Professional Documents
Culture Documents
Processing
Administration Guide
TCP100001-AGD-EN-5
Open Text Transactional Content Processing
Administration Guide
TCP100001-AGD-EN-5
Rev.: 12. Dec. 2011
This documentation has been created for software version 10.0.1.
It is also valid for subsequent software versions as long as no new document version is shipped with the product or is
published at https://knowledge.opentext.com.
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Email: support@opentext.com
FTP: ftp://ftp.opentext.com
For more information, visit http://www.opentext.com
PRE Introduction 15
i What is Open Text Transactional Content Processing? ........................ 15
ii About this documentation ...................................................................... 18
ii.i Target Readership ................................................................................. 18
ii.ii Structure of this documentation ............................................................. 18
ii.iii Documentation overview........................................................................ 23
ii.iv Further documentation ........................................................................... 24
ii.v How to find documentation .................................................................... 24
ii.vi Conventions ........................................................................................... 25
iii Contact information ................................................................................ 26
1 Getting started......................................................................... 31
1.1 Starting Process Administrator and logging on...................................... 31
1.2 Exiting Process Administrator ................................................................ 31
4 Managing systems...................................................................43
4.1 Adding new system ................................................................................ 43
4.2 Deleting system...................................................................................... 44
4.3 Logging on to a system .......................................................................... 44
17 Reference ...............................................................................109
17.1 Icons..................................................................................................... 109
17.2 Filter fields............................................................................................ 110
18 Prerequisites ..........................................................................117
18.1 Managing system users ....................................................................... 117
18.2 Working with TCP Application Manager (PDMS UI only) .................... 117
31.2.1 Configuring checker context for internal session ID token .................. 285
31.2.2 Configuring checker context for SSO with SAP Enterprise Portal....... 285
31.2.3 Configuring checker context for signed URL ....................................... 285
31.2.4 Configuring checker context for signed user ....................................... 286
31.3 Managing parameters for the root organization................................... 286
31.4 Managing parameters for organizations .............................................. 287
31.5 Managing parameters for users ........................................................... 288
31.6 Managing parameters for groups......................................................... 290
45.7 Configuring SSL communication between TCP Web Client and TCP
Application Server ................................................................................ 389
45.7.1 Preparing TCP Application Server ....................................................... 389
45.7.2 Exporting the SSL certificate of the TCP Application Server ............... 390
45.7.3 Securing the ArchiveLink communication ............................................ 391
45.7.4 Securing the Web Service communication .......................................... 391
45.8 Configuring SSL communication between browser and TCP Web
Client .................................................................................................... 393
45.9 For Websphere/AIX only: Configuring IAIK Security Provider ............. 393
Automating Content-centric business processes are often customer facing (internal or external).
content-centric These customer facing processes are often highly repetitive, driven by fixed content
processes
and require integration into existing applications. To provide a faster customer case
management response, organizations are required to react immediately on changing
market requirements and new regulations. The management of transactional
content improves process efficiency, cuts processing cost (that is cost per
transaction), shortens elapsed time, enables change, and provides an audit log and
management overview of transactional processes. Sample applications are Accounts
Payable, Claims Management and Digital Mailroom solutions.
Independent Open Text TCP provides an infrastructure for access to transactional content,
access to independent of third-party software. For example, SAP documents can be accessed
transactional
content securely and consistent by internal or external business entities. Thus, the amount of
inquiries and paper mail will be drastically reduced, leading to cost reduction and
compliance with internal and mandated regulations. Sample applications are self-
service solutions, supplier portals, and compliant internal (or external) access to SAP
documents.
In addition, elaborate user management specifies access rights on various levels, to
meet security policies.
Web-based A TCP application is accessible via a Web browser. Thus, no client installation is
interface needed and you can access the application via intranet, extranet or internet.
System TCP consists of several components each with its unique functionality.
architecture
Presentation layer
There are two ways to access a TCP application:
• TCP Web Client – TCP Web Client is what you see, when you access a TCP
application in a Web browser. It is your interface to the system and lets you
interact.
• Enterprise Connect – With Enterprise Connect, you can upload and access
Open Text TCP documents using Microsoft Office and Windows Explorer.
Application layer
TCP Application Server – TCP Application Server is the core of TCP. It controls
the services for document archiving and retrieving. The services communicate
with the connected repositories and handle requests, such as queries from the
TCP application.
Enterprise Process Services – As a member of the Open Text Content Services
family, Enterprise Process Services provides functionality for managing
structured business processes functionality. Enterprise Process Services is a
multi-purpose process engine that drives business processes and brings all
required documents to each process step. Through the technical interface of
Enterprise Process Services - available as Web Service (SOAP) - other systems
can interact and utilize its functionality. Enterprise Process Services is tightly
integrated into TCP and provides tools for designing, running, monitoring and
analyzing business processes.
Repository layer
TCP Context Server along with the process database and other external
repositories (databases and other data sources) stores all data except for attached
content files. These are stored by Open Text Enterprise Library Services.
Customization and Administration tools
Customization and Administration tools help you to set up, customize and
manage the system.
• TCP Modeler – creates and customizes a TCP application.
• Process Designer – implements business processes for a TCP application.
• Process Administrator – monitors and administers the process flow.
• TCP Configuration (Web-based) – allows the administrator to control
access to the system and to the documents contained within it. Furthermore,
general project administration and availability is handled here.
• TCP Context Server Administration / Context Server Configuration – are
two Web-based tools for administering TCP Context Server.
• User Management Client – is the administration tool for configuring User
Management Server.
Knowledge Center, select the product family page, and then click the
Documentation link. In case, the required product belongs to the Livelink ECM
– Enterprise Server family, click the Livelink Module Documentation link and
select the product from the list.
Note: You can find the latest information on manuals and online help files for
each product in the corresponding Release Notes. This includes the
identification codes of the current documentation.
ii.vi Conventions
User interface
This format is used for elements in the graphical user interface (GUI), such as
buttons, names of icons, menu items, and fields.
Filenames, commands, and sample data
This format is used for file names, paths, URLs, and commands at the command
prompt. It is also used for example data, text to be entered in text boxes, and
other literals.
Note: If you copy command line examples from a PDF, be aware that PDFs
can contain hidden characters. OpenText recommends copying from the
HTML version of the document, if it is available.
KEY NAMES
Key names appear in ALL CAPS, for example:
Press CTRL+V.
<Variable name>
Angled brackets < > are used to denote a variable or placeholder. The user
replaces the brackets and the descriptive content with the appropriate value. For
example, <server_name> becomes serv01.
Internal cross-references
Click the cross-reference to go directly to the reference target in the current
document.
External cross-references
External cross-references are usually text references to other documents.
However, if a document is available in HTML format, for example, in the
Knowledge Center, external references may be active links to a specific section in
the referenced document.
Warnings, notes, and tips
Caution
Cautions help you avoid irreversible problems. Read this information
carefully and follow all instructions.
Important
Important notes help you avoid major problems.
This part describes the administration of Enterprise Process Services using Process
Administrator.
With Process Administrator you perform the following tasks:
• Manage the processes you have defined in Process Designer (process classes).
• Present forms to the user
• Monitor active processes (process instances)
• Observe steps of processes (work items)
• Control permissions for security objects
Content This part contains the following chapters:
“Getting started” on page 31
This chapter describes how to start and connect to other systems.
“Introducing Process Administrator” on page 33
This chapter describes the elements of the graphical user interface of Process
Administrator.
“Defining settings” on page 39
This chapter describes the main settings for Process Administrator.
“Managing systems” on page 43
This chapter describes how you manage several systems with Process
Administrator.
“Managing process groups” on page 47
This chapter describes how to work with process groups which can be
referenced in a process using Process Designer.
“Managing process classes” on page 49
This chapter describes the management of defined processes (or more precisely,
process classes). These process classes first have to be created in Process
Designer.
“Managing process instances” on page 53
When a user starts a new process, a new process instance of this process class is
created. This chapter explains how to monitor processes that are already
underway.
“Managing work items” on page 57
A process instance contains work items. This chapter explains how to work with
these.
“Managing custom views” on page 65
This chapter describes how to create custom views which filter specific process
classes and process instances.
With Enterprise Process Services only one default project with one default
profile is provided.
Jobs
The jobs node contains periodically executed automation tasks.
Agents
The agents node contains programs for background working.
Filter section
The filter section in the top right-hand corner shows the filters which are marked
as searchable. For further information, see “Filtering process classes, process
instances and work items” on page 68.
List area
The list area displays process information.
Status bar
The status bar is located at the bottom of the program window. It shows status
information about the connection. For further information, see “Status bar” on
page 35.
On the right, you will see various information, depending on what you choose to
select in the navigation tree on the left.
To view audits:
1. Right-click and select View Audit on the context menu.
The Audit dialog box opens and displays the system activities.
2. Click on the table header to sort the column for certain criteria.
3. Click OK to close the dialog box.
To view comments of process instances and work items added in TCP Web
Client:
1. Right-click on a process instance or work item and select View comments on the
context menu.
The Comments dialog box opens and displays the comments.
2. Click on the table header to sort the column for certain criteria.
3. Click OK to close the dialog box.
To view the graph of process classes and the status information for process
instances and work items:
• Process class – Right-click on a process class and select View Graph on the
context menu.
The Class Graph opens and some properties as Name, Author, Version and
Creation time are displayed. No additional information for the steps and
connections are displayed.
• Process instance – Right-click on a process instance and select View Status
Info on the context menu. Additional process status information is displayed.
For further information on status information (frame, color, exclamation mark),
see section 3.5 "Checking route of a process" in Open Text BPM Web Process
Manager - User Guide (PR100001-UWB).
• Work item – Right-click on a work item and select View Status Info on the
context menu. Additional process status information is displayed. For further
information on status information (frame, color, exclamation mark), see section
3.5 "Checking route of a process" in Open Text BPM Web Process Manager - User
Guide (PR100001-UWB).
To resize the graph dialog and zoom the graph image, click one of the magnifying
glasses.
To assign permissions:
1. Right-click on a system, process group or process class and select Edit
Permissions on the context menu.
The Permissions dialog box opens.
2. Edit the permissions. For further information on permissions, see section 9
"Working with Permissions" in OpenText Process Designer - Customizing Guide
(PR-CPD).
confirm it. In the fifth text box you see the Domain. It is the currently logged on
domain and read only.
3. Click Save to save the new password.
The Password dialog closes.
3. Enter time in millisecond to define the time span (Time out) waiting for a
response from Enterprise Process Servicess.
For example, if you enter 30000, the defined timeout occurs after 30 seconds.
4. Enter the number of items in per page. It is used for paging and sorting (see
“Paging and sorting search results” on page 35).
5. Click Test connection. If successfully connected, click Next.
6. Select one or more projects and click Finish.
The new system is added.
To log on to a system:
1. Right-click on a system and select Log On on the context menu.
The Log On dialog box opens.
2. Enter your user name, password, and domain name.
3. Click Log on to connect to the server.
You can add process groups and reference these groups in the process properties of
a process using Process Designer. For further information, see OpenText Process
Designer - Customizing Guide (PR-CPD). To select a process group in the drop down
menu of Process Designer it must be created in Process Administrator.
Refreshing the Right-click on a process group and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and update the view.
Ad Hoc process The Ad Hoc process uploads a new process class. The process class is activated and
a process instance is created immediately.
All Ad Hoc process classes are listed in the Ad Hoc process group.
No process graph is available for Ad Hoc processes and therefore the process classes
cannot be opened in Process Designer.
Refreshing the Right-click on a process group and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and update the view.
Copying list Right-click on a process group and select Copy on the context menu to copy the list
information information to the clipboard (ID, Process Class Name etc.). Example:
PC9D405F8995EB66A200F55D7F41B119CA; Joint Mile Stone; Active; 11.09.-
2006 14:20:44;
Refreshing the Right-click on a process instance and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and thus update the view.
Copying list Right-click on a process instance and select Copy on the context menu to copy the
information list information to the clipboard (ID, Process Class Name etc.). Example:
PI9D3B916B95EB66A200F55D7FF45B0548; 001-TestCase-Iteration23-Demo;
11.09.2006 14:15:29; 150;
There is a tab displayed for each data object. The attributes of the data object are
displayed in a list. The default data object for process attributes is named _default.
Tabs displaying constant data objects are marked constant.
Tabs displaying private data objects are marked private.
Attributes that are imported from a record type (from a connected repository), are
not listed, providing no corresponding document has been added to the process
instance. During this stage, the tab is marked reserved.
Multiple values are separated with [ ].
Refreshing the Right-click on a process group and select Refresh on the context menu to retrieve
view the status from Enterprise Process Services and update the view.
Copying list Right-click on a process instance and select Copy on the context menu to copy the
information list information to the clipboard (ID, Process Class Name etc.). Example:
WI9D3B916B95EB66A200F55D7F3F2FC12C; Active; 11.09.2006 14:15:29;
Refreshing the Right-click on a custom view and select Refresh on the context menu to retrieve the
view status from Enterprise Process Services and update the view.
If you create a custom view for a process instance, the process instance id is
used in the custom view name.
To edit custom views, see “Editing custom views” on page 67.
Note: If process attributes are used in a view configuration, the value is always
the attribute value at attribute index 0.
Tips:
• You can find information about names, data objects and record
types of process attributes in the View Attributes dialog of process
classes.
• For an overview of field types, see “Filter fields” on page 110.
For further information on attributes, see section 8 "Working with
Dispositions" in OpenText Process Designer - Customizing Guide (PR-CPD).
Record type
The record type is required for process attributes. For example, if the filter
condition evaluates a virtual process attribute stored in a repository like
Livelink, enter the record type which contains the property.
Type
The type is required for process attributes. You must select the type of the
evaluated process attribute here.
Condition
The condition defines the evaluation operation. It depends on the data type
of the Field which condition can be selected.
Value
The value represents the default field value.
Tip: You can add “wildcards” to filter values when you use the
conditions Like or NotLike.
• Use an asterisk (*) as a substitute for one or more characters.
• Use a question mark (?) as a substitute for one character.
• For example, use G* to find all values that start with G, or M?ller to
search for Miller and Muller.
Searchable
Select the search flag to display the filter conditions in the filter section. For
further information, see “Searching with filter conditions” on page 70.
4. Click OK to save your changes.
1. Select the custom view you want to search for with filter conditions.
The filter conditions are displayed.
2. Modify the values as required in the third column.
3. Click Search.
The results are displayed in the list area.
For further information on filters, see “Editing filter conditions” on page 69.
Refreshing the Right-click on a work queues node or a work queue in the list area and select
view Refresh on the context menu to retrieve the status from Enterprise Process Services
and update the view.
Format
Enter a .Net specific type formatter that can either be a predefined value
depending on the field type or a custom formatter with a defined free-text.
Width
Enter the column width in pixel.
Sortable
Mark it to allow the user to sort the work queue by this column.
Note: If a work queue definition contains a multivalue property then
disable sorting, otherwise the work queue is no longer accessible.
Sort Order
Define the sort order of the column by Descending or Ascending. You can
select only one column for sorting.
Filter
An asterisk in the filter button marks an already existing filter (...*).
To define a filter, click the filter button ....
The Edit Work Queues Filer dialog box opens.
Field
Displays the field name.
Source
Displays the source name.
Allow the user to change this filter
Select the check box to allow the user to change the filter criteria for this
column.
Notes:
• OpenText recommends to have as less as possible filterable
columns for performance reasons. Filtering can decrease the
refresh times for the end users.
• If the user changes the filter criteria and applies it, the
predefined filter is replaced with these settings and cannot be
reset.
• TCP: You can customize more filter options as can be displayed.
Therefore the search result does not match the search criteria and
more hits are displayed. Supported filters are:
• For boolean: only
• For date/time: >= and <
• For other types: = and Like
Operator
Displays the operator depending on the field type.
• =: equal
• !=: unequal
• >: greater
• <: lower
• >=: greater or equal
• <=: lower or equal
• Like: like
Tip: You can use the “wildcards” to search for users:
• Use an asterisk (*) as a substitute for one or more characters.
• Use a question mark (?) as a substitute for one character.
• For example, use G* to find all values that start with G, or
M?ller to search for Miller and Muller.
Criteria
Displays the filter criteria depending on the field typ.
Click New to add a new filter and select an operator from the predefined list
depending on the field type.
Click OK to save your changes.
Click Finish.
The new work queue is created and displayed in the list area.
Refreshing the Right-click on BAM Reports and select Refresh on the context menu to retrieve the
view status from Enterprise Process Services and update the view.
Refreshing the Right-click on the Jobs node or a job in the list area and select Refresh on the
view context menu to retrieve the status from Enterprise Process Services and update the
view.
Transform rule
eps.maintenance:CleanupProcessInstance
Description
The job selects only finished or aborted process instances and
removes them from the process database.
Miner
Object type
ProcessInstance
Transform rule
eps.miner:ActivitiesDailyMonthlyYearly
Description
Creates analysis on steps and process instances.
Object type
ProcessInstance
Transform rule
eps.miner:Process InstanceDailyMonthlyYearly
Description
Creates analysis on process instances only.
Object type
TimestampTopic
Transform rule
eps.miner:VMStatsHourlyDailyMonthly
Description
Creates technical statistics about the virtual machine of every
application server node.
Select the transform rule which is executed on the object type and click Next.
Tips:
• The “*” character is used to specify all values. For example, “*” in
the minute field means “every minute”.
Pay attention to the effects of “*” in the day-of-week and day-of-
month fields.
• The “?” character is allowed for the day-of-month and day-of-week
fields. It is used to specify “no specific value”. This is useful when
you need to specify something in one of the two fields, but not the
other. For further information, see the examples below.
Pay attention to the effects of “?” in the day-of-week and day-of-
month fields.
• The “-” character is used to specify ranges For example “10-12” in
the hour field means “the hours 10, 11 and 12”.
• The “,” character is used to specify additional values. For example
“MON,WED,FRI” in the day-of-week field means “the days
Monday, Wednesday, and Friday”.
• The “/” character is used to specify increments. For example “0/15”
in the seconds field means “the seconds 0, 15, 30, and 45”. And
“5/15” in the seconds field means “the seconds 5, 20, 35, and 50”.
• The “L” character is allowed for the day-of-month and day-of-week
fields. This character is short-hand for “last”, but it has different
meaning in each of the two fields. For example, the value “L” in the
day-of-month field means “the last day of the month”.
If used in the day-of-week field it simply means “7” or “SAT”. But if
used in the day-of-week field after another value, it means “the last
xxx day of the month”, for example “6L” means “the last Friday of
the month”. Using the “L” option it is important not to specify lists,
or ranges of values, as you will get confusing results.
• The “W” character is allowed for the day-of-month field. This
character is used to specify the weekday (Monday-Friday) nearest
the given day. For example, if you specify “15W” as the value for
the day-of-month field it is “the nearest weekday to the 15th of the
month”. So if the 15th is a Tuesday, then it will start on Tuesday the
15th. If the 15th is a Saturday, it will start on Friday the 14th, and if
Expression Meaning
0 012 * * ? Start at 12pm (noon) every day
0 15 10 ? * * Start at 10:15am every day
0 15 10 * * ? Start at 10:15am every day
0 15 10 * * ? * Start at 10:15am every day
0 * 14 * * ? Start every minute starting at 2pm and
ending at 2:59pm, every day
0 0/5 14 * * ? Start every 5 minutes starting at 2pm
and ending at 2:55pm, every day
0 0/5 14,18 * * ? Start every 5 minutes starting at 2pm
and ending at 2:55pm, AND start every
5 minutes starting at 6pm and ending at
6:55pm, every day
Expression Meaning
0 0-5 14 * * ? Start every minute starting at 2pm and
ending at 2:05pm, every day
0 10,44 14 ? 3 WED Start at 2:10pm and at 2:44pm every
Wednesday in the month of March
0 15 10 ? * MON-FRI Start at 10:15am every Monday, Tues-
day, Wednesday, Thursday and Friday
0 15 10 15 * ? Start at 10:15am on the 15th day of
every month
0 15 10 L * ? Start at 10:15am on the last day of every
month
0 15 10 ? * 6L Start at 10:15am on the last Friday of
every month
0 15 10 ? * 6#3 Start at 10:15am on the third Friday of
every month
Click Next.
information on the PMQL syntax, see Open Text Enterprise Process Services
10.0.1 PMQL - Process Management Query Language
(https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15
252881&objAction=browse&viewType=1).
The PMQL query consists of a fixed part (depending on the job type) and a
dynamic condition part which can be configured.
Conditions support two different replacement tags:
• Last run time of the dispatcher: {_dispatcher.LastRunTime}
<And>
<ProcessInstance.Status
Condition="=">2</ProcessInstance.Status>
<ProcessInstance.ProcessClassName
Condition="Like">*</ProcessInstance.ProcessClassName>
<ProcessInstance.EndTime
Condition=">">{_dispatcher.LastRunTime}</ProcessInstance.End
Time>
</And>
• Current time with a given offset, for example 60 days back (h for hours, d
for days): {_dispatcher.CurrentTime,-60d}
<And>
<ProcessInstance.Status
Condition="=">2</ProcessInstance.Status>
<ProcessInstance.ProcessClassName
Condition="Like">*</ProcessInstance.ProcessClassName>
<ProcessInstance.EndTime
Condition="<">{_dispatcher.CurrentTime,-
60d}</ProcessInstance.EndTime>
</And>
Click Finish.
The new job is created and displayed in the list area.
To start an job:
• Right-click on a job and select Start on the context menu.
The job is started.
Tip: You can select multiple jobs.
To stop an job:
• Right-click on a Job and select Stop on the context menu.
The job is stopped.
Tip: You can select multiple jobs.
To edit a job:
1. Right-click on a job and select Edit on the context menu.
The Edit Job dialog box opens.
2. To modify general settings as required, see step 2 in “Creating new jobs” on
page 84.
3. To modify schedule settings as required, see step 3 in “Creating new jobs” on
page 84.
4. To modify condition settings as required, see step 4 in “Creating new jobs” on
page 84.
5. Click OK to save your changes.
To add agents and reference these agents in the process properties of a process using
Process Designer, see section 5.3.1 "Details on Using the Agent Step" in OpenText
Process Designer - Customizing Guide (PR-CPD).
For further information on agents, for example permissions, types, see Open Text
Enterprise Process Services Agent Framework
(https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15252881
&objAction=browse&viewType=1).
Upgrading To upgrade agents import the new agent registrations, see “Importing agent
agents registrations” on page 108.
Note: The special permissions AgentAdministration control who can view or
change agents.
Refreshing the Right-click on the Agent node or an agent in the list area and select Refresh on the
view context menu to retrieve the status from Enterprise Process Services and update the
view.
To register an agent:
1. Right-click on the Agents node and select Register Agent on the context menu.
The Agent Registration dialog box opens.
2. Modify the fields as required:
Agent Id
Enter the id of the Enterprise Process Services agent.
Agent Type
Mark the Agent Type you want to use: Asynchronous, Synchronous,
External.
Agent class name
Enter the class name for the agent type asynchronous or synchronous, for
example com.opentext.ecm.bpm.agent.ScriptAgent.
For an external agent type the class name is specified as
com.opentext.ecm.bpm.agent.ExternalAgent and must not be changed.
To unregister an agent:
1. Right-click on an Agent and select Unregister on the context menu.
The Confirm Agent Unregister dialog box opens.
Tip: You can select multiple agents.
2. Click Yes to unregister the agent.
The agent is unregistered and removed from the list area.
To start an agent:
• Right-click on an Agent and select Start on the context menu.
The agent is started.
Tip: You can select multiple agents.
To stop an agent:
• Right-click on an Agent and select Stop on the context menu.
The agent is stopped.
Tip: You can select multiple agents.
To edit an agent:
1. Right-click on an Agent and select Edit on the context menu.
The Edit Agent Registration dialog box opens.
2. Modify the values as required (see “Registering agents” on page 94) and click
OK to close the dialog box.
Important
• Properties of deleted or added steps (nodes) and connections are not
listed.
• Existing work items of the old instance will not be changed. This
means, for example, if a work item exists on a step with a time
restriction in the superior process class, the time restriction is not
added to this work item after the re-link. If a new work item is
created the restriction of the superior process class will be assumed.
• For the “creation date” and “author e-mail” changes (possible to set
via Process Designer) no information will be listed.
• Renaming of objects, for example connections, is similar to deleting
and adding them.
• Some elements (time restrictions, client systems, permissions, class
attachment references and data restrictions) are distributed from
“process class” over “step” to “connection”. If one of this elements
will be added, removed or changed the proper error/difference is
added more times to the displayed result list.
Note: The superior process class can only be set if no errors exist.
Tip: You can save the differences of the process classes in a XML file.
Right-click on Save difference list and select the destination.
4. Click Previous to solve the errors or click Finish to set the successor class.
To solve errors either select another process class or upload a new process class
without errors and select this new process class.
1. Select the process class or process instance(s) you want to re-link, right-click and
select Advanced - Re-Link Instances on the context menu.
The Lock all selected process instances dialog box opens.
2. The number of found process instances which will be locked is displayed.
Note: Only process instances with status active or transition can be locked.
Click Next.
The Re-link process instances dialog box opens.
3. The status of the process instances is set to transition. Further information is
displayed:
• Available number of process instances which will be re-linked.
• Number of process instances with work items reserved by users.
• A list of work items which could not be locked. These work items are
reserved by users.
Tip: You can save information about the work items reserved by users in a
XML file. Right-click on Save list and select the destination.
Click Finish to re-link the process instances.
4. All process instance are re-linked and set to active.
If the process class of the process instance does not have any successor process
class the instance cannot be re-linked. Also a process instance cannot be re-
linked if a data object with the same name as the successor process class is
attached on a process class.
Tip: You can save the result of the re-link process in a XML file. Right-click
on Save list and select the destination.
Click Close to close the dialog box.
Not allowed Changes for following elements and properties are not allowed:
changes for
elements and
properties
Element “Attribute”
• Change values of an attribute (only change no remove/add)
Note: If you change the values of a disposition field these changed values are
only displayed for new instances. For running instances the old disposition
values are displayed.
Not allowed Changes for the following step types are not allowed:
changes for step
types
Tip: The preferred way to deploy an existing process class definition to another
system is uploading the original process definition using Process Designer.
Downloading the definition in Process Administrator should only be used if
the original process definition is lost.
A sub folder with the name of the profile is created containing the two xml files
with the work queue configurations.
17.1 Icons
Process groups The following table provides an overview of all available process group and process
and process class icons.
classes
Classes active as Process classes that can be selected in the Reports list by the
report user
Active classes Active, can be selected from the Start Process list by the user
Invisible classes Invisible, cannot be selected by the user. Process class and
the instances or work items are not visible for the user, not
even via a report
Inactive classes Inactive, cannot be started, instances are processed to the
end node as designed
Process The following table provides an overview of all available icons of process instances.
instances
Work items The following table provides an overview of all available work item icons.
Jobs The following table provides an overview of all available job icons.
Agents The following table provides an overview of all available agent icons.
The following table provides an overview of available filter fields for process
instances.
The following table provides an overview of available filter fields for process work
items.
Property Field
Id String
CurrentStep String
CurrentConnection String
Title String
ProcessInstance String
User.Id String
User.Email String
User.DisplayName String
User.Name String
User.WqlId String
LastUser.Id String
LastUser.Email String
LastUser.DisplayName String
LastUser.Name String
LastUser.WqlId String
OriginalUser.Id String
OriginalUser.Email String
OriginalUser.DisplayName String
OriginalUser.Name String
OriginalUser.WqlId String
AgentId String
SubProcessWorkItemId String
LastUser.OutOfOffice Integer
Property Field
User.OutOfOffice Integer
Status Integer
ReceivedAction Integer
SentAction Integer
DueTimeCount Integer
Priority Integer
OutOfOffice Integer
Disposition Integer
ExceptionStatus Integer
CreationTime Long
DueTime Long
PostponeTime Long
OpenedTime Long
ReceivedTime Long
SentTime Long
StepLate Boolean
This part describes the administration of TCP Application Server using TCP
Configuration and TCP Application Manager.
With TCP Configuration and TCP Application Manager you perform the following
tasks:
• Administer auditing and classification
• Create and manage TCP projects
• Maintain the connections to other servers in the TCP landscape
• Monitor the logging
• Re-configure TCP Application Server
Content This part contains the following chapters:
“Prerequisites” on page 117
This chapter describes how to set up the effective system user and how to deploy
the TCP Application Manager.
“Administering audit entries” on page 121
This chapter explains how to set up and manage the auditing functionality.
“Administering classification” on page 127
This chapter explains how to manage the classification functionality.
“Administering Open Text TCP” on page 133
This chapter describes how to monitor and administer TCP using the TCP
Configuration. It also contains a section about the re-configuration of TCP
Application Server.
“Re-configuring TCP Application Server” on page 161
This chapter describes the re-configuration of TCP Application Server using the
TCP Configuration Web GUI or TCP installer.
“Configuring and customizing the TCP application” on page 167
This chapter describes how to configure the TCP application via changes of the
configuration files. It is also explained how the application can be rebuilt and
deployed.
• Deploy TCP Application Manager. This tool is needed for the auditing as well as
classification administration. For details, see “Working with TCP Application
Manager (PDMS UI only)” on page 117.
Important
TCP Application Manager is available only with PDMS UI.
2. Deploy the project in TCP Configuration; see “Open Text TCP Application
Server administration” on page 115.
With the single-sign-on feature, you do not have to log on to PDMS Web Client
explicitly. If configured accordingly, your general system log on can be used to
access PDMS Web Client directly. In this case, the log on page is skipped and the
starting page, respectively the group selection page is displayed immediately.
Note: If your computer uses the HTTP protocol and SSL (Secure Socket Layer)
to communicate with the server, it may be necessary to install an SSL certificate
on your computer when you start the program for the first time. This SSL
certificate identifies the addressed server as a trustworthy source.
For questions concerning the installation of such certificates, contact your
system administrator.
Important
While any user with the required permission can view the audit entries for a
particular item directly within PDMS UI, only a designated Record
Manager/Administrator belonging to the group AuditOfficers can work
with TCP Application Manager.
2. In the resulting hit list, open the Properties page for the item.
3. Select the Audit entries action.
All available audit entries for that item are displayed as a hit list.
The Audit Entries hit list displays all audit entries that match the specified criteria.
The Obsolete Audit Entries hit list displays audit entries containing the Delete
event for an item.
Tip: You can delete several individual audit entries at once by performing a
multiple selection in the hit list and then using the Delete action in the function
bar.
Tip: You can also print or export this hit list; see “Exporting and printing lists
of audit entries” on page 125.
Depending on the settings in Options, either the current page or the entire hit list is
printed.
Depending on the settings in Options, either the current page or the entire hit list is
exported.
To create a classification:
1. Expand the selection list in the general functions area and select Classification
as the item type to create.
Property Description
Classification name Name of the classification
Assignable Option whether the classification is allowed to be assigned
to an item by the users.
Only deactivate for obsolete classifications or classifica-
tions that are used to structure the classification hierarchy.
Parent Name of the superior classification in the classification
tree.
If no Parent is defined, a root classification is created.
Important
When you delete a classification, all subclassifications are deleted, as well,
whereas assignments of those classifications to items are NOT deleted. Thus,
rather than deleting classifications, OpenText recommends making them
unassignable for further items by deactivating the Assignable option (see
“Editing classifications” on page 128).
If you must delete a classification, delete the assignments of any items to the
classification and its subclassifications first, and then delete the
classifications.
To delete classifications:
1. In the classification tree or hit list, find the classification you want to delete, and
click Delete .
If the icon is not available in the hit list, click Show properties and actions to
switch to the Properties page and select the Delete action there.
2. Click Confirm to confirm the deletion.
The classification and all its subclassifications are deleted.
<root_class>:<subclass1>:<subclass2>:...
The DocuLink tree is displayed in the navigation area. The subclassifications of the
currently open folder are displayed as a hit list in the working area.
classifications, are still listed in this field. However, if you deselect such a
classification and save the settings, the unassignable or deleted
classification is no longer available.
If the Classification property is included in a query assignable classifica-
tions are available as search criteria. Unassignable classifications are only
listed in the PDMS Web Client, whereas not in the TCP Web Client. De-
leted classifications are not available as search criteria.
Navigation area
The navigation area on the left is divided into the following sections:
General
General settings for TCP Application Server. For details, see “General project
settings” on page 138, “Managing access for ArchiveLink calls” on page 186,
“Configuring Single Sign-On (SSO) for PDMS UI” on page 142 and
“Logging” on page 145.
Projects
List of available projects on TCP Application Server. The project name is an
active link to the project page. For details, see “Projects overview” on
page 135 and “Managing projects” on page 136.
Configuration packages
Packages to re-configure TCP Application Server. For details, see “Re-
configuring TCP Application Server” on page 161.
Working area
The working area displays the selected page. Initially, it displays the Projects
Overview page.
General functions area
The general functions are available on all the pages:
Icon Function Description
Add Project Opens the New Project page.
Status
• A green icon shows that the project is running.
• A red icon shows that the project is stopped due to an error with starting or
reloading the project (e.g. invalid GUI configuration). For details check the
log file (see “General” on page 145).
About Open Text Transactional Content Processing
Shows information about the current software version.
Reload Configuration
Reloads the new configuration of all TCP applications on the server to put the
changes into effect without restarting TCP Application Server. Also, if you add
or remove a project, you have to click this button to see the changes in the TCP
application.
Warning
Consider that after a reload of the configuration the active users (TCP
Web Client and PDMS Web Client) are disrupted in their work. The
users get a corresponding message and are forced to relogin to continue
work.
Thus, it is recommended to perform the reloading of the configuration in
times where no or only few users are affected.
The following changes cannot be made on the fly and force a restart of the
application:
• Enable or disable SSO
• Changes to the Enterprise Process Services configuration packages
• Adding or changing application server datasources
Project Name
Enter a descriptive name for the project.
Description
Enter a description of the project.
Project Identifier
Enter the project identifier from TCP Modeler. For details, see Open Text TCP
Modeler - Customization Guide (TCP100001-CGD).
Note: A project identifier can only be used once in all projects.
System User
Enter the name of the system user for your project. The default user name is
BizEffectiveUser_default. For details, see “Managing system users” on
page 117 and Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
Password
Enter the password for the system user.
Domain
Enter the domain for the system user.
Default Repository Id
Enter the default repository ID. Usually the default entry is the project name.
Note: You have to change this value for projects you migrated from BPM
Server 9.7.1. In this case you have to enter “Context” as Default Repository
ID (see also OpenText Transactional Content Processing - Upgrade Guide (TCP-
DGD)).
TCP Context Server URLs
The URL of the TCP Context Server host or hosts, if a cluster is used. Separate
URLs of different cluster nodes with a new line.
This setting is pre-configured with the URL defined during installation.
Note: TCP projects on one TCP Application Server can use different
Context Servers as long as User Management Server is the same.
TCP Context Server Protocol
Select whether to use the http protocol or the https protocol for SSL
communication with TCP Context Server. For information on further settings for
SSL, see “Configuration for SSL” on page 373.
Actions
The Actions bar is available only on the Edit Project page.
Icon Tool tip Description
OK Saves your settings.
Click Reload Configuration on the Projects Overview
page to apply this change to the TCP application.
Delete Project Deletes the project.
Click Reload Configuration on the Projects Overview
page to delete the project.
The general project settings specify the connection to TCP Context Server and
ArchiveLink URL generation. The settings are used for the ClientLib of TCP Context
Server. The default value of a parameter is given in square brackets.
New: With patch TCP-1001-068 or higher, the ArchiveLink URL generation is
defined by the general settings ArchiveLink Host, ArchiveLink HTTP Port,
ArchiveLink HTTPS Port and ArchiveLink SSL Mode.
Protocol Handler
HTTP protocol handler [JAKARTA]
(Property name: DS_PROTOCOL_HANDLER)
Default Project
Project settings such as access right or presentation settings of the default project
are used in situations where no project is yet selected, mainly in the project
selection dialog of the TCP application.
The following settings from ADC.properties are used:
adc.browser.disableCaching and adc.config.content.encoding.
ArchiveLink Host
The host name used to process the ArchiveLink requests. In case of a clustered
environment, enter the host name of the load balancer, otherwise the name of the
TCP Application Server.
Default value: Name of the TCP Application Server that was specified during the
installation.
ArchiveLink HTTP Port
The HTTP port used to process the ArchiveLink requests. In case of a clustered
environment, enter the HTTP port of the load balancer, otherwise the HTTP port
of the TCP Application Server.
Default value: HTTP port of the TCP Application Server that was specified
during the installation by the port binding set.
ArchiveLink HTTPS Port
The HTTPS port used to process the ArchiveLink requests. In case of a clustered
environment, enter the HTTPS port of the load balancer otherwise the HTTPS
port of the TCP Application Server.
Default value: Port binding set specified during the installation + 8443, for
example 38443.
ArchiveLink SSL Mode [SSL Off]
Select On if you want to use SSL for ArchiveLink. In this case provide also the
ArchiveLink HTTPS port (see above). For more information about SSL
configuration, see “Configuration for SSL” on page 373.
ArchiveLink Extended Info [Off]
Select On if you want to retrieve extended information for each component of a
document.
Important
If you select On, it takes significantly more time to display a document
stored in a TCP Business Object Layer repository.
Important
If your load balancer or Web proxy server is an Apache server with SSL and
you use an Internet Explorer for working with the TCP systems, you must
remove the following settings in the Apache's ssl.conf file to use SSO :
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Important
If you change SSO enabling for a current project, you must re-deploy
TCP, which will destroy all current sessions.
• Defining an SSO key store, key alias, and an SSO user in the security settings, see
“Security settings for TCP Application Server” on page 367
• Extending the URL for logging on to a PDMS Web Client as follows:
http://<host>:<port>/TCP/SSO/<projectName>
If the project with the given project name does not exist, the project selection
page is displayed in case you have access to more than one project. Otherwise
the log on page of the single project is displayed.
Important
The NTLM protocol on the domain controller must be activated and
special settings on the clients are required. For details, see “Configuring
NTLM settings on the clients” on page 144.
For Firefox/Mozilla:
• Define TCP Application Server as a trusted server. To do so, change the browser
configuration as follows:
a. In the browser address bar, enter about:config.
b. Enter ntlm as a filter.
c. In the displayed list of configuration parameters, find network.automatic-
ntlm-auth.trusted-uris. Set the value to the name of the host as specified
in the URL.
For example, for the URL
https://myhost:<port>/TCP/SSO/<projectName>, enter the value
myhost.
For the URL
https://myhost.opentext.net:<port>/TCP/SSO/<projectName>, enter
the value myhost.opentext.net.
You can enter several hosts, separated by commas.
d. After editing the configuration, restart Firefox.
21.5 Logging
21.5.1 General
This section describes configuration issues for the logging, monitoring and profiling
features. The logging is based on the log4j package of the Apache Jakarta Project
(see http://jakarta.apache.org/ for detailed information on advanced
configuration).
Main categories
The three main categories containing categories (subcategories) to configure
logging for certain kinds of events. Each main category can be configured
independently.
Logging
For debugging (see “Configuring the logging categories” on page 146)
Profiling
Duration of special actions on the application server (see “Configuring the
profiling categories” on page 152)
Monitoring
Basic events in the application, for example request received (see
“Configuring the monitoring categories” on page 156)
Subcategories
All main categories have subcategories. Subcategories describe particular
occurrences or problems. The subcategories are described in the corresponding
section for each main category.
Level
The level configures the log level for a category to be logged.
If a specific level is set for a category, all entries of this level and the higher levels
will be logged. This means that if the level Warning is set, all entries for Fatal,
Error and Warning are logged.
Appender
The appender specifies the format of the logging entry, whether it is stored as an
entry in the log file or sent as an e-mail notification, etc. The appender can be
configured in the file <TCP installation directory>\custom\ixosappconf.-
jar\log4j.xml.
Log files The log files are written into the directory:
directory JBoss: <jboss-home>\server\<your-configuration>\log\
WebSphere: <WAS_HOME>\profiles\<your-profile>\logs\
• Logging is written into a file named TCPApplication.log.
• Monitoring is written in a file named TCPApplication_monitor.log.
• Profiling is written in a file named TCPApplication_profiling.log.
• TCP configuration changes are logged in a file named
TCPApplication_appconfig.log.
Important
Ensure that the project base URL is set to be able to define the settings in
the GUI, see Project Base URLs on page 140.
• In an XML file in the TCP J2EE application – In this case, the logging settings
are permanent.
The log4j.xml file is located in the ixosappconf.jar in the application EAR
file (tcpappserver.ear).
The settings are similar for both methods and are described for the individual
categories in the following sections.
Important
The logging will always be written to the log file on the host that processes
the request. If a session is started, all requests will be processed by the same
host. However, the log on page is independent from the session and may be
processed by another host of the cluster. So, possibly, the logging of the log
on page and the logging of the session will each be written on a different
host.
To configure logging:
1. Select Logging in the general section of the TCP Configuration GUI.
The following page is displayed:
2. Select all the logging categories that you want to set to a particular log level.
You can use SHIFT or CTRL to make multiple selections.
3. In the Log Level list box, select the appropriate log level. The log level for the
categories changes immediately. The new log levels are displayed in the
Categories area.
4. Repeat the process for the next log level.
TCP
Problem Subcategories
Log-in, user management Log-in
ADCSession
ADCDirectAction
ixos.adc.acc
Problem Subcategories
Rights ixos.adc.acccontrol
Description Subcategories
Complete Process Service (without com.opentext.ecm.bpm
WQL)
Process agents com.opentext.ecm.bpm.agent
Description Subcategories
Repository service com.opentext.ecm.bpm.repositories
Variable Description
<Log Level> Indicates the selected log level
<Time stamp> Indicates when the action occurred
<Thread> Thread that initiated the log entry
<Class+Method> Class and method that created the log entry
<Loglevel-dependant Can be various types of information, depending on the log
information> level, for example the error message or stack trace
To change the configuration of the standard logging, change the <root> entry:
<root>
<priority value="WRN"
class="ixos.log4j.LogPriority" />
</root>
<appender name="A1" class="ixos.base.log4j.LogPriority">
<param name="File" value="\temp\logging.log" />
<param name="Append" value="true" />
<param name="MaxBackupIndex" value="10" />
<param name="MaxFileSize" value="20MB" />
<layout class="ixos.base.log4j.ExtPatternLayout">
<param name="ConversionPattern"
value="%c{2}\t%d\t%m\t%n" />
</layout>
</appender>
The default appender for the logging is set to a FileAppender, which writes to a file
named TCPApplication.log.
If you want to write the logging entries of this subclass to a file other than the
default file, you can configure another appender and set it to the subcategory. This
example writes to the file \temp\usermodel.log:
<category class="ixos.base.log4j.LogCategory"
name="ixos.adc.eof.usermodel"
additivity="false">
<priority value="DBG" class="ixos.base.log4j.LogPriority" />
<appender-ref ref="A5" />
</category>
<appender name="A5" class="org.apache.log4j.FileAppender">
<param name="File" value="\temp\usermodel.log" />
<param name="Append" value="true" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern"
value="%c{2}\t%d\t%m\t%n" />
</layout>
</appender>
additivity="false" means that the logging events are only written to the
appender configured for this subcategory. true would also write to the appenders
of parent categories.
To configure profiling:
1. Select Profiling in the general section of the TCP Configuration GUI.
The following page is displayed:
2. Select all the profiling categories that you want to set to a particular log level.
You can use SHIFT or CTRL to make multiple selections.
3. In the Log Level list box, select the appropriate log level. The log level for the
categories changes immediately. The new log levels are displayed in the
Categories area.
4. Repeat the process for the next log level.
Level Description
PROF Profiling entry, no different levels. The entry
contains the duration of the specific action.
NOPROF Profiling is off
Variable Description
<Used time> Indicates the time required to perform the action.
<Action> Corresponds with the subcategory without the main category pre-
fix, for example doc.upload.
<Action- Can be various types of information, depending on the action, for
dependant values> example the uploaded document.
To configure monitoring:
1. Select Monitoring in the general section of the TCP Configuration GUI.
The following page is displayed:
2. Select all the profiling categories that you want to set to a particular log level.
You can use SHIFT or CTRL to make multiple selections.
3. In the Log Level list box, select the appropriate log level. The log level for the
categories changes immediately. The new log levels are displayed in the
Categories area.
4. Repeat the process for the next log level.
ALERT/FAIL
ADMIN
Variable Description
<Log Level> Indicates the selected log level.
<Action> Corresponds with the subcategory without the main category pre-
fix, for example user.login.
<Time stamp> Indicates when the action occurred.
<Action- Can be various types of information, depending on the action, for
dependant values> example the user that logged in.
To change the configuration of the standard logging, change the <root> entry (e.g.):
<category class="ixos.base.log4j.MonitorCategory"
name="MONITOR"
additivity="false">
<param name="delimiter" value="\t" />
<priority value="ADMIN"
class="ixos.base.log4j.MonitorPriority" />
<param name="escalationThreshold" value="10" />
<param name="escalationInterval" value="60" />
<appender-ref ref="A3" />
<appender-ref ref="A2" />
<\category>
<appender name="A3" class="org.apache.log4j.FileAppender">
The escalationThreshold defines how many FAIL events must occur in the same
subcategory in the time interval defined in escalationInterval (in seconds) in
order to send an ALERT. In this example, an ALERT is sent if more than 10 false log-
ons occur in 60 seconds.
For the MONITOR category, an e-mail appender is defined, which sends an e-mail if
an ALERT event occurs.
A configuration for a subcategory works the same way as with logging.
Important
If you save the changes of the configuration, current user sessions are
terminated immediately!
2. In the log on window, use the Admin log on Admin and the password you
entered during installation or configured afterwards (see “Changing password”
on page 135). The TCP Configuration opens.
3. In the Configuration Packages section of the navigation area, click PS. The PS
page opens.
You must adapt host, port, and work queue ID of the link depending on
your environment. You can retrieve the work queue ID via Process
Administrator.
Example:
Dear {workItem.currentUser.displayName},
The work item
http://myserver/tcpweb/Tcp.aspx?UID={workItem.currentUser.id}&
SelectedProject&ProtocolVersion=1.0&CientMode=Full&GroupID&Act
ionID=Open&ActionTarget=OpenText.Ecm.Tcp.Model.WorkItemAction&
Property1={workItem.id}&Property2={_default.systemWQ_ID} was
assigned to you.
Tip: You can store the work queue ID in a data field and access it via
replacement tag in the link; in the example, this is
{_default.systemWQ_ID}.
Default Exception Action
Select if an e-mail is sent for each work item that causes a problem at the
asynchronous engine handling.
File appserver.ear\deployment.xml.default:
Only needed for WebSphere application server! For registering custom jar files
that contain ejbs in WebSphere application server the file deployment.xml in
tcpappserver.ear must be replaced. To do so, copy the given example file
deployment.xml.default to deployment.xml and add for every custom jar file
containing ejbs a separate EJBModuleDeployment line. The ID must be greater
than the IDs of already defined EJB-ModuleDeployments.
Directory configuration.data.add:
Allows inserting or updating entries in the configuration table. The key-value-
pairs defined in properties files in this directory are mapped to the according
columns (sName and sValue) of the configuration table. If the key is set to delete
the value is interpreted as sName entry to be deleted from configuration table.
Some characters must be escaped in properties files if they occur in name or
value:
• “\” must be written as “\\”
• “: ” must be written as “\:”
Directory custom.jar:
Files and directories added to this directory are packed into a file custom.jar.
The generated file is afterwards inserted into the file tcpappserver.ear.
File ddo.jar\META-INF\hivemodule.xml.default:
For replacing the file hivemodule.xml in ddo.jar, copy the given example file
hivemodule.xml.default to hivemodule.xml and adapt it.
Directory ear.add:
Files and directories added to this directory are inserted into the
tcpappserver.ear file.
Important
Do not insert a file custom.jar into this directory.
Also files that already exist in the default file tcpappserver.ear are not
allowed.
File ixosappconf.jar\log4j.xml.default:
For changing logging behavior the file log4j.xml in ixosappconf.jar can be
replaced. To do so, copy the given example file log4j.xml.default to
log4j.xml and adapt it.
Files port.binding.sets\portBindingSet.<portSetName>.properties:
Only used for port binding in JBoss application server! Adapt given or add new
port binding sets in this directory. <portSetName> is referenced by the parameter
jboss.port.binding.set in the installation parameters used for rebuilding the
TCP application. To take care of changes made to port binding set, the complete
installation must be repeated.
File ps-server-engine-core.jar\calendar\calendar.xml.default:
For administrating the calendar service replace file calendar.xml in ps-
server-engine-core.jar. To do so, copy the given example file
calendar.xml.default to calendar.xml and adapt it (see “Configuring
calendar service” on page 170).
File application.xml.add:
Jar files put to directory ear.add must be registered in file META-
INF\application.xml of tcpappserver.ear. To do so, the content of file
4. To work with the custom agent you must register it (see “Registering agents” on
page 94).
calendar.xml The calendar.xml defining the working hours and scheduled blocks has the
following definition:
The block of working hours defines working days which contains working blocks. A
working day has an office, a time zone like “Europe/Berlin” (Java ID of the time
zone) and a day of week (starts with Sunday = 1, Monday = 2, … ). The start and
end time of a working block has to be defined in the specified time zone (for
example “Europe/Berlin”). A working day can contain an arbitrary number of
working blocks.
• Hour: An hour is represented by a number from 0 to 23 (17h = 5pm).
• Minute: A minute is represented by a number from 0 to 59.
• Second: A second is represented by a number from 0 to 59.
<WorkingDay>
<DayOfWeek>2</DayOfWeek>
<TimeZone>Europe/Berlin</TimeZone>
<Office>Kempten</Office>
<WorkingBlock>
<StartTime>
<Hour>8</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartTime>
<EndTime>
<Hour>12</Hour>
<Minute>0</Minute>
<Second>0</Second>
</EndTime>
</WorkingBlock>
<WorkingBlock>
<StartTime>
<Hour>13</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartTime>
<EndTime>
<Hour>17</Hour>
<Minute>0</Minute>
<Second>0</Second>
</EndTime>
</WorkingBlock>
</WorkingDay>
Scheduled blocks define holidays. A scheduled block has an office, a time zone like
“Europe/Berlin” (Java ID of the time zone), a comment and a start/end date.
• Month: A month is represented by a number from 1 to 12 (1 = January).
• Day: A day is the day of the month. The first day of the month has value 1.
• Hour: An hour is represented by a number from 0 to 23 (23h = 11pm).
• Minute: A minute is represented by a number from 0 to 59.
• Second: A second is represented by a number from 0 to 59.
<ScheduleBlock>
<TimeZone>Europe/Berlin</TimeZone>
<Office>Kempten</Office>
<Comment>New Year</Comment>
<StartDateTime>
<Month>1</Month>
<Day>1</Day>
<Year>2005</Year>
<Hour>0</Hour>
<Minute>0</Minute>
<Second>0</Second>
</StartDateTime>
<EndDateTime>
<Month>1</Month>
<Day>1</Day>
<Year>2005</Year>
<Hour>23</Hour>
<Minute>59</Minute>
<Second>59</Second>
</EndDateTime>
</ScheduleBlock>
• Default Office:
The Default Office is used if there is no office set for a user.
• Office User Property:
The Office User Property defines the name of the User Management Server
property containing the office of a user. The default value is Location. This name
is used when property in the configuration is empty.
This part describes the administration of TCP Context Server using TCP Context
Server administration and TCP Context Server configuration.
With TCP Context Server administration and TCP Context Server configuration you
perform the following tasks:
• Monitor the performance and working of the server
• Setup and maintain the connections to other servers in the TCP landscape
• Administer and backup the database
• Re-configure TCP Context Server if necessary
Content This part contains the following chapters:
“Major administration tasks” on page 177
This chapter gives an overview of the major administration tasks.
“Administering TCP Context Server” on page 179
This chapter contains the administration task which must be performed on TCP
Context Server
“Searching with the query builder” on page 202
This chapter explains how to build valid SQL statements with the query builder
“Administering the database” on page 217
This chapter contains maintenance tasks for the databases, such as back up.
“Re-configuring TCP Context Server via configuration packages” on page 223
This chapter explains how to re-configure certain functions of TCP Context
Server.
Important
Changing the default user may impact access to existing documents.
Consequently, either the default ACLs or the ACLs of the archived
documents may have to be changed.
Click OK.
To administrate forms:
1. Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar
and log on as DMSAdmin.
2. In the navigation area, click Form overlay to display information about the
forms.
• Start-Of-Assignment
• Start-Of-Offset
• Start-Of-Page
• Start-Of-FormularID
For details on these parameters, see Open Text Imaging Windows Viewer - User Guide
(CLWVW090700-UGD).
If you have not uploaded a FORM.INFO file, this file contains the default values. For
details on upload, see Form info on page 186.
Viewing the Click View entity information to display the technical information stored in TCP
Entity Context Server for the form and its components.
Information
The Components of <document ID> page opens.
Click <component name> to display the component with Windows Viewer.
Content
Use the Browse button to upload the first page of the form, that is the first
component. You can add pages later. For details, see “To change a form:” on
page 185.
3. Click OK. The application returns to the Forms page. The list shows the new
form.
Important
If you change an already used and activated form, these changes are
immediately in place for the next viewing request. Therefore, be careful with
changes, and use the version scheme to create new forms.
To change a form:
1. In the navigation area, click Form overlay.
This page displays an overview of the parameters for all the forms:
2. On the Forms page, click Edit form in front of the form you want to modify.
The Edit form page opens.
3. You can change the following parameters or files:
Status
Select a status in the list box.
Activation date
Enter the activation date of the form. Use the format yyyy-MM-dd.
Upload
Select a file to upload:
Form info
Upload the FORM.INFO file created by Windows Viewer and link it to the
form.
For information on how to change the layout and position of the form
overlay, see Open Text Imaging Windows Viewer - User Guide
(CLWVW090700-UGD).
Content
Add another component (page) to the form.
Click Browse to navigate to the appropriate file.
4. Click Submit.
The application returns to the Forms page. If you added a new component, you
can see that the number of components has increased accordingly.
You can specify a user for each logical archive, and assign default permissions to
this user with an ACL. When documents are archived via ArchiveLink, these default
permissions are used instead of the permissions of the system record type. For
details, see Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
Note: You can only set, view and remove default ACLs when you are logged
in as a member of the DMSCustomizers group (for example DMSCustomizer)
with the domain _internal.
2. In the navigation area, click Key management to manage security keys and
certificates.
The following features are available:
• Show current private key and certificate
Displays details to the private key and the corresponding public certificate.
Click Show Cert. to view the certificate.
• Replace current private key and certificate
Use this feature if you want to replace the default private OpenText key with
one from a trust center.
1. Click Browse to select a pem containing the key certificate pair (certificate
and key).
2. Click Upload Cert. to replace the current key and certificate by the pair
selected in step 1.
• Send certificate to the Archiving Services
After uploading the new pem file, you must send it to the Archiving Services
where it will be activated. Select which logical archive the certificate should
be used for and confirm with Send Cert.
You must enable the certificate on the archive server. For details, see section
7 "Configuring Security Settings" in OpenText Archive Server - Administration
Guide (AR-ACN)).
• Create internal user corresponding to the private key
Some scenarios (like following hyperlinks in print lists, accessing some
forms) require the creation of an internal user from the internal certificate. To
create such a user, you must be logged on as an User Management Server
administrator.
Click Create User to create an internal user.
The name of the new user is ixos. That user's password should be changed
within User Management Client.
• Show enabled user certificates
Click OK to display all enabled user certificates.
• Show disabled user certificates
You must be logged on as a User Management Server administrator.
Click OK to display all disabled user certificates
context specified by the default user. This user is created with the Import Certificate
Wizard. The signed URLs are specified by SAP within the ArchiveLink 0045 interface.
SSO checker for signed URLs is configured by default in User Management (see
“Configuring the SSO checkers” on page 257) and the need for a signature must be
activated via the logical archive on the archive server (see section 7.2.3 "SecKeys
from SAP" in OpenText Archive Server - Administration Guide (AR-ACN)).
This wizard creates an enabled default user in User Management and sets the
necessary rights.
Note: You can only perform this wizard as User Management Server
administrator.
To import certificates:
1. Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar
and log on as DMSAdmin.
2. In the navigation area, click Import certificates to start the Import Certificate
Wizard.
3. Authenticate as UMS administrator
a. To authenticate as User Management Server administrator, enter its user
name, clientele, domain and password.
b. Click Next.
4. Choose archive
a. Select the logical archive to be enabled.
b. Click Next.
5. Set user rights
a. Enter the name of the default user you want to create. The default user gets
the rights needed for the creation of a user.
b. Click Next.
6. Send certificate from the leading application
Open your leading application (for example SAP) and send the certificate to
TCP Context Server.
7. Import certificate
Transfer a certificate from the leading application.
a. Open your leading application (for example SAP) and send the certificate to
TCP Context Server.
b. If the certificate is sent successfully, click Next.
Figure 25-1: Manual and scheduled TCP Context Server job execution
Important
The delivered retentionjob.js script is only a sample and starting
point for custom development. After a standard installation, there are no
entity types in the system for which a retention period is defined;
therefore by default this script will not find anything to delete. Contact
OpenText Global Services if you want to use retention management.
Notes:
1. Parameter is only relevant for scheduled execution. Do not enter parentheses.
startCODMSR3
This job starts the COLD document pipeline to process data and documents
to be archived into TCP Context Server. Attributes are archived to SAP.
Recommended scheduling: hourly.
startCODMSXSL
This job starts the COLD document pipeline to process XML data to be
archived into TCP Context Server.
Recommended scheduling: hourly.
startCODMSXSLR3
This job starts the COLD document pipeline to process XML data to be
archived into TCP Context Server. Attributes are archived to SAP.
Recommended scheduling: hourly.
startEXDMS
Starts the batch import document pipeline to process data and documents
which are to be imported into TCP Context Server.
Recommended scheduling: hourly.
startEXDMSR3
Starts the batch import document pipeline to process data and documents
which are to be imported into Context Server and SAP.
Recommended scheduling: hourly.
Purge job
This job removes stored information about previously executed jobs from TCP
Context Server. This includes message protocols that each job creates in the
var\log\messages directory of TCP Context Server installation as well as some
statistics placed in the TCP Context Server database for each job execution.
This job uses the settings Job Age before Purging and Jobs Kept after
Purging (Max Number). Configure these parameters as desired in the
DMSCORE package in the TCP Context Server Configuration Web GUI. For
details, see “Configuring Context Server (DMSCORE)” on page 232.
Recommended scheduling: daily, during after-hours
Note: If you want to abort a running job, click Abort. Then the job is aborted
immediately. You cannot resume an aborted job.
3. Set the parameters for the communication between the scheduler and TCP
Context Server, see “Setting communication parameters on the archive server”
on page 198.
4. Create and schedule the TCP Context Server jobs, see “Scheduling TCP Context
Server jobs” on page 199.
If you want to
change the
password, en-
crypt it with the
command line
tool enc.
DMS_CLIENTELE Organization name in User Management defaultcliente
le
25.7 Logging
TCP Context Server delivers an elaborate logging system for troubleshooting.
OpenText recommends that you use the default log level WARN for all components
during normal working times. For details, see “Static logging” on page 200.
For troubleshooting, extend the log level dynamically. For details, see “Dynamic
logging” on page 200).
Log levels The different levels of logging are:
Static logging The static log level of the whole TCP Context Server is defined in the parameter Log
Level within the TCP Context Server configuration package COMMON. For details,
see “Configuring static logging (COMMON)” on page 229.
Dynamic logging For troubleshooting, it is possible to set the log level for selected categories
dynamically in the TCP Context Server administration.
Note: The log level will be reset to the values defined in the TCP Context
Server configuration package DMSCORE with the next server restart.
2. In the TCP Context Server section of the navigation area, click Undo checkout.
The Find records page opens.
3. Select whether you want to search for locked or checked out records.
4. Enter the user and its domain who locked or checked out records (e.g user
DMSAdmin and domain _internal). In addition or alternatively, you can select
the record type of the records.
5. If you want to refine the query, enter display name, date and/or record ID. You
can use wildcards for the display name: % matches any chars, _ matches one
char, \ for escaping.
6. Click Search to start the search.
A list with the locked or checked out documents opens. Above this list, the
search parameters are displayed.
7. Select Unlock in front of the document(s) for which you want to undo the
checkout and click OK.
To build a query:
1. Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar.
2. In the TCP Context Server section of the navigation area, click Build query.
The Query Builder page opens in a new window.
3. Build your query. If you use the Internet Explorer, you copy an element (for
example operator, entity type, property or relation) into the query field by
clicking on it. If you use another browser, do this by copy and paste.
4. Additionally, you can enter parameter values in the Parameter section to build a
query that uses parameters.
5. Select the appropriate options in the Options section.
Fetch limit
Limits the number of displayed hits to the value entered. You are informed if
the query produced more hits than displayed. Default is 200.
Timeout
Time in seconds a query may take to be executed. The query will be
terminated, when the timeout is reached. Use this option to avoid a
performance reducing action on your database while you are still testing
your query. Default is 10 seconds.
Format XML
Beautifies the XML you entered. Default is yes.
Show SQL
Displays the SQL statement that was formed according to your XML query.
Depending on the complexity of your XML query, there may be more than
one SQL statement. In this case they are numbered from 1 to n. Default is no.
Show Execution Plan
Displays the database execution plan or plans that are a result of the SQL
statement. Execution plans reveal the activity of a database while processing
the query. This information is provided for debugging and mainly intended
for use by OpenText Global Services. Default is no.
Execute
Executes the query. For testing and debugging, disable this option. Default is
yes.
Tip: If you request support, enable Show SQL and Show Execution Plan,
disable Execute and make the result page available to your contact person at
OpenText.
Host name
Name of the Livelink fulltext host
Fulltext server URL
URL of the fulltext host, for example
http://ll_server/livelink/livelink.exe
Slice path
Specifies the directory in the fulltext carrier from which the XML Activator
process reads data as XML file. The carrier writes the documents into this
directory.
Propagate regions
The propagate regions functionality forwards the definition of the properties
to be indexed to the Livelink. This saves configuration efforts. Select one of
the following options:
• Propagate regions in case the Livelink fulltext server is already running
and the fulltext carrier is running on the same host as the Fulltext Server.
The bootstrap file is part of the carrier installation and must be manually
copied to the Slice directory. This file will be indexed as first file and will
make the regions (TCP properties) known on Livelink side.
• Don't Propagate regions in case the Fulltext Server does not run yet. You
must propagate the regions later.
• Propagate regions and create bootstrap file to create a bootstrap file
which is sent to the Livelink for indexing to make the regions known
there. This requires that the fulltext carrier runs on the Context Server
host.
You can set this option also later.
5. Click OK to save your settings. You return to the Fulltext Servers overview
page.
Important
Follow these instructions after the fulltext configuration:
1. After creating the search template, you must specify the search template
ID in the <id name> tag (of the XML configuration file) to avoid errors,
for example <id name="My_Fulltext_Solution"
template="MY_FULLTEXT_OWNERID_208">. For details, see section 12.4
"Specifying the search template ID in XML configuration file" in Open
Text Transactional Content Processing - Scenario Guide (TCP100001-GCS).
2. The fulltext configuration must not be changed if it is already used for
indexing, that is a fulltext filter that uses this configuration is defined
and documents are created with this document type.
3. You can define only one fulltext filter for a document type (= record
type).
4. Define the filter for exactly that operation that TCP Modeler delivers via
the Fulltext button. For details, refer to section 2.2.4 "Filters - fulltext
and rendition jobs" in Open Text TCP Modeler - Customization Guide
(TCP100001-CGD).
5. New configurations may be added, but the new configuration can only
be used for document types that are not already used for storing
documents.
6. Use only one single fulltext carrier per fulltext configuration, even if the
other carrier runs on a different computer.
Columns
The following table shows the columns with their descriptions.
Column Description
Error Code Displays the error code number
Number of Errors Displays the numbers of errors if you
have activated the show cumulated er-
rors option.
Error description Start of the error description.
Click Show cumulated errors right to
the Error Description column header to
switch to the detailed description of the
error queues.
Host (origin) Displays the name of the fulltext or rendi-
tion server where the error occurs
DocID Display the docid of the document which
failed during fulltext indexing or render-
ing.
Record type Display the record type of the document
Timestamp Displays the time when the error occured
If the error is caused by a faulty connection to the fulltext (indexing) engine, restart
all processes for the whole error queue after solving the connection problem.
Note: This operation may take several seconds. You have to refresh the
browser window to see the results.
You can restart the selected errors to test if your troubleshooting has solved the
problem.
You can restart a single error class to restart all errors of the same error class:
If the problem could not be solved, you can delete the error in the error queue.
5. Create jobs in the TCP Context Server administration. For details, see “Creating
rendition jobs in TCP Context Server administration” on page 213.
6. Customize the supported source MIME types. For details, see “Customizing the
supported source MIME types” on page 214.
7. Define filters in TCP Modeler. For details, see section 2.2.4 "Filters - fulltext and
rendition jobs" in Open Text TCP Modeler - Customization Guide (TCP100001-
CGD).
2. In the login window, enter user login, password, and domain. Use the Admin
login for administration tasks.
The TCP Context Server configuration opens.
3. In the Configuration Packages section of the navigation area, click FILTER.
The FILTER page opens.
The upper part contains common filter parameters and the Fulltext User
Password which is not relevant here. The common filter parameters have
default values which you need only to re-configure in rare cases, for example
after changing the password of the FilterUser user. The lower part starting
with Render All in One contains the parameters specific for rendering.
4. Enter the following settings:
Filter
Global switch for enabling or disabling filter handling. You can only use the
fulltext or rendition server if the filter is on. Default is on.
Filter Log Level
Log level for filters. For a description of the log levels, see “Logging” on
page 199. Default log level is WARN.
Filter Update Configuration Interval (sec)
This interval indicates how often the filter reads the filter configuration. To
modify the filter configuration in TCP Modeler, see section 4.2.6 "Filters" in
Open Text TCP Modeler - Customization Guide (TCP100001-CGD). Default is
300 seconds. This is the recommended setting.
Filter User Password
Enter the password for the user FilterUser. You do not define or change
the password here, but in User Management Client.
Render All in One
Default is Yes, that is, all components of a record are merged into a single
rendition. This option enables you, for example to render multiple single-
page TIFF files that belong together into one document.
Render Configurations File
Default is <Tomcat>/webapps/archive/config/setup/rendertypes.xml.
Specify the file that contains your rendering configurations. Within TCP
Modeler, you reference to one of these configurations within this file. For
details, see section 6.5 "Defining filters in Open Text TCP Modeler" in Open
Text Rendition Server - Installation and Administration Guide (RS090701-IGD).
Render Eliminate Duplicate Jobs
Default is on. This is the recommended setting. Disable this option for
troubleshooting purposes only.
Render Queue Size
Length of the rendition job queue in the memory. Default is 10. Use as small
a number as possible. The following is the formula to calculate the minimum
size: <Number of rendition servers> multiplied by <number of concurrent
connections> plus a small safety.
Render TCP Context Server URL
Specify the URL of the source document. Default is:
http://<TCP Context Server>:18080/archive.
You can use HTTP or HTTPS. Default port number for HTTP is 18080.
Default port number for HTTPS is 18090.
Check your installation of ArchiveLink for the correct path. By default this is
/archive.
All aspects of creating and scheduling jobs on TCP Context Server are covered in
detail in “Using jobs to perform administrative tasks” on page 190.
Required parameters for dmsremotecmd:
• --host <TCP Context Server>
• --port <TCP Context Server>
• --user DMSAdmin
• --password <not encrypted password of DMSAdmin>
• --domain _internal
• --clientele <clientele> renderjob
Note: renderjob must be the last entry in the parameter list of the
command.
Example: dmsremotecmd --host duffy --port 18080 --user DMSAdmin --
password geheim --domain _internal --clientele defaultclientele
renderjob
The documents are rendered according to the scheduling of the rendering job. If
problems occur, the documents are queued in an error queue. For details, see “Using
the Rendition Server error queues” on page 216.
Important
The configurations done in the rendertypes.xml file must match the
capabilities of the Adlib Express Server. This means that you must exclude
existing source MIME types that are not supported by Adlib.
Every document of a MIME type that is not supported results in a rendition error
queue entry.
To start a reorganization:
1. Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar
and log on as DMSAdmin.
2. In the Database section of the navigation area, click Administration.
The Administration page opens with a list of the jobs you can execute.
3. Click the button next to Reorg ACL or Reorg Entity types.
If you want to view the stack traces in the log, click Dump stack traces to log. The
page reopens with the message Stack traces dumped to log. . The log file is stdout
which is visible in the Tomcat log file. To view the log files, switch to the Tomcat
server log directory and open the newest stdout log file.
To start the TCP Context Server GUI use one of the following ways:
• Open the TCP Context Server configuration in a browser window by entering
http://<TCP Context Server>:<port>/archive_config in the address bar.
Enter Admin and the password you specified during installation and click Log
on.
• Open the TCP Context Server administration in a browser window by entering
http://<TCP Context Server>:<port>/archive/admingui in the address bar
and log on as DMSAdmin. In the navigation area, click Context Server
configuration.
Important
Consider that the Tomcat server must be restarted if the data source is
created new or is changed.
If the access to the database is configured via data source, this configuration
must be done manually for all TCP Context Servers in a clustered
environment.
<TOMCAT_HOME>/webapps/archive/META-INF/context.html
<TOMCAT_HOME>/webapps/archive_config/META-INF/context.html
For details, see “Maintaining the Apache Tomcat data sources” on page 225.
Secondary DB Connectivity – JDBC URL
JDBC URL of the database.
For example:
jdbc:oracle:thin:@//<database host>:<listener port>/<listener
global database name>
or
jdbc:sqlserver://<database host>:<TCP/IP network protocol
port>;databaseName=<name of database>
Caution
Handle this option with care. Only select Yes if you want to drop the
TCP Context Server database schema, in particular all database
tables. As a result, all kind of data and configurations stored before
will be deleted.
Important
• The two context.xml files for User Management Server must be
identical.
• The two context.xml files for TCP Context Server files must be
identical.
• Tomcat always restarts the Web application after you saved an edited
context.xml file.
name
Provide a name for the connection and follow the naming convention
jdbc/<connection>. This name is displayed in the DBU (User Management
Server) or DBM (TCP Context Server) configuration.
type, factory, driverType
Leave the values as provided unless you know what you are doing.
serverName
Provide the name of the database host.
portNumber
Port of the Oracle listener. Default is 1521.
serviceName
Listener global database name, for example DMS or UMS.
description
Description of the connection for your information.
url="jdbc:oracle:thin:@(description=(address_list=(address=(host=<vir
tual
database host 1>)(protocol=tcp)(port=<listener port>))
(address=(host=<virtual database host
2>)(protocol=tcp)(port=<listener
port>))
(failover=on)(load_balance=on))(connect_data=(service_name=<listener
global database name>)))" description="Oracle RAC
Datasource" />
name
Provide a name for the connection and follow the naming convention
jdbc/<connection>. This name is displayed in the DBU (User Management
Server) or DBM (TCP Context Server) configuration.
type, factory
Leave the values as provided unless you know what you are doing.
url
With the URL you can address one or more database hosts. The following
example breaks the URL line of code into a more readable format. After editing
it, remove the line breaks and put the URL in one long line.
jdbc:oracle:thin:@
(description=
(address_list=
(address=(host=rac1-vip)(protocol=tcp)(port=1521))
(address=(host=rac2-vip)(protocol=tcp)(port=1521))
(address=(host=rac3-vip)(protocol=tcp)(port=1521))
(failover=on)
(load_balance=on)
)
(connect_data=(service_name=UMS))
)
Note: For TCP Context Server, the last line must contain DMS (instead of
UMS).
• address – identification of one database host. Add a line for each host.
• host – name of the database host. For Oracle RAC, use the virtual host name
which is typically identified by the -vip suffix.
• protocol – type of protocol, typically tcp.
type="com.microsoft.sqlserver.jdbc.SQLServerDataSource"
factory="com.microsoft.sqlserver.jdbc.SQLServerDataSourceObjectFactor
y"
class="com.microsoft.sqlserver.jdbc.SQLServerDataSource"
serverName="<database
host>" portNumber="<database port>"
databaseName="<database
name>" dataSourceDescription="SQLServer Datasource" />
name
Provide a name for the connection and follow the naming convention
jdbc/<connection>. This name is displayed in the DBU (User Management
Server) or DBM (TCP Context Server) configuration.
type, factory, class
Leave the values as provided unless you know what you are doing.
serverName
Name of the database host.
portNumber
Port of the database host. Default is 1433.
databaseName
Name of the database. For example, UMS or DMS.
dataSourceDescription
Description of the connection for your information.
response time for Archive and Storage Services. Value 0 means that there is
no timeout.
3. Click Save.
Important
Do not add TCP Context Server as a known server in the Archiving and
Storage Administration, because this will lead to problems. See section 12
"Adding and Modifying Known Servers" in OpenText Archive Server -
Administration Guide (AR-ACN).
To disable a logical archive, see “Configuring the archive access” on page 182.
Note: You should use a HTTPS URL. The only exception would be a
common secure environment of User Management Server and TCP
Context Server.
HTTPS Connect URLs
HTTPS URL of User Management Server. You can enter more than one URL
if you are using more than one User Management Server. Enter each URL in
a separate line. Use the protocol field to select whether you want to use http
or https.
Protocol
Protocol to be used to communicate with User Management Server. If you
select http, the URLs in the HTTP Connect URLs field are used, else the
URLs in the HTTPS Connect URLs field are used.
3. Click Save.
<Attribute>=<property type>
Log Classes
Logging for extra classes. Enter the following format:
<classname>=<loglevel>
Log Level
Log level for TCP Context Server start-up. For a description of the log levels,
see “Logging” on page 199. Default log level is WARN.
Log Performance Statistics
Flag for enabling or disabling the logging of performance statistics in
ixdms.log. Default value is off. Use logging for debugging, for example for
analyzing very long response times.
Mime Type Derivation
Allowing or prohibiting MIME Type Derivation. Default value is on, that is
TCP Context Server tries to determine the MIME type via the file extension if
the client sends content without content type or with a pseudo MIME type.
My Host Aliases
Enter aliases if you want to refer to the host by different names (for example
in lower case and upper case) or if you use different network adapters.
Separate the aliases by commas.
My Host Name
You can specify a host name if you use an environment with multiple host
names.
Notes Validation
Flag for enabling or disabling the validation of the XML structure in the
notes. Default value is on.
Query Fetch Limit
This fetch limit for queries indicates the maximum number of hits to be
fetched from the server. Such a limit helps you to keep the server load below
a certain level. This limit affects only the users and groups which are not in
the UnlimitedQueryResultGrantees group. Default value is 500. Enter 0 to
remove the fetch limit.
Hard Query Fetch Limit
Note: The Hard Query Fetch Limit setting is only available if patch
TCP-1001-005 or higher is installed on your system.
Maximum number of hits that a query can return. Default value is 0 which
means that there is no limit. In contrast to the Query Fetch Limit, this limit
affects all groups. OpenText strongly recommends that you specify a much
larger value for the Hard Query Fetch Limit than for the Query Fetch
Limit. OpenText recommends a range of 10000 up to a maximum of 100000,
depending on the main memory. This prevents that the query allocates a
significant percentage of the available main memory.
Protocol Stack
Defines the protocol stack. The default value is set to TCP based protocol
stack.
3. Click Save.
The message The re-configuration was successful. You must restart the
application for the changes to take effect. appears.
4. To make your changes effective, restart TCP Context Server.
3. Click Save.
The message The re-configuration was successful. You must restart the
application for the changes to take effect. appears.
4. To make your changes effective, restart TCP Context Server.
This part describes the administration of User Management Server. There are
different types of administrators involved with User Management:
• ROOT administrators are responsible for the User Management system as a
whole.
• Organization administrators adapt the User Management to the needs of a
company, department or subdepartment. They have the right to manage their
own organization, but have no access to other organizations.
These groups have different administration tasks (see “Major administration tasks”
on page 177).
Content This part contains the following chapters:
“Working with User Management” on page 253
This chapter explains the different administration tasks for the User
Management.
“Working with User Management Client” on page 241
This chapter describes the graphical user interface for the administration of the
User Management.
“Managing configuration parameters” on page 279
This chapter provides configuration parameters for external domains, Single
Sign-On, organizations, groups, and users.
7. Start the configured MMC via double-click on the *.msc file, or add the *.msc
file to the Start menu.
2. Enter the system name and the URL of User Management Server.
To change these settings later, select the system node and go to Settings.
Left pane You see the hierarchical structure of the User Management.
Right pane The right pane shows the content of the structure object that is selected
in the left pane.
Menu bar In the Action menu, you find the commands relevant for the object that
is selected in the left or right pane. The same commands are available in
the shortcut menu. Use the Favorites menu to define and organize your
favorites.
Navigation This toolbar provides buttons to go back and forward, one level up, and
toolbar to show or hide the left pane.
Commands This toolbar provides buttons for some commands from the Action
toolbar menu, depending on the selected object.
Help button Click to start online help for User Management Client.
Filter toolbar This toolbar is available if you select the User or Groups nodes. For de-
tails on filters, see “Using filters” on page 248.
Note: Some GUI elements are part of the MMC. These are not described in this
documentation. For information on these elements, open the Help menu and
click Help Topics to open the MMC online help.
3. Change the properties. A list of all properties and their meaning is available in
“Managing configuration parameters” on page 279.
4. Click OK.
To add properties:
1. Select the principal, for example a group.
2. Right-click and select Properties from the context menu.
The properties dialog opens.
3. Click Add.
A new row is added in the properties table.
4. Enter the name, value and type of the new property.
For users, groups and configuration, you can add multi-value properties. Select
a *Multi property type and add a second row with the same property name
and the same property type.
5. Click OK.
To use a filter:
Normally, the filter applies to the display name.
1. Click Filter by Name/Logon to filter the Name or Logon column.
2. Select one of the filter methods as described below.
Only the users or groups starting with the chosen letter are displayed.
To filter by prefix:
You can define your own start search pattern for the filter function.
1. Select the Users or Groups node or a specific group in the Hierarchy node.
28.7 Reference
Commands The following table provides an overview of all available commands.
Users
Groups
Positions
Roles
Department
Projects
Add an external Do- Organization “Adding an external User Management
main External Do- system” on page 256, such as LDAP or a
mains Windows domain.
New configuration Configuration Adds a new SSO configuration to work
with access tokens from an external SSO
solution. A proper Checker Module is
required for these new token types.
New Security Security group Adds a new security group.
Add User Security group “Assigning users to security groups” on
page 270
New User Users “Adding new users” on page 265
New enabled User Users Creates a new user and sets the password
(the user cannot change it).
Reset Password Right pane: “Changing/resetting user password” on
Users page 266
Member of Right pane: Shows the groups where the selected user
Users or group is included. If you have selected
Groups a role, the assigned users are listed.
Roles
Certificate Right pane: “Adding a certificate user” on page 265
Users
Promote to Signing Right pane: “Enabling eSign for administrators and
Admin Users users” on page 268
Promote to Signing Right pane: “Enabling eSign for administrators and
User Users users” on page 268
New Group Groups “Adding new groups” on
page 266(internal groups)
New Position Positions Adds a new position.
Users
Groups
Positions
Roles
Departments
Projects
Refresh Right pane: Connects to User Management Server and
Organization updates the user management elements
Configuration from the database.
Security groups
Users
Groups
Positions
Roles
Departments
Projects
Help all elements Opens the online help for User Manage-
ment Client.
To add organizations:
1. Log on as ROOT administrator.
2. Select the <Server> node , right-click and select New Organization from the
context menu.
The New Organization dialog opens.
3. Enter the organization name considering “Naming recommendations for
organizations, domains, and departments” on page 255 and click OK.
The new organization is displayed in the tree structure.
4. Define administrators for this new organization:
a. Add new users. For details, see “Adding new users” on page 265.
b. Assign these users to the Admin node of the new organization. For details,
see “To assign users to a group:” on page 267.
Note: You can also reference users from an external domain. For details,
see “Adding an external User Management system” on page 256).
5. Define the properties of the organization. For details, see “Defining the
organization settings” on page 263
b. Go to Properties again. The properties list should now contain also the
specific properties for your domain type.
c. Change the configuration properties for your domain type. The properties
list can have several pages, use the Browse button and scroll to navigate.
• See “Configuring a domain for Livelink ECM – Enterprise Server user
management” on page 279.
• See “Configuring a domain for LDAP directory server” on page 280.
7. Click OK.
8. Now you can reference groups and users to the internal User Management. For
details, see “Referencing groups and users from an external domain” on
page 263. Log on as one of the referenced users, right-click User Management
Server and select User Logon.
The user gets an access token when he or she logs in to the first OpenText
application. All other OpenText applications accept this access token. Therefore,
no additional logon is necessary during this session.
Note: For users whose access tokens must not time out (such as
BizEffectiveUser_default and FulltextUser), set the invalidation
period as user attribute for that user. Define the property
invalidationPeriodMinutes and enter the value in minutes (see
“Managing parameters for users” on page 288).
Use this mechanism with caution, as the session store can grow without
limits if used incorrectly.
SSO with SAP NetWeaver Portal
If you want to use encrypted cookies from the SAP NetWeaver Portal, add and
configure the SAPSSOCheckerModule.
The user name at the portal is stored in a cookie. User Management Server can
decrypt and check this cookie in order to get the user name. If the user name is
recognized by User Management as an internal or external user, the user gets an
access token.
The user name storing the certificate must be identical with the SAP workplace
name.
Create a certificate user for this scenario. For details, see “Adding a certificate
user” on page 265).
SSO with signed URL
If you want to handle signed URLs specified by the ArchiveLink protocol,
configure the SignedURLChecherModule.
The name of the certificate user must be the same as the name of the user who
signs the URL (the authID).
To get the certificate, send it via putcert from the leading application to TCP
Context Server. This can be managed by the Import Certificate Wizard, see
“Protecting the client connection” on page 188.
The checker module checks the format of the URL and the signature from the
leading application. If both are valid and the URL is not expired, the module
checks the unlimitedCertificate property on the user specified in the authID.
If this property is set to true, all users specified in the user parameter are
accepted without further check. If this property is set to false (recommended),
the limitedCertificateUserIds properties of the user specified in the authID
are evaluated. Only if the user specified in the user parameter of the URL is
specified in this property, the access is granted.
Create a certificate user for this scenario, that is assign a certificate to a special
user (see “Adding a certificate user” on page 265). The name of the certificate
user must be the same as the name of the user who signs the URL (the authID).
For SAP applications, you may also send a certificate via putcert to TCP
Context Server. This can be managed by the Import Certificate Wizard, see
“Protecting the client connection” on page 188.
In both cases, you must configure the user certificate after it has been assigned to
the certificate user. For details, see “Configuring the certificate user” on
page 266).
To enable SSO:
1. Select the Configuration node for your organization, right-click and select
New configuration from the context menu.
The New configuration dialog opens.
Note: The SessionIdCheckerModule has already been created with the
organization. Select this module and choose Properties to edit this module.
2. Enter the required parameters for the SSO module. The parameters depend on
the scenario:
• See “Configuring checker context for internal session ID token” on page 285
• See “Configuring checker context for SSO with SAP Enterprise Portal” on
page 285
• See “Configuring checker context for signed URL” on page 285
• See “Configuring checker context for signed user” on page 286
3. Click OK.
3. Click OK.
in the ROOT clientele. The value contains the times for the domain
synchronization, each entry separated by a semicolon ;.
CacheTimeMinutes
Defines how frequently all external domains are synchronized.
Default value: 60 minutes.
Do not schedule domain synchronization to frequently as it causes some
load on the external system, and also blocks User Management Server
3. Click OK.
3. Click OK.
To configure auditing:
1. Open the User Management Server configuration in a browser window by
entering http://<User Management Server>:<port>/ums_config in the
address bar.
2. In the log on window, enter user logon, password and domain. Use the Admin
logon for administration tasks. User Management Server administration opens.
3. Click UMS.
4. Choose an audit level.
Audit level Meaning
NOAUDIT No actions are logged.
ADMIN Only actions of the administrator are
logged.
MODIFY Modifying actions of all users are logged
(default).
LOGIN Modifying actions including logon of all
users are logged.
READ All actions including read actions are
logged.
5. Enter the audit log size in MB. The default is 5 MB. When the audit log file has
reached the defined size a new file is created. The audit log files are saved as
umsaudit.log in the \webapps\ums\WEB-INF\log directory.
Property Description
userCertificateBinary Identifier of the actual certificate
unlimitedCertificate Identifier if certificate owner can sign
unlimited user access tokens
The default is FALSE.
limitedCertificateUserIds Identifier for which user the certificate
owner can sign user access tokens
a. Enter the additional default properties of the new user. For details, see
“Managing parameters for groups” on page 290.
b. Add new properties if needed. For details, see “Adding additional and
multi-value properties” on page 246.
3. Click OK.
The new group is displayed in the Groups node.
Note: The DMS customizer must decide which groups should be added.
3. Drag the selected user to the group in the Groups subnode of the Hierarchy
node .
The user is assigned to the group.
Note: You can create groups' hierarchies with any number of levels but only
two hierarchical levels are displayed, not a tree. If a group has more than one
sublevel, you must select the subgroup on the upper level in order to see its
subgroup.
Notes:
• When a user or a group is disabled, he becomes invisible in the User
Management, for example in the Admin node or in a position.
• The disabling of the user does not affect the validity of an already granted
access token. The access token becomes invalid after the invalidation period
ends.
eSignRole=signingAdmin
The user is a signing administrator, and can add other users to the group of
signing users.
eSignRole=signingUser
The user is a signing user.
Tip: In the following procedure, replace the <principal> variable with the
principal you want to add, for example Role.
Note: Users are not assigned directly to projects but via positions. The
position source for projects is the Department subnode in the Hierarchy
tree. Only positions, and thus the assigned users, from there are accepted.
2. Repeat this step until you have reproduced your project structures.
29.6 Troubleshooting
If you have problems with the User Management, consult the Knowledge Center
User Management Server
(https://knowledge.opentext.com/knowledge/llisapi.dll/open/15446872). In
particular, the entry
https://knowledge.opentext.com/knowledge/llisapi.dll?func=ll&objId=15451041&
objAction=ArticleView&viewType=1 provides hints on troubleshooting,
configuration tests and information on logging.
The log files are named ums.log or ums.log.n (with n being a number) and are
located in the <tomcat>/webapps/ums/WEB-INF/log directory on User
Management Server.
To change the password for User Management Server, see “Changing password for
User Management Server” on page 278.
Note: Apart from the different paths the Tomcat maintenance is identical for
User Management Server and TCP Context Server. Therefore, the Tomcat
maintenance section exists only in the “Context Server administration part ”
(see “Maintaining the Apache Tomcat data sources” on page 225), but is also
referenced by the “User Management Server administration section.” part.
Important
Consider that the Tomcat server must be restarted if the data source is
created new or is changed.
If the access to the database is configured via data source, this configuration
must be done manually for all User Management Servers in a clustered
environment.
<TOMCAT_HOME>/webapps/ums/META-INF/context.html
<TOMCAT_HOME>/webapps/ums_config/META-INF/context.html
For details, see “Maintaining the Apache Tomcat data sources” on page 225.
Secondary DB Connectivity – JDBC URL
JDBC URL of the database.
For example:
jdbc:oracle:thin:@//<database host>:<listener port>/<listener
global database name>
or
jdbc:sqlserver://<database host>:<TCP/IP network protocol
port>;databaseName=<name of database>
Caution
Handle this option with care. Only select Yes if you want to drop the
User Management Server database schema, in particular all database
tables. As a result, all kind of data and configurations stored before
will be deleted.
Important
Do not change the DMS clientele later as it is used by TCP Context Server to
connect to User Management Server. If you change it, you need to re-
configure TCP Context Server, too.
Functionality
• The enricher is part of User Management Server.
• The enrichment provider instances are controlled by the enricher.
/**
* Specifies the UMS-side of the id-matching, MUST exist per
configured type
* and will be returned by the getPerTypeSettings() call.
*/
public final static String UMS_ID_ATTR =
"EnrichmentProvider.umsIdAttr";
/**
* Initialize the provider with its specific configuration data,
such as connection settings.
* This configuration data is read from configure of the UMS
domain and the full domain configuration is passed.
* This will be called at system startup and after any change to
the configuration.
*/
void init( Map<String, String> config ) throws ProviderException;
/**
* This method will be called regularly and executed in the
background, so that the provider can prepare/refresh
* an internal cache of enrichment data. Additional calls to
getAllPrincipals() might arrive during this call
*/
void prepareRefreshOfProviderCache() throws ProviderException;
/**
* This method will be called to make visible the cached
enrichment data.
* The UMS server does not respond during this call, so this
should just quickly update some references.
*/
void refreshProviderCache() throws ProviderException;
/**
* Get a map of configuration settings, where the keys are the
types of UMS principals,
* which this instance provides enrichment data for.
* Keys are from the ixos.sec.util.Constants.TYPE_ values.
* Supported are user, group, department, position,
positionindepartment, role.
* The Map per type contains settings such as the UMS_ID_ATTR.
*/
Map<String, Map<String, String>> getPerTypeSettings();
/**
* Get the enrichment data of all those principals of the given
type, for which enrichment data is available.
* This will be called by the UMS to add the enrichment data to
the UMS principals.
• token
ixos.sec.sso.modules.SessionIdToken
• expirationPeriod
Defines the inactivity timeout in seconds. The default is 2100.
• invalidationPeriod
Defines the maximum session life time in seconds. The default is 72000.
• token
ixos.sec.sso.modules.SAPSSOToken
• UserDomain
Configures domain name of domain where user and groups can be found. The
default is _internal.
• token
ixos.sec.sso.modules.SignedUrlAccessToken
• SignedURLUpdatePeriod
Defines the updating period of signed URL handler for changes to certificate
users.
• SignedURLExpirationPeriod
For high-volume scenarios with SignedURLs this optional configuration
parameter is available, to reduce the validity period of the UMS internal
SignedUrlAccessToken. Set it in the configuration of the
SignedUrlAccessToken for the proper organization. The value gives the validity
of the token in seconds, so a value like 60 would avoid storing these tokens
longer then 60 seconds and thus greatly reduce the memory requirements in
such scenarios.
• importUnknownSignedUsers
To enable the automatic reference of users, who access the system with a
SignedUserAccessToken and are not yet referenced, add this key to the
configuration of the SignedUserAccessToken. The existence of the key alone
triggers the behavior, but still choose an intuitive value like true.
This automatic reference will only happen, if the signing-user referenced in the
given token can sign ANY user, which is indicated by the
unlimitedCertificate attribute of the signing user.
• token
ixos.sec.sso.modules.SignedUserAccessToken
• importUnknownSignedUsers
To enable the automatic reference of users, who access the system with a
SignedUserAccessToken and are not yet referenced, add this key to the
configuration of the SignedUserAccessToken. The existence of the key alone
triggers the behavior, but still choose an intuitive value like true.
This automatic reference will only happen, if the signing-user referenced in the
given token can sign ANY user, which is indicated by the
unlimitedCertificate attribute of the signing user.
CacheLogRefreshSeconds
Defines the period of time after which the node data in a UMS cluster is
synchronized. For details, see “Configuring caching” on page 260.
SessionCacheSize
Defines the cache size for sessions. For details, see “Configuring session
management” on page 262.
SessionStoreCleanupTimes
Defines specific times to perform the cleanup of the db-session store. For
details, see “Configuring session management” on page 262.
• PasswordMinLength
Specifies the minimum length for a password.
The default is 6 letters.
• MaxFailedLoginAttempts
Maximum number of false log on attempts after which the user account will be
locked.
It is possible to unlock the account after a defined period (see
AutoUnlockPeriod property).
• AccountLockingForImport
Defines whether the MaxFailedLoginAttempts property is also relevant for
referenced users.
The default value is false, because this may lead to conflicts with the account
locks in the external system.
• FailedLoginAttempts
Number of failed log-ons in a row.
• invalidationPeriodMinutes
Defines the period after which the access token becomes invalid. This is relevant
for an application user to prevent the access token from timing out during
lengthy processes such as fulltext indexing.
• ixPwdExpires
Defines the date when the user password will become invalid.
• ixUniqueIdentifier (read-only)
Unique user ID.
• Language
The language settings for the user. The defined value is used per default when
creating a user for the organization.
• Login (read-only)
The logon of the user.
• limitedCertificateUserIds
Identifier of the user for which the certificate owner can sign user access tokens.
• Organization (read-only)
The name of the organization to which this user belongs.
• OutOfOffice
Set this property to 1 if the user is out of the office. This causes a dedicated
OutOfOfficeRule to be applied in TCP. The parameter has no affect on User
Management Server itself.
• Password
The password of the user. If you want to edit this field, the Password dialog box
opens (see “Changing/resetting user password” on page 266). This property is
only available to internal users.
• proxyIds
Identifiers of other users who are allowed to act as proxy for the user. You can
enter more than one value.
• State
Use enable to introduce the new user. If this user leaves the organization, use
disable.
• TimeZone
The time zone of the user. This is relevant if the user works in a different time
zone than User Management Server.
• Initials
The user's initials.
• unlimitedCertificate
Identifier used when certificate owner can sign unlimited user access tokens.
• userCertificateBinary
Identifier of the actual certificate.
3. Right-click the folder and select Properties. Then go to the ASP.NET tab.
4. Select ASP.NET version 2.
5. Click Ok.
Tips:
• Setting the MaxHistoryPathLength to 0 hides the breadcrumbs. In that
case, back navigation is possible only via the back buttons in the
different views.
• If the actual length of the breadcrumbs exceeds the configured length,
the path is cut from the left, where the cutting is indicated by a
symbolic entry “...”. Despite of the restricted length shown at the UI,
the path exists virtually in full length. I.e. when navigating back, the
path successively fills from the left.
<configuration>
<system.web>
<httpRuntime
executionTimeout="1200"
maxRequestLength="102400"
useFullyQualifiedRedirectUrl="false"
minFreeThreads="8"
minLocalRequestFreeThreads="4"
appRequestQueueLimit="100" />
</system.web>
</configuration>
3. Enable the JavaViewerURL key and enter the URL to Java Viewer, for example
<add key="JavaViewerURL" value="http://JVhost/JAVAVW" />
3. Enable the WebViewerURL key and enter the URL to the Web Viewer, for
example
<add key="WebViewerURL"
value="http://myserver:18080/WebViewer/viewer.srv" />
4. Enable the <Defaultclientele> key and set the value to the clientele of the User
Management Server associated to the application. The default value is
defaultclientele.
Important
If you use Web Viewer you must add the following setting to the Web
Viewer viewer.cfg file:
HTTP_PROTOCOL_COOKIE_POLICY=ignoreCookies
For more information on the viewer.cfg file, see section 4.1 "Configuration
files" in OpenText Imaging Web Viewer - Installation and Configuration Guide
(CLWEBV-IGD) of the version you want to install.
3. To use always the same Windows Viewer window when the user opens a
document, perform the following steps:
New: The reuse of the Windows Viewer window for all documents to be
opened is a new feature of patch TCP-1001-072.
a. Make sure that patch TCP-1001-072 or higher is installed. For more
information about patches, see
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/14866608.
b. Go to the directory <IIS installation directory>\wwwroot\tcpweb\-
config.
To enable SSO:
Perform the following steps to enable SSO with the TCP Web Client, User
Management Server and the Microsoft Windows Operating System:
Note: You can use SSO only with Microsoft Internet Explorer but not with
other Web browsers.
1. See “Creating a certificate” on page 299.
2. See “Configuring the checker module on User Management Server” on
page 301.
3. See “Configuring User Management Server” on page 302.
4. See “Updating TCP Web Client configuration” on page 303.
5. See “Changing Internet Information Services (IIS) Manager settings” on
page 303.
6. See “Setting folder permissions” on page 306.
7. See “Adding external domain and users” on page 306.
Note: Do not use copy & paste. Type in the whole command.
3. To add the certificate to the local machine store, open a command prompt and
enter mmc.
The MMC opens.
4. Go to File - Add/Remove Snap-In, click Add and select Certificates.
5. Click Computer account.
6. Select Local computer, click Finish, then click Close and Ok to return to the
MMC main window.
7. Go to Certificates (Local Computer) - storetcp - Certificates and open TCPCert.
Tip: The certificate is needed in cer format and thus the certificate file
created with makecert (tcpcert.cer) can be used.
3. Enter the path to the file tcpcert.cer.
4. Set the property unlimited Certificate to true.
To adapt the value of tcpcertuser, use the value of the certificate user you
created before, see step 1.
2. Change the following settings for identity and authentication in the
<system.web> section of the web.config file:
3. Double-click Authentication.
a. In the Connections pane, click the name of the computer, in this example
VMSCSTCP-32–01. The VMSCSTCP-32–01 Home pane opens.
b. Double-click ISAPI and CGI restrictions.
c. Set ASP.NET 2.0.50727 to Allowed.
4. Remove the check mark from the check box Enable anonymous access and
select Integrated Windows authentication.
5. Click Ok and Ok to close the Properties dialog.
6. In Internet Information Services (IIS) Manager, go to Web Service Extensions.
To test SSO:
• Log on with the URL http://<computer>/tcpweb/login.aspx.
No logon dialog appears, instead you have to select the group if more than one
group is available.
To install multiple TCP Web Clients on Windows Server 2008 with Microsoft IIS
7:
1. In the wwwroot folder, copy the tcpweb directory and rename it, for example to
tcpweb2.
2. For the local group IIS_IUSRS, set the folder permissions to Full Control for:
• C:\Inetpub\wwwroot\tcpweb\forms
• C:\Inetpub\wwwroot\tcpweb\log
For details, see step 3 in “Setting folder permissions”.
3. In IIS Manager convert the directory (in this example tcpweb2) to an
application. Do this by right-clicking the folder and selecting Convert to
Application.
4. Enable Anonymous Authentication, see step 3 in “To change Internet
Information Services (IIS) Manager settings in IIS 7 (on Windows Server 2008):”.
5. Double-click the name of the virtual folder, in this example tcpweb2.
The tcpweb2 Home pane opens.
Troubleshooting tip
In case the tcpweb2 application cannot be accessed properly, try the following
steps:
1. Edit C:\Windows\System32\inetsrv\config\applicationHost.config.
2. In the applicationHost.config file, copy all existing <location> sections
where the path starts with Default Web Site/tcpweb and add them to the
end of the file. Rename the paths to Default Web Site/<tcp_sso_dir> (in
this example Default Web Site/tcpweb2) in each of the copied sections.
Example for a <location> section to be copied:
<location path="Default Web Site/tcpweb">
<system.webServer>
...
</system.webServer>
</location>
Basic TCP .
scenario
1. The dmsPrepdoc DocTool fetches the document ID and writes the ATTRIBUTES
file as in the standard scenario.
2. The gen_prop DocTool reads the ATTRIBUTES file and writes an XML file that
contains all the properties used in TCP Context Server.
3. The doctodms DocTool sends the document and corresponding properties to
TCP Context Server.
4. The Inbox DocTool sends the document identifier to the TCP Application
Server for PDMS UI Inbox late indexing scenarios.
5. The psdt DocTool starts a workflow and attaches the document, for example for
TCP GUI late indexing scenario.
doctodms Send document and Sends the document components and at-
attributes to TCP Con- tributes to TCP Context Server.
text Server
dmsformid Select Overlay Form Part of the forms overlay scenario; re-
from TCP Context trieves the Record ID of the form from
Server TCP Context Server and writes it to the
COMMANDS file as DMS_OVERLAY_FORM. For
PDF files, the DocTool also retrieves the
archive ID and writes both IDs to the PDF
file; see also OpenText Document Pipelines -
Overview and Import Interfaces (AR-CDP).
dmsPrepdoc
The dmsPrepdoc DocTool is used to create the ATTRIBUTES file for TCP Context
Server. Basically, the behavior of this DocTool is very similar to the traditional
Prepdoc, except for the following points.
• dmsPrepdoc generates the DocID by itself, rather than retrieving it from the
storage system.
• The IXATTR_ENCODING key in the COMMANDS file allows processing data from the
IXATTR file in formats other than the one used internally.
34.2 doctodms
The main task of doctodms is to archive documents on a TCP Context Server. A (DP-
) document consists of one or more DMSDocuments, DMSIDOs, or both. Its attributes
and rendition information must be provided in an IXATTR file in the document
directory. For details, see OpenText Document Pipelines - Overview and Import
Interfaces (AR-CDP). Internally, this file is converted to an XML file named prop.xml
by the gen_prop tool. If necessary, (dummy) files for the rendered data must be
provided as well.
If the DocumentID or IDO ID already exists on Context Server, the existing attributes
and renditions will be replaced, and new attributes and renditions will be added to
the document on TCP Context Server.
You can define the number of documents to be archived in one transaction in the
environment variable DMS_DOCUMENTS_PER_TRANSACTION. The default is 100.
However, documents with renditions are always archived in a separate transaction.
The following parameters must be set in the COMMANDS file. See OpenText Document
Pipelines - Overview and Import Interfaces (AR-CDP).
DMS_DOCTYPE
Specifies the record type for the document. Unlike DOCTYPE for traditional
scenarios, the DMS_DOCTYPE key represents the business object for the document.
From the point of view of TCP Context Server, the default archive ID is defined
in the record type. As the record type in the document model contains the
business object, it is no longer necessary to map the business object to the archive
ID. Therefore, the mapping table and the corresponding key
ARCHIVID_CRITERION are not required for the TCP scenario.
Example:
DMS_DOCTYPE ixos.DMS:document
IXATTR_ENCODING
Specifies the encoding of the IXATTR file
Example:
IXATTR_ENCODING ISO8859_1
For a list of supported encodings, see OpenText Document Pipelines - Overview and
Import Interfaces (AR-CDP).
34.3 Inbox
The Inbox DocTool interacts with TCP to perform one of the following tasks:
• Create a routing item for a user or user group.
Unix $ECM_DOCUMENT_PIPELINE_CONF/config/setup
• <project>
BIZ_PROJECT
• <user>
BIZ_USER
• <password_enc>
BIZ_PASSWORD
• <domain>
BIZ_DOMAIN
• <group>
BIZ_GROUP
• <groupdomain>
BIZ_GROUP_DOMAIN
Alternatively to defining a user, group or plug-in event, the PILE_INDEX in the “Archive
mode” and the following entry can be defined:
BIZ_REG_INDEXING An indexing item is created in BIZ_REG_IN
the Indexing inbox. No parame- DEXING
ters are available.
Can be used with PDMS UI
only.
Note: For details on the COMMANDS file, see section 7.3 "The COMMANDS File"
in OpenText Document Pipelines - Overview and Import Interfaces (AR-CDP).
Archive Name
Name of a logical archive.
Conditions
Select PILE_INDEX.
Workflow
Workflow name (if required. See “Psdt” on page 319).
Extended Conditions
The Extended Conditions correspond to the COMMANDS keys; see Table 34-2.
Always set BIZ_ENCODING_BASE64_UTF8N. In addition:
Indexing – Set BIZ_REG_INDEXING.
To configure an indexing scenario, see Open Text TCP Modeler - Customization
Guide (TCP100001-CGD). For general information about indexing, see Open Text
Transactional Content Processing - User Guide (TCP100001-UGD).
Tasks – The task is sent to the user specified with BIZ_DOC_RT_USER =
<domain>\<login>. Alternatively, to specify a user group, set
BIZ_DOC_RT_GROUP = <domain>\<group name>.
For further information about plug-in events, see Open Text Transactional Content
Processing - Programming Guide (TCP-PGD).
34.4 Psdt
The psdt DocTool is used for indexing with the Pipeline scan scenario SCDMS and
batch import scenario EXDMS. It allows to start a process with a scanned document,
either in an early or late indexing scenario. For details, see “Overview of TCP
Document Pipelines for TCP Context Server” on page 311.
If configured in the COMMANDS file, the DocTool creates a process instances.
Parameters from psdt DocTool uses the following parameters from the Inbox DocTool (see “Inbox”
Inbox on page 315):
Document psdt DocTool uses the following parameters from the COMMANDS file configured in
parameters the archive mode:
DMS_DOCID Document ID, needed to attach the archived document to the process
$ECM_DOCUMENT_PIPELINE_CONF/config/setup
Process step Late indexing Logon user Dynamic rights, TCP Modeler
of the docu- needs read
ment properties
right.
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Titel|string|---- string 0 -----
|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Current_Date|datetime|2003/01/01
:01:01:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:CustomerID|integer|00000000|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:EmployeeID|integer|00000001|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Order_Date|date|1970/01/01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Time|time|01:00:00|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:OrderID|integer|400000000|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:AccountPositionList|string|----
string 1 -----|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Total_Price|decimal|0.00|
DOC NEW
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Titel|string|---- string 2 -----
|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Current_Date|datetime|2003/01/01
:01:02:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:CustomerID|integer|00000003|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:EmployeeID|integer|00000004|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Order_Date|date|1970/01/02|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Time|time|01:00:01|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:OrderID|integer|@400000000#Order
ID1@|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:AccountPositionList|string|----
string 3 -----|
NEWATTR ATTRIBUTES
DMS_DOCTYPE|ixos.qa.ec.test.property:Total_Price|decimal|0.00|
DMS_DOCTYPE ixos.qa.ec.test:Order
DOCTYPE MTA
COMP im ASCII_NOTE im
COMP META_DOCUMENT ASCII META_DOCUMENT
ARCHIVID A1
USE_DOCID_FROM_COMMANDS on
DOCID 12345
NOTE_TITLE_BASE64_UTF8N RE1TRG9jdW1lbnRJbmZvXzE=
Note: The ARCHIVID is optional. But if the ARCHIVID is set in COMMANDS file,
only this ARCHIVID is used. Thus the ARCHIVID of the document type is
ignored.
This part describes the monitoring and backup of all TCP databases:
• TCP Context Server database. The default name is DMS.
• Enterprise Process Services database. The default name is PS.
• Business Activity Monitoring database. The default name is BAM.
• Quartz database. The default name is QUARTZ.
• In case of JBoss: JBoss DB
• TCP Configuration database. The default name is TCP_CONFIG
• User Management database. The default name is UMS.
Note: Monitoring and backup is similar for all databases. In the following, sub-
stitute the variable <db_name> with the database name used at installation.
Content This part contains the following chapters:
“Monitoring the database” on page 333
This chapter explains how to regularly monitor databases.
“Performing a database backup” on page 335
This chapter describes how to backup databases.
2. Click Administration.
3. Click Database Administration - Storage - Tablespaces.
2. Click Server.
3. Click Storage - Tablespaces.
Important
As the TCP Context Server database is useless without the User
Management Server database, you must perform the backup of these
databases at the same time.
To avoid data loss and extended down times you, as system administrator, should
back up the database regularly and in full, and complement this full backup with a
daily backup of the log files. In general: the more backups are performed, the safer
the system is. Backups should be performed at times of low system activity.
Important
Database backups are required for all databases of the system: Archive and
Storage Services, TCP Context Server, User Management Server and TCP
Application Server with databases for processes, business activities,
scheduler (quartz), TCP Configuration and jboss cluster.
Storage media does not contain any data of the TCP database, that is you
cannot restore these databases by importing from media.
The database backup procedures are very similar for all databases.
Caution
The NOARCHIVELOG mode must not be used! In this mode, the online
redo log files are cyclically overwritten and not archived to a separate
directory. This means that complete logging of all operations is not possible.
The archived redo logs must be backed up to tape regularly. A database can only be
restored completely on the basis of the last full database backup, the archived redo
logs and the online redo logs. Only currently open transactions are lost. The
archived redo log files must be backed up completely in order to be able to restore a
database completely.
The frequency with which you perform a full database backup depends partially on
the amount of data that is saved every day. At the same time, the amount of time to
restore a database must also be considered. The longer the interval between the full
database backups, the greater the number of archived redo logs you have to apply
and, consequently, the longer the period required for restoration.
Caution
Make sure that there is always enough free storage space for the archived
redo log files as otherwise the Oracle database will come to an halt and will
not be able to continue functioning. No error message is displayed if this
occurs. Set the directory so that it is large enough (minimum 1 GB) and
monitor the amount of storage space available at regular intervals. See
“Monitoring the database” on page 333.
If large volumes of data have to be archived every day then more frequent backups
are recommended. To do this, it is not necessary to shut down the database.
1. Back up the archived redo logs from the archive directory to tape at least once a
day.
2. Check that the tape backup can be read.
3. Delete the archived redo logs at regular intervals from the archive directory. To
increase security, the archived redo logs should not be deleted until after the
next or next to last complete backup has been completed.
For detailed information on Oracle backup and recovery concepts and how to
perform backups, refer to the Oracle online documentation.
Important
Observe the following principles and settings in order to ensure that
backups can be performed successfully and completely:
• For online backups, never use the Backup tool provided by Microsoft
Windows since this tool backs up only closed files. You must always use
the SQL Server Enterprise Manager/Management Studio.
• The recovery model of the database must always be set to Full. To verify
this option, start Enterprise Manager/Management Studio and navigate
to <name of computer> - Databases - <db_name>. Right-click and select
Properties. You find the setting for the recovery model in the Options
tab.
• The Truncate log on checkpoint option must not be enabled. If this
option is enabled, the inactive part of the transaction log is deleted at a
checkpoint even though no backup of it exists.
• Never back up the data of a database and its transaction logs on the same
tape.
• You should never use the DISKDUMP or NULL backup devices that are
automatically created during SQL Server installation. It is useless to back
up to these devices.
For detailed information on Microsoft SQL Server backup and recovery concepts
and how to perform backups, refer to the Microsoft SQL Server online
documentation.
The transaction log for the master database is then also backed up automatically.
Scheduling database actions: msdb database
The msdb database contains all the scheduling information, for example
concerning regular backup processes. It must be backed up regularly, and
preferably every week. An additional backup is required after every scheduling
modification.
Data: <db_name>
This database contains all data of the server. It must be backed up regularly,
every week to every day depending on the amount of activity. To increase data
security, the data and index devices should also be backed up with RAID1 or
RAID5.
Transaction logs
Transaction logs record all database activities. Each database has its own
transaction log. A transaction log bridges the period between the last backup of
its database and a possible crash. Transaction logs must be backed up at least
once a day. Following the backup, the number of entries in the transaction log is
automatically reduced and space is created for further records (transaction log
dump). The space reserved for the transaction logs must never be filled since
otherwise the database will cease operating! Transaction logs should be backed
up by RAID1.
Recording the database structures
The procedure sp_helpdb [database] displays the structures of all the databases
running on the SQL server. You should record the output in a list that should
also be backed up regularly.
that are performed per hour, how long restoration of the database is allowed to take
and how many phases of low database load there are. The transaction log dump
should be performed during periods of low activity since this operation impairs the
performance of the database.
Note: Perform these backups at regular intervals. A backup job does not
simply back up the data but also deletes all the entries in the transaction log
(transaction log dump) relating to transactions that have been completed
(inactive part). Without this, the log directory would fill up and the database
would no longer be able to function.
Check the amount of free storage space at regular intervals.
To back up the transaction logs, set up a job in Enterprise Manager/Management
Studio that is automatically performed at regular intervals.
This part describes the security measures available when working with TCP and the
settings they require.
The following overview gives a brief explanation of some basic security-related
terms used in this chapter.
Certificate
A certificate is a digital “passport”. It is a secure electronic identity conforming
to the X.509 standard. Certificates typically contain a user's name and public key.
A certification authority (CA) authorizes certificates by signing the contents
using its CA signing private key.
Key, private key
The key, which a user keeps secret in asymmetric encryption, can encrypt or
decrypt data for a single transaction, but cannot do both. A private key normally
depends on a certificate.
Signature
A digital signature is an electronic equivalent of an individual's signature. It
authenticates the message to which it is attached and validates the authenticity
of the sender. In addition, it provides confirmation that the contents of the
message to which it is attached have not been tampered with en route from the
sender to the receiver.
Signed URL
A signed URL is an URL in the SAP ArchiveLink format that is secured with a
signature.
Content This part contains the following chapters:
“Standard groups and users” on page 345
This chapter describes the standard groups and standard users.
“Changing passwords of end users and standard users” on page 355
This chapter where and how to change the passwords apart from User
Management.
“Security measures” on page 363
This chapter gives a brief overview of the security measures used in TCP.
“Configuration of the TCP certificate user” on page 365
This chapter describes the settings for the certificate user which is used for
impersonation and security settings.
“Security settings for TCP Application Server” on page 367
This chapter describes the security settings for TCP Application Server.
“Configuration for a Web proxy server” on page 371
This chapter describes the required settings if you want to use a Web proxy
server for TCP.
1 For details refer to section 1.2.5 "Access control" in Open Text Transactional Content Processing - System Overview Guide
(TCP100001-GGD).
Important
The membership in a revokee group overrules memberships in the
corresponding grantee groups and the permissions granted by ownership or
the ACL of an entity. For example, if a user is member of the
DisposeRevokees group, the user has no permission to delete any entity
even if the user is member of the DisposeGrantees group.
Note: The revokee groups are only available if patch UMS-1001-001 or higher
is installed on your system.
BizEffectiveUser_default
Purpose TCP project standard user
Permissions – The effective user represents the actual user for the
evaluation of static permissions if dynamic permissions are switched
on. This concept (including effective and represented users) is
explained in section 10.4.1 "Understanding dynamic permissions" in
Open Text TCP Modeler - Customization Guide (TCP100001-CGD).
To toggle between static and dynamic permissions mode, use the key
adc.config.onBehalfOf in ADC.properties. The default is true,
that is dynamic permissions are used.
DMSAdmin
Purpose Administrator logon for TCP Context Server and Transactional Con-
tent Processing.
Description This user must be added to the RetentionUsers group to perform
the retention jobs. For details, see “Using jobs to perform
administrative tasks” on page 190.
This logon is also used for scheduling the execution of scripts on TCP
Context Server. For details, see “Using jobs to perform administrative
tasks” on page 190.
DMSALDefaultUser
Purpose Standard user of the ArchiveLink interface.
Description This is the user defined by default for accessing TCP Context Server
documents via the ArchiveLink protocol.
You define the access separately for each logical archive. For details,
see “Managing access for ArchiveLink calls” on page 186.
DMSCustomizer
Purpose Standard user for customizing TCP projects.
Description This user is to be used for:
• Logging on to TCP Modeler as the customizer.
• Logging on to the TCP Context Server administration as the cus-
tomizer for the Form Info Maintenance and ACL Mapping for
Content Protocol functionality.
FilterUser
Purpose The user who applies the filters.
Description This user is an internal system user.
IndexingWQ
Purpose An artificial user that is used internally to address a shared work
queue.
Description IndexingWQ is the standard user for a shared work queue.
You must create additional users for each work queue.
FulltextUser
Purpose The user who applies the fulltext operations.
Description This user is an internal system user.
ProcessService
Purpose Enterprise Process Services user.
Description This user is used for routing work items and also for accessing
document metadata during routing.
RenderUser
Purpose The user who applies the render functionality.
Description This user is an internal system user.
RMAdmin
Purpose The system user who applies the Records Management functionality.
Description This user creates, processes and finally deletes Records Management
jobs.
Then, the user must change this new password at next logon because of security
reasons. For more information, see section 3.2.3 "Changing the password" in Open
Text Transactional Content Processing - User Guide (TCP100001-UGD).
The property pwdNeverExpired of the standard users is has already been set to
true. Therefore, it is not necessary to set an explicit expiration date.
Note: Passwords are always encrypted when they are stored. The encryption
happens automatically except for the BizDPUser user.
BizDPUser
Locations of password
TCP Document Pipelines server (this is the computer where TCP Document
Pipelines are installed).
Directory: %ECM_DOCUMENT_PIPELINE_CONF%/config/setup
Files:
• DMSDP.Setup
Parameter: DMS_PASSWORD
• DT_INBOX.Setup
Parameter: BIZ_PASSWORD
Changing the password in specific locations
1. Log on to the TCP Document Pipelines server.
2. Open a command prompt.
3. Execute cd <TCP Pipeline install dir>/bin.
4. Encrypt the password by executing enc - <new password>.
As a result, the password is encrypted with two different algorithms,
resulting in two different encrypted versions for your password. The two
versions are displayed, for example:
<E0607E62214DD890>
<irokWj7rpDw=>
The first line is encrypted with the idea algorithm, the second with the
blowfish algorithm.
Note: Use only the encrypted password in the second line that is
encrypted with the blowfish algorithm.
5. Copy the second line and replace the following two parameters by the
encrypted password in the second line:
• DMS_PASSWORD in the DMSDP.Setup file
BizEffectiveUser_default
Locations of password
TCP Configuration on every project page
Changing the password in specific locations
1. Log on to TCP Configuration.
2. For every deployed project, edit this project and set the new password.
For more information about editing projects, see “Managing projects” on
page 136.
3. Reload the configuration of all TCP applications. For more information,
see “Projects overview” on page 135.
DMSAdmin
Purpose: Administration of TCP Context Server
Location of password
TCP Context Server configuration, configuration package DMSCORE.
Changing the password in specific locations
1. Log on to the TCP Context Server configuration Web GUI using the
URL
http://<TCP Context Server>:<port>/archive_config. For more
information, see “Re-configuring TCP Context Server via
configuration packages” on page 223.
2. Click the configuration package DMSCORE. For more information,
see “Configuring Context Server (DMSCORE)” on page 232.
3. Set the new password for the administrator.
4. Restart TCP Context Server.
Purpose: dmsremotecmd
Location of password
On the Archive Server in the DMSREMOTECMD.Setup file. This file is located
in the <AS-config>/config/Setup directory. The path for the <AS-
config> directory is specified in the 10AS.conf file. The 10AS.conf file
location depends on the operating system:
• Windows: C:\Documents and Settings\All Users\Application
Data\Open Text\conf_dirs
• UNIX: /etc/opentext/conf_dirs
A sample path for the DMSREMOTECMD.Setup file is
C:\Documents and Settings\All Users\Application Data\Open
Text\Archive Server 9.7.1\config\Setup\DMSREMOTECMD.Setup.
The first line is encrypted with the idea algorithm, the second with
the blowfish algorithm.
Note: Use only the encrypted password in the second line that is
encrypted with the blowfish algorithm.
5. Copy the second line (containing for example irokWj7rpDw=) and
replace the parameter DMS_PASSWORD in the DMSREMOTECMD.Setup file
by the encrypted password in the second line. Example for an entry in
the DMSREMOTECMD.Setup file:
# TCP ContextServer USER PASSWORD
DMS_PASSWORD=irokWj7rpDw=
FilterUser
Location of password
TCP Context Server configuration, configuration package FILTER.
Changing the password in specific locations
1. Log on to the TCP Context Server configuration Web GUI using the URL
RMAdmin
Location of password
TCP Context Server configuration, configuration package RM.
Changing the password in specific locations
1. Log on to the TCP Context Server configuration Web GUI using the URL
General settings
• Name: bpmcertuser
• Display name: bpmcertuser
• Mail: bpmcertuser@opentext.com
• Password: Password of the certificate user
Property settings
• userCertificateBinary (type: long string):
Copy and insert the public key which is stored in the file bpmPublicKey.txt,
located in directory <TCPAppHome>\custom (for details, see section 7.1
"Installing and configuring TCP Application Server" in OpenText Transactional
Content Processing - Installation Guide (TCP-IGD)).
• unlimitedCertificate (type: boolean): true
Tips:
• If the expiration date is exceeded, generate a new certificate.
• A certificate is generated, if the old (<TCPAppHome>\custom) was deleted. A
rebuild and deployment of the TCP application is needed, see “Rebuilding
and deploying of the TCP application” on page 169.
Tips:
• To enable SSL, see “General project settings” on page 138.
• For details on configuring Single Sign-On, see “Configuring Single Sign-On
(SSO) for PDMS UI” on page 142.
The available settings are described here. The name of the parameter in the
ClientIxosCrypto.properties file is given in brackets.
Important
Do not use ixosdemo.store in a productive environment. This store is
for test certificates only. ixosdemo.store is located on the TCP CD-ROM
in the templates\sec directory. You can copy it to the custom.jar
directory (see “Configuring an additional certificate store” on
page 173)
Value Description
The name of a certificate store file in the A certificate store file with this name
classpath. must be located in the classpath e.g. in
the custom.jar (see “Configuring an ad-
ditional certificate store” on page 173)
created during installation or rebuild of
TCP application EAR. If it is located in the
root directory and its name is
bpmcert.store, the setting must be iden-
tical to the filename.
Value Description
The name of a key store file in the A key store file with this name must be
classpath. located in the classpath e.g. in the
custom.jar (see “Configuring an addi-
tional certificate store” on page 173) cre-
ated during installation or rebuild of TCP
application EAR. If it is located in the root
directory and its name is bpmcert.store,
the setting must be identical to the file-
name.
Value Description
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA Non-exportable cipher suite.
SSL_RSA_WITH_3DES_EDE_CBC_SHA Non-exportable cipher suite.
SSL_RSA_WITH_RC4_128_MD5 Non-exportable cipher suite.
SSL_RSA_WITH_RC4_128_SHA Non-exportable cipher suite. Default
value.
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 Exportable cipher suite. (Does not comply
with the security standards.)
SSL_RSA_EXPORT_WITH_RC4_40_MD5 Exportable cipher suite. (Does not comply
with the security standards.)
Value Description
deny Deny access to the server. The certificate
of the server has to be provided in the
TCP certificate store (default value).
user_check Ask the user to check the certificate. This
is not recommended in a server infra-
structure.
no_check Ignores server certificate.
• http://<application server>:<port>/TCP
• http://<application server>:<port>/tcp_al
• http://<application server>:<port>/tcp
<ContextTomcatHome>
Path of the root directory of the Tomcat installation where you installed TCP
Context Server
<ContextHost>
Name of the computer where TCP Context Server is installed
<ContextPort>
HTTP port of TCP Context Server, usually 18080
<ContextSslPort>
– HTTPS/SSL port of TCP Context Server, usually 18090
<UmsHost>
Name of the computer where User Management Server is installed
<UmsPort>
HTTP port of User Management Server, usually 18080
<UmsSslPort>
HTTPS/SSL port of User Management Server, usually 18090
<UmsTomcatHome>
– Path to the Tomcat installation where you installed User Management Server.
<TomcatHome>
Path to Tomcat installation directory of either TCP Context Server and User
Management Server. This variable is used in chapters where the description is
appropriate both.
<JavaHome>
Path to Java 5 installation
<TCPAppHome>
Path to the TCP application installation (not the JBoss installation itself).
<TCPAppHost>
Name of computer where TCP Application Server is installed. If you are using a
cluster, it is the host name of the load balancer.
<TCPAppPort>
HTTP port of TCP Application Server. For JBoss it is usually 38080 or, more
generally, <OTPortBindingNumber>8080. In a cluster, it is the HTTP port of the
load balancer.
<OTPortBindingNumber>
Number of the port binding you selected during the installation of TCP, see
“Custom TCP installation directory” on page 167
<TCPAppSslPort>
HTTPS/SSL port of TCP Application Server. For a single JBoss, it is usually
38443 or, more generally, <OTPortBinding-Number>8443. In a cluster, it is the
HTTPS port of the load balancer.
<JBossHome>
– Path to the directory where JBoss is installed.
<JBossInstance>
– Directory name of the JBoss server configuration. The full path is
<JBossHome>\server\<JBossInstance>.
For Unix:
<JavaHome>/bin/keytool -genkey -alias tomcat -sigalg
SHA1withRSA -keyalg RSA -keystore <TomcatHome>/conf/.keystore
Important
Before you can export the certificate, you must execute the steps of the
previous section, see “Configuring Apache Tomcat for SSL” on page 375
For the following secure connections, execute the steps in this section for the Tomcat
where User Management Server is installed:
• TCP Context Server and User Management Server
• TCP Application Server and User Management Server
For the following secure connections, execute the steps in this section for the Tomcat
where TCP Context Server is installed:
• TCP Application Server and TCP Context Server
In all other cases you can skip this chapter and proceed with “Configuring SSL
communication between TCP Web Client and TCP Application Server” on page 389.
For Unix:
<JavaHome>/bin/keytool -export -alias tomcat -file
<CertificateFile> -keystore <TomcatHome>/conf/.keystore -
storepass <YourStorePassword>
set "CATALINA_HOME=<ContextTomcatHome>"
set "ARCHIVE_LIB=%CATALINA_HOME%\webapps\archive\WEB-
INF\lib"
set "TOMCAT_LIB=%CATALINA_HOME%\common\lib"
set
"CLASSPATH=%CLASSPATH%;%ARCHIVE_LIB%\log4j.jar;%TOMCAT_LIB%
\iaik_jce_full.jar;%ARCHIVE_LIB%\ixosBase.jar;%ARCHIVE_LIB%
\jiaik.jar"
For Unix:
CATALINA_HOME=<ContextTomcatHome>
export CATALINA_HOME
ARCHIVE_LIB=$CATALINA_HOME/webapps/archive/WEB-INF/lib
export ARCHIVE_LIB
TOMCAT_LIB=$CATALINA_HOME/common/lib
export TOMCAT_LIB
CLASSPATH=$CLASSPATH:$ARCHIVE_LIB\log4j.jar:$TOMCAT_LIB\iai
k_jce_full.jar:$ARCHIVE_LIB\ixosBase.jar:$ARCHIVE_LIB\jiaik
.jar
export CLASSPATH
set "JAVA_HOME=<JavaHome>"
For Unix:
JAVA_HOME=<JavaHome>
export JAVA_HOME
iv. Execute the following command for each User Management Server
Tomcat certificate:
For Windows:
"%JAVA_HOME%\bin\java
ixos.sec.crypto.tools.Configurator"-import cert -
storage_file
"%CATALINA_HOME%\webapps\archive\config\setup\ixoskeys.stor
e" -input_file <CertificateFile> -alias <Alias>
For Unix:
$JAVA_HOME/bin/java ixos.sec.crypto.tools.Configurator -
import cert -storage_file
$CATALINA_HOME\webapps\archive\config\setup\ixoskeys.store
-input_file <CertificateFile> -alias <Alias>
5. Configure the certificate store in TCP Context Server, which contains the trusted
certificates, that is the certificates which are allowed for SSL. Configure this in
the IxosCrypto.properties file. For a TCP Context Server cluster, do this for
each server.
For a User Management Server cluster, the list must contain a SSL URL for
each cluster node.
Remove the non SSL URLs, starting with http://, if all clients may only
access User Management Server over SSL. In this case, you must also
change the “UMS Connect URL” on the same page on each cluster node to
the respective SSL URL. for example
https://<UmsHost>:<UmsSslPort>/ums/soap.
In case of a User Management Server cluster, the list must contain a SSL
URL for each cluster node.
d. In the Protocol field, select https.
e. Save your changes and log out.
8. Restart User Management Server and TCP Context Server.
9. Verify that the application works:
a. Open the URL https://<UmsHost>:<UmsPort>.
The Tomcat administration page displays. If it does not work, check the
following:
• Syntax error in the <UmsTomcatHome>\conf\server.xml file? Validate
the XML structure.
• Configuration error in the <UmsTomcatHome>\conf\server.xml file?
Check the Tomcat server log files in <UmsTomcatHome>\logs for details.
b. Open the URL https://<UmsHost>:<UmsSslPort>.
The Tomcat administration page displays. If it does not work, check the
following:
• Configuration error in the <UmsTomcatHome>\conf\server.xml file?
Check the Tomcat server log files in <UmsTomcatHome>\logs for details.
c. After the server has started, verify that the User Management Server log file
contains no ERROR or ixos.sec.sso.CheckerException entries. The path
of the log file is <TomcatHome>\webapps\ums\WEB-INF\log\ums.log.
d. After the server has started, verify that the TCP Context Server log file
contains no ERROR or ERR entries. The path of the log file is
<TomcatHome>\webapps\archive\WEB-INF\log\ixdms.log.
If the SSL URL is wrong, the following message appears in the log file:
ixos.sec.um.UserMgmtException: (JSEC:02053) The given list of
connectStrings is invalid: initial-connection to cluster could
not be established through [https://myhost:18099/ums/soap].
For Windows:
set "TCP_HOME=<TCPAppHome>"
set "COMMON_LIB=%TCP_HOME%\base\staging\jars\common"
set "BASE_LIB=%TCP_HOME%\base\lib"
set
"CLASSPATH=%CLASSPATH%;%COMMON_LIB%\log4j.jar;%BASE_LIB%\ia
ik_jce_full.jar;%COMMON_LIB%\ixosBase.jar;%COMMON_LIB%\jiai
k.jar"
For Unix:
TCP_HOME=<TCPAppHome>
export TCP_HOME
COMMON_LIB=$TCP_HOME/base/staging/jars/common
export COMMON_LIB
BASE_LIB=$TCP_HOME/base/lib
export BASE_LIB
CLASSPATH=$CLASSPATH:$COMMON_LIB/log4j.jar:$BASE_LIB/iaik_j
ce_full.jar:$COMMON_LIB/ixosBase.jar:$COMMON_LIB/jiaik.jar
export CLASSPATH
iii. Execute the following command for each User Management Server
Tomcat certificate:
For Windows:
<JavaHome>\bin\java ixos.sec.crypto.tools.Configurator -
import cert -storage_file <TCPAppHome>\custom\bpmcert.store
-input_file <CertificateFile> -alias <Alias>
For Unix:
<JavaHome>/bin/java ixos.sec.crypto.tools.Configurator -
import cert -storage_file <TCPAppHome>/custom/bpmcert.store
-input_file <CertificateFile> -alias <Alias>
copying the certificate. For a TCP Context Server cluster, copy all
certificates.
b. Backup the <TCPAppHome>\custom\bpmcert.store file.
c. Import the certificate into the certificate store:
i. Open a command prompt.
ii. Specify the CLASSPATH environment variable:
For Windows:
set "TCP_HOME=<TCPAppHome>"
set "COMMON_LIB=%TCP_HOME%\base\staging\jars\common"
set "BASE_LIB=%TCP_HOME%\base\lib"
set
"CLASSPATH=%CLASSPATH%;%COMMON_LIB%\log4j.jar;%BASE_LIB%\ia
ik_jce_full.jar;%COMMON_LIB%\ixosBase.jar;%COMMON_LIB%\jiai
k.jar"
For Unix:
TCP_HOME=<TCPAppHome>
export TCP_HOME
COMMON_LIB=$TCP_HOME/base/staging/jars/common
export COMMON_LIB
BASE_LIB=$TCP_HOME/base/lib
export BASE_LIB
CLASSPATH=$CLASSPATH:$COMMON_LIB/log4j.jar:$BASE_LIB/iaik_j
ce_full.jar:$COMMON_LIB/ixosBase.jar:$COMMON_LIB/jiaik.jar
export CLASSPATH
d. Execute the following command for each TCP Context Server Tomcat
certificate:
For Windows:
<JavaHome>\bin\java ixos.sec.crypto.tools.Configurator -import
cert -storage_file <TCPAppHome>\custom\bpmcert.store -
input_file <CertificateFile> -alias <Alias>
For Unix:
<JavaHome>/bin/java ixos.sec.crypto.tools.Configurator -import
cert -storage_file <TCPAppHome>/custom/bpmcert.store -
input_file <CertificateFile> -alias <Alias>
b. In the field TCP Context Server Protocol activate https as protocol for the
communication with TCP Context Server.
c. For a TCP Context Server cluster do this for each server within the cluster.
d. Save your changes.
6. Only for AIX and WebSphere – Configure the IAIK Security Provider, see “For
Websphere/AIX only: Configuring IAIK Security Provider” on page 393. In a
cluster, do this for each server.
7. Restart TCP Application Server.
8. Login to TCP GUI to verify if the application works.
For Unix:
<JavaHome>/bin/keytool -genkey -alias jboss -sigalg
SHA1withRSA -keyalg RSA -keystore
<JBossHome>/server/<JbossInstance>/conf/.keystore
Example:
b. Specify the path to the keystore file (attribute keystoreFile) and the
keystore password (attribute keystorePass). Add the following lines (for
example by uncommenting similar lines).
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
emptySessionPath="true"
keyAlias="jboss"
keystorePass="<YourKeystorePassword>"
keystoreFile="${jboss.server.home.dir}\conf\.keystore"/>
The results depends on the version of Internet Explorer that you use.
Internet Explorer 7 and 8 – The web page with the following message opens:
“There is a problem with this website's security certificate”.
Internet Explorer 6 – The Security Alert window opens because your browser
does not the consider the certificate as a trusted SSL certificate. .
2. Depending on the Internet Explorer version, proceed as follows:
For Internet Explorer 7 and 8:
a. Click Continue to this website.
b. Click the Certificate Error label to the right of the address bar.
c. Click View certificates. The Certificate dialog opens.
For Internet Explorer 6: ClickView certificate. The Certificate dialog opens.
3. Export the certificate:
a. On the Details tab, click Copy to File. The Certificate Export wizard opens.
Click Next.
b. Select DER encoded binary X.509 (.CER) and click Next.
c. Specify the file name for the certificate you want to export (for example
C:\mycert.cer) and note the path and file name. You will need it in a later
step for copying the certificate.
d. Click Next. On the last page, click Finish. The Certificate Export wizard
closes.
4. In the Certificate dialog, click OK.
5. Internet Explorer 6 only – In the Security Alert window, click Yes if you trust
that certificate and want to see the pages that are hosted on your JBoss
application server.
al.tcp_al.url=https://<TCPAppHost>:<TCPAppSslPort>/tcp_al/archive
In the case of a cluster the URL must point to the host and SSL port of the load
balancer.
5. Save your changes in the editor.
6. Save your TCP Modeler project.
7. Configure Web Viewer or Java Viewer configured for TCP Web UI to use SSL.
You must register the certificate you exported from TCP Application Server (see
Section 45.7.2) as trusted certificate in the viewer you are using.
For details, see OpenText Imaging Viewers and DesktopLink - Configuration Guide
(CL-CGD).
d. In the <client> element, for each <endpoint> element, replace the first part
of the address attributes values by the SSL URL of TCP Application Server.
Afterwards the addresses begin with https:/<TCP
AppHost>:<TCPAppSslport>.
1. Get an appropriate certificate. You can obtain server certificates from an outside
certification authority (CA), or you can issue your own server certificates by
using Microsoft Certificate Services.
2. Create an HTTPS binding on a site.
3. Test the SSL connection by creating a request to the site.
4. Optionally configure SSL options, for example making SSL mandatory.
For a detailed description for enabling SSL for IIS 7 on Windows Server 2008, refer
to the Microsoft article “How to Setup SSL on IIS 7” at
http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/.
For a detailed description for enabling SSL for IIS 6 on Windows Server 2003, refer
to the Microsoft article “Using SSL to Encrypt Confidential Data” at
http://technet.microsoft.com/en-us/library/cc738495%28WS.10%29.aspx.
to
security.provider.1=iaik.security.provider.IAIK
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
Important
Keep in mind that the application server or cluster must be restarted after
signed URLs are configured.
to:
security.provider.1=iaik.security.provider.IAIK
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
set CLASSPATH=<TCP_CD>/tools/putcert/putcert.jar
where <authId> is the name of the new default user (do not use an existing
user name) and <contRep> is the name of the archive.
6. In User Management Client:
a. Make sure that a user is created with the name <authId>.
b. Add the property invalidationPeriodMinutes and modify the property
ixPwdExpires. Use the same values as set for the user
BizEffectiveUser_default.
• In case of AIX:
iaik.security.provider.IAIK
9. In the file ADC.properties of your TCP Modeler project, create or edit these
entries:
adc.config.onBehalfOf=true
adc.alurl.mode=DMS
adc.alurl.baseurl = http://<Context Server name>:<port>/archive
adc.signurl.on=true
adc.signurl.validity.seconds=300
adc.signurl.signer=<authId>
_internal domain
Each organization has a domain known as _internal. All principals except
external and referenced principals belong to this domain.
ROOT area
ROOT is the base administration area to administer User Management Server.
ROOT administrators have global access rights. A second organization exists in
parallel to ROOT. Only administrators can log on to ROOT.
Admins
Admins is a virtual group of principals that has a special relationship to an
organization object. Administrators have full access to all objects within their
organization. ROOT administrators have full access to all objects in User
Management.
Certificate user
A certificate user holds a certificate and usually represents an application user
who provides SSO access tokens, such as SAP NetWeaver Portal
Department
Departments are hierarchical grouping structures. Departments can contain
positions, superiors and departments.
Domain
A domain represents an external user name space in the sense of a Windows
domain, or a part of an LDAP directory. Principals in a domain are addressed in a
specific way. Specific attributes of a domain's principal are mapped to the
internal equivalent.
Group
A group is a group of principals. Groups can contain users and other groups.
Organization
User Management is grouped with this structure element in independent parts.
Clientele processing means that users or administrators of an organization may
know about the existence, but not the content, of another organization. Principals
of one organization cannot be referenced in a different organization.
Position
A position describes the function of a user in departments.
Position in department
A position in department builds up the relationship between a user and a
department. It can contain one user or no user, and a role is assigned.
Principal
A principal is an object in the user management system that can be referenced for
authorization and access control. The following objects are principals:
• user
• group
• department
• security group
• project
• role
• position
• position in department
• position in department in project
Projects
Projects are a hierarchical grouping structure. Projects can hold positions in
departments and in projects.
Referenced user/group
A referenced user or group is an external user or group with an internal
reference, a unique identifier. External principals are only referenced on
demand.
• Referenced principals can become members of internal principals for
application specific grouping.
• Free attributes can be set on referenced principals.
Role
Roles can be assigned to the principals “Position in department” and “Position in
department in project”.
Securities
In User Management Client security groups with assigned users are created for
TCP Service.
SSO
See: Single Sign-On (SSO)
Superior
• Superior can be assigned to Departments, Projects and Positions in ....
• Superior is always a Position in department.
• The superior relationship is only evaluated by TCP Service.
• The superior of a Position in ... is found by searching the hierarchy
upwards till the first hit.
User
A user is a principal who is able to access applications. A user can be
authenticated and has identification and authorization information.
F I
Files Icons
ATTRIBUTES 314 reference 109
doctodms_stored_docs.txt 315 Import certificates 188
IXATTR 314 Inbox
META_DOCUMENT_INDEX 314 DocTool 315
Filter conditions Indexing scenario
adding 68 permissions 325
editing 69 Inflight changes
searching with 70 connecting class 97
Filter fields process class 97
reference 110 re-link instances 101
Filter section 33 Rre-link exceptions 102
Filtering Internet Information Services (IIS) Manager
process classes, process instances and settings
work items 68 SSO configuration on TCP Web Client
Filters 303
User ManagementClient 248 ISO image
Folder permissions Product ISO image 24
SSO configuration on TCP Web Client
306 J
Fulltext indexing Java Viewer URL
Error 207 configuring TCP Web Client 296
JBos
G SSL configuration 387
General project settings 138 JBoss
Grantee groups 346 Signed URLs 395
Graph 37 Jobs
process class 52 creating 84
Groups deleting 91
add new group 266 displaying 84
assigning users or groups 267 editing 92
disable 268 starting 91
Grantee groups 346 stopping 91
managing parameters 290 Jobs (TCP Context Server) 190
reference 263 delete after retention period 191
Revokee groups 346 manual 190, 197
standard 345 pipeline enqueueing 191
Groups (external) purge 191
referencing in TCP 263 reindex for fulltext index 191
K N
Kept after Purging (Max Number) Navigation tree 33
jobs (TCP Context Server) 196 NTLM settings 144
Key management of archive server 187 Number of items per page 42
Keywords
BIZ_APPLICATION 318 O
BIZ_DOC_RT_GROUP 318 Open Text TCP certificates 342
BIZ_DOC_RT_USER 318 Open Text TCP projects 135
BIZ_ENCODING_BASE64_UTF8N 318 Management 136
BIZ_PLG_EVENT 318 Open Text TCP security settings 342
BIZ_REG_INDEXING 318 Opening
DMS_DOCID 318 project 45
DMS_DOCTYPE 315 OpenText Online 26
DOCID 314 Oracle RAC
IXATTR_ENCODING 314, 315 Data source 227
PILE_INDEX 318 Order of columns
TCP 318 changing 39
TCP Context Server 315 Organization structure (hierarchical)
defining 270
L Organizations
Large uploads 295 managing parameters 287
LDAP directory server Out of office functionality (activating) 294
domain configuration 280
LDIF enrichment provider P
configuring 280 Paging and sorting search results 35
List area 33 Password
Livelink ECM – Enterprise Server changing password of User
domain configuration 279 ManagementServer 266
Log file configuration settings 40
configuring TCP Web Client 298 TCP Context Server 238
Log on User ManagementServer 278
Process Administrator 31 PDMS Web Client Single Sign-On
Logging 145 See “PDMS Web Client SSO”
log levels 199 PDMS Web Client SSO
Logging directories configuration 142
User ManagementServer 274 Permissions 40
Logging on to a system 44 indexing scenario 325
process class 48, 52
M Pipeline enqueueing
Members jobs (TCP Context Server) 191
Display 257 Pipelines
Menu bars 33 CODMS 311
Meta documents 314 CODMSR3 311
Monitoring 145 EXDMS 311
V
Viewers
configuring 296
Viewing
attributes of process classes 51
attributes of process instances 55
attributes of work items 61
properties of work items 62
W
Web proxy server
configuration 371
Web Viewer URL
configuring TCP Web Client 296
web.config
installing multiple TCP Web Clients 306
large uploads 295
log file configuration 298
out of office configuration 294
SSO configuration on TCP Web Client
303
viewer URL configuration 296
Windows Viewer
configuring TCP Web Client 296
Work items
audits 60
changing status 58
comments 63
displaying 58