EMC® Documentum® eRoom
Version 7.4
Installation, Upgrade, and Configuration Guide
P/N 300-006-636 A02

EMC Corporation
Corporate Headquarters: Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com

Copyright © 2008 EMC Corporation. All rights reserved.
Published March 2008

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.

Revision History:
March 2008: Initial release.
March 2008: Revised PDF settings.

CONTENTS

Chapter 1: Pre-installation and Upgrade Requirements
    eRoom server versions
    Standard installation
    Advanced installation
    System requirements
    Port requirements
    Additional requirements for using eRoom 7 with Windows Cluster Services
    Additional requirements for eRoom Enterprise
    Additional requirements for eRoom integration with Information Rights Management (IRM)
    Additional requirements for eRoom 7 for Microsoft SQL Server
    Ensuring sufficient disk space
    Preparing to install
    Setting up an install account
    Setting up a File Server account
    Setting up a file server directory
    Installing the index server (Advanced installations only)
    Shutting down applications
    Selecting a web site

Chapter 2: Installing eRoom 7
    Installing eRoom 7 for SQL Anywhere
    Installing eRoom 7 for Microsoft SQL Server
    Additional Procedures for eRoom Enterprise
    Installing DFC on the eRoom 7 server
    Creating a dedicated eRoom 7 template folder
    Creating dedicated content server accounts
    Enabling use of Content Server by eRoom 7
    Installing Web Publisher on the eRoom server
    Configuring Web Publisher servers for use with eRoom
    Getting Started using eRoom 7

Chapter 3: eRoom and NT Server Default Permissions
    eRoom 7 rights and NTFS rights
    Default required permissions
    Checking eRoom permissions
    For more information

Chapter 4: Uninstalling eRoom 7

Appendix A: Upgrading from eRoom 6
    eRoom 6 background
    eRoom 7 differences
    eRoom 7 and external directory connections
    Upgrade planning and preparation
    Hardware configurations
    Member, group, and facility migration
    Members
    Facilities and groups
    Server provisioning (Advanced Installation only)
    Additional procedures and information
    Upgrade troubleshooting
    Upgrade components
    Logs to gather
    Backup of registry keys
    Upgrade testing
    Contacting technical support

Appendix B: Configuring eRoom Inboxes
    Creating an SMTP mail account on a mail server for eRoom usage
    Administrative eRoom inbox settings
    How do end users direct email to particular inboxes?
    Conversion of mail messages to eRoom inbox pages

Appendix C: Configuring a Reverse Proxy Server with eRoom 7
    Configure the reverse proxy server
    Configure the eRoom web server

Appendix D: eRoom Security Guidelines
    eRoom server operating system hardening
    eRoom security
    Using eRoom within an internal network
    Using eRoom in the extended enterprise
    Scenario 1: eRoom on the extranet
    Scenario 2: Using eRoom within a DMZ
    Scenario 3: Using eRoom with a proxy server
    Scenario 4: Using eRoom with a two-tiered authentication system
    Scenario 5: Using eRoom with a Single Sign-on (SSO) system
    Scenario 6: Using eRoom in a Virtual Private Network (VPN)

Appendix E: Clustering Environment Setup
    Before you begin
    Clustering overview
    Requirements
    Hardware requirements
    Hardware configuration requirements
    Operating system, network, and disk installation
    Requirements
    Installing Microsoft’s Cluster Service
    Cluster Service setup
    eRoom software installation
    Pre-eRoom software installation checklist
    Overview of the eRoom installation in a clustered environment
    Applying eRoom maintenance releases to the cluster environment
    Adding a failed web or database cluster node back to the cluster
    Additional resources

Appendix F: Troubleshooting Web Publisher

Appendix G: Integrating eRoom 7 with RSA SecurID
    Authentication Agent host configuration
    Authentication Agent configuration
    Before you begin
    RSA SecurID Agent configuration (on eRoom server)
    eRoom 7 server configuration

Chapter 1: Pre-installation and Upgrade Requirements

eRoom server versions

Requirements for eRoom 7 vary depending on the type of eRoom 7 installation and the type of database you use. eRoom 7 is available in two different installations.

Standard installation

The Standard installation is limited in the number of servers that can be used. Typically, the eRoom 7 server (web server), and file server reside on the same machine, although the file server directory can be placed on a separate machine from the eRoom 7 server. (If you have the Microsoft SQL Server version of the Standard installation, the database server can also reside on a different machine.)

The Standard installation is available in two different database versions:
■ One provides an embedded SQL Anywhere database.
■ One lets you use Microsoft’s SQL Server, which includes support for Microsoft SQL Server 2000. “eRoom 7 for Microsoft SQL Server” refers to this version.

The Microsoft SQL Server version can be installed in an environment that uses Microsoft Windows Cluster Services. (Configuring eRoom 7 to take advantage of this service requires some extra Windows environment procedures.)

Advanced installation

The Advanced installation is a multi-server version, in which the web server, indexing server, database server, and file server can reside on different machines, and there can be multiple web, file, and database servers.

The Advanced installation can only be used with Microsoft SQL Server. It can be installed in an environment that uses Microsoft Windows Cluster Services. (Configuring eRoom 7 to take advantage of this service requires some extra Windows environment procedures.)

System requirements

■ The following requirements are minimums for production environments. In some cases, requirements are lower for evaluation or other nonproduction purposes.
■ The following requirements apply specifically to eRoom. When using eRoom Enterprise, the browser must be compatible with both eRoom and the Documentum Client being used.
■ For information on the requirements for eRoom Enterprise and on configuring eRoom 7 to work with Content Server, refer to Additional requirements for eRoom Enterprise on page 1-5 in this guide.
■ For information on configuring the IRM server for using the eRoom integration with rights management, see Additional requirements for eRoom integration with Information Rights Management (IRM) on page 1-9.
■ For the latest system requirements for the localized eRoom products, see the eRoom 7 Localized Product Installation and Release Notes for this version.

Hardware

Client:
■ 1 GHz 32-bit (x86) or 64-bit (x64) processor
■ 1 GB RAM
■ 40 GB hard drive with at least 15 GB free disk space
Note: The optional eRoom plug-in client requires 10MB free disk space.

Server(s):
■ 900 MHz single processor
■ 1 GB RAM
■ 512 MB free disk space (for eRoom server). File server disk space requirement depends on usage. Index server requirement is approximately 50% of total file usage.
Note: In the Standard installation, the database and index server are on the same machine as the eRoom server, thus requiring more disk space.

Software

Client:
The following can be used for browser-only access, or with the optional eRoom plug-in:
■ Microsoft Windows Vista (1)
■ Microsoft Windows XP 1 and Service Pack 2
■ Microsoft Windows 2003, Service Pack 1 recommended
The following can be used with the thin client only:
■ Apple Macintosh OS 8.5, 8.6, or 9.x
■ Apple Macintosh OS X 10.x
■ Sun Solaris 2.7 or higher
■ HP-UX 10.20 or higher
■ Linux RedHat 7.x or higher

Server(s):
■ Microsoft Windows 2000 Server, Service Pack 2 or higher recommended
■ Microsoft Windows 2000 Advanced Server, Service Pack 2 or higher recommended
■ Microsoft Windows Server 2003, Standard Edition, Service Pack 2 recommended
■ Microsoft Windows Server 2003, Enterprise Edition, Service Pack 2 recommended
■ Microsoft Windows Server 2003 R2, Standard Edition, Service Pack 2 recommended
■ Microsoft Windows Server 2003 R2, Enterprise Edition, Service Pack 2 recommended
■ Microsoft Cluster Services on Microsoft Windows 2000 Server or Microsoft Windows Server 2003
The following can be used for evaluation purposes only:
■ Microsoft Windows XP Professional

(1) Refer to eRoom Release Notes for supported Windows Vista configurations.

Supported browsers:
■ Microsoft Internet Explorer 6.0* and 7.0*
■ Microsoft Internet Explorer for Mac 5.1.6, 5.2.x†
■ Mozilla Firefox 1.x and 2.x
■ Apple Safari 1.3, 2.x†

Supported database platforms:
■ Microsoft SQL Server 2000, Standard or Enterprise Edition, Service Pack 2 - Supported on Windows 2000 operating system only
■ Microsoft SQL Server 2000, Standard or Enterprise Edition, Service Pack 3 - Supported on Windows 2000 and Windows 2003 operating systems
■ Microsoft SQL Server 2000, Standard or Enterprise Edition, Service Pack 3a - Supported on Windows 2000 and Windows 2003 operating systems
■ Microsoft SQL Server 2000, Standard or Enterprise Edition, Service Pack 4 - Supported on Windows 2000 and Windows 2003 operating systems
■ Microsoft SQL Server 2005, Standard or Enterprise Edition, Service Pack 2 - Supported on Windows 2003 operating system
■ SQL Anywhere (embedded) - eRoom Standard installation only

*Supported for use with eRoom Real Time Services.
†Limited to browser-only access.

Port requirements

If you are using eRoom 7 with a separate file server that resides behind a firewall, or if you are using eRoom 7 for Microsoft SQL Server and the Microsoft SQL Server server resides behind a firewall, there are a few unique firewall port requirements you should be aware of:
■ 389 (for LDAP)
■ 3268 (for Active Directory Global Catalog)
■ 2060 (for FullText)
■ For eRoom 7 for Microsoft SQL Server, the use of Microsoft Distributed Transaction Coordinator (MSDTC) is required. MSDTC ensures transactional integrity when eRoom 7 writes to both the site database and to an eRoom database. MSDTC requires the following open ports:
    ❒ 135 RPC EPM (End Point Mapper)
    ❒ 1433 TDS SQL (for TCP/IP traffic)
    ❒ 1434 SQL 2000 (for Integrated Security)
    ❒ 5100-5200 MSDTC (Dynamically assigned)
■ If your site uses a separate file server that resides behind the firewall, then the following open ports are required:
    ❒ 137 NETBIOS Name Service (for browsing requests of NetBIOS over TCP/IP)
    ❒ 138 NETBIOS Datagram Service (for browsing datagram responses of NetBIOS over TCP/IP)
    ❒ 139 NETBIOS Session Service (for file sharing and print sharing)
    ❒ 445 Common Internet File System (CIFS)

Additional requirements for using eRoom 7 with Windows Cluster Services

If you plan to use eRoom 7 with Microsoft Windows Cluster Services, the following requirements also apply:
■ Windows 2000 Advanced Server or Windows 2003 Enterprise Server
■ Active/passive cluster pairs only (not active/active)
■ Microsoft SQL Server (not Sybase) installed on a separate machine
■ Hardware configurations in which Clustering Services are supported for Windows (see http://www.microsoft.com/hcl/)

For information on setting up a clustering environment in preparation for installing eRoom 7, see Appendix E: Clustering Environment Setup.

Additional requirements for eRoom Enterprise

If you plan to use eRoom Enterprise (an integrated environment consisting of eRoom 7 and Documentum’s Content Server ECM system), you must use version 7.3 of eRoom or higher. The following requirements also apply.

NOTE: For additional information on these requirements and on configuring eRoom 7 to work with the Content Server, refer to Additional Procedures for eRoom Enterprise on page 2-5 in this guide.

Microsoft SQL Server

If you use eRoom for Microsoft SQL Server, and you already have a Microsoft SQL Server server set up for use by Documentum, you must create a new instance of the Microsoft SQL Server server for use by eRoom. This is necessary because Documentum requires a case-sensitive sort order, while eRoom requires a case-insensitive sort order.

Documentum Foundation Classes (DFC)

DFC version 5.2.5 or higher must be installed on each machine where the eRoom 7 server software is installed. A DFC installer is available for download with eRoom 7. You must increase the DFC resources used for connecting the eRoom 7 server and the Documentum server by editing the dmcl.ini file within DFC.

See also: Installing DFC on the eRoom 7 server on page 2-5 in this guide.

Web Publisher

In order to use eRoom 7 with Documentum Web Publisher, you must install a copy of Web Publisher version 5.2.5 or higher on the eRoom server. eRoom 7 only needs to access Web Publisher files; Web Publisher does not need to run on the eRoom server.

See also: Installing Web Publisher on the eRoom server on page 2-8 in this guide.

Documentum templates

If you want to make Documentum templates available for users who publish eRoom 7 files to Documentum, you will need to create dedicated template folders within the Documentum repositories eRoom 7 will use.

See also: Creating a dedicated eRoom 7 template folder on page 2-6 in this guide.

Documentum Content Server account

You must create a dedicated Documentum account with superuser privileges for each repository that eRoom 7 will use.
This is the account you specify on the Site Settings page as the Content Server account (also for communities that have their own Content Server connections).

When you upgrade a site to eRoom version 7.4, you can use the same dedicated Content Server account used in an earlier release. However, if you are upgrading multiple sites that link to the same repositories on the Content Server, and you are not upgrading all of the sites at the same time, eRoom recommends creating a new Content Server account and using that account for all of the upgraded sites. This ensures that both the upgraded and pre-upgraded sites will receive proper event notifications for changes to linked files in those repositories. Before you upgrade a site, in this case, specify the new Content Server account on the settings page for that site (and, if appropriate, for communities with connections to that Content Server).

See also: Creating dedicated content server accounts on page 2-6 in this guide.

Documentum Connector

The Documentum Connector must be enabled site-wide in the Content Server Connection section of the General page in eRoom Site Settings; for any community that will use eRoom Enterprise, enable the Content Server connection in the Content Server section of the General page in Community Settings as well.

Documentum Webtop

Documentum’s Webtop (version 5.2.5 or higher) requires the Internet Explorer browser, version 5.5 or later.

Documentum Media Services

If you need Thumbnail or Rendition support, Documentum Media Services version 5.2.5 or higher must be installed and configured to work with Content Server.

eRoom WDK Component

If you want to display in eRoom the properties of files that are linked to Documentum’s Content Server, or if you want to perform a Content Server search, and you currently have WDK 5.2.5 installed, you must install the eRoom WDK Component. You can obtain the installer from the Powerlink site (http://powerlink.emc.com). However, if you have WDK 5.3 installed, the WDK Component is already included.

eRoom upgrade utility for Documentum repositories

Once you upgrade all servers in your site to eRoom version 7.4, you complete the upgrade process by running a utility that updates all Documentum repositories that contain content linked to the site. The ERDocbaseUtil.exe utility is a command-line application included in the eRoom 7.4 installation kit. It removes all obsolete information from a repository following the eRoom upgrade to version 7.4.

You can run this utility at your convenience, however, since linked content in any non-updated repositories will continue to work with 7.4. By preserving the old linked content information in the linked repositories you can, for example, run a mock upgrade at a site as many times as you like before approving the upgrade of a production site.

Run ERDocbaseUtil for each repository (docbase) that provides linked content to an eRoom site. It must be run on an eRoom server on which Documentum DFC has been installed.

Note that to remove obsolete event registrations in a repository, you must run ERDocbaseUtil with the same credentials of the Content Server account that was used to create the event registrations in the first place.
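
A staged run of ERDocbaseUtil, given as an added PowerShell example that is not part of the EMC guide: it reports first, then previews the removal with -safe, and only then removes, using only the options in the utility's usage text. The utility location, docbase, docbroker, account and output file names are placeholders (assumptions).

```powershell
# Added example, not from the EMC guide.
# Run on an eRoom server on which Documentum DFC is installed.
# Placeholder values (assumptions): adjust them to your site.
$Util      = '.\ERDocbaseUtil.exe'      # assumed location of the utility from the 7.4 kit
$Docbase   = 'ExampleDocbase'
$Docbroker = 'docbroker.example.com'    # 'hostname' form: default docbroker port 1489 is understood
$User      = 'eroom_cs_account'         # the Content Server account that created the event registrations
$OutDir    = Join-Path $PWD 'erdocbaseutil-out'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt for the password so it is not saved in a script file or in shell history.
# ERDocbaseUtil still receives it as a clear-text -w argument, so it remains visible
# in the utility's process command line for as long as the utility runs.
$secure = Read-Host -AsSecureString -Prompt "Password for $User"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $common = @('-db', $Docbase, '-br', $Docbroker, '-u', $User, '-w', $plain)

    # 1. Read-only reports: what is obsolete, and what is current.
    & $Util @common -of (Join-Path $OutDir 'report-obsolete.txt') -cmd report -type obsolete
    & $Util @common -of (Join-Path $OutDir 'report-current.txt')  -cmd report -type current

    # 2. Dry run: -safe shows what would be updated without updating the docbase.
    $dryRun = Join-Path $OutDir 'remove-dry-run.txt'
    & $Util @common -of $dryRun -cmd remove -safe
    Get-Content $dryRun

    # 3. Remove only after the operator has reviewed the dry run and confirmed the target.
    $answer = Read-Host "Type the docbase name to remove the items listed above from '$Docbase'"
    if ($answer -ceq $Docbase) {
        & $Util @common -of (Join-Path $OutDir 'remove-applied.txt') -cmd remove
    }
    else {
        Write-Host 'Confirmation did not match; no changes were made.'
    }
}
finally {
    # Clear the unmanaged copy of the password and drop the managed variables.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain, common -ErrorAction SilentlyContinue
}
```

Keep the report and dry-run files with the upgrade records, and restrict access to the output directory, since the files describe the repository's event registrations.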

When you enter ERDocbaseUtil with no arguments at the command prompt, the following usage information is displayed:

    > ERDocbaseUtil
    Usage: ERDocbaseUtil -db docbase [-br docbroker] -u docbaseuser -w password
           [-of outputfile] [-cmd report [-type obsolete|current]] [-cmd remove [-safe]]
    where
      docbase      is the name of a docbase that contains linked content
      docbroker    specifies the docbroker that eRoom uses to connect to the docbase.
                   Its format is either 'hostname' or 'hostname:port' where, in the
                   former case, the default docbroker port 1489 is understood. If this
                   parameter is not given, this application relies upon the ambient
                   dmcl.ini file to determine the docbroker to use.
      docbaseuser  is a docbase account with superuser privilege
      password     is the clear text password for the given docbaseuser
      outputfile   is the name of the output file (default is stdout)
      -cmd report  (default if -cmd is absent) means generate a report of all
                   obsolete (if -type is absent) or current synch relations, event
                   registrations, and event notifications.
      -cmd remove  means remove all obsolete synch relations and all event
                   registrations and event notifications created by this docbaseuser.
                   With the -safe option, do not update docbase, just show what would
                   have been updated.

Additional requirements for eRoom integration with Information Rights Management (IRM)

This section describes steps you must take in order to enable and use the eRoom integration with IRM.
■ Configure the eRoom Adapter server extension on the IRM server.
■ Create an authentication domain for eRoom on the IRM server.
■ Install the IRM server root certificate in the Trusted Root Certification Authorities store on your eRoom server.
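
For the last step in the list above, an added PowerShell example (not part of the EMC guide) that checks the saved PEM file against a fingerprint obtained separately from the IRM Server administrator before adding it to the local machine's Trusted Root Certification Authorities store, since every certificate in that store is a trust anchor for the whole machine. The file path and the expected fingerprint are placeholders (assumptions).

```powershell
# Added example, not from the EMC guide. Run in an elevated session on the eRoom server.
param(
    # PEM file saved from IRM Server Configure (placeholder path)
    [string] $PemPath = 'C:\Temp\irm-server-root.pem',
    # SHA-256 fingerprint obtained out of band from the IRM Server administrator (placeholder)
    [string] $ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>'
)

$ErrorActionPreference = 'Stop'

# Load the certificate from the file; this does not touch any certificate store.
$path = (Resolve-Path $PemPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Compute the SHA-256 fingerprint over the DER encoding of the certificate.
$sha = [System.Security.Cryptography.SHA256]::Create()
try {
    $actual = -join ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
}
finally {
    $sha.Dispose()
}

# Normalise the expected value (drop colons and spaces) and reject anything that is not 64 hex digits.
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64) {
    throw 'ExpectedSha256 is not a 64-digit hexadecimal SHA-256 fingerprint.'
}

# Show what is about to be trusted, for the change record.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"SHA-256 : $actual"

if ($actual -ne $expected) {
    throw 'Fingerprint mismatch; the certificate was not imported.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period; it was not imported.'
}

# Add the certificate to LocalMachine\Root unless it is already there.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    $existing = $store.Certificates.Find($findType, $cert.Thumbprint, $false)
    if ($existing.Count -gt 0) {
        'Already present in LocalMachine\Root; nothing to do.'
    }
    else {
        $store.Add($cert)
        'Imported into LocalMachine\Root.'
    }
}
finally {
    $store.Close()
}
```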

For instructions on configuring the eRoom server with IRM server information, see the Site administration topic, Site Settings: Rights Management section, in eRoom online Help.

Supported IRM server version and minimum IRM Client version

The supported IRM server version is 3.4.0.1493. The IRM Client versions required for single sign-on are:
■ IRM Client for Microsoft Office 4.1.0.1504 or later
■ IRM Client for Adobe Acrobat 4.2.0.1518 or later

About the eRoom Adapter

The eRoom Adapter is used to authenticate and authorize access to a protected eRoom document. It allows the IRM server to communicate with the eRoom server to authenticate the eRoom user and to obtain eRoom access control/IRM settings.

To enable this configuration, the eRoom Server installation program for all eRoom editions installs the file eRoomAdapter.zip into the folder \\Program Files\eRoom\eRoom Server\IRM Server Files. This .zip file contains the eRoom Adapter server extension needed to authenticate eRoom users and authorize access requests for content stored in eRoom 7.4 or later.

Configuring the eRoom Adapter

In order to use eRoom 7.4 or later to control access to IRM-protected content, configure the IRM Server to use the eRoom Adapter extension as follows:
1. Log in to the IRM Server system and close any instances of Server Configure.
2. Copy the contents of eRoomAdapter.zip to a new folder on your IRM Server system, for example C:\Program Files\EMC IRM\EMC IRM Server\eRoom Adapter.
3. Launch the Command Prompt and navigate to the new folder.
4. Register the server extension by issuing the following command:
       regsvr32 eRoomServerExtension.dll
5. Launch the IRM Server Configure application and choose Open Server from the Configure menu.
6. Select the server instance you want to open, enter its password, and then click OK.
7. Open the Extensions tab.
8. From the list of extensions, select the eRoom Adapter extension and click Configure. The IRM Server eRoom Adapter Configuration dialog box opens.
9. Enter the eRoom Authentication Server URL. The value should be similar to: http://myserver.com
10. Enter a value for Authorization cache duration. This is the number of seconds that authorization information for an eRoom user is cached. Setting this value to 0 prevents caching; however, the extension queries the eRoom server for every authorization request the IRM client makes, which can decrease performance. A typical setting is 600 seconds.
11. Click OK.

Creating an Authentication Domain for eRoom

After configuring the IRM Server to use the server extension, create an authentication domain for eRoom by performing the following steps:
1. Launch the IRM Server Administrator application and log in as an administrator.
2. Choose Authentication Domains from the Users menu to open the Authentication Domains dialog box.
3. In the tree, select the Password entry, and then click Add. The Add Password Domain dialog box opens.
4. In the Domain Name field, enter a value such as eRoom.
5. For Authentication Type, pick Extension Domain.
6. From the Server Extension drop-down list, select eRoom Adapter and click OK. This returns you to the Authentication Domains dialog box.
7. To save your new domain, click Save.
8. Create an IRM Server group that includes the newly defined domain.
9. Set all the permissions that an eRoom user might need.
   For example, enable “View”, “Print”, “Select Text and Graphics” and “Edit”, and set a maximum lease duration.

Note that when you authenticate, you must either specify the fully qualified user name (such as \\eRoom\username), or mark the newly created domain as the default password domain. To do this, select the domain in the list of domains, click Default, and then click Save.

About logging

The eRoom Adapter server extension uses the Log4CPP library for logging debug and error information. You can configure the logging by editing the log4cpp.properties file, which is in the same directory as the eRoomServerExtension.dll file. The default log4cpp.properties file logs errors only to the irm-eroom.log file in the server directory (which is the same directory that contains the file authentica.cfg).

The default file contains a directive indicating that only errors are to be logged. The directive looks like this:

    log4j.rootCategory=ERROR, A1

If you want to log debug information, change the directive to look like this:

    log4j.rootCategory=DEBUG, A1

For more information about Log4CPP capabilities, see http://log4cpp.sourceforge.net.

Getting the IRM Server root certificate and installing it in the Trusted Root Certification Authorities store

Save the IRM Server certificate using the following steps:
1. Go to IRM Server Configure.
2. Under Server Certificate, click View PEM.
3. Click Save As and save the certificate in PEM format.

Install the saved IRM Server certificate in the Trusted Root Certification Authorities store on the eRoom server by using the following procedure:
1. Open the Run dialog box (Start > Run), enter mmc, and click OK.
2. In the Console window, pick Add/Remove Snap-in from the File menu.
3. In the Add/Remove Snap-in dialog box, click Add.
4. In the Add Standalone Snap-in dialog box, select Certificates in the Available Standalone Snap-ins list, and then click Add.
5. On the Certificates snap-in page, pick the Computer account option and then click Next.
6. On the Select Computer page, pick the Local computer option and then click Finish.
7. In the Add Standalone Snap-in dialog box, click Close.
8. In the Add/Remove Snap-in dialog box, click OK.
9. In the MMC console window, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities node.
10. Right-click the Certificates node, and pick All Tasks > Import.
11. On the Welcome to the Certificate Import Wizard page, click Next.
12. On the File to Import page, click Browse and locate the certificate file you saved in PEM format (using the preceding procedure), and then click Next.
13. On the Certificate Store page, accept the default setting, “Place all certificates in the following store”, and then click Next.
14. On the Completing the Certificate Import page, click Finish.
15. Click OK in the Certificate Import Wizard dialog box informing you that the import was successful.

Additional requirements for eRoom 7 for Microsoft SQL Server

If you are going to use the eRoom 7 for Microsoft SQL Server database version, the following requirements also apply.

Microsoft SQL Server account

Although eRoom can log into an existing account, we recommend creating a new Microsoft SQL Server account specifically for eRoom to use. The account must use Microsoft SQL Server authentication, not Windows NT authentication, and must at least have dbcreator rights to install.

NT network and domain

For performance reasons, we recommend installing Microsoft SQL Server and eRoom 7 for Microsoft SQL Server on different machines on the same NT network and same domain.
Microsoft SQL Server client software

If you decide to install Microsoft SQL Server on a separate server, you must install some additional items on the eRoom 7 server machine. In particular, you must install the Client Connectivity option found on the Microsoft SQL Server installation CD. For Microsoft SQL Server 2000, you must also install the Management Tools option. Reboot the web server after installing the Client software.

Default port

Microsoft SQL Server defaults to port 1433 but this port can be changed, if appropriate.

MSDTC

If your Microsoft SQL Server server resides behind the firewall, you must use Microsoft Distributed Transaction Coordinator (MSDTC) to ensure transactional integrity. (See the Port requirements on page 1-4 for additional details.)

TCP/IP

For optimal eRoom performance, set the Microsoft SQL Server to communicate with client applications using TCP/IP. To confirm this setting, choose from the Start menu Programs > Microsoft SQL Server 2000 > Client Network Utility, and then set the Default Network Library to “TCP/IP”. To do this, make sure only the TCP/IP protocol is enabled in the General tab of the Microsoft SQL Server Client Network Utility.

Service packs

You should stop the Microsoft SQL Server services and apply any required service packs. You can download the service packs from http://www.microsoft.com/downloads.

Microsoft SQL Server version

From the registry, you can find out which version of Microsoft SQL Server you are running. Check the product version of sqlservr.exe.

Microsoft SQL Server default settings

Microsoft SQL Server must be installed with the following Microsoft defaults:

■ Character Set: 437 U.S. English
■ Sort Order: 1252 ISO character set, 52 nocase_iso Dictionary order, case-insensitive. (Other sort orders like binary are not supported. To verify Microsoft SQL Server sort order, from the Microsoft SQL Server Query Analyzer run the SQL Statement sp_helpsort.)
■ Unicode Collation: 1033 General Unicode
■ Unicode Style: Case-Insensitive

Additional installs

On the same web server where the eRoom Server software will be installed, install (from the Microsoft SQL Server installation CD) the Microsoft SQL Server Client Network Utility and, for Microsoft SQL Server 2000, management tools.

Converting from Sybase to Microsoft SQL Server

If you are upgrading to eRoom version 7.4 from any version of 7.x, and you want to convert from using Sybase to using Microsoft SQL Server, then you must upgrade to the Sybase version of eRoom version 7.4 first, and then install the Microsoft SQL Server version of eRoom 7.4. This avoids problems with Help and ASP files that would otherwise occur as the result of changing databases from 7.x to 7.4.

Information you need to collect

The eRoom 7 installation asks for three things related to your Microsoft SQL Server:

■ Server Name – Choose or type the name of the machine on which Microsoft SQL Server is running.
■ User Name – Enter the login ID for the Microsoft SQL Server account you want eRoom to use.
■ Password – Enter the password for the above login ID.

Ensuring sufficient disk space

It is important to ensure that your eRoom installation (including the file server, index server, and server data) has room to grow. The files and directories that will grow in size depend on whether you have the Standard installation of eRoom 7 or the Advanced installation.
NOTE: When you upgrade from eRoom 6 to eRoom 7, files will be moved from their eRoom 6 locations to the new eRoom 7 locations that you specify during the install process.

Disk partition recommendations, by version

Standard Installation, SQL Anywhere
Use separate partitions for the following and make sure they have sufficient room to grow:
■ the File Server directory you specify
■ the eRoom Data directory (on SQL Anywhere, this includes the site and facility databases, the full-text search databases, and the optional log files)

Standard Installation, Microsoft SQL Server
Use separate partitions for the following and make sure they have sufficient room to grow:
■ the File Server directory you specify
■ the site and facility databases
■ the eRoom Data directory (on Microsoft SQL Server, this includes the full-text search databases and the optional log files)

Advanced Installation, Microsoft SQL Server
Use separate partitions for the following and make sure they have sufficient room to grow:
■ the File Server directory you specify
■ the eRoom Data directory (in this version, this includes only the optional log files, which are not very large, and -- if you are using eRoom Enterprise -- a Documentum Foundation Classes working directory.)

Preparing to install

Setting up an install account

All installations

For both Standard and Advanced installations of eRoom 7, the Windows account used to install the eRoom software must have administrative rights for the server and must also have “Act as part of the operating system” rights. If this right is not set, the eRoom install will set it and prompt you to log out then log in again.
Advanced installations only

Because an eRoom 7 Advanced installation spans multiple servers connected to a single site, we recommend that you set up a dedicated Windows account for installing and administering eRoom 7. This account should be a domain-level account that is added to the local administrator’s group on the server(s). By making this a domain-level account, you ensure that the login is common across multiple servers and the user credentials will be identical. In the case of servers located within a DMZ (not on a domain), create a local account and use a standard naming convention for install accounts across all servers.

Setting up a File Server account

Standard installations only

If you intend to store files uploaded to eRoom 7 in a directory on the eRoom 7 server itself, then you do not need to set up a File Server account for the Standard Installation. However, if you intend to store your file server share on a different machine than eRoom 7, you must set up an account (either domain or local) for access to the file server. The account does not need any special Windows rights (administrative rights, for example).

Advanced installations only

For all Advanced installations, you must create a Windows account for eRoom 7 to use to access the file server share (the location where eRoom 7 files are uploaded and stored). The account should be a domain account, unless you are installing eRoom 7 within a DMZ. The account does not need any special Windows rights (administrative rights, for example).

Setting up a file server directory

All installations

All eRoom 7 installations require a file server directory to contain uploaded files. Because the Site Creation wizard prompts you for this directory after you install eRoom 7, you should create this directory before launching the install.
In addition, you must also share the file server directory via Windows file sharing (unless you are both placing the file server directory on the same machine as eRoom 7 and performing a Standard installation). The only account that needs share access to the file server directory is the File Server account discussed in the previous section.

NOTE: If you create the file server directory on a shared drive on a cluster configuration, then you must also create a clustered file share resource for this shared drive in the Cluster Group. This resource needs the permissions set up for the File Server account to access the data files. Otherwise, the shared drive will not be available after a failover.

Installing the index server (Advanced installations only)

If you intend to perform an Advanced installation, you should prepare for this installation by downloading and running the index server setup program on the machine you want to use as an index server. (This setup file is listed as the eRoom 7 Search Engine Installation and is located with the eRoom 7 files on the Documentum download site.)

When you create an eRoom 7 site, you are asked for the name of the index server. You can then enter the name of the machine on which you installed the index server.

If you install the index server after creating the eRoom 7 site, or if you do not enter the name of the index server when you create the eRoom 7 site, then you will need to add the index server (once installed) to the eRoom site by means of the eRoom MMC snap-in.

Shutting down applications

To install the eRoom server, close all applications temporarily. Disable virus scanners during the installation. Restart applications after installation and reenable virus scanners.
Selecting a web site

When you install eRoom server, you are prompted for a web site on which to install eRoom. You can use the default web site, or you can use an additional web site that you created within IIS. Refer to IIS online documentation for information about how to set up IIS with multiple web sites. eRoom recommends testing an additional web site configuration before installing the eRoom software.

Chapter 2: Installing eRoom 7

This chapter explains how to install eRoom 7. Once the eRoom 7 files are installed, and your server has re-booted, the install program leads you through the steps to set up or join an eRoom site.

An eRoom 7 site consists of one or more servers that support a population of eRooms and users. All servers in a site share a common membership. Consequently, members can log into the site and then not have to log in again during the same session—even if they go to different eRooms and servers. A site can be as small as a single server, but (with the Advanced installation) can have many servers. A site can be subdivided into multiple communities.

Installing eRoom 7 onto a server with no previous eRoom installation involves these procedures:

■ Running the Setup program to install the software
■ Running the Site Setup program to set up or join an eRoom 7 site
■ Specifying Site Settings

Installing eRoom 7 for SQL Anywhere

Log in to your web server under the administrator account you established in the section Setting up an install account on page 1-18 in this guide. Download and run the eRoom 7 installer. Only the Standard installation of eRoom 7 is available for SQL Anywhere. Follow the instructions in the Setup program until the installation completes.
Installing eRoom 7 for Microsoft SQL Server

eRoom recommends installing Microsoft SQL Server and eRoom 7 for Microsoft SQL Server on different machines on the same NT network and same domain, or on any fully-trusted domain.

1. Install Microsoft SQL Server before you install eRoom 7 for Microsoft SQL Server. (Note that binary sort order is not supported.)

   For cluster services only (for more details, see Appendix E: Clustering Environment Setup):

   ❒ Install Microsoft SQL Server Client (including the management objects) on both cluster nodes.
   ❒ Change the IIS anonymous user on both nodes to a common domain user (such as EROOM\CLUSTER_USR), as follows:
      On your desktop, right-click the My Computer icon and pick Manage.
      In the Computer Management MMC snap-in, go to Services and Applications, Internet Information Services, Web Sites.
      Right-click Default Web Site and pick Properties.
      On the Directory Security tab, in the “Anonymous access and authentication control” section, click Edit.
      In the Authentication Methods dialog box, specify the User name (with domain) for the anonymous access account (for example, <domain_name>\CLUSTER_USR).
   ❒ Change the recovery settings for IIS Admin and W3SVC services, as follows:
      In the Computer Management MMC snap-in, go to Services and Applications, Services.
      Right-click IIS Admin and pick Properties.
      On the Recovery tab, set “First failure” to Take No Action.
      Perform the same steps for World Wide Web Services (W3SVC).

2. On the same server where the eRoom Server software will be installed, install (from the Microsoft SQL Server installation CD) the Microsoft SQL Server Client Network Utility and, for Microsoft SQL Server 2000, management tools.
   ❒ Although eRoom can log into an existing account if you prefer, we recommend creating a new Microsoft SQL Server account specifically for eRoom to use.
   ❒ The account must use Microsoft SQL Server authentication, not Windows NT authentication, and must have dbcreator rights.
   ❒ Apply any Microsoft SQL Server Service Packs (stop the Microsoft SQL Server services first). Reapply any NT service pack after applying the Microsoft SQL Server Service Packs. You can download Service Packs from: http://www.microsoft.com/downloads
   ❒ Before installing eRoom 7 for Microsoft SQL Server, test your connection to the Microsoft SQL Server using the Microsoft SQL Server Client Network Utility.

3. Log in to your web server under the administrator account you established in the section Setting up an install account on page 1-18 in this guide.

   For cluster services only: To install, move the cluster group to this node (if this is not already the active node).

4. Download and run the preferred eRoom 7 for Microsoft SQL Server installer. Both the Standard installation and Advanced installation of eRoom 7 are available for Microsoft SQL Server.

   For cluster services only (for more details, see Appendix E: Clustering Environment Setup):

   Install eRoom on the first node, placing all eRoom program files, eRoom web site files, and data on the shared drive. The following locations are recommendations:
   ❒ eRoom Web directory: <Shared Drive>:\inetpub\eRoom
   ❒ eRoom Server Administration directory: <Shared Drive>:\eRoom\eRoom server
   ❒ eRoom Server Data directory: <Shared Drive>:\eRoom Data

   Install eRoom on the second node:
   ❒ Move the cluster group from the first node to the second node.
   ❒ Install eRoom. You will not be prompted for the location of eRoom files, since that information was entered during the first install.
   ❒ The eRoom install creates a facility with an initial set of eRooms.

5. Follow the instructions in the Setup program until the installation completes.

If you are planning to use eRoom Enterprise, you must also complete the procedures in the following section. Otherwise, go to the section Getting Started using eRoom 7 on page 2-9 in this guide.

Additional Procedures for eRoom Enterprise

If you are planning to use eRoom Enterprise, which combines eRoom 7 with Documentum’s Content Server, you must also complete the procedures in this section.

Installing DFC on the eRoom 7 server

Documentum Foundation Classes (DFC) must be installed on the same server(s) as eRoom 7. A DFC installer is available for download with eRoom 7.

1. Log in to your web server as administrator.
2. Download and launch the DFC installer.
3. Follow the instructions in the Setup program until the installation completes.
4. After the Setup program is finished, you must re-boot.
5. Edit the dmcl.ini file for DFC to increase the resources used for connecting the eRoom 7 server and the Documentum server. The dmcl.ini file resides in the \WINNT directory of the machine on which you are installing DFC. Edit it by adding the following lines:

   [DMAPI_CONFIGURATION]
   cache_queries = T
   client_codepage=UTF-8
   client_cache_size=1000
   connect_pooling_enabled=T
   max_session_count=100
   max_collection_count=100

   (You can also find a copy of these lines in the ...eRoomServer\dmcl_settings.txt file of your installed copy of eRoom 7.) These settings are the recommended minimums.
6. If you are installing the DFC after installing eRoom 7, you must run the eRoom Checker to configure the correct permissions on Documentum-related files and folders. Locate the ERChecker executable in the ...\Program Files\eRoom\eRoom Server directory and specify a check for General Site Consistency and All File Permissions.

Creating a dedicated eRoom 7 template folder

If you want eRoom 7 users to be able to choose Documentum template files when publishing a file to Documentum, you must create a folder for the template files within each repository that eRoom 7 will use. The folder(s) must meet the following criteria:

■ They must be named eRoom Templates and placed within the /System cabinet of the repository.
■ They must have world write access.

Creating dedicated content server accounts

You must create a dedicated Content Server account with superuser privileges for use by eRoom 7. The account must be created for each repository that eRoom 7 will access, and the account login name and password must be the same for each repository. (eRoom accepts only one login and password for Documentum access.) Be sure to make a note of the login name and password for the account(s) you create, so that you can enter them on the eRoom 7 Server Settings page.

The two most convenient ways to add a single user to a repository are to use either the Documentum Administrator utility or the Webtop utility (if available at your site). For information on adding a user account with Documentum Administrator, refer to the Documentum Content Server Administrator’s Guide. For information on adding a user account with Webtop, refer to the Documentum manual Webtop User Guide.
Enabling use of Content Server by eRoom 7

Once both eRoom 7 and DFC are installed on the server, and you have created a dedicated Documentum administration account, you must enable use of eRoom 7 with Content Server in eRoom Site Settings.

1. Open Site Settings in one of two ways:
   ❒ Remotely – Enter in your browser the URL servername.com/eRoom, and then go to Site Settings.
   ❒ Locally – Use the eRoom Microsoft Management Console (MMC) snap-in by choosing Start > Programs > eRoom Administration > eRoom Server Administration.
2. On the General page of Site Settings, scroll down to the Content Server Connection section.
3. Make sure the “Allow Content Server connections” check box is selected.
4. Enter the Login name and Password for the dedicated Content Server account you created for your repositories.
5. Specify any other options you prefer for the remaining Documentum settings. (For example, if you are going to use Documentum’s Webtop interface, enter the Webtop URL.)
6. Scroll to the top of the Site Settings page and click Apply.
7. Scroll back down to the Content Server Connection section. A Test button is now available.
8. Click Test to verify that the Login name and Password you provided afford access to Documentum.

NOTE: You must also specify a Content Server administration account for any community that has its own Content Server connection. For details about site and community Documentum Content Server settings, see the eRoom Administration section of eRoom 7 online Help.
Installing Web Publisher on the eRoom server

Web Publisher is an easy-to-use, browser-based interface that enables nontechnical users to easily create, manage, and publish content for multiple, multilingual Web sites. If you are planning to use eRoom 7 with Documentum Web Publisher, you must also complete the procedures in this section.

In order for the eRoom server to communicate with application servers running Web Publisher, a copy of Web Publisher must be installed on the eRoom server. If a supported application server is not already installed on the eRoom server, then an application server must first be installed before installing Web Publisher.

1. Install a supported application server (for example, BEA WebLogic or Apache Tomcat) on the eRoom server.
2. Install Web Publisher (Web_Publisher_5.2.x_windows.exe) on the eRoom server.

NOTE: You do not need to run either the application server or Web Publisher on the eRoom server; you only need to install it there.

If you receive errors when attempting to work with Web Publisher files, or if you are unable to see Web Publisher files or folders, please see Appendix F: Troubleshooting Web Publisher.

Configuring Web Publisher servers for use with eRoom

To enable the “Go to Content Server...” command in eRoom to work correctly with Web Publisher servers, perform the following procedure on each Web Publisher server that eRoom will connect to.

1. Locate the XML file wp\config\app\contextsensitive_view_config.xml.
2. Open the file, and under the <actions_list> tag enclosed within the <component> tag, add the following line:

   <an_action_name="search" valid_by_default='true'/>

3. Log into Web Publisher as a user with administrative privileges.
4. Press the Ctrl key while clicking the Documentum icon in the top-right corner of the page.
5. Click the Configuration button.
6. Click the “Re-configure View Sensitive Action” link.
7. Wait until the process finishes, and then close the pop-up window.

Getting Started using eRoom 7

Refer to the eRoom 7 Online Help for product documentation (for administrators as well as end users). To open Help, click “?” in the control bar at the top of an eRoom page.

■ For information about new features in eRoom 7, see the What’s new in eRoom 7 topic.
■ For details about the user interface, see the guided tour in the Working in your eRoom topic (Basics section).
■ For information about coordinating an eRoom, see the section Coordinating an eRoom.
■ For site and community administration details, see the Administration section.
■ For information on managing eRoom membership (including the use of NT domain and LDAP directories), see the Membership section.

Visit the Powerlink site (http://powerlink.emc.com) for additional Support Note information.

Chapter 3: eRoom and NT Server Default Permissions

There are default permissions set up for an eRoom installation. Organizational standards may vary from enterprise to enterprise. These permissions can be changed to “harden” the security of the server. Follow the Microsoft Windows recommendations for hardening NT, 2000, or 2003 IIS security. However, any configuration changes should be sufficiently tested prior to installing eRoom.

eRoom 7 rights and NTFS rights

Access rights set in the eRoom application are not passed down as NTFS rights to the operating system (NT/2000/2003).
Conversely, general NTFS permissions for each NT user on the server do not apply to eRoom objects or files. The eRoom application user rights determine access control to the application (communities and eRooms) and rights to eRoom-specific objects.

Windows NTFS permissions that are important are the IUSR Account (anonymous access account) used by IIS and the eRoom Server user account created by the eRoom application. Both accounts are used to access server resources. However, the IUSR account access is limited in scope.

Default required permissions

The following are some of the default permissions required for installing eRoom:

■ Installation/Admin Account: Act as Part of the OS - required for eRoom installation and administration.
■ eRoom Server: Log on Locally - eRoom application must “logon” as this user account to access system resources. This is set during eRoom installation.
■ eRoom FileShare Account: Access Computer from Network - required for fileshare access.
■ IUSR account: Logon locally and Logon as a batch job - IIS sets these by default. Anonymous access requires these. Refer to Windows hardening guides for more information regarding local security policies required for the IUSR account.

Checking eRoom permissions

eRoom provides a utility called the eRoom Checker that does a deep permissions check on the eRoom web server. It checks and lists a detailed permission checklist for the entire server, including registry and directories for the IUSR and System NT Accounts. In addition, it checks the integrity of database objects and can make permissions repairs and add missing facilities and eRooms to the site database.

You run eRoom Checker from the eRoom Server Administration MMC snap-in. Please contact eRoom Technical Support for assistance with running this utility.
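The script below is an added example, not part of the eRoom guide and not a substitute for the eRoom Checker: it reports which accounts currently hold the four Windows user rights listed under "Default required permissions", so the result can be compared with the accounts you created for eRoom. The privilege constant names (SeTcbPrivilege and so on) are the Windows names for those rights and do not appear in the guide; the function names are hypothetical.

```powershell
# Added example (not from the eRoom guide). Run from an elevated Windows
# PowerShell prompt on the eRoom web server. It exports the local User
# Rights Assignment policy with secedit and lists the holders of the
# rights the guide names.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

# Windows constant -> right as named in Local Security Policy.
$rightsOfInterest = [ordered]@{
    'SeTcbPrivilege'          = 'Act as part of the operating system'
    'SeInteractiveLogonRight' = 'Log on locally'
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeBatchLogonRight'       = 'Log on as a batch job'
}

function Resolve-Principal {
    # secedit writes each holder either as "*S-1-5-..." (a SID) or as a name.
    param([string]$Entry)
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$sidText (unresolved SID)"   # deleted or unreachable account
    }
}

function Get-UserRightsAssignment {
    # Returns a hashtable: privilege constant -> array of account names.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed with exit code $LASTEXITCODE (is the prompt elevated?)"
        }
        $assigned = @{}
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $name = $Matches[1]
                $holders = @($Matches[2].Split(',') |
                    Where-Object { $_.Trim() } |
                    ForEach-Object { Resolve-Principal $_ })
                $assigned[$name] = $holders
            }
        }
        return $assigned
    } finally {
        if (Test-Path -LiteralPath $cfg) { Remove-Item -LiteralPath $cfg -Force }
    }
}

$assigned = Get-UserRightsAssignment
foreach ($constant in $rightsOfInterest.Keys) {
    # A right that no account holds is simply absent from the export.
    $holders = @()
    if ($assigned.ContainsKey($constant)) { $holders = $assigned[$constant] }
    [pscustomobject]@{
        Right    = $rightsOfInterest[$constant]
        Constant = $constant
        Holders  = if ($holders.Count) { $holders -join '; ' } else { '(none)' }
    }
}
```

Any holder of "Act as part of the operating system" other than the install and administration account the guide calls for is worth reviewing against your hardening baseline.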
For more information

For more information about the eRoom Checker utility, see the eRoom Diagnostic and troubleshooting tools section of the System Administration section of eRoom 7 online Help.

For more information on Windows NT permissions and security, see the following Web resources:

■ Default Permissions for IIS 6: http://support.microsoft.com/default.aspx?kbid=812614
■ Minimum Permission for IIS 5: http://support.microsoft.com/default.aspx?scid=kb;EN-US;271071

Chapter 4: Uninstalling eRoom 7

Use the following procedure to remove everything associated with an install of eRoom 7.

NOTE: Do not perform this procedure if you still have eRoom data you want to save or recover.

1. Shut down the eRoom Monitor (if you installed the eRoom client on the same machine as the eRoom Server).
2. Use the eRoom MMC snap-in to delete the site. (Select the eRoom folder, right-click, and choose All Tasks > Delete Site).
3. Open the Control Panel and pick Add/Remove Programs.
4. Choose eRoom Server and click Remove. If prompted to remove files no longer in use, you can select “Yes” at your discretion.
5. After removing eRoom 7, reboot.
6. After rebooting, verify the following:
   ❒ If your ...\eRoom Data directory (or whatever else you named it during install) has been removed. If not, remove it (provided a backup isn't needed or doesn't currently exist).
   ❒ If you are using Microsoft SQL 2000, then also ensure the eRoom databases within Microsoft SQL Enterprise Manager have been removed. If not, delete them.
7. Verify that registry entries have been removed.
   ❒ Run Registry Editor. (Start > Run > Regedit)
   ❒ Select HKEY_LOCAL_MACHINE\SOFTWARE\.
   ❒ Find the eRoom key under the software key.
   ❒ Verify that the eRoom key is removed. If not, delete the HKLM\Software\eRoom\eRoom Server key. Do not do this if you still want to keep eRoom data.
8. Verify that the eRoom Server files have been removed. Go to the following directories and delete the following files if they exist (these are defaults -- installation locations may vary):
   /inetpub/eRoom - remove eRoom directory
9. Verify that all virtual roots have been removed from IIS:
   ❒ Open the Internet Service Manager to check all “eroom” roots.
   ❒ If any still exist, right-click and delete all the “eRoom” virtual directories/applications.
10. Make sure that IIS Services are started and that you can access the IIS default home page. Then you can re-install eRoom if needed.

Appendix A: Upgrading from eRoom 6

eRoom 6 background

eRoom 6 installations typically included an IIS web server containing the eRoom application and a separate Microsoft SQL Server database server. Alternatively, in SQL Anywhere installations, databases resided on the web server. File attachments to an eRoom were all stored on the web server (or a SAN storage device connected to the web server). An eRoom configuration might have also included integration with Documentum’s Content Server, Real Time Server, MS Project Viewer, and CAD Viewer.

Members on each eRoom server were typically managed by the eRoom Server Member List (SML), and facilities provided logical groupings of members and eRooms. A directory listing of eRooms was limited to a specific facility. Typically, customizations were developed to provide a more comprehensive list of eRooms or facilities for a specific server or across multiple servers.
The SML may have also been connected to an NT Domain or LDAP directory for both authentication and synchronization. In a multi-server eRoom environment, in many cases all eRoom servers were connected to an external LDAP or NT4 directory connection. However, each eRoom server had its own server settings, which were administrated independently of other servers. Administration customizations had to be performed separately on each eRoom server.

With previous versions of eRoom, facility and eRoom creation was server-based. Only eRoom server administrators could create facilities. Additionally, facility administrators (or users with create eRoom rights) within a particular facility could create eRooms only within that facility.

eRoom 7 differences

In eRoom 7, membership and administration are now centralized within an eRoom site. The eRoom site contains information about one or more servers and the members and eRooms within the site. Multiple eRoom 6 servers can be combined into an eRoom 7 site.

Within an eRoom site, communities now provide logical groupings of members and eRooms. A site can have multiple communities, and each community can have its own independent administrator. For administrative purposes, all members must be native to only one community. However, members of a community (or the entire community itself) can be added to another community as guests. Members can be added to the eRoom 7 community member list (as a “local member”), or they can authenticate/synchronize to an external directory, such as LDAP or an NT4 domain.

The concept of a facility still exists in eRoom 7, but facilities reside within an individual community. Each facility maintains its own settings page for database templates, inboxes, custom fields, and custom icons only.
However, facility administration and membership/synchronization rules that applied in eRoom 6 are no longer relevant in eRoom 7. New eRoom provisioning functionality determines which server machine and community an eRoom is created in.

The following illustration depicts the structure of an eRoom 7 site:

[Illustration: eRoom 7 Site. Community A: member list (member A1, member A2, member A3), facility A1 (eRoom A1, eRoom A2, eRoom A3), facility A2 (eRoom A4, eRoom A5, eRoom A6). Community B: member list (member B1, member B2, Guest A1), facility B1 (eRoom B1, eRoom B2, eRoom B3).]

There are several important eRoom 7 differences you can see in this illustration. In particular:
■ A site can include multiple communities, which in turn can include multiple facilities.
■ Although sites and communities can contain multiple facilities, a facility still represents a distinct database file. However, the eRoom 7 site database now contains information on servers, communities, facilities, membership, and licensing across the entire eRoom 7 site.
■ Facilities must be created within a particular community, and eRooms must be created within a particular facility.

Other important differences not depicted in the illustration include the following:
■ Membership is now administered at the community level rather than at the facility or server level.
■ The only member synchronization that now occurs is between the eRoom site and its communities (which in turn synchronize with an external directory, if applicable). There is no longer any member synchronization between SMLs and facility member lists.
■ When adding members to an eRoom, coordinators can search for any member of the community, regardless of which facility the eRoom resides on.
■ There are no longer any facility administrators in eRoom 7; they have been replaced by community administrators.
■ There are still facility settings pages in eRoom 7, but they now only control facility-level inbox functionality, custom icons, custom fields, and database templates.

eRoom 7 and external directory connections

eRoom 6 supported the use of external directory connections at the server and the facility level. eRoom 7 associates Windows NT Domain or LDAP connections with communities only. An eRoom 7 directory connection is added to a community, and the directory members automatically become members of a group within the community. This directory group cannot be deleted unless the directory connection is deleted from the community.

Prior to upgrading to eRoom 7, identify where the current eRoom 6 directory connections are located (SML- or FML-based). Then identify the eRoom 7 community these directory connections should reside in. If your eRoom 6 directory connection is connected to your eRoom 6 SML, the eRoom 7 upgrade will translate directory connections to the community that contains your SML. Most likely the “Main” community of members will contain all members from all server member lists for the purpose of the eRoom 7 upgrade. By default, the upgrade will create a group (of the same name as the directory connection) within the community containing all members from the external directory connection. After the upgrade, you can later add new communities and move directory connections to new communities as desired.

Upgrade planning and preparation

Performing an upgrade requires considerable preparation and planning. Before you launch the installation process, make sure you know which servers you will use for various functions (web server, database server, file storage, etc.). In addition, you must set up several accounts and directories that you will be asked to specify by the installation and upgrade programs.
Finally, you must carefully decide and plan how you would like to bring your existing eRoom 6 facilities and rooms into an eRoom 7 site, as there are different ways to do this, each with advantages and disadvantages. Please read this section carefully and plan accordingly before you begin the upgrade process.

Hardware configurations

The following table shows typical ways you might distribute eRoom 7 site components among various server machines. With the Advanced installation*, in addition to the possibilities depicted in the table, you could also use more than four servers and have multiple instances of various site components (Microsoft SQL Server database, web server, file server, etc.).

Number of servers | Server | eRoom 7 Site components: Standard | eRoom 7 Site components: Advanced
One server | Server 1 | All components on the same server. | All components on the same server. (This Advanced install configuration for testing only.)
Two servers | Server 1 | Web server, SQLA database, Indexing server | Web server
Two servers | Server 2 | eRoom file server | Microsoft SQL Server database, Indexing server, eRoom file server
Three servers | Server 1 | Web server, Indexing server, eRoom file server | Web server, Indexing server (or on file or database server)
Three servers | Server 2 | Microsoft SQL Server database | eRoom file server
Three servers | Server 3 | (Not applicable) | Microsoft SQL Server database
Four servers | Server 1 | Web server | Web server
Four servers | Server 2 | eRoom file server | Microsoft SQL Server database
Four servers | Server 3 | Microsoft SQL Server database | eRoom file server
Four servers | Server 4 | (Not applicable) | Indexing server

*See “eRoom server versions” on page 1-1 for details about Standard and Advanced installations.
Member, group, and facility migration

Members

When you upgrade, the Migration wizard asks whether you want to create a new community as the main community for site members, or add members to an existing community. If you have already defined a community for your primary member community, you would use that one rather than create a new community. Also, you can create new communities later, if necessary, via Site Settings.

In addition to the main community (which has the original site name), the Migration wizard automatically creates a satellite community for each of the following:
■ each eRoom 6 facility that was not linked to the Server Member List (SML).
■ each eRoom 6 facility that was linked to the SML, but also contained non-SML members.
■ each SML group that was specifically linked to by at least one eRoom 6 facility. (All eRoom 6 facilities that pointed to the same SML group and had no non-SML members are consolidated into the main community.)

All members of these satellite communities remain native to the main community, and are assigned as guest members of their satellite communities. This ensures convenience of administration, while preserving the eRoom 6 member divisions in case you need them. If you like, you can later eliminate the satellite communities to further consolidate membership.

The following are some circumstances in which you might choose to keep groups and facilities in separate communities rather than consolidating them into the main community.
■ You might want communities to strictly observe organizational/political boundaries. For example, a specific web server might be delegated solely for accessing eRooms and data belonging to a particular subsidiary or department.
■ You might want to create a separate community for administrative purposes.
For example, if different administrators currently manage different eRoom 6 communities, you might want to preserve this practice in eRoom 7.
■ You might want to impose more restrictive access for particular projects. For example, you might want to create an executive community or a merger-related community.

Facilities and groups

The Migration wizard also asks you where you want to move your existing eRoom 6 facilities and local groups. The default option is to move them all into the main community. Depending on your needs, a centralized main community containing all the facilities and groups may be easier to administer than keeping facilities and groups in separate communities. Furthermore, end users don’t need to be concerned about which server or facility an eRoom resides on.

Alternatively, you can choose to keep your facilities and groups in their separate satellite communities, reflecting their eRoom 6 organization. This option allows you to delegate facility and group management to the community administrators of the satellite communities.

Server provisioning (Advanced Installation only)

Among the new administrative features in eRoom 7 Advanced installation is server provisioning. This involves determining which servers new eRooms are created on in order to ensure that the load shared by different servers is balanced. You can either establish your own preferences for a provisioning policy, or let eRoom 7 make provisioning decisions automatically (based on the relative capacity of the available servers of each type). You can also establish provisioning groups, which allow servers to be chosen based on the type of eRoom involved.
Provisioning groups are often created based on geographical or organizational criteria—for example, you might reserve one set of servers for North American clients, another for European clients, and so on. When a “North America” eRoom is created, eRoom chooses the appropriate servers from those assigned to the “North America” provisioning group. If that group designates multiple servers of a particular type (web, database, file, full text index), then eRoom uses relative capacity logic to choose the best server of each type from the set available to “North America.”

When you migrate a facility from eRoom 6 to eRoom 7 (after you have created an initial site), and if you have defined provisioning groups or specified multiple options for various server types, you are asked to choose server assignments for the migration. If necessary, administrators can re-provision at any time after the migration.

Multiple eRoom 6 servers can be added to an existing eRoom 7 site, by joining that site. Consequently, not all eRoom 6 servers need to be upgraded at once. When joining an existing site, it is important to identify which database server, file server, and index server will contain the data prior to upgrading.

Additional procedures and information

If, in addition to upgrading from eRoom 6, you are also reconfiguring your installation, you may need to meet additional requirements and perform additional procedures, using information provided in this manual as follows:
■ Appendix B: Configuring eRoom Inboxes
■ Appendix D: eRoom Security Guidelines
■ Appendix E: Clustering Environment Setup

If you have made API customizations in eRoom 6, refer to the API Help for information on whether you need to update those customizations for eRoom 7.
If you have created eRoom XML Query Language applications or queries, see the XML Help for information on changes to the XML schemas and to query targeting. Both the API Help and the XML Help are available from within the eRoom 7 Help environment.

Finally, you must evaluate and revise your eRoom 6 backup procedures so that they are effective for eRoom 7, since the basic structure and organization of eRoom 7 differs from that of eRoom 6 in important respects.

Upgrade troubleshooting

This section contains information on troubleshooting potential problems with the eRoom 7 upgrade process. If you encounter difficulties, read this section and try to isolate where the problem occurs, which might suggest possible solutions.

See also: “Chapter 3: eRoom and NT Server Default Permissions.”

Upgrade components

Broadly speaking, the upgrade process consists of three main subcomponents:
■ Program file installation - If the upgrade fails during program file installation, the problem is most likely related to permissions. Check to see if strict Windows Domain Group policies might be preventing you from installing the application. Also make sure that you have created an install account (as described in the Setting Up An Install Account section) and logged in with that account when you started the installation (as directed in the Upgrading from eRoom 6 to eRoom 7 section).
■ Site creation - If the upgrade fails during site creation, the problem may be related to database connectivity or Windows permissions. Again, check to see if strict Windows Domain Group policies might be preventing you from setting up a site.
■ Facility migration - If the upgrade process fails during facility migration, the problem is most likely related to SQL connectivity or to a data issue specific to an individual facility database.
Logs to gather

It is important to gather the following logs if your upgrade fails. They are helpful if you need to contact Technical Support:
■ ERSSvrInstallLog.txt, located in the c:\Winnt directory.
■ eRoomerrors.log, located in the eRoom Data directory you specified during program file installation.
■ Migration log, located in the ...\Program Files\eRoom\eRoom Server directory with this name: Migration Log<data>.txt

Backup of registry keys

Note that the upgrade process backs up your eRoom 6 registry keys (hklm\software\eroom and hklm\software\odbc). These are backed up in the …\Program Files\eRoom\eRoom Server directory. These may be required for a restore back to eRoom 6 or requested by Technical Support.

Upgrade testing

It is important to test your upgrade in a separate environment prior to converting your production eRoom servers. Become familiar with eRoom 7 functionality, data storage, and the entire eRoom upgrade process. Proper planning can help ensure a successful migration.

Contacting technical support

Before contacting Technical Support, please gather the above-mentioned logs and if possible take screen shots of any error messages you encounter. For technical support, visit the Powerlink site (http://powerlink.emc.com).

Appendix B: Configuring eRoom Inboxes

An eRoom inbox is a special folder that can receive and store email messages (and their attachments). By cc’ing email messages about your project to your eRoom, you can create an automatic archive of project correspondence. To retrieve email messages, eRoom logs into an SMTP account on a mail server, just as if it were a mail client like Outlook Express or Eudora.

Creating an SMTP mail account on a mail server for eRoom usage

Establishing an SMTP service and domain

1. In the IIS Admin Console on the eRoom server that will host the SMTP service, make sure the SMTP service is installed.
2. Make sure there is a virtual SMTP domain configured within the IIS Admin Console.
3. In the Incoming section of the Email page of eRoom Site Settings, enter the name of the SMTP domain from the previous step into the “Email address domain” field.

Creating the inbox

1. In an eRoom, click create and pick the Inbox item.
2. Provide a name and description for the inbox.
3. Complete the inbox address by filling in the “Address” field in front of the domain name.
4. Click OK to create the inbox.

Each inbox you create follows the same process. Multiple inboxes can reside in a single eRoom. All inboxes must have unique email addresses. eRoom enforces this by changing email addresses for inboxes that are copied.

Administrative eRoom inbox settings

The eRoom Scheduler Service accesses the SMTP accounts to retrieve mail for all eRoom inboxes. You can disable the inbox functionality in eRoom Site Settings by clearing the “Check for email sent to inboxes” check box under the Scheduler section. When inboxes are enabled, you can use the eRoom Server Tuning dialog box to set the interval at which the eRoom Scheduler checks for new mail delivered to the SMTP service. The default setting checks every five minutes.

How do end users direct email to particular inboxes?

eRoom delivers mail to the inboxes based on their addresses. The Scheduler checks for mail in the drop directory specified in the SMTP service (IIS Manager). For single-server sites, mail is delivered to the appropriate inboxes. For multi-server sites, mail on servers other than the one with the SMTP service is temporarily stored in the ~Mail Drop folder on the main file server.
When the Scheduler runs on other servers, it looks for mail in this folder and directs it to the appropriate inboxes.

Conversion of mail messages to eRoom inbox pages

eRoom converts each email message sent to an inbox to an eRoom page as follows:
■ The subject line becomes the title of the page.
■ The page itself contains an email icon for replying to the sender and the text of the message.
■ File attachments are created as attachments to the new eRoom item. If eRoom cannot determine the type of attachment (because it is using a nonstandard MIME type), eRoom creates a file attachment as a text file called “Attachment N.txt” where N is a number greater than zero. Users can rename this file if they like.

HTML email messages: The inbox feature supports HTML email messages. eRoom restricts the HTML content of eRoom items so that they can be edited with our rich text editor. Incoming email messages in HTML format have all non-supported HTML stripped from them, including style sheets, script (VBScript and JavaScript), and other non-standard tags. It is important to note that all script is removed, which prevents potential security problems caused by malicious script. Inline images are retained, and can be edited in the rich text editor.

Appendix C: Configuring a Reverse Proxy Server with eRoom 7

Follow these steps to configure eRoom 7 with a reverse proxy (RP) server. This configuration ensures that eRoom requests are properly redirected through the reverse proxy to the eRoom web server.
First you configure the reverse proxy, and then the eRoom web server.

IMPORTANT: Verify that the reverse proxy server you are using is fully supported to work with eRoom Server 7. If you’re not sure, contact eRoom Support at the Powerlink site (http://powerlink.emc.com).

For this example, assume that:
■ End users want to access eRoom by using eroom.company.com.
■ There are two servers, as follows:

Server | Description | Fully Qualified Domain Name | IP Address
app1 | eRoom Server | app1.company.com | 192.168.1.100
proxy | reverse proxy Server | proxy.company.com | 192.168.1.99

Configure the reverse proxy server

1. Configure the public DNS server to resolve eroom.company.com to the reverse proxy server IP (192.168.1.99).
NOTE: In some configurations, two IP addresses might be required for the reverse proxy server (one or two NIC cards)—one IP for external (Internet) use, and one for internal network use. In this configuration, DNS should resolve to the external (Internet) IP. TCP/IP settings can be set in Windows Control Panel / Network Settings. Consult with a qualified network IT person to make sure the reverse proxy network settings are correctly configured before testing with eRoom server.
2. Configure the reverse proxy server to redirect to the eRoom server, using its fully-qualified domain name.
Example
From: https://proxy.company.com
To: https://app1.company.com
3. Test accessing the default home page (of the eRoom web server) from a client workstation. For testing purposes, the host file on a client workstation can be configured to resolve eroom.company.com to the external IP of the reverse proxy (if you skipped step 1 for DNS setup).
4. Configure the RP to redirect all the /eRoomXXX virtual roots on the reverse proxy server to forward to the eRoom server.
These include
/eRoom
/eRoomASP
/eRoomData
/eRoomExtpages
/eRoomHelp
/eRoomReq
/eRoomSetup
/eRoomXML
Example
From: https://proxy.company.com/eRoomasp
To: https://app1.company.com/eRoomasp

NOTE: If you want to disable the reverse proxy server for users inside the firewall, you can do so on the Edit eRoom Server dialog, accessible through the eRoom MMC snap-in. (This requires that internal users can resolve the reverse proxy DNS name.)

Configure the eRoom web server

1. Choose Start > Programs > eRoom Administration > eRoom Server Administration to open the eRoom MMC snap-in.
2. Right-click on the eRoom server and choose “Edit Server”.
3. In the “Full Servername” field, enter the reverse proxy server name.
4. In the Reverse Proxy Server section, select the check box labeled “This eRoom server is being used through a reverse proxy server”.
5. Specify any other Reverse Proxy Section settings as necessary.

Notes

When overriding the eRoom web server name in eRoom Server Settings, the following notes apply:
■ If the reverse proxy cannot be reached from the eRoom server, you may map the reverse proxy’s IP address to the eRoom server so that the eRoom MMC snap-in will continue to work on the eRoom server.
■ The override web server name set in eRoom Server Settings must also be used to ensure that URLs in eRoom email notifications and invites/alerts are sent out using the public name eroom.company.com rather than the internal eRoom server name app1.company.com. This allows end users to click the link in eRoom emails and resolve to the reverse proxy (as long as DNS is correctly set up).

On securing the configuration

■ When securing both the eRoom and proxy servers, use proper care and testing to ensure that the security does not impair functionality of either application.
■ SSL can be installed on the reverse proxy to ensure a secure connection with client workstations. This means clients would use “https://” instead of “http://”.
■ SSL can also be installed on the eRoom web server to ensure a secure connection between the RP and the eRoom server. However, some proxy servers may not be able to redirect to a web server with “https://”.
■ In eRoom 7, an SSL certificate must be installed on the eRoom web server for eRoom to recognize “https://” instead of “http://”. eRoom automatically recognizes that the SSL certificate is installed and required. After applying the SSL certificate to the eRoom server, you need to ensure that users use SSL (users cannot have the choice of whether or not to use https:// in the URL address). Otherwise, the URL addresses in the notifications, alerts, and invitations will be incorrect. For instructions on how to force the use of SSL for connected users, refer to the Support Notes on the Powerlink site (http://powerlink.emc.com).
■ If an SSL certificate cannot be installed on the eRoom web server, an alias might be created so that “http://” requests get translated to “https://” automatically.

Appendix D: eRoom Security Guidelines

eRoom server operating system hardening

Properly configured and maintained, with appropriate security patches, Microsoft’s IIS is a robust platform that can substantially reduce the risks inherent in running Internet-accessible applications.

The most critical issue to consider for network applications like eRoom 7 is the availability of remote services. Access to all services must be restricted to those necessary for the server to function. This is typically done at two levels: network and host.
At the network level, we strongly recommend using firewalls and routers to restrict access to services (ports). At the host level, NT-based customers can use TCP/IP filtering to limit exposure of unnecessary services. Win 2000-based customers can use IPSec filters to perform this task more efficiently, because they can be applied on the fly, and they correctly block ICMP.

It is especially important that you either block or disable access to such standard Windows services as NetBIOS/SMB resource sharing. Attackers may perform known techniques to reveal the names of system accounts and perform password-guessing attacks via these services.

eRoom security

By default, eRoom provides password-protected entry into eRooms and can synchronize user names and passwords through NT/Win2000 Domains or LDAP.

How does the eRoom server recognize a legitimate eRoom client?

Before granting access to information, eRoom asks users to log into the specified eRoom with a user name and a self-selected password. Once the eRoom server authenticates the user, it generates a random session ID that serves as a secure key for the duration of the session. This session ID makes the server resistant to any unauthorized capture, alteration, and retransmission of a communication stream. To properly log out from eRoom and destroy this session ID, users must exit the browser.

When logging into the eRoom Server via the browser, users can check "Save password" on the Login dialog box, and eRoom saves the password in an encrypted form. The password is vulnerable to reuse, however, if it is stolen and copied to another machine. For added security, the eRoom administrator can disable the save password option.

On the server side, the eRoom server does not store passwords for users that come from a Windows NT/2000 domain, Active Directory, or LDAP directory.
The passwords of other users are stored on the eRoom server and encrypted using MD5 hashing. The server can also be configured to record failed login attempts. External directories can be configured with account lockout rules, for example, to disable an account after multiple failed login attempts. These rules are effective with eRoom authentication for accounts coming from such directories.

On the client side, eRoom access is provided by means of a browser. The browser can be augmented with plug-in components. The plug-in enhanced browser uses a Microsoft ActiveX control for its main functionality. The control, ERAdddin.OCX, is programmatically marked “safe for scripting” and thus avoids a security check that validates the code’s authenticity (i.e. that the identity of the control’s author can be verified by a trusted third party). Since safe-for-scripting controls have been exploited within other software products to perform unauthorized actions on end-user systems, eRoom implements a mechanism whereby trusted servers are tracked and the control is not accessible except by those servers on the trusted list. In addition, eRoom provides an alternative for customers who wish to avoid using ActiveX technology entirely--they can use the thin client (a server-side configuration parameter can force all users to connect with the thin client only).

Although eRoom has taken steps to obfuscate user credentials stored on the rich-client system, we cannot guarantee that a dedicated, resourceful attacker could not obtain this information given enough time. Thus, client environments should also be well protected through policy and physical security mechanisms.

How is access to eRoom information controlled?

Access control is available from the facility level down to each individual object in an eRoom.
eRoom member lists define who can access each eRoom and facility on the server and access control lists manage access to all eRoom objects.

Access control is fully implemented at the server. That means that even in the unlikely event that the client code is compromised, or if the server is being “spoofed,” the server continues to enforce access limitations. The server has no implicit trust of client-side code; it performs authentication and authorization checks based solely on credentials provided by the client, such as name and password.

Using eRoom within an internal network

eRoom uses standard HTTP for all its communications, in both directions. Consequently, if your systems and firewalls are configured so that a specific person can use a web browser to access a certain web server, then the user can also access an eRoom running on that server.

Access to the eRoom server via the browser uses JavaScript to perform some actions. In addition, the eRoom “rich client” uses plug-in components to provide additional services to the user. Consequently, it is important that the browser and firewall configurations do not block either of these. If the firewall allows no applications, you need to specify that the following applications be allowed to pass through the firewall: application/Octet-stream.

Using eRoom in the extended enterprise

Many current eRoom customers use their eRooms with employees, suppliers, clients, and partners that are not part of their internal network. They require a security solution that enables continuous remote access to the eRoom application. The following sample scenarios present common configurations that customers use and the security technologies that they require.
Scenario 1: eRoom on the extranet

Many eRoom customers put their eRoom server on the extranet. Installing eRoom on a web server outside the firewall means that securing, or “hardening”, the server becomes very important. The most important thing you can do to ensure the security of such a configuration is to ensure that the only ports enabled on the Windows NT or Windows 2000 Server are those necessary for the required services. Such services include either of the following:
■ HTTP (port 80)
■ HTTPS (port 443)

Depending on your company’s needs, you might also make one or more of the following accessible through the firewall:
■ SMTP (port 25)
■ POP3 (port 110)
■ SQL 2000 (port 1433)

Make sure that no File Services, FTP, or similar services are enabled.

This configuration provides three levels of defense:
■ Windows NT and Windows 2000 Server's security to protect access to all resources
■ Microsoft IIS Web Server for security
■ eRoom software to protect access

In addition to hardening the server, eRoom recommends using SSL and digital certificates to protect information during transmission in the extranet environment.

About Secure Sockets Layer (SSL)

SSL is a protocol designed to provide security during the transmission of sensitive data over TCP/IP. SSL provides data encryption, server authentication, and message integrity for data transmission over the Internet. SSL can provide a secure transport layer for communications with your eRoom Server.

Since some forms of eRoom authentication are based on protocols that send Base64-encoded passwords, an authentication session can be captured and analyzed using eavesdropping tools.
The risk of an attacker being situated properly on the public Internet in a position to eavesdrop on such traffic is low. Nevertheless, the risk is present, and may be greater for large organizations with multiple network segments between eRoom servers and clients. eRoom Server Administrators should be aware of the risks involved in using eRoom “out-of-the-box” without SSL configured. We recommend using SSL.

About digital certificates

Digital certificates are available for both the server and the client. A server-side digital certificate is analogous to an ID card for the server. Verified by a third-party certificate authority, a digital certificate is a complete set of information about its owner, based on an Internet standard.

What are the advantages of using digital certificates?

Together with SSL, digital certificates secure communications on the Web by providing the following:

■ Authentication. When a server has a Digital ID, all client browsers know that they are dealing with a legitimate source. The client can then verify the identity of the server before accepting the public key to begin the SSL session.
■ Message privacy. All traffic between the server and browser is encrypted using a unique "session key." Each session key is used with only one customer during one connection, and that key is itself encrypted with the server’s public key. These layers of privacy protection guarantee that information cannot be intercepted or viewed by unauthorized parties. (Note: Encryption is provided in both directions even if only the server has a Digital ID.)
■ Message integrity. The contents of all communications between the server and the browser are protected from being altered en route. Each element of that transmission knows that what it receives is exactly what was sent from the other side.

Using a recognized certificate is the easiest and most reliable way to enable SSL.
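
The Base64 point made in the SSL section above, as an added example that is not part of the original guide: Base64 is an encoding, not encryption, so a password sent this way is protected only if the connection itself is encrypted. The sketch assumes the protocol is HTTP Basic authentication (the guide does not name it); the host name, user and password are constructed sample values.

```python
import base64
import binascii

# Constructed sample traffic (not taken from a real eRoom server).
# Each record is (scheme the request arrived over, raw request headers).
_TOKEN = base64.b64encode(b"jsmith:Winter2008").decode("ascii")
SAMPLE_REQUESTS = [
    ("http", "GET /eRoom/ HTTP/1.1\r\nHost: eroom.example.test\r\n"
             "Authorization: Basic " + _TOKEN + "\r\n\r\n"),
    ("https", "GET /eRoom/ HTTP/1.1\r\nHost: eroom.example.test\r\n"
              "authorization: basic " + _TOKEN + "\r\n\r\n"),
    ("http", "GET /eRoom/ HTTP/1.1\r\nHost: eroom.example.test\r\n\r\n"),
]


def parse_basic_credentials(raw_headers):
    """Return (user, password) from an 'Authorization: Basic' header, or None."""
    for line in raw_headers.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None                                # some other scheme
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                                # malformed token
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None


def audit_requests(requests):
    """Report every request that carried Basic credentials and whether it was exposed.

    No key is needed to recover the credentials, so a request that arrived
    without SSL is marked as exposed to anyone who could observe the traffic.
    """
    findings = []
    for index, (scheme, raw_headers) in enumerate(requests):
        creds = parse_basic_credentials(raw_headers)
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "request": index,
            "user": user,
            "password_length": len(password),          # never log the password itself
            "exposed": scheme.lower() != "https",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(finding)
```
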

eRoom and the Internet Server Access API will work correctly with SSL and Digital Certificates when using either Microsoft Internet Explorer or Netscape Navigator.

When communication with the server is encrypted with SSL, login information is securely delivered to the server, which then authenticates the user's name and password. This ensures that the eRoom client cannot be spoofed into revealing a user name and password pair. All communication is then encrypted for the life of the user’s session.

eRoom supports all versions of SSL technology, though SSL v3 or higher is recommended due to the cryptographic enhancements contained in this version.

Scenario 2: Using eRoom within a DMZ

A DMZ is a firewall-protected network space that allows limited access to web-based services by outside parties. Although DMZs are widely used within corporate IT organizations to protect public web servers, they are increasingly required for business-to-business activities, including transaction-based applications and collaboration tools such as eRoom.

There are many possible variations of the DMZ, but the basic concept is that external users are allowed access on a limited number of ports (often just the SSL port) to hosts on the DMZ subnet. There is essentially an “external firewall” that does packet-level filtering to allow specific access by port to hosts in the DMZ and then there is an “internal firewall” that prevents any access to internal hosts.

At this most basic level, barriers to entry for external users are low. The security risk is “contained” in the DMZ and can be further reduced by requiring SSL for all connections and disabling all other ports.

As mentioned previously, each company needs to decide whether or not to open up the internal firewall for specific services, such as SMTP mail access or Microsoft SQL Server database.

Scenario 3: Using eRoom with a proxy server

The next level of security is usually implemented by requiring a stronger authentication process through a proxy server. Proxy servers act as mediators for all communication between the user on the internal corporate network and a service on the Internet. Proxy servers can improve security by performing more intelligent filtering – that is, they are more capable of filtering HTTP by content type (for example, to remove Java or JavaScript) and better at virus detection than packet filtering systems. Because of their positioning between a client and the Internet, proxy systems also generate new IP packets for the client, thus protecting clients from malformed IP packets.

A more secure version of this configuration is the reverse proxy server. In this scenario, eRoom resides within a protected segment of the network with the reverse proxy in the DMZ. External users’ requests are captured by the reverse proxy server and forwarded to the eRoom server. The reverse proxy server adds an additional level of security by hiding the eRoom servers’ true network address as well as by applying application layer rules.

Scenario 4: Using eRoom with a two-tiered authentication system

The most secure environments require the use of a two-tiered authentication system such as SmartCards or RSA SecurID.
These technologies require two forms of authentication, based on something the user knows, such as a PIN number, and something the user has, a physical authenticator. Both are required to access the network. This level of access is available when using browser access with or without the optional plug-in, although there may be some limitations to the plug-in functionality.

Scenario 5: Using eRoom with a Single Sign-on (SSO) system

Single sign-on (SSO) systems combine ease-of-use and security. An SSO solution, such as Netegrity SiteMinder, performs user authentication and often combines it with entitlement management. In such a situation, a user logs into the system only once, and then has enterprise-wide access to all authorized resources. The SSO system enforces access policies as well.

Both with and without the optional plug-in, eRoom supports Netegrity SiteMinder, although there may be some limitations to the plug-in functionality. Netegrity integration requires a Documentum Consulting engagement.

Scenario 6: Using eRoom in a Virtual Private Network (VPN)

Clients can access eRoom servers using Virtual Private Networks (VPNs). Server information and user data are encrypted, protecting clients from unauthorized access. VPN can be used over phone lines or over the Internet. This allows corporations hosting eRoom to expand access to the server without incurring large IT costs. The ISP is used to establish an encrypted tunnel. The tunnel creates a secure connection between the user and the enterprise customer's network over the Internet and is indistinguishable from a point-to-point connection.
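
One way to check the port guidance from Scenario 1 and Scenario 2 on a hardened server, as an added example that is not part of the original guide: the script compares the TCP listeners reported by `netstat -an` with the ports the guide allows. The netstat listing is a constructed sample, and the port numbers used for FTP and File Services are an assumption (the guide names those services without ports).

```python
# Ports taken from Scenario 1 of the guide.
REQUIRED_WEB_PORTS = {80: "HTTP", 443: "HTTPS"}
OPTIONAL_PORTS = {25: "SMTP", 110: "POP3", 1433: "SQL 2000"}
# Assumption (not in the guide): the usual port numbers for the services the
# guide says must not be enabled.
PROHIBITED_PORTS = {21: "FTP",
                    139: "File Services (NetBIOS session)",
                    445: "File Services (SMB)"}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            192.0.2.44:51512       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected fields: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        # rpartition copes with both 0.0.0.0:80 and [::]:80
        _, _, port = fields[1].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def audit_ports(netstat_text, enabled_optional=()):
    """Sort listeners into allowed, prohibited and unexpected ports.

    enabled_optional lists the optional ports (SMTP, POP3, SQL 2000) that the
    site has decided to expose; anything else outside 80/443 is reported.
    """
    unknown = set(enabled_optional) - set(OPTIONAL_PORTS)
    if unknown:
        raise ValueError("not an optional port in the guide: %s" % sorted(unknown))
    allowed = set(REQUIRED_WEB_PORTS) | set(enabled_optional)
    report = {"allowed": [], "prohibited": [], "unexpected": []}
    for port in sorted(listening_tcp_ports(netstat_text)):
        if port in allowed:
            report["allowed"].append(port)
        elif port in PROHIBITED_PORTS:
            report["prohibited"].append(port)
        else:
            report["unexpected"].append(port)
    return report


if __name__ == "__main__":
    result = audit_ports(SAMPLE_NETSTAT)
    for category in ("allowed", "prohibited", "unexpected"):
        print(category, result[category])
```
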

Appendix E: Clustering Environment Setup

Before you begin

Installing eRoom in a Clustered Environment involves the following:

■ Hardware configuration
■ Operating System, Network, and Disk Setup (on each node)
■ Microsoft Windows Cluster Service installation
■ eRoom installation

This document complements Microsoft’s Step-by-Step Guide to Installing Cluster Service: http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp. You can download it from Microsoft’s Web site and use it for your eRoom cluster setup.

NOTE: The Index server must be installed on a separate machine and cannot be installed as a clustered resource.

Clustering overview

How clustering works

The main benefit of configuring eRoom in a cluster is to minimize application downtime (by eliminating human intervention in the case of a hardware, operating system, or application problem). Both the eRoom web server and Microsoft SQL Server server can be configured in a cluster. An eRoom clustered environment consists of the following:

■ Cluster hardware platform. Cluster-aware hardware
■ Operating system. Windows 2000 Advanced Server (IIS 5) or Windows 2003 Enterprise Server (IIS 6). Microsoft Cluster Service.
■ Database server. Microsoft SQL Server 2000 (separate from the web server). While Internet Information Server (IIS) and the eRoom application must run on the same cluster, eRoom recommends that you run the Microsoft SQL Server database on a separate cluster or server. This configuration improves system performance, robustness, and scalability; distributes possible failure points; and provides faster failover/recovery times.
■ Shared disk. Shared disk storage external to the eRoom Server is required for clustered environments.
While the goal of a clustered environment is to provide high availability, by no means should it be viewed as the only backup to production. This means that the cluster should include Disk Arrays and be backed up daily to provide data recovery in worst-case situations.
■ eRoom application. The eRoom 7 application installation for Microsoft SQL Server.

A two-node cluster consists of two physical servers—one server is the primary node and the second server is the secondary node. In an Active/Passive cluster, the primary node is the server that actively responds to client requests, while the passive node sits quietly awaiting a failover. Both the eRoom web server and Microsoft SQL Server servers run as a primary node. Should the primary node fail, then the secondary node takes over.

When you build a two-node cluster using Windows 2000 Advanced Server and Microsoft Clustering Service, each node must be connected to a shared disk array using either SCSI cables or fibre channel. Typically, this shared disk array is a standalone unit that houses a RAID 5 or RAID 10 disk array. All of the shared data in the cluster must be stored on this disk array. Otherwise, when a failover occurs, the secondary node in the cluster cannot access it. Keep in mind that clustering does not help protect data or the shared disk array on which it is stored. Therefore, make sure the shared disk array is very reliable and includes fault-tolerance.

In addition to connecting both servers to a shared disk array, both nodes of the cluster are connected to each other via a private network. Each node uses this private network to keep track of the status of the other node. For example, if the primary node experiences a hardware failure, the secondary node detects this (via the private network) and automatically initiates a failover.

How eRoom clients know what to do when a failover occurs

In a cluster configuration, you assign the web server its own virtual name and virtual IP address (the Microsoft SQL Server server also has its own unique virtual name and IP). Both web servers in the cluster share the virtual name and address, and clients connect to the web cluster using the virtual name. As far as a client is concerned, there is only one physical server, not two.

In an Active/Passive cluster design, the primary node responds to the client’s requests. If the primary node fails to respond, a failover to the secondary node occurs, and the cluster still retains the same virtual name and IP address (with a new physical server responding to client requests).

The failover period can last a few minutes (for the Microsoft SQL Server server, the exact amount of time depends on the number and sizes of the databases on Microsoft SQL Server, and how active they are). During this failover time (of either eRoom or the Microsoft SQL Server server), clients are unable to access eRoom. Once a failover occurs, you must find out what caused the failover, and then take the necessary action and correct the problem.

Requirements

Hardware requirements

■ Cluster aware hardware. For a list of Microsoft supported cluster hardware devices, please refer to: http://www.microsoft.com/hcl
■ Two Network adapters for each node in the cluster (Five IP addresses are required after the Operating System installation).
■ External Shared Storage Device and storage cables to attach shared storage device to all computers.
■ Each node’s hardware should be identical for easier configuration and compatibility.

NOTE: At all times, refer to your vendor’s documentation regarding cluster hardware connections and disk configuration.

Hardware configuration requirements

The following are general hardware configuration steps that may apply in any cluster setup:

■ With each node and the storage device powered off, ensure that each node is connected to the shared storage device properly.
■ Power on the shared storage device only and ensure that the shared storage is set to ‘cluster mode’. This may be a switch on the shared storage device itself to enable ‘cluster mode’.
■ Power on each node separately and ensure that the SCSI cards are configured correctly. Again, check your vendor’s documentation regarding SCSI card configuration. Refer to the Appendix of Step-by-Step Guide to Installing Cluster Service (http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp) for information on Cluster SCSI connections.
■ By default, some SCSI cards may be in cluster mode but ‘disabled’. Ensure that each SCSI card is cluster enabled. Each SCSI card (on each node) must have a unique initiator ID (a different number for each card on each node). For example, if the initiator ID is set to 7 on node 1, then set the initiator ID to 6 on node 2. Typically, you can configure the SCSI cards during a boot of an individual node and by pressing a particular hot key (such as ‘Ctrl-M’) during SCSI card initiation. Refer to vendor documentation.
■ Refer to hardware vendor’s documentation to assign the Shared Storage drives to an array and to assign the level of RAID to be used.
For example:
Local system drives = RAID 1 (mirrored)
Shared storage device = RAID 5

Operating system, network, and disk installation

Requirements

■ Windows 2000 Advanced Server Operating System -- must be installed on both nodes.
■ Name resolution method (such as DNS).
■ All disks on each node should be formatted as NTFS.
■ Each node should belong to the same domain.
■ Each node should have its own server name.
■ Domain User account for the Cluster Service.
■ A total of five IP addresses required.

For the operating system, network, and disk installation, please reference Microsoft’s Step-by-Step Guide to Installing Cluster Service (http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp). Be sure to reference the “Power Sequencing” chart within this guide to find out when each node (or the storage) should be powered on or off. There are no special considerations relating to eRoom 7 for Microsoft SQL Server setup.

Installing Microsoft’s Cluster Service

Use the instructions in this section as a supplement to the instructions in Microsoft’s Step-by-Step Guide to Installing Cluster Service (http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp). The instructions in this section contain essential information on how to install Microsoft’s Cluster service so that it works with eRoom 7 Clustering.

1. Operating system installation – Install Windows 2000 Advanced Server on each node.
2. Network setup – Once each operating system is installed on each node, set up the Network.
Each cluster node requires at least two network adapters—one adapter connected to a public network and one connected to a private network consisting of cluster nodes only. A total of five IP addresses are used. Verify connectivity and create the domain account used for the cluster service.
3. Disk setup – Using Windows Disk Management Utilities, ensure disks are formatted as NTFS and are designated as Basic. Create the drive partitions and assign drive letters. When configuring your drive partitions, be sure to set up the Quorum disk partition on a RAID array prior to configuring the cluster services (recommended 500 MB for the Quorum disk).
4. Cluster service setup – Set up and validate the Cluster Service on both nodes per the Microsoft instructions. See the special notes in the next section.

Cluster Service setup

eRoom currently supports only Active/Passive clustering for the eRoom web and database servers. The setup of the Cluster Service is the last step prior to installing the eRoom software. Please reference Microsoft’s Step-by-Step Guide to Installing Cluster Service (http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp).

When you finish installing the cluster service, continue following the Microsoft Guide steps to validate the setup on Node 1 and continue with the Node 2 setup. Be sure to test the failover by moving the “Cluster Group” to the passive node.

NOTE: In steps 9 to 11 of the Microsoft procedure, we recommend that you leave the default name for the new cluster as “Cluster Group.” If you want to change this name, it is best to do so after installing the eRoom software.
Refer to eRoom Support Note 21631 for additional information.

eRoom software installation

Pre-eRoom software installation checklist

■ The cluster hardware is set up, configured, and validated.
■ The operating system, network, and disks are set up, configured, and validated.
■ The cluster service is installed and running and a successful failover of the cluster group has been tested.
■ A cluster group is created with the appropriate resources, including the cluster name, IP address, and shared disk resources.
■ Microsoft SQL Server 2000 (recommended on a separate server) is properly configured and ready for the eRoom installation. Both nodes must have access to the Microsoft SQL Server.
■ Microsoft SQL Server Client Network Utility and admin tools are installed on both nodes prior to the eRoom installation.
■ No cluster resources (for example, the IIS Resource) need to be created on the eRoom web servers within the Cluster Service Administrator. eRoom installs its own resource dll (ercluster.dll) to the %systemroot%\cluster directory on each web server node. The eRoom resource is installed with no special dependencies on other cluster resources.
■ The IIS Services are often configured to run iisreset.exe on failure. Disable this through the Microsoft Windows Services console.
■ Domain IUSR anonymous web user account setup is used on both nodes.

While not required, eRoom recommends deleting the default web site within IIS (unless other applications must use it). Create a new web site and assign the new web site the virtual IP address of the cluster. The home directory path of the new web site should point to a new home directory (similar to the inetpub\wwwroot directory) on the shared storage device. Assign the domain IUSR account to the new web site properties within the Internet Service Manager.
In addition, grant read rights to the new NTFS directory for the domain IUSR account.

Overview of the eRoom installation in a clustered environment

1. Follow any pre-installation instructions in Appendix A: Upgrading from eRoom 6, on page 1, in this manual.
2. Before installing eRoom, verify that the Cluster Service is running and that a Cluster Group containing the shared disk resources has been created.
3. Install eRoom on the first node. Ensure that node 1 is the active node. When prompted during the install, place all eRoom program files and data on a logical drive on the shared storage drive. Do not place eRoom or IIS files on the Quorum drive/partition. Since eRoom is not completely installed until it is installed on both nodes, you don’t create the initial facility until the second node is installed.
4. Install eRoom on the second node. Move the cluster group from the first node to the second node. Install eRoom on node 2 again. You are not prompted for the location of eRoom files, since you already entered information during the first node install. The eRoom install now creates a facility with an initial set of eRooms. Once the eRoom installation is complete, you can move the cluster group back to the first node.
5. Ensure that IIS and eRoom services are started.
6. Verify that the web site on which eRoom is installed is started (within the IIS Admin console).

Applying eRoom maintenance releases to the cluster environment

1. Install eRoom 7.x on the active node 1.
2. Move the cluster group to node 2 and install the eRoom maintenance release there as well.
3. Move the cluster group back to node 1.

NOTE: The eRoom install needs access to the shared storage and must be applied to the active node.
Keep in mind that the eRoom program files and data are on the shared storage.

Adding a failed web or database cluster node back to the cluster

Adding an eRoom web server back to the cluster

1. Rebuild the failed node. This includes the hardware, operating system, and service/security packs.
2. Install SQL 2000 Client network utility and reboot.
3. Run the cluster service setup and add the failed node back to the existing eRoom cluster.
4. Copy the c:\winnt\cluster\ercluster.dll to the failed node in the same directory path.
5. Run the following from a command line to synchronize the active node IIS configuration to the passive node. Navigate to the c:\winnt\system32\inetsrv\ directory. Run: iissync firstnode secondnode (where firstnode and secondnode are the server names of each node).
6. Move the cluster group to the newly rebuilt node.
7. Remove the eRoom Resource listed within the Cluster Administrator UI. (Note: the resource type will still exist; you are only deleting the eRoom Resource via the UI).
8. Install eRoom application on the newly rebuilt node. (This install should pick up the directory locations automatically and “convert” existing facilities).
9. Test eRoom access, creating facilities, and failover.

Adding a Microsoft SQL Server 2000 back to the cluster

Microsoft SQL Server Enterprise Edition installs Microsoft SQL Server executables and program files on both nodes. If the active node fails, you can find directions to rebuild the node and add it back to the cluster within Microsoft SQL Server Books Online (BOL). The basic process is as follows:

1. Run the Microsoft SQL Server setup program.
2. Remove the failed node from the configuration.
3. Repair the node.
4. Run Setup program again. When you add that node back into the Microsoft SQL Server 2000 configuration, Microsoft SQL Server reinstalls and reconfigures itself appropriately.

Additional resources

■ Microsoft Support Policy for Server Clusters (includes: SANs and Geographically Dispersed Clusters): http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309395
■ Microsoft: Step by Step Guide to Installing Cluster Service: http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp
■ Microsoft: Microsoft Cluster Server General Questions: http://www.microsoft.com/NTServer/Support/faqs/clustering_faq.asp
■ Frequently Asked Questions - SQL Server 2000 - Failover Clustering: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q260758
■ Installation order for SQL Server 2000 Enterprise Edition on Microsoft Cluster Server: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243218
■ Recommended private "Heartbeat" configuration on a cluster server: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q258750

Also see Microsoft SQL Server Online Books for more information on Microsoft SQL Server Clustering.

Appendix F: Troubleshooting Web Publisher

Problem: When attempting to import a file from Content Server into eRoom, Web Publisher files and folders fail to appear.
Troubleshooting steps:
■ Verify that you have correctly installed eRoom version 7.2 or later. Versions prior to 7.2 do not display Web Publisher files and folders.

Problem: When attempting to check out a Web Publisher file from eRoom, you receive the error, “Web Publisher is not installed on the eRoom Server”.
Troubleshooting steps:
■ Verify that Web Publisher has been installed on the eRoom server. Note: Web Publisher does not need to be running on the eRoom server.
■ Verify that the Class Path system environment variable contains the fully qualified path and filename for wcm.jar (typically located in ...\program files\documentum\shared).

Problem: When attempting to check out a Web Publisher file from eRoom, you receive the error “The eRoom-to-WCM connector service is not installed”.
Troubleshooting steps:
■ Verify that there is a copy of the file eroom.jar located in the eRoom 7 installation directory (typically ...\program files\eRoom Server 7).
■ Verify that the Class Path system environment variable contains the fully qualified path and filename for wcm.jar (typically located in c:\program files\documentum\shared).
■ Verify that the Class Path system environment variable contains the fully-qualified path and filename for eroom.jar.

Problem: When right-clicking on an eRoom item linked to a Web Publisher file and choosing “Go to Content Server...”, an error dialog appears with an error similar to this: “JumpOperation: failed to initialize form: InvokeMethod() failed while calling: onInit This startupAction:search is not properly defined. Cannot execute”.
Troubleshooting steps:
■ Verify that you have correctly completed the instructions in this manual for setting up eRoom Enterprise to work with Web Publisher (see “Additional Procedures for eRoom Enterprise” on page 2-5).

Appendix G: Integrating eRoom 7 with RSA SecurID Authentication

eRoom’s native support for RSA SecurID Authentication enables project teams from across the extended enterprise to safeguard access to their business-critical intellectual property managed within eRoom collaboration spaces. This appendix describes how to implement the RSA SecurID/eRoom integration.

Agent host configuration

To facilitate communication between the eRoom 7 server and the RSA Authentication Manager v6.1 / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the eRoom server within its database and contains information about communication and encryption.

To create the Agent Host record, you need the following information:

■ Host name of the eRoom server
■ IP addresses for all network interfaces

When adding the Agent Host Record, configure the eRoom server as a “Communication Server.” The RSA Authentication Manager uses this setting to determine how to communicate with the eRoom server.

NOTE: Host names within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.

Authentication Agent configuration

Before you begin

This section provides instructions for integrating EMC Documentum eRoom 7 with RSA SecurID Authentication. In order to perform the tasks in this section, you should have working knowledge of all products involved, the ability to perform the tasks, and access to the product documentation for all the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. The following procedures are not intended to suggest optimum installations or configurations.

RSA SecurID Agent configuration (on eRoom server)

On the Authentication Manager Server, locate the file named “sdconf.rec” in c:\windows\system32. Copy this file to the same directory on the eRoom server (c:\windows\system32).

Next, install the RSA Authentication Agent 6.1 on the eRoom server. During the installation, select a custom installation and make sure that only the Local Authentication Client (LAC) component is checked.

When prompted, enter the location of the sdconf.rec file from your primary RSA Authentication Manager server (c:\windows\system32), and choose the install location. For now, choose to configure authentication later and perform the installation.

Reboot the eRoom server and navigate to the newly installed RSA Agent (Start > Program Files > RSA Security).

Now, perform a test authentication request to the Authentication Manager Server by navigating to Authentication Test, Direct Authentication Test. The username and token records must already exist or be created with the Authentication Manager prior to performing this test.

If the Authentication Test is successful, continue to the eRoom server configuration. Otherwise, troubleshoot the connectivity between the eRoom server and the Authentication Manager Server before proceeding. One common reason the test may fail is if the RSA Auth Mgr Authentication Engine Service is not started on the RSA Authentication Manager Server.

eRoom 7 server configuration

The eRoom server relies on installation of the RSA Authentication Agent for RSA SecurID Authentication support. After the RSA Agent has been installed and the Authentication Test has succeeded, log in to the eRoom server as an administrator. Navigate to the Passwords page of eRoom Site Settings page.

At the bottom of the Passwords page, the SecurID option is enabled. Specify the members who must authenticate with SecurID: All or Selected Members. Click to open the member list of the SecurID member group, where you can add members to or remove members from that group.

After you apply any change, if All is selected, then all users must use SecurID to authenticate access into eRoom. If only Selected Members are added to the SecurID member group, then only those members in the group must use RSA SecurID to authenticate into eRoom.