SUNGARD SUMMIT 2007 | sungardsummit.com 1
A Community of Learning
Managing Your Workflow System
Presented by: Michael Brzycki, SunGard Higher Education
March 20, 2007 Course ID 650
Introduction
• Topic:
• Learn how to leverage and manage the different technical capabilities of Workflow
• Agenda:
• Architecture
• Access Control
• Core Integration
• High Availability
Workflow Architecture
Requirements Deployment Architecture Key Components
Multi-Tier Architecture
[Diagram: Browser; Oracle Application Server with HTTP Server (Apache) and Oracle Containers for J2EE (OC4J_Workflow); Workflow Engine; Banner; SQL Database; E-Mail Server; Luminis Web Portal]
Oracle Http Server (OHS) Component
• Apache Web Server
• Handles http or https requests coming from Web Browser or Web Service before delegating to OC4J_workflow instance.
• Mod_oc4j
• Apache Module for delegating requests to OC4J J2EE container
• Can delegate to multiple OC4J instances if cluster present
Oracle Container For Java (OC4J)
• J2EE Container
• Enterprise Java beans
• Presentation Logic
• JSPs / Servlets
• Http Sessions
• Workflow Administration Logic
• Automatic Activity Execution
Workflow Engine
• Polls for External Events
• Instantiates new Workflows
• Routes work items to worklists
• Performs workflow and work item life cycle changes
configuration.xml
• Core configuration file for Workflow
• Data Sources
• E-mail Server
• # of connections
• Port Settings
• Deployment names
• Web Protocols
• Log Settings
• Gets stored in the database during deployment
• Need to update configuration upon any changes and restart any running oc4j and workflow engine instances
Bootstrap Files
• A bootstrap file contains administrative data that is normally stored in the database (such as users, roles, workflow definitions) but can be exported in a convenient file archive
• Use bin\export and bin\import to create and push workflow administration data from one system to another
• Use bin\extractwd for extracting a single workflow definition and its dependent objects from an exported bootstrap file
Access Control
Authentication Authorization
Authentication
• Workflow supports several authentication options to provide Single Sign On (SSO) with key integrations.
• Workflow Authentication – The users and their passwords are stored internally within the Workflow application.
• External Authentication – Allows an external source to be put in place to validate a user password.
• Can have both Workflow Authenticated and Externally Authenticated Users.
External Authentication
• Types of External Authentication
• LDAP Authentication – This method allows the user name and password to be authenticated by an LDAP server.
• Required for Luminis integration.
• Disables ability within Workflow to change passwords and puts the ownership of passwords in the LDAP server.
• Banner Authentication – This method of authentication allows the user name and password to be validated against the Banner database.
• Desirable when using password expiration with Banner and not using Luminis.
• Disables ability within Workflow to change passwords and puts the ownership of passwords in the Banner database.
External Authentication Setup cont’d
• A user account that is to be authenticated via an External Authentication source must have “External Authentication” enabled with the user account name entered below it. By default, the same workflow logon id is used.
• Example from
Example: Luminis SSO (4.3)
• Edit the LDAPMappingAuthenticator properties in configuration.xml to map to the LDAP server host location and LDAP configuration
• Edit the accounts of all workflow users with Luminis accounts to externally authenticate using Luminis IDs
<ExternalAuthentication enabled="true">
  <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
  <Properties>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389"/>
    <Property name="parent.dn" value="ou=People,o=myschool.edu, o=cp"/>
    <Property name="rdn.attribute" value="uid"/>
  </Properties>
</ExternalAuthentication>
Authorization
• Workflow functionality is guarded by Security Groups and Role Assignments.
• For an end user to view or manipulate a Workflow object, the user must have an effective Role authorized for the Security Group which grants access.
• Example:
• ug_admin_bcc → Business Component Access
• ug_admin_events → Business Event Access
• ug_admin_roles → Role Management Access
Workflow Organizations
• As of Workflow 4.3, Role assignments carry a required Organization property that restricts the objects which the user has access to
• Organizations are defined under Workflow System Administration
• May map to a department or an Institution (under MIF)
• Organizations allow us fine-grained control to share or hide Workflow objects between different sets of users
Authorization Example
• For example, Security group ‘ug_admin_modeler_read’ grants access to view workflow definitions in the Workflow Modeler
• In order to have access to open the modeler and view workflow definitions in the Admissions department:
• Ensure role is authorized for the security group
• In Security Management, add Role Authorization ‘Coordinator’ to ‘ug_admin_modeler_read’
• Assign the user to the role at the organization
• In Role Management, add a user assignment for ‘jsmith’ to the role ‘Coordinator’ at the organization ‘Admissions’
Authorization Considerations
• Use wfroot (super user) sparingly
• Setting up Organizations
• Command line tools
• Give users/roles enough privileges to do their job and no more
• For Multiple Organizations
• Decide if business processes will be administered by a central team or by local department leads
• Establish Business Analysts and Administrators for each Banner MIF institution
• Business Analysts and Administrators need access at Root in order to modify global objects
• Business Components
• Business Events
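The two-step check from the Authorization Example, together with a review for grants beyond what a job needs, added here as a simplified model and not the product's code. The user 'mlee', the 'Administrator' role, the NEEDED baseline and the exact-match handling of organizations are assumptions.

```python
from collections import defaultdict

# Constructed sample data mirroring the slide's example; 'mlee', the
# 'Administrator' role and the Root assignment are made up for illustration.
ROLE_AUTHORIZATIONS = {            # security group -> roles authorized for it
    "ug_admin_modeler_read": {"Coordinator"},
    "ug_admin_roles": {"Administrator"},
    "ug_admin_events": {"Administrator"},
}
ROLE_ASSIGNMENTS = [               # (user, role, organization)
    ("jsmith", "Coordinator", "Admissions"),
    ("mlee", "Administrator", "Root"),
    ("mlee", "Coordinator", "Admissions"),
]
# Hypothetical baseline: the grants each user needs to do their job.
NEEDED = {
    "jsmith": {("ug_admin_modeler_read", "Admissions")},
    "mlee": {("ug_admin_modeler_read", "Admissions")},
}


def effective_access(authorizations, assignments):
    """Join the two relations: user -> {(security_group, organization)}."""
    groups_by_role = defaultdict(set)
    for group, roles in authorizations.items():
        for role in roles:
            groups_by_role[role].add(group)
    access = defaultdict(set)
    for user, role, org in assignments:
        for group in groups_by_role.get(role, ()):
            access[user].add((group, org))
    return dict(access)


def is_allowed(access, user, group, org):
    """Both steps must hold: the role is authorized for the group, and the user
    is assigned to that role at this organization (exact match in this model)."""
    return (group, org) in access.get(user, set())


def excess_grants(access, needed):
    """Grants held beyond the baseline, sorted for stable review output."""
    return {user: sorted(grants - needed.get(user, set()))
            for user, grants in access.items()
            if grants - needed.get(user, set())}


if __name__ == "__main__":
    acc = effective_access(ROLE_AUTHORIZATIONS, ROLE_ASSIGNMENTS)
    print(is_allowed(acc, "jsmith", "ug_admin_modeler_read", "Admissions"))
    print(excess_grants(acc, NEEDED))
```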
Core Integrations
Event Posting Data Retrieval via Automated Activities E-mail
Workflow Events
• Events are SIGNALS to workflow to do something
• Table Updates = Workflow Events
• Events may carry Information
• Keys for later primary key lookup
• Data for evaluating event guard conditions
• Department or MIF codes
Recipe for Creating an Event
• Define the Event in Banner
• Define the Event in Workflow (Event Wizard)
• Add a database trigger to fire the event to workflow
• Gokparm.sendParameterList( name, parameters )
DECLARE
  v_Params gokparm.t_parameterlist;
BEGIN
  ...
  Gokparm.Send_Param_List('APPLICATION_SUBMITTED', v_Params);
  ...
END;
Event Guards
• You may not want to fire a workflow on every update to Student Admissions (SARCHKL)
• Place a guard (if condition) in the trigger starting the event
• Fine if only a single workflow is mapped to event
• Define an Event Guard Condition in Workflow
• Each workflow to event association may have its own guard condition
• Sufficient Event Parameters Must Be Provided
• Check a decision early in the workflow to stop the process if necessary.
Working with Events
• Events may be generated manually via the “Simulate Event” button in Workflow (useful during modeling)
• Event failure may arise when required Event Parameters are omitted or when the event is not adequately mapped to an effective Workflow Model
• Failed events may be Replayed
• Event processing may be temporarily disabled (useful during maintenance)
• Configuration.xml (enabled flag)
<EventDispatcher>
  <EventProvider
    name="Banner W-Event Provider #1"
    classname="com.sct.workflow.engine.externalevent.provider.BannerTableExternalEventProvider"
    enabled="true">
Data Retrieval via Automated Activities
• Retrieve Additional Information from the Banner DB or any other DB with internal SQL Automated Activities
• Fetched data is mapped into context parameters and may be used as part of our e-mail notification.
Automated Activities
• Three kinds of Automated Activities
• Automated Stored Procedure
• Automated SQL Query
• External Automated Activity (ex. Perl Script)
• Launch Parameters and Parameter Mappings are used to share information between an activity and a workflow
Creating the Get_Applicant_Details Activity
• Formulate your query
• Register the query as a Business Component
• Associate the Business Component to Activity Definition Step in the Workflow Model
SQL Query vs. Stored Procedure
• SQL Query
• Queries only
• Quick to Make
• Possibly done by Business Analyst
• Stored Procedure
• Pre-compiled
• Can perform Updates
• Complex operations
• Requires IT resource
Data Sources
• Configuration Wizard is used to set up the initial Banner Automated Activity Data Source
• You can add additional Data Sources by editing the configuration.xml and tying to a Product Type
• Data Sources may be used to segregate access, refer to other Oracle databases, and even access non-Oracle (ex. SQL Server) databases via JDBC-ODBC driver
<DataSources>
  <DataSource name="MyDatabase">
    <Url>jdbc:oracle:thin:@localhost:1521:mydb</Url>
    <Username>wombat</Username>
    <Password>appler0cks23</Password>
  </DataSource>
  …
• Send notifications with built-in E-mail Activity
• Works with any SMTP compliant Mail Server
• Configuration is defined during installation
• Configwizard
• Workflow Context Parameters can be used in any of the e-mail parts (to, from, subject, body, etc)
E-mail Alerts
• Allow alerts to be raised and processes halted when the system has failed to send a notification on behalf of an e-mail activity
• During workflow modeling, set the e-mail failure response to either:
• Ignore (default) – simply log error in workflow log file and continue processing to next activity in workflow
• Warn – to publish an information Alert but continue processing to next activity in workflow
• Stop – to publish an alert and suspend the current workflow thread
E-mail Alerts continued
Note: An e-mail is considered successfully sent if all the recipient addresses are well formed and the e-mail server accepts the message. It is not a
High Availability and Failover
Clustering Concepts Oracle Application Server Clustering Workflow Engine Clustering
Clustering
• Cluster: a group of servers and other resources that act like a single system and enable high availability and, in some cases, load balancing and parallel processing
• Allows for Failover
• Promotes scalability
• Both the Oracle Application Server and the Workflow Engine may be clustered
Managed Clusters in Oracle Application Server
• Set up cluster using Application Server Control (Enterprise Manager) or command line tools
• In Oracle 10.1.2 (R2), must create Farm first
• Create cluster
• Create OC4J instance
• Deploy workflow ear from application server control interface
• Configure Load Balancer
• Cluster configuration storage
• 10.1.2 (R2)
• File-based or Oracle Infrastructure
• 10.1.3 (R3) (Future support with pending 4.4)
Some Load Balancer Options
• Hardware Load Balancer
• More reliable in practice
• Multiple Http Servers avoid yet another single point of failure
• Route based on IP address, etc.
• Software Load Balancer (mod_oc4j)
• Easy to set up / inexpensive
• Single Http Server (Apache) dispatching to multiple OC4J instances
Hardware Load Balancer
[Diagram: Browsers; Hardware Load Balancer; two Oracle Application Server nodes, each with HTTP Server (Apache) and Oracle Containers for J2EE (OC4J_Workflow)]
Software Load Balancer (mod_oc4j)
[Diagram: Browsers; one Oracle Application Server with HTTP Server (Apache) and mod_oc4j; two Oracle Application Server nodes, each with Oracle Containers for J2EE (OC4J_Workflow)]
Additional Oracle App Server Set-up Tips
• Do not refer to ‘localhost’ in Workflow’s configuration.xml or configwizard
• Absolutely keep the time clock on all server nodes synchronized to the exact same time of day!!!
• Each member of a cluster must be on a common OS (R2)
• Make changes to cluster and configuration files using Application Server Control (Enterprise Manager) as much as possible
• Keep OPMN in sync
Workflow Engine Clustering
• Increases scalability and failover for areas of the system that deal with core workflow instance and event handling
• Basic Recipe:
• Add new engine instance in configuration.xml using configwizard
• Copy engineinstaller.jar from workflow home to target server and directory location
• Extract contents (jar xf engineinstaller.jar)
• Install (java -jar engine.jar -install)
• Start new engine (bin/startengine)
Multiple Engine Set-up Tips
• Possible to run multiple engines on single server
• Edit configuration.xml to have multiple engine configs
• For example, main and main2
• Use different ports for each engine configuration
• If you change the Workflow datasource properties, you will need to roll out a new engine installer.
• Any other changes to configuration.xml simply require a restart
• (Again) Absolutely keep the time clock on all server nodes synchronized to the exact same time of day!!!
• No load balancer – engine nodes cooperate with each
Advanced Integrations
Luminis Integration MIF Enabled Banner Custom or Third Party Integration
Luminis Integration
• Workflow provides three channels for inclusion in your portal home page
• Worklist channel for work item notification
• Shortcuts channel to starting workflows manually
• Alerts channel for process administration
• Single Sign On for seamless traversing
• Luminis Look and Feel
Workflow Luminis Channels
Workflow Channel Suite
• Worklist
• Shortcuts
Integrated Workflow-Luminis Tab
Full Product immersion via Tabbed Interface
• Single Sign On
Connecting Workflow and Luminis
• Enable Luminis Integration and External Authentication
• configuration.xml
• Luminis ldap server
• Deploy the Workflow Channel stub
• wftool car
• Copy workflow.car to Luminis cars directory
• Register the workflow system with Luminis
• configman -i workflowCar.properties
One more thing on setting up Luminis SSO
• Edit the LDAPMappingAuthenticator properties in configuration.xml to map to the LDAP server host location and LDAP configuration
• Point to same LDAP server (internal or external) that Luminis uses
• Define search.user and search.password if not accessing LDAP server anonymously
• Most support calls trace back to the parent distinguished name or the search user authentication to the LDAP server not being set correctly
• Configuration properties will change slightly in pending 4.4 to accommodate changes with Luminis IV
<ExternalAuthentication enabled="true">
  <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
  <Properties>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389"/>
    <Property name="search.user" value="uid=wfsearcher,o=myschool"/>
    <Property name="search.password" value="password"/>
    <Property name="parent.dn" value="ou=People,o=myschool.edu, o=cp"/>
    <Property name="rdn.attribute" value="uid"/>
  </Properties>
</ExternalAuthentication>
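A small audit of configuration.xml for the settings this deck singles out (localhost references, the LDAP parent.dn and search bind pair, passwords held in the file, a disabled event provider), added here as an example and not SunGard's code. The `<Configuration>` root element and the sample values are assumptions; the element and property names are the ones shown on the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragments shaped like the ones on the slides, wrapped in a
# hypothetical <Configuration> root (the real root element is not shown).
SAMPLE = """<Configuration>
  <DataSources>
    <DataSource name="MyDatabase">
      <Url>jdbc:oracle:thin:@localhost:1521:mydb</Url>
      <Username>wombat</Username>
      <Password>example-only</Password>
    </DataSource>
  </DataSources>
  <ExternalAuthentication enabled="true">
    <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
    <Properties>
      <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389"/>
      <Property name="search.user" value="uid=wfsearcher,o=myschool"/>
      <Property name="rdn.attribute" value="uid"/>
    </Properties>
  </ExternalAuthentication>
  <EventDispatcher>
    <EventProvider name="Banner W-Event Provider #1" enabled="false"/>
  </EventDispatcher>
</Configuration>"""


def audit(xml_text):
    """Return a list of (check_id, detail) findings for a configuration.xml string."""
    root = ET.fromstring(xml_text)
    findings = []

    for ds in root.iter("DataSource"):
        name = ds.get("name", "?")
        url = (ds.findtext("Url") or "").strip()
        if "localhost" in url.lower():
            findings.append(("localhost", f"DataSource {name}: {url}"))
        if (ds.findtext("Password") or "").strip():
            # Inventory only: the file holds a credential and needs protecting.
            findings.append(("stored-password", f"DataSource {name}"))

    for auth in root.iter("ExternalAuthentication"):
        if auth.get("enabled", "").lower() != "true":
            continue
        props = {p.get("name"): (p.get("value") or "").strip()
                 for p in auth.iter("Property")}
        url = props.get("java.naming.provider.url", "")
        if "localhost" in url.lower():
            findings.append(("localhost", f"LDAP provider URL: {url}"))
        if not props.get("parent.dn"):
            findings.append(("ldap-parent-dn", "parent.dn is missing or empty"))
        # search.user and search.password only make sense as a pair.
        if bool(props.get("search.user")) != bool(props.get("search.password")):
            findings.append(("ldap-search-bind", "search.user/search.password not set together"))
        if props.get("search.password"):
            findings.append(("stored-password", "LDAP search.password"))

    for ep in root.iter("EventProvider"):
        if ep.get("enabled", "").lower() != "true":
            findings.append(("events-disabled", f"EventProvider {ep.get('name')}"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:16} {detail}")
```

Fragments pasted with curly quotes are not well-formed XML and make `ET.fromstring` raise `ParseError`, so retype the quotes as straight quotes first.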
MIF Enabled Banner
• MIF architecture uses Oracle Virtual Private Database (VPD) to segregate data among institutions in a single database
• Each institution is given a unique MIF code (or rather VPDI_CODE)
• Any MIF enabled tables (or modules) will contain an additional VPDI_CODE column.
• When a MIF enabled table is queried, the architecture applies the current MIF code as an invisible Where clause against the VPDI_CODE column
• MIF code is set by calling a stored procedure before making the query
How Workflow Handles MIF
• Workflow uses Organizations to get the same benefits and to communicate with MIF enabled Banner
• Cost efficiency of managing a single deployment
• But with the Data separation similar to multiple deployments
• Organization represents a MIF institution rather than simply a department in this scenario
• Each Organization may be assigned a MIF code
• Required when launching or querying an object in Banner that is using MIF
• Workflow will look up the MIF code for the current workflow instance when communicating with Banner
• Do not set MIF code if the Banner object is not using MIF
Setting the MIF Code
• Assign the MIF Code for each child organization to corresponding VPDI_CODE being used in MIF Banner
Launching MIF Banner from Workflow
• Workflow and Banner target must be kept synchronized.
• If the workflow instance has a MIF code assigned, then the target Banner system must be MIF enabled.
• Launched Banner session will be locked to the MIF code associated with the workflow instance
• VPD selector in Banner will be disabled
• Subsequent launches will reuse existing Banner session if the MIF code is the same.
• If a Banner work item for a different MIF code is launched, a new Banner session will be opened to service the launch request.
Querying the MIF Banner Database
• Two new MIF-aware (automated activity) Technology Types have been added to Workflow 4.3 to handle a SQL query or calling a stored procedure against the Banner database.
• MIF-aware SQL Query
• MIF-aware Stored Procedures
• Define just like regular (non-MIF) automated activities.
• The MIF code will be set automatically in Banner before performing the database operation
• Workflow Alert if the MIF code is not assigned.
• Separate Bootstrap
• MifTypes.xml
Custom or Third Party Integration
• Workflow has long supported launching of desktop applications, access to external databases, and fire-and-forget launching of server side scripts.
• For increased custom integration or simply to extend the capabilities of the Workflow product, Workflow now offers a Web Service API for communicating back and forth with Workflow.
Workflow Web Service
• A web service allows different machines to communicate over a network using existing web technologies.
• The Workflow Web Service adheres to the WS-I Basic Profile 1.1 specification which is well supported among both Microsoft and Java development kits.
• Specifies a Web Services Description Language (WSDL) file for describing operations and messages.
• Developer Friendly
Workflow Web Service Messages
• The Workflow Web Service provides a set of messages (operations) that can be passed between your custom application and Workflow
• Event Creation:
• postExternalEvent
• Data Passing:
• getWorkItemContext
• setWorkItemContext
• State Manipulation
• completeWorkItem
• releaseWorkItem
Workflow Bundled Examples
• Found in \examples\ws
• Full source code and bootstrap data
• ‘Transfer Student’ example is a scenario for posting events from the command line perhaps to call from a batch or shell script or even the Windows scheduler.
• ‘Get Stock Quote’ example demonstrates using a business component to call out to another web service. In this example, it obtains a delayed stock quote from a public service. The value is returned to workflow via a “setWorkItemContext” xml message to the workflow web service.
Developing and Deploying Custom Applications
• When developing/testing new components, write tracer messages to an application log to monitor if the application performed correctly
• Do not assume environment or path variables are correct the first time
• Automated Activity Scripts need to be accessible from the same Oracle Application Server that is calling out to them
• Desktop applications need to be accessible from user’s client machine
• No SSO mechanism for external web interfaces at this
Summary
• Architecture
• Modern tiered design accessing business objects in an Oracle Application Server
• Access Control
• Banner and Luminis SSO
• Security Group authorization
• Core Integration
• Event, SQL, and E-mail – Oh my!
• High Availability
• Clustering for Failover and Scalability
• Advanced Integration
• Luminis Set-up
• MIF Banner
Thank You!
Michael Brzycki
[email protected]
Please complete the online class evaluation form
SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners.