Server Manager -> Start -> Administer Application Servers -> Application Servers -> Select Application Server -> Edit Settings
Edit Application Server Settings
In the Edit Application Server Settings dialog window, you define essential settings for log files, e-mail notification processing, and asynchronous processes, as well as other settings such as SSL encryption, HTTP port, escalation procedure, and session time-out.
If you received a new license key, it can be entered here. You can also obtain additional information about the number of licenses.
If your Internet connection is set up through a proxy, the proxy server area allows you to enter the required settings. This allows you to check the URLs defined in the project that refer to external links.
1. Edit the settings.
E-mail notification
Use default virtual SMTP server - Select this check box if you want to use the default server.
Name/IP of mail server - Enter the IP address or host name of the mail server that you want to use for the e-mail notification.
From - In this box, enter your name as it should appear with outgoing messages. It can take the form of an e-mail address or server name. For example:
[email protected] or company.com.
User name, Password - Enter the account name and the password that your Internet service provider has given to you for accessing the SMTP.
Port - Enter the port of your mail server.
License
License key - This shows the license key that was entered during installation. If you have a new license key, follow the steps below:
1. Enter your License key.
2. Click OK to confirm.
Check - Click this link to open a dialog window that will inform you about available licenses and their validity. If the current application server is part of a cluster, this link is available for one application server only.
Asynchronous processes
Query interval - Here you can enter the interval (in seconds) of how often the application server should search the database server for new asynchronous processes waiting to be completed. The default setting is 60 seconds.
Number of simultaneous processes - Here you can define how many simultaneous asynchronous processes this application server should accept.
Select one of the following settings:
-1 = The application server is allowed to start any number of processes.
Administering Application Servers Editing Connections
0Server Manager05/2009
0 = The application server is not allowed to start any processes.
1 - 500 = Insert the number of processes (max. 500) that may be performed simultaneously on the application server.
Log file settings - Decide here which events should be logged and where the log files are to be saved.
Home directory - Enter the path for the home directory of the log files. In this home directory, subfolders are automatically created for the individual log files when the first log file is written. You can enter a path on the application server or the UNC path of another accessible computer. If you do not enter a path, the log files are written to the default log directory, <Installation directory>\Open Text\WS\MS\ASP\LOG. Changes to the directory path become effective as soon as you close the dialog window.
Note:
In a cluster installation, different physical directories must be entered for each server. Because the installation log files are created before Management Server is started, they are always found in the default log directory. The same applies to the dberror.log log file in the Common subdirectory.
User name - Enter the user name that you use to log on to the server where the log files are to be saved.
Password - Enter the password for the user name.
No logging - Select this option if you do not want any events to be logged.
Full logging - Select this option if you want to log all events.
Other settings
Permit ActiveX controls - Select this check box to allow ActiveX controls. You also need to enable ActiveX controls in Internet Explorer under Tools -> Internet Options -> Security. ActiveX controls are used for the following functions:
The drag-and-drop operation in the text editor
For more information, see the Text Editor section in the SmartTree documentation or Help.
The drag-and-drop operation in SmartEdit
For more information, see the Editing Content Elements chapter in the SmartEdit documentation.
Using Microsoft Word as the text editor
For more information, see the Editing Content Elements chapter in the SmartEdit documentation.
Refresh task alert - Use the drop-down list to define when the task alert is refreshed: Never, Only the current language variant, or All language variants. By default, the task alert is refreshed every four minutes.
Every time the task alert is refreshed, the system searches the database for tasks that are assigned to the particular user. This process generates a load on the application server and the database server. This load increases with the number of users and the number of language variants that have been set up. The administrator can reduce this load by completely eliminating the process or limiting the search to only tasks in the current language variant of the user.
Do not allow profile changes - Select this check box to prohibit users from changing their profiles during the logon procedure. If selected, the logon menu will not display the Edit profile after logon check box. For application servers in a cluster, this setting only applies to the current application server. This allows you to selectively activate this function for specific application servers in a cluster.
Only permit logon using SSL encryption - Select this option to specify that logon to the application server must use SSL encryption.
Stop SSL encoding after logon - The virtual directory can be secured completely or partially by the SSL (Secure Sockets Layer). SSL is not provided with Management Server. It can be purchased from an appropriate supplier. Determine whether or not SSL encoding is applied only during logon to the application server.
HTTP port - Management Server requires this port specification in order to find the correct port when changing from HTTPS to HTTP. The default port is 80. If this port cannot be accessed, you will not be able to change to HTTPS.
HTTPS port - HTTPS is a secure version of the generally applied HTTP. The default port is 443.
Checking interval for asynchronous workflow reactions - Here you can define the interval for checking workflow reactions such as the escalation interval or automatic page expiration. The default setting is 30 minutes.
Session-Timeout - Enter the number of minutes that should elapse before a session times out. The default setting is 70 minutes. If several application servers are organized into a cluster, this value applies to the entire cluster.
RDExecute-Timeout - Enter an interval in seconds. The timeout takes effect in the execution of server-side script code. The default setting is 10 seconds. If you enter a value lower than 10 seconds, the value of 10 is saved automatically.
PreExecute-Timeout - Enter an interval in seconds. The timeout takes effect in the execution of active templates. The default setting is 10 seconds. If you enter a value lower than 10 seconds, the value of 10 is saved automatically.
Private digest element - Enter the private section of a digest which was created with the MD5 algorithm. This is only necessary if, for example, you want to enable authentication for a portal integration using a digest. For more information, see the information box below.
Validity of digests - Enter a validity for the digest in minutes. For more information, see the information box below.
HTTP Proxy server - Select this check box if you intend to use a proxy server.
Proxy server - Enter the name of the proxy server you intend to use.
Proxy server port - Enter the designated port of the proxy server.
Use external PDF converter - Select this check box if you intend to use an external PDF converter for Word, Excel, and PowerPoint files. If Use external PDF converter is selected, the Insert into page as HTML option will no longer be available for Convert selected documents item in the element properties of a Media Element dialog window. The files to be converted are added to the preconversion directory and then converted by the external converter. Once the converted file lands in the Conversion directory, the PDF file is adopted in Management Server. Depending on your settings, the source file is deleted from the preconversion directory and the converted file is deleted from the conversion directory.
Conversion input directory - Enter the path to the preconversion folder.
Conversion output directory - Enter the path to the conversion folder.
After converting file delete it from preconversion folder - Select this check box if you want to delete the files contained in this directory after they have been converted.
After converting file delete it from conversion folder - Select this check box if you want to delete the files contained in this directory after they have been converted.
Automatic user log on.
IIS authentication - Select this option to allow user logon with IIS authentication.
For more information, see the information box below.
Activate logon via a saved cookie - You can control user logon by using saved cookies.
Length of validity of cookies in hours - Enter the length of time that a cookie should be valid (in hours).
Cookie name - Enter the name of the cookie.
2. Click OK to confirm.
Notes on IIS Authentication
Management Server can also make use of the logon information provided for a Windows user, which means that no additional logon is required.
Setting Up IIS Authentication
Configure the following settings:
1. Open Internet Information Services on your application server.
2. Open the CMS folder under Default Web Site.
3. Open the shortcut menu for the WinAuth subfolder and select Properties.
4. Select the Directory Security tab and click Edit in the Control anonymous access and authentication area.
5. Clear the Anonymous logon check box and, depending on the situation in your network, select one of the check boxes for Authenticated Access.
If default settings are valid for this directory during installation, the modification is executed by the installation routine.
Access Violations on RDCMS_XMLServer COM+ Component
Access violations may occur when accessing the COM+ component RDCMS_XMLServer because once authentication via IIS is complete, all ASP pages are authenticated using the authenticated user's identity. You have the following options to correct this situation:
Deactivate Windows authentication in IIS for the CMS directory
You can clear all of the check boxes for the virtual IIS directory CMS in the Authenticated Access area and just allow anonymous access. This means that the user (after authentication against IIS) makes use of the anonymous user identity.
If default settings are valid for this directory during installation, the modification is executed by the installation routine.
Extend access authorizations
Add users or groups to the RedDotRole for the components. Add the users/groups that are able to log on using IIS authentication.
Deactivate the access test for this COM+ component
To deactivate the access test for this component, call up the component properties, select the Security tab, and clear the Enforce access check for this application check box in the Authorization area.
Notes on Configuration in Management Server
Select IIS authentication in the application server settings in Server Manager.
Authentication also works for users from the internal account system.
When importing users from other directory services, you can determine whether you want to allow IIS authentication for them. IIS authentication is permitted by default.
Circumventing IIS Authentication
IIS authentication can be deactivated by adding the DisableAutologin=1 parameter to the URL. The logon dialog URL would then look like this:
http://servername/cms/ioRD.asp?Action=ShowLoginMask&DisableAutologin=1
Notes on Integrations
Because this method of authentication does not use passwords, it is not recommended. Otherwise, care must be taken when integrations, for example, require user name and password authentication.
Identical Users in Different Domains
Management Server cannot differentiate between users with the same names in different domains. This means, for example, that two users could log on to Management Server with the same user name. In such a case, you need to deactivate the logon authentication via IIS for both users.
Using IIS Authentication from Outside the Domain
If domain users use Windows sessions outside the domain to log on and authenticate against IIS, their Internet Explorer session will become a domain session. If the computer is left on after working with Management Server without closing Internet Explorer, other users can use the logon information of the first user by calling up the Management Server URL. Users who have identified themselves in this manner need to ensure that no unauthorized access is initiated. If this is not possible or this is perceived as a security risk, IIS authentication logon from outside the domain should not be used. In this case, the simpler direct Management Server logon should be used instead.
User Authentication Using a Digest
It is possible to identify and authenticate a user in Management Server using a digest that was created with the MD5 algorithm. This authentication method can be used for portal integrations. Authentication requires three steps:
1. The portal integration sends a digest to Management Server as part of a URL.
2. Management Server checks the authenticity of the digest.
3. If the digest is correct and valid, the user is logged on to Management Server.
Step 1: The portal integration sends a digest to Management Server as part of a URL
The portal has to include the digest in the URL that opens the required page in Management Server. In the following example of a URL for editing a page in SmartEdit, the Digest parameter is required for authentication:
http://<application server>/cms/ioRD.asp?Action=ShowLoginMask&LngId=EN&
Structure of the body of the digest
The digest body comprises several elements, which have to be separated by pipe (|) characters. The body of the digest contains the digest created by the portal integration, as well as three significant elements. These are the user name (Loginname), the time stamp (Timestamp), and the GMT time bias (TimeBias). There may be any number of elements between the logon name and the time stamp, to increase the variance of the digest. The digest does not transmit any passwords.
Because the pipe character is used as a separator for the various digest elements, the digest elements must not contain this character.
An overview of the body of the digest:
Loginname|...|Timestamp|TimeBias|Digest
Loginname
No particular formatting rules apply to the logon name. The only rule is that the pipe character (|) is not allowed.
Timestamp
Format: yyyymmddHHnnss (YearMonthDayHourMinuteSecond).
The year must be entered as a four-digit number, all other values as two-digit numbers. The time must be entered in 24 hour format.
Example: 20050829145501 to obtain the time stamp 2005-08-29 14:55:01
TimeBias
Format: [+/-]HH:nn (SignHour:Minute).
The plus or minus sign must be entered. All numeric values must have two digits. The time must be entered in 24 hour format.
Example: +13:00
Digest
The digest must be entered as a hexadecimal number. All letters must be upper case, and all numeric values must have two digits.
Example: 7C072DE6355A81B976CE9AC32A
Step 2: Management Server checks the authenticity of the digest
To check the authenticity of the digest, Management Server creates another digest. It uses all characters in the digest body transmitted, except for the digest from the portal and the pipe that precedes it. Management Server adds the pipe character and the private section of the digest to determine the digest. You enter the private section of the digest in the application server settings, in the Private digest element box. If the digest determined matches the digest from the portal, the time stamp is used to check the age of the digest. The digest is valid if the age is less than the value specified in the Validity of digests box.
Step 3: If the digest is correct and valid, the user is logged on to Management Server
If a valid digest and a valid Management Server logon name are transmitted, the user is logged on and directed to the page specified. No further authentication in Management Server is required (logon dialog, cookie authentication etc.). If there is no free user session, the user session that has been inactive for the longest time is used.
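The three steps above, written out as an added Python example (not code from Management Server or its documentation): the portal side builds the digest body and the server side recomputes the digest and checks its age. The UTF-8 encoding, the reading of Timestamp as local time offset from GMT by TimeBias, the rejection of future time stamps, and all function names and sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def compute_digest(signed_part, private_element):
    # MD5 over "<signed part>|<private element>"; UTF-8 encoding is an assumption.
    data = f"{signed_part}|{private_element}".encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()  # upper-case hex, two digits per byte

def bias_delta(bias):
    # Parse TimeBias in the [+/-]HH:nn format.
    if len(bias) != 6 or bias[0] not in "+-" or bias[3] != ":":
        raise ValueError("TimeBias must look like +HH:nn")
    sign = 1 if bias[0] == "+" else -1
    return sign * timedelta(hours=int(bias[1:3]), minutes=int(bias[4:6]))

def build_body(login, extras, issued_utc, bias, private_element):
    # Portal side: Loginname|...|Timestamp|TimeBias|Digest
    fields = [login, *extras]
    if any("|" in f for f in fields):
        raise ValueError("digest elements must not contain the pipe character")
    local = issued_utc + bias_delta(bias)  # assumption: Timestamp is local time
    signed = "|".join([*fields, local.strftime("%Y%m%d%H%M%S"), bias])
    return f"{signed}|{compute_digest(signed, private_element)}"

def verify_body(body, private_element, validity_minutes, now_utc):
    # Server side: return the logon name if the digest is authentic and fresh, else None.
    if body.count("|") < 3:
        return None
    signed, sent = body.rsplit("|", 1)  # drop the portal digest and the pipe before it
    expected = compute_digest(signed, private_element)
    if not hmac.compare_digest(expected.encode(), sent.encode()):  # constant-time compare
        return None
    fields = signed.split("|")
    try:
        local = datetime.strptime(fields[-2], "%Y%m%d%H%M%S")
        issued = (local - bias_delta(fields[-1])).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    age = now_utc - issued
    # Rejecting timestamps from the future is an added hardening choice.
    if age < timedelta(0) or age >= timedelta(minutes=validity_minutes):
        return None
    return fields[0]

if __name__ == "__main__":
    PRIVATE = "constructed-private-element"  # constructed sample value
    issued = datetime(2005, 8, 29, 1, 55, 1, tzinfo=timezone.utc)
    body = build_body("jdoe", ["portal-7"], issued, "+13:00", PRIVATE)
    print(body)
    print(verify_body(body, PRIVATE, 10, issued + timedelta(minutes=5)))   # fresh
    print(verify_body(body, PRIVATE, 10, issued + timedelta(minutes=11)))  # expired
```

A digest body stays acceptable for the whole validity window, so a captured URL can be reused until it expires; a short Validity of digests value and HTTPS for the logon URL limit that exposure.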
Changing the License Key
When you change the Management Server license key, all the modules and roles assigned to users are checked and updated. If the number of licenses has been reduced for a specific module, the module assignment is adapted accordingly.
Example: Ten users have been assigned the SmartTree module. The new license key contains only four SmartTree licenses. Thus, six of the ten users will no longer be able to use the SmartTree module. Their project roles will be adjusted accordingly.
Management Server checks each user ID to determine whether a user is allowed to keep his or her module, starting with the user who has the lowest level user ID.
Administrators with the Server Manager option can change this automatic assignment.
Escalation Requirements
To ensure that the escalation will work properly, the following requirements must be met:
An e-mail (one or more) must be set up as the escalation reaction to the release level in the workflow.
A time must be set in the workflow reaction of the respective release level that applies to the escalation reaction.
In the Task Manager, check whether the GenDispatcher has started.
If you now create or edit a page and submit it to the workflow, the page will be submitted for release according to the usual workflow. If the page is not released within the set time limit (escalation time in hours), the escalation reaction is triggered and e-mail is sent out. The procedure is repeated in accordance with the specified escalation interval.
The escalation procedure depends on the value that was configured in Server Manager under Checking interval for asynchronous workflow reactions. When the escalation procedure is set to one hour for the workflow reaction and the checking interval for the server is 120 minutes, it results in a query as to whether the escalation procedure should be set to 120 minutes. If necessary, change the server settings according to the desired escalation procedure.
Configuring ActiveX Controls in Internet Explorer
To configure ActiveX controls in Internet Explorer, select Extras -> Internet Options -> Security -> Custom Level for the Local intranet.
1. Edit the following settings for ActiveX controls and plug-ins:
1. Enable the option Script ActiveX controls marked safe for scripting.