Friday, July 19, 2013

Authentication failed for user DMC_WDK_PRESETS_OWNER with docbase XXXXXXX

  • The default password for the user is 'webtop'. Check whether that is the password currently set.
    If it is not, you can reset it, because the user is defined with an inline password.

     Enabling the BOF Global Registry
    ===================================
    The following section outlines the steps required to enable the BOF Global Registry using the Documentum Administrator (DA) application.
    -Log into Documentum Administrator (DA) as an Administrator in the Repository where you want to enable TBO/SBO functionality.
    -In Classic view, in the tree, click on the Administration node. In the page that appears, under the heading "User Management", click on "Search for Users".
    -Search for the following user: 'dm_bof_registry' (enter this value next to the User Name label, and click Search).
    -View the properties of this user 'dm_bof_registry' (click the (i) icon).
    - The properties page will appear. On the properties page, ensure the following options are set to these values:
      User State: Active
      User Source: Inline Password
      Restrict Folder Access: System
    - For security purposes, change the default password (make a note of the new password).
    - Click OK on the 'dm_bof_registry' user 'Properties' page

Wednesday, July 17, 2013

Troubleshoot the BOF user setup to allow connecting to a Global Repository/ Global Registry

Symptoms
Need to troubleshoot the BOF user setup to allow connecting to a Global Repository/ Global Registry.

Cause
Trouble using BOF (TBOs/SBOs) or version 6 web clients can be caused by incomplete or incorrect configuration.

Resolution
To use BOF (TBO/SBO) requires that at least one of your Repositories be designated as the BOF Global Registry. Each Application Server must identify the BOF Global Registry it will use via the dfc.properties file.

There are two parts to setting up the BOF Global Registry:
1) making sure the dm_bof_registry Repository user is active.
2) making sure that the dfc.properties file on each of your Application Servers correctly references the Repository that is acting as the BOF Global Registry and lists the correct user information for the dm_bof_registry user.

1. Verifying that a Repository is the BOF Global Registry:
===================================
-Using Documentum Administrator (DA), log into the Repository that should be the BOF Global Registry, using an administrator account.
-In Classic view, in the left navigation tree, click on the Administration node. In the page that appears, under the heading "User Management", click on "Search for Users".
-Search for the following user: 'dm_bof_registry' (enter this value next to the User Name label, and click Search).
-View the properties of this user 'dm_bof_registry' (click the (i) icon).
-Make note of the user's 'State' and 'User Login Name'.
If the user State is 'Inactive', then this Repository is not the BOF Global Registry. To make this Repository the BOF Global Registry, follow Steps 2-4.
If the BOF Global Registry user is 'Active', you need to verify some information in your dfc.properties file on your Application Server(s).
From the Application Server machine, locate the dfc.properties file.
Open this file in any text editor. Ensure the following three attributes are set in the dfc.properties file:
  dfc.bof.registry.repository =
  dfc.bof.registry.username =
  dfc.bof.registry.password =
Without the above three entries, the BOF Global Registry will not be set.
If these entries are missing or values are not complete, you will need to add and populate these values.  See the following steps for more details.

2. Enabling the BOF Global Registry
===================================
The following section outlines the steps required to enable the BOF Global Registry using the Documentum Administrator (DA) application.
-Log into Documentum Administrator (DA) as an Administrator in the Repository where you want to enable TBO/SBO functionality.
-In Classic view, in the tree, click on the Administration node. In the page that appears, under the heading "User Management", click on "Search for Users".
-Search for the following user: 'dm_bof_registry' (enter this value next to the User Name label, and click Search).
-View the properties of this user 'dm_bof_registry' (click the (i) icon).
- The properties page will appear. On the properties page, ensure the following options are set to these values:
  User State: Active
  User Source: Inline Password
  Restrict Folder Access: System
- For security purposes, change the default password (make a note of the new password).
- Click OK on the 'dm_bof_registry' user 'Properties' page.

3. Verifying the dfc.properties file
====================================
On each Application Server, locate the dfc.properties file. Open this file in any text editor. Ensure the following three attributes are set in the dfc.properties file:
  dfc.bof.registry.repository =
  dfc.bof.registry.username =
  dfc.bof.registry.password =
Without the above three entries, the BOF Global Registry will not be set.
Note: The password supplied in the entry 'dfc.bof.registry.password' must be consistent with the password provided when setting the 'dm_bof_registry' password via Documentum Administrator (DA). The password must also be encrypted. For information on how to encrypt the password, see the next section in this document, entitled 'Encrypting Passwords for the dfc.properties file'.

4. Encrypting Passwords for the dfc.properties file
===================================================
The password provided in the 'dfc.properties' file must be encrypted. A utility is provided to encrypt this password. The following section outlines the steps required to invoke the password utility program to encrypt a password.
From a command prompt, go to the $DOCUMENTUM_SHARED/config folder and execute the following:
    java com.documentum.fc.tools.RegistryPasswordUtils <password>
Note: If you are using Java methods that use the TBOs/SBOs, you will also need the following entries in the %DM_Home/config/dfc.properties file:
  dfc.bof.registry.repository =
  dfc.bof.registry.username =
  dfc.bof.registry.password =
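
The checks from sections 1 and 3, run over the dfc.properties files of several servers, as an added example (not part of the original post and not EMC/Documentum code). It reports missing or empty dfc.bof.registry.* entries, servers that point at different registries, and a password stored in clear text. The server labels, sample values and the known_plaintext parameter are assumptions of this example.

```python
# Added example: audit the BOF registry entries of several dfc.properties files.
# Server labels and all sample values below are constructed.
REQUIRED = ("dfc.bof.registry.repository", "dfc.bof.registry.username",
            "dfc.bof.registry.password")

def parse_properties(text):
    """Parse the plain key=value / key:value subset of Java .properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":            # blank line or comment
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut > 0:                                # split on the first separator only
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def audit_bof_registry(files, known_plaintext=()):
    """files: {server label: file text}; known_plaintext (assumption): clear-text
    passwords the admin knows and that must never appear in the file."""
    findings, seen = [], {}
    for server in sorted(files):
        props = parse_properties(files[server])
        for key in REQUIRED:
            value = props.get(key, "")
            if not value:
                findings.append(f"{server}: {key} is missing or empty")
            elif not key.endswith(".password"):
                seen.setdefault(key, {}).setdefault(value, []).append(server)
            elif value in known_plaintext:         # report the key, never the value
                findings.append(f"{server}: {key} is stored in clear text")
    for key, by_value in seen.items():
        if len(by_value) > 1:                      # servers disagree on registry or user
            detail = "; ".join(f"{v} on {','.join(s)}" for v, s in sorted(by_value.items()))
            findings.append(f"{key} differs: {detail}")
    return findings

SAMPLE = {  # constructed file contents
    "cs01": "dfc.bof.registry.repository=repo_global\n"
            "dfc.bof.registry.username=dm_bof_registry\n"
            "dfc.bof.registry.password=Q29uc3RydWN0ZWQ=\n",
    "web01": "# webtop\ndfc.bof.registry.repository = repo_global\n"
             "dfc.bof.registry.username = dm_bof_registry\n"
             "dfc.bof.registry.password = ChangeMe123\n",
    "web02": "dfc.bof.registry.repository = repo_old\n"
             "dfc.bof.registry.username = dm_bof_registry\n",
}
```

Call audit_bof_registry(SAMPLE, known_plaintext={"ChangeMe123"}) to see the three findings for the constructed files; an empty list means every file carries all three entries and the servers agree on repository and user.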

 =================================================== 

Thursday, July 11, 2013

SSO Configuration in Documentum 6.7

SSO Configuration

1) User Creation
Create these two users: <DocumentumHTTP> and <DocumentumCS>
Check:
Use Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption.
2) Create Keytab
2.1) Keytab used by the Content Server

ktpass /pass <PWD_CS> -out <repository_name>.0001.keytab -princ CS/<repository_name>@<FQDN> -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser <DocumentumCS>@<FQDN>

2.1.1) From AD User Properties, update Delegation for user <DocumentumCS>
Check: Trust this user for delegation to any service (Kerberos only)
2.1.2) Copy this keytab file, <repository_name>.0001.keytab, under \\<CS_ServerName>\%DOCUMENTUM%\dba\auth\kerberos\
2.2) Keytab used by all your web application.
C:\>ktpass /pass <PWD_HTTP> -out <DocumentumHTTP>.keytab -princ HTTP/<HTTP_ServerName>.<abc.itu.ch>@<ABC.ITU.CH> -crypto ALL +DumpSalt -ptype KRB5_NT_PRINCIPAL /mapOp set /mapUser <DocumentumHTTP>@<ABC.ITU.CH>
2.2.1) From AD User Properties, update Delegation for user <DocumentumHTTP>
Check: Trust this user for delegation to any service (Kerberos only)
2.2.2) Copy the keytab file under \\<HTTP_ServerName>\%CATALINA_HOME%\<DocumentumHTTP>.keytab
This path will be named <HTTP_KEYTAB_PATH>
B - From your Web Application Server
Web Application Server : <HTTP_ServerName>
Update file webapps\<taskspace>\wdk\app.xml
<!-- Kerberos SSO authentication scheme configuration -->
<kerberos_sso>
  <enabled>true</enabled>
  <browsers>
    <windows>
      <ieversions>6.0,7.0,8.0</ieversions>
      <firefoxversions>2.0,3.0,3.5</firefoxversions>
    </windows>
  </browsers>
  <!-- Enable login fall back to DocbaseLogin scheme -->
  <docbase_login_fallback>false</docbase_login_fallback>
  <!-- Mandatory configuration: Provide the kerberos realm / domain name. -->
  <domain><fqdn></domain>
</kerberos_sso>

We need to update the Linux /etc/krb5.conf file with the settings below:
[libdefaults]
default_realm = <ABC.ITU.CH>
forwardable = true
ticket_lifetime = 24h
clockskew = 72000
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
<ABC.ITU.CH> = {
kdc = <AD_ServerName>.<abc.itu.ch>
admin_server = <AD_ServerName>.<abc.itu.ch>
}
[domain_realm]
.<abc.itu.ch> = <ABC.ITU.CH>
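
An audit of the krb5.conf settings above, as an added example that is not part of the original post: it flags the single-DES and 3DES enctypes and a clockskew above the 300-second MIT krb5 default, and shows the enctype list with the deprecated entries removed. The realm EXAMPLE.TEST and the function names are constructed for this example; the enctype lists and the clockskew value are the ones from the post.

```python
# Added example (not from the original post): audit krb5.conf [libdefaults].
import re

# des-cbc-* is single DES (deprecated by RFC 6649); 3DES is deprecated by RFC 8429.
WEAK = {"des-cbc-crc": "single DES", "des-cbc-md5": "single DES",
        "des3-cbc-sha1": "3DES"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
DEFAULT_CLOCKSKEW = 300  # seconds; the MIT krb5 default

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit_krb5(text):
    """Return (setting, value, reason) tuples for weak settings."""
    lib, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS:
        for enc in re.split(r"[,\s]+", lib.get(key, "")):
            if enc.lower() in WEAK:
                findings.append((key, enc, WEAK[enc.lower()]))
    skew = lib.get("clockskew", "")
    if skew.isdigit() and int(skew) > DEFAULT_CLOCKSKEW:
        findings.append(("clockskew", skew, f"above the {DEFAULT_CLOCKSKEW} s default"))
    return findings

def strong_enctypes(value):
    """Return the enctype list with the deprecated entries removed."""
    return " ".join(e for e in re.split(r"[,\s]+", value.strip()) if e and e.lower() not in WEAK)

SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.TEST
clockskew = 72000
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
EXAMPLE.TEST = {
}
"""
```

audit_krb5(SAMPLE) returns seven findings for the constructed file, and strong_enctypes() reduces each of the post's enctype lists to aes128-cts, the one entry that is not deprecated.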

Tracing

Now we need to collect an additional trace from the WDK application.
1. Edit the following entries in <web-app-root>/WEB-INF/classes/log4j.properties:
log4j.rootCategory=ERROR, file
log4j.category.MUTE=OFF
# Enable trace messages from WDK:
log4j.logger.com.documentum.web=DEBUG
# stdout is a ConsoleAppender that uses a PatternLayout:
log4j.appender.stdout.threshold=ERROR
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p [%t] %c - %m%n
# file is a FileAppender that uses a PatternLayout:
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/tmp/wdktrace.log
log4j.appender.file.MaxFileSize=10500KB
log4j.appender.file.MaxBackupIndex=10
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=[%d{ISO8601}|%-5p|%-22t|%C|%M|%-4L] %m%n

This will send the trace to the "/tmp/wdktrace.log" file.

2. Edit the <web-app-root>/WEB-INF/classes/com/documentum/debug/TraceProp.properties file by modifying the following parameters:
- Set SESSIONENABLEDBYDEFAULT to true
- Set SESSION to true
- Set SESSIONHANDLE to true
3. Restart the application server.
4. Clear the browser cache.
5. Start the browser and log in to the WDK-based application.


Debugging

java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
This could mean that JBoss is not configured correctly for Kerberos SSO authentication.

Please attach the login-config.xml file from the JBoss Application Server.
Please provide the JAVA_OPTS used by JBoss 4.3 EAP.
Also provide the krb5.conf file from the Application Server host.

Additionally, try to enable the authentication trace on the Content Server and reproduce the issue.
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,T
Reproduce the issue.
API> apply,c,NULL,SET_OPTIONS,OPTION,S,trace_authentication,VALUE,B,F
Then attach the docbase log containing the authentication trace.

In Windows 7 we need to enable network security as mentioned in
docu33143_White-Paper--EMC-Documentum-Kerberos-SSO-Authentication-—-A-Detailed-Review.pdf


We need to apply patch08 on the Content Server to resolve the issue between the user_name and user_login_name.

How to Increase the search results in WEBTOP

To increase the number of search results in Webtop, configure the dfc.properties file.

Add the two entries below, set to the number of rows to be displayed:

dfc.search.maxresults_per_source=1000
dfc.search.maxresult=10000

DM_SESSION_E_CLIENT_AUTHENTICATION_FAILURE in docbase log

This sometimes happens during communication between the docbase and the docbroker, or after the server has been upgraded.

The solution is to remove or rename dfc.keystore.


[DM_SERVER_I_LISTENING] and [DM_SERVER_I_IPV6_DISABLED] in Content Server log

Cause
This is just an info message and will not impact any services. IPv6 is the next-generation Internet Protocol and the successor to IPv4. IPv6 provides a larger address space (128 bits) compared with the 32 bits of IPv4. The customer should check with the system admin to configure IPv6 for the host machine OS, if supported. IPv6 provides flexibility in allocating addresses and routing traffic, and eliminates the primary need for network address translation.

Resolution
If you still do not want to see the IPv6 warning message, you can disable it by adding the following entry to server.ini:

ip_mode=V4ONLY

Monday, July 1, 2013

JBOSS java.net.SocketException: Too many open files

When a user tries to move more than 1 GB to Webtop, this kind of error occurs on the JBoss server.

java.net.SocketException: Too many open files
at java.net.PlainSocketImpl.socketAccept(Native Method)
at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:396)
at java.net.ServerSocket.implAccept(ServerSocket.java:522)
at java.net.ServerSocket.accept(ServerSocket.java:490)
at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket(DefaultServerSocketFactory.java:61)
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:309)
at java.lang.Thread.run(Thread.java:722)

We experienced a similar error on RHEL 5 under moderate load.
It appeared that the default max open files limit is just 1024, which is too low.
Check: ulimit -n
Fix for current session: ulimit -n 102400

Persistent fix: run the following, then restart the session:
    echo "yourusername - nofile 102400" >> /etc/security/limits.conf