Tag: content server integrated windows authentication

Why Oscript solutions are not passé

Over the years in my work with OpenText Livelink I am fortunate to associate myself with like minds and who like me share their code,goodwill and advice selflessly .I cherish and hold their friendship above all professional accolades I have ever got.Recently I had lunch with Ossie Moore  Ossie’s LinkedIn it was very short and I would have loved it to last longer as we could talk shop endlessly.Most of what I write in this has bearing to our lunch and he did steer this post. Ossie  for people who do not know him is quite a character.Let’s say you had a requirement,most of us would probably settle for a pretty decent code either in oscript,lapi as that was the predominant development methods one had at the time.Not Ossie he would probably write our kind of code and before releasing it would have at least two more better implementations,he would have thought about the user coming through the web,the other interfaces LL explorer and so on.That is the difference.

Let’s look at ECM deployments in major organizations.

X Organization has identified a massive unstructured data problem.X has a new manager on the block who has had experience with a technology vendor.Insert <vendorname> here. This is how most ECM deployments happen a lot of people passionate in some technology who would solutionize the deployment to suit the vendor.Most of them are assisted by Gartner, Forrester those kinds .I started working in OT technology before these rating companies came up with a barometer of wants so I am going to continue with my cynicism.

So after X Organization will roll out a OOB approach ,people are brought in.Naturally if the product is user friendly and easy its use will grow.Simple things like user activity,data growth etc are good ways to identify its usefulness.Now most people would want to send the link of the objects hoping that it won’t break on re-organizing the structure or re parenting as most of document work revolves around.So you may want to invest on something that people have put thought on like a GUID based system(Livelink, DCTM).Frankly I know only Livelink and DCTM very little. I hate Sharepoint (we call it $carepoint) with a passion because the smallest of things are so difficult to get  done.Good UI all the world has gone for it anything complex you have to buy or build with an array of .net developers different frameworks the works.It also could be that I have only been programming in that and spending time in LL so over the years the idiosyncracies of builder,CSIDE none of these matter to me now because Oscript really has not changed every much.Oscript is just a huge possibilities language. One of my mentors very famous in OT circles John Simon would joke like this.You have a problem you try solving in Oscript.You will spend about 3 to 4 days on it later to find out that what you need is totally available,no need to kludge just poor documentation that is all.

So if you were eager to get into using livelink to its full extent do these things

  1. Challenge a OT person or a OT solution marketer to what they are offering you. Challenge them extremely hard if it is offered at $$$ a user or so.That is how they make their money on licenses.
  2. Challenge if the pitch is towards Oscript is bad that spoils your chances of upgrade.There’s an element of truth in that.I have seen people hacking their way into core code,weblingo such no nos that shows inexperience and desperation. Oscript is not understanding the creation of a request handler,webnodeaction or eventscripting it is an all round knowledge of the product the passion about the product.You can immediately tell if the programmer knows anything because if they start saying about new subtypes you may want to ask them what prompted them to create a subtype, because many times those people have access to the oscript tutorials and the “Hello World” of oscript introduces them to that.You really want a Oscripter who will follow what OT advises them of doing in that case it is very rarely  a bad fit.
  3. Challenge if the pitched solution ends up working only in the webgui what about EC,what about SOAP,what about REST,what about Search

Oscript has years to go if the LL solution is still being used by customers.It can be learned to work wonders for you.The other aspect and full credit to Ossie here is LL software is the most open product much more open than opensource a oscripter can see the entire internals of it so people like me,John,Ossie all have found bugs and we all engage the good OT developers on our finds.Most senior and passionate oscripters continue to do so.There ‘s so much openness and welcoming in the OT programming community,people like David Templeton ,Kyle  Swidrowich and a countless amount of good people who have been striving to keep this open and getting communities to try it out for a better product.They have helped me and a lot of others and you can also get in into the action.

You just need the drive and passion to master LL that is all it takes.Well that maybe true for any technology 🙂

Advertisement

Common Debug Protocol

****************************************** ***START UPDATE 10/3/2016*****************

LAPI and its client installer has become very hard to find. Moreover clients written in LAPI  in say Java/.NET will only work if your Livelink a.k.a Content Server is of version less than CS16.Readers who are new to LL programming is encouraged to read this to the approach and not to the exact lines of the code.What I mean is when you used to program in LAPI you were basically passing parameters to discrete calls by modelling it based on the webgui of livelink .SOAP based webservices called CWS is also the same,so if you do not try to do the task in the webgui and try to understand the business rules you will almost have no success in CWS too. OT is notorious for not putting fully functioning use cases and a walk through,so whenever possible I write code assuming the user has not worked in Livelink for X number of years and try to educate you all. Livelink,Content Server,Enterprise Server all of this has been Livelink’s marketing brand name changes over the years.CS i sused in many of the integrations like AGA, XECM, RMLINK  and you know you are programming against livelink if you see a link that looks like this  http(s)://somefriendlyURL/livelink.exe|cs.exe|llisapi.dll|cs.dll|livelink.In many places SAP/ SP /Exchange will be configured to talk to Archive Server and then they will use Livelink to read into archive server and turn that into LL objects for better presentment/RM and other aspects. The AGA product is moving away from LAPI(not sure totally or not) to REST API in LL.

**********************************************END UPDATE****************************

 

 

In most cases I have noticed that programmers brought into livelink a.k.a Content Server web server programming lack a general understanding of livelink and its business rules.The Vendor maintained links   is written almost to a starting novice but again people will run into problems.To mitigate this one has to have a simple protocol

  1. Ask the livelink team a representative container(folder ,project,compound documents,document work spaces all of them are shells or containers to hold additional objects) that the CWS programmer can access using the webgui.
  2. Ask how is authentication enforced.In almost 90% of places it will be SSO(NTLM,IWA,other LDAP methods)
  3. In most cases CWS application where you source the WSDL’s from will be “anonymous” because that is the level of documentation OT gives admins which means that the CWS user has to be manual user in livelink also known as a user with a password the livelink admin team gives you
  4. I have published several successful posts here  that allow me to do SSO(IWA/NTLM) that is because I know how to set it correctly.Most of it was looking at IWA webservices samples.
  5. I have installed and configured OTDS as well ,it is a re-directional(kerberos implementation) .Simply put when you access a link such as http://localhost/livelink/llisapi.dll if OTDS authentication is involved your call is redirected to the OTDS server(Tomcat in the version I tried).The kerberos token that is prevalent in your domain login is used to establish who you are against a configured LDAP appliance like AD and returned back to the livelink server.Anybody who knows enough about livelink URL’s know the web escaped URL’s, you should see the re-direction when using wireshark or fiddler as well.  This ideas are my interpretaion and not OT’s so take this with a piece of slat.
  6. The above OTDS authentication is overkill if Livelink was employed as a DMS or in your org people know that Livelink is there.It would make sense to tunnel xECM SAP Users your piggy backing on MYSAPSSO2   mostly integrations form other systems who want a seamless experienec.Altogether it is very easy to setup and implement save for the fact that creating SSO against AD is basically a one click operation.

Allright so what is the post about

If you are a .NET CWS/EWS programmer you will basically be sending this token with each service client call because livelink is http and state based and you never know if  the request is being handled by the same server or the same thread.

You would see .NET code like this

DocumentManagement.OTAuthentication dmOTAuth = new DocumentManagement.OTAuthentication();
ContentService.OTAuthentication     csOTAuth = new ContentService.OTAuthentication();
SearchService.OTAuthentication      ssOTAuth = new SearchService.OTAuthentication();

and things like

string token = authclient.AuthenticateUser(username, password);
if (token != null)
{
ssOTAuth.AuthenticationToken = token;
dmOTAuth.AuthenticationToken = token;
csOTAuth.AuthenticationToken = token;

}

contextID = dm.GetVersionContentsContext(ref dmOTAuth, dataID, 0);

the above is akin to a logged in user trying to download.the ref keyword is modern .net above 2.5 CLR or higher

If you are a JAVA CWS/EWS

In Java, however, you don’t need to do this and instead you set authentication information into the object representing the service. In your code you do this

setSoapHeader((WSBindingProvider) search, otAuth);

There are many more subtle differences with Java and .NET but for the most part it should work cleanly

If one were interested in debugging at the livelink server

  • Method 1: Login to the livelink URL that usually ends in /llisapi.dll or livelink.exe or livelink.Do you see an authentication screen that looks like an HTML page and not one that looks like a windows auth prompt?.If you were seamlessly taken into the application then this “instance” of livelink server has its authentication set to some authentication.assuming the simplest mechanism it could be IWA also interchangeably known as NTLM,SSO etc etc.
  • Method 3-Put Fiddler and learn how to use it when you hit a webserver.Then you can actually see your WSAPI client code making requests in Action.Many  times they are going to indicate something.
  • Method 4: There is a livelink sysadmin request handler that goes like <LIVELINKURL>?func=admin.testargs.Do you see “REMOTE_USER” filled and a auth mechanism something resembling this  AUTH_TYPE =Negotiate REMOTE_USER =DOMAIN\USERID or userid@domain REQUEST_METHOD =GET Then chances are this livelink is protected by a auth method other than “anonymous” Most webservices samples written by OT pertains to simple anonymously authenticated livelink servers.Do you have SSO samples lying in the web or here.Sure search for Guy Pomerleaux or me for a few who have ventured with it in the forums .Just by trial and error of the Web.Config and App.Config I have suceeded.Why wouldnt OT put a official sample,guesses are different web server different ways of deploying livelink,too much work to officially support it although the OTDS mechanism is kind of a middleware to address that 🙂
  • Method 5:Search Debugging Livelink when people or programs search use the Livelink Search API to call it. While it looks integrated believe it or not the searching is a different software and it can be used for any general purpose searching.Read OT history as the first searching company in the world(Yahoo search Engine :).Sometimes it becomes difficult to create queries properly so it is very easy however I do it like this.Isolate a named server(some address that wont be like a LB URL).Find that server’s Opentext.ini and in the [options] area add wantSearchLogs=true.Then run a search from the GUI.In all likelihood for each search you will find a new txt file that will contain the query.Try to understand it and repurpose. Similar files will exist in the Admin server for prospector queries and intelligent classification queries.

Now I have given you many pointers that would lead to successful coding.However let it be known that a livelink can be configured in very many different ways such as an admin can put a expiration  of livelink cookie to a very low value,you could be bouncing off livelink servers ,your code may come from a redirected system such as SAP or SP lots of problems could occur if the architecture is not well understood by replying people like me or even you.I am not a OT employee but have worked enough to know certain things that could occur.So my simple request to you would be to as much as possible educate yourself and the forum about the same. Also try the simplest mechanisms of OT code first to iron out the difficulties.It should not be too  hard.

Single Sign On and Content Web Services for a livelink server

04/28/2016 Why am I keeping this ?This is obsolete like hell

04/17/2013 APPU—–NOTE THIS IS OUTDATED INFORMATION BUT SETUP WISE IT WILL HELP.

IF YOU ARE ON A UPDATE LEVEL 9 AND UP YOUR EXPERIENCES WILL GREATLY BE IMPRESSED

IF YOU ARE A NOVICE TO INTEGRATED WINDOWS AUTHENTICATION (IF YOU RUN LIVELINK IN WINDOWS IIS AND USE AD FOR THAT)LEARN THAT FROM THE WEB AND UNDERSTAND THAT LIVELINK USES THAT UNDER THE COVERS(OSCRIPT CODE IN DIRECTORY SERVICES MODULE) TO GRANT YOU SINGLE SIGN ON.I AM YET TO TRY MY HANDS ON JAVA BASED OTDS(RCS) BASED DIRECTORY SERVICES

Many users who know me from my contributions ask me to write code that helps with their livelink problems.In many cases it is very new programmers who get assigned to write these.They expect almost without success to find snippets of livelink webservice code thru google etc.I have not frankly understood programmer hurry like this but when you program it does not hurt to put a rational outline on what you are trying to do.In any case OT official dom is very notorious for non hand holding.In fact when I first started writing Dr Lapi I seriously doubt if there was a working sample of lapi code you could find in the web.Now that they have started to tell people not to use LAPI they need to put a lot of working examples as a livelink implementation can become very complicated over years of use and maturity.Also customization can alter ways of its working.

SSO or single sign on is not impersonation in livelink.If you have a ID in livelink with System Admin privileges it is very easy to gain access to livelink and do things as another user.While that sounds very insecure the actions are all audited.It is available in Unix,MS and many other applications hence impersonation is nothing to be considered as lowly.However I take exception when you advertise impersonation as SSO.

SSO is mostly applied to a company Intranet.When people and computers need to be managed they would employ a directory server which usually understands the LDAP protocol.In MS centred organization you would hear as Active Directory,in novell it is NDS,in IBM it may be a Domino or is it Tivoli? server,in SUN /ORACLE places it could be their ldap server.When you sign into a domain held computer unbeknownst to you you have established a trust between your device and the company network.So any other application need to trust you for what you are.that is proper SSO.In web application when you hit a IWA enabled website your browser exchanges a 401 challenge which when successful will populate certain environment variables the famous one REMOTE_USER.In a proper livelink SSO exchange we take that env variable and sign you in.In the livelink database such a user would be called a ‘Externally Authenticated’ user.

Well here’s how I got my CS10 Update 6 VM working with SSO code.I write a long word document detailing my challenges but this is the best short way I can give to the community.My research material is uploaded in the communities web site.In retrospect OT is expecting you to use the OTDS java web server maybe to get applications to integrate.That is when you hear terms such as RCS etc.

LIVELINK SETUP

  1. I configured otdsintegration to use webserver authentication.Meaning otdsintegration oscript module allows you a radio button to do web server authentication.I did not configure OTDS(RCS) as I do not have a domain and AD in my VM.
  2. I made the IIS VD for livelink IWA
  3. I checked whether I could login as my domain user in my case my user called ‘Administrator’ I verified what admin.testargs passed in to me
  4. I downloaded old directory services code and installed it luckily there was aversion for CS10.I had to because the otdsintegration module gets you web authentication but not web services authentication.
  5. I put my computer on IPv4 to first test it
  6. I made these changes to my opentext.ini
  7. [Security]
  8. #REM when you install directory services module you can get this ospace
  9. Authentication=NTLM
    #REM when IPV6 is installed the crazy looking things is a oscript bug and its defeat by me found thru builder
    CGIHosts=::ffff:127.0.0.1,fe80::2d54:a6cb:b5d2:b145%11 I think the code is looking for socket.pPeeraddress
  10. which is the address of the client in fact they should not do that but in IPv4 it is all OK
    #REM127.0.0.1 is added by livelink code but the computers IPv4 address
    #CGIHosts=
  11. the Web.Config changed for NTLM for the livelink webservices  application

CLIENT CODE C# SETUP

  1. App.Config reflected to the same NTLM auth as in Web.Config
  2. Added System.IO
  3. That is about it.

Client stack traces are almost impossible to understand unless you understood livelink code.Since I understood it and was able to understand what they were doing I am providing this.Your setup could vary I have no clue.

Link 1-Interested programmers could see my setup for CS10U6 here—

Link2-The C# solution containing a basic piece of code Kyle Swidrowich Created which I repurposed 🙂

Link3-Livelink Web.Config tthat you have to do for webservices

Link4-My experience when Livelink was 9.7.1wanted to write SSO code