
when you temporarily have to increase the log level to detect a
problem cause.
Back to Pro- Navigates to the projects overview page with the version infor-
jects Over- mation.
view
21.5.2.1 Log levels

The Level list box contains a list of all the available log levels. The new log level is
applied immediately.
Level (GUI) Level (XML) Description

FTL FTL Fatal errors, which stop the system working
ERR ERR Errors that affect parts of the system, for example a spe-
cific functionality
WRN WRN Unusual and unexpected situations that may or may not
be error situations
INF INF Trace log level for information that gives an overview of
what is happening in the system
DBG DBG Trace log level to provide very detailed information
ENT LVE Trace log level that indicates method entries (“ENT”) and
exits (“LVE”)
DEV DEV All messages are logged, including method entries
(“ENT”) and exits (“LVE”)
21.5.2.2 Logging subcategories

The area Categories displays a list of all the available logging subcategories with
their log level. The application generates the list, so it may differ from the screen
above. A category is displayed there only if the class behind the category is used at
least once.
TCP
Problem Subcategories
Log-in, user management Log-in
ADCSession
ADCDirectAction
ixos.adc.acc

21.5 Logging
Problem Subcategories
Rights ixos.adc.acccontrol
Communication with Context Server com.opentext.ecm.mservices.ddo.sp

i.ecr
Communication with other Reposito- com.opentext.ecm.mservices.ddo.-

ries spi.<repository implementation>,
e.g. hibernate
Displaying a document ADCActionShowDoc
Displaying an XML document ADCActionShowDoc
Downloading a document ADCActionDownloadDoc
Uploading a document ADCCtlMenuButtonFileUpload

UploadHandlerIndexing
Editing and displaying notes ADCCtlNote

ixos.adc.ido.dms.DMSNoteList
Mailing a document ADCCtlEmail

ixos.adc.appl.mail
SecKey in the communication with ixos.adc.sec

TCP Context Server
Enterprise Process Service
Description Subcategories
Complete Process Service (without com.opentext.ecm.bpm
WQL)
Process agents com.opentext.ecm.bpm.agent
Audit service com.opentext.ecm.bpm.audit
Calendar service com.opentext.ecm.bpm.calendar
Process engine com.opentext.ecm.bpm.engine
History service com.opentext.ecm.bpm.history
Process locking com.opentext.ecm.bpm.locking
Maintenance utilities Maintenance utilities com.-

opentext.ecm.bpm.maintenance
Miner service com.opentext.ecm.bpm.miner
Permission service com.opentext.ecm.bpm.permission
Profile service Profile service com.opentext.-

ecm.bpm.profile
PMQL engine com.opentext.ecm.bpm.pmql
Asynchronous communication com.opentext.ecm.bpm.queue

Description Subcategories
Repository service com.opentext.ecm.bpm.repositories
Rules engine com.opentext.ecm.bpm.rules
Process scheduler com.opentext.ecm.bpm.scheduler
Script host com.opentext.ecm.bpm.scripts
Process Service API com.opentext.ecm.bpm.service
Remote/Local API com.opentext.ecm.bpm.service.Proc

essServiceImpl
Session service com.opentext.ecm.bpm.session
Process status information com.opentext.ecm.bpm.statusinfo
Time restrictions com.opentext.ecm.bpm.timerestrict

ion
Transport object com.opentext.ecm.bpm.transport
Process entities com.opentext.ecm.bpm.types
Process utilities (e-mail service, re- com.opentext.ecm.bpm.utils

placement tags, ...)
WDL Compiler com.opentext.ecm.bpm.wdl
WQL Service com.opentext.ecm.mservices.wql
Remote API com.opentext.ecm.tcp.ws
SOAP API com.opentext.ecm.tcp.ws.impl.proc

ess.ProcessServiceImplSoap

21.5 Logging
21.5.2.3 Configuring the log file entries

The syntax of the log entries can be configured in the file <TCP installation
directory>\custom\ixosappconf.jar\log4j.xml . By default, the entries consist
of the following values:
<Log level> <Time stamp> <Thread> <Class+Method><Loglevel-dependant
information>
where:
Variable Description
<Log Level> Indicates the selected log level
<Time stamp> Indicates when the action occurred
<Thread> Thread that initiated the log entry
<Class+Method> Class and method that created the log entry
<Loglevel-dependant Can be various types of information, depending on the log
information> level, for example the error message or stack trace
To change the configuration of the standard logging, change the <root> entry:
<root>
<priority value="WRN"
class="ixos.log4j.LogPriority" />
</root>
<appender name="A1" class="ixos.base.log4j.LogPriority">
<param name="File" value="\temp\logging.log" />
<param name="Append" value="true" />
<param name="MaxBackupIndex" value="10" />
<param name="MaxFileSize" value="20MB" />
<layout class="ixos.base.log4j.ExtPatternLayout">
<param name="ConversionPattern"
value="%c{2}\t%d\t%m\t%n" />
</layout>
</appender>
MaxBackupIndex specifies the number of backup files generated. There is one

backup file by default. This configuration creates up to 10 backup files before it
overwrites the first.
MaxFileSize specifies the maximum size of the log file in bytes. The default
maximum file size is 10 MB; this configuration sets 20 MB.
A configuration for a subcategory has the following format:
<category class="ixos.base.log4j.LogCategory"
name="ixos.adc.eof.usermodel"
additivity="true">
<priority value="DBG" class="ixos.base.log4j.LogPriority" />

<appender-ref ref="A1" />

</category>
The default appender for the logging is set to a FileAppender, which writes to a file
named TCPApplication.log.
If you want to write the logging entries of this subclass to a file other than the
default file, you can configure another appender and set it to the subcategory. This
example writes to the file \temp\usermodel.log:
<category class="ixos.base.log4j.LogCategory"
name="ixos.adc.eof.usermodel"
additivity="false">
<priority value="DBG" class="ixos.base.log4j.LogPriority" />
</category>
<appender name="A5" class="org.apache.log4j.FileAppender">
<param name="File" value="\temp\usermodel.log" />
<layout class="org.apache.log4j.PatternLayout">
</layout>
</appender>
additivity="false" means that the logging events are only written to the
appender configured for this subcategory. true would also write to the appenders
of parent categories.
21.5.3 Configuring the profiling categories

The profiling page allows you to configure the logging for profiling. Logging entries
are stored in the file: TCPApplication_profiling.log
To configure profiling:
1. Select Profiling in the general section of the TCP Configuration GUI.

21.5 Logging
2. Select all the profiling categories that you want to set to a particular log level.
Categories area.

problem cause.
jects Over- mation.
view

21.5.3.1 Profiling log level

Level Description
PROF Profiling entry, no different levels. The entry
contains the duration of the specific action.
NOPROF Profiling is off
By default, no profiling is logged.
21.5.3.2 Profiling subcategories

The area Categories displays a list of all the available logging subcategories with
their log level. The application generates the list, so it may differ from the screen
above. A category is displayed there only if the class behind the category is used at
least once.
Accountable action SubCategory

Profiling user log on PROFILING.user.login
Select users by prefix (for example send PROFILING.users.select

task)
Profiling queries PROFILING.doc.query
Profiling sending e-mail PROFILING.doc.email
Profiling time stamp verification PROFILING.doc.time stamp
Profiling folder queries PROFILING.folder.query
Profiling fulltext query PROFILING.storelink.query
Profiling application start PROFILING.app.start
Profiling event handling PROFILING.gui.root.handleEvent
Profiling rendering of GUI components. PROFILING.gui.ctl.render

Must be followed by “:” and the controller
name, for example for rendering
ADCCtlTree, use
PROFILING.gui.ctl.render:ADCCtlTree

21.5 Logging

Profiling of different SOAP calls to the TCP PROFILING.pms.send
Service server PROFILING.pms.abort
PROFILING.pms.create.process
PROFILING.pms.delete.attachment
PROFILING.pms.request.process
PROFILING.pms.execute.pmql
PROFILING.pms.get.userinfo
PROFILING.pms.get.attachmentinfo
PROFILING.pms.get.processes
PROFILING.pms.get.userprocesses
PROFILING.pms.get.count
PROFILING.pms.set.route
PROFILING.pms.set.subject
PROFILING.pms.set.attachments
PROFILING.pms.set.datafields
Profiling of a query on IOLayer level PROFILING.iolayer.query
Profiling calculating all paths of a entity PROFILING.iolayer.get.paths
Profiling calculating all parents of a entity PROFILING.iolayer.get.parents
Profiling of a makefullqualified (== getEn- PROFILING.iolayer.makefullqualified

tity) call
Profiling finding the records\subfolders of a PROFILING.iolayer.folder.query
folder on IOLayer level
Profiling updating the children-cache of a PROFILING.iolayer.folder.cache.update
folder
Profiling of a remote XDR call PROFILING.intf.xdr.call
Profiling of a remote ArchiveLink call PROFILING.intf.al.call
Profiling rendering an XML document to PROFILING.renderXML

HTML via XSL
Profiling of opening Late Indexing inbox PROFILING.lateindexing.getinbox
Profiling of getting all Favorites of the user PROFILING.Favorites.get

21.5.3.3 Configuring the profiling log file entries

directory>\custom\ixosappconf.jar\log4j.xml. By default, the entries consist
<Used time> <Action> <Action-dependant values>
where:
<Used time> Indicates the time required to perform the action.
<Action> Corresponds with the subcategory without the main category pre-
fix, for example doc.upload.
<Action- Can be various types of information, depending on the action, for
dependant values> example the uploaded document.
To change the configuration of the standard logging, change the entry:

<category class="ixos.base.log4j.ProfilingCategory"
name="PROFILING"
additivity="false">
<param name="delimiter" value="\t" />
<priority value="PROF"
class="ixos.base.log4j.ProfilingPriority" />
<appender-ref ref="Profiling" />
</category>
A configuration for a subcategory works the same way as with logging.
21.5.4 Configuring the monitoring categories

The monitoring page allows you to configure the logging for monitoring. Logging
entries are stored in the file: TCPApplication_monitoring.log
To configure monitoring:
1. Select Monitoring in the general section of the TCP Configuration GUI.

21.5 Logging
2. Select all the profiling categories that you want to set to a particular log level.
Categories area.

problem cause.


jects Over- mation.
view
21.5.4.1 Monitoring log level


NOMON Monitoring is off
ALERT ALERT Monitoring level for system-
critical events
FAIL FAIL Failure in the application,
like wrong log on, invalid
HTTP request. Failure could
be escalated to ALERT if a
specific number of events in
a subcategory occur in a
defined time interval. This
could be used to detect De-
nial-of-Service (DoS) attacks
or system probing.
ADMIN ADMIN Monitoring level for all ac-
tions in the administration
of the application
INFO INFO Monitoring level that logs
all messages
21.5.4.2 Monitoring subcategories

The area Categories displays a list of all the available logging
categories/subcategories with their log level. The application generates the list, so it
may differ from the screen above. A category is displayed there only if the class
behind the category is used at least once.
ALERT/FAIL

User log on fails MONITOR.user.log-in
HTTP request is invalid MONITOR.http.invalid

21.5 Logging
ADMIN

User changes own password MONITOR.user.changeOwnPwd
User logs off MONITOR.user.logoff
Request handling MONITOR.rootctl.handle
Session started MONITOR.session.started
Session restored MONITOR.session.restored
Request received MONITOR.request.received
Request parameters MONITOR.request.parameters
Web access (for example from TCP Service) MONITOR.Webaccess.action
Web access parameters MONITOR.Webaccess.parameters
21.5.4.3 Configuring the monitoring log file entries

directory>\custom\ixosappconf.jar\log4j.xml. By default, the entries consist
<Log Level> <Action> <Time stamp> <Action-dependant values>
where:
<Log Level> Indicates the selected log level.
<Action> Corresponds with the subcategory without the main category pre-
fix, for example user.login.
<Time stamp> Indicates when the action occurred.
<Action- Can be various types of information, depending on the action, for
dependant values> example the user that logged in.
To change the configuration of the standard logging, change the <root> entry (e.g.):
<category class="ixos.base.log4j.MonitorCategory"
name="MONITOR"
additivity="false">
<param name="delimiter" value="\t" />
<priority value="ADMIN"
class="ixos.base.log4j.MonitorPriority" />
<param name="escalationThreshold" value="10" />
<param name="escalationInterval" value="60" />
<\category>
<appender name="A3" class="org.apache.log4j.FileAppender">

<param name="File" value="\temp\failure.log" />

</layout>
</appender>
<appender name="A2" class="org.apache.log4j.net.SMTPAppender">
<param name="From" value="me@company.de" />
<param name="To" value="you@company.de" />
<param name="Subject" value="ALERT" />
<param name="SMTPHost" value="mailhost.company.de" />
<param name="Threshold"
value="ALERT#ixos.base.log4j.MonitorPriority" />
value="%d %-6p %m%n" />
</layout>
</appender>
The escalationThreshold defines how many FAIL events must occur in the same
subcategory in the time interval defined in escalationInterval (in seconds) in
order to send an ALERT. In this example, an ALERT is sent if more than 10 false log-
ons occur in 60 seconds.
For the MONITOR category, an e-mail appender is defined, which sends an e-mail if
an ALERT event occurs.
A configuration for a subcategory works the same way as with logging.

Chapter 22
Re-configuring TCP Application Server
This chapter describes the re-configuration of TCP Application Server using the TCP
Configuration.
22.1 Configuring Enterprise Process Services

application (PS)
All Enterprise Process Services application parameters are configured during
installation. You can re-configure them in the PS configuration package.
Important
If you save the changes of the configuration, current user sessions are
terminated immediately!
To configure Enterprise Process Services application (PS):

1. Open the TCP Configuration in a browser window by entering
http://<Application server>:<port>/tcp_config in the address bar.
2. In the log on window, use the Admin log on Admin and the password you
entered during installation or configured afterwards (see “Changing password”
on page 135). The TCP Configuration opens.
3. In the Configuration Packages section of the navigation area, click PS. The PS
page opens.

Chapter 22 Re-configuring TCP Application Server

22.1 Configuring Enterprise Process Services application (PS)
4. Change the settings as desired:

System Name
Enter the name of Enterprise Process Services, for example default.
Internal User
Enter the name of the internal User Management Server user. The default is
ProcessService.
Internal User Password
Enter the password of the internal User Management Server user. The
default is geheim.
Internal Domain
Enter the domain of the internal User Management Server user, for example
_internal.
Audit Level
Select the audit level of Enterprise Process Services. Default is 10. Select a
higher level for more audit entries.
Max redelivery Count
Enter the count for sending a message to execute a command, for example
time restriction. If a message can still not be processed after the maximum
numbers of deliveries to the system it is removed from the queue and the
exception flag of the work item is set to true. If the exception flag of a work
item is set to true it has to be resumed in Process Administrator.
Default Office
Enter the name for the default office/location used for calendar calculation.
Office User Property (e.g. Location)
Enter the name of the user property of User Management Server which
contains the office/location of the user, used for calendar calculation. If this
property is not set, Location is used as default name for the User
Management Server property.
Smtp Host
Enter the name of the SMTP host used for Enterprise Process Services
notification e-mails.
Smtp User
Enter the user name of the SMTP host.
Smtp User Password
Enter the password of the SMTP user.
Sender e-mail Address
Enter the default e-mail address used if no sender address is specified.
Pessimistic Locking Timeout (ms)
Enter the time in milliseconds to wait for a locked object. The default is 2000.
For example time to wait for a process instance to be unlocked at concurrent
access.

Chapter 22 Re-configuring TCP Application Server
Time Restriction Locking Timeout (ms)

Enter the time in milliseconds to wait for time restrictions to be executed
synchronous. The default is 6000. For example, time to wait for the lock if
time restrictions of one process instance are executed simultaneously.
Use a longer time period if several time restrictions can be executed for one
process instance at the same time.
Use Impersonation
With impersonation you authenticate Enterprise Process Services at User
Management Server via Single Sign-On (SSO). The impersonation
functionality is only used by the agent framework. To use impersonation,
you must have an SSO user and a proper key store configured (see “Security
settings for TCP Application Server” on page 367). Default setting is false.
To enable impersonation chose true.
User who has Public Key
Enter the certificate user, see “Configuration of the TCP certificate user” on
page 365.
Notification e-mail Subject
Enter the subject of the e-mail that notifies a user of a new work item. You
can use replacement tags. To enable notifications at a process, the client
system <email.eps.ecm.opentext.com/> must be defined for this process.
Notification e-mail Body
Enter the body of the e-mail that notifies a user of a new work item. You can
use replacement tags. To enable notifications at a process, the client system
<email.eps.ecm.opentext.com/> must be defined for this process.
You must adapt host, port, and work queue ID of the link depending on
your environment. You can retrieve the work queue ID via Process
Administrator.
Example:
Dear {workItem.currentUser.displayName},
The work item
http://myserver/tcpweb/Tcp.aspx?UID={workItem.currentUser.id}&
SelectedProject&ProtocolVersion=1.0&CientMode=Full&GroupID&Act
ionID=Open&ActionTarget=OpenText.Ecm.Tcp.Model.WorkItemAction&
Property1={workItem.id}&Property2={_default.systemWQ_ID} was
assigned to you.
Tip: You can store the work queue ID in a data field and access it via
replacement tag in the link; in the example, this is
{_default.systemWQ_ID}.
Default Exception Action
Select if an e-mail is sent for each work item that causes a problem at the
asynchronous engine handling.

22.1 Configuring Enterprise Process Services application (PS)
Exception e-mail Recipient

Enter the recipient to whom the exception e-mail is sent. The address can
either be a WQL statement or an e-mail address. Multiple e-mail addresses
can be separated by semicolons.
Exception e-mail Subject
Enter the subject of the exception e-mail. You can use replacement tags.
For details about replacement tags, see OpenText Process Designer -
Customizing Guide (PR-CPD).
Exception e-mail Body
Enter the body of the exception e-mail. You can use replacement tags.
For details about replacement tags, see OpenText Process Designer -
Customizing Guide (PR-CPD).
5. Click Save.

Chapter 23
Configuring and customizing the TCP application
23.1 General mechanism

To configure the TCP application several (example) files are provided that can be
adapted (see “Custom TCP installation directory” on page 167). To take care of
changes made in the configuration files, the application must be rebuilt and
deployed (see “Rebuilding and deploying of the TCP application” on page 169).
23.1.1 Custom TCP installation directory

The installation of TCP Application Server creates the following directory on the
local file system where you can customize the TCP application:
<TCP installation directory>\custom
For installation details see section 7.1 "Installing and configuring TCP Application
Server" in OpenText Transactional Content Processing - Installation Guide (TCP-IGD).
The custom directory contains the following subdirectories and (example) files for
configuring the TCP application:
File ADCApplication.war\WEB-INF\web.xml.default (in case of WebSphere
application server: web.xml.websphere.default):
For administrating legacy GUI (e.g. enabling SSO) the file web.xml in
ADCApplication.war must be replaced. To do so, copy the given example file
web.xml.default to web.xml and adapt it.
File appserver.ear\deployment.xml.default:
Only needed for WebSphere application server! For registering custom jar files
that contain ejbs in WebSphere application server the file deployment.xml in
tcpappserver.ear must be replaced. To do so, copy the given example file
deployment.xml.default to deployment.xml and add for every custom jar file
containing ejbs a separate EJBModuleDeployment line. The ID must be greater
than the IDs of already defined EJB-ModuleDeployments.
Directory configuration.data.add:
Allows inserting or updating entries in the configuration table. The key-value-
pairs defined in properties files in this directory are mapped to the according
columns (sName and sValue) of the configuration table. If the key is set to delete
the value is interpreted as sName entry to be deleted from configuration table.
Some characters must be escaped in properties files if they occur in name or
value:
• “\” must be written as “\\”
• “: ” must be written as “\:”

Chapter 23 Configuring and customizing the TCP application
• “=” must be written as “\=”
To update configuration data:

1. Open a command prompt and change to the directory:
<TCP installation directory>\base\bin
2. Enter the command:

java –jar updateCustomConfiguration.jar <properties file
containing installation parameters>
Directory custom.jar:
Files and directories added to this directory are packed into a file custom.jar.
The generated file is afterwards inserted into the file tcpappserver.ear.
File ddo.jar\META-INF\hivemodule.xml.default:
For replacing the file hivemodule.xml in ddo.jar, copy the given example file
hivemodule.xml.default to hivemodule.xml and adapt it.
Directory ear.add:
Files and directories added to this directory are inserted into the
tcpappserver.ear file.
Important
Do not insert a file custom.jar into this directory.
Also files that already exist in the default file tcpappserver.ear are not
allowed.
File ixosappconf.jar\log4j.xml.default:
For changing logging behavior the file log4j.xml in ixosappconf.jar can be
replaced. To do so, copy the given example file log4j.xml.default to
log4j.xml and adapt it.
Files port.binding.sets\portBindingSet.<portSetName>.properties:
Only used for port binding in JBoss application server! Adapt given or add new
port binding sets in this directory. <portSetName> is referenced by the parameter
jboss.port.binding.set in the installation parameters used for rebuilding the
TCP application. To take care of changes made to port binding set, the complete
installation must be repeated.
File ps-server-engine-core.jar\calendar\calendar.xml.default:
For administrating the calendar service replace file calendar.xml in ps-
server-engine-core.jar. To do so, copy the given example file
calendar.xml.default to calendar.xml and adapt it (see “Configuring
calendar service” on page 170).
File application.xml.add:
Jar files put to directory ear.add must be registered in file META-
INF\application.xml of tcpappserver.ear. To do so, the content of file

23.2 Configuring additional custom agents
application.xml.add is inserted into the file META-INF\application.xml . So

all jar files containing ejbs must be registered as ejb module, all other jar files
must be defined as jar module in case of JBoss application server. In case of
WebSphere application server the other jar files must not be registered, no jar
module definitions are allowed!
23.1.2 Rebuilding and deploying of the TCP application

To take care of changes made in the configuration files, the TCP application must be
rebuilt and deployed.
To rebuild the TCP application:

1. Open a command prompt and change to the directory: <TCP installation
directory>\base\bin
2. Execute the command:

java –jar staging.jar <properties file containing installation
parameters>
The generated TCP application tcpappserver.ear can be found in <TCP

installation directory>\custom and must be deployed manually. In case of
JBoss application server replace the TCP application in the deploy (or farm)
directory of your JBoss configuration. In case of WebSphere application server use
WebSphere deployment mechanism.
23.2 Configuring additional custom agents

To add a custom agent:
1. Copy the jar file containing the custom agent to directory <TCP installation
directory>\custom\ear.add.
2. If necessary update file <TCP installation directory>\custom\-

application.xml.add for registering jar file containing the custom agent.
3. In case of WebSphere update of <TCP installation directory>\custom\-

appserver.ear\deployment.xml may be necessary.
4. To work with the custom agent you must register it (see “Registering agents” on
page 94).
23.3 Configuring additional plugins

To configure additional plugins:
1. Copy the jar file containing the custom plugin to directory <TCP installation
directory>\custom\ear.add.


application.xml.add for registering jar file containing the custom plugin.
3. If entries in configuration table are needed add an according properties file to

directory <TCP installation directory>\custom\configuration.data.add.
23.4 Configuring additional repository bridge SPI

To configure a additional repository bridge SPI:
1. Copy the jar files needed for repository bridge SPI to directory <TCP
installation directory>\custom\ear.add.

application.xml.add for registering jar files needed for repository bridge SPI.
3. If entries in configuration table are needed add an according properties file to

directory <TCP installation directory>\custom\configuration.data.add.
4. If necessary put adapted hivemodule.xml to directory <TCP installation
directory>\custom\ddo.jar\META-INF.

23.5 Configuring calendar service

The calendar service allows to calculate due dates used for time restrictions.
Optional working hours and/or scheduled blocks can be used to calculate the due
time.
• The calendar service supports different time zones and offices. One office has to
be in one time zone.
• It is possible to use working hours without scheduled blocks but not scheduled
blocks without working hours.
Note: If using working hours and/or scheduled blocks only positive due time
calculation is possible. It is not possible, for example to use a time restriction
with a due time 10 hours before a specified date.
To configure calendar service:

• Update the file <TCP installation directory>\custom\ps-server-engine-
core.jar\calendar\calendar.xml according to the following description.
calendar.xml The calendar.xml defining the working hours and scheduled blocks has the
following definition:

23.5 Configuring calendar service
<?xml version="1.0" encoding="UTF-8"?>

<CalendarDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-
instance">
<WorkingHours>
...
</WorkingHours>
<ScheduleBlocks>
...
</ScheduleBlocks>
</CalendarDefinition>
The block of working hours defines working days which contains working blocks. A
working day has an office, a time zone like “Europe/Berlin” (Java ID of the time
zone) and a day of week (starts with Sunday = 1, Monday = 2, … ). The start and
end time of a working block has to be defined in the specified time zone (for
example “Europe/Berlin”). A working day can contain an arbitrary number of
working blocks.
• Hour: An hour is represented by a number from 0 to 23 (17h = 5pm).
• Minute: A minute is represented by a number from 0 to 59.
• Second: A second is represented by a number from 0 to 59.
<WorkingDay>
<DayOfWeek>2</DayOfWeek>
<TimeZone>Europe/Berlin</TimeZone>
<Office>Kempten</Office>
<WorkingBlock>
<StartTime>
<Hour>8</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartTime>
<EndTime>
<Hour>12</Hour>
<Minute>0</Minute>
<Second>0</Second>
</EndTime>
</WorkingBlock>
<WorkingBlock>
<StartTime>
<Hour>13</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartTime>
<EndTime>
<Hour>17</Hour>
<Minute>0</Minute>
<Second>0</Second>
</EndTime>
</WorkingBlock>

</WorkingDay>
Scheduled blocks define holidays. A scheduled block has an office, a time zone like
“Europe/Berlin” (Java ID of the time zone), a comment and a start/end date.
• Month: A month is represented by a number from 1 to 12 (1 = January).
• Day: A day is the day of the month. The first day of the month has value 1.
• Hour: An hour is represented by a number from 0 to 23 (23h = 11pm).
• Minute: A minute is represented by a number from 0 to 59.
• Second: A second is represented by a number from 0 to 59.
<ScheduleBlock>
<TimeZone>Europe/Berlin</TimeZone>
<Office>Kempten</Office>
<Comment>New Year</Comment>
<StartDateTime>
<Month>1</Month>
<Day>1</Day>
<Year>2005</Year>
<Hour>0</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartDateTime>
<EndDateTime>
<Month>1</Month>
<Day>1</Day>
<Year>2005</Year>
<Hour>23</Hour>
<Minute>59</Minute>
<Second>59</Second>
</EndDateTime>
</ScheduleBlock>
• Default Office:
The Default Office is used if there is no office set for a user.
• Office User Property:
The Office User Property defines the name of the User Management Server
property containing the office of a user. The default value is Location. This name
is used when property in the configuration is empty.

23.6 Configuring an additional certificate store
23.6 Configuring an additional certificate store

During installation the default certificate store bpmcert.store is created for
configuring an certificate user (see also “Configuration of the TCP certificate user”
on page 365). It is possible to use a different certificate store for other TCP security
issues (see also “Security settings for TCP Application Server” on page 367).
To configure an additional certificate store:

• Copy the certificate store to the directory <TCP installation
directory>\custom\custom.jar.

Part 3
Open Text TCP Context Server administration
Part 3 Open Text TCP Context Server administration
This part describes the administration of TCP Context Server using TCP Context
Server administration and TCP Context Server configuration.
With TCP Context Server administration and TCP Context Server configuration you
perform the following tasks:
• Monitor the performance and working of the server
• Setup and maintain the connections to other servers in the TCP landscape
• Administer and backup the database
• Re-configure TCP Context Server if necessary
“Major administration tasks” on page 177
This chapter gives an overview of the major administration tasks.
“Administering TCP Context Server” on page 179
This chapter contains the administration task which must be performed on TCP
Context Server
“Searching with the query builder” on page 202
This chapter explains how to build valid SQL statements with the query builder
“Administering the database” on page 217
This chapter contains maintenance tasks for the databases, such as back up.
“Re-configuring TCP Context Server via configuration packages” on page 223
This chapter explains how to re-configure certain functions of TCP Context
Server.

Chapter 24
Major administration tasks
The main tasks of the TCP Context Server administrator are:
Task Scheduling Where See

Configuring logical archives Once per ar- TCP Context “Configuring the
for access by Context Server: chive Server admini- archive access” on
Enabling/disabling archives, stration: Ar- page 182
default user and SSL settings chives
Configuring connection to full- Once per full- TCP Context “Managing Fulltext
text servers text server Server admini- Servers” on
stration: Fulltext page 203
Server- Configu-
ration
Configuring connection to Once per ren- TCP Context “Managing Rendi-
Rendition Server dition server Server admini- tion Servers” on
stration: Rendi- page 210
tion Server-
Configuration
Monitoring error queues for Daily TCP Context “Using the Fulltext
fulltext indexing and render- Server admini- Server error
ing stration: Fulltext queues” on
Server - Error page 207
queues or Rendi-
tion Server - Er-
ror queues
Configuring archive modes for Once per ar- Archiving and “Archive Mode
Open Text Imaging Enterprise chiving sce- Storage Admini- configuration” on
Scan nario stration page 321
Configuring jobs for Context Once per ad- TCP Context “Standard jobs” on
Server administration tasks ministration Server admini- page 191
task stration: Jobs and
Archiving and
Storage Admini-
stration
Monitoring Context Server job Daily TCP Context “Using jobs to per-
execution Server admini- form administra-
stration: Jobs tive tasks” on
page 190
TCP Context Server database Regularly DBMS (Oracle, “Performing a da-
backup MS SQL Server) tabase backup” on
page 335

Chapter 24 Major administration tasks
Task Scheduling Where See

Context Server database reor- Regularly TCP Context “Reorganizing the
ganization Server admini- database and up-
stration: Ad- dating statistics” on
ministration page 217
Unlock or undo documents Regularly TCP Context “Unlocking records
that are checked out Server admini- and undoing
stration: Undo changes” on
checkout page 201
Configuring logging Troubleshoot- TCP Context “Logging” on
ing Server admini- page 145
stration: Logging

Chapter 25
Administering TCP Context Server
You administrate TCP Context Server using the TCP Context Server administration
Web GUI.
25.1 Getting started

25.1.1 Starting the TCP Context Server administration
To start TCP Context Server administration:
1. Make sure the Tomcat server is started.
2. Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar
and log on as DMSAdmin.
If you want to create forms or set a default ACL for new documents, you must
use a user which is member of the DMSCustomizers group, for example
DMSCustomizer.
The following general functions are available throughout the program:

Back Returns to the previous page. Use this
icon instead of the Back function of
your browser.
Log-out Exits the application. You return to the
logon page.
Help Opens the online help.
About box Shows the version number of the soft-

ware.
25.1.2 Starting the Archiving and Storage Administration

You must perform certain tasks (see “Major administration tasks” on page 177) in
the Archiving and Storage Administration. To start the Archiving and Storage
Administration, see section 3 "Administration Client and the Main Objects of the
Archive Server Node" in OpenText Archive Server - Administration Guide (AR-ACN).

Chapter 25 Administering TCP Context Server
25.2 Managing system information

25.2.1 Viewing server information
In the navigation area, click Server information to display the TCP Context Server
configuration, the cluster configuration parameters and the Records Management
parameters. Information provided may vary depending on your configuration.
Records If Livelink ECM – Records Management is enabled, you get information about the
Management host and the status. For a running Records Management, the number of created
records and failed attempts of creation are displayed. Failed attempts do not
necessarily mean, the record creation failed at all. It may be that the record needed
several attempts until it was eventually created.
The section Records Management Types displays a list of all applicable item types
created within Enterprise Library Services.
To refresh this list from Enterprise Library Services, click F5.
25.2.2 Viewing log files, caches and Java VM information in

the TCP Context Server core
To view log files, caches and Java VM information:
2. In the navigation area, click TCP Context Server core to display the following
information:
• List of log files for dynamic logging. You can view the log files.
• Cache information. You can resize the cache and empty it.
• Input field for searching cached entities
• Information about the Java Virtual Machine (Java VM). You can run the Java
VM Garbage collection function.
To view log files:

• In the Logging section, click Show log file to view the content of a log file.
• ixcommon.log contains information about all components of TCP Context
Server.
• ixdms.log contains information about the core of TCP Context Server.
OpenText Global Services uses this information for the solution of your
hotline requests.

25.3 Managing archives
To resize the cache:

You can resize the cache to either an absolute value or a percentage of the available
memory.
1. In the Cache section, select either bytes or % of max. memory.
2. In the field below, enter the new value of the cache, according to your measure
selection.
3. Click Resize cache .
To clear the cache if necessary, for instance, to assist OpenText Global

Services in a support case:
• In the Cache section, click Clear Cache .
The cache is cleared. All new data is being retrieved from the database.
To view cached entities:

1. In the View cached entity section, enter an entity ID (for example
ixos.dms.admin:DMSServer) and click View entity to display the
properties overview of this entity.
2. In the properties overview, click Show entity properties to display the entity
type's attributes and properties with their values. Click a version link to display
the attributes and properties of the respective version. If available, you can also
display cached information about renditions, components and annotations.
Note: The cache may contain only a part of the properties of an entity.
To run a garbage collection on the Java VM:

The Java VM Garbage collection automatically frees objects that are no longer
referenced by the application and thus frees memory to increase the performance.
Usually, the garbage collection runs automatically. You can start it manually to
assist OpenText Global Services in a support case.
• In the Java™ VM section, click Run garbage collection .
The garbage collection is executed and all garbage is deleted.
25.3 Managing archives

25.3.1 Displaying Archiving Services information
To display Archiving Services information:

2. In the navigation area, click Archiving Services information to display

information about the connected archive servers. The primary archive server is
marked with a crown symbol.
25.3.2 Configuring the archive access

In the navigation area, click Archives to display the list of the logical archives on the
connected archive servers. To modify the parameters of the selected archive, click
Edit .
In the Archive: <archive name> dialog, you enable the archive, define the SSL usage
and the settings for the default user.
Note: The setting Authentication required to is only available if patch TCP-
1001–005 or higher is installed on your system.
Enabled
Enable or disable the logical archive.
Authentication required to
Select the operations that you want to protect by requiring authentication. Only
users with a valid signed URL (SecKey) can perform the selected operations. If
an operation is unselected, every user can perform it without authentication.
Use SSL
Specify whether Secure Socket Layer (SSL) is used in the selected archive for
archiving and viewing documents via HTTP. SSL permits the authorized,
encrypted communication between the Imaging Clients and Archive and Storage
Services (including the use of cache servers).
• use: SSL must be used. This setting is not recommended for standard
installations of Livelink ECM – Suite for SAP Solutions.
• don't use: SSL is not used.
• may use: The use of SSL for the archive is allowed. In this case, each
individual client decides on the basis of the HTTP Use SSL registry setting. If
this value is set to 1, SSL is used for communication. The default value is 0
(no SSL). When viewing with the Java Viewer, may use does not use SSL.
This setting is recommended for standard installations of Livelink ECM –
Suite for SAP Solutions.
Default User, Default password and Default domain
Enter the logon name, the password and the domain of the Default user.
Important
Changing the default user may impact access to existing documents.
Consequently, either the default ACLs or the ACLs of the archived
documents may have to be changed.

25.4 Administrating forms
Click OK.

You can use the Form overlay feature to create and administer forms.
Notes:
• You can only operate with forms when you are logged in as a member of
the DMSCustomizers group (for example DMSCustomizer) with the domain
_internal.
• You cannot delete forms because they may already be used.

• To create a test document (that is to create a root entity), add the user
DMSCustomizer to the Root Entity Creators group.
To administrate forms:
2. In the navigation area, click Form overlay to display information about the
forms.
25.4.1 Viewing forms

Viewing the In the navigation area, click Form overlay.
forms list This page displays the list of the existing forms with their parameters:
Name
Name of the form.
Version
Version number of the form.
Status
Displays the form status: ON, OFF, or TEST.
Activation date
Displays the date from which the form should be used.
Content type
Displays the content type (MIME type) of the form; for example, image/tiff.
Components
Displays the number of components (pages) that belong to the form.
Viewing the Click View FORM.INFO to display the following parameters:
FORM.INFO file
• Start-Of-Assignment
• Start-Of-Offset

• Start-Of-Page
• Start-Of-FormularID
For details on these parameters, see Open Text Imaging Windows Viewer - User Guide
(CLWVW090700-UGD).
If you have not uploaded a FORM.INFO file, this file contains the default values. For
details on upload, see Form info on page 186.
Viewing the Click View entity information to display the technical information stored in TCP
Entity Context Server for the form and its components.
Information
The Components of <document ID> page opens.
Click <component name> to display the component with Windows Viewer.
25.4.2 Creating a form

1. In the navigation area, click Form overlay .
This page displays an overview of the parameters for all the forms:
2. Click Add form .
The Add form page opens.
Note: The parameters correspond directly to the property types of the
record type ixos.dms:OverlayForm.
Enter the following parameters:
Form name
Enter a unique name for the form.
Version
Enter a version number for the form. You can choose the version number
freely, as this is a text field. The application checks the value when it creates
the form.
Status
Select the appropriate form status from the list box. A form can have the
status ON, OFF, or TEST.
Activation date
Enter the date from which the form should be used. Use the format yyyy-
MM-dd.You can activate the form at a later date. For example, if your
company designs a new logo for the letterhead, you can create the form in
advance and activate it on a certain date.
Archive name
Enter the archive name of the logical archive where the form is stored. For
details about logical archives, see section 5.1 "Logical Archives" in OpenText
Archive Server - Administration Guide (AR-ACN).
Content type
Enter the content type (MIME type) of the form, for example, image/tiff.

Content
Use the Browse button to upload the first page of the form, that is the first
component. You can add pages later. For details, see “To change a form:” on
page 185.
3. Click OK. The application returns to the Forms page. The list shows the new
form.
25.4.3 Testing a form

1. On the Forms page , click Create test document .
The Create a test document page opens.
2. Specify the following parameters:
Document name
Enter a name for the test document.
Archive name
Enter the Archive name for the logical archive where the test document is
stored.
Form name
Click a form in the list box.
Component content
Enter typical text for the kind of document to be used with this form.
3. Click Submit.
25.4.4 Changing a form
Important
If you change an already used and activated form, these changes are
immediately in place for the next viewing request. Therefore, be careful with
changes, and use the version scheme to create new forms.
To change a form:
1. In the navigation area, click Form overlay.
This page displays an overview of the parameters for all the forms:
2. On the Forms page, click Edit form in front of the form you want to modify.
The Edit form page opens.
3. You can change the following parameters or files:
Status
Select a status in the list box.

Activation date
Enter the activation date of the form. Use the format yyyy-MM-dd.
Upload
Select a file to upload:
Form info
Upload the FORM.INFO file created by Windows Viewer and link it to the
form.
For information on how to change the layout and position of the form
overlay, see Open Text Imaging Windows Viewer - User Guide
(CLWVW090700-UGD).
Content
Add another component (page) to the form.
Click Browse to navigate to the appropriate file.
4. Click Submit.
The application returns to the Forms page. If you added a new component, you
can see that the number of components has increased accordingly.
25.5 Managing access for ArchiveLink calls

You can protect ArchiveLink calls from TCP Context Server to Archive and Storage
Services by key management. If you secure this communication, you must also
protect the ArchiveLink calls from the client to TCP Context Server by importing
certificates.
25.5.1 Setting a default ACL for newly archived documents

With the ACL mapping functionality, you can specify users per logical archive. For
each user, you can specify the default record permissions (default ACL) of a
document type. When the user archives documents to the logical archive, these
default record permissions are used instead of the default record permissions of the
ixos.dms:entity system record type.
You can specify a user for each logical archive, and assign default permissions to
this user with an ACL. When documents are archived via ArchiveLink, these default
permissions are used instead of the permissions of the system record type. For
details, see Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
Note: You can only set, view and remove default ACLs when you are logged
in as a member of the DMSCustomizers group (for example DMSCustomizer)
with the domain _internal.
To set a default ACL for documents archived via ArchiveLink:


2. In the navigation area, click ACL mapping.

The ACL mapping for ArchiveLink page opens with a list of the logical
archives.
3. Select an appropriate user from the User list box. This user creates the
documents to be archived with the default ACL and owns the documents.
4. Select an appropriate default ACL from the Default ACL of document type list
box, for example mycompany.sales:Proposal.
To view a default ACL for documents archived via ArchiveLink:

Viewing is only available if you already defined a mapping.
archives.
3. Click the View ACL link of the archive. The Default ACL of Entity Type page
opens with a list of the individual users/groups and their permissions.
4. Click Back. The application returns to the ACL mapping for ArchiveLink page.
To remove a default ACL for documents archived via ArchiveLink:

archives.
3. Click Remove of the archive you want to remove the default ACL from. The
application returns to the ACL mapping for ArchiveLink page.
25.5.2 Protecting the archive server connection

To protect the archive server connection:

2. In the navigation area, click Key management to manage security keys and
certificates.
The following features are available:
• Show current private key and certificate
Displays details to the private key and the corresponding public certificate.
Click Show Cert. to view the certificate.
• Replace current private key and certificate
Use this feature if you want to replace the default private OpenText key with
one from a trust center.
1. Click Browse to select a pem containing the key certificate pair (certificate
and key).
2. Click Upload Cert. to replace the current key and certificate by the pair
selected in step 1.
• Send certificate to the Archiving Services
After uploading the new pem file, you must send it to the Archiving Services
where it will be activated. Select which logical archive the certificate should
be used for and confirm with Send Cert.
You must enable the certificate on the archive server. For details, see section
7 "Configuring Security Settings" in OpenText Archive Server - Administration
Guide (AR-ACN)).
• Create internal user corresponding to the private key
Some scenarios (like following hyperlinks in print lists, accessing some
forms) require the creation of an internal user from the internal certificate. To
create such a user, you must be logged on as an User Management Server
administrator.
Click Create User to create an internal user.
The name of the new user is ixos. That user's password should be changed
within User Management Client.
• Show enabled user certificates
Click OK to display all enabled user certificates.
• Show disabled user certificates
You must be logged on as a User Management Server administrator.
Click OK to display all disabled user certificates
25.5.3 Protecting the client connection

A user may be authenticated via an access token or a signed URL. If a content
request comes without such authentication information, it may run in the default

context specified by the default user. This user is created with the Import Certificate
Wizard. The signed URLs are specified by SAP within the ArchiveLink 0045 interface.
SSO checker for signed URLs is configured by default in User Management (see
“Configuring the SSO checkers” on page 257) and the need for a signature must be
activated via the logical archive on the archive server (see section 7.2.3 "SecKeys
from SAP" in OpenText Archive Server - Administration Guide (AR-ACN)).
This wizard creates an enabled default user in User Management and sets the
necessary rights.
Note: You can only perform this wizard as User Management Server
administrator.
To import certificates:
2. In the navigation area, click Import certificates to start the Import Certificate
Wizard.
3. Authenticate as UMS administrator
a. To authenticate as User Management Server administrator, enter its user
name, clientele, domain and password.
b. Click Next.
4. Choose archive
a. Select the logical archive to be enabled.
b. Click Next.
5. Set user rights
a. Enter the name of the default user you want to create. The default user gets
the rights needed for the creation of a user.
b. Click Next.
6. Send certificate from the leading application
Open your leading application (for example SAP) and send the certificate to
TCP Context Server.
7. Import certificate
Transfer a certificate from the leading application.
a. Open your leading application (for example SAP) and send the certificate to
TCP Context Server.
b. If the certificate is sent successfully, click Next.

8. Remove user rights

a. Enter the name of the default user.
b. Click Next.
The additional rights are taken away from the default user.
9. Enable created user
a. Select the created user in the list box.
b. Click Next.
The user is enabled.
10. Add membership
a. Select the RootEntity Creators group and click Next.
b. Click Next.
11. Certificate customized
Click Finish to exit the wizard.
25.6 Using jobs to perform administrative tasks

TCP Context Server offers a set of predefined administrative tasks which you can
start. You can also create your own tasks. Tasks are defined in JavaScript files. To
start tasks use jobs. You can execute jobs manually or automatically according to a
time schedule.
Manual job execution
To run a script manually, make sure that the script is available in the scripts
directory and start a job in the Available Jobs list, see “Executing jobs manually
using TCP Context Server administration Web GUI” on page 197.
Scheduled job execution (optional)
To run a script automatically, script execution use the job scheduling
functionality in Open Text Administration (Administration Client) of Archive
and Storage Services. For details, see “Scheduling TCP Context Server jobs” on
page 199).
According to the scheduling, a job triggers the dmsremotcmd command, which
starts the defined script on TCP Context Server. This is useful for regular tasks
(for example purgejob).

Figure 25-1: Manual and scheduled TCP Context Server job execution
Note: The scripts can be found in the directory

<webapps>/archive/config/scripts within the Tomcat directory on TCP
Context Server. You can add additional JavaScript scripts here.
25.6.1 Standard jobs

This sections describes when and how to use standard jobs delivered with TCP
Context Server.
If you use jobs, start the purge job regularly, preferably using the scheduler, see
Purge job on page 196.
Rendition generation
If you use the additional solutions for rendition generation, OpenText
recommends to use this job.
It is possible to render documents to other formats, for example TIFF or PDF.
This has the advantage that these formats are more suitable for long-term
archiving. The conditions for rendering are defined in TCP Modeler. The
rendition generation itself is managed by jobs on TCP Context Server. These jobs
cause the rendering service to start processing queued render requests.
Recommended scheduling: hourly or daily.

Manual execution Scheduled execution

Script name/ renderjob.js dmsremotecmd
Command
Parameters (renderjob)1
Notes:
1. Parameter is only relevant for scheduled execution. Do not enter parentheses.
Restart of failed rendition jobs

Use the restartrenderjob job to restart failed jobs that are located in the
Rendition Server error queues.
Note: The restartrenderjob job is available if patch TCP-1001–077 or
higher is installed. For more information about patches, see
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/14866608.
For more information about error queues, see “Using the Fulltext Server error
queues” on page 207. When restartrenderjob is started, the specified jobs will
be rescheduled, that is moved from the error queues of the Rendition Server to
the queue of the renderjob. You can specify whether you want to restart all jobs
or jobs with specific error codes.
Recommended scheduling: hourly or daily.

Script name/ restartrenderjob.js dmsremotecmd
Command
Parameters (restartrenderjob) <error code (list)>|all1
all: All jobs will be restarted

<error code (list)>: Jobs with a certain error code or certain error
codes will be restarted. Use a space as separator for error codes.
Notes:
1. First parameter put in parentheses is only relevant for scheduled execution. Do not enter
parentheses.
Reindex job for fulltext

If you use the additional solutions for fulltext indexing, OpenText recommends
to use the reindex job.
If your index is damaged, you must reindex your documents.
Recommended scheduling: perform manually.


Script name/ reindexjob.js dmsremotecmd
Command
Parameters (reindexjob) index <entity type id> [-sd dd.MM.yyyy] [-ed
dd.MM.yyyy]1
If you want to define a time frame for the document creation, spec-
ify a start date (sd) and an end date (ed).
Notes:
parentheses.
Remove documents from fulltext index

If you want to remove documents from the fulltext index use the reindex job
with the remove parameter. .
Recommended scheduling: perform manually.

Script name/ reindexjob.js dmsremotecmd
Command
Parameters (reindexjob) remove <entity type id> [-sd dd.MM.yyyy] [-ed
dd.MM.yyyy]1
If you want to define a time frame for the document creation, spec-
ify a start date (sd) and an end date (ed)
Notes:
parentheses.
Deleting entities when retention period expires

To delete entities when their retention period expires, use the retention job. The
retention period is a period of time after which a document is automatically
removed from the archive or otherwise processed. Entities that are already
archived on optical media are not physically deleted but the references to these
entities in the database of the archive server are deleted.
Note: To control how and for how long enterprise content is retained,
OpenText strongly recommends to use Livelink ECM – Records
Management (instead of retention jobs). For details, see part 1 "Open Text
Records Management" in Open Text Transactional Content Processing -
Scenario Guide (TCP100001-GCS).
The customizer sets the retention period in TCP Modeler (see section 20
"Retention period" in Open Text TCP Modeler - Customization Guide (TCP100001-
CGD)).

Important
The delivered retentionjob.js script is only a sample and starting
point for custom development. After a standard installation, there are no
entity types in the system for which a retention period is defined;
therefore by default this script will not find anything to delete. Contact
OpenText Global Services if you want to use retention management.

Script name/ retentionjob.js dmsremotecmd
Command
Parameters (retentionjob) <entity type>1
Notes:
Pipeline enqueueing jobs

If the corresponding pipelines are installed on TCP Context Server, use the
pipeline enqueueing jobs to schedule the ingestion process.
Note: To use the enqueueing tools for a locally installed document pipeline,
you must adapt the scripts manually. For details, see section 10 "OpenText
TCP Document Pipelines installation" in OpenText Transactional Content
Processing - Installation Guide (TCP-IGD).
startCODMS
This job starts the COLD document pipeline to process data and documents
to be archived into TCP Context Server.
Recommended scheduling: hourly.

Script name/ startCODMS.js dmsremotecmd
Command
Parameters (startCODMS)1
For a description of all other parameters, see section 6.3 "Starting
the Document Pipelines Using Jobs" in OpenText Document Pipelines
- Overview and Import Interfaces (AR-CDP).
Notes:
startCODMSR3
This job starts the COLD document pipeline to process data and documents
to be archived into TCP Context Server. Attributes are archived to SAP.


Script name/ startCODMSR3.js dmsremotecmdr3
Command
Parameters (startCODMSR3)1
Notes:
startCODMSXSL
This job starts the COLD document pipeline to process XML data to be
archived into TCP Context Server.

Script name/ startCODMSXSL.js dmsremotecmd
Command
Parameters (startCODMSXSL)1
Notes:
startCODMSXSLR3
This job starts the COLD document pipeline to process XML data to be
archived into TCP Context Server. Attributes are archived to SAP.

Script name/ startCODMSXSLR3.js dmsremotecmd
Command
Parameters startCODMSXSLR31
Notes:

startEXDMS
Starts the batch import document pipeline to process data and documents
which are to be imported into TCP Context Server.

Script name/ startEXDMS.js dmsremotecmd
Command
Parameters (startEXDMS)1
Notes:
startEXDMSR3
Starts the batch import document pipeline to process data and documents
which are to be imported into Context Server and SAP.

Script name/ startEXDMSR3.js dmsremotecmd
Command
Parameters (startEXDMSR3)1
Notes:
Purge job
This job removes stored information about previously executed jobs from TCP
Context Server. This includes message protocols that each job creates in the
var\log\messages directory of TCP Context Server installation as well as some
statistics placed in the TCP Context Server database for each job execution.
This job uses the settings Job Age before Purging and Jobs Kept after
Purging (Max Number). Configure these parameters as desired in the
DMSCORE package in the TCP Context Server Configuration Web GUI. For
details, see “Configuring Context Server (DMSCORE)” on page 232.
Recommended scheduling: daily, during after-hours


Script name/ purgejob.js dmsremotecmd
Command
Parameters (purgejob)1
Notes:
25.6.2 Executing jobs manually using TCP Context Server

administration Web GUI
To start a job
1. Make sure that the script you want to execute is available in the directory
webapps\archive\config\scripts within the Tomcat directory on TCP
Context Server, for example in the
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\-
archive\config\scripts directory.
2. Open the TCP Context Server administration by entering

3. In the navigation area, click Jobs.
4. To see the current state of the jobs (scripts) in the Available Jobs list, click
Refresh below the Parameter box.
Note: The Description column in the Available Jobs list shows the text
that is contained in the script file line starting with // @description.
5. In the Parameter box, enter the desired parameters for the job (script) you want
to execute.
6. In the Available Jobs list, go to the job (script) you want to execute and click
Start. The execution starts and the job appears in the Active and completed jobs
list.
Note: If you want to abort a running job, click Abort. Then the job is aborted
immediately. You cannot resume an aborted job.
Using the log file

A finished job can have one of the following states:
• 0: OK
• 1: An error occured. Click View log to see detailed information.

25.6.3 Executing scheduled jobs using Open Text

Administration
To use the job scheduler in Open Text Administration (Archive and Storage
Services), perform the following major steps:
1. Install dmsremotecmd, see “Installing dmsremotecmd” on page 198.

2. Make sure that the script you want to execute is available in the directory
webapps\archive\config\scripts within the Tomcat directory on TCP
Context Server, for example
C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\-
archive\config\scripts.
3. Set the parameters for the communication between the scheduler and TCP
Context Server, see “Setting communication parameters on the archive server”
on page 198.
4. Create and schedule the TCP Context Server jobs, see “Scheduling TCP Context
Server jobs” on page 199.
25.6.3.1 Installing dmsremotecmd

• On Archive Server 9.6:
From the Open Text TCP CD-ROM, install the dmsremotecmd file from path
<TCP_CD-ROM>/dmsremotecmd/LEA–9.6.
• On Archive and Storage Services 9.7

From the Open Text TCP CD-ROM, install the dmsremotecmd files from path
<TCP_CD-ROM>/dmsremotecmd/Archiving-Services–9.7.x.
25.6.3.2 Setting communication parameters on the archive server

To configure the communication between the scheduler and TCP Context Server, set
the following configuration parameters on the archive server. For details how to set
these parameters, see the documentation on <TCP_CD-ROM>/dmsremotecmd
corresponding to your version of installed Archive and Storage Services to configure
these parameters.
Key Description Default

DMS_HOST Name of TCP Context Server where the JS -
scripts are located
DMS_PORT Port of TCP Context Server where the 18080
scripts are located
DMS_USER User name for jobs executed on TCP Con- DMSAdmin
text Server

25.7 Logging
Key Description Default

DMS_PASSWORD Encrypted password of the user =irokWj7rpDw=
If you want to
change the
password, en-
crypt it with the
command line
tool enc.
DMS_CLIENTELE Organization name in User Management defaultcliente
le
DMS_DOMAIN The domain to which the DMS_USER be- _internal

longs
DMS_PROTOCOL Protocol used for communication with http
TCP Context Server
Note: If you change the password of DMSAdmin user in User Management

Client, you must change it also in the Registry setting DMS_PASSWORD. For more
information about changing the password, see Purpose: dmsremotecmd on
page 357.
25.6.3.3 Scheduling TCP Context Server jobs

Create and schedule the TCP Context Server jobs (via dmsremotecmd. See the
documentation on <TCP_CD-ROM>/dmsremotecmd corresponding to your version of
installed Archive and Storage Services to).
OpenText recommends that you monitor the execution of these jobs daily (see part 5
"Monitoring" in OpenText Archive Server - Administration Guide (AR-ACN)).
25.7 Logging
TCP Context Server delivers an elaborate logging system for troubleshooting.
OpenText recommends that you use the default log level WARN for all components
during normal working times. For details, see “Static logging” on page 200.
For troubleshooting, extend the log level dynamically. For details, see “Dynamic
logging” on page 200).
Log levels The different levels of logging are:

ERROR ERR Errors that affect parts of the system, for example a spe-
cific functionality.
WARN WRN Unusual and unexpected situations that may or may not
be error situations.


INFO INF Trace log level for information that gives an overview of
what is happening in the system.
DEBUG DBG Trace log level to provide very detailed information.
LVE LVE Trace log level that indicates method exits (“LVE”).
ENT LVE Trace log level that indicates method entries (“ENT”) and
exits (“LVE”).
DEV DEV All messages are logged, including method entries
(“ENT”) and exits (“LVE”).
ALL ALL All messages are logged.
Static logging The static log level of the whole TCP Context Server is defined in the parameter Log
Level within the TCP Context Server configuration package COMMON. For details,
see “Configuring static logging (COMMON)” on page 229.
Dynamic logging For troubleshooting, it is possible to set the log level for selected categories
dynamically in the TCP Context Server administration.
To start dynamic logging:

2. In the navigation area, click Logging.
The Logging page opens.
All available categories are displayed in the categories list box.
3. Select the categories (with the mouse) you want to change the log level for.
Note: Look for category names, that is class names, in the error message or
the log file (see “To view log files:” on page 201) to find out which category
you must change. For help, contact OpenText Global Services.
Use SHIFT and STRG for multiple selection.
4. Select the log level for the marked categories in the Level list box.
5. Click OK.
The log level for the selected categories is changed.
Note: The log level will be reset to the values defined in the TCP Context
Server configuration package DMSCORE with the next server restart.

25.8 Unlocking records and undoing changes
To view log files:

2. In the navigation area, click Context Server core.
The page with the Logging section and other information section opens.
3. In the Logging section, click Show log file to view the contents of a log file.
ixcommon.log contains information about all components of TCP Context
Server. ixdms.log contains status information about the core of TCP Context
Server. OpenText Global Services uses this information for the solution of
hotline requests.
25.8 Unlocking records and undoing changes

You can unlock a record or undo the check out if a user who is unavailable has
checked out or locked a record.
Note: You must be a member of the DocumentAdmins group in order to use the
unlock or undo functionality.
To unlock records and undo changes:

http://<TCP Context Server>:<port>/archive/admingui in the address bar.
2. In the TCP Context Server section of the navigation area, click Undo checkout.
The Find records page opens.
3. Select whether you want to search for locked or checked out records.
4. Enter the user and its domain who locked or checked out records (e.g user
DMSAdmin and domain _internal). In addition or alternatively, you can select
the record type of the records.
5. If you want to refine the query, enter display name, date and/or record ID. You
can use wildcards for the display name: % matches any chars, _ matches one
char, \ for escaping.
6. Click Search to start the search.
A list with the locked or checked out documents opens. Above this list, the
search parameters are displayed.
7. Select Unlock in front of the document(s) for which you want to undo the
checkout and click OK.

25.9 Searching with the query builder

You can use the query builder to verify the SQL syntax or to execute arbitrary
queries. The query builder is a debugging tool.
The query builder helps you create a query in the TCP Context Server Query
language. This query language is described in Open Text Transactional Content
Processing - Using the TCP Context Server Query (TCP100001-PQU).
Tip: To reuse queries which are stored in the query cache, click Database -
Query cache in the navigation area.
To build a query:
http://<TCP Context Server>:<port>/archive/admingui in the address bar.
2. In the TCP Context Server section of the navigation area, click Build query.
The Query Builder page opens in a new window.
3. Build your query. If you use the Internet Explorer, you copy an element (for
example operator, entity type, property or relation) into the query field by
clicking on it. If you use another browser, do this by copy and paste.
4. Additionally, you can enter parameter values in the Parameter section to build a
query that uses parameters.
5. Select the appropriate options in the Options section.
Fetch limit
Limits the number of displayed hits to the value entered. You are informed if
the query produced more hits than displayed. Default is 200.
Timeout
Time in seconds a query may take to be executed. The query will be
terminated, when the timeout is reached. Use this option to avoid a
performance reducing action on your database while you are still testing
your query. Default is 10 seconds.
Format XML
Beautifies the XML you entered. Default is yes.
Show SQL
Displays the SQL statement that was formed according to your XML query.
Depending on the complexity of your XML query, there may be more than
one SQL statement. In this case they are numbered from 1 to n. Default is no.
Show Execution Plan
Displays the database execution plan or plans that are a result of the SQL
statement. Execution plans reveal the activity of a database while processing
the query. This information is provided for debugging and mainly intended
for use by OpenText Global Services. Default is no.

25.10 Managing Fulltext Servers
Execute
Executes the query. For testing and debugging, disable this option. Default is
yes.
6. Click Query to execute your query or to test the query syntax.

The Query Result page opens in a new window.
This window shows the query in the selected query formats (XML, SQL or
Execution Plan), a query result summary and the individual hits with their
properties.
Tip: If you request support, enable Show SQL and Show Execution Plan,
disable Execute and make the result page available to your contact person at
OpenText.

25.10.1 Configuring Fulltext Server on TCP Context Server side
This section describes only the configuration of the fulltext solution on TCP Context
Server side. For the installation and configuration description, see Open Text
Transactional Content Processing - Scenario Guide (TCP100001-GCS).
To configure the connection to a Fulltext Server:

and log on as user DMSAdmin.
2. In the External Servers section of the navigation area, click Fulltext Server -
Configuration.
The Fulltext Servers page opens with a list of the existing fulltext server
configurations.
3. Click Add new configuration to create a new Fulltext Server configuration.
The Add new configuration page opens.
4. Enter the following settings:
Configuration name
Descriptive name of the configuration.
Fulltext ID
ID of the configuration, for example My_Fulltext_Solution.
Enabled
Select this check box to enable this configuration.
Description
Short description of the fulltext engine

Host name
Name of the Livelink fulltext host
Fulltext server URL
URL of the fulltext host, for example
http://ll_server/livelink/livelink.exe
Administration user name

Name of the Livelink administration user. Default is Admin.
Administration user password
Password of the Livelink administration user. Default is livelink.
Query user name
Name of the Livelink fulltext query user. This user is used to execute fulltext
queries on Livelink side. For a description how to create this user, see section
11 "Setup of the XML Activator" in Open Text Transactional Content
Processing - Scenario Guide (TCP100001-GCS).
Query user password
Password of the Livelink fulltext query user.
Slice
Name of the associated Data Source (Slice) on Livelink side, for example
My_Fulltext_Solution.
Slice path
Specifies the directory in the fulltext carrier from which the XML Activator
process reads data as XML file. The carrier writes the documents into this
directory.
Propagate regions
The propagate regions functionality forwards the definition of the properties
to be indexed to the Livelink. This saves configuration efforts. Select one of
the following options:
• Propagate regions in case the Livelink fulltext server is already running
and the fulltext carrier is running on the same host as the Fulltext Server.
The bootstrap file is part of the carrier installation and must be manually
copied to the Slice directory. This file will be indexed as first file and will
make the regions (TCP properties) known on Livelink side.
• Don't Propagate regions in case the Fulltext Server does not run yet. You
must propagate the regions later.
• Propagate regions and create bootstrap file to create a bootstrap file
which is sent to the Livelink for indexing to make the regions known
there. This requires that the fulltext carrier runs on the Context Server
host.
You can set this option also later.
5. Click OK to save your settings. You return to the Fulltext Servers overview
page.

If you want to delete a configuration, click Delete in front of the configuration

name.
Click the configuration name link of the configuration you want to view or edit
the configuration.
6. Click Show XML Configuration File to see and edit the full configuration as it
is used by TCP Context Server, carrier and fulltext search. This includes
information on the MIME types to be indexed and the Content types (TCP
Context Server component names).

Content of the elements

<host>
Information about the Livelink host name and the URL to the Livelink
fulltext service
<admin>
Information about the name of the administration user and password
(encrypted)
<query>
Information about name of the Livelink fulltext query user, password
(encrypted) and query fetch limit
<id>
Information about the ID of the fulltext configuration. This element must
also contain the information about the corresponding search template ID, for
example <id name="My_Fulltext_Solution"
template="MY_FULLTEXT_OWNERID_208">, see section 12.4 "Specifying the
search template ID in XML configuration file" in Open Text Transactional
Content Processing - Scenario Guide (TCP100001-GCS).
<mimetypes>
List of MIME types which should be indexed or not.
<contentnames>
List of TCP Context Server component names which should be indexed or
not
<propertymappings>
List of additional properties which should be indexed. This element is
currently not supported.
<slices>
List of slices. Currently, only one slice is supported.

Important
Follow these instructions after the fulltext configuration:
1. After creating the search template, you must specify the search template
ID in the <id name> tag (of the XML configuration file) to avoid errors,
for example <id name="My_Fulltext_Solution"
template="MY_FULLTEXT_OWNERID_208">. For details, see section 12.4
"Specifying the search template ID in XML configuration file" in Open
Text Transactional Content Processing - Scenario Guide (TCP100001-GCS).
2. The fulltext configuration must not be changed if it is already used for
indexing, that is a fulltext filter that uses this configuration is defined
and documents are created with this document type.
3. You can define only one fulltext filter for a document type (= record
type).
4. Define the filter for exactly that operation that TCP Modeler delivers via
the Fulltext button. For details, refer to section 2.2.4 "Filters - fulltext
and rendition jobs" in Open Text TCP Modeler - Customization Guide
(TCP100001-CGD).
5. New configurations may be added, but the new configuration can only
be used for document types that are not already used for storing
documents.
6. Use only one single fulltext carrier per fulltext configuration, even if the
other carrier runs on a different computer.
25.10.2 Using the Fulltext Server error queues

As the error queues for the fulltext server and Rendition Server use the same
mechanism, using these queues is described here only once for the Fulltext Server. If
there is something different for Rendition Server, this is described in parentheses.
Several error queues are provided by the Fulltext Server and Rendition Server.
These error queues are visible in the TCP Context Server administration. Entries in
these error queues can be deleted (if the problem could not be fixed) or restarted (if
the problem could be fixed).
Display indexing In the navigation area, click Fulltext Server - Error queues (Rendition Server:
or rendering Rendition Server - Error queues).
errors
The Fulltext Server - Error queues (Rendition Server - Error queues) page opens
with a list of the error queues.

Columns
The following table shows the columns with their descriptions.
Column Description
Error Code Displays the error code number
Number of Errors Displays the numbers of errors if you
have activated the show cumulated er-
rors option.
Error description Start of the error description.
Click Show cumulated errors right to
the Error Description column header to
switch to the detailed description of the
error queues.
Host (origin) Displays the name of the fulltext or rendi-
tion server where the error occurs
DocID Display the docid of the document which
failed during fulltext indexing or render-
ing.
Record type Display the record type of the document
Timestamp Displays the time when the error occured
Maximum number of entries per error code

To keep the error queues list short, you can reduce the number of entries per
code in the Maximum number of entries per error code field. If you enter a
number less than 1, for example 0, all entries are displayed.
Show cumulated errors
Click Show cumulated errors to cumulate the error messages of the same
error code. Only one error per code is displayed. The Number of errors column
displays the number of errors for an error code.

If the error is caused by a faulty connection to the fulltext (indexing) engine, restart
all processes for the whole error queue after solving the connection problem.
To restart all error queues:

1. In the navigation area, click Fulltext Server - Error queues (Rendition Server:
Rendition Server - Error queues).
The Fulltext Server - Error queues (Rendition Server - Error queues) page
opens with a list of the error queues.
2. Click Restart all .
Note: This operation may take several seconds. You have to refresh the
browser window to see the results.
You can restart the selected errors to test if your troubleshooting has solved the
problem.
To restart the selected errors:

2. Select the errors you want to restart.
3. Click Restart selected .
If the cumulated errors view is on, all error entries of the same error code are
restarted.
You can restart a single error class to restart all errors of the same error class:
To restart a single error class:

2. Click Show cumulated errors to cumulate the error messages if the
cumulated view is not already switched on.
3. Select the error (classes) you want to restart.
4. Click Restart selected .

If the problem could not be solved, you can delete the error in the error queue.
To delete the selected errors:

2. Select the error (classes) you want to restart.
3. Click Delete selected .
You can delete all error in the error queue.
To delete all error queues:

2. Select the icon for all queues.
3. Click Delete all .
25.11 Managing Rendition Servers

25.11.1 Configuring Rendition Server on TCP Context Server
side
To use Rendition Server with TCP Context Server:
1. Install Rendition Server. For details, see OpenText Rendition Server - Installation
and Administration Guide (RS-IGD).
2. Administer Rendition Server. For details, see OpenText Rendition Server -
Installation and Administration Guide (RS-IGD)
3. Configure the connection to Rendition Server. For details, see “Rendition Server
configuration in the TCP Context Server administration” on page 211.
4. Customize TCP Context Server to use Rendition Server. For details, see
“Customizing TCP Context Server to use Rendition Server” on page 212.

5. Create jobs in the TCP Context Server administration. For details, see “Creating
rendition jobs in TCP Context Server administration” on page 213.
6. Customize the supported source MIME types. For details, see “Customizing the
supported source MIME types” on page 214.
7. Define filters in TCP Modeler. For details, see section 2.2.4 "Filters - fulltext and
rendition jobs" in Open Text TCP Modeler - Customization Guide (TCP100001-
CGD).
25.11.1.1 Rendition Server configuration in the TCP Context Server

administration
To configure the connection from TCP Context Server to Rendition Server:

1. In the External Servers section of the navigation area, click Rendition Server -
Configuration.
The Rendition Servers page opens with a list of the existing Rendition Server
configurations.
2. Click Add new configuration to create a new Rendition Server configuration.
The Add new configuration page opens.
3. Define the parameters for the connection:
Configuration name
Enter a name for the connection, for example the computer name. This name
is used to identify the connection in log files and job protocols.
Description
Enter a description for the connection.
Enabled
Use this option to enable Rendition Server.
Host
Enter the name of the computer where the Rendition Server is installed.
Port
Enter the port number of the Rendition Server. The default port number is
18080 for HTTP and 18090 for HTTPS.
Protocol
Select HTTP or HTTPS as the protocol of the connection between TCP Context
Server and Rendition Server.
Connector
Enter the configured application name. Default is render.
All these parameters are used to generate a URL to render the documents.
4. Click OK to save your settings. You return to the Rendition Servers overview
page.

5. If you want to delete a configuration, click Delete in front of the configuration

name.
6. Click the configuration name link of the configuration you to view or edit the
configuration.
25.11.1.2 Customizing TCP Context Server to use Rendition Server
To customize TCP Context Server to use Rendition Server:

1. Open the TCP Context Server configuration in a browser window by entering
http://TCP Context Server:<port>/archive_config in the address bar.
2. In the login window, enter user login, password, and domain. Use the Admin
login for administration tasks.
The TCP Context Server configuration opens.
3. In the Configuration Packages section of the navigation area, click FILTER.
The FILTER page opens.
The upper part contains common filter parameters and the Fulltext User
Password which is not relevant here. The common filter parameters have
default values which you need only to re-configure in rare cases, for example
after changing the password of the FilterUser user. The lower part starting
with Render All in One contains the parameters specific for rendering.
Filter
Global switch for enabling or disabling filter handling. You can only use the
fulltext or rendition server if the filter is on. Default is on.
Filter Log Level
Log level for filters. For a description of the log levels, see “Logging” on
page 199. Default log level is WARN.
Filter Update Configuration Interval (sec)
This interval indicates how often the filter reads the filter configuration. To
modify the filter configuration in TCP Modeler, see section 4.2.6 "Filters" in
Open Text TCP Modeler - Customization Guide (TCP100001-CGD). Default is
300 seconds. This is the recommended setting.
Filter User Password
Enter the password for the user FilterUser. You do not define or change
the password here, but in User Management Client.
Render All in One
Default is Yes, that is, all components of a record are merged into a single
rendition. This option enables you, for example to render multiple single-
page TIFF files that belong together into one document.
Render Configurations File
Default is <Tomcat>/webapps/archive/config/setup/rendertypes.xml.

Specify the file that contains your rendering configurations. Within TCP
Modeler, you reference to one of these configurations within this file. For
details, see section 6.5 "Defining filters in Open Text TCP Modeler" in Open
Text Rendition Server - Installation and Administration Guide (RS090701-IGD).
Render Eliminate Duplicate Jobs
Default is on. This is the recommended setting. Disable this option for
troubleshooting purposes only.
Render Queue Size
Length of the rendition job queue in the memory. Default is 10. Use as small
a number as possible. The following is the formula to calculate the minimum
size: <Number of rendition servers> multiplied by <number of concurrent
connections> plus a small safety.
Render TCP Context Server URL
Specify the URL of the source document. Default is:
http://<TCP Context Server>:18080/archive.
You can use HTTP or HTTPS. Default port number for HTTP is 18080.
Default port number for HTTPS is 18090.
Check your installation of ArchiveLink for the correct path. By default this is
/archive.
Render User Password

Enter the password for the RenderUser when connecting to Rendition
Server. You do not define or change the password here, but in User
Management Client.
Rendition Server Concurrent Connections
Specify the number of concurrent connections to each rendition server you
configured. Set the number of connected Adlib Express computers plus a
small safety. (Rendition Server uses the Adlib Express software.)
Rendition Status Poll Interval (ms)
Poll interval (in milliseconds) to check states of rendering jobs. Default is
10000 ms. Decreasing this interval leads to a higher server load due to more
frequent polling. Increasing this interval extends the period until a document
is available in the system. If you are running multiple concurrent
connections, a longer interval is recommended to keep the server
performance.
5. Click Save. The page reappears with the message The re-configuration was
successful. You must restart the application for the changes to take effect. .
6. To make your changes effective, restart TCP Context Server.
25.11.1.3 Creating rendition jobs in TCP Context Server administration

Define and schedule the jobs for creating renditions with the TCP Context Server
administration via Jobs. The jobs run on the archive server.

All aspects of creating and scheduling jobs on TCP Context Server are covered in
detail in “Using jobs to perform administrative tasks” on page 190.
Required parameters for dmsremotecmd:
• --host <TCP Context Server>
• --port <TCP Context Server>
• --user DMSAdmin
• --password <not encrypted password of DMSAdmin>
• --domain _internal
• --clientele <clientele> renderjob
Note: renderjob must be the last entry in the parameter list of the
command.
Example: dmsremotecmd --host duffy --port 18080 --user DMSAdmin --
password geheim --domain _internal --clientele defaultclientele
renderjob
The documents are rendered according to the scheduling of the rendering job. If
problems occur, the documents are queued in an error queue. For details, see “Using
the Rendition Server error queues” on page 216.
25.11.1.4 Customizing the supported source MIME types

You must verify and customize the supported and unsupported source MIME types
. Do this in the
<Tomcat installation>\webapps\archive\config\setup\rendertypes.xml file.
This file contains a default configuration named globalwhich is used if no other
configuration is specified by the customizer in TCP Modeler with the rendition
filter's Configuration parameter.
Every MIME type is a compound of a type and a subtype (type/subtype), for
example application/pdf). The rendertypes.xml file allows you to exclude and
include certain MIME types to be processed by the render job.
Important
The configurations done in the rendertypes.xml file must match the
capabilities of the Adlib Express Server. This means that you must exclude
existing source MIME types that are not supported by Adlib.
Every document of a MIME type that is not supported results in a rendition error
queue entry.

Tags in the rendertypes.xml file:

<config name="<config name>">
The tag specifies the unique name of the configuration.
Note: The global default configuration must always exist.
<default supported="false" />
The default tag specifies the treatment of MIME types that are not explicitly
listed. The recommended setting is false. Documents of MIME types that are not
listed are then ignored. The documents are listed in the error queue, but not
passed to the Rendition Server.
<type name="application" supported="true"><type />
The type tag specifies the treatment of all MIME types of a certain type. In this
example, all MIME types of the type application are supported.
<exception name="vnd.dxr" />
The exception tag can appear within a <type> tag only. It specifies subtypes that
are excluded from the treatment specified with the <type> tag. In the example,
the subtype vnd.dxr of the type application is not supported.
<preferred><preferred />
The preferred tag is not utilized.
Example:
<render-types version="1">
<config name="global">
<default supported="false" />
<type name="application" supported="true">
<exception name="vnd.dxr" />
</type>
<type name="text" supported="true" />
<type name="multipart" supported="false" />
<type name="image" supported="false" />
<type name="audio" supported="false" />
<type name="video" supported="false" />
<type name="model" supported="false" />
<type name=" " supported="false" />
<preferred>
<mimetype name="text/rtf" />
<mimetype name="application/pdf" />
<mimetype name="application/rtf" />
<mimetype name="text/html" />
<mimetype name="text/plain" />
<mimetype name="text/xml" />
</preferred>
</config>
</render-types>

25.11.2 Using the Rendition Server error queues

As the error queues for the Fulltext Server and Rendition Server use the same
mechanism, using these queues is described only once in “Using the Fulltext Server
error queues” on page 207.

Chapter 26
Administering the database
26.1 Reorganizing the database and updating

statistics
Via Database - Administration, you can start the following reorganization jobs:
• Delete ACLs which are no longer referenced by any entity.
• Remove columns for which the corresponding property types have been
removed from the record type. When you remove a property type from a record
type in TCP Modeler, the corresponding column of the database table is not
actually deleted since this would cause unreasonable load on the system.
Instead, these kinds of columns are no longer used. You can use scheduled
system downtime to remove the respective columns from the tables.
Note: All of these actions can take several minutes and block the whole server.
To start a reorganization:
2. In the Database section of the navigation area, click Administration.
The Administration page opens with a list of the jobs you can execute.
3. Click the button next to Reorg ACL or Reorg Entity types.
26.2 Performing consistency checks for tables and

folders
Via Database - Consistency checks, you can start consistency checks for tables and
folders in the database.
Note: Consistency checks can take several minutes and block the whole server.
To start consistency checks:

2. In the Database section of the navigation area, click Consistency checks.
The Database checker page opens.

Chapter 26 Administering the database
3. Click Table consistency check, or Folder consistency check.

When the consistency check is finished, the Table consistency check or Folder
consistency check page opens displaying the results of the check. The table
consistency check shows all entities with their tables, columns and views. The
page informs you about the state of tables, columns and views as well as the
number of records contained in tables and views.
The folder consistency check page informs you about:
• Results of the entity table against folder table check
• Whether each folder has a display name
• Whether each folder has a parent folder
• Whether each folder has a single homing (that is whether each folder has
only one parent folder)
• How many members each folder has (that is how many documents and sub-
folders the folder contains)
• How many existing members each folder has
• Whether the display names of objects in this folder are unique
26.3 Debugging the database

In the Database section, the TCP Context Server administration offers many tools
for getting information about the database state and structure. This information is
basically provided for debugging and mainly intended for use by OpenText Global
Services.
26.3.1 Viewing the status of the database

2. In the Database section of the navigation area, click Status.
The Database status page opens.
3. Click an entity type, property type, relation or block to display detailed
information about the respective object.
The database status page informs you about:

• Database parameters
• Schema update history
• List of entity types linking to the individual parameters of each entity
• List of property types linking to the individual parameters of each property

• List of relations linking to the individual parameters of each relation

• List of blocks linking to the individual parameters of each block
Note: Blocks are logical units that aggregate all functions of an area, for
example all functions for one entity type (create, update, delete).
• List of counters
26.3.2 Viewing the entity type hierarchy

The Entity type hierarchy page displays the hierarchy of the entities in the database.

2. In the Database section of the navigation area, click Type hierarchy .
The Entity type hierarchy page opens.
3. Click an entity type to display detailed information about its attributes,
localization, ACL, Default ACL, properties, relation source, relation target and
indices.
26.3.3 Viewing the ACL cache

The ACL cache page displays the ACL cache.

2. In the Database section of the navigation area, click ACL cache.
The ACL cache page opens.
26.3.4 Viewing the query cache

The Query cache page displays the last executed queries. The cache can contain up
to 17 entries. Use this cache to repeat queries by copying from this cache into the
query builder, see “Searching with the query builder” on page 202.

2. In the Database section of the navigation area, click Query cache.
The Query cache page opens.

Chapter 26 Administering the database
26.3.5 Viewing the database connections

The Connection pool page displays the number of connections available and which
threads currently use a connection.
The first column shows the available connections with a connection name, the
internal number of the connection and the number of all available connections. The
default number of connections is 20 plus one connection used by the system.
The second column shows connections currently used by a thread. You see the name
of the thread as it was handed over by the Tomcat server as well as the internal
number of the connection it uses.
Tip: To view the activity of that thread, check the ixdms log file. For details, see
“Logging” on page 199.

http://<TCP Context Server>:<port>/archive/login in the address bar and
log on as DMSAdmin.
2. In the Database section of the navigation area, click Connection pool.
The Connection pool page opens displaying the list of database connections.
If you want to view the stack traces in the log, click Dump stack traces to log. The
page reopens with the message Stack traces dumped to log. . The log file is stdout
which is visible in the Tomcat log file. To view the log files, switch to the Tomcat
server log directory and open the newest stdout log file.
26.3.6 Searching component information

Use the Component information page to search for entities with components. For
example, a component can be an attached document.
Tip: The search is case sensitive.

2. In the Database section of the navigation area, click Component information.
The Component information page opens with the Entity ID input field.
3. Enter an entity id and click Search.
The Component information page reopens, listing the components and
component attributes of the specified entity.

26.3.7 Searching table information

Use the Table information page to search for detailed information about tables,
views, columns and indices. This detailed information comprises attributes,
localization, ACL, default ACL, properties, relation target and index keys.
Tip: The search is case sensitive.

2. In the Database section of the navigation area, click Table information.
The Table information page opens with the Table or view, Column and Index
search fields.
3. Enter the name of a table, view, column or index (for example DMSServer in the
Table or view field) and click the Search button.
The Table information page reopens. Hits are displayed below the search
fields. Click the name of the entity type to display detailed information about
the attributes, localization, ACL, default ACL, properties, relation target and
index keys of this entity type.

Chapter 27
Re-configuring TCP Context Server via
configuration packages
You re-configure the initial settings of TCP Context Server using the TCP Context
Server configuration Web GUI.
The initial password for the Admin user is set during installation but can be changed
with a command line tool, see “Changing password for TCP Context Server” on
page 238.
To start the TCP Context Server GUI use one of the following ways:
• Open the TCP Context Server configuration in a browser window by entering
http://<TCP Context Server>:<port>/archive_config in the address bar.
Enter Admin and the password you specified during installation and click Log
on.
• Open the TCP Context Server administration in a browser window by entering
and log on as DMSAdmin. In the navigation area, click Context Server
configuration.
27.1 Configuring configuration and logging

directories (ROOT)
To configure ROOT settings:
1. In the Configuration Packages section of the navigation area, click ROOT.
The ROOT page opens with the fields Configuration Directory and Logging
Directory.
2. Change the parameters as desired.
Configuration Directory
This directory contains the TCP Context Server configuration files.
Logging Directory
This directory contains the TCP Context Server log files.
3. Click Save.

Chapter 27 Re-configuring TCP Context Server via configuration packages
27.2 Configuring the database access (DBM)

All TCP Context Server database parameters are configured during installation. You
can reconfigure them in the DBM configuration package.
Note: If you use an existing database, make sure that the following
prerequisites are met:
• The database fulfills the necessary requirements.
• The database is running.
Important
Consider that the Tomcat server must be restarted if the data source is
created new or is changed.
If the access to the database is configured via data source, this configuration
must be done manually for all TCP Context Servers in a clustered
environment.
To configure database settings:

1. In the Configuration Packages section of the navigation area, click DBM.
The DBM page opens.
2. Configure at least one kind of database connectivity (primary, secondary or
tertiary). Consider that the definition on the highest level is used. Thus it is
recommended to configure only one kind of connectivity to avoid confusion.
Primary DB Connectivity – Datasource Name
Select the name of a data source. The data source must be both configured in:
<TOMCAT_HOME>/webapps/archive/META-INF/context.html
<TOMCAT_HOME>/webapps/archive_config/META-INF/context.html
For details, see “Maintaining the Apache Tomcat data sources” on page 225.
Secondary DB Connectivity – JDBC URL
JDBC URL of the database.
For example:
jdbc:oracle:thin:@//<database host>:<listener port>/<listener
global database name>
or
jdbc:sqlserver://<database host>:<TCP/IP network protocol
port>;databaseName=<name of database>
Tertiary DB Connectivity – Host Name

Host name of the database server.
Tertiary DB Connectivity – TCP/IP Port
TCP/IP network protocol port of the database server.

27.3 Maintaining the Apache Tomcat data sources
The default port is:

• Microsoft SQL Server: 1433
• Oracle listener: 1521
Tertiary DB Connectivity – Database Name
Name of the database, for example DMS.
3. Change the settings as desired.
Database User's Logon
User name for the database, for example ixdms.
Database User's Password
Password of the database user.
Tablespace/File Group for Tables
Enter the tablespace/file group for tables, for example DMS_DATA.
Tablespace/File Group for Indexes
Enter the tablespace/file group for indexes, for example DMS_INDEX.
Drop Existing Tables
Caution
Handle this option with care. Only select Yes if you want to drop the
TCP Context Server database schema, in particular all database
tables. As a result, all kind of data and configurations stored before
will be deleted.
Create Initial Database Schema

The default is No. Select only Yes if you selected Yes for Drop Existing
Tables (see above) and if you want to create a database schema identical to
that of a newly installed TCP Context Server.
4. Click Save.

Tomcat provides means to maintain data sources for each Web application.
Note: Apart from the different paths the Tomcat maintenance is identical for
User Management Server and TCP Context Server. Therefore, the Tomcat
maintenance section exists only in the “Context Server administration” part but
is also referenced by the “User Management Server administration” part.
You provide the necessary information in the following files:
TCP Context Server:
<TOMCAT_HOME>/webapps/archive/META-INF/context.xml
<TOMCAT_HOME>/webapps/archive_config/META-INF/context.xml

User Management Server:

<TOMCAT_HOME>/webapps/ums/META-INF/context.xml
<TOMCAT_HOME>/webapps/ums_config/META-INF/context.xml
Important
• The two context.xml files for User Management Server must be
identical.
• The two context.xml files for TCP Context Server files must be
identical.
• Tomcat always restarts the Web application after you saved an edited
context.xml file.
• These data source definition files will be copied during installation of

User Management Server or TCP Context Server.
• Maintaining database connections via data sources must take place be-
fore initial configuration or re-configuration.
Tip: For details about the Tomcat context definition, see

http://tomcat.apache.org/tomcat-6.0-doc/config/context.html.
Sample With the installation of a TCP Web Application, a sample context.xml is installed.
context.xml You can modify this file.
<?xml version="1.0" encoding="UTF-8"?>
<Context> <Resource name="jdbc/oracle" ... (See “Oracle
connection (one instance)” on page 226)
/> <Resource name="jdbc/sqlserver" ...(See “SQL
Server database connection” on page 228)
/> <Resource name="jdbc/oracle-rac" ...(See
“Oracle Real Application Cluster (RAC) connection” on page 227)
/> </Context>
Oracle connection (one instance)

Use this section to connect to a single instance Oracle database.
<Resource name="jdbc/oracle"
type="oracle.jdbc.pool.OracleDataSource"
factory="oracle.jdbc.pool.OracleDataSourceFactory"
driverType="thin"
serverName="<database host>"
portNumber="="<listener
port>" serviceName="<listener global database name>"
description="Oracle Datasource" />

name
Provide a name for the connection and follow the naming convention
jdbc/<connection>. This name is displayed in the DBU (User Management
Server) or DBM (TCP Context Server) configuration.
type, factory, driverType
Leave the values as provided unless you know what you are doing.
serverName
Provide the name of the database host.
portNumber
Port of the Oracle listener. Default is 1521.
serviceName
Listener global database name, for example DMS or UMS.
description
Description of the connection for your information.
Oracle Real Application Cluster (RAC) connection

You can use this resource to connect one or more database hosts in an Oracle RAC.
However, if you use only one database host, you might want to use the easier syntax
of the first example.
<Resource
name="jdbc/oracle-rac"
type="oracle.jdbc.pool.OracleDataSource"
factory="oracle.jdbc.pool.OracleDataSourceFactory"
url="jdbc:oracle:thin:@(description=(address_list=(address=(host=<vir
tual
database host 1>)(protocol=tcp)(port=<listener port>))
(address=(host=<virtual database host
2>)(protocol=tcp)(port=<listener
port>))
(failover=on)(load_balance=on))(connect_data=(service_name=<listener
global database name>)))" description="Oracle RAC
Datasource" />
name
type, factory
url
With the URL you can address one or more database hosts. The following
example breaks the URL line of code into a more readable format. After editing
it, remove the line breaks and put the URL in one long line.

jdbc:oracle:thin:@
(description=
(address_list=
(address=(host=rac1-vip)(protocol=tcp)(port=1521))
(failover=on)
(load_balance=on)
)
(connect_data=(service_name=UMS))
)
Note: For TCP Context Server, the last line must contain DMS (instead of
UMS).
• address – identification of one database host. Add a line for each host.
• host – name of the database host. For Oracle RAC, use the virtual host name
which is typically identified by the -vip suffix.
• protocol – type of protocol, typically tcp.
• port – port of the Oracle listener. Default is 1521.
SQL Server database connection

Use this section to connect to a Microsoft SQL Server.
<Resource name="jdbc/sqlserver"
type="com.microsoft.sqlserver.jdbc.SQLServerDataSource"
factory="com.microsoft.sqlserver.jdbc.SQLServerDataSourceObjectFactor
y"
class="com.microsoft.sqlserver.jdbc.SQLServerDataSource"
serverName="<database
host>" portNumber="<database port>"
databaseName="<database
name>" dataSourceDescription="SQLServer Datasource" />
name
type, factory, class
serverName
Name of the database host.

27.4 Configuring static logging (COMMON)
portNumber
Port of the database host. Default is 1433.
databaseName
Name of the database. For example, UMS or DMS.
dataSourceDescription
Description of the connection for your information.

To configure log settings:
1. In the Configuration Packages section of the navigation area, click COMMON.
The COMMON page opens.

Log File Size (MB)
Maximum file size of the static log files, for example ixcommon.log and
ixdms.log.
The log files are saved in the \webapps\archive\WEB-INF\log directory.

Log Files to Keep
Maximum number of log files to keep. If the maximum number is exceeded,
the oldest log file will be deleted.
Log Level
Default static log level for all components. Default log level is WARN. For a
description of the log levels and dynamic logging, see .
If you want a different log level for a special component, you can define it as
a component parameter, for example in the DMSCORE or FILTER package
within the TCP Context Server configuration.
3. Click Save.
27.5 Configuring archive settings (ARCHIVE)

27.5.1 Configuring connection to the primary archive server
To configure connection settings:
1. In the Configuration Packages section of the navigation area, click ARCHIVE.
The ARCHIVE page opens with the parameters of the connection to the archive
server.

ArchiveLink Protocol Version

ArchiveLink protocol version to be used for Archive and Storage Services
Archiving Services Host
Name of the Archive and Storage Services host (archive server)
Archiving Services Port for Local Read Requests
Port number of the locally installed archive server for read requests
Archiving Services Port for Local Write Requests
Port number of the locally installed archive server for write requests
Archiving Services Port for Remote Read Requests
Port number of the remote installed archive server for read requests
Archiving Services Port for Remote Write Requests
Port number of the remote installed archive server for write requests
Archiving Services Servlet Path
Archive servlet path of the archive server
Default Application
Default Application for Archive and Storage Services. This information is
used as application name in the accounting of Archive and Storage Services.
Default Language
Default Language for the error messages of Archive and Storage Services.
Default User
Default User used for the connection to Archive and Storage Services. This
user owns the archived documents. This user information is used in the
accounting of Archive and Storage Services.
HTTP Buffer Size (bytes)
Buffer Size (in bytes) for assembling HTTP requests
HTTP Connection Timeout (msec)
HTTP connection timeout period for establishing the connection in
milliseconds.
HTTP Maximum Connections
This is the maximum number of concurrent HTTP connections between TCP
Context Server and all connected archive servers.
HTTP Maximum Connections per Host
This is the maximum number of concurrent HTTP connections between TCP
Context Server and a single archive server (host).
HTTP Protocol
HTTP Protocol used for the connections between TCP Context Server and
Archive and Storage Services.
HTTP Timeout (msec)
HTTP timeout in milliseconds for the connections between TCP Context
Server and Archive and Storage Services. This value indicates the maximum

27.6 Configuring connection to User Management Server (UMS)
response time for Archive and Storage Services. Value 0 means that there is
no timeout.
3. Click Save.
27.5.2 Configuring connection to further archive servers

The connection to the primary archive server is defined during installation. Therefore,
all known servers (that is further archive servers) of the primary archive server are
automatically available for TCP Context Server. The primary archive server is
marked with a crown in the TCP Context Server administration.
TCP Context Server controls the access to all the underlying logical archives of all the
known archive servers. However, you can disable logical archives if these archives
are not used by Open Text TCP but by the archive server directly. These can be
archives of an existing archive server system (before installation of Open Text TCP),
or archives used by other products.
Important
Do not add TCP Context Server as a known server in the Archiving and
Storage Administration, because this will lead to problems. See section 12
"Adding and Modifying Known Servers" in OpenText Archive Server -
Administration Guide (AR-ACN).
To disable a logical archive, see “Configuring the archive access” on page 182.
27.6 Configuring connection to User Management

Server (UMS)
To configure connection settings:
1. In the Configuration Packages section of the navigation area, click UMS.
The UMS page opens with the parameters of the connection to User
Management Server.
DMS Clientele
Clientele that contains the users and groups of TCP Context Server. Default
is defaultclientele. You can enter all values defined in User Management
Server.
HTTP Connect URLs
HTTP URL of User Management Server. You can enter more than one URL if
you are using more than one User Management Server. Enter each URL in a
separate line. Use the protocol field to select whether you want to use http or
https.

Note: You should use a HTTPS URL. The only exception would be a
common secure environment of User Management Server and TCP
Context Server.
HTTPS Connect URLs
HTTPS URL of User Management Server. You can enter more than one URL
if you are using more than one User Management Server. Enter each URL in
a separate line. Use the protocol field to select whether you want to use http
or https.
Protocol
Protocol to be used to communicate with User Management Server. If you
select http, the URLs in the HTTP Connect URLs field are used, else the
URLs in the HTTPS Connect URLs field are used.
3. Click Save.
27.7 Configuring Context Server (DMSCORE)

To configure TCP Context Server settings:
1. In the Configuration Packages section of the navigation area, click DMSCORE.
The DMSCORE page opens.

Administrator
User name of the TCP Context Server administrator.
Administrator Domain
Domain of the administrator. Default is _internal.
Administrator Password
Password of the administrator.
ArchiveLink Allow Basic Authentication
Allow basic authentication for content access. Default value is off, that is
TCP Context Server accepts only access tokens or signed URLs as credentials
for service calls. Otherwise, also user name and password are accepted.
ArchiveLink ISO8859-1 HTTP Port
This port must also be configured within the tomcat configuration in
server.xml. Default is 19080.
ArchiveLink ISO8859-1 HTTPS Port

This port must also be configured within the tomcat configuration in
server.xml. Default is 19090.
ArchiveLink Property Type Mappings

Mapping between ArchiveLink attributes and property types. Use the
following syntax:

27.7 Configuring Context Server (DMSCORE)
<Attribute>=<property type>
ArchiveLink Record Type Mappings

Mapping between logical archives and record types. Use the following
format:
<Archive ID>=<Record type>
Cache Maximum Object Size (bytes)

Maximum cacheable object size in bytes. Default value is 100000
(approximately 100 KB).
Cache Size (Percent of JVM Heap Size)
Cache size as a percentage of Java Virtual Machine heap size. Enter -1 to
disable the cache.
Crypto Property File
Path to the crypto property file containing the configuration parameters for
the used Java Crypto library.
Delete Content Job Batch Size
Maximum fetch limit for a query which searches for jobs to delete content.
HTTP Connect URL
URL for connecting to TCP Context Server via HTTP. Format:
http://<host>:<port>/<path>. This port also must be configured within
the tomcat configuration in server.xml.
HTTPS Connect URL
URL for connecting to TCP Context Server via HTTPS. Format:
https://<host>:<port>/<path>. You can enter both a HTTP Connect URL
and a HTTPS Connect URL. The URLs of all available cluster nodes are sent
to the client when the client connects. The client selects the URL according to
its strategy. This port also must be configured within the tomcat
configuration in server.xml.
Job Age before Purging
Number of days to keep the runtime information for each finished job. The
default is 7.
Jobs Kept after Purging (Max Number)
Maximum number of jobs to be kept after purging. The default is 1000.
Lock Default Timeout (sec)
Default time-out for document locks in seconds. The setting -1 means no
time-out. The default is used if the client requests a lock without indicating a
timeout value.
Lock Maximum Timeout (sec)
Maximum time-out for locks in seconds. The setting -1 means no time-out.
Lock Minimum Timeout (sec)
Minimum time-out for locks in seconds. The setting -1 means no time-out.

Log Classes
Logging for extra classes. Enter the following format:
<classname>=<loglevel>
Log Level
Log level for TCP Context Server start-up. For a description of the log levels,
see “Logging” on page 199. Default log level is WARN.
Log Performance Statistics
Flag for enabling or disabling the logging of performance statistics in
ixdms.log. Default value is off. Use logging for debugging, for example for
analyzing very long response times.
Mime Type Derivation
Allowing or prohibiting MIME Type Derivation. Default value is on, that is
TCP Context Server tries to determine the MIME type via the file extension if
the client sends content without content type or with a pseudo MIME type.
My Host Aliases
Enter aliases if you want to refer to the host by different names (for example
in lower case and upper case) or if you use different network adapters.
Separate the aliases by commas.
My Host Name
You can specify a host name if you use an environment with multiple host
names.
Notes Validation
Flag for enabling or disabling the validation of the XML structure in the
notes. Default value is on.
Query Fetch Limit
This fetch limit for queries indicates the maximum number of hits to be
fetched from the server. Such a limit helps you to keep the server load below
a certain level. This limit affects only the users and groups which are not in
the UnlimitedQueryResultGrantees group. Default value is 500. Enter 0 to
remove the fetch limit.
Hard Query Fetch Limit
Note: The Hard Query Fetch Limit setting is only available if patch
TCP-1001-005 or higher is installed on your system.
Maximum number of hits that a query can return. Default value is 0 which
means that there is no limit. In contrast to the Query Fetch Limit, this limit
affects all groups. OpenText strongly recommends that you specify a much
larger value for the Hard Query Fetch Limit than for the Query Fetch
Limit. OpenText recommends a range of 10000 up to a maximum of 100000,
depending on the main memory. This prevents that the query allocates a
significant percentage of the available main memory.

27.8 Configuring cluster settings for TCP Context Server (CLUSTER)
Query Timeout (sec)

Timeout for queries in seconds. Default value is 0 which means that there is
no timeout.
RPC Buffer Size (bytes)
Buffer size for remote procedure calls (RPC) in bytes. Default value is 8192.
Retrieve extended Content Info from Archiving Services
Extended content info from Archiving Services. Mark on or off. Default
value is off.
3. Click Save.
27.8 Configuring cluster settings for TCP Context

Server (CLUSTER)
The default values of initial configuration are based on the assumption that only a
single server is installed. For a cluster installation please adjust the settings for the
cluster node, load balancing weight, multicast address, multicast port and node
name on each node of the cluster.
To configure cluster settings:

1. In the Configuration Packages section of the navigation area, click CLUSTER.
The CLUSTER page opens.
Cluster Name
The name of the cluster. All nodes of the cluster must have the same cluster
name. The default value is set to the host name.
Load Balancing Weight
The load balancing weight of this node in the cluster. The value must be
greater zero. Specifies how many requests can be proportionally processed
by this node in regards to the other nodes of the cluster. The default value is
set to one.
Multicast Address
All nodes of the cluster must have the same multicast address, for example
“228.8.8.8”. No default value is provided.
Multicast Port
The multicast port number. All nodes of the cluster must have the same
multicast port number, for example “7500”. No default value is provided.
Node Name
The name of the node in the cluster. Each node must have a unique name.
The default value is set to the host name.

Protocol Stack
Defines the protocol stack. The default value is set to TCP based protocol
stack.
3. Click Save.
The message The re-configuration was successful. You must restart the
application for the changes to take effect. appears.
27.9 Configuring filters for Fulltext Server and

Rendition Server (FILTER)
Note: As the filter configuration for Rendition Server is one step in the
connection configuration process for Rendition Server, this is described in
“Customizing TCP Context Server to use Rendition Server” on page 212.
The filter settings for the Fulltext Server have default values which you need only to
re-configure in rare cases, for example if you changed the password of the user
FulltextUser.
To configure filter settings:

1. In the Configuration Packages section of the navigation area, click FILTER.
The FILTER page opens. The upper part contains general filter parameters and
specific parameters for the fulltext filter. The lower part starting with Render
All in One contains the parameters for rendering which are not relevant here.
Filter
Global switch for enabling or disabling filter handling. You can only use the
fulltext or rendition server if the filter is on. Default is on.
Filter Log Level
Log level for filters. For a description of the log levels, see “Logging” on
page 199. Default log level is WARN.
Filter Update Configuration Interval (sec)
This interval indicates how often the filter reads the filter configuration. To
modify the filter configuration in TCP Modeler, see section 4.2.6 "Filters" in
Open Text TCP Modeler - Customization Guide (TCP100001-CGD). Default is
300 seconds. This is the recommended setting.
Filter User Password
Enter the password for the user FilterUser. You do not define or change
the password here, but in User Management Client.
Fulltext User Password (only for Fulltext Server)
Enter the password for the user FulltextUser when connecting to the
Fulltext Server. You do not define or change the password here, but in the
User Management.

27.10 Configuring the Records Management (RM)
3. Click Save.
The message The re-configuration was successful. You must restart the
application for the changes to take effect. appears.
27.10 Configuring the Records Management (RM)

You can modify the Records Management specific settings in the RM configuration
package.
To configure Records Management:

1. In the Configuration Packages section of the navigation area, click RM.
The RM page opens.
Enabled
Option to enable or disable Records Management. Default is off.
Enterprise Library Services Application Name
Name of the application that runs on the Enterprise Library.
Enterprise Library Services Application Password
Password for the application.
Enterprise Library Services Folder Type
Enterprise Library Services folder type which is used to create the folder
structure in the Enterprise Library. The default is
com.opentext.tcp.folder.
Enterprise Library Services Host

Machine that hosts Enterprise Library Services
Enterprise Library Services Port
Port on which Enterprise Library Services listens. The default is 8080.
Enterprise Library Services User
Name of the Enterprise Library Services user. The default is Admin.
Enterprise Library Services User Password
Password of the Enterprise Library Services user stated above.
RMAdmin Password
Password of the Records Management administrator.
Records Management Job Batch Size
Maximum fetch limit for a query job which searches for Records
Management specific things.
3. Click Save.

27.11 Changing password for TCP Context Server

with a command line tool.
To change the password of the Admin user:

1. Open a command prompt and change to the directory
/<Tomcat>/webapps/archive_config/WEB-INF/.
2. Enter the command java -jar cfgpwd.jar

A warning is displayed, that the passwords entered will be echoed in clear text
on the screen.
3. Enter the current password of the Admin user.
4. Enter the new password of the Admin user.
Note: The password must consist at least of 6 characters. Only ASCII
characters in the range of 32 – 126 (decimal) are allowed. Spaces in the
front and the end of the password are not allowed and will be removed.
A message confirms the successful changing of the password.

Part 4
Open Text User Management Server
administration
Part 4 Open Text User Management Server administration
This part describes the administration of User Management Server. There are
different types of administrators involved with User Management:
• ROOT administrators are responsible for the User Management system as a
whole.
• Organization administrators adapt the User Management to the needs of a
company, department or subdepartment. They have the right to manage their
own organization, but have no access to other organizations.
These groups have different administration tasks (see “Major administration tasks”
on page 177).
“Working with User Management” on page 253
This chapter explains the different administration tasks for the User
Management.
“Working with User Management Client” on page 241
This chapter describes the graphical user interface for the administration of the
User Management.
“Managing configuration parameters” on page 279
This chapter provides configuration parameters for external domains, Single
Sign-On, organizations, groups, and users.

Chapter 28
Working with User Management Client
This chapter introduces the window, structure and usage of User Management
Client.
Note: To run User Management Client with SSL, you have to install the correct
server certificate.
MMC User Management Client uses the Microsoft Management Console (MMC). MMC
offers a common environment for any number of administrative tools, which are
integrated as snap-ins into the MMC console. Thus, a unified interface is available to
the system administrator for all management tasks.
In User Management Client, the organization structure is defined along with the
corresponding security settings.
28.1 Starting User Management Client

To start User Management Client via the Windows Start menu:
• Go to Start - Programs - Open Text - User Management Client.
User Management Client starts and the programm window opens. For details
on the programm window, see “Program window” on page 243.
28.1.1 Integration into Microsoft Management Console

If you prefer to work in the Microsoft Management Console (MMC), User
Management Client can be integrated as a snap-in.
To add User Management Client in the MMC:

1. Start the MMC via Start - Run, enter MMC, and click OK.
2. In the MMC menu, go to File - Add/Remove Snap-in.
3. Click Add.
A list of all available snap-ins is displayed.
4. Select Open Text User Management Client and click Add, and Close.
5. Click OK.
A new node appears in the MMC: Open Text User Management Client.
6. Save the MMC configuration via File - Save as, choose a directory and a file
name, and click Save.
MMC stores the configuration data in a file with the extension *.msc.

Chapter 28 Working with User Management Client
7. Start the configured MMC via double-click on the *.msc file, or add the *.msc
file to the Start menu.
28.1.2 Connecting to a second User Management Server

The primary User Management Server is defined during installation. If you have
different User Management Servers to manage, you can add the additional servers
as new system nodes.
To connect to a second User Management Server:

1. Right-click the User Management Client node, and select Add a system
node.
2. Enter the system name and the URL of User Management Server.

28.2 Program window
3. Enter a period for the Session TimeOut in milliseconds. Default is 30000.

4. Click URL Test to examine the connection to User Management Server.
5. If you want to filter automatically users, groups external users and external
groups with the start of User Management Client: Click Filter Settings and
enter a letter in the Filter field.
6. Click OK.
7. Click File - Save to save the configuration of this additional node.
To change these settings later, select the system node and go to Settings.
28.2 Program window

28.2.1 Window elements
Figure 28-1: Elements of the User Management Client window
The User Management Client program window consists of:
Left pane You see the hierarchical structure of the User Management.
Right pane The right pane shows the content of the structure object that is selected
in the left pane.

Menu bar In the Action menu, you find the commands relevant for the object that
is selected in the left or right pane. The same commands are available in
the shortcut menu. Use the Favorites menu to define and organize your
favorites.
Navigation This toolbar provides buttons to go back and forward, one level up, and
toolbar to show or hide the left pane.
Commands This toolbar provides buttons for some commands from the Action
toolbar menu, depending on the selected object.
Help button Click to start online help for User Management Client.
Filter toolbar This toolbar is available if you select the User or Groups nodes. For de-
tails on filters, see “Using filters” on page 248.
Note: Some GUI elements are part of the MMC. These are not described in this
documentation. For information on these elements, open the Help menu and
click Help Topics to open the MMC online help.
28.2.2 Objects of User Management

The objects of the User Management are shown as nodes in the left pane. Objects
that are used for authorization and access control are summarized as Principals.
Sym- Object Description

bol
User Management Cli- Node for the User Management snap-in
ent
User Management Node for the connected User Management Server
Server
Organization Node for the organization
Configuration In this node, the properties of the organization, of

external domains, and of SSO contexts are man-
aged.
Admins In this node, organization administrators are de-
clared. To do this, assign users, departments, roles
or groups.
Security groups This principal type is used only by TCP Service.
Here you can create security groups and then as-
sign users to these groups.
Users This principal type holds the internal users of an
organization which can be declared and edited. All
referenced external users are displayed here, too.
Groups This principal type holds the internal groups. All
external referenced groups are displayed, too.

28.3 Changing properties
Sym- Object Description

bol
Positions This principal type is only used by TCP Service. It
contains job titles within the organization, such as
salesperson, trainee or technician.
Roles This principal type is only used by TCP Service.
Roles might include team leader, project leader or
deputy team leader.
Departments This principal type is only used by TCP Service. It
contains organization departments such as Sales,
Development, Purchasing or Production.
Projects This principal type is only used by TCP Service.
Projects are objects that can be entrusted to particu-
lar users in the organization, such as new product
development.
Hierarchy In this node, the defined principals are combined
in relations. Here, users are assigned to groups.
External users and groups can be included. For
TCP Service, you build the department and project
structures here.
External Domains In this node, you can define access to external user
management systems such as Active Directory or
LDAP.
28.2.3 Working with the context menu

The context menu plays an important role in the operation of User Management
Client since it contains a lot of important functions. For further information, see the
different sections of this guide.
28.3 Changing properties

Note: The properties of referenced users and groups are managed in the
external User Management. Therefore you cannot change them in User
Management Client.
To change the properties of a principal:

1. Select the principal in the right pane.
2. Right-click and select Properties from the context menu.
The properties dialog opens.
There are three kinds of properties:

Changeable properties These properties can be changed

at any time.
for example Language
Unchangeable proper- These properties cannot be
ties changed after the creation. The
for exampledomain property is displayed in gray
letters.
Mandatory properties These properties must be de-
fined, otherwise you cannot save
for example mail the changes. The property is dis-
played with yellow background.
3. Change the properties. A list of all properties and their meaning is available in
“Managing configuration parameters” on page 279.
4. Click OK.
28.4 Adding additional and multi-value properties

Not all properties are available by default. You can add properties to a principal, for
example, if
• you are using dynamic properties in TCP Service, or
• you want to prevent the restart of the application in TCP. Add the
invalidationPeriodMinutes property for the user
BizEffectiveUser_default.
To add properties:
1. Select the principal, for example a group.

28.4 Adding additional and multi-value properties
3. Click Add.
A new row is added in the properties table.
4. Enter the name, value and type of the new property.
For users, groups and configuration, you can add multi-value properties. Select
a *Multi property type and add a second row with the same property name
and the same property type.
5. Click OK.

28.5 Deleting properties

You can delete additional properties.
1. Select the principal, for example a user.
3. Select the properties you want to delete.
4. Click Delete Selection.

5. Click OK.
28.6 Using filters

To increase the clarity of User Management Client, you can filter the names and
display names for users, groups and members of a group. You can filter by the
initial letter, a prefix, or a letter or pattern that is contained in the name.
To use a filter:
Normally, the filter applies to the display name.
1. Click Filter by Name/Logon to filter the Name or Logon column.
2. Select one of the filter methods as described below.
To filter by initial letter:

1. Select the Users or Groups node or a specific group in the Hierarchy node.
2. Click the letter in the toolbar.
Only the users or groups starting with the chosen letter are displayed.
To filter by prefix:
You can define your own start search pattern for the filter function.

28.7 Reference
2. Click Define your own filter .

The Prefix dialog box opens
3. Enter the pattern and click OK.

Only the users or groups starting with the given characters are displayed.
To filter by letter or pattern within the name:

You can filter for a letter or character combination within the user or group name.
2. Click Content Search .
3. Click a letter in the toolbar, or click Define your own filter and define a
search pattern, for example adm.
All users with the search pattern adm are displayed:
For example admin, euradm, emeadm, ixosadm.
28.7 Reference
Commands The following table provides an overview of all available commands.
Item Available for Description

Info Client Delivers the version information for User
Management Client.
Add a system node Client Connects a new User Management Server
for administration.
Settings Server Displays the settings for the connection to
the selected User Management Server.
New Organization Server “Adding organizations” on page 255


User Logon Server Opens the logon dialog box for the se-
lected User Management Server.
Properties Left pane: Shows the properties of the selected user
Organization management element.
Right pane:
Configuration
Security groups
Users
Groups
Positions
Roles
Department
Projects
Add an external Do- Organization “Adding an external User Management
main External Do- system” on page 256, such as LDAP or a
mains Windows domain.
New configuration Configuration Adds a new SSO configuration to work
with access tokens from an external SSO
solution. A proper Checker Module is
required for these new token types.
New Security Security group Adds a new security group.
Add User Security group “Assigning users to security groups” on
page 270
New User Users “Adding new users” on page 265
New enabled User Users Creates a new user and sets the password
(the user cannot change it).
Reset Password Right pane: “Changing/resetting user password” on
Users page 266
Member of Right pane: Shows the groups where the selected user
Users or group is included. If you have selected
Groups a role, the assigned users are listed.
Roles
Certificate Right pane: “Adding a certificate user” on page 265
Users
Promote to Signing Right pane: “Enabling eSign for administrators and
Admin Users users” on page 268
Promote to Signing Right pane: “Enabling eSign for administrators and
User Users users” on page 268
New Group Groups “Adding new groups” on
page 266(internal groups)
New Position Positions Adds a new position.

28.7 Reference

New Role Roles Adds a new role.
New Department Departments Adds a new department.
New Project Projects Adds a new project.
Delete Right pane: Deletes the selected user management
Organization element.
Configuration
Security groups
Users
Groups
Positions
Roles
Departments
Projects
Refresh Right pane: Connects to User Management Server and
Organization updates the user management elements
Configuration from the database.
Security groups
Users
Groups
Positions
Roles
Departments
Projects
Help all elements Opens the online help for User Manage-
ment Client.

Chapter 29
Working with User Management
This chapter describes the usage of the User Management.
29.1 User management concept

Before you start your practical user administration work, read about the basic
concept and terms in section 1.5 "User and organizational model " in Open Text
Transactional Content Processing - System Overview Guide (TCP100001-GGD).
If you have already implemented a User Management based on an LDAP directory
server or Active Directory, you can connect this system as an external domain to
Open Text User Management. For details, see “Adding an external User
Management system” on page 256).
User Management supports Single Sign On (SSO) within the OpenText products by
default. For details, see “Configuring the SSO checkers” on page 257). SSO with SAP
products can be added as a project solution.
You can create internal users/groups or reference external users/groups from an
external User Management system. Internal users are part of the _internal domain.
Internal and referenced external users are automatically members of the Everyone
group. But this only allows the user admission to Open Text User Management. The
access to documents and data objects is managed in different ways:
• Static access control via ACLs, managed in TCP Modeler. For details, see Open
Text TCP Modeler - Customization Guide (TCP100001-CGD).
• Dynamic access control in Open Text TCP applications.
• Assignment to grantee groups for administration and customization. For details,
see “Standard groups and users” on page 345.
• Application user for a defined logical archive.
29.2 Administration levels

There are three types of administrators that use User Management Client. According
to the special job description of the tasks, there may be overlap among the different
types.
ROOT administrator
The ROOT administrator of Open Text User Management is responsible for the
configuration and the administration of User Management Server.

Chapter 29 Working with User Management
The tasks of the ROOT administrator are:

• Adding external user management systems (domains)
• Defining organization administrators
• Adding new SSO checkers
• Database tasks
• Auditing User Management Server
The ROOT administrator has the right to administer all organizations.
Organization administrators
For each organization, organization administrators are defined. Each
organization administrator can only manage their own organization, they have
no rights for other organizations.
The tasks of the organization administrator are:
• Adding external user management systems (domains)
• Adding new SSO checkers
• Adding and referencing new users and groups
• Configuring the organization
• Assigning users to groups
Enterprise Process Services administrators
In addition to the organization administration, the administrator for Enterprise
Process Serviceshas to configure the principals that are workflow relevant.
The tasks of the Enterprise Process Services administrator are:
• Adding new positions, roles, departments and projects
• Defining the hierarchy of departments and projects
A User Management Server organization administrator account is required to
perform these tasks.
29.3 Managing the system

The ROOT area is used to administrate User Management as a whole.
If you start User Management Client for the first time, you can find in the ROOT
area:
• The Admin user that is used for the initial configuration, and
• the Everyone group where every user you add to the organization is a member
by default.

Naming recommendations for organizations, domains, and departments

• Use short, clear and descriptive names to avoid typos.
• Use the names that you really have in your organization. For example, the
company's department “Engineering” is represented in User Management Server
as department with the same name.
• Do not use the same name for different types of objects, like an organization and
a domain.
• Do not use blanks and special characters.
• Do not rely on lowercase and uppercase characters as the only difference
between names. Some systems, like Windows, use case insensitive domain
names. Choose lowercase domain names.
29.3.1 Defining the ROOT administrators

As the first task, add one or more root-level administrators from an external User
Management.
Note: The password for the Admin default user is delivered by OpenText.
OpenText recommends assigning external users or groups to the Admins node.
So the administrators can use their own domain logon and you do not have to
distribute the password of the Admin standard user.
To define the ROOT administrators:

1. Open User Management Client and log on as the Admin user in the ROOT area
with the _internal domain.
2. Add an external domain. For details, see “Adding an external User Management
system” on page 256.
3. Assign external users or groups to the Admins node of the ROOT area. For
details, see “Assigning users or groups to other groups” on page 267.
4. Disable the Admin default user. For details, see “Disabling obsolete users or
groups” on page 268.
29.3.2 Adding organizations

Note: Adding organizations is not relevant for the current version. It is only
available due to compatibility reasons.
You define the name of the default organization during installation.
To add organizations:
1. Log on as ROOT administrator.

2. Select the <Server> node , right-click and select New Organization from the
context menu.
The New Organization dialog opens.
3. Enter the organization name considering “Naming recommendations for
organizations, domains, and departments” on page 255 and click OK.
The new organization is displayed in the tree structure.
4. Define administrators for this new organization:
a. Add new users. For details, see “Adding new users” on page 265.
b. Assign these users to the Admin node of the new organization. For details,
see “To assign users to a group:” on page 267.
Note: You can also reference users from an external domain. For details,
see “Adding an external User Management system” on page 256).
5. Define the properties of the organization. For details, see “Defining the
organization settings” on page 263
29.3.3 Adding an external User Management system

You can add external domains such as Windows Active Directory domains, Livelink
servers or LDAP directory servers to Open Text User Management.
To add an external User Management system:

1. Select the External Domains node of your organization, right-click and select
Add an external domain from the context menu.
The Add an external domain dialog opens.
2. Enter the name of the domain. Consider “Naming recommendations for
organizations, domains, and departments” on page 255.
3. Click OK.
The domain appears with domain users and groups in the External Domains
node.
4. To define the properties of the external domain, select the Configuration node
of your organization.
5. Select the external domain in the right pane, right-click and select Properties
from the context menu.
The Properties dialog box opens.
6. Define the configuration parameters according to the type of your external
domain:
a. To define the domain type, change the NamingModule value and click OK.
Domain type NamingModule value
Livelink user manage- ixos.sec.xnaming.modules.LLNamingModule

ment

Domain type NamingModule value
LDAP, Active Directory ixos.sec.xnaming.modules.FastLDAPNamingModule
b. Go to Properties again. The properties list should now contain also the
specific properties for your domain type.
c. Change the configuration properties for your domain type. The properties
list can have several pages, use the Browse button and scroll to navigate.
• See “Configuring a domain for Livelink ECM – Enterprise Server user
management” on page 279.
• See “Configuring a domain for LDAP directory server” on page 280.
7. Click OK.
8. Now you can reference groups and users to the internal User Management. For
details, see “Referencing groups and users from an external domain” on
page 263. Log on as one of the referenced users, right-click User Management
Server and select User Logon.
29.3.4 Displaying the members of external groups

To view the members of external groups:
• Select the external domain of which you want to view the members.
The users and groups which are members of the external domain are displayed
in the right pane of the window.
29.3.5 Displaying the URLs and status of cluster nodes

To view the URL and status of cluster nodes:
• Select Cluster Nodes in the left pane.
The nodes in the cluster are displayed in the right pane of the window with
their URL and status.
29.3.6 Configuring the SSO checkers

To prevent that the user must log on every time when he connects to a new
application, configure SSO.
Note: For all access token types, a Checker Module must be configured in the
ROOT area as well as the particular organization for which this kind of SSO
will be available. Both configurations must reference the same AccessToken
type and Checker Module.

There are four SSO scenarios:

Internal access token
The checker module for the handling of internal access tokens
SessionIdCheckerModule is automatically created during installation. By
default, it is set to the following values: The session becomes invalid after 30
minutes of inactivity or after 24 hours.
Tip: To prevent issues in session management, you should reconcile the
values for the session management of TCP Application Server. In any case,
TCP Application Server session must last longer than the user management
session. In the standardjboss.xml file, set the max-bean-age value to a
similar length, for example 7300 seconds, so that the bean lives only a little
longer than the user management session. With this method, a invalid
session does not waste memory.
<max-bean-age>7300</max-bean-age>
<max-bean-life>3600</max-bean-life>
The user gets an access token when he or she logs in to the first OpenText
application. All other OpenText applications accept this access token. Therefore,
no additional logon is necessary during this session.
Note: For users whose access tokens must not time out (such as
BizEffectiveUser_default and FulltextUser), set the invalidation
period as user attribute for that user. Define the property
invalidationPeriodMinutes and enter the value in minutes (see
“Managing parameters for users” on page 288).
Use this mechanism with caution, as the session store can grow without
limits if used incorrectly.
SSO with SAP NetWeaver Portal
If you want to use encrypted cookies from the SAP NetWeaver Portal, add and
configure the SAPSSOCheckerModule.
The user name at the portal is stored in a cookie. User Management Server can
decrypt and check this cookie in order to get the user name. If the user name is
recognized by User Management as an internal or external user, the user gets an
access token.
The user name storing the certificate must be identical with the SAP workplace
name.
Create a certificate user for this scenario. For details, see “Adding a certificate
user” on page 265).
SSO with signed URL
If you want to handle signed URLs specified by the ArchiveLink protocol,
configure the SignedURLChecherModule.
The name of the certificate user must be the same as the name of the user who
signs the URL (the authID).
To get the certificate, send it via putcert from the leading application to TCP
Context Server. This can be managed by the Import Certificate Wizard, see
“Protecting the client connection” on page 188.

SSO for signed users

If you want to handle signed URLs containing user information, configure the
SignedUserCheckerModule.
The checker module checks the format of the URL and the signature from the
leading application. If both are valid and the URL is not expired, the module
checks the unlimitedCertificate property on the user specified in the authID.
If this property is set to true, all users specified in the user parameter are
accepted without further check. If this property is set to false (recommended),
the limitedCertificateUserIds properties of the user specified in the authID
are evaluated. Only if the user specified in the user parameter of the URL is
specified in this property, the access is granted.
Create a certificate user for this scenario, that is assign a certificate to a special
user (see “Adding a certificate user” on page 265). The name of the certificate
user must be the same as the name of the user who signs the URL (the authID).
For SAP applications, you may also send a certificate via putcert to TCP
Context Server. This can be managed by the Import Certificate Wizard, see
“Protecting the client connection” on page 188.
In both cases, you must configure the user certificate after it has been assigned to
the certificate user. For details, see “Configuring the certificate user” on
page 266).
To enable SSO:
1. Select the Configuration node for your organization, right-click and select
New configuration from the context menu.
The New configuration dialog opens.
Note: The SessionIdCheckerModule has already been created with the
organization. Select this module and choose Properties to edit this module.
2. Enter the required parameters for the SSO module. The parameters depend on
the scenario:
• See “Configuring checker context for internal session ID token” on page 285
• See “Configuring checker context for SSO with SAP Enterprise Portal” on
page 285
• See “Configuring checker context for signed URL” on page 285
• See “Configuring checker context for signed user” on page 286
3. Click OK.

29.3.7 Configuring caching

You can configure system cache, domain synchronization and cluster node
synchronization.
To configure the system cache:

The User Management Server system cache minimizes the database requests and
User Management Server internal processing. Principal information such as user
name and user ID are cached.
1. Select the ROOT area , right-click and select Properties from the context
menu.
The Properties dialog opens.
2. Add the following properties:
PrincipalCacheS Defines the cache size for the principals. Size per entry: 3
ize kB
Default value: 500 entries.
For performance reasons, do not set to 0.
The recommended size is: number of

active users and groups + 20%
GetAllCacheSize Defines the cache size for the GetAll Size per entry: 10-
calls. 100 kB
NameIdCacheSize Defines the cache size for the name IDs. Size per entry: 100
Bytes
3. Click OK.
To configure domain synchronization:

Data of external domains is synchronized regularly into User Management Server.
You can either specify the interval or concrete synch-times.
menu.
The Propertiesdialog opens.
2. Add one of the following properties:
SynchTimes
Defines the exact times of synchronization for the given domain. This
mechanism overrides the CacheTimeMinutes setting.
You can precisely schedule the domain-synchronization with external
directories. You must create a configuration value with the key SynchTimes

in the ROOT clientele. The value contains the times for the domain
synchronization, each entry separated by a semicolon ;.
Example 29-1: SynchTimes

The following value causes synchronization to start at 6 am, 1:15 pm and 7
pm:
0600;1315;1900
After a restart of User Management Server an immediate synchronization
will be carried out.
The logfile shows a corresponding entry at startup:
INF 4047 2007-10-25 11:20:41,218 [Thread-1]
ixos.sec.um.types.DomainSynchronizer.DomainSynchronize
r() - domainSynch explicit synchTimes: 0600;1315;1900
CacheTimeMinutes
Defines how frequently all external domains are synchronized.
Default value: 60 minutes.
Do not schedule domain synchronization to frequently as it causes some
load on the external system, and also blocks User Management Server
3. Click OK.
To configure cluster node synchronization:

In a clustered User Management Server deployment, changes to data must be
synchronized regularly.
menu.
2. Add the following property:
ChangeLog Defines how often the cluster nodes are
RefreshSeconds synchronized.
Default value: 30 seconds.
Changes on one User Management
Server may take as long as the above
value to become visible on other nodes.
3. Click OK.

29.3.8 Configuring session management

User sessions from all organizations are kept in a size configurable cache in memory
and are stored in the database. The size of the cache and the db-cleanup-period
can be configured, through configuration parameters of the ROOT clientele.
SessionCacheSiz Defines the cache size for sessions.

e Default value: 10000 entries.
For performance reasons, do not set to
0.
The recommended size is: number of
active users + 100%.
SessionStoreCle Defines specific times to perform the
anupTimes cleanup of the db-session store.
Per default, the cleanup is done every
12 hours, starting at system-start.
The format of the entries is:
0200;0615;1200;1830.
29.3.9 Configuring auditing

You can configure auditing using the ums_config application.
To configure auditing:
1. Open the User Management Server configuration in a browser window by
entering http://<User Management Server>:<port>/ums_config in the
address bar.
2. In the log on window, enter user logon, password and domain. Use the Admin
logon for administration tasks. User Management Server administration opens.
3. Click UMS.
4. Choose an audit level.
Audit level Meaning
NOAUDIT No actions are logged.
ADMIN Only actions of the administrator are
logged.
MODIFY Modifying actions of all users are logged
(default).
LOGIN Modifying actions including logon of all
users are logged.
READ All actions including read actions are
logged.

29.4 Managing the organization
5. Enter the audit log size in MB. The default is 5 MB. When the audit log file has
reached the defined size a new file is created. The audit log files are saved as
umsaudit.log in the \webapps\ums\WEB-INF\log directory.

The following tasks are relevant for each organization, regardless in which
environment it is used.
29.4.1 Defining the organization settings

To define the organization settings:
1. Select your organization , right-click and select Properties from the context
menu.
2. Define the default properties. For details, see “Managing parameters for
organizations” on page 287).
3. Add new properties if needed. To do so, click Add and enter property, value
and type.
4. Click OK.
29.4.2 Referencing groups and users from an external domain

If an external user logs on to TCP, he is automatically referenced in the domain of
the User Management that was created for the external system and becomes a
member of the Everyone group. The user can access the system, but cannot read or
write any records unless the Everyone group is referenced in some ACL.
Tip: You can deactivate automatic-referencing.
If the external user or group requires additional rights, you must assign it manually
to other groups.
To reference external groups:

Most users obtain permission via membership in the group of an external User
Management.
1. Select the external User Management in the External Domains node .
The members of the external group are displayed in the right pane.
2. In the Groups subnode , select the group you want to reference.
3. Drag and drop the selected group on the Groups node .
The group is now referenced. You are asked if you want to reference the users of
the referenced group as well.
Note: Referencing users is only recommended for TCP Context Server.

4. To reference the users, click Yes.

The users are referenced and their external membership with the referenced
group is shown.
Note: This does not automatically reference external users, which are
added to the external group in the external user directory later.
5. Now you can assign the referenced group to other groups. For details, see
“Assigning users or groups to other groups” on page 267).
To reference external users:

Only in special cases single external users are referenced from an external domain.
1. Select the external user management system in the External Domains node .
2. In the Users subnode , select the users you want to reference.
Tip: To select more than one user, select a single user, and then hold down
the CTRL key while you click other users that you want to select.
3. Drag and drop the selected users on the Users node.
The users are referenced and automatically assigned to the Everyone group.
4. Now you can assign the referenced user(s) to other groups. For details, see
“Assigning users or groups to other groups” on page 267).

29.4.3 Adding new users

In the Users node, all internal and referenced external users are displayed. Here,
you can define user properties, add a certificate user, or enable or disable a user.
In general, you should rather use the users and groups from existing external
directories than create new accounts in the _internal domain.
To add new users:

1. Select the Users node for your organization, right-click and select New User
from the context menu.
The New User dialog opens.
2. Define the properties of the new user:
a. Enter a logon, a display name, a description and an e-mail adress for the
new user.
b. Enter the additional default properties of the new user. For details, see
“Managing parameters for users” on page 288.
c. Add new properties if needed. For details, see “Adding additional and
multi-value properties” on page 246.
3. Click OK.
The new user is displayed in the Users node. The new user must change his
password at his first logon to enable his account.
Tip: If you want to enable the user without changing the password at first
logon, use Add enabled user. The same dialog box opens.
29.4.4 Adding a certificate user

If you are using SSO with SAP NetWeaver Portal or signed users (see “Configuring
the SSO checkers” on page 257), you must create a certificate user.
To add a certificate user:

1. In the Users node , select the BizEffectiveUser_<application> user (see
“Standard groups and users” on page 345), or any other user who may sign
URLs and for whom certificates must be evaluated (for example from a leading
application), right-click and select Certificate from the context menu.
The Certificate dialog opens.
2. Select the PEM file. The PEM file is delivered by the leading application.
Tip: If you use Microsoft Sharepoint as leading application, the certificate
must have the .cer format.
3. Click OK.
In the next step you can configure the user certificate.

29.4.5 Configuring the certificate user

After you have assigned a certificate to a user, some new properties are added to
that user.
Property Description
userCertificateBinary Identifier of the actual certificate
unlimitedCertificate Identifier if certificate owner can sign
unlimited user access tokens
The default is FALSE.
limitedCertificateUserIds Identifier for which user the certificate
owner can sign user access tokens
The unlimitedCertificate parameter determines whether all users specified in

the user parameter of the URL are accepted by the SSO checker module without
further check. If this property is set to false (default), only the users specified in the
limitedCertificateUserIds property of the certificate user are granted access.
29.4.6 Changing/resetting user password

To change/reset the user password:
1. Select the user in the Users node of his or her organization, right-click and
select Reset password from the context menu.
The Reset password dialog opens.
2. Enter the temporary new password twice and click OK.
Note: The user must change this new password at first logon because of
security reasons.
Tip: OpenText recommends changing the default password of the ROOT
administrator.
29.4.7 Adding new groups

In the Groups node, all internal and referenced external groups are displayed. Here,
you can add new internal groups and define the properties for internal groups. This
node is the target for referenced external groups.
To add new groups:

1. Select the Groups node for your organization, right-click and select New
Group from the context menu.
The New Group dialog opens.
2. Define the properties of the new group:

a. Enter the additional default properties of the new user. For details, see
“Managing parameters for groups” on page 290.
b. Add new properties if needed. For details, see “Adding additional and
multi-value properties” on page 246.
3. Click OK.
The new group is displayed in the Groups node.
29.4.8 Assigning users or groups to other groups

In the Groups subnode of the Hierarchy node you define the assignment of users
and groups for TCP Context Server. Internal and referenced groups are already
displayed in this subnode.
Note: The DMS customizer must decide which groups should be added.
To assign users to a group:

1. Open the Groups subnode of the Hierarchy node .
2. Select the user you want to assign in the Users node .
3. Drag the selected user to the group in the Groups subnode of the Hierarchy
node .
The user is assigned to the group.

To assign a group to a group:

1. Open the Groups subnode of the Hierarchy node .
2. Select the group you want to assign in the Groups node .
3. Drag the selected group to the respective group in the Groups subnode of the
Hierarchy node .
The group is assigned to the group.
Note: You can create groups' hierarchies with any number of levels but only
two hierarchical levels are displayed, not a tree. If a group has more than one
sublevel, you must select the subgroup on the upper level in order to see its
subgroup.
29.4.9 Disabling obsolete users or groups

To disabling obsolete users or groups:
1. Select the user in the Users node of the respective organization, right-click
and select Properties from the context menu.
2. Set the State property to Disabled.
3. Click OK.
Notes:
• When a user or a group is disabled, he becomes invisible in the User
Management, for example in the Admin node or in a position.
• The disabling of the user does not affect the validity of an already granted
access token. The access token becomes invalid after the invalidation period
ends.
29.4.10 Enabling eSign for administrators and users

To add users to the group of signing administrators, you must log on as UMS
system administrator, and you must be a signing administrator.
Tip: As UMS system administrator you cannot add yourself to the group of
signing administrators.
To enable eSign for administrators and users:

• Select the user in the Users node of the respective organization, right-click
and select Promote to Signing Admin or Promote to Signing User from the
context menu.
The entry is checked in the context menu.
The user has the following new properties:

29.5 Managing Enterprise Process Services
eSignRole=signingAdmin
The user is a signing administrator, and can add other users to the group of
signing users.
eSignRole=signingUser
The user is a signing user.
29.4.11 Enabling the proxy mechanism

The proxy mechanism can give other users access to the documents of persons who
are out of the office.
To enable the proxy mechanism:

1. Select the user in the Users node of the respective organization, right-click
and select Properties from the context menu.
2. Set the allowProxy property to True.
3. In the proxyIds property, enter the IDs of the users allowed to take the proxy
role for the person who is out of office.
You can also add the IDs of groups here. That will allow all members of the
group to take the proxy role.
You can add more than one proxyIds property. Select String-multi as Property
type. For details, see “Adding additional and multi-value properties” on
page 246.
4. Click OK.

29.5.1 Adding new principals
To define and run business workflows for Enterprise Process Services you must
define additional principals for your organization.
Symbol Principal Description

Security groups Security groups are needed for the administration of
Enterprise Process Services.
Positions Job titles within the organization, such as sales person,
trainee or technician.
Roles Roles within the organization, such as project leader.
Departments Organization departments such as sales.

Symbol Principal Description

Projects Projects are subjects that can be entrusted to particular
users in the organization, such as new product devel-
opment.
Tip: In the following procedure, replace the <principal> variable with the
principal you want to add, for example Role.
To add new principals:

1. Open your organization and select the <principal> node, right-click and select
New <principal> from the context menu.
The New <principal> dialog opens.
2. Enter the name of the principal and a comment.
3. Click OK.
The new principal is displayed in the principals folder.
29.5.2 Assigning users to security groups

To assign users to security groups:
1. Select a security group, right-click and select Add user from the context menu.
The Add user dialog opens.
2. Select the users you want to assign to this security group.
Tip: To select more than one user, select a single user, and then hold down
the CTRL key while you click other users that you want to select.
3. Click OK.
The selected users are assigned to the security group.
29.5.3 Defining the hierarchical structure

In the Hierarchy node, you define the hierarchical structure of your organization:
• Assignment of positions to departments
• Assignment of users and roles to positions
• Assignment of positions to projects
29.5.3.1 Defining hierarchy structure of departments

In the Departments subnode, you define the permanent hierarchy structure of your
departments.
All departments you have added to the Departments node are already displayed in
the Hierarchy node, but not in hierarchical order.

To defining hierarchy structure of departments:

1. Define the hierarchical order of the departments by drag-and-drop.
Define positions and assign users to the positions:
a. Select the Positions node, right-click and select Add position from the
context menu.
The Add position dialog opens.
b. Select the position you want to assign in the Positions list.
c. If needed, select the users you want to assign to this position in the Users
(optional) list.
d. Click OK.
2. Drag a defined position to the superior position, and other positions to
Positions in Departments.
3. Repeat these steps until you have reproduced the structure of your
organization.
29.5.3.2 Defining the temporary structure of projects

In the Projects subnode, you can define the temporary structure of your projects.
Projects you have added to the Projects node are displayed in the Hierarchy node,
but not in hierarchical order.
To define the temporary structure of projects:

1. Define the hierarchical order of the projects by drag-and-drop.
Drag the positions from the Department subnode to a position or a superior in
the Projects subnode.

Note: Users are not assigned directly to projects but via positions. The
position source for projects is the Department subnode in the Hierarchy
tree. Only positions, and thus the assigned users, from there are accepted.
2. Repeat this step until you have reproduced your project structures.
29.6 Troubleshooting
If you have problems with the User Management, consult the Knowledge Center
User Management Server
(https://knowledge.opentext.com/knowledge/llisapi.dll/open/15446872). In
particular, the entry
https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15451041&
objAction=ArticleView&viewType=1 provides hints on troubleshooting,
configuration tests and information on logging.
To change the log level of the various User Management modules:

1. In a Web browser, enter the URL http://<User Management
Server>:<port>/ums/logadm.
2. Log on as administrator and confirm.

3. Select the logging components (use SHIFT and CTRL in the common Windows
way).
4. Select the new log level and click OK.
The log levels are changed dynamically, no restart is required.
The log files are named ums.log or ums.log.n (with n being a number) and are
located in the <tomcat>/webapps/ums/WEB-INF/log directory on User
Management Server.

Chapter 30
Re-configuring User Management Server
You configure User Management Server using the User Management Server
configuration Web GUI.
After the installation, User Management Server is basically configured. If you want
to change settings, use this configuration Web GUI.
with a command line tool, see “Changing password for User Management Server”
on page 278.
To start User Management Server configuration:

1. Open the User Management Server configuration in a browser window by
entering http://<User Management Server>:<port>/ums_config in the
address bar and log in as Admin.
The User Management Server configuration opens.
2. In the Configuration Packages section of the navigation area, click one of the
configuration packages:
• In the ROOT configuration package, you define configuration and logging
directories. For further information, see “Configuring configuration and
logging directories (ROOT)” on page 274.
• In the DBU configuration package, you configure database access. For
further information, see “Configuring the database access (DBU)” on
page 274.
• In the COMMON configuration package, you configure static logging. For
further information, see “Configuring static logging (COMMON)” on
page 276.
• In the UMS configuration package, you define the audit level and how User
Management Server can be accessed by other servers. For further
information, see “Defining UMS access information and audit settings
(UMS)” on page 277.
To change the password for User Management Server, see “Changing password for
User Management Server” on page 278.
Note: Apart from the different paths the Tomcat maintenance is identical for
User Management Server and TCP Context Server. Therefore, the Tomcat
maintenance section exists only in the “Context Server administration part ”

Chapter 30 Re-configuring User Management Server
(see “Maintaining the Apache Tomcat data sources” on page 225), but is also
referenced by the “User Management Server administration section.” part.
30.1 Configuring configuration and logging

directories (ROOT)
To configure ROOT settings:
1. In the Configuration Packages section of the navigation area, click ROOT.
The ROOT page opens with the fields Configuration Directory and Logging
Directory.
Configuration Directory
This directory contains the User Management Server configuration files.
Logging Directory
This directory contains the User Management Server log files.
3. Click Save.
30.2 Configuring the database access (DBU)

All User Management Server database parameters are configured during
installation. You can reconfigure them in the DBU configuration package.
Note: If you use an existing database, make sure that the following
prerequisites are met:
• The database fulfills the necessary requirements.
• The database is running.
Important
Consider that the Tomcat server must be restarted if the data source is
created new or is changed.
If the access to the database is configured via data source, this configuration
must be done manually for all User Management Servers in a clustered
environment.
To configure database settings:

1. In the Configuration Packages section of the navigation area, click DBU.
The DBU page opens.

30.2 Configuring the database access (DBU)
2. Configure at least one kind of database connectivity (primary, secondary or

tertiary). Consider that the definition on the highest level is used. Thus it is
recommended to configure only one kind of connectivity to avoid confusion.
Primary DB Connectivity – Datasource Name
Select the name of a data source. The data source must be both configured in:
<TOMCAT_HOME>/webapps/ums/META-INF/context.html
<TOMCAT_HOME>/webapps/ums_config/META-INF/context.html
For details, see “Maintaining the Apache Tomcat data sources” on page 225.
Secondary DB Connectivity – JDBC URL
JDBC URL of the database.
For example:
jdbc:oracle:thin:@//<database host>:<listener port>/<listener
global database name>
or
jdbc:sqlserver://<database host>:<TCP/IP network protocol
port>;databaseName=<name of database>
Tertiary DB Connectivity – Host Name

Host name of the database server.
Tertiary DB Connectivity – TCP/IP Port
TCP/IP network protocol port of the database server.
The default port is:
• Microsoft SQL Server: 1433
• Oracle listener: 1521
Tertiary DB Connectivity – Database Name
Name of the database, for example UMS.
Database User's Logon
User name for the database, for example ixums.
Database User's Password
Password of the database user.
Tablespace/File Group for Tables
Enter the tablespace/file group for tables, for example UMS_DATA.
Tablespace/File Group for Indexes
Enter the tablespace/file group for indexes, for example UMS_INDEX.

Drop Existing Tables
Caution
Handle this option with care. Only select Yes if you want to drop the
User Management Server database schema, in particular all database
tables. As a result, all kind of data and configurations stored before
will be deleted.
Create Initial Database Schema

The default is No. Select only Yes if you selected Yes for Drop Existing
Tables (see above) and if you want to create a database schema identical to
that of a newly installed User Management Server.
4. Click Save.

To configure log settings:
1. In the Configuration Packages section of the navigation area, click COMMON.
The COMMON page opens.
Log File Size (MB)
Maximum file size of the static log files, for example ixcommon.log and
ums.log.
The log files ares saved in the \webapps\ums\WEB-INF\log directory.

Log Files to Keep
Maximum number of log files to keep. If the maximum number is exceeded,
the oldest log file will be deleted.
Log Level
Default static log level for all components. Default log level is INFO.
3. Click Save.

30.4 Defining UMS access information and audit settings (UMS)
30.4 Defining UMS access information and audit set-

tings (UMS)
Important
Do not change the DMS clientele later as it is used by TCP Context Server to
connect to User Management Server. If you change it, you need to re-
configure TCP Context Server, too.
To configure UMS access information and audit settings:

1. In the Configuration Packages section of the navigation area, click UMS.
The UMS page opens.
UMS Connect URL
Enter the URL of User Management Server on this node, as seen from
outside. This URL is added to the list of connect URLs and is also written to
the *.WDSL files used by User Management Client.
Cluster Connect URLs
The list contains the valid connect URLs for all nodes of the User
Management Server cluster. Values entered in UMS Connect URL are added
to the list automatically.
Node Name
Enter the name of the UMS node. This name is used to distinguish nodes in
the changelog entries of the User Management Server database. Use a
distinct name, even if there only is one node.
DMS Clientele
Name of the clientele used by TCP Context Server. Do not change the entry
after TCP Context Server has been configured.
Audit Level
Enter the level of auditing. Default is MODIFY. For more information, see
“Configuring auditing” on page 262.
Audit Log Size (MB)
Enter the size of the audit log. Default is 5 MB. When the audit log file has
reached the defined size a new file is created. For more information, see
“Configuring auditing” on page 262.
3. Click Save.

30.5 Changing password for User Management

Server
with a command line tool.
To change the password of the Admin user:

1. Open a command prompt and change to the directory
<Tomcat>\webapps\ums_config\WEB-INF\.
2. Enter the command java -jar cfgpwd.jar

A warning is displayed, that the passwords entered will be echoed in clear text
on the screen.
3. Enter the current password of the Admin user.
4. Enter the new password of the Admin user.
Note: The password must consist at least of 6 characters. Only ASCII
characters in the range of 32 - 126 (decimal) are allowed. Spaces in the front
and the end of the password are not allowed and will be removed.
A message confirms the successful changing of the password.

Chapter 31
Managing configuration parameters
31.1 Managing parameters for external domains

These general configuration parameters are available for all domain types:
• _name (Domain name, read-only)
Name of the domain as configured during creation (for example, during domain
configuration for an LDAP directory server, see “Configuring a domain for
LDAP directory server” on page 280). You cannot change the domain name.
• NamingModule
Class name for the naming module for this domain. This parameter defines what
kind of external system is connected.
The default is !ConfigureMe! after creation of the domain.
Change it to ixos.sec.xnaming.modules.FastLDAPNamingModule for
LDAP/ActiveDirectory.
Change it to ixos.sec.xnaming.modules.LLNamingModule.java for Livelink
ECM – Enterprise Server.
• OSNamingModule.CaseInSensitive
To achieve a case insensitive behavior for the users of an external domain in User
Management Server, go to the configuration of the relevant domain and set this
parameter to true (or any other value except false). By default, case sensitivity
is enabled. The setting is activated by bouncing User Management Server.
31.1.1 Configuring a domain for Livelink ECM – Enterprise

Server user management
To connect the user management system of a Livelink ECM – Enterprise Server as
an external domain to an User Management Server, you need a jar file and account
information for a Livelink ECM – Enterprise Server user from the Livelink ECM –
Enterprise Server. The jar file lapi.jar is part of the LAPI component of Livelink
ECM – Enterprise Server which might have to be installed on the Livelink ECM –
Enterprise Server first.
To configure a domain for Livelink ECM – Enterprise Server user

management:
1. Get the lapi.jar file from your Livelink server (default path:
...OPENTEXT/application/WEB-INF/lib/lapi.jar) and copy it to the
<tomcat>/webapps/ums/WEB-INF/lib directory.

Chapter 31 Managing configuration parameters
2. Restart the tomcat.

3. Create and configure the domain in User Management Server. For details, see
How to configure a LiveLink domain at
31.1.2 Configuring a domain for LDAP directory server

For this configuration, you need profound knowledge of LDAP.
To configure a domain for LDAP directory server in User Management Server, see
How to configure a LDAP domain at
To test and for troubleshooting, set the log level of all ixos.sec.* modules to
DEBUG. For details, see “Troubleshooting” on page 272.
31.1.3 Configuring a LDIF enrichment provider to extend

attributes
User Management Server supports the concept of attribute enrichment to extend the
set of attributes of existing User Management Server principals with data from
additional external sources (enrichment provider). You can use the attribute
enrichment with the following User Management Server principal types: User,
Group, Department, Role, Position and PositionInDepartment.
A JAVA interface for enrichment providers was defined (see “Implementation” on
page 282) and User Management Server was extended to read data from this
interface to add the retrieved attributes to existing User Management Server
principals.
You can configure one enrichment provider per User Management Server domain
on the domain level, and for any User Management Server domain. Use the
EnrichmentProviderModule attribute to configure the full class name of the
enrichment provider implementation.
The enrichment provider implementation is called during the regular domain
synchronization to retrieve the data from additional external sources. User
Management Server updates this new data then to all affected principals.
The implementation must provide a per-principal-type configuration to User
Management Server, detailing the mapping between unique attributes in User
Management Server and corresponding attributes in the enrichment provider data
set.
Functionality
• The enricher is part of User Management Server.
• The enrichment provider instances are controlled by the enricher.

• The enrichment provider instances access the external sources of enrichment

data (for example SAP) and prepare the required subset of that data.
• The enricher regularly retrieves that enrichment data from the enrichment
provider instances and adds it to the User Management Server data store.
Examples for LDIF attributes

• LDIFEnrichment.ixUser.fileName: Defines the location and the name of the
LDIF file for users, for example d:/data/users.ldif.
• LDIFEnrichment.ixUser.umsIdAttr: Defines the user attribute of the external
domain, for example _name.
• LDIFEnrichment.ixUser.enrichmentIdAttr: Defines the user enrichment
attribute of the external domain, for example dn.
• LDIFEnrichment.ixUser.costcenter: Defines the cost center, for example
SAP_costcenter.
• LDIFEnrichment.ixUser.personalnr: Defines the personal number, for example

pers_number.

• LDIFEnrichment.ixGroup.fileName: Defines the location and the name of the

LDIF file for groups, for example d:/data/groups.ldif.
• LDIFEnrichment.ixGroup.umsIdAttr: Defines the group attribute of the external
domain, for example _name.
• LDIFEnrichment.ixUGroup.enrichmentIdAttr: Defines the group enrichment
attribute of the external domain, for example dn.
Implementation To implement an enrichment provider you must use the Java interface
ixos.sec.enrichtment.EnrichmentProvider in the jsec.jar. Below you see an
example for a javadoc of the enrichment provider interface.
/**
* Service provider interface for enriching existing UMS principals
(e.g. users or groups, _internal or external)
* with attributes from a separate, external source (such as SAP).
* One such provider instance can be configured per UMS domain and
must be configured in the domain.
*
* The providers deliver additional, "enriching" attributes for (a
subset of) the principals in the domain.
* Conflicts with existing attributes will be resolved decisively:
enrichment wins.
* Standard attributes such as the name or email cannot be enriched.
*
* Each provider must have a default constructor without parameters.
*
* The provider instances will be called regularly, during the regular
domain-synchronization,
* which now includes the _internal domains.
* - prepareRefreshOfProviderCache() will be called first.
* Here, the provider should do all the actual work in the
background.
* - refreshProviderCache() will be called afterwards, to make the new
data-set visible.
*
* The external source of enrichment data often has a DIFFERENT unique
attribute for object-identification
* than the UMS.
* To match the data from the enrichment source with the UMS data, a
mapping is required.
* The id of the unique UMS attribute (not necessarily the _name) must
be specified by each instance, per type.
*
* The providers return the actual data as map: uniqueName =>
MultiMap.
* The uniqueName values will be matched with the values from the
configured UMS attribute
*/
public interface EnrichmentProvider
{

/**
* Specifies the UMS-side of the id-matching, MUST exist per
configured type
* and will be returned by the getPerTypeSettings() call.
*/
public final static String UMS_ID_ATTR =
"EnrichmentProvider.umsIdAttr";
/**
* Initialize the provider with its specific configuration data,
such as connection settings.
* This configuration data is read from configure of the UMS
domain and the full domain configuration is passed.
* This will be called at system startup and after any change to
the configuration.
*/
void init( Map<String, String> config ) throws ProviderException;
/**
* This method will be called regularly and executed in the
background, so that the provider can prepare/refresh
* an internal cache of enrichment data. Additional calls to
getAllPrincipals() might arrive during this call
*/
void prepareRefreshOfProviderCache() throws ProviderException;
/**
* This method will be called to make visible the cached
enrichment data.
* The UMS server does not respond during this call, so this
should just quickly update some references.
*/
void refreshProviderCache() throws ProviderException;
/**
* Get a map of configuration settings, where the keys are the
types of UMS principals,
* which this instance provides enrichment data for.
* Keys are from the ixos.sec.util.Constants.TYPE_ values.
* Supported are user, group, department, position,
positionindepartment, role.
* The Map per type contains settings such as the UMS_ID_ATTR.
*/
Map<String, Map<String, String>> getPerTypeSettings();
/**
* Get the enrichment data of all those principals of the given
type, for which enrichment data is available.
* This will be called by the UMS to add the enrichment data to
the UMS principals.

* The data is returned as map of id=>MultiMap, with the id being

the unique value to be compared
* with the UMS_ID_ATTR values of the UMS principals. All keys and
values of the MultiMap must be Strings.
*/
Map<String, MultiMap> getAllPrincipals( String principalType )
throws ProviderException;
31.1.4 Configuring CAP/UMS integration

What is CAP ? The Common Authentication Protocol (CAP) enables the integration of Open Text
Runtime and Core Services and other applications like Open Text User Management
Server. Applications authenticate users through this protocol. A user’s logon
credentials are sent to the Runtime and Core Services server by the application.
Runtime and Core Services authenticates the user by means of the appropriate
network mechanism - for example, NT Lan Manager (NTLM). If the authentication
is successful, the Runtime and Core Services server returns a token to the
application that the user is logging on to.
The CAP integration enables User Management Server-based applications to access
CAP-based applications. This requires a CAP token on CAP-based applications and
an access token on User Management Server-based applications.
User Management Server enables that all authenticate calls for external users
(external = not from the _internal domain) are passed on to Runtime and Core
Services which returns a CAP token (a string). This mechanism is restricted to
external users as Runtime and Core Services is not expected to know the arbitrary
users from the _internal domain. The returned CAP token is added to User
Management Server access tokens.
Access to the The User Management Server access token stores the CAP token as an unsigned
CAP token parameter (URL encoded string) referenced by the key capToken.
Validation of User Management Server validates the CAP tokens it has created by checking the
tokens internal User Management Server list of created sessions. The result of such a
validate (capToken) call is a regular User Management Server access token which
contains the capTokenString in the designated unsigned parameter.
Also User Management Server validates CAP tokens which where not created
through calls to User Management Server. These CAP tokens are sent to the
Runtime and Core Services server for validation and an User Management Server
access token is created from the result. This requires that the relation between User
Management Server domain names and CAP domain names is configured in User
Management Server. Also, the value of the identifier field in the CapSession must be
a valid user name in User Management Server.
To configure the integration of CAP and User Management Server, see CAP
Connection
(https://knowledge.opentext.com/knowledge/llisapi.dll/properties/1192522690_0
00).

31.2 Managing parameters for SSO contexts
31.2 Managing parameters for SSO contexts

31.2.1 Configuring checker context for internal session ID
token
These properties are available:
• module
ixos.sec.sso.modules.SessionIdCheckerModule
• token
ixos.sec.sso.modules.SessionIdToken
• expirationPeriod
Defines the inactivity timeout in seconds. The default is 2100.
• invalidationPeriod
Defines the maximum session life time in seconds. The default is 72000.
31.2.2 Configuring checker context for SSO with SAP

Enterprise Portal
• module
ixos.sec.sso.modules.SAPSSOCheckerModule
• token
ixos.sec.sso.modules.SAPSSOToken
• UserDomain
Configures domain name of domain where user and groups can be found. The
default is _internal.
31.2.3 Configuring checker context for signed URL

• module
ixos.sec.sso.modules.SignedUrlCheckerModule
• token
ixos.sec.sso.modules.SignedUrlAccessToken

• SignedURLUpdatePeriod
Defines the updating period of signed URL handler for changes to certificate
users.
• SignedURLExpirationPeriod
For high-volume scenarios with SignedURLs this optional configuration
parameter is available, to reduce the validity period of the UMS internal
SignedUrlAccessToken. Set it in the configuration of the
SignedUrlAccessToken for the proper organization. The value gives the validity
of the token in seconds, so a value like 60 would avoid storing these tokens
longer then 60 seconds and thus greatly reduce the memory requirements in
such scenarios.
• importUnknownSignedUsers
To enable the automatic reference of users, who access the system with a
SignedUserAccessToken and are not yet referenced, add this key to the
configuration of the SignedUserAccessToken. The existence of the key alone
triggers the behavior, but still choose an intuitive value like true.
This automatic reference will only happen, if the signing-user referenced in the
given token can sign ANY user, which is indicated by the
unlimitedCertificate attribute of the signing user.
31.2.4 Configuring checker context for signed user

• module
ixos.sec.sso.modules.SignedUserCheckerModule
• token
ixos.sec.sso.modules.SignedUserAccessToken
• importUnknownSignedUsers
To enable the automatic reference of users, who access the system with a
SignedUserAccessToken and are not yet referenced, add this key to the
configuration of the SignedUserAccessToken. The existence of the key alone
triggers the behavior, but still choose an intuitive value like true.
This automatic reference will only happen, if the signing-user referenced in the
given token can sign ANY user, which is indicated by the
unlimitedCertificate attribute of the signing user.
31.3 Managing parameters for the root organization

CacheTimeMinutes
Defines the period of time after which the domain is synchronized. For details,
see “Configuring caching” on page 260.

31.4 Managing parameters for organizations
CacheLogRefreshSeconds
Defines the period of time after which the node data in a UMS cluster is
synchronized. For details, see “Configuring caching” on page 260.
SessionCacheSize
Defines the cache size for sessions. For details, see “Configuring session
management” on page 262.
SessionStoreCleanupTimes
Defines specific times to perform the cleanup of the db-session store. For
details, see “Configuring session management” on page 262.
31.4 Managing parameters for organizations

• Organization
The name of the organization. Consider “Naming recommendations for
organizations, domains, and departments” on page 255.
• AutoUnlockPeriod
After a defined number of failed user logons (see MaxFailedLoginAttempts),
the logon of the user will be locked. You can unlock the user manually or
automatically by setting this property.
The default is 1200 seconds.
• Name
The name of the organization.
• PasswordExpirationTime
Defines the time period, in days, after which the password of a user becomes
invalid. Then the user must change his password before he can log on again.
• DefaultLocale
Defines the default language setting for all organization users.
• PasswordMinNumSpecial
Specifies the minimum number of special characters that must be included in a
password.
• PasswordHistoryLength
Specifies how many changed passwords per user should be stored. When the
user must change the password, he is not allowed to use one of the old stored
passwords.
The default is 5.
• Description
Short description of the organization.

• PasswordMinLength
Specifies the minimum length for a password.
The default is 6 letters.
• MaxFailedLoginAttempts
Maximum number of false log on attempts after which the user account will be
locked.
It is possible to unlock the account after a defined period (see
AutoUnlockPeriod property).
• AccountLockingForImport
Defines whether the MaxFailedLoginAttempts property is also relevant for
referenced users.
The default value is false, because this may lead to conflicts with the account
locks in the external system.
31.5 Managing parameters for users

• Account Ends
Defines end of user account validity. Not used.
• Account Starts
Beginning of user account validity. Not used.
• allowProxy
Whether the proxy mechanism is active for the user or not. The value to activate
the proxy mechanism is true.
• DefaultACL
Not used.
• Description
A description of the user.
• Domain (read-only)
The domain of the user. The domain for internal users is always _internal.
• Email
The e-mail of the user. This e-mail address must be unique in the organization.
• eSignRole
eSign role of the user. Values can be signingAdmin and signingUser.
• External
0 for internal user, 1 for referenced.

31.5 Managing parameters for users
• FailedLoginAttempts
Number of failed log-ons in a row.
• invalidationPeriodMinutes
Defines the period after which the access token becomes invalid. This is relevant
for an application user to prevent the access token from timing out during
lengthy processes such as fulltext indexing.
• ixPwdExpires
Defines the date when the user password will become invalid.
• ixUniqueIdentifier (read-only)
Unique user ID.
• Language
The language settings for the user. The defined value is used per default when
creating a user for the organization.
• Login (read-only)
The logon of the user.
• limitedCertificateUserIds
Identifier of the user for which the certificate owner can sign user access tokens.
• Organization (read-only)
The name of the organization to which this user belongs.
• OutOfOffice
Set this property to 1 if the user is out of the office. This causes a dedicated
OutOfOfficeRule to be applied in TCP. The parameter has no affect on User
Management Server itself.
• Password
The password of the user. If you want to edit this field, the Password dialog box
opens (see “Changing/resetting user password” on page 266). This property is
only available to internal users.
• proxyIds
Identifiers of other users who are allowed to act as proxy for the user. You can
enter more than one value.
• State
Use enable to introduce the new user. If this user leaves the organization, use
disable.

• TimeZone
The time zone of the user. This is relevant if the user works in a different time
zone than User Management Server.
• Initials
The user's initials.
• unlimitedCertificate
Identifier used when certificate owner can sign unlimited user access tokens.
• userCertificateBinary
Identifier of the actual certificate.
31.6 Managing parameters for groups

• Organization (read-only)
The name of the organization to which this group belong.
• Domain (read-only)
The domain of the group. The domain for internal groups is always _internal.
• Name (read-only)
The name of the group.
• State
Use enable or disable.
• Description
Short description of the group.

Part 5
Open Text TCP Web Client administration
Part 5 Open Text TCP Web Client administration
This part describes the configuration of TCP Web Client.

“Setting the ASP.NET version” on page 293
This chapter explains how to set the ASP.NET version.
“Changing security settings” on page 293
This chapter describes how to change security settings.
“Starting ASP.NET State Service” on page 294
This chapter explains how to start ASP.NET State Service and changing further
ASP.NET configuration settings.
“Changing user-specific settings” on page 294
This chapter explains how to configure user-specific settings such as the length
of breadcrumbs or the Out of office functionality
“Configuring application settings for large uploads” on page 295
This chapter explains how to support the upload of large files.
“Configuring the viewers” on page 296
This chapter explains how to change the Java Viewer URL.
“Configuring log file” on page 298
This chapter explains how to configure the log file.
“Configuring Single Sign-On (SSO)” on page 299
This chapter describes how to configure Single-Sign-On.
“Installing multiple TCP Web Clients” on page 306
This chapter explains how you install more than one TCP Web Client on a
system.

Chapter 32
Configuring TCP Web Client
This chapter describes the configuration of TCP Web Client.
32.1 Setting the ASP.NET version

Make sure that ASP.NET version 2 is set in Microsoft Internet Information Services
(IIS). For IIS 7, this is already set by default. The following procedures show how
you do it for IIS 6.
To set the ASP.NET version for IIS 6:

1. Open IIS Manager.
2. Find the virtual folder of TCP Web Client, for example Web Sites -Default Web
Sites - tcpweb.
3. Right-click the folder and select Properties. Then go to the ASP.NET tab.
4. Select ASP.NET version 2.
5. Click Ok.
To change the ASP.NET configuration settings for IIS 6:

1. Open IIS Manager.
2. Go to the properties page of TCP Web Client, for example Web Sites - Default
Web Sites - tcpweb.
3. Right-click and select Properties, and go to the ASP.NET tab.

4. Click Edit Configuration.
5. Change settings as desired, for example the text for the Welcome Page or the
JavaViewerURL.
6. Click Ok.
32.2 Changing security settings

To change security settings:
1. Open Windows Explorer and find the directory where TCP Web Client was
installed, for example C:\inetpub\wwwroot\tcpweb.

Chapter 32 Configuring TCP Web Client
2. Change the security settings of the following subdirectories in the Windows

Explorer manually: \forms, \log. Allow Full Control for local group IIS_WPG.
32.3 Starting ASP.NET State Service

After installing TCP Web Client the SessionState mode is set to StateServer
(<sessionState mode="StateServer" timeout="32" />). This is the
recommended setting for session management. It requires that the ASP.NET State
Service is started.
To start ASP.NET State Service:

1. Open Services via Start - All Programs - Administrative Tools - Services, and
go to ASP.NET State Service.
2. Right-click and select Properties.
3. For Startup type select Automatic.
4. Click Ok.
5. Start the ASP.NET State Service.
32.4 Changing user-specific settings

To activate the out of office functionality
If you activate the out of office functionality, the Out of Office tab in the Settings
dialog of the TCP Web Client is visible for the user, see section 3.2.6 "Defining the
out of office settings " in Open Text Transactional Content Processing - User Guide
(TCP100001-UGD).
1. Open web.config (for example C:\inetpub\wwwroot\tcpweb) and go to the
section <appSettings>.
2. Look for the EnableOutOfOffice key or add it in the following way:
<add key="EnableOutOfOffice" value="true" />
To set the length of breadcrumb path

You can adjust the length of the breadcrumb path by the following setting in
web.config.
1. Open web.config (for example c:\inetpub\wwwroot\tcpweb), and go to the

<appSettings> section.
2. Look for the MaxHistoryPathLength key or add it in the following way:

<add key="MaxHistoryPathLength" value="64"/>
Enter a number for the value. Default is 64.

32.5 Configuring application settings for large uploads
Tips:
• Setting the MaxHistoryPathLength to 0 hides the breadcrumbs. In that
case, back navigation is possible only via the back buttons in the
different views.
• If the actual length of the breadcrumbs exceeds the configured length,
the path is cut from the left, where the cutting is indicated by a
symbolic entry “...”. Despite of the restricted length shown at the UI,
the path exists virtually in full length. I.e. when navigating back, the
path successively fills from the left.
32.5 Configuring application settings for large

uploads
FileUp can accept uploads of up to 4 gigabytes (default). It is important to configure
the application settings to make sure ASP.NET State Service doesn't block large
uploads before FileUp can process them. The maxRequestLength parameter is set in
the httpRuntime section of web.config. The parameter maxRequestLength is set in
kilobyte. So, for example, if you want to allow uploads of 100 MB, you would set
maxRequestLength to 102400. There are also some other settings in httpRuntime
section which you can adjust according to the needs of your application.
To configure the maximum request length

1. Open web.config (for example C:\inetpub\wwwroot\tcpweb), and go to the
<system.web> section.
2. Set maxRequestLength in kilobyte.

3. If necessary, adjust additional settings according to the needs of your
application (see the example below).
<configuration>
<system.web>
<httpRuntime
executionTimeout="1200"
maxRequestLength="102400"
useFullyQualifiedRedirectUrl="false"
minFreeThreads="8"
minLocalRequestFreeThreads="4"
appRequestQueueLimit="100" />
</system.web>
</configuration>

32.6 Configuring the viewers

You can configure which viewer is used to display content such as JPG or TIFF files.
TCP GUI supports the following viewers:
• Open Text Imaging Java Viewer
• Open Text Imaging Web Viewer
• Open Text Imaging Windows Viewer
New: Now, TCP GUI supports also Web Viewer and Windows Viewer. This
requires certain patches.
Note: The ApplicationViewer key and the WebViewerURL key are only
available if patch TCP-1001-028 or higher is installed on your system.
For more information about customizing the viewers for the TCP GUI, see section
17.1 "Configuring Viewers for TCP GUI" in Open Text TCP Modeler - Customization
Guide (TCP100001-CGD).
To configure Java Viewer:

1. Install and configure Java Viewer, see Open Text Imaging Viewers and DesktopLink
- Installation and Administration Guide (CL090700-IGD) or a previous version,
depending on the version you want to install. For Java Viewer requirements, see
the Open Text Imaging Viewers and DesktopLink Release Notes.
2. Open the web.config file (for example in c:\inetpub\wwwroot\tcpweb), and
go to the <appSettings> section.
• Enable the ApplicationViewer key and set the value to JavaViewer:
<add key="ApplicationViewer" value="JavaViewer" />
3. Enable the JavaViewerURL key and enter the URL to Java Viewer, for example
<add key="JavaViewerURL" value="http://JVhost/JAVAVW" />
To configure Web Viewer:

The usage of Web Viewer requires the following patches:
• Web Viewer 9.7.5 with Web Viewer patch 008 or higher
• TCP-1001–067 or higher for TCP GUI
• TCP-1001–068 or higher for TCP Application Server
For more information about patches, see
1. Install Web Viewer, see OpenText Imaging Web Viewer - Installation and
Configuration Guide (CLWEBV-IGD) of the version you want to install. For
requirements, see the Open Text Imaging Web Viewer Release Notes.

32.6 Configuring the viewers
2. Open the web.config file (for example inc:\inetpub\wwwroot\tcpweb), and

• Enable the ApplicationViewer key and set the value to WebViewer:
<add key="ApplicationViewer" value="WebViewer" />
3. Enable the WebViewerURL key and enter the URL to the Web Viewer, for
example
<add key="WebViewerURL"
value="http://myserver:18080/WebViewer/viewer.srv" />
4. Enable the <Defaultclientele> key and set the value to the clientele of the User
Management Server associated to the application. The default value is
defaultclientele.
<add key="DefaultClientele" value="yourclientele" />
Important
If you use Web Viewer you must add the following setting to the Web
Viewer viewer.cfg file:
HTTP_PROTOCOL_COOKIE_POLICY=ignoreCookies
For more information on the viewer.cfg file, see section 4.1 "Configuration
files" in OpenText Imaging Web Viewer - Installation and Configuration Guide
(CLWEBV-IGD) of the version you want to install.
To configure Windows Viewer:

The usage of Windows Viewer requires the following patches:
• Windows Viewer 9.7.5 with Windows Viewer patch 011 or higher
• TCP-1001–067 or higher for TCP GUI
• TCP-1001–068 or higher for TCP Application Server
For more information about patches, see
1. Install Windows Viewer, see Open Text Imaging Viewers and DesktopLink -
Installation and Administration Guide (CL090700-IGD) or a previous version,
depending on the version you want to install. For requirements and
prerequisites, see the Open Text Imaging Viewers and DesktopLink Release
Notes.
2. Open the web.config file (for example in c:\inetpub\wwwroot\tcpweb), and
• Enable the ApplicationViewer key and set the value to WinViewer:
<add key="ApplicationViewer" value="WinViewer" />

3. To use always the same Windows Viewer window when the user opens a
document, perform the following steps:
New: The reuse of the Windows Viewer window for all documents to be
opened is a new feature of patch TCP-1001-072.
a. Make sure that patch TCP-1001-072 or higher is installed. For more
information about patches, see
b. Go to the directory <IIS installation directory>\wwwroot\tcpweb\-
config.
c. Rename ViewerStateConfig.xml, for example to

ViewerStateConfig.Internal.xml.
d. Rename ViewerStateConfig.External.xml to ViewerStateConfig.xml.

e. In ViewerStateConfig.xml, active all lines starting with <transition id=
... and targetState="ShowExternalReuse" by removing the comments.
f. In ViewerStateConfig.xml, deactivate all lines with

targetState="ShowExternal" by commenting these lines out.
32.7 Configuring log file

To configure the log file
1. Open web.config (for example C:\inetpub\wwwroot\tcpweb), and go to
<log4net>.
2. Set the log level.

The global log level can be set in logger name for name space
OpenText.Ecm.Tcp. Following log levels are supported:
• TRACE
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
After the installation the log level is set to INFO.
The logging is written to file tcpwebclient.log in the log directory of your
TCP application.

32.8 Configuring Single Sign-On (SSO)

Note: If SSO is enabled for a certain TCP Web Client, this TCP Web Client can
only be used for SSO. Internal users cannot login any more. To use internal
users, duplicate TCP Web Client (see “Installing multiple TCP Web Clients” on
page 306) and enable SSO only for one TCP Web Client installation.
To enable SSO:
Perform the following steps to enable SSO with the TCP Web Client, User
Management Server and the Microsoft Windows Operating System:
Note: You can use SSO only with Microsoft Internet Explorer but not with
other Web browsers.
1. See “Creating a certificate” on page 299.
2. See “Configuring the checker module on User Management Server” on
page 301.
3. See “Configuring User Management Server” on page 302.
4. See “Updating TCP Web Client configuration” on page 303.
5. See “Changing Internet Information Services (IIS) Manager settings” on
page 303.
6. See “Setting folder permissions” on page 306.
7. See “Adding external domain and users” on page 306.
32.8.1 Creating a certificate

To create a certificate:
1. Create a certificate file including a private key on the server where TCP Web
Client is installed.
When no trusted certificate is needed use the Windows SDK utility makecert.
To create a certificate with an exportable private key use the option pe of
makecert. This option is only available in newer builds of makecert (for example
version 5.131.3617.0). To test if you need a new version of makecert start
makecert from a command prompt without any options. Then the usage is
displayed and you will see if the pe option is available.
Creating a self signed certificate would be sufficient. It is not required to have a
certificate issued by a Certificate Authority. The certificate is used to establish a
trusted relationship between User Management Server and TCP Application
Server. The communication between User Management Server and the TCP
Application Server is signed with a private key/public key pair.
2. At the command prompt, enter makecert.exe -sk tcpKey —pe —r —n
"cn=TCPCert" —ss storetcp1 —sr localmachine tcpcert.cer.

Note: Do not use copy & paste. Type in the whole command.
The meaning of the parameters is:

• -sk: The private key with the name tcpKey is generated.
• -pe: The certificate can be exported together with the private key.
• -r: The self signed certificate is created.
• -n: The certificate with the subject TCPCert is created.
• -ss: The certificate is stored in the personal store (storetcp1).
• -sr: The certificate is stored in the local machine store.
Additionally the certificate is stored in the tcpcert.cer file. This file is needed
to assign the certificate to the UMS user needed to verify the signature of signed
user accesses.
Notes:
• Store the certificate in the local machine store. Thus it can be accessed
from all users and not only by a specific user. This is, for example,
important for TCP Web Client as it is a Web application running with
the impersonated user accounts.
• Internet Explorer cannot manage certificates in the local machine store.
To do this create a MMC with the plug-in Certificates and select local
machine store.
• To install the certificate on several Web servers, export it with the MMC
certificate plug-in together with its private key in PKCS #12 (.PFX)
format. You can also import the certificate on other servers running
TCP Web Client.
• When you encounter problems accessing the certificate store try to
import the certificate file to a dedicated store on the local computer. Use
the name of the store in the web.config which can be found in Registry
at HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates.
• It may be necessary to add “read” permissions to the certificate store
directory for your authenticated users. You can find the certificates in
the folder <Drive>:\Documents and Settings\All Users\-
Application Data\Microsoft\Crypto\RSA\MachineKeys.

3. To add the certificate to the local machine store, open a command prompt and
enter mmc.
The MMC opens.
4. Go to File - Add/Remove Snap-In, click Add and select Certificates.
5. Click Computer account.
6. Select Local computer, click Finish, then click Close and Ok to return to the
MMC main window.
7. Go to Certificates (Local Computer) - storetcp - Certificates and open TCPCert.
The Certificate window opens.

8. Go to the Details tab. The Subject should be TCPCert.
32.8.2 Configuring the checker module on User Management

Server
For all access token types, a Checker Module must be configured in the ROOT area
as well as the particular organization for which this kind of SSO will be available.
Both configurations must reference the same AccessToken type and Checker
Module. For further information, see “Configuring the SSO checkers” on page 257.
To configure the SSO checkers:

1. Open User Management Client and log on at organization ROOT.
2. Go to ROOT - Configuration and open
ixos.sec.sso.modules.SignedUserAccessToken configuration.

3. Check and adjust the following settings:

• Display name: ixos.sec.sso.modules.SignedUserAccessToken
• _name: ixos.sec.sso.modules.SignedUserAccessToken
• description: Configuration ixos.sec.sso.modules.SignedUserAccessToken
• module: ixos.sec.sso.modules.SignedUserCheckerModule
• token: ixos.sec.sso.modules.SignedUserAccessToken
Tip: If the Windows domain used for authentication has mixed uppercase
and lowercase logins, adapt the configuration of the domain in User
Management. Add the key OSNamingModule.CaseInSensitive and set
the value to true.
Click Ok.
32.8.3 Configuring User Management Server

To configure User Management Server:
1. Open User Management Client and create a certificate user (see “Adding a
certificate user” on page 265).
2. Add the certificate you created with makecert (file tcpcert.cer) to this user. To
do this select the user, right-click and select Certificate.
The Certificate window opens.

Tip: The certificate is needed in cer format and thus the certificate file
created with makecert (tcpcert.cer) can be used.
3. Enter the path to the file tcpcert.cer.
4. Set the property unlimited Certificate to true.
32.8.4 Updating TCP Web Client configuration

To update the TCP Web Client configuration:
1. Open the web.config file in <root>\Inetpub\wwwroot\tcpweb (for example
C:\inetpub\wwwroot\tcpweb) and configure the following keys in the
appSettings section. Adapt the values according to your needs and certificate
values (see step 2 in “Creating a certificate”).

<add key="SSO.Cert.Store" value="storetcp1" />

<add key="SSO.Cert.Subject" value="TCPCert" />

<add key="SSO.Cert.User" value="tcpcertuser" />

<add key="SSO.Clientele" value="defaultclientele" />

<add key="SSO.Expiration" value="72000" />
To adapt the value of tcpcertuser, use the value of the certificate user you
created before, see step 1.
2. Change the following settings for identity and authentication in the
<system.web> section of the web.config file:
<identity impersonate="true" />

<authentication mode="Windows">
<forms defaultUrl="Main.aspx" timeout="30"
slidingExpiration="true" />
</authentication>
32.8.5 Changing Internet Information Services (IIS) Manager

settings
Change the following settings in Internet Information Services (IIS) Manager. The
settings depend on your IIS version.
Note: This chapter assumes that you installed Internet Information Services
(IIS) Manager as described in section 3.4 "Setting up Microsoft Internet
Information Services (IIS)" in OpenText Transactional Content Processing -
Installation Guide (TCP-IGD).

To change Internet Information Services (IIS) Manager settings in IIS 7 (on

Windows Server 2008):
1. Open Internet Information Services (IIS) Manager.
2. Double-click the name of the virtual folder, in this example tcpwebSSO.
3. Double-click Authentication.
4. Set the status of Anonymous Authentication to Disabled.

5. Double-click the name of the virtual folder, in this example tcpwebSSO.
6. Enable ASP.NET Impersonation for TCP Web Client.

a. In the Connections pane, click the name of the computer, in this example
VMSCSTCP-32–01. The VMSCSTCP-32–01 Home pane opens.
b. Double-click ISAPI and CGI restrictions.
c. Set ASP.NET 2.0.50727 to Allowed.
To change Internet Information Services (IIS) Manager settings in IIS 6 (on

Windows Server 2003):
1. Open Internet Information Services (IIS) Manager.
2. Go to tcpweb, right-click and select Properties.
The tcpweb Properties window opens.
3. Go to the Directory Security tab and click Edit for Authentication and access
control.
The Authentication Methods window opens.
4. Remove the check mark from the check box Enable anonymous access and
select Integrated Windows authentication.
5. Click Ok and Ok to close the Properties dialog.
6. In Internet Information Services (IIS) Manager, go to Web Service Extensions.

7. Set ASP.Net to status Allowed.
32.8.6 Setting folder permissions

To set folder permissions:
1. Create a new group TCPSSOusers via Computer Management.
2. Add domain users to this group.
3. Set the folder permissions for:
• C:\Inetpub\wwwroot\tcpweb\forms
• C:\Inetpub\wwwroot\tcpweb\log
• Only for Windows Server 2003:
C:\Documents and Settings\All Users\Application Data\Microsoft\-
Crypto\RSA\MachineKeys
• Only for Windows Server 2008:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
To do this, go to the folders, right click and select Properties.

4. Go to Security tab and add the created group TCPSSOusers.
5. Set the permissions to Full Control, and click Ok.
32.8.7 Adding external domain and users

The external domain(s) of the user have to be added to User Management Server.
Depending on the settings of the Checker Module the users have to be imported
manually or not.
To test SSO:
• Log on with the URL http://<computer>/tcpweb/login.aspx.
No logon dialog appears, instead you have to select the group if more than one
group is available.
32.9 Installing multiple TCP Web Clients

If you want to use TCP Web Client with different projects you must install multiple
TCP Web Clients and define for each client the project in the web.config file.
The installation depends on the platform.
To install multiple TCP Web Clients on Windows Server 2003:

1. In the wwwroot directory, copy the tcpweb folder to a new folder tcpweb2.

32.9 Installing multiple TCP Web Clients
2. Create a virtual folder for tcpweb2:

a. Right-click the folder in Windows Explorer and select Properties from the
context menu.
b. In the tab Web Sharing, select Share this folder with the same alias name,
in this case tcpweb2.
c. Click OK.
d. For the local group IIS_WPG, set the folder permissions to Full Control for:
For details, see step 3 in “Setting folder permissions”.
3. Configure the virtual folder in IIS Manager.
a. Right-click the new virtual folder tcpweb2 and select Properties from the
context menu.
b. In the Directory Security tab, edit the Authentication and access control:
Enable anonymous access. Disable integrated Windows authentication.
c. Click OK.
d. In the Documents tab, enable the default content page and specify
tcp.aspx as single entry.
e. Save your settings and close IIS Manager.
To install multiple TCP Web Clients on Windows Server 2008 with Microsoft IIS
7:
1. In the wwwroot folder, copy the tcpweb directory and rename it, for example to
tcpweb2.
2. For the local group IIS_IUSRS, set the folder permissions to Full Control for:
For details, see step 3 in “Setting folder permissions”.
3. In IIS Manager convert the directory (in this example tcpweb2) to an
application. Do this by right-clicking the folder and selecting Convert to
Application.
4. Enable Anonymous Authentication, see step 3 in “To change Internet
Information Services (IIS) Manager settings in IIS 7 (on Windows Server 2008):”.
5. Double-click the name of the virtual folder, in this example tcpweb2.
The tcpweb2 Home pane opens.

6. Double-click Default Document.

The Default Document pane opens.
7. Remove the existing default values and add tcp.aspx as single entry.
8. Enable the tcp.aspx page. This is the case if Disable is visible in the Actions
pane.
Troubleshooting tip
In case the tcpweb2 application cannot be accessed properly, try the following
steps:
1. Edit C:\Windows\System32\inetsrv\config\applicationHost.config.
2. In the applicationHost.config file, copy all existing <location> sections
where the path starts with Default Web Site/tcpweb and add them to the
end of the file. Rename the paths to Default Web Site/<tcp_sso_dir> (in
this example Default Web Site/tcpweb2) in each of the copied sections.
Example for a <location> section to be copied:
<location path="Default Web Site/tcpweb">
<system.webServer>
...
</system.webServer>
</location>

Part 6
TCP Document Pipelines administration
Part 6 TCP Document Pipelines administration
This part describes TCP Document Pipelines and DocTools.

“Overview of TCP Document Pipelines for TCP Context Server” on page 311
This chapter introduces the various pipelines.
“Functional description of the TCP DocTools” on page 313
This chapter contains detailed information about DocTools.
“Permissions for the indexing scenarios” on page 325
This chapter describes the permissions for indexing scenarios.
“Sample batch import files for TCP Context Server pipelines” on page 329
This chapter lists the files for a batch import.

Chapter 33
Overview of TCP Document Pipelines for TCP
Context Server
These pipelines are available for scenarios with TCP Context Servers:
Table 33-1: TCP Document Pipelines for TCP Context Servers
Pipeline name Display name in in- Display name in Open Description

stallation Text Document Pipe-
line Info
CODMS COLD Batch import for TCP Archives documents to
Context Server with TCP Context Server.
attributes extraction Includes inbox and
process scenarios for
TCP version 10.0. For
details, see OpenText
Document Pipelines -
Overview and Import
Interfaces (AR-CDP).
CODMSR3 COLD for TCP Context Batch import for Docu- Archives documents to
Server Link: with attributes TCP Context Server and
extraction attributes to SAP. In-
cludes inbox and proc-
ess scenarios for TCP
version 10.0. For details,
see OpenText Document
Pipelines - Overview and
Import Interfaces (AR-
CDP).
EXDMS Batch Import Batch import for TCP Archives documents to
Context Server: attrib- TCP Context Server.
utes supplied in ad- Includes inbox and
vance process scenarios for
TCP version 10.0. For
details, see OpenText
Document Pipelines -
Overview and Import
Interfaces (AR-CDP).

Chapter 33 Overview of TCP Document Pipelines for TCP Context Server
Pipeline name Display name in in- Display name in Open Description

stallation Text Document Pipe-
line Info
EXDMSR3 Batch Import for Con- Batch import for Docu- Archives documents to
text Server Link: attributes sup- TCP Context Server and
plied in advance attributes to SAP. In-
cludes inbox and proc-
ess scenarios for TCP
version 10.0. For details,
see OpenText Document
CDP).
SCDMS Scan Scan pipeline for TCP Archives scanned
Context Server documents to TCP Con-
text Server. Includes
inbox and process sce-
narios for TCP version
10.0. For details, see
OpenText Document
CDP).
Basic TCP .
scenario
1. The dmsPrepdoc DocTool fetches the document ID and writes the ATTRIBUTES
file as in the standard scenario.
2. The gen_prop DocTool reads the ATTRIBUTES file and writes an XML file that
contains all the properties used in TCP Context Server.
3. The doctodms DocTool sends the document and corresponding properties to
TCP Context Server.
4. The Inbox DocTool sends the document identifier to the TCP Application
Server for PDMS UI Inbox late indexing scenarios.
5. The psdt DocTool starts a workflow and attaches the document, for example for
TCP GUI late indexing scenario.

Chapter 34
Functional description of the TCP DocTools
Various DocTools are used in TCP Document Pipelines. This section contains a brief
functional description of the TCP DocTools. For reference purposes, the default
name of the DocTool displayed in DPInfo is listed in the table as well. Note,
however, that these names may be configured differently.
Terminology conventions
Several tools are provided in duplicate versions (named “R3...” and “DB...”). In
this case, both versions implement the same functionality, but depend on
whether the DocTool is used in the pipeline that is designed for storing the
attributes into an SAP database (“R3”).
DocTools for scenarios using a TCP Context Server contain the abbreviation
dms. DocTools for Enterprise Process Services scenarios contain the
abbreviation ps.
Table 34-1: Functional description of the DocTools
DocTool Display name in Description

DPInfo
Tools for TCP Context Server
dmsPrepdoc Prepare attributes Replaces Prepdoc for TCP Context Server
scenarios. It generates a Record ID (DOCID)
for each document without reference to
the archive. It creates the ATTRIBUTES file
and also (for MTA documents) the
META_DOCUMENTS_INDEX file.
doctodms Send document and Sends the document components and at-
attributes to TCP Con- tributes to TCP Context Server.
text Server
dmsformid Select Overlay Form Part of the forms overlay scenario; re-
from TCP Context trieves the Record ID of the form from
Server TCP Context Server and writes it to the
COMMANDS file as DMS_OVERLAY_FORM. For
PDF files, the DocTool also retrieves the
archive ID and writes both IDs to the PDF
file; see also OpenText Document Pipelines -
Overview and Import Interfaces (AR-CDP).

Chapter 34 Functional description of the TCP DocTools
DocTool Display name in Description

DPInfo
Tool for TCP
inbox Put document to TCP Registers a document for indexing in
PDMS UI. Depending on the configura-
tion, it can also create a task in the inbox,
or call a plug-in event in TCP. Note that
you can perform only one action per
document, i.e. register for indexing, or
create a task, or trigger a plug-in. See also
“Inbox” on page 315.
Tool for Enterprise Process Services
psdt Send Document ID and Sends Document ID and archive ID to the
Archive ID to TCP Enterprise Process Services and starts a
workflow. Reads the COMMANDS file and
the connection data from the TCP Docu-
ment Pipelines environment (configured
during installation. For details, see section
10.1 "Installing OpenText TCP Document
Pipelines" in OpenText Transactional Con-
tent Processing - Installation Guide (TCP-
IGD)).
34.1 Prepdoc, dmsPrepdoc

The main task of the Prepdoc DocTool is to create the ATTRIBUTES file from the
IXATTR file, replacing any placeholders with actual values. In addition, the
META_DOCUMENT_INDEX file is created for meta documents (see OpenText Document
Pipelines - Overview and Import Interfaces (AR-CDP)), including information on the
offset and document length of each logical document in the meta document.
The DocTool reads the IXATTR file provided in the document directory line by line,
expands the lines if necessary or retrieves actual values for placeholders, and writes
the modified line to the ATTRIBUTES file. The offset information for meta documents,
which is also included in the IXATTR file, is inserted in the META_DOCUMENT_INDEX
file. How each line from the IXATTR file is processed depends on the keyword; see
OpenText Document Pipelines - Overview and Import Interfaces (AR-CDP).
dmsPrepdoc
The dmsPrepdoc DocTool is used to create the ATTRIBUTES file for TCP Context
Server. Basically, the behavior of this DocTool is very similar to the traditional
Prepdoc, except for the following points.
• dmsPrepdoc generates the DocID by itself, rather than retrieving it from the
storage system.
• The IXATTR_ENCODING key in the COMMANDS file allows processing data from the
IXATTR file in formats other than the one used internally.

34.2 doctodms
34.2 doctodms
The main task of doctodms is to archive documents on a TCP Context Server. A (DP-
) document consists of one or more DMSDocuments, DMSIDOs, or both. Its attributes
and rendition information must be provided in an IXATTR file in the document
directory. For details, see OpenText Document Pipelines - Overview and Import
Interfaces (AR-CDP). Internally, this file is converted to an XML file named prop.xml
by the gen_prop tool. If necessary, (dummy) files for the rendered data must be
provided as well.
If the DocumentID or IDO ID already exists on Context Server, the existing attributes
and renditions will be replaced, and new attributes and renditions will be added to
the document on TCP Context Server.
You can define the number of documents to be archived in one transaction in the
environment variable DMS_DOCUMENTS_PER_TRANSACTION. The default is 100.
However, documents with renditions are always archived in a separate transaction.
The following parameters must be set in the COMMANDS file. See OpenText Document
Pipelines - Overview and Import Interfaces (AR-CDP).
DMS_DOCTYPE
Specifies the record type for the document. Unlike DOCTYPE for traditional
scenarios, the DMS_DOCTYPE key represents the business object for the document.
From the point of view of TCP Context Server, the default archive ID is defined
in the record type. As the record type in the document model contains the
business object, it is no longer necessary to map the business object to the archive
ID. Therefore, the mapping table and the corresponding key
ARCHIVID_CRITERION are not required for the TCP scenario.
DMS_DOCTYPE <record type>
Example:
DMS_DOCTYPE ixos.DMS:document
IXATTR_ENCODING
Specifies the encoding of the IXATTR file
IXATTR_ENCODING <encoding type>
Example:
IXATTR_ENCODING ISO8859_1
For a list of supported encodings, see OpenText Document Pipelines - Overview and
Import Interfaces (AR-CDP).
34.3 Inbox
The Inbox DocTool interacts with TCP to perform one of the following tasks:
• Create a routing item for a user or user group.

• Trigger the execution of a plug-in.

• Register a document for late indexing.
34.3.1 Parameters in DT_INBOX.Setup

DT_INBOX.Setu During the installation of the pipelines, you enter various parameters for DT_INBOX;
p see the appropriate installation guide at
https://knowledge.opentext.com/knowledge/llisapi.dll/open/14697323. The
Inbox DocTool reads the connection data from the DT_INBOX.Setup file. You find
the DT_INBOX.Setup file in the following location:
Windows %ECM_DOCUMENT_PIPELINE_CONF%/config/setup
Unix $ECM_DOCUMENT_PIPELINE_CONF/config/setup
Environment key Description Default value

INBOX_TIMEOUT Timeout in [s] for TCP connection 60
IN- Wait specified time in [ms] before retry- 100
BOX_RETRY_INTERVAL_M ing connection
S
DMS_DEFAULT_DOCTYPE Default record type used for late index- ixos.dms:Entit
ing if DMS_DOCTYPE statement is y
missed in COMMANDS file
BIZ_DUE_TIME_H Number of hours until due date/time 24
of TCP task
BIZ_USER TCP user of inbox DocTool BizDPUser

BIZ_PASSWORD Encrypted password for logon 6DA3D56EB90
F4463CF
729D2F646C7F
EF
BIZ_DOMAIN Domain for logon _internal
BIZ_GROUP Group for logon BizDPUsers
BIZ_GROUP_DOMAIN Group domain for logon _internal
BIZ_URL URL for TCP application, for example –
http://<tcphost>:18080/TCP
BIZ_PROJECT Project identifier of the TCP project; not –

the name, but the unique ID!

34.3 Inbox

BIZ_APPLICATION_1,…, Comma-separated connection string for –
BIZ_APPLICATION_9 BIZ-APPLICATION:
<application_name>,<url>,<project
>,<user>,<password_enc>,<domain>,
<group>,<groupdomain>
Note: With the key(s) BIZ_APPLICATION_1 ... BIZ_APPLICATION_9, you can

specify different sets of connection parameters for each application in a
comma-separated connection string and store this in the DT_INBOX.setup. In
the COMMANDS file, you can use such a BIZ_APPLICATION_<X> key by entering
the following line:
BIZ_APPLICATION_<X> <application_name>,
for example: BIZ_APPLICATION_1 myapplication.
The parameters correspond to the following keys:
• <url>
BIZ_URL
• <project>
BIZ_PROJECT
• <user>
BIZ_USER
• <password_enc>
BIZ_PASSWORD
• <domain>
BIZ_DOMAIN
• <group>
BIZ_GROUP
• <groupdomain>
BIZ_GROUP_DOMAIN
If you specify one or more of the BIZ_APPLICATION_1...BIZ_APPLICATION_9

key(s) and enter such a key in the COMMANDS file, the connection string of such a
key is used instead of the values in the corresponding environment keys. The
environment keys INBOX_TIMEOUT, INBOX_RETRY_INTERVAL_MS,
DMS_DEFAULT_DOCTYPE, and BIZ_DUE_TIME_H are always used, independent
from the use of the BIZ_APPLICATION_1...BIZ_APPLICATION_9 key(s).

34.3.2 Parameters in the COMMANDS file

Table 34-2: Inbox parameters in the COMMANDS file
Key Description Example

DMS_DOCID DMS document ID that is to be manda- DMS_DOCID
sent to the TCP application; is tory <docid>
defined automatically by Open
Text Imaging Enterprise Scan.
BIZ_ENCODING_BASE The BIZ-parameters in the manda- BIZ_ENCODING
64_UTF8N COMMANDS file are encoded in tory _BASE64_UTF8
BASE64 from UTF8N. No pa- N
rameters are available.
BIZ_APPLICATION The TCP application to connect optional BIZ_APPLICAT
to ION
<application
name>
One of the following entries is required: required

BIZ_DOC_RT_USER The task is sent to the inbox of BIZ_DOC_RT_U
this user. SER
Can be used with PDMS UI <domain>\<lo
only. gin>
BIZ_DOC_RT_GROUP The task is sent to the inbox of BIZ_DOC_RT_G

one user in this group. ROUP
Can be used with PDMS UI <domain>\<gr
only. oup name>
BIZ_PLG_EVENT Calls a plug-in event in TCP BIZ_PLG_EV

Example: ENT
<plugin>:<ev
BIZ_PLG_EVENT ent>
plugin_event_1
Alternatively to defining a user, group or plug-in event, the PILE_INDEX in the “Archive
mode” and the following entry can be defined:
BIZ_REG_INDEXING An indexing item is created in BIZ_REG_IN
the Indexing inbox. No parame- DEXING
ters are available.
Can be used with PDMS UI
only.
Note: For details on the COMMANDS file, see section 7.3 "The COMMANDS File"
in OpenText Document Pipelines - Overview and Import Interfaces (AR-CDP).

34.4 Psdt
34.3.3 Archive mode

You can configure the scenarios in the Archive Mode of Open Text Administration.
For details, see OpenText Archive Server - Administration Guide (AR-ACN). These are
the relevant parameters:
Scenario
DMS_INDEXING
Archive Name
Name of a logical archive.
Conditions
Select PILE_INDEX.
Workflow
Workflow name (if required. See “Psdt” on page 319).
Extended Conditions
The Extended Conditions correspond to the COMMANDS keys; see Table 34-2.
Always set BIZ_ENCODING_BASE64_UTF8N. In addition:
Indexing – Set BIZ_REG_INDEXING.
To configure an indexing scenario, see Open Text TCP Modeler - Customization
Guide (TCP100001-CGD). For general information about indexing, see Open Text
Transactional Content Processing - User Guide (TCP100001-UGD).
Tasks – The task is sent to the user specified with BIZ_DOC_RT_USER =
<domain>\<login>. Alternatively, to specify a user group, set
BIZ_DOC_RT_GROUP = <domain>\<group name>.
Plugin event – Set BIZ_PLG_EVENT = <plugin>:<event>. The plug-in name is

optional. The plug-in gets the Doc ID of the document in the plug-in request at
ixos.dms:Id. The DocTool awaits response=OK in the plug-in response.
For further information about plug-in events, see Open Text Transactional Content
Processing - Programming Guide (TCP-PGD).
34.4 Psdt
The psdt DocTool is used for indexing with the Pipeline scan scenario SCDMS and
batch import scenario EXDMS. It allows to start a process with a scanned document,
either in an early or late indexing scenario. For details, see “Overview of TCP
Document Pipelines for TCP Context Server” on page 311.
If configured in the COMMANDS file, the DocTool creates a process instances.
Parameters from psdt DocTool uses the following parameters from the Inbox DocTool (see “Inbox”
Inbox on page 315):

BIZ_USER TCP user of Inbox DocTool BizDPUser


BIZ_PASSWORD Encrypted password for logon. Pro- 6DA3D56EB90F4
vided by the Inbox DocTool. For de- 463CF
tails, see “Inbox” on page 315). 729D2F646C7FEF
BIZ_DOMAIN Domain for logon _internal
BIZ_PROJECT Project ID, needed to logon to Enter-
prise Process Services.
BIZ_GROUP Group for logon BizDPUsers
BIZ_GROUP_DOMAIN Group domain for logon internal
BIZ_URL URL for TCP application, for example -
http://<tcphost>:18080/TCP.
BIZ_ASYNC_ROUTIN If true the work item will be routed true

G asynchronous, otherwise synchronous
Document psdt DocTool uses the following parameters from the COMMANDS file configured in
parameters the archive mode:
Environment Description Value

key
PMS_PROCESS_ Process class name
NAME
IXUSER Scan user. Yet not in use.
PS_ENCODING_ Encoding within the command file required 1
BASE64_UTF8N
PS_MODE If set, the DocTool tries to create a process, required EPS
otherwise does nothing.
PS_SPI SPI name; reserved, only to set a defined SPI required
name, should be set according to the default
prefix of the TCP application.
PS_DATA If set to true, the data object scanData will optional true
be read from the process instance and the
attributes will be filled with the values from
the COMMANDS file. The attribute name must
match with the key name in the COMMANDS
file:
DOCTYPE: for example FAX
PAGES: number of scanned pages
IXUSER: scan user logon name
IXAPPL: scan application
COMPUTERNAME
PS_OBJECT Object name for the attached document optional default: document

34.4 Psdt
Environment Description Value

key
PS_PRIORITY Process instance priority optional UNDEFINED = -
10
LOW = -1
NORMAL = 0
HIGH = 1
BIZ_PROJECT Project name optional
In addition, the following key of the COMMANDS file is used:
DMS_DOCID Document ID, needed to attach the archived document to the process
34.4.1 Archive Mode configuration

When archiving documents with Enterprise Scan, there are three possible scenarios
for indexing:
Pre-indexing
A scanned document is indexed in Enterprise Scan before it is archived.
Late-indexing
A scanned document is archived first and then the indexing is performed in TCP.
Indexing
This combines or allows both previously described scenarios.
For all scenarios, you must connect to Archive and Storage Services and define an
archive mode with the settings as described in the following tables. The archive
modes are used by scan stations:

To set up the scan station:

1. In the Open Text Administration (formerly known as Archive Administration),
select the Scan Stations node below the Environment node.
2. From the Archive Mode tab, select the scenario.
3. On the General tab, select DMS_Indexing from the Scenario list.
4. On the Advanced tab, set the parameters and values according to your scenario
as described in the following table:
Parameter Indexing (TCP Pre-indexing Late-indexing (PDMS Web Client)

Web Client) (PDMS Web Cli-
ent)
Name arbitrary arbitrary arbitrary
Scenario DMS_Indexing DMS_Indexing DMS_Indexing
Archive existing logical ar- existing logical ar- existing logical archive
chive chive
Conditions - - PILE_INDEX
Workflow existing process - -
Extended Condi- see following - Add two keys
tions screenshot BIZ_ENCODING_BASE64_UTF8N and
BIZ_REG_INDEXING. Leave the val-
ues empty.

34.4 Psdt
For details on archive modes, see section 11 "Configuring Scan Stations" in

OpenText Archive Server - Administration Guide (AR-ACN).
You also must perform some customization steps in TCP Modeler. For details, see
section 32.1 "Indexing scenarios" in Open Text TCP Modeler - Customization Guide
(TCP100001-CGD).

Chapter 35
Permissions for the indexing scenarios
The following permissions are needed for the indexing scenarios.
Tip: *.Setup files are located in the Pipeline installation folder, for example:
%ECM_DOCUMENT_PIPELINE_CONF%/config/setup
$ECM_DOCUMENT_PIPELINE_CONF/config/setup
Table 35-1: Permissions for the early indexing scenario
Step Description User Permission Configuration

tool
doctodms Archives the BizDPUser, Static rights to TCP Modeler
scanned docu- configured in create the re-
ment and in- DMSDP.Setup cord type.
dexes the Group
document with BizDPUsers has
the requested the functional
record type right Create by
default.
psdt Logon to TCP. BizDPUser, Dynamic rights. TCP Modeler
Creates process configured in Needs read
instance and DT_INBOX.Setu properties
adds document p right of the re-
to the process cord type.
Group
BizEffectiveU
sers has func-
tional rights
Read
Properties
and
EntityFullAcc
ess by default.
Process step Logon user Dynamic rights. TCP Modeler

Needs at least
“read proper-
ties” right of
the record type.

Chapter 35 Permissions for the indexing scenarios

tool
Additional re- Configured BizEffectiveU Dynamic rights. TCP Modeler
quirement Admin user of ser_default Needs read
the TCP appli- properties
cation right of the re-
cord type.
Group
BizEffectiveU
sers has func-
tional rights
Read
Properties
and
EntityFullAcc
ess by default.
Table 35-2: Permissions for the late indexing scenario

tool
doctodms Archives the BizDPUser, Static rights, Open Text User
scanned docu- configured in must be mem- Management
ment as DMSDP.Setup ber of
ixos.dms:Enti RootEntityCre
ty ators.
Group
BizDPUsers has
the functional
right Create by
default
psdt Logon to TCP. BizDPUser, Dynamic rights, TCP Modeler
Creates process configured in needs read
instance and DT_INBOX.Setu properties
adds document p right.
to the process Group
BizEffectiveU
sers has func-
tional rights
Read
Properties
and
EntityFullAcc
ess by default.
Process step Late indexing Logon user Dynamic rights, TCP Modeler
of the docu- needs read
ment properties
right.

tool
Additional re- Configured BizEffectivUs Static rights, Open Text User
quirement Admin user of er_default must be mem- Management
the TCP appli- ber of allow
cation reading
properties.
Group
BizEffectiveU
sers has func-
tional rights
Read
Properties
and
EntityFullAcc
ess by default.

Chapter 36
Sample batch import files for TCP Context Server
pipelines
The following set of sample shows extracts of files that are provided for TCP
Document Pipelines to import meta documents with forms to a TCP Context Server
(CODMS).
Data files The data files for this scenario consist of the document list named META_DOCUMENT,
as well as a file containing the notes, named im.
The following is an extract from the meta document:
DOC NEW
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Titel|string|---- string 0 -----
|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Current_Date|datetime|2003/01/01
:01:01:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:CustomerID|integer|00000000|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:EmployeeID|integer|00000001|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Order_Date|date|1970/01/01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Time|time|01:00:00|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:OrderID|integer|400000000|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:AccountPositionList|string|----
string 1 -----|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Total_Price|decimal|0.00|
DOC NEW
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Titel|string|---- string 2 -----
|

Chapter 36 Sample batch import files for TCP Context Server pipelines
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Current_Date|datetime|2003/01/01
:01:02:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:CustomerID|integer|00000003|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:EmployeeID|integer|00000004|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Order_Date|date|1970/01/02|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Time|time|01:00:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:OrderID|integer|@400000000#Order
ID1@|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:AccountPositionList|string|----
string 3 -----|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Total_Price|decimal|0.00|
COMMANDS file The following listing shows a typical COMMANDS file
DMS_DOCTYPE ixos.qa.ec.test:Order
DOCTYPE MTA
COMP im ASCII_NOTE im
COMP META_DOCUMENT ASCII META_DOCUMENT
ARCHIVID A1
USE_DOCID_FROM_COMMANDS on
DOCID 12345
NOTE_TITLE_BASE64_UTF8N RE1TRG9jdW1lbnRJbmZvXzE=
Note: The ARCHIVID is optional. But if the ARCHIVID is set in COMMANDS file,
only this ARCHIVID is used. Thus the ARCHIVID of the document type is
ignored.

Part 7
Databases administration
Part 7 Databases administration
This part describes the monitoring and backup of all TCP databases:
• TCP Context Server database. The default name is DMS.
• Enterprise Process Services database. The default name is PS.
• Business Activity Monitoring database. The default name is BAM.
• Quartz database. The default name is QUARTZ.
• In case of JBoss: JBoss DB
• TCP Configuration database. The default name is TCP_CONFIG
• User Management database. The default name is UMS.
Note: Monitoring and backup is similar for all databases. In the following, sub-
stitute the variable <db_name> with the database name used at installation.
“Monitoring the database” on page 333
This chapter explains how to regularly monitor databases.
“Performing a database backup” on page 335
This chapter describes how to backup databases.

Chapter 37
Monitoring the database
To monitor the filling level of a database, use the database tools of Oracle or
Microsoft SQL server. The Archive Web Monitor is no longer available.
To monitor Oracle 10g R2:

1. Log on to Enterprise Manager Database Control as user sys and connect as
sysdba.
2. Click Administration.
3. Click Database Administration - Storage - Tablespaces.
To monitor Oracle 11g R1:

1. Log on to Enterprise Manager Database Control as user sys and connect as
sysdba.
2. Click Server.
3. Click Storage - Tablespaces.
To monitor Microsoft SQLServer 2005 and SQLServer 2008:

1. Log on to SQL Server Management Studio as user sa.
2. Right-click <instance> - Databases - <db_name> .
3. Click Reports – Standard Reports - Disk Usage.
4. Click Summary - Reports - Disk Usage.

Chapter 38
Performing a database backup
The meta-data of archived documents is stored in the TCP Context Server database.
Along with other databases that are part of TCP, it must be backed up in a similar
way as the documents.
Important
As the TCP Context Server database is useless without the User
Management Server database, you must perform the backup of these
databases at the same time.
To avoid data loss and extended down times you, as system administrator, should
back up the database regularly and in full, and complement this full backup with a
daily backup of the log files. In general: the more backups are performed, the safer
the system is. Backups should be performed at times of low system activity.
Important
Database backups are required for all databases of the system: Archive and
Storage Services, TCP Context Server, User Management Server and TCP
Application Server with databases for processes, business activities,
scheduler (quartz), TCP Configuration and jboss cluster.
Storage media does not contain any data of the TCP database, that is you
cannot restore these databases by importing from media.
The database backup procedures are very similar for all databases.
The database can be set up as an Oracle database, or as an Microsoft SQL Server

database. The procedure adopted for backups depends on which of these database
systems is used.
The database must be backed up at regular intervals. However, because its data
contents are constantly changing, all database operations are written to special files
(online and archived redo logs under Oracle, transaction logs for Microsoft SQL). As
a result, the database can always be restored in full on the basis of the backup and
these files.

Chapter 38 Performing a database backup
38.1 Backing up an Oracle database

The <ORACLE_HOME> directory must be backed up after installation. This directory
contains the Oracle software, that is the binary files, the password file
pwd<db_name>.ora (Windows) or orapw<db_name> (UNIX) and information on
Oracle users with sysdba or sysoper rights. The databases operate in
ARCHIVELOG mode by default. This mode results in the following operating
procedure:
• During database operation, all operations are recorded in two or more online
redo log files which are used cyclically.
• As soon as an online redo log file is filled, a backup copy (archived redo log files)
is archived to the directory specified by the log_archive_dest parameter in the
init<db_name>.ora parameter file or in the spfile<db_name>.ora server
parameter file.
• A new online redo log file is written.
This ensures continuous, complete logging of operations.
Caution
The NOARCHIVELOG mode must not be used! In this mode, the online
redo log files are cyclically overwritten and not archived to a separate
directory. This means that complete logging of all operations is not possible.
The archived redo logs must be backed up to tape regularly. A database can only be
restored completely on the basis of the last full database backup, the archived redo
logs and the online redo logs. Only currently open transactions are lost. The
archived redo log files must be backed up completely in order to be able to restore a
database completely.
The frequency with which you perform a full database backup depends partially on
the amount of data that is saved every day. At the same time, the amount of time to
restore a database must also be considered. The longer the interval between the full
database backups, the greater the number of archived redo logs you have to apply
and, consequently, the longer the period required for restoration.
Caution
Make sure that there is always enough free storage space for the archived
redo log files as otherwise the Oracle database will come to an halt and will
not be able to continue functioning. No error message is displayed if this
occurs. Set the directory so that it is large enough (minimum 1 GB) and
monitor the amount of storage space available at regular intervals. See
“Monitoring the database” on page 333.

38.2 Backing up Microsoft SQL Server databases
If large volumes of data have to be archived every day then more frequent backups
are recommended. To do this, it is not necessary to shut down the database.
1. Back up the archived redo logs from the archive directory to tape at least once a
day.
2. Check that the tape backup can be read.
3. Delete the archived redo logs at regular intervals from the archive directory. To
increase security, the archived redo logs should not be deleted until after the
next or next to last complete backup has been completed.
For detailed information on Oracle backup and recovery concepts and how to
perform backups, refer to the Oracle online documentation.

An Microsoft SQL Server database is generally backed up online, that is the backup
is performed while the database is running. The backup should be performed
during periods of low system activity since it reduces the performance of the
database.
Important
Observe the following principles and settings in order to ensure that
backups can be performed successfully and completely:
• For online backups, never use the Backup tool provided by Microsoft
Windows since this tool backs up only closed files. You must always use
the SQL Server Enterprise Manager/Management Studio.
• The recovery model of the database must always be set to Full. To verify
this option, start Enterprise Manager/Management Studio and navigate
to <name of computer> - Databases - <db_name>. Right-click and select
Properties. You find the setting for the recovery model in the Options
tab.
• The Truncate log on checkpoint option must not be enabled. If this
option is enabled, the inactive part of the transaction log is deleted at a
checkpoint even though no backup of it exists.
• Never back up the data of a database and its transaction logs on the same
tape.
• You should never use the DISKDUMP or NULL backup devices that are
automatically created during SQL Server installation. It is useless to back
up to these devices.
For detailed information on Microsoft SQL Server backup and recovery concepts
and how to perform backups, refer to the Microsoft SQL Server online
documentation.

Chapter 38 Performing a database backup
Configuring the database: master database

The master database contains all the information about the structure of the
Microsoft SQL Server database, that is about all the employed databases and
users. The master database must be backed up:
• after initial installation,
• whenever a database has been created, modified or deleted,
• whenever log-ons or users have been added or deleted,
• whenever backup devices have been added or deleted,
• after re-configuration of the SQL server, and
• whenever the physical (files) and logical (file groups) structure has been
modified, for example after ALTER DATABASE, CREATE DATABASE, DISK INIT,
DISK RESIZE.
The transaction log for the master database is then also backed up automatically.
Scheduling database actions: msdb database
The msdb database contains all the scheduling information, for example
concerning regular backup processes. It must be backed up regularly, and
preferably every week. An additional backup is required after every scheduling
modification.
Data: <db_name>
This database contains all data of the server. It must be backed up regularly,
every week to every day depending on the amount of activity. To increase data
security, the data and index devices should also be backed up with RAID1 or
RAID5.
Transaction logs
Transaction logs record all database activities. Each database has its own
transaction log. A transaction log bridges the period between the last backup of
its database and a possible crash. Transaction logs must be backed up at least
once a day. Following the backup, the number of entries in the transaction log is
automatically reduced and space is created for further records (transaction log
dump). The space reserved for the transaction logs must never be filled since
otherwise the database will cease operating! Transaction logs should be backed
up by RAID1.
Recording the database structures
The procedure sp_helpdb [database] displays the structures of all the databases
running on the SQL server. You should record the output in a list that should
also be backed up regularly.
38.2.1 Backing up the transaction logs of an Microsoft SQL

Server database
The transaction logs of a Microsoft SQL Server database must be backed up at least
once a day. The frequency of daily backups depends on the number of transactions

that are performed per hour, how long restoration of the database is allowed to take
and how many phases of low database load there are. The transaction log dump
should be performed during periods of low activity since this operation impairs the
performance of the database.
Note: Perform these backups at regular intervals. A backup job does not
simply back up the data but also deletes all the entries in the transaction log
(transaction log dump) relating to transactions that have been completed
(inactive part). Without this, the log directory would fill up and the database
would no longer be able to function.
Check the amount of free storage space at regular intervals.
To back up the transaction logs, set up a job in Enterprise Manager/Management
Studio that is automatically performed at regular intervals.
38.2.2 Backing up the db_name and the msdb database

These databases must be backed up regularly, and at least once a week. In case of
high activity, you are advised to back up the <db_name> database daily. Perform the
backups at times of low activity since the performance of the database is impaired
by this operation.
Expiration date
In the event of a backup, Microsoft SQL Server always performs a few checks
to make sure that backup media are not accidentally overwritten. A medium is
not overwritten if the expiry period (Backup set will expire after <xx> days) or
the expiry date Backup set will expire on <date> of the data on the medium
has not expired. The expiry period is specified when the backup is generated.

Part 8
Security in TCP
Part 8 Security in TCP
This part describes the security measures available when working with TCP and the
settings they require.
The following overview gives a brief explanation of some basic security-related
terms used in this chapter.
Certificate
A certificate is a digital “passport”. It is a secure electronic identity conforming
to the X.509 standard. Certificates typically contain a user's name and public key.
A certification authority (CA) authorizes certificates by signing the contents
using its CA signing private key.
Key, private key
The key, which a user keeps secret in asymmetric encryption, can encrypt or
decrypt data for a single transaction, but cannot do both. A private key normally
depends on a certificate.
Signature
A digital signature is an electronic equivalent of an individual's signature. It
authenticates the message to which it is attached and validates the authenticity
of the sender. In addition, it provides confirmation that the contents of the
message to which it is attached have not been tampered with en route from the
sender to the receiver.
Signed URL
A signed URL is an URL in the SAP ArchiveLink format that is secured with a
signature.
“Standard groups and users” on page 345
This chapter describes the standard groups and standard users.
“Changing passwords of end users and standard users” on page 355
This chapter where and how to change the passwords apart from User
Management.
“Security measures” on page 363
This chapter gives a brief overview of the security measures used in TCP.
“Configuration of the TCP certificate user” on page 365
This chapter describes the settings for the certificate user which is used for
impersonation and security settings.
This chapter describes the security settings for TCP Application Server.
“Configuration for a Web proxy server” on page 371
This chapter describes the required settings if you want to use a Web proxy
server for TCP.

“Configuration for SSL” on page 373

This chapter describes how you configure SSL for TCP.
“Configuration for SecKeys and signed URLs” on page 395
This chapter describes the configuration for SecKeys and signed URLs.

Chapter 39
Standard groups and users
Standard users and groups are already configured during installation.
They are centrally stored on User Management Server and managed via User
Management Client.
39.1 Standard groups

To manage access rights for documents and processes in Transactional Content
Processing, some standard groups are defined.
Tip: To manage access rights for entities in TCP Context Server independently
from their ACLs, you can use grantee groups and revokee groups. For more
information, see “Grantee groups and revokee groups” on page 346.
The following standard groups are available:
Group name Members Description

AuditOfficers DMSAdmin Group contains audit officers.
AuditUsers FilterUser Members of this group are al-
lowed to audit records.
BizAdministrators DMSAdmin Contains all administrators for
TCP.
BizDPUsers BizDPUser Contains all TCP Document Pipe-
lines users.
BizEffectiveUsers BizEffectiveUser_de Should contain all effective users
fault used by .
BizProjectEveryone none Contains all users of a project. Do
not edit or assign this group
manually.
ClassificationOfficers DMSAdmin Group contains users who are
allowed to change classifications.
DMSAdministrators DMSAdmin Use this group for additional ad-
ministrators for TCP and TCP
Context Server.
DMSCustomizers • DMSCustomizer Use this group for additional cus-
• BizEffectiveUsers tomizers for TCP and TCP Con-
text Server.

Chapter 39 Standard groups and users

DocumentAdmins none Has the right to undo checkouts
and unlock documents. As there
are no default members, you must
add users to this group. For de-
tails refer to “Assigning users or
groups to other groups” on
page 267.
Needed for the usage of the func-
tionality Unlock and Undo
Checkout in TCP Context Server
Administration.
EntityFullAccess BizEffectiveUsers This group is a placeholder that
may be used in the de-fault ACL
definition of an entity type by
assigning all rights to this group.
FulltextUsers FilterUser Members of this group are al-
FulltextUser lowed to call fulltext functions.
Indexing IndexingWQ Members of this group are al-
lowed to call indexing functions.
RenderUsers FilterUser Members of this group are al-
RenderUser lowed to render entities.
RetentionUsers none Members of this group are al-
lowed to call retention functions.
RMAdministrators RMAdmin Members of this group are al-
lowed to configure RM types.
RootEntityCreators DMSALDefaultUser Users or user groups who are
members of this group are spe-
cifically and only allowed to cre-
ate records of the type
ixos.dms:Entity.
39.2 Grantee groups and revokee groups

To manage access rights to entities in TCP Context Server independently from their
ACLs, you can use grantee groups1 and revokee groups. The available grantee groups
and revokee groups are listed in the table below.
1 For details refer to section 1.2.5 "Access control" in Open Text Transactional Content Processing - System Overview Guide
(TCP100001-GGD).

Important
The membership in a revokee group overrules memberships in the
corresponding grantee groups and the permissions granted by ownership or
the ACL of an entity. For example, if a user is member of the
DisposeRevokees group, the user has no permission to delete any entity
even if the user is member of the DisposeGrantees group.
Note: The revokee groups are only available if patch UMS-1001-001 or higher
is installed on your system.

AclReadGrantees FilterUser Assigns global permission to
FulltextUsers read the ACL of all entities.
AclWriteGrantees none Assigns global permission to
change the ACL of any entity.
AnnoReadGrantees FilterUser Assigns global permission to
FulltextUsers read the annotations of all en-
RMGrantees tities.
RenderUsers
AnnoWriteGrantees FilterUser Assigns global permission to

change the annotations of any
entity.
ContentReadGrantees FilterUser Assigns global permission to
FulltextUsers read the contents of all docu-
RMGrantees ments.
RenderUsers
ContentWriteGrantees FilterUser Assigns global permission to

RenderUsers change the contents of any
document.
CreateGrantees BizDPUsers Assigns global permission to
BizEffectiveUsers create new entities.
FilterUser
DisposeGrantees RetentionUsers Assigns global permission to

delete any entity.
LinkGrantees none Assigns global permission to
change the contents of a
folder, that is to remove, add
or move entities or subfolder.
NoteReadGrantees FilterUser Assigns global permission to
FulltextUsers read the notes of all docu-
RMGrantees ments.
RenderUsers
NoteWriteGrantees FilterUser Assigns global permission to

add notes to any document.


PropertyReadGrantees BizEffectiveUsers Assigns global permission to
FilterUser see any entity and its proper-
RenderUsers ties.
FulltextUsers
RetentionUsers
RMAdministrators
RMGrantees
RenderUsers
RetentionUsers
PropertyWriteGrantees FilterUser Assigns global permission to

RMGrantees change the properties of any
entity.
RMGrantees none Assigns global permissions to
delete entities being no longer
under Records Management
control. This should be only
the certificate user of the En-
terprise Library Services
(Livelink Server).
ReorgGrantees FilterUser Assigns global permission to
DMSAdministrators reorganize data bases in TCP.
UndoCheckOutGrantees DocumentAdmins Assigns global permission to
undo a check out that has
been performed by any user
(necessary for the case in
which a user has checked out
a document and is not avail-
able to check it in or undo the
check out himself; usually.
Members of this group should
also be members of the
UnlockGrantees group).
UnlimitedQuery AuditOfficers Members of this group may

ResultGrantees AuditUsers disable the upper limit of hits
BizEffectiveUsers that can be returned for a
ClassificationOfficers query (which may result in
reduced performance).
DMSAdministrators
DMSCustomizers
DocumentAdmins
FilterUser
FulltextUsers
RMAdministrators
RMGrantees
RenderUsers


UnlockGrantees DocumentAdmins Assigns global permission to
unlock a document that has
been locked by any user (nec-
essary for the case in which a
user has locked a document
and is not available to unlock
it).
AclReadRevokees none Revokes global permission to
read the ACL of all entities.
AclWriteRevokees none Revokes global permission to
change the ACL of any entity.
AnnoReadRevokees none Revokes global permission to
read the annotations of all en-
tities.
AnnoWriteRevokees none Revokes global permission to
change the annotations of any
entity.
ContentReadRevokees none Revokes global permission to
read the contents of all docu-
ments.
ContentWriteRevokees none Revokes global permission to
change the contents of any
document.
CreateRevokees none Revokes global permission to
create new entities.
DisposeRevokees none Revokes global permission to
delete any entity.
LinkRevokees none Revokes global permission to
change the contents of a
folder, this means permissions
to remove, add, or move enti-
ties or subfolders.
NoteReadRevokees none Revokes global permission to
read the notes of all docu-
ments.
NoteWriteRevokees none Revokes global permission to
add notes to any document.
PropertyReadRevokees none Revokes global permission to
see any entity and its proper-
ties.
PropertyWriteRevokees none Revokes global permission to
change the properties of any
entity.


UndoCheckOutRevokees none Revokes global permission to
undo a check-out that has
been performed by any user.
UnlockRevokees none Revokes global permission to
unlock a document that has
been locked by any user.
UnlimitedQuery none Queries of members of this
TimeoutRevokees group are cancelled if these
queries take longer than the
limit specified in the Query
Timeout parameter. You can
configure the Query Timeout
parameter in the DMSCore
configuration package of TCP
Context Server, see
“Configuring Context Server
(DMSCORE)” on page 232.
39.3 Standard users

The following standard users are available:
BizDPUser
Purpose TCP Document Pipelines standard user.
Description The BizDPUser is the standard user after installing TCP Document
Pipelines.
This logon is used by DocTools , for example by doctodms to create

documents as well as for indexing items in TCP. You could also
create another user for Document Pipelines.
The BizDPUser is required for the indexing scenarios. The

installation automatically creates this user and a record access
profile. For details about the BizDPUser regarding permissions for
indexing scenarios, see section 32.1.1.4 "Required permissions for
indexing scenarios via TCP GUI" in Open Text TCP Modeler -
This user belongs to the organization configured on User Manage-

ment Server and has the domain _internal.
BizEffectiveUser_default
Purpose TCP project standard user

39.3 Standard users
Description Overview – TCP uses BizEffectiveUser_default or another

(configurable) member of the group BizEffectiveUsers as the
effective user to connect to TCP Context Server.
This user belongs to the organization configured on User

Management Server and has the domain _internal.
Tip: OpenText recommends using a dedicated effective user for

each project. Which effective user is used is defined in the
System User field in the project settings (see “Managing
projects” on page 136).
User configuration – To configure this user, use User Management

Client. For details, see “Standard groups and users” on page 345. Set
the user's invalidation period to a very large value with the property
invalidationPeriodMinutes. For details, see “Adding additional
and multi-value properties” on page 246.
Permissions – The effective user represents the actual user for the
evaluation of static permissions if dynamic permissions are switched
on. This concept (including effective and represented users) is
explained in section 10.4.1 "Understanding dynamic permissions" in
Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
Note: If you use dynamic permissions, the represented users

need the appropriate permissions on the records.
Dynamic permissions can be configured in TCP Modeler. By default,

all record access permissions are set to true.
To toggle between static and dynamic permissions mode, use the key
adc.config.onBehalfOf in ADC.properties. The default is true,
that is dynamic permissions are used.
For more information on static and dynamic permissions, see Open

Text TCP Modeler - Customization Guide (TCP100001-CGD).
DMSAdmin
Purpose Administrator logon for TCP Context Server and Transactional Con-
tent Processing.
Description This user must be added to the RetentionUsers group to perform
the retention jobs. For details, see “Using jobs to perform
administrative tasks” on page 190.
This logon is also used for scheduling the execution of scripts on TCP
Context Server. For details, see “Using jobs to perform administrative
tasks” on page 190.
DMSALDefaultUser
Purpose Standard user of the ArchiveLink interface.

Description This is the user defined by default for accessing TCP Context Server
documents via the ArchiveLink protocol.
You define the access separately for each logical archive. For details,
see “Managing access for ArchiveLink calls” on page 186.
DMSCustomizer
Purpose Standard user for customizing TCP projects.
Description This user is to be used for:
• Logging on to TCP Modeler as the customizer.
• Logging on to the TCP Context Server administration as the cus-
tomizer for the Form Info Maintenance and ACL Mapping for
Content Protocol functionality.
FilterUser
Purpose The user who applies the filters.
Description This user is an internal system user.
IndexingWQ
Purpose An artificial user that is used internally to address a shared work
queue.
Description IndexingWQ is the standard user for a shared work queue.
You must create additional users for each work queue.
FulltextUser
Purpose The user who applies the fulltext operations.
ProcessService
Purpose Enterprise Process Services user.
Description This user is used for routing work items and also for accessing
document metadata during routing.
RenderUser
Purpose The user who applies the render functionality.
RMAdmin
Purpose The system user who applies the Records Management functionality.

39.3 Standard users
Description This user creates, processes and finally deletes Records Management
jobs.

Chapter 40
Changing passwords of end users and standard
users
40.1 Resetting passwords of end users

Passwords of end users may only be reset to a defined value. This means that the
end user must specify a new password at the next logon.
To reset the password (by the administrator)

1. As an administrator, log on to User Management Client.
2. Navigate to the user and reset the password of this user. For more information,
see “Changing/resetting user password” on page 266.
Then, the user must change this new password at next logon because of security
reasons. For more information, see section 3.2.3 "Changing the password" in Open
Text Transactional Content Processing - User Guide (TCP100001-UGD).
40.2 Changing passwords of standard users

To change the password of a standard user, you must change it in User
Management Client and in every location where the user is stored together with his
password.
To reset the password in User Management Client

1. As an administrator, log on to User Management Client.
2. Navigate to the user and reset the password of this user. For more information,
see “Changing/resetting user password” on page 266.
The property pwdNeverExpired of the standard users is has already been set to
true. Therefore, it is not necessary to set an explicit expiration date.
To change the password in the user-specific location(s)

1. Look up the user-specific location(s) of the password in the following list.
2. Change the password in all locations according to the method that is provided
in the following list.

Chapter 40 Changing passwords of end users and standard users
Note: Passwords are always encrypted when they are stored. The encryption
happens automatically except for the BizDPUser user.
BizDPUser
Locations of password
TCP Document Pipelines server (this is the computer where TCP Document
Pipelines are installed).
Directory: %ECM_DOCUMENT_PIPELINE_CONF%/config/setup
Files:
• DMSDP.Setup
Parameter: DMS_PASSWORD
• DT_INBOX.Setup
Parameter: BIZ_PASSWORD
Changing the password in specific locations
1. Log on to the TCP Document Pipelines server.
2. Open a command prompt.
3. Execute cd <TCP Pipeline install dir>/bin.
4. Encrypt the password by executing enc - <new password>.
As a result, the password is encrypted with two different algorithms,
resulting in two different encrypted versions for your password. The two
versions are displayed, for example:
<E0607E62214DD890>
<irokWj7rpDw=>
The first line is encrypted with the idea algorithm, the second with the
blowfish algorithm.
Note: Use only the encrypted password in the second line that is
encrypted with the blowfish algorithm.
5. Copy the second line and replace the following two parameters by the
encrypted password in the second line:
• DMS_PASSWORD in the DMSDP.Setup file
• BIZ_PASSWORD in the DT_INBOX.Setup file.
BizEffectiveUser_default
Locations of password
TCP Configuration on every project page
1. Log on to TCP Configuration.

2. For every deployed project, edit this project and set the new password.
For more information about editing projects, see “Managing projects” on
page 136.
3. Reload the configuration of all TCP applications. For more information,
see “Projects overview” on page 135.
DMSAdmin
Purpose: Administration of TCP Context Server
Location of password
TCP Context Server configuration, configuration package DMSCORE.
1. Log on to the TCP Context Server configuration Web GUI using the
URL
http://<TCP Context Server>:<port>/archive_config. For more
information, see “Re-configuring TCP Context Server via
configuration packages” on page 223.
2. Click the configuration package DMSCORE. For more information,
see “Configuring Context Server (DMSCORE)” on page 232.
3. Set the new password for the administrator.
4. Restart TCP Context Server.
Purpose: dmsremotecmd
On the Archive Server in the DMSREMOTECMD.Setup file. This file is located
in the <AS-config>/config/Setup directory. The path for the <AS-
config> directory is specified in the 10AS.conf file. The 10AS.conf file
location depends on the operating system:
• Windows: C:\Documents and Settings\All Users\Application
Data\Open Text\conf_dirs
• UNIX: /etc/opentext/conf_dirs
A sample path for the DMSREMOTECMD.Setup file is
C:\Documents and Settings\All Users\Application Data\Open
Text\Archive Server 9.7.1\config\Setup\DMSREMOTECMD.Setup.
Changing the password in a specific location

It is assumed that you already changed the password in User
Management Client, see “Changing/resetting user password” on
page 266).
1. Log on to the TCP Document Pipelines server.
3. Execute cd <TCP Pipeline install dir>/bin.

4. Encrypt the password by executing enc - <new password>.

As a result, the password is encrypted with two different algorithms,
resulting in two different encrypted versions for your password. The
two versions are displayed, for example:
<E0607E62214DD890>
<irokWj7rpDw=>
The first line is encrypted with the idea algorithm, the second with
the blowfish algorithm.
Note: Use only the encrypted password in the second line that is
encrypted with the blowfish algorithm.
5. Copy the second line (containing for example irokWj7rpDw=) and
replace the parameter DMS_PASSWORD in the DMSREMOTECMD.Setup file
by the encrypted password in the second line. Example for an entry in
the DMSREMOTECMD.Setup file:
# TCP ContextServer USER PASSWORD
DMS_PASSWORD=irokWj7rpDw=
6. Restart the Runtime and Core Services component of Archive Server

(formerly known as ADMS).
DMSALDefaultUser
TCP Context Server administration, Archives section.
1. Log on to the TCP Context Server administration Web GUI using the
URL
http://<TCP Context Server>:<port>/archive/admingui. For more
information, see “Starting the TCP Context Server administration” on
page 179.
2. Click Archives. For more information, see “Configuring the archive
access” on page 182.
3. If the DMSALDefaultUser user is used, edit every archive and set the new
password.
DMSCustomizer
Not applicable. The logon happens only interactively.
Not applicable.

FilterUser
TCP Context Server configuration, configuration package FILTER.
1. Log on to the TCP Context Server configuration Web GUI using the URL

information, see “Re-configuring TCP Context Server via configuration
packages” on page 223.
2. Click the configuration package FILTER. For more information, see
“Configuring Context Server (DMSCORE)” on page 232.
3. Set the new password for the filter user in the Filter User Password field.
IndexingWQ
This user is never used for logon.
Not applicable.
FulltextUser
Purpose: Generating fulltext jobs
URL
3. Set the new password for the fulltext user in the Fulltext User
Password field.
Purpose: Executing fulltext jobs
TCP Context Server administration, Fulltext Configuration section.


URL
3. Set the new password for the fulltext user in the Fulltext User
Password field.
ProcessService
TCP Configuration, configuration package PS.
1. Log on to TCP Configuration.
2. In the Configuration Packages section of the navigation area, click PS.
For more information about configuring the Enterprise Process Services
application (PS), see “Configuring Enterprise Process Services application
(PS)” on page 161.
3. Set the new password for the internal user in the Internal User Password
field.
4. Restart TCP Application Server.
RenderUser

“Configuring filters for Fulltext Server and Rendition Server (FILTER)”
on page 236.
3. Set the new password for the render user in the Render User Password
field.

RMAdmin
TCP Context Server configuration, configuration package RM.

2. Click the configuration package RM. For more information, see
“Configuring the Records Management (RM)” on page 237.
3. Set the new password for the RMAdmin user in the RMAdmin Password
field.

Chapter 41
Security measures
This chapter gives a brief overview of the security measures used in TCP. It is
intended to help you to decide which security measures to implement. For more
information on the underlying security concepts and a definition of the terms used,
see the Technical Paper Secure Archiving
(https://knowledge.opentext.com/knowledge/llisapi.dll/open/0976813282_463_p
df) in the Knowledge Center.
Authentication
Authentication of users is performed by means of a password. To protect the
password, we recommend you use secure transmission with SSL. Change the
password regularly. You can enforce the change by invalidating a user's
password on User Management Server (see “Open Text User Management
Server administration” on page 239).
Denial of Service (DoS) attacks
Complete protection against DoS attacks is difficult to realize. It is possible to
reduce the effect of attacks from the Internet by “hiding” TCP behind a Web
proxy server so that it is not directly accessible from the Internet. Thus most
kinds of DoS attacks only disable the Web proxy server, but access to the
application server and Archive and Storage Services is still possible from the
intranet.
You can use a dedicated Web proxy server. Usually, this Web proxy server will
be located in the demilitarized zone (DMZ) of the customer's network.
Secure transmission
TCP supports Secure Socket Layer (SSL) transmission.
In TCP there are various components that have to be configured for SSL. If you
use a Web proxy server, you probably only want to secure the Internet
communication from the Web client to the Web proxy. Therefore, you have to
enable the Web proxy server for SSL. If you do not use a Web proxy server, you
have to enable the Web server for SSL.
Data integrity
You can verify the integrity of the data by using a time stamp and digital
signatures. These are implemented as part of Archive and Storage Services. For
details, see section 7.4 "Timestamp Usage" in OpenText Archive Server -
Administration Guide (AR-ACN).
Additionally, you can make sure that the data on its way to the archive is not
changed by transmission errors or other misbehavior of some components by
using a transmission checksum mechanism.

Chapter 41 Security measures
Note that you can combine a proxy server with SSL.

Chapter 42
Configuration of the TCP certificate user
The certificate user is used for impersonation (see Use Impersonation on page 164)
and security settings in TCP Configuration. For creating and configuring the
certificate user in the Open Text User Management Server see “Adding a certificate
user” on page 265 and “Configuring the certificate user” on page 266. This user
must be created in the internal domain according to the following requirements:
General settings
• Name: bpmcertuser
• Display name: bpmcertuser
• Mail: bpmcertuser@opentext.com
• Password: Password of the certificate user
Property settings
• userCertificateBinary (type: long string):
Copy and insert the public key which is stored in the file bpmPublicKey.txt,
located in directory <TCPAppHome>\custom (for details, see section 7.1
"Installing and configuring TCP Application Server" in OpenText Transactional
Content Processing - Installation Guide (TCP-IGD)).
• unlimitedCertificate (type: boolean): true
Tips:
• If the expiration date is exceeded, generate a new certificate.
• A certificate is generated, if the old (<TCPAppHome>\custom) was deleted. A
rebuild and deployment of the TCP application is needed, see “Rebuilding
and deploying of the TCP application” on page 169.

Chapter 43
Security settings for TCP Application Server
To define the security settings for TCP Application Server, open the TCP
Configuration and click Security Settings in the general section of the navigation
area.
This page contains the settings that are available for connection to TCP Context
Server and signed URLs in TCP Configuration.
Tips:
• To enable SSL, see “General project settings” on page 138.
• For details on configuring Single Sign-On, see “Configuring Single Sign-On
(SSO) for PDMS UI” on page 142.

Chapter 43 Security settings for TCP Application Server
The available settings are described here. The name of the parameter in the
ClientIxosCrypto.properties file is given in brackets.
Name of Certificate Store

Client certificate store for trusted certificates
(ixos.sec.crypto.comm.client.certStoreName)
Signature certificate store for trusted certificates
(ixos.sec.crypto.sign.certStoreName)
Important
Do not use ixosdemo.store in a productive environment. This store is
for test certificates only. ixosdemo.store is located on the TCP CD-ROM
in the templates\sec directory. You can copy it to the custom.jar
directory (see “Configuring an additional certificate store” on
page 173)
Value Description
The name of a certificate store file in the A certificate store file with this name
classpath. must be located in the classpath e.g. in
the custom.jar (see “Configuring an ad-
ditional certificate store” on page 173)
created during installation or rebuild of
TCP application EAR. If it is located in the
root directory and its name is
bpmcert.store, the setting must be iden-
tical to the filename.
Name of Key Store

Signature key store for signature keys
(ixos.sec.crypto.sign.pseStoreName)
Client key store for optional client keys and certificates
(ixos.sec.crypto.comm.client.pseStoreName)
Value Description
The name of a key store file in the A key store file with this name must be
classpath. located in the classpath e.g. in the
custom.jar (see “Configuring an addi-
tional certificate store” on page 173) cre-
ated during installation or rebuild of TCP
application EAR. If it is located in the root
directory and its name is bpmcert.store,
the setting must be identical to the file-
name.

JCE Security Providers
List of security providers who implement the Java Cryptographic Extensions
(JCE), separated by “;” (ixos.sec.crypto.jceProvider).
Value Description
iaik.security.provider.IAIK The default security provider.
sun.security.provider.Sun Security provider delivered with Java.
Use for JBoss only.
Key Alias for Connection

The client key alias for the preferred key if the server requires client
authentication. The alias is a name under which the key is registered in the key
store specified in the Name of Key Store field. In the ixosdemo.store the key
alias is ixos (ixos.sec.crypto.comm.client.enabledPrivateKeyAlias).
Value Description
ixos Demo value
Enabled Cipher Suites for Connection

Enabled cipher suites for the security protocol
(ixos.sec.crypto.comm.enabledCipherSuites)
This is a list of cryptographic algorithms used to encrypt the connection to TCP
Context Server. The default value is the recommended algorithm.
Value Description
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA Non-exportable cipher suite.
SSL_RSA_WITH_3DES_EDE_CBC_SHA Non-exportable cipher suite.
SSL_RSA_WITH_RC4_128_MD5 Non-exportable cipher suite.
SSL_RSA_WITH_RC4_128_SHA Non-exportable cipher suite. Default
value.
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Exportable cipher suite. (Does not comply
with the security standards.)
SSL_RSA_EXPORT_WITH_RC4_40_MD5 Exportable cipher suite. (Does not comply
with the security standards.)
Key Alias for Signature

URL signing key alias for the preferred key for signed URLs. The alias is a name
under which the key is registered in the key store specified in the Name of
Certificate Store field. In the ixosdemo.store, the key alias is ixos.
(ixos.sec.crypto.sign.enabledPrivateKeyAlias)
Value Description
ixos Demo value

Chapter 43 Security settings for TCP Application Server
Action for Unknown Server

What the client should do with an untrusted server certificate
(ixos.sec.crypto.comm.client.unknownServerCert)
During SSL connection, a certificate is sent by TCP Context Server. TCP
Application Server tries to find a certificate in the configured certificate store
with which the TCP Context Server certificate is signed. If no certificate is found
and the action is deny, the connection is aborted because it is not a trusted
certificate. If the action is no_check, the connection is always accepted, though
the certificate is not trusted.
Value Description
deny Deny access to the server. The certificate
of the server has to be provided in the
TCP certificate store (default value).
user_check Ask the user to check the certificate. This
is not recommended in a server infra-
structure.
no_check Ignores server certificate.
Key Alias for Single Sign On

SSO key alias if the server uses Single Sign-On. The alias is a name under which
the key is registered in the key store specified in the Name of Key Store field.
Single Sign On User
Internal user who has the public key. To create this user see “Configuration of
the TCP certificate user” on page 365.
Domain Controller
Windows domain controller; required by the third-party servlet filter
Enable Single Sign On (SSO)
If the SSO parameters in the Security Settings are defined, this check box is se-
lected and Single Sign-On is enabled. A change to this setting requires the rede-
ployment of TCP Application Server, that is all user sessions are destroyed and
all data in this session is lost. For details, see “Configuring Single Sign-On (SSO)
for PDMS UI” on page 142.

Chapter 44
Configuration for a Web proxy server
To use a Web proxy server for TCP, configure TCP Application Server and your
Web proxy server as described:
To configure the proxy server:

1. Configure the following URLs as proxy and reverse proxy URLs in your proxy
server. See the documentation of your proxy server how to configure proxy
URLs.
• http://<application server>:<port>/PDMSW3Res
• http://<application server>:<port>/TCP
• http://<application server>:<port>/tcp_al
• http://<application server>:<port>/tcp
2. In TCP Modeler, select the root node of your project.

3. In the General tab, enter the following values:
TCP server name: <ProxyHost>
TCP port number: <ProxyPort>
4. Save your project.
5. Reload the TCP Configuration or restart the application server.

Chapter 45
Configuration for SSL
This chapter describes how you configure a secure communication for your
Transactional Content Processing system using the Secure Socket Layer (SSL). It
depends on your system landscape which connections need SSL encryption.
Main The following sections describe connections between:
connections
• TCP Context Server and User Management Server

• TCP Application Server and User Management Server
• TCP Application Server and TCP Context Server
• TCP Web Client and TCP Application Server
• Web browser and TCP Web Client
You also learn how to configure Apache Tomcat and JBoss for SSL.
Other Depending on your Transactional Content Processing system and your security
connections concept, you may secure other connections as well. However, the description of
these connections is not part of this guide. These connections could be the following:
• Web Viewer and TCP Application Server or TCP Context Server
• Java Viewer and TCP Application Server or TCP Context Server
• Windows Viewer and TCP Application Server or TCP Context Server
• DocTool and TCP Application Server, TCP Context Server or User Management
Server
• TCP Modeler and TCP Context Server
• Fulltext Carrier and TCP Context Server (for Fulltext Indexing)
• TCP Context Server and Archive Server (for Fulltext Indexing)
• TCP Context Server and Enterprise Library Services (for Records Management)
• User Management Server and LDAP or CAP
Placeholders The following chapters use several placeholders. Replace them with the values that
are valid for your environment.
The following placeholders are used:

Chapter 45 Configuration for SSL
<ContextTomcatHome>
Path of the root directory of the Tomcat installation where you installed TCP
Context Server
<ContextHost>
Name of the computer where TCP Context Server is installed
<ContextPort>
HTTP port of TCP Context Server, usually 18080
<ContextSslPort>
– HTTPS/SSL port of TCP Context Server, usually 18090
<UmsHost>
Name of the computer where User Management Server is installed
<UmsPort>
HTTP port of User Management Server, usually 18080
<UmsSslPort>
HTTPS/SSL port of User Management Server, usually 18090
<UmsTomcatHome>
– Path to the Tomcat installation where you installed User Management Server.
<TomcatHome>
Path to Tomcat installation directory of either TCP Context Server and User
Management Server. This variable is used in chapters where the description is
appropriate both.
<JavaHome>
Path to Java 5 installation
<TCPAppHome>
Path to the TCP application installation (not the JBoss installation itself).
<TCPAppHost>
Name of computer where TCP Application Server is installed. If you are using a
cluster, it is the host name of the load balancer.
<TCPAppPort>
HTTP port of TCP Application Server. For JBoss it is usually 38080 or, more
generally, <OTPortBindingNumber>8080. In a cluster, it is the HTTP port of the
load balancer.
<OTPortBindingNumber>
Number of the port binding you selected during the installation of TCP, see
“Custom TCP installation directory” on page 167
<TCPAppSslPort>
HTTPS/SSL port of TCP Application Server. For a single JBoss, it is usually
38443 or, more generally, <OTPortBinding-Number>8443. In a cluster, it is the
HTTPS port of the load balancer.

45.1 Configuring Apache Tomcat for SSL
<JBossHome>
– Path to the directory where JBoss is installed.
<JBossInstance>
– Directory name of the JBoss server configuration. The full path is
<JBossHome>\server\<JBossInstance>.
In the JBoss documentation, this path is called “server configuration” or

“configuration” which often leads to a mix-up with the conf directory <JBoss-
Home>\server\<JBossInstance>\conf. Therefore, this guide refers to it as
<JBossInstance> because it is the configuration of a single JBoss instance.
45.1 Configuring Apache Tomcat for SSL

If TCP Context Server or User Management Server acts as server in an SSL
connection, you must configure the Apache Tomcat for the respective server.
For the following secure connections, execute the steps in this section for the Tomcat
where User Management Server is installed:
where TCP Context Server is installed:
In all other cases you can skip this chapter and proceed with “Configuring SSL
communication between TCP Web Client and TCP Application Server” on page 389.
To configure Apache Tomcat 5.5 for SSL

See also The Apache Tomcat 5.5 Servlet/JSP Container SSL Configuration HOW-TO
(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html).
1. Create a key store.
a. Open a command prompt and execute the following command:
For Windows:
<JavaHome>\bin\keytool -genkey -alias tomcat -sigalg
SHA1withRSA -keyalg RSA -keystore
"<TomcatHome>\conf\.keystore
For Unix:
<JavaHome>/bin/keytool -genkey -alias tomcat -sigalg
SHA1withRSA -keyalg RSA -keystore <TomcatHome>/conf/.keystore

You will be prompted for the following information. It is used to show a

user who accesses the Tomcat which organization your server belongs to.
Provide the information and press Enter:
• Password for the key store
• You are asked to enter your first and last name. Due to the requirements
for a SSL certificate you have to enter the host name of the computer
where Tomcat is running. Typically, web browsers check this name
against the host name entered in the URL. If both do not match, a
warning message is displayed.
If the server is accessed with a fully qualified domain name, you have to
enter the fully qualified host name, for example myhost.mydomain.com
instead of only myhost.
• Name of your organizational unit, for example Accounting.
• Name of your organization, for example MyCompany Inc..
• Name of your location, for example San Francisco.
• Name of your federal state or province, for example California.
• Country code, for example US as the country code for the United States.
The data you entered is displayed in the following format (example):
CN=myhost.mydomain.com, OU=Accounting, O=MyCompany Inc.,
L=San Francisco, ST=California, C=US
b. Confirm that the entered data is correct.

c. Enter the password for the key. Use the same password as you have entered
for the key store. The key store is created in the file
<TomcatHome>\conf\.keystore.
2. Add a connector for SSL.

a. Open the Tomcat configuration file <TomcatHome>\conf\server.xml for
editing.
b. Specify the path to the keystore file (attribute keystoreFile) and the
keystore password (attribute keystorePass). Add the following lines (for
example by uncommenting similar lines or using the template
\templates\tomcat\server.xml on the TCP product CD-ROM).
<Connector port="18090" maxHttpHeaderSize="8192"

maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="<YourKeystorePassword>"
keystoreFile="conf\.keystore"/>

45.2 Exporting the Apache Tomcat SSL certificate
Replace <YourKeystorePassword> with your password if you paste the above

text in your server.xml file. If you do not replace it, your server will not
start because of an XML parsing error.
3. Restart Tomcat.
4. Test the SSL connection with a browser.
a. Enter the URL according to step 2, in this example
http://<hostname>:18090. A dialog pops up asking if you trust this site.
This dialog pops up because you have generated a self-signed certificate for
the SSL connection which is not trusted by browsers
Note: You have alternative options to avoid the pop up:
• Sign your generated certificate by a certification authority (CA)
supported by your browser. The Tomcat documentation describes
how to generate a certificate signed by a certification authority. See
Http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html and go
to the section “Installing a Certificate from a Certificate Authority”.
• Add the certificate on each browser client as trusted certificate. Do
this when the dialog pops up.
b. Confirm to trust the site. The Tomcat default site is displayed.
45.2 Exporting the Apache Tomcat SSL certificate

The export of the Apache Tomcat SSL certificate is necessary if you want to establish
a SSL connection that avoids a “Man-In-The-Middle” attack. For this reason, you
register the SSL certificate as “trusted” on the client side. Otherwise, an attacker can
establish some kind of proxy between client and server which read the data
unencrypted.
Important
Before you can export the certificate, you must execute the steps of the
previous section, see “Configuring Apache Tomcat for SSL” on page 375
where User Management Server is installed:
where TCP Context Server is installed:

In all other cases you can skip this chapter and proceed with “Configuring SSL
communication between TCP Web Client and TCP Application Server” on page 389.
• Open a command prompt and execute the following command:

For Windows:
<JavaHome>\bin\keytool -export -alias tomcat -file
<CertificateFile> -keystore <TomcatHome>\conf\.keystore -
storepass <YourStorePassword>
For Unix:
<JavaHome>/bin/keytool -export -alias tomcat -file
<CertificateFile> -keystore <TomcatHome>/conf/.keystore -
storepass <YourStorePassword>
Note: Replace the following variables:

• <CertificateFile>: File path and file name of the certificate to be
exported, for example <TomcatHome>\conf\tomcat.cer. If you do not
specify a path, the certificate file is created in the directory where you
execute the command.
• <YourStorePassword>: Password of your certificate store.
If you have assigned a different alias than tomcat to your SSL certificate,
replace the alias tomcat with your alias.
Example:
C:\Java\jre1.5.0_11\bin\keytool -export -alias tomcat -file

C:\Tomcat-5.5.25\conf\tomcat.cer -keystore C:\Tomcat-
5.5.25\conf\.keystore -storepass keystore
The following message confirms the success of your operation: “Certificate

stored in file <tomcat.cer>”.

45.3 Configuring SSL communication between TCP Context Server and User Management Server
45.3 Configuring SSL communication between TCP

Context Server and User Management Server
1. Configure the User Management Server Tomcat for SSL, see “Configuring
Apache Tomcat for SSL” on page 375.
For a User Management Server cluster, you must do this for each server.
2. Export the Tomcat SSL certificate for User Management Server, see “Exporting
the Apache Tomcat SSL certificate” on page 377.
For a User Management Server cluster, you must do this for each server.
3. Import the certificate or, for a cluster, the certificates into ixoskeys.store.
a. Copy the certificate file(s) to the server where you installed TCP Context
Server. Note the path and file name. You will need it in a later step for
copying the certificate.
b. Backup the following file:
<ContextTomcatHome>\webapps\archive\config\setup\ixoskeys.stor
e
In a TCP Context Server cluster, do this for each Tomcat installation.

c. Import the certificate(s) to the certificate store.
i. Open a command prompt.
ii. Specify the CLASSPATH environment variable:
For Windows:
set "CATALINA_HOME=<ContextTomcatHome>"
set "ARCHIVE_LIB=%CATALINA_HOME%\webapps\archive\WEB-
INF\lib"
set "TOMCAT_LIB=%CATALINA_HOME%\common\lib"
set
"CLASSPATH=%CLASSPATH%;%ARCHIVE_LIB%\log4j.jar;%TOMCAT_LIB%
\iaik_jce_full.jar;%ARCHIVE_LIB%\ixosBase.jar;%ARCHIVE_LIB%
\jiaik.jar"
For Unix:
CATALINA_HOME=<ContextTomcatHome>
export CATALINA_HOME
ARCHIVE_LIB=$CATALINA_HOME/webapps/archive/WEB-INF/lib
export ARCHIVE_LIB
TOMCAT_LIB=$CATALINA_HOME/common/lib

export TOMCAT_LIB
CLASSPATH=$CLASSPATH:$ARCHIVE_LIB\log4j.jar:$TOMCAT_LIB\iai
k_jce_full.jar:$ARCHIVE_LIB\ixosBase.jar:$ARCHIVE_LIB\jiaik
.jar
export CLASSPATH
iii. Set the JAVA_HOME environment variable:

For Windows:
set "JAVA_HOME=<JavaHome>"
For Unix:
JAVA_HOME=<JavaHome>
export JAVA_HOME
iv. Execute the following command for each User Management Server
Tomcat certificate:
For Windows:
"%JAVA_HOME%\bin\java
ixos.sec.crypto.tools.Configurator"-import cert -
storage_file
"%CATALINA_HOME%\webapps\archive\config\setup\ixoskeys.stor
e" -input_file <CertificateFile> -alias <Alias>
For Unix:
$JAVA_HOME/bin/java ixos.sec.crypto.tools.Configurator -
import cert -storage_file
$CATALINA_HOME\webapps\archive\config\setup\ixoskeys.store
-input_file <CertificateFile> -alias <Alias>
<CertificateFile>: Path to your exported User Management Server

certificate. This is the path where you copied the file in step 3.a.
<Alias>: Unique name within the certificate store. OpenText
recommends that you use ums_ssl_<UmsHost> as scheme to avoid
name conflicts in case of an User Management Server cluster and to
associate the alias to the User Management Server server in the cluster.
4. For a TCP Context Server cluster, copy the ixoskeys.store file to each TCP
Context Server using the same location, for example
<ContextTomcatHome>\webapps\archive\config\setup\.
5. Configure the certificate store in TCP Context Server, which contains the trusted
certificates, that is the certificates which are allowed for SSL. Configure this in
the IxosCrypto.properties file. For a TCP Context Server cluster, do this for
each server.

45.3 Configuring SSL communication between TCP Context Server and User Management Server
a. In a text editor, open the file

<ContextTomcatHome>\webapps\archive\config\setup\IxosCrypto.pr
operties
b. Search for the property ixos.sec.crypto.comm.client.certStoreName

and set the value to the path of your certificate store, for example
<ContextTomcatHome>\webapps\archive\config\setup\ixoskeys.-
store . You can copy the value from the property
ixos.sec.crypto.comm.client.pseStoreName some lines above in this
file.
c. Search for the property
ixos.sec.crypto.comm.client.unknownServerCert and set the value to
“deny”.
d. Save your changes.
e. If you have installed TCP Context Server and User Management Server in
the same Tomcat, make sure that both installations use the same
cryptographic configuration, otherwise continue with step 6.
If both installations use the same Tomcat, the placeholders
<ContextTomcatHome> and <UmsTomcatHome> have the same path. Perform
the following steps to use the same cryptographic configuration:
i. Backup the file
<ContextTomcatHome>\webapps\ums\WEB-
INF\config\IxosCrypto.properties.
ii. Copy the file

<ContextTomcatHome>\webapps\archive\config\setup\IxosCrypto
.properties
to
<ContextTomcatHome>\webapps\ums\WEB-
INF\config\IxosCrypto.properties.
6. Configure the SSL URL in User Management Server.

a. Open the User Management Server configuration Web GUI at.
http://<UmsHost>:<UmsPort>/ums_config and log on as Admin, see also
“Re-configuring User Management Server” on page 273.
b. On the left side, below Configuration Packages, click UMS.
c. In the field Cluster Connect URLs, add the SSL URL for accessing your
User Management Server. Afterwards, the field should contain the
following entries:
http://<UmsHost>:<UmsPort>/ums/soap
https://<UmsHost>:<UmsSslPort>/ums/soap
For a User Management Server cluster, the list must contain a SSL URL for
each cluster node.

Remove the non SSL URLs, starting with http://, if all clients may only
access User Management Server over SSL. In this case, you must also
change the “UMS Connect URL” on the same page on each cluster node to
the respective SSL URL. for example
https://<UmsHost>:<UmsSslPort>/ums/soap.
d. Save your changes and log out.

7. Configure the SSL connection between TCP Context Server and User
Management Server in TCP Context Server configuration.
a. Open the TCP Context Server configuration at
http://<ContextHost>:<ContextPort>/archive_config and log on as
Admin, see also “Re-configuring TCP Context Server via configuration
b. On the left side, below Configuration Packages, click UMS.
c. In the field HTTPS Connect URLs, add the User Management Server SSL
URL for accessing your User Management Server. Afterwards, the field
should contain the same URLs as in the Cluster Connect URLs setting of
User Management Server, see step 6.c.
http://<UmsHost>:<UmsPort>/ums/soap
https://<UmsHost>:<UmsSslPort>/ums/soap
In case of a User Management Server cluster, the list must contain a SSL
URL for each cluster node.
d. In the Protocol field, select https.
e. Save your changes and log out.
8. Restart User Management Server and TCP Context Server.
9. Verify that the application works:
a. Open the URL https://<UmsHost>:<UmsPort>.
The Tomcat administration page displays. If it does not work, check the
following:
• Syntax error in the <UmsTomcatHome>\conf\server.xml file? Validate
the XML structure.
• Configuration error in the <UmsTomcatHome>\conf\server.xml file?
Check the Tomcat server log files in <UmsTomcatHome>\logs for details.
b. Open the URL https://<UmsHost>:<UmsSslPort>.
The Tomcat administration page displays. If it does not work, check the
following:
• Configuration error in the <UmsTomcatHome>\conf\server.xml file?
Check the Tomcat server log files in <UmsTomcatHome>\logs for details.

45.4 Configuring SSL communication between TCP Application Server and User Management Server
c. After the server has started, verify that the User Management Server log file
contains no ERROR or ixos.sec.sso.CheckerException entries. The path
of the log file is <TomcatHome>\webapps\ums\WEB-INF\log\ums.log.
d. After the server has started, verify that the TCP Context Server log file
contains no ERROR or ERR entries. The path of the log file is
<TomcatHome>\webapps\archive\WEB-INF\log\ixdms.log.
If the SSL URL is wrong, the following message appears in the log file:
ixos.sec.um.UserMgmtException: (JSEC:02053) The given list of
connectStrings is invalid: initial-connection to cluster could
not be established through [https://myhost:18099/ums/soap].
e. Open the TCP Context Server Administration at

http://<ContextHost>:<ContextPort>/archive/login and log on.

Application Server and User Management Server
1. Perform the following substeps only if not already done:
a. Configure the User Management Server Tomcat for SSL, see “Configuring
Apache Tomcat for SSL” on page 375. In a cluster, do this for each server.
b. Configure the SSL URL in User Management Server, see step 6 on
page 381.In a cluster, do this for each server.
c. Restart User Management Server and TCP Context Server. In a cluster, do
this for each server.
2. Export the Tomcat SSL certificate for User Management Server, see “Exporting
the Apache Tomcat SSL certificate” on page 377. In a cluster, do this for each
server.
3. Import the certificate(s) into the TCP certificate store:
Note: If you use a different store than the bpmcert.store file in the
<TCPAppHome>\custom directory created by the installation, use this store
in the following steps:
a. Copy the certificate file(s) to the server where you installed TCP Application
Server and note path and file name. You will need it in a later step for
copying the certificate. For an User Management Server cluster, copy all
certificates.
b. Backup the <TCPAppHome>\custom\bpmcert.store file.
c. Import the certificate into the certificate store.

For Windows:
set "TCP_HOME=<TCPAppHome>"
set "COMMON_LIB=%TCP_HOME%\base\staging\jars\common"
set "BASE_LIB=%TCP_HOME%\base\lib"
set
"CLASSPATH=%CLASSPATH%;%COMMON_LIB%\log4j.jar;%BASE_LIB%\ia
ik_jce_full.jar;%COMMON_LIB%\ixosBase.jar;%COMMON_LIB%\jiai
k.jar"
For Unix:
TCP_HOME=<TCPAppHome>
export TCP_HOME
COMMON_LIB=$TCP_HOME/base/staging/jars/common
export COMMON_LIB
BASE_LIB=$TCP_HOME/base/lib
export BASE_LIB
CLASSPATH=$CLASSPATH:$COMMON_LIB/log4j.jar:$BASE_LIB/iaik_j
ce_full.jar:$COMMON_LIB/ixosBase.jar:$COMMON_LIB/jiaik.jar
export CLASSPATH
iii. Execute the following command for each User Management Server
Tomcat certificate:
For Windows:
<JavaHome>\bin\java ixos.sec.crypto.tools.Configurator -
import cert -storage_file <TCPAppHome>\custom\bpmcert.store
For Unix:
<JavaHome>/bin/java ixos.sec.crypto.tools.Configurator -
import cert -storage_file <TCPAppHome>/custom/bpmcert.store
<CertificateFile>: Path to your exported User Management Server

certificate. This is the path where you copied the file in step 3.a.
<Alias>: Unique name within the certificate store. OpenText
recommends that you use ums_ssl_<UmsHost> as scheme to avoid
name conflicts in case of an User Management Server cluster and to
associate the alias to the User Management Server server in the cluster.
4. Rebuild the TCP application and deploy it, see “Rebuilding and deploying of
the TCP application” on page 169.

45.5 Configuring SSL communication between TCP Application Server and TCP Context Server
5. Open the TCP Application Server configuration at

http://<TCPAppHome>:<AppPort>/tcp_config and perform the following
steps:
a. On the left side below General, click General Project Settings.
b. In the field Enable SSL for UMS, select true.
c. Save your changes.
d. On the left side below General, click Security Settings.
e. In the Action for Unknown Server field, enter deny.
f. Save your changes.
6. Only for AIX and WebSphere – Configure the IAIK Security Provider, see “For
Websphere/AIX only: Configuring IAIK Security Provider” on page 393. In a
cluster, do this for each server.
8. Login to TCP GUI to verify if the application works.

Application Server and TCP Context Server
1. Perform the following substeps only if not already done:
a. Configure the TCP Context Server Tomcat for SSL, see “Configuring
Apache Tomcat for SSL” on page 375. In a cluster, do this for each server.
b. Open the TCP Context Server configuration at
http://<ContextHost>:<ContextPort>/archive_config and log on as
Admin, see also “Re-configuring TCP Context Server via configuration
c. On the left side, below Configuration Packages, click DMSCORE.
d. In the field HTTPS Connect URL, enter the SSL URL of your TCP Context
Server, for example https://<ContextHost>:<ContextSslPort/archive.
e. Save your changes.
2. Export the Tomcat SSL certificate for TCP Context Server, see “Exporting the
Apache Tomcat SSL certificate” on page 377. In a cluster, do this for each server.
3. Import the certificate(s) into the TCP certificate store:
Note: If you use a different store than the bpmcert.store file in the
<TCPAppHome>\custom directory created by the installation, use this store
in the following steps:
a. Copy the certificate file(s) to the server where you installed TCP Application
Server and note the path and file name. You will need it in a later step for

copying the certificate. For a TCP Context Server cluster, copy all
certificates.
b. Backup the <TCPAppHome>\custom\bpmcert.store file.
c. Import the certificate into the certificate store:
For Windows:
set "TCP_HOME=<TCPAppHome>"
set "COMMON_LIB=%TCP_HOME%\base\staging\jars\common"
set "BASE_LIB=%TCP_HOME%\base\lib"
set
"CLASSPATH=%CLASSPATH%;%COMMON_LIB%\log4j.jar;%BASE_LIB%\ia
ik_jce_full.jar;%COMMON_LIB%\ixosBase.jar;%COMMON_LIB%\jiai
k.jar"
For Unix:
TCP_HOME=<TCPAppHome>
export TCP_HOME
COMMON_LIB=$TCP_HOME/base/staging/jars/common
export COMMON_LIB
BASE_LIB=$TCP_HOME/base/lib
export BASE_LIB
CLASSPATH=$CLASSPATH:$COMMON_LIB/log4j.jar:$BASE_LIB/iaik_j
ce_full.jar:$COMMON_LIB/ixosBase.jar:$COMMON_LIB/jiaik.jar
export CLASSPATH
d. Execute the following command for each TCP Context Server Tomcat
certificate:
For Windows:
<JavaHome>\bin\java ixos.sec.crypto.tools.Configurator -import
cert -storage_file <TCPAppHome>\custom\bpmcert.store -
input_file <CertificateFile> -alias <Alias>
For Unix:
<JavaHome>/bin/java ixos.sec.crypto.tools.Configurator -import
cert -storage_file <TCPAppHome>/custom/bpmcert.store -
input_file <CertificateFile> -alias <Alias>
<CertificateFile>: Path to your exported TCP Context Server certificate.

This is the path where you copied the file in step 3.a.

45.6 Configuring JBoss for SSL
<Alias>: Unique name within the certificate store. OpenText recommends

that you use context_ssl_<ContextHost> as scheme to avoid name
conflicts in case of a TCP Context Server cluster and to associate the alias to
the TCP Context Server in the cluster.
4. Rebuild the TCP application and deploy it, see “Rebuilding and deploying of
the TCP application” on page 169.
5. Open the TCP Application Server configuration at
http://<TCPAppHome>:<AppPort>/tcp_config and select a project. For
details, see “Managing projects” on page 136.
a. In the field TCP Context Server URLs, add the SSL URL of your TCP
Context Server, according to the following pattern:
https://<ContextHost>:<ContextPort>/archive
b. In the field TCP Context Server Protocol activate https as protocol for the
communication with TCP Context Server.
c. For a TCP Context Server cluster do this for each server within the cluster.
d. Save your changes.
6. Only for AIX and WebSphere – Configure the IAIK Security Provider, see “For
Websphere/AIX only: Configuring IAIK Security Provider” on page 393. In a
cluster, do this for each server.
45.6 Configuring JBoss for SSL

If TCP Application Server acts as a server in a SSL connection, you must configure
the Apache Tomcat for the respective server.
To configure JBoss 4.2.2 GA for SSL

1. Create a key store.
a. Open a command prompt and execute the following command:
For Windows:
<JavaHome>\bin\keytool -genkey -alias jboss -sigalg
<JBossHome>\server\<JbossInstance>\conf\.keystore
For Unix:
<JavaHome>/bin/keytool -genkey -alias jboss -sigalg
<JBossHome>/server/<JbossInstance>/conf/.keystore

Example:
C:\Java\jre1.5.0_11\bin\keytool -genkey -alias jboss -sigalg

C:\jboss\server\TCP\conf\.keystore
You will be prompted for the following information. It is used to show a

user who accesses the Tomcat which organization your server belongs to.
Provide the information and press Enter:
• Password for the key store
• You are asked to enter your first and last name. Due to the requirements
for a SSL certificate you have to enter the host name of the computer
where Tomcat is running. Typically, web browsers check this name
against the host name entered in the URL. If both do not match, a
warning message is displayed.
If the server is accessed with a fully qualified domain name, you have to
enter the fully qualified host name, for example myhost.mydomain.com
instead of only myhost.
• Name of your organizational unit, for example Accounting.
• Name of your organization, for example MyCompany Inc..
• Name of your location, for example San Francisco.
• Name of your federal state or province, for example California.
• Country code, for example US as the country code for the United States.
The data you entered is displayed in the following format (example):
CN=myhost.mydomain.com, OU=Accounting, O=MyCompany Inc.,
L=San Francisco, ST=California, C=US
b. Confirm that the entered data is correct.

c. Enter the password for the key. Use the same password as you have entered
for the key store. The key store is created in the file
<JBossHome>\server\<JBossInstance>\conf\.keystore.
2. Add a connector for SSL.

a. Open the JBoss configuration file
<JBossHome>\server\<JBossInstance>\deploy\jboss-
web.deployer\server.xml for editing.
b. Specify the path to the keystore file (attribute keystoreFile) and the
keystore password (attribute keystorePass). Add the following lines (for
example by uncommenting similar lines).
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
emptySessionPath="true"

45.7 Configuring SSL communication between TCP Web Client and TCP Application Server
keyAlias="jboss"
keystorePass="<YourKeystorePassword>"
keystoreFile="${jboss.server.home.dir}\conf\.keystore"/>
Replace <YourKeystorePassword> with your password if you paste the above

text in your server.xml file. If you do not replace it, your server will not
start because of an XML parsing error.
3. Restart JBoss.
4. Test the SSL connection with a browser.
a. Enter the URL according to the pattern
https://<TCPAppHost>:<TCPAppSslPort>, for example
https://localhost:38443. Use the port number that you specified in
step 2. <OTPortBindingNumber> is the number of the port binding you
selected during the installation of TCP, see “Custom TCP installation
directory” on page 167.
A dialog pops up asking if you trust this site. This dialog pops up because
you have generated a self-signed certificate for the SSL connection which is
not trusted by browsers.
Note: You have alternative options to avoid the pop up
• Sign your generated certificate by a certification authority (CA)
supported by your browser. This is a standard procedure regarding
handling of certificates. Contact your Administrator which CAs are
supported by your browsers and then contact the CA, usually a
company or an institution within your company, to sign your
certificate.
• Add the certificate on each browser client as trusted certificate. Do
this when the dialog pops up.
b. Confirm to trust the site. The JBoss default site is displayed.

Web Client and TCP Application Server
45.7.1 Preparing TCP Application Server
• Configure TCP Application Server for SSL:
• Single JBoss: see “Configuring JBoss for SSL” on page 387
• WebSphere: see your WebSphere documentation or contact your WebSphere
administrator
• Any cluster: configure the appropriate load balancer supported by your J2EE
application server to communicate over SSL with the client.

45.7.2 Exporting the SSL certificate of the TCP Application

Server
This description works regardless of the type of application server you use: JBoss,
WebSphere or a load balancer in front of a cluster.
To export the SSL certificate:

1. In Internet Explorer, open a HTTPS URL to a TCP Web Service:
https://<TCPAppHost>:<TCPAppSslPort>/tcp/services/Tcp
Example for JBoss –

https://localhost:38443/tcp/services/Tcp
The results depends on the version of Internet Explorer that you use.
Internet Explorer 7 and 8 – The web page with the following message opens:
“There is a problem with this website's security certificate”.
Internet Explorer 6 – The Security Alert window opens because your browser
does not the consider the certificate as a trusted SSL certificate. .
2. Depending on the Internet Explorer version, proceed as follows:
For Internet Explorer 7 and 8:
a. Click Continue to this website.
b. Click the Certificate Error label to the right of the address bar.
c. Click View certificates. The Certificate dialog opens.
For Internet Explorer 6: ClickView certificate. The Certificate dialog opens.
3. Export the certificate:
a. On the Details tab, click Copy to File. The Certificate Export wizard opens.
Click Next.
b. Select DER encoded binary X.509 (.CER) and click Next.
c. Specify the file name for the certificate you want to export (for example
C:\mycert.cer) and note the path and file name. You will need it in a later
step for copying the certificate.
d. Click Next. On the last page, click Finish. The Certificate Export wizard
closes.
4. In the Certificate dialog, click OK.
5. Internet Explorer 6 only – In the Security Alert window, click Yes if you trust
that certificate and want to see the pages that are hosted on your JBoss
application server.

45.7 Configuring SSL communication between TCP Web Client and TCP Application Server
45.7.3 Securing the ArchiveLink communication

1. In TCP Modeler, open the project you want to secure with SSL.
2. Click the Attached Files node
3. Double-click the ADC.properties file to edit it.
4. Search for property al.tcp_al.url. If the line begins with # remove the leading
# characters.
Set the property to the following value:
al.tcp_al.url=https://<TCPAppHost>:<TCPAppSslPort>/tcp_al/archive
In the case of a cluster the URL must point to the host and SSL port of the load
balancer.
5. Save your changes in the editor.
6. Save your TCP Modeler project.
7. Configure Web Viewer or Java Viewer configured for TCP Web UI to use SSL.
You must register the certificate you exported from TCP Application Server (see
Section 45.7.2) as trusted certificate in the viewer you are using.
For details, see OpenText Imaging Viewers and DesktopLink - Configuration Guide
(CL-CGD).
45.7.4 Securing the Web Service communication

1. Copy the certificate file (that you have saved in step 3.c in “Exporting the SSL
certificate of the TCP Application Server” on page 390) to the computer where
you installed TCP Web Client. Note the path and file name. You will need it in a
later step for importing the certificate.
2. Open the Microsoft Management Console on that computer with Start - Run,
enter MMC, and click OK. A MMC window opens.
3. Go to File - Add/Remove Snap-in. The Add/Remove Snap-in dialog opens.
4. Click Add. The Add Standalone Snap-in dialog opens.
5. Select Certificates and click Add. The Certificates snap-in dialog opens.
6. Select Computer account and click Next. The Select computer dialog opens.
7. Select Local computer and click Finish. The dialog closes.
8. In the Add Standalone Snap-in dialog, click Close. The Add Standalone Snap-
in dialog closes.
9. In the Add/Remove Snap-in dialog, click OK.

10. Import the certificate into the Windows certificate store.

a. From Console Root, navigate to Certificates (Local Computer) - Trusted
Root Certificates Authorities - Certificates.
b. On the Action menu, point to All Tasks and click Import. The Certificate
Import Wizard opens. Click Next.
c. Click Browser and select the certificate file you previously saved and copied
to the local machine in step 1. Click Next. The Certificate Store dialog
opens.
d. Select Place all certificates in the following store and click Next.
e. Click Finish. The following message box appears: The import was
successful.
11. In the right pane of the MMC, find your certificate. If you used a self signed
certificate, the properties Issued By and Issued To contain the host name of
your TCP Application Server.
12. Right click on your certificate and select Properties.
13. In the Certificate purpose area, select Enable only the following purposes.
14. Clear all options except Server Authentication and click OK.
15. Back up the web.config file of your TCP Web Client installation (for example
from C:\inetpub\wwwroot\tcpweb).
16. Edit the web.config file:
a. Open the web.config file in a text editor.
b. Find the <basicHttpBinding> element, you find several <binding>
elements.
c. In each of these <binding> elements, edit the <security> element:
i. Change the attribute value of mode from None to Transport. 2. After
that the <security> element must look like the following:
ii. Make sure that each <security> element looks as follows:
<security mode="Transport">
<transport clientCredentialType="None"
proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName"
algorithmSuite="Default" />
</security>
d. In the <client> element, for each <endpoint> element, replace the first part
of the address attributes values by the SSL URL of TCP Application Server.
Afterwards the addresses begin with https:/<TCP
AppHost>:<TCPAppSslport>.

45.8 Configuring SSL communication between browser and TCP Web Client
e. Save your changes.

17. Restart IIS, for example in Internet Information Services (IIS) Manager.
45.8 Configuring SSL communication between

browser and TCP Web Client
This chapter describes the major steps for configuring the SSL communication
between browser and TCP Web Client running in IIS.
Note: As no TCP component is involved in the SSL configuration between
browser and TCP Web Client, this procedure concentrates on the major steps
and refers to documentation from Microsoft.
The high-level steps for configuring SSL are the same in IIS 7 and IIS 6.0:
1. Get an appropriate certificate. You can obtain server certificates from an outside
certification authority (CA), or you can issue your own server certificates by
using Microsoft Certificate Services.
2. Create an HTTPS binding on a site.
3. Test the SSL connection by creating a request to the site.
4. Optionally configure SSL options, for example making SSL mandatory.
For a detailed description for enabling SSL for IIS 7 on Windows Server 2008, refer
to the Microsoft article “How to Setup SSL on IIS 7” at
http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/.
For a detailed description for enabling SSL for IIS 6 on Windows Server 2003, refer
to the Microsoft article “Using SSL to Encrypt Confidential Data” at
http://technet.microsoft.com/en-us/library/cc738495%28WS.10%29.aspx.
45.9 For Websphere/AIX only: Configuring IAIK Secu-

rity Provider
What is IAIK ? The IAIK Provider for the Java™ Cryptography Extension (IAIK-JCE) is a set of
APIs and implementations of cryptographic functionality, including hash functions,
message authentication codes, symmetric, asymmetric, stream, and block
encryption, key and certificate management. It supplements the security
functionality of the default JDK. (quoted from http://jce.iaik.tugraz.at/)
TCP uses the third-party library IAIK as cryptographic library and especially its
certificate/key store implementation.
Note: You must configure the IAIK provider only if you use IBM WebSphere
as application server or AIX as operating system.

To configure the IAIK provider

1. On all TCP Application Servers of a cluster, check whether iaik_jce_full.jar
is located in <JavaHome>\jre\lib\ext.
Tip: If you use WebSphere, specify <WAS_HOME>\java for <JAVA_HOME>.
If not, copy it from <TCP_CD>\tcpappserver\lib.
2. For WebSphere and JBoss on AIX, on all TCP Application Servers (of a cluster):
Configure the security provider in
<JavaHome>\jre\lib\security\java.security as follows:
a. Open the file with a text editor

b. Change the following lines:
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
to
security.provider.1=iaik.security.provider.IAIK

Chapter 46
Configuration for SecKeys and signed URLs
It is assumed that you have a certificate with a private key in a key store.“Protecting
the client connection” on page 188 describes the tools for key store management and
certificate import.
Important
Keep in mind that the application server or cluster must be restarted after
signed URLs are configured.
To configure the server for SecKeys and signed URLs:

1. To enable SecKeys between TCP Context Server and Archive and Storage
Services, see “Security settings for TCP Application Server” on page 367. Send
the certificate to the appropriate archive <contRep> of the archive server, and
activate the new certificate (see section 7 "Configuring Security Settings" in
OpenText Archive Server - Administration Guide (AR-ACN)). Make sure that this
archive has the setting Signature required : Read Create Update Delete.
Make sure that DMSALDefaultUser has the permission to create new users.
2. Make sure that the JDK patch for signed URLs, Java Cryptography Extension
(JCE) Unlimited Strength Jurisdiction Policy Files, is installed in
<java_home>\jre\lib\security.
3. Copy the file <TCP_CD>\tcpappserver\lib\iaik_jce_full.jar to the

<JAVA_HOME>\jre\lib\ext directory of each cluster node.
For WebSphere use <WAS_HOME>\java for <JAVA_HOME>.
4. For JBoss on AIX and WebSphere - on all servers of a cluster: Configure the
Security Provider in <JAVA_HOME>\jre\lib\security\java.security. Open
the file with a text editor and change the following lines:
to:
security.provider.1=iaik.security.provider.IAIK

Chapter 46 Configuration for SecKeys and signed URLs

a. Set the class path:
set CLASSPATH=<TCP_CD>/tools/putcert/putcert.jar
b. Send the certificate to TCP Context Server:
<java_home>/jre/bin/java ixos.adc.sec.PutCert <TCP Context

Server name>[:<port>] <authId> <contRep> <certificate file
name>
where <authId> is the name of the new default user (do not use an existing
user name) and <contRep> is the name of the archive.
6. In User Management Client:
a. Make sure that a user is created with the name <authId>.
b. Add the property invalidationPeriodMinutes and modify the property
ixPwdExpires. Use the same values as set for the user
BizEffectiveUser_default.
7. Copy it to <TCP installation directory>\custom\custom.jar (see

“Configuring an additional certificate store” on page 173):
a. Make sure that the key store entries in TCP Configuration (security settings:
Name of Key Store, Name of Certificate) have the same name as your key
store file in the in custom.jar directory.
b. Edit the Key Alias for Signature field, and set it to the name of your key
alias.
8. Make sure that the JCE Security Providers field contains following value:
• In case of JBoss:
iaik.security.provider.IAIK;sun.security.provider.Sun
• In case of AIX:
iaik.security.provider.IAIK
9. In the file ADC.properties of your TCP Modeler project, create or edit these
entries:
adc.config.onBehalfOf=true
adc.alurl.mode=DMS
adc.alurl.baseurl = http://<Context Server name>:<port>/archive
adc.signurl.on=true
adc.signurl.validity.seconds=300
adc.signurl.signer=<authId>
10. Restart the server or cluster.

Glossary
This glossary describes terms concerning User Management.
_internal domain
Each organization has a domain known as _internal. All principals except
external and referenced principals belong to this domain.
ROOT area
ROOT is the base administration area to administer User Management Server.
ROOT administrators have global access rights. A second organization exists in
parallel to ROOT. Only administrators can log on to ROOT.
Admins
Admins is a virtual group of principals that has a special relationship to an
organization object. Administrators have full access to all objects within their
organization. ROOT administrators have full access to all objects in User
Management.
Certificate user
A certificate user holds a certificate and usually represents an application user
who provides SSO access tokens, such as SAP NetWeaver Portal
Department
Departments are hierarchical grouping structures. Departments can contain
positions, superiors and departments.
Domain
A domain represents an external user name space in the sense of a Windows
domain, or a part of an LDAP directory. Principals in a domain are addressed in a
specific way. Specific attributes of a domain's principal are mapped to the
internal equivalent.
External user/External group

An external user or group is uniquely defined in a domain.
Group
A group is a group of principals. Groups can contain users and other groups.

Glossary
Organization
User Management is grouped with this structure element in independent parts.
Clientele processing means that users or administrators of an organization may
know about the existence, but not the content, of another organization. Principals
of one organization cannot be referenced in a different organization.
Position
A position describes the function of a user in departments.
Position in department
A position in department builds up the relationship between a user and a
department. It can contain one user or no user, and a role is assigned.
Position in department in project

A position in department in project builds up the relationship between a position in
a department and a project. It holds one position or no position in department,
and therefore, one user or no user, and a role is assigned.
Principal
A principal is an object in the user management system that can be referenced for
authorization and access control. The following objects are principals:
• user
• group
• department
• security group
• project
• role
• position
• position in department
• position in department in project
Projects
Projects are a hierarchical grouping structure. Projects can hold positions in
departments and in projects.

Glossary
Referenced user/group
A referenced user or group is an external user or group with an internal
reference, a unique identifier. External principals are only referenced on
demand.
• Referenced principals can become members of internal principals for
application specific grouping.
• Free attributes can be set on referenced principals.
Role
Roles can be assigned to the principals “Position in department” and “Position in
department in project”.
Securities
In User Management Client security groups with assigned users are created for
TCP Service.
Single Sign-On (SSO)

The UMS provides general SSO mechanism for all UMS based applications.
Additionally access tokens from external systems like SAP can be accepted and
converted to UMS tokens. The mechanism can be programmatically extended for
additional, external access tokens.
SSO
See: Single Sign-On (SSO)
Superior
• Superior can be assigned to Departments, Projects and Positions in ....
• Superior is always a Position in department.
• The superior relationship is only evaluated by TCP Service.
• The superior of a Position in ... is found by searching the hierarchy
upwards till the first hit.
User
A user is a principal who is able to access applications. A user can be
authenticated and has identification and authorization information.

Index
ASP.NET State Service starting
configuring TCP Web Client 294
ASP.NET version
A Assigning Classifications 130
Access information Attribute enrichment
User ManagementServer 277 configuring a LDIF enrichment provider
Actions 280
Classifications 127 Attributes
Delete related audit entries 124 editing of process classes 51
Ad Hoc process viewing of process classes 51
process class 49 viewing of process instances 55
Adding viewing of work items 61
columns 39 Audit entries
custom views 66 Delete related audit entries 124
filter conditions 68 deleting 124
new process groups 48 displaying 121
Adding new system 43 Exporting 125
Admin password Obsolete 123
TCP Context Server 238 Printing 125
User ManagementServer 278 Properties 124
Administering queries 122, 123
Open Text TCP 133 searching 121
Age before Purging parameter Audit settings
jobs (TCP Context Server) 196 User ManagementServer 277
Agents Auditing 121
audits 96 of User ManagementServer 262
clearing counters 96 Audits 36
displaying 93 agents 96
editing 96 process class 51
registering 94 process groups 48
starting 95 process instances 55
stopping 96 work items 60
unregistering 95
Apache Tomcat B
SSL configuration 375 Backups
Archive database Database 335
MS SQL Server (Backup) 337 MS SQL Server 337
Oracle 336 Oracle 336
ArchiveLink URL generation BAM reports
settings 138 deleting 81
ASP.NET configuration settings displaying 81
configuring TCP Web Client 293 updating 82

Index
BizEffectiveUser 117 Comments 36

Browser process instance 56
SSL communication to TCP Web Client work items 63
393 Configuration
Build query 202 SSL 373
SSO configuration on TCP Web Client
C 303
Cache configuring of User Web proxy server 371
ManagementServer 260 Configuration package
Calendar service 170 Configuring TCP Application Server 161
CAP RM 237
configuring 284 Configuring
CD-ROM certificate store 173
Product ISO image 24 Enterprise Process Services Application
Certificate (PS package) 161
SSO configuration on TCP Web Client LDIF enrichment provider 280
299 TCP Web Client 293
Certificate export Configuring CAP
Apache Tomcat 377 User ManagementServer 284
Certificate store Configuring TCP Web Client
configure 173 activating out of office functionality 294
Certificates ASP.NET configuration settings 293
importing 188 ASP.NET version 293
managing 187 changing viewer URL 296
SecKeys 395 log file configuration 298
Certification authority 342 security settings 293
Classification 127 starting ASP.NET State Service 294
Assignable 127 Connecting class
Assigning 130 inflight changes 97
creating 127 Connecting to Enterprise Process Services
deleting 128 41
displaying 129 Context menu 35
editing 128 conventions 25
hit list 129 Counters
Parent 127 clearing for agents 96
queries 129, 130 Creating
tree 130 custom view of an existing process class,
Cloning process instance or work item 66
custom views 68 custom views 66
Closing jobs 84
project 45 work queues 74
Cluster nodes Custom view
Display status 257 of a process class 52
Display URL 257 process instance 56
synchronization of User Custom views
ManagementServer 261 adding 66
Columns Ccloning 68
adding or removing 39 creating 66
changing order 39

Index
creating a custom view of an existing gen_prop 312

process class, process instance or work Inbox 315
item 66 Prepdoc 314
deleting 68 Psdt 319
displaying 65 terminology 313
editing 67 DocuLink folders
classification 130
D displaying 130
Data source Documentation overview 23
Oracle 228 Domain configuration
Oracle RAC 227 LDAP directory server 280
SQL Server 226 Livelink ECM – Enterprise Server 279
Tomcat 225 Domains (external)
Database parameters 279
Backups 335
monitoring 333 E
Database access Edit permissions 40
User ManagementServer 274 Editing
Delete after retention period agents 96
jobs (TCP Context Server) 191 attributes of process classes 51
Deleting custom views 67
audit entries 124 filter conditions 69
BAM reports 81 jobs 92
custom views 68 user of work items 59
jobs 91 values of work item attributes 61
process groups 48 work queues 80
work queues 79 Enabled user 265
Deleting system 44 Encoding
Displaying IXATTR 314
agents 93 Enrichment provider LDIF
audit entries 121 configuring 280
BAM reports 81 EnrichmentProviderModule
custom views 65 configuring a LDIF enrichment provider
DocuLink folder structure 130 280
jobs 84 Enterprise Process Services
process classes 50 adding principals 269
process groups 47 Environment variables
process instance 53 DMS_DOCUMENTS_PER_TRANSACTIO
work items 58 N 315
work queues 73 Error
dmsPrepdoc Fulltext indexing 207
DocTool 314 Rendering 207
dmsremotecmd 190 eSign
doctodms enabling 268
DocTool 315 Exiting
DocTools Process Administrator 31
description 313 Exporting
dmsPrepdoc 312, 314 audit entries 125
doctodms 312, 315

Index
External domain and users GUI 119

SSO configuration on TCP Web Client TCP Configuration 134
306
External domains H
parameters 279 Hard Query Fetch Limit 232
External groups and users Hierarchical organization structure
referencing in TCP 263 defining 270
F I
Files Icons
ATTRIBUTES 314 reference 109
doctodms_stored_docs.txt 315 Import certificates 188
IXATTR 314 Inbox
META_DOCUMENT_INDEX 314 DocTool 315
Filter conditions Indexing scenario
adding 68 permissions 325
editing 69 Inflight changes
searching with 70 connecting class 97
Filter fields process class 97
reference 110 re-link instances 101
Filter section 33 Rre-link exceptions 102
Filtering Internet Information Services (IIS) Manager
process classes, process instances and settings
work items 68 SSO configuration on TCP Web Client
Filters 303
User ManagementClient 248 ISO image
Folder permissions Product ISO image 24
306 J
Fulltext indexing Java Viewer URL
Error 207 configuring TCP Web Client 296
JBos
G SSL configuration 387
General project settings 138 JBoss
Grantee groups 346 Signed URLs 395
Graph 37 Jobs
process class 52 creating 84
Groups deleting 91
add new group 266 displaying 84
assigning users or groups 267 editing 92
disable 268 starting 91
Grantee groups 346 stopping 91
managing parameters 290 Jobs (TCP Context Server) 190
reference 263 delete after retention period 191
Revokee groups 346 manual 190, 197
standard 345 pipeline enqueueing 191
Groups (external) purge 191
referencing in TCP 263 reindex for fulltext index 191

Index
remove from fulltext index 191 Multi-value properties 246

rendition generation 191 Multiple TCP Web Clients
scheduled 190, 198 installing 306
K N
Kept after Purging (Max Number) Navigation tree 33
jobs (TCP Context Server) 196 NTLM settings 144
Key management of archive server 187 Number of items per page 42
Keywords
BIZ_APPLICATION 318 O
BIZ_DOC_RT_GROUP 318 Open Text TCP certificates 342
BIZ_DOC_RT_USER 318 Open Text TCP projects 135
BIZ_ENCODING_BASE64_UTF8N 318 Management 136
BIZ_PLG_EVENT 318 Open Text TCP security settings 342
BIZ_REG_INDEXING 318 Opening
DMS_DOCID 318 project 45
DMS_DOCTYPE 315 OpenText Online 26
DOCID 314 Oracle RAC
IXATTR_ENCODING 314, 315 Data source 227
PILE_INDEX 318 Order of columns
TCP 318 changing 39
TCP Context Server 315 Organization structure (hierarchical)
defining 270
L Organizations
Large uploads 295 managing parameters 287
LDAP directory server Out of office functionality (activating) 294
domain configuration 280
LDIF enrichment provider P
configuring 280 Paging and sorting search results 35
List area 33 Password
Livelink ECM – Enterprise Server changing password of User
domain configuration 279 ManagementServer 266
Log file configuration settings 40
configuring TCP Web Client 298 TCP Context Server 238
Log on User ManagementServer 278
Process Administrator 31 PDMS Web Client Single Sign-On
Logging 145 See “PDMS Web Client SSO”
log levels 199 PDMS Web Client SSO
Logging directories configuration 142
User ManagementServer 274 Permissions 40
Logging on to a system 44 indexing scenario 325
process class 48, 52
M Pipeline enqueueing
Members jobs (TCP Context Server) 191
Display 257 Pipelines
Menu bars 33 CODMS 311
Meta documents 314 CODMSR3 311
Monitoring 145 EXDMS 311

Index
EXDMSPMS 311 audit entries 124

EXDMSR3 311 Multi-value 246
SCDMS 311 properties of work items 62
TCP Context Server 311 Proxy mechanism
Port binding sets (JBoss) enabling 269
adapt or add 168 PS package
Prepdoc configuring Enterprise Process Services
DocTool 314 Application 161
Printing PS_DATA 319
audit entries 125 PS_MODE 319
Process class PS_OBJECT 319
audits 51 PS_PRIORITY 319
changing status 50 PS_SPI 319
custom view 52 Psdt
editing attributes 51 DocTool 319
graph 52 Purge
inflight changes 97 jobs (TCP Context Server) 191
permissions 52
viewing attributes 51 Q
Process class definition Queries
transporting 105 Audit Entries 122
Process classes Classification classes 129
displaying 50 Classification tree 130
filtering 68 Obsolete audit entries 123
Process group Query builder 202
audits 48 Query Fetch Limit 234
permissions 48 Query Timeout 235
Process groups
adding new 48 R
deleting 48 Re-configuring TCP Application Server
displaying 47 161
Process instance Re-link exceptions
displaying 53 inflight changes 102
filtering 68 Re-link instances
Process instances inflight changes 101
audits 55 Records Management
changing status 54 Configuration Package 237
comments 56 Recovery
custom view 56 doctodms 315
viewing attributes 55 Reference 109
Profiling 145 groups 263
Program User ManagementClient 249
starting 31 users 264
Program window 33 Refreshing information 38
Project Registering
opening 45 agents 94
Project settings 138 Reindex for fulltext index
Properties jobs (TCP Context Server) 191
Add 246

Index
Remove from fulltext index SSO

jobs (TCP Context Server) 191 configuring TCP Web Client 299
Removing parameters in UMS 285
columns 39 SSO checkers
Rendering conifguring 257
Error 207 SSO TCP Web Client
Rendition generation adding external domain and users and
jobs (TCP Context Server) 191 testing 306
Rendition jobs in TCP Context Server 213 changing Internet Information Services
Reports (IIS) Manager settings 303
BAM 81 configuring the checker module on User
Resuming ManagementServer 301
work items 60 configuring User ManagementServer 302
Revokee groups 346 creating a certificate 299
Root organization updating TCP Web Client configuration
managing parameters 286 303, 306
SSO with SAP Enterprise Portal
S Configuring checker context 285
Searching Standard groups 345
audit entries 121 Standard users 350
with filter conditions 70 Starting
SecKeys agents 95
configuration 395 jobs 91
Security groups Process Administrator 31
assigning users 270 Static logging
Security settings User ManagementServer 276
configuring TCP Web Client 293 Status
TCP Application Server 367 changing status of process classes 50
Session management changing status of work items 58
configuring 262 process instances 54
Signed URLs work items 63
configuration 395 Status bar 33, 35
JBoss 395 Stopping
Sorting and paging search results 35 agents 96
SSL jobs 91
Browser - TCP Web Client 393 System
configuration 373 adding new system 43
TCP Application Server - TCP Context deleting system 44
Server 385 logging on to a system 44
TCP Application Server - User System settings
ManagementServer 383 configure number of items per page 42
TCP Context Server - User test connection 41
ManagementServer 379 time out 41
TCP Web Client - TCP Application Server System user
389 BizEffectiveUser 117
SSL configuration
JBoss 387 T
Tomcat 375 TCP
customizing MIME types 214

Index
Inbox 315 Test connection

TCP Application Manager (PDMS UI only) system settings 41
117 Testing connection to Enterprise Process
TCP Application Server Services 41
security settings 367 Time out
SSL communication to TCP Context time interval for connection response 41
Server 385 Tomcat
SSL communication to TCP Web Client certificate export 377
389 Data source 226, 227
SSL communication to User SSL configuration 375
ManagementServer 383 Transporting
TCP Configuration agent registration 108
starting 133 job configurations 107
TCP Configuration GUI 134 process class definition 105
TCP Context Server reports 106
admin password 238 work queues 105
configuration packages 223 Troubleshooting
connection settings 138 User Management 272
jobs 190 typography 25
password 238
Sample files 329 U
settings 237 Unregistering
SSL communication to TCP Application agents 95
Server 385 Unreserving
SSL communication to User work items 60
ManagementServer 379 Updating
TCP Document Pipelines 311 BAM reports 82
TCP Context Server ACL mapping 186 Uploads
TCP Context Server ArchiveLink calls 186 large 295
TCP Context Server archives URLs
viewing and configuring 181 Signed
TCP Context Server database See “Signed URLs”
ACL cache 219 User Management
component information 220 troubleshooting 272
connection pool 220 User ManagementServer
consistency checks 217 access information and audit settings 277
debugging 218 admin password 278
entity type hierarchy 219 configuration and logging directories 274
query cache 219 database access 274
reorganizing 217 password 278
status 218 reconfiguring 273
table information 221 SSL communication to TCP Application
updating statistics 217 Server 383
TCP Web Client SSL communication to TCP Context
configuring 293 Server 379
SSL communication to browser 393 SSO configuration on TCP Web Client
SSL communication to TCP Application 302
Server 389 static logging 276
SSO 299

Index
User ManagementServer checker module editing attributes 61

SSO configuration on TCP Web Client editing current user 59
301 filtering 68
Users resuming 60
add certificate 265 status 63
add new user 265 unreserving 60
Assigning to security groups 270 viewing attributes 61
disable 268 viewing properties 62
enabled user 265 Work queues
managing parameters 288 creating 74
of work items editing 59 deleting 79
reference 264 displaying 73
standard 350 editing 80
Users (external)
referencing in TCP 263
Users password of User
ManagementServer
changing 266
resetting 266
V
Viewers
configuring 296
Viewing
attributes of process classes 51
attributes of process instances 55
attributes of work items 61
properties of work items 62
W
Web proxy server
configuration 371
Web Viewer URL
web.config
installing multiple TCP Web Clients 306
large uploads 295
log file configuration 298
out of office configuration 294
303
viewer URL configuration 296
Windows Viewer
Work items
audits 60
changing status 58
comments 63
displaying 58

Open Text Transactional Content Processing 10.0.1 Administration Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Open Text Transactional Content Processing 10.0.1 Administration Guide

Uploaded by

Copyright:

Available Formats

Open Text Transactional Content

This guide describes the administration of all basic components

Copyright © by Open Text Corporation, Open Text Inc.

Part 1 Open Text Process Administrator 27

2 Introducing Process Administrator........................................ 33

3 Defining settings ..................................................................... 39

TCP100001-AGD-EN-5 Open Text Transactional Content Processing iii

3.4.2 Setting time interval for connection response........................................ 41

5 Managing projects ...................................................................45

6 Managing process groups ......................................................47

7 Managing process classes......................................................49

8 Managing process instances ..................................................53

9 Managing work items ..............................................................57

iv Open Text Transactional Content Processing TCP100001-AGD-EN-5

9.7 Viewing work item attributes .................................................................. 61

10 Managing custom views ......................................................... 65

11 Managing work queues........................................................... 73

12 Managing BAM reports ........................................................... 81

13 Managing jobs ......................................................................... 83

14 Managing agents ..................................................................... 93

TCP100001-AGD-EN-5 Administration Guide v

14.5 Stopping agents ..................................................................................... 96

15 Inflight changes .......................................................................97

16 Transporting settings ............................................................105

Part 2 Open Text TCP Application Server administration 115

19 Administering audit entries...................................................121

vi Open Text Transactional Content Processing TCP100001-AGD-EN-5

20 Administering classification................................................. 127

21 Administering Open Text TCP.............................................. 133

22 Re-configuring TCP Application Server............................... 161

23 Configuring and customizing the TCP application ............. 167

TCP100001-AGD-EN-5 Administration Guide vii

Part 3 Open Text TCP Context Server administration 175

24 Major administration tasks....................................................177

viii Open Text Transactional Content Processing TCP100001-AGD-EN-5

26 Administering the database.................................................. 217

27 Re-configuring TCP Context Server via configuration

Part 4 Open Text User Management Server administration 239

28 Working with User Management Client................................ 241

TCP100001-AGD-EN-5 Administration Guide ix

29 Working with User Management...........................................253

30 Re-configuring User Management Server ............................273

31 Managing configuration parameters ....................................279

x Open Text Transactional Content Processing TCP100001-AGD-EN-5

Part 5 Open Text TCP Web Client administration 291

32 Configuring TCP Web Client................................................. 293

Part 6 TCP Document Pipelines administration 309

33 Overview of TCP Document Pipelines for TCP Context

TCP100001-AGD-EN-5 Administration Guide xi

35 Permissions for the indexing scenarios ..............................325

Part 7 Databases administration 331

37 Monitoring the database........................................................333

Part 8 Security in TCP 341

39 Standard groups and users ..................................................345

40 Changing passwords of end users and standard users .....355

41 Security measures .................................................................363

xii Open Text Transactional Content Processing TCP100001-AGD-EN-5

46 Configuration for SecKeys and signed URLs...................... 395

GLS Glossary 399

IDX Index 403

TCP100001-AGD-EN-5 Administration Guide xiii

i What is Open Text Transactional Content

TCP100001-AGD-EN-5 Open Text Transactional Content Processing xv

xvi Open Text Transactional Content Processing TCP100001-AGD-EN-5