Tag: content server NTLM

Common Debug Protocol

****************************************** ***START UPDATE 10/3/2016*****************

LAPI and its client installer has become very hard to find. Moreover clients written in LAPI  in say Java/.NET will only work if your Livelink a.k.a Content Server is of version less than CS16.Readers who are new to LL programming is encouraged to read this to the approach and not to the exact lines of the code.What I mean is when you used to program in LAPI you were basically passing parameters to discrete calls by modelling it based on the webgui of livelink .SOAP based webservices called CWS is also the same,so if you do not try to do the task in the webgui and try to understand the business rules you will almost have no success in CWS too. OT is notorious for not putting fully functioning use cases and a walk through,so whenever possible I write code assuming the user has not worked in Livelink for X number of years and try to educate you all. Livelink,Content Server,Enterprise Server all of this has been Livelink’s marketing brand name changes over the years.CS i sused in many of the integrations like AGA, XECM, RMLINK  and you know you are programming against livelink if you see a link that looks like this  http(s)://somefriendlyURL/livelink.exe|cs.exe|llisapi.dll|cs.dll|livelink.In many places SAP/ SP /Exchange will be configured to talk to Archive Server and then they will use Livelink to read into archive server and turn that into LL objects for better presentment/RM and other aspects. The AGA product is moving away from LAPI(not sure totally or not) to REST API in LL.

**********************************************END UPDATE****************************

 

 

In most cases I have noticed that programmers brought into livelink a.k.a Content Server web server programming lack a general understanding of livelink and its business rules.The Vendor maintained links   is written almost to a starting novice but again people will run into problems.To mitigate this one has to have a simple protocol

  1. Ask the livelink team a representative container(folder ,project,compound documents,document work spaces all of them are shells or containers to hold additional objects) that the CWS programmer can access using the webgui.
  2. Ask how is authentication enforced.In almost 90% of places it will be SSO(NTLM,IWA,other LDAP methods)
  3. In most cases CWS application where you source the WSDL’s from will be “anonymous” because that is the level of documentation OT gives admins which means that the CWS user has to be manual user in livelink also known as a user with a password the livelink admin team gives you
  4. I have published several successful posts here  that allow me to do SSO(IWA/NTLM) that is because I know how to set it correctly.Most of it was looking at IWA webservices samples.
  5. I have installed and configured OTDS as well ,it is a re-directional(kerberos implementation) .Simply put when you access a link such as http://localhost/livelink/llisapi.dll if OTDS authentication is involved your call is redirected to the OTDS server(Tomcat in the version I tried).The kerberos token that is prevalent in your domain login is used to establish who you are against a configured LDAP appliance like AD and returned back to the livelink server.Anybody who knows enough about livelink URL’s know the web escaped URL’s, you should see the re-direction when using wireshark or fiddler as well.  This ideas are my interpretaion and not OT’s so take this with a piece of slat.
  6. The above OTDS authentication is overkill if Livelink was employed as a DMS or in your org people know that Livelink is there.It would make sense to tunnel xECM SAP Users your piggy backing on MYSAPSSO2   mostly integrations form other systems who want a seamless experienec.Altogether it is very easy to setup and implement save for the fact that creating SSO against AD is basically a one click operation.

Allright so what is the post about

If you are a .NET CWS/EWS programmer you will basically be sending this token with each service client call because livelink is http and state based and you never know if  the request is being handled by the same server or the same thread.

You would see .NET code like this

DocumentManagement.OTAuthentication dmOTAuth = new DocumentManagement.OTAuthentication();
ContentService.OTAuthentication     csOTAuth = new ContentService.OTAuthentication();
SearchService.OTAuthentication      ssOTAuth = new SearchService.OTAuthentication();

and things like

string token = authclient.AuthenticateUser(username, password);
if (token != null)
{
ssOTAuth.AuthenticationToken = token;
dmOTAuth.AuthenticationToken = token;
csOTAuth.AuthenticationToken = token;

}

contextID = dm.GetVersionContentsContext(ref dmOTAuth, dataID, 0);

the above is akin to a logged in user trying to download.the ref keyword is modern .net above 2.5 CLR or higher

If you are a JAVA CWS/EWS

In Java, however, you don’t need to do this and instead you set authentication information into the object representing the service. In your code you do this

setSoapHeader((WSBindingProvider) search, otAuth);

There are many more subtle differences with Java and .NET but for the most part it should work cleanly

If one were interested in debugging at the livelink server

  • Method 1: Login to the livelink URL that usually ends in /llisapi.dll or livelink.exe or livelink.Do you see an authentication screen that looks like an HTML page and not one that looks like a windows auth prompt?.If you were seamlessly taken into the application then this “instance” of livelink server has its authentication set to some authentication.assuming the simplest mechanism it could be IWA also interchangeably known as NTLM,SSO etc etc.
  • Method 3-Put Fiddler and learn how to use it when you hit a webserver.Then you can actually see your WSAPI client code making requests in Action.Many  times they are going to indicate something.
  • Method 4: There is a livelink sysadmin request handler that goes like <LIVELINKURL>?func=admin.testargs.Do you see “REMOTE_USER” filled and a auth mechanism something resembling this  AUTH_TYPE =Negotiate REMOTE_USER =DOMAIN\USERID or userid@domain REQUEST_METHOD =GET Then chances are this livelink is protected by a auth method other than “anonymous” Most webservices samples written by OT pertains to simple anonymously authenticated livelink servers.Do you have SSO samples lying in the web or here.Sure search for Guy Pomerleaux or me for a few who have ventured with it in the forums .Just by trial and error of the Web.Config and App.Config I have suceeded.Why wouldnt OT put a official sample,guesses are different web server different ways of deploying livelink,too much work to officially support it although the OTDS mechanism is kind of a middleware to address that 🙂
  • Method 5:Search Debugging Livelink when people or programs search use the Livelink Search API to call it. While it looks integrated believe it or not the searching is a different software and it can be used for any general purpose searching.Read OT history as the first searching company in the world(Yahoo search Engine :).Sometimes it becomes difficult to create queries properly so it is very easy however I do it like this.Isolate a named server(some address that wont be like a LB URL).Find that server’s Opentext.ini and in the [options] area add wantSearchLogs=true.Then run a search from the GUI.In all likelihood for each search you will find a new txt file that will contain the query.Try to understand it and repurpose. Similar files will exist in the Admin server for prospector queries and intelligent classification queries.

Now I have given you many pointers that would lead to successful coding.However let it be known that a livelink can be configured in very many different ways such as an admin can put a expiration  of livelink cookie to a very low value,you could be bouncing off livelink servers ,your code may come from a redirected system such as SAP or SP lots of problems could occur if the architecture is not well understood by replying people like me or even you.I am not a OT employee but have worked enough to know certain things that could occur.So my simple request to you would be to as much as possible educate yourself and the forum about the same. Also try the simplest mechanisms of OT code first to iron out the difficulties.It should not be too  hard.

Advertisement

Single Sign On and Content Web Services for a livelink server

04/28/2016 Why am I keeping this ?This is obsolete like hell

04/17/2013 APPU—–NOTE THIS IS OUTDATED INFORMATION BUT SETUP WISE IT WILL HELP.

IF YOU ARE ON A UPDATE LEVEL 9 AND UP YOUR EXPERIENCES WILL GREATLY BE IMPRESSED

IF YOU ARE A NOVICE TO INTEGRATED WINDOWS AUTHENTICATION (IF YOU RUN LIVELINK IN WINDOWS IIS AND USE AD FOR THAT)LEARN THAT FROM THE WEB AND UNDERSTAND THAT LIVELINK USES THAT UNDER THE COVERS(OSCRIPT CODE IN DIRECTORY SERVICES MODULE) TO GRANT YOU SINGLE SIGN ON.I AM YET TO TRY MY HANDS ON JAVA BASED OTDS(RCS) BASED DIRECTORY SERVICES

Many users who know me from my contributions ask me to write code that helps with their livelink problems.In many cases it is very new programmers who get assigned to write these.They expect almost without success to find snippets of livelink webservice code thru google etc.I have not frankly understood programmer hurry like this but when you program it does not hurt to put a rational outline on what you are trying to do.In any case OT official dom is very notorious for non hand holding.In fact when I first started writing Dr Lapi I seriously doubt if there was a working sample of lapi code you could find in the web.Now that they have started to tell people not to use LAPI they need to put a lot of working examples as a livelink implementation can become very complicated over years of use and maturity.Also customization can alter ways of its working.

SSO or single sign on is not impersonation in livelink.If you have a ID in livelink with System Admin privileges it is very easy to gain access to livelink and do things as another user.While that sounds very insecure the actions are all audited.It is available in Unix,MS and many other applications hence impersonation is nothing to be considered as lowly.However I take exception when you advertise impersonation as SSO.

SSO is mostly applied to a company Intranet.When people and computers need to be managed they would employ a directory server which usually understands the LDAP protocol.In MS centred organization you would hear as Active Directory,in novell it is NDS,in IBM it may be a Domino or is it Tivoli? server,in SUN /ORACLE places it could be their ldap server.When you sign into a domain held computer unbeknownst to you you have established a trust between your device and the company network.So any other application need to trust you for what you are.that is proper SSO.In web application when you hit a IWA enabled website your browser exchanges a 401 challenge which when successful will populate certain environment variables the famous one REMOTE_USER.In a proper livelink SSO exchange we take that env variable and sign you in.In the livelink database such a user would be called a ‘Externally Authenticated’ user.

Well here’s how I got my CS10 Update 6 VM working with SSO code.I write a long word document detailing my challenges but this is the best short way I can give to the community.My research material is uploaded in the communities web site.In retrospect OT is expecting you to use the OTDS java web server maybe to get applications to integrate.That is when you hear terms such as RCS etc.

LIVELINK SETUP

  1. I configured otdsintegration to use webserver authentication.Meaning otdsintegration oscript module allows you a radio button to do web server authentication.I did not configure OTDS(RCS) as I do not have a domain and AD in my VM.
  2. I made the IIS VD for livelink IWA
  3. I checked whether I could login as my domain user in my case my user called ‘Administrator’ I verified what admin.testargs passed in to me
  4. I downloaded old directory services code and installed it luckily there was aversion for CS10.I had to because the otdsintegration module gets you web authentication but not web services authentication.
  5. I put my computer on IPv4 to first test it
  6. I made these changes to my opentext.ini
  7. [Security]
  8. #REM when you install directory services module you can get this ospace
  9. Authentication=NTLM
    #REM when IPV6 is installed the crazy looking things is a oscript bug and its defeat by me found thru builder
    CGIHosts=::ffff:127.0.0.1,fe80::2d54:a6cb:b5d2:b145%11 I think the code is looking for socket.pPeeraddress
  10. which is the address of the client in fact they should not do that but in IPv4 it is all OK
    #REM127.0.0.1 is added by livelink code but the computers IPv4 address
    #CGIHosts=
  11. the Web.Config changed for NTLM for the livelink webservices  application

CLIENT CODE C# SETUP

  1. App.Config reflected to the same NTLM auth as in Web.Config
  2. Added System.IO
  3. That is about it.

Client stack traces are almost impossible to understand unless you understood livelink code.Since I understood it and was able to understand what they were doing I am providing this.Your setup could vary I have no clue.

Link 1-Interested programmers could see my setup for CS10U6 here—

Link2-The C# solution containing a basic piece of code Kyle Swidrowich Created which I repurposed 🙂

Link3-Livelink Web.Config tthat you have to do for webservices

Link4-My experience when Livelink was 9.7.1wanted to write SSO code