Tag: integrated windows authentication

Metadata for the brave

Metadata  in Livelink (Yawn ContentServer) is mostly by a Object Called Categories.A Category Object again is of subtype 131 and it can have versions.Its content or version file looks like XML and translates the data structure for use with Livelink.When some one adds a Category to an Object like Document,Folder etc  what you are essentially doing is requesting the latest copy of the Category Template(131) or it will be the Category applied to the parent container.Then it goes through an oscript/weblingo layer where it paints the structure like is it a Text? is it Mandatory and so on.Increasingly I see OT advising customers to use SETS and that too with Multiple Values.I tried to stay away from SETS in my design because it is next to impossible to write reports when there is more than one value involved 🙂

A Picture is worth a thousand words so I am showing a Category called SapCategory as you can see I have some that are very self descriptive however these terminology is probably worth understanding.In Livelink projects you will affix useful metadata{ a set of categories(131), some Classifications(199) or RM Classifications (551) }.OT has prided itself on capability of its search and indexing engine(after all OT was the first guys to index the OED and that greatly increases the work they put in this ) so all this metadata that you put and inherit it down to millions of items is supposed to find you patterns of knowledge in your organization.The xECM side of the house puts technical categories so does AGA so that in first shot looking at the object metadata one can even say what it purports to be.Classifications and RM Classifications look like category metadata but they allow alternate taxonomies and navigation structures.

MVA-Multi Valued Attribute indicate by the + and – signs.In any case if you only have one Value also it is internally a List of values.On top of it now all Livelink servers can have that in more than one language . OT does not the make category metadata multi language but our good friends at Cassia ECM make it and sell it through OT.

Set -The Set is a place holder where in you can define more and more primitive datatypes and it looks aesthetically pleasing(?) or even easier to understand data.Both Sets and Categories subtype will say AttrType=-18 and AttrID indicates the position.

For techies see my revelation to the world I think the link is permanently lost

There is a simple Request Handler called attributes.dump ( perhaps it is hidden in the admin.index pages and you might need a SA prv) you will see that the Set Identifier does not have a Attribute ID

Nobody from OpenText has told the programming world or developers how to look at this DataStructure well not in so many words at least.. Everyone is using their own methods do something.How many SET parsing/example  requests happen in the OT KB and OT answers cryptically? Or as a Java or a C# programmer is one supposed to be that intelligent to figure everything out? I believe it is very shortsighted of OT to push towards their professional services,or WebReports to achieve anything and everything.Since the move from LAPI some hobby programmers have shown the parsing.I have had countless requests from developers who wanted to see how to go about it so this is a way to help them. Actually since all ReturnValues are coded for OOP apparently this is much easier than in LAPI days but still a new programmer cannot be expected to become a livelink knowledgeable person for participating in one project.

Imagine a Node Object like Document or Folder has had a category attached,then its values are in its MetaData Object.The MetaData Object consists of AttributeGroups which are akin to List of Categories.So if you have applied 7 Categorise expect 7.These 7 will show you empty shells or filled shells of information.

So I have this and another category attached /applied to an object

As you can see those are the two categories or an AttributeGroups Object of two AttributeGroup.OK so if you isolate one AttributeGroup you will get the individual keys(Attributes).OK then you need to test/cast these complex structures from their Livelink given out DataValue to things people can understand Namely StrinValue,IntegerValue and DateValue.Now if a Set is encountered you will get a TableValue object.Now the TableValue will contain a excel row like representation and is a RowValue Object.Once you isolate the RowValue into its DataValue you will get its IntegerValue,StringValue and such like.Good thing they did not allow a Set inside a Set 🙂

The key of an Attribute is made up of <category dataid>_<version>_<attributeID>

So hopefully the code I post in C# helps a poor soul.Now please understand that the Category Data Structure is a pretty complicated way how the Data is shown,how the Data is held in a Table and how the reporting table has been considered. When we were in the LAPI era the entire structure was given to you as a LLValue Object out of which you had to get the Types isolated and program.This was me in 2004 battling out a worked out example in LAPI documentation   which actually did not work if you actually cut and pasted the sample.So I just took it as a challenge and trying to learn the OT debugger and its Script actually helped me with it

 

Link to Code File coming soon 🙂 One thing I noticed in 2017 against CS16 is now OT has already built a category called “External Att” with some commonly asked of functionality Good Job…

Hopefully they might be trying to get rid of the “Additional Node Attributes” piece in OT

Screen Cap of when I run the code against a Node in LL.You can optimize the loops when you understand how the code is supposed to be written.Frankly my intention is to show  you how  to iterate the DataStructure.

 

A C# file that I wrote that takes a NodeID in Livelink and spits out Category Info

Including Sets & MVA

 

 

Advertisement

What is Enterprise Web Services a.k.a Content Web Services

****************************************** ***START UPDATE 10/3/2016*****************

LAPI and its client installer has become very hard to find. Moreover clients written in LAPI  in say Java/.NET will only work if your Livelink a.k.a Content Server is of version less than CS16.Readers who are new to LL programming is encouraged to read this to the approach and not to the exact lines of the code.What I mean is when you used to program in LAPI you were basically passing parameters to discrete calls by modelling it based on the webgui of livelink .SOAP based webservices called CWS is also the same,so if you do not try to do the task in the webgui and try to understand the business rules you will almost have no success in CWS too. OT is notorious for not putting fully functioning use cases and a walk through,so whenever possible I write code assuming the user has not worked in Livelink for X number of years and try to educate you all. Livelink,Content Server,Enterprise Server all of this has been Livelink’s marketing brand name changes over the years.CS i sused in many of the integrations like AGA, XECM, RMLINK  and you know you are programming against livelink if you see a link that looks like this  http(s)://somefriendlyURL/livelink.exe|cs.exe|llisapi.dll|cs.dll|livelink.In many places SAP/ SP /Exchange will be configured to talk to Archive Server and then they will use Livelink to read into archive server and turn that into LL objects for better presentment/RM and other aspects. The AGA product is moving away from LAPI(not sure totally or not) to REST API in LL.

**********************************************END UPDATE****************************

 

Many people seem to have understood my post  about LAPI 

The AGA (Sharepoint to Livelink Integration) product is the only officially supported OT product that seems to use old lapi binaries.Most of us have moved away for using it although when you are in a time crunch you can still use it.If you still want to use lapi make sure you are writing client code in java which takes care of most inconsistencies regarding 64/vs 32 bit J# problems.If you are a modern day .net buff see how old lapi can be run in new .net ways.

Back to CWS/EWS- Livelink is branded Content Server so it is no surprise that its API reflects that.The binaries that make up the wsdl is delivered without any additional installation  in the same file path as the livelink server is installed.So if you run your livelink in a IIS webserver,you just “expose” the  code from OT into a application.If you run your livelink in a Tomcat server then just dump the war file and TC will do the magic.The Web.Config in both he deployments make sure where it can talk to.For e.g in a livelink install if you see the Web.Config say localhost & 2099 when you call the beautiful code form your client it sends all that “stuff” into the livelink “server” listening on “localhost” and “2099”.None of this is hard coded and most livelink organizations will not use localhost resolution.And as a client api programmer you don’t need to worry too much.Ask for a webgui account before you start any livelink programming.It will keep you sane.What you are programming with a language is the same “business rules'” that livelink will throw to your code.Typical “new” programmer things like expecting category workspaces,enterprise workspaces to be 2004 & 2000 should be avoided the mistakes are very commonly seen in even vended applications.there are many livelinks in the world that do not have those ids.BTW like many others I also thought that to write java client code I had to have livelink running in a java app server.No I regularly now write .Net clients against a TC deployed WSAPI and java clients against a IIS deployed WSAPI. I also have written oscript based CWS things that is only needed when OT supplied stubs & proxies won’t cut a particular task.BTW when you install Records management,Physical Objects,Classifications they all deploy their CWS API.As your administrator to deploy that if you wanted to do programming against those functionalities . I advocate bundling  everything under one website it makes the admin’s life easier well they are unsupported by OT but I do it anyway

Once you are prepared to first write your lines of code you may want to understand what you are doing.

  1. Livelink is a protected/authenticated DMS application so it will check if you have a valid account and if you have permissions to a particular object. BTW OpenText is the company making these products as far as I know there is not a product(binary) in that name.many consultants I have worked with refers to “we have given stuff to OpenText” which ain’t happening because there is  nothing called that you can hand it to” In webgui the authentication is achieved primarily by putting a userid and password,almost nobody uses this method now or by a authentication service.In most companies if the application is IIS served that means you will almost for certain be vetted by IWA.  Unfortunately OT does not provide samples ,I have written things and many others have done it too.   nobody But ultimately your code has to pass a webserver and pass into the application layer
  2. OT markets a TC (java stack) application called OTDS .It is some very simple java code that interacts with livelink,active directory or other LDAP sources .It relies on your call being passed off to a OTDS server which uses industry standard methods to create a auth token.In many simple installs it is akin to the cookie that is given to your browser after login.OT provides samples using that.It also will be mandatory in several OT installs which are primarily not a DMS.Like SAP integration,AGA integration and so on.You now have “kewl” tools like Fiddler,Wireshark etc to debug many things
  3. If you  have a authentication token half the battle is one,you can now try simple things like adding folders,documents,applying categories to etc when you stumble simply bring up the web ui browser and see what you are trying is possible in “that” livelink.Because code you may have got working in another project may not because every livelink install can define its business rules differently 🙂
  4. These conditions can be tested in a matter of minutes by using  SOAPUI  .Once you have gotten in with a auth token and accessed enterprise workspace or perosnal workspaces,then switch to a java client ide or a .net ide . SOAPUI can only be used for certain aspect,things will get extremely complex when you encounter category/attribute data structures(funny the push to get away from llvalue data structures in lapi is still there albeit using data structures like AttributeGroups) so soapui will not cut it.

Other Buzzwords you may hear in a Livelink based project

  • REST API. OT has been forced by the programming world to have a REST API implementation available in kick butt livelink installs.Note every call with a REST API is akin to you accessing livelink via a browser so save yourself some head ache by not designing bulk loader things with it.You may want to show off your livelink in a mobile application.BTW I think AppWorks is the marketing hype name for that.
  • Search API-when you are in a livelink session and type a search term it is the Search API that is working for you.You can create cool search based apps with it.For heaven sake resist the temptation to write lapi or CWS code for livelink search it ain’t very easy and it si convoluted.
  • ELS API- It is the wrapper connecting Livelink and archive server .The definition is not technically correct.If you wanted a SAP system to use Records management or Business Work Spaces you would put this middle ware called (old name RCS). This is a solution… means utimately you will have to pay people who know SAP Basis configuartion & Functional  , Livelink configuration and Archive server configuration.Recently a guy asked me about CMIS  . I looked at it and I told him to concentrate on the 3 aspects and he figured it out note that CMIS is a industry protocol  and ot uses that in a ELS API layer for some objective I know not. Most solutions you will hear terms like Archive Link ,RM Link,ECM Link 

Happy Livelink API or CWS or EWS programming

How to use WCF Livelink web services to create a quasi single sign on or login with cookie equivalent of lapi

Recently OT Dev said that don’t really spend time on the Search SOAP service but use the Restful search API that has been there all along these years.

Since almost everything in livelink is served off a URL one of the first things it needs is authentication.For livelink deployments who do not have Single Sign On based on web server auth it is inconvenient that a webapp designed in C# provides links to a livelink URL for e.g I may have an href called “My Assignments” and then I may link it to my livelink server url and the query string ending in personal .assignments

I really don’t think organizations using livelink still use userid/password but this will probably help those users.

http:://my livelinkurl/livelinkvd/llisapi.dll?func=personal.assignments

Now everybody reading this should know that livelink will look for a cookie if not it will present a login screen. Our attempt is to use the token (cookie) returned to us by the CWS auth routine and make sure we can pass it off to a livelink URL or making the request to livelink as if one had logged in and subsequently performing operations.

In my example I am doing this with a LL 9.7.1 version so the ref key word is not used.For newer CWS the ref keyword is needed

SETUP

LL9.7.1 Oracle,IIS6, webserver is anonymous,livelink auth scheme is livelink ,No RCS present,No Dir Svcs module in deployment

in SSO deployments calling a livelink URL from a auth user’s computer results in a pass thru experience so none of this circus is needed anyway.

What I found was if you were adding the LlCookie to the request you have to do a lot of coding as in the user in this thread.I found several hits in the web

to spoof the Cookie but a lot of code for somethingthat you know is not that secure anyway

RE RE RE RE RE Get Region Name

He first gets the auth token and uses cookie setting code to call the search API.

While that is all good and dandy  if you have access to  a web debugging tool like Fiddler if you capture traffic for the first auth call you can see your userid+password

if it is a HTTP connection.I am not sure what it will look if my livelink was HTTPS.So I would just build a userid/password url and specify everything in NextURL.

So if I was coding a C# app and wanted to call my search system in livelink I would just use the simple approach

http://llappu971vm:8080/livelink/livelink.exe?func=ll.login&username=livelinkuser&password=livelinkpassword&nextURL=%2Flivelink%2Flivelink.exe%3Ffunc=ll%26objId=670175%26objAction=browse%26viewType=1

In the above URL the Func=ll.login sets the Cookie and then the NextURL is indicated,it is just webescaped for transmission

Single Sign On and Content Web Services for a livelink server

04/28/2016 Why am I keeping this ?This is obsolete like hell

04/17/2013 APPU—–NOTE THIS IS OUTDATED INFORMATION BUT SETUP WISE IT WILL HELP.

IF YOU ARE ON A UPDATE LEVEL 9 AND UP YOUR EXPERIENCES WILL GREATLY BE IMPRESSED

IF YOU ARE A NOVICE TO INTEGRATED WINDOWS AUTHENTICATION (IF YOU RUN LIVELINK IN WINDOWS IIS AND USE AD FOR THAT)LEARN THAT FROM THE WEB AND UNDERSTAND THAT LIVELINK USES THAT UNDER THE COVERS(OSCRIPT CODE IN DIRECTORY SERVICES MODULE) TO GRANT YOU SINGLE SIGN ON.I AM YET TO TRY MY HANDS ON JAVA BASED OTDS(RCS) BASED DIRECTORY SERVICES

Many users who know me from my contributions ask me to write code that helps with their livelink problems.In many cases it is very new programmers who get assigned to write these.They expect almost without success to find snippets of livelink webservice code thru google etc.I have not frankly understood programmer hurry like this but when you program it does not hurt to put a rational outline on what you are trying to do.In any case OT official dom is very notorious for non hand holding.In fact when I first started writing Dr Lapi I seriously doubt if there was a working sample of lapi code you could find in the web.Now that they have started to tell people not to use LAPI they need to put a lot of working examples as a livelink implementation can become very complicated over years of use and maturity.Also customization can alter ways of its working.

SSO or single sign on is not impersonation in livelink.If you have a ID in livelink with System Admin privileges it is very easy to gain access to livelink and do things as another user.While that sounds very insecure the actions are all audited.It is available in Unix,MS and many other applications hence impersonation is nothing to be considered as lowly.However I take exception when you advertise impersonation as SSO.

SSO is mostly applied to a company Intranet.When people and computers need to be managed they would employ a directory server which usually understands the LDAP protocol.In MS centred organization you would hear as Active Directory,in novell it is NDS,in IBM it may be a Domino or is it Tivoli? server,in SUN /ORACLE places it could be their ldap server.When you sign into a domain held computer unbeknownst to you you have established a trust between your device and the company network.So any other application need to trust you for what you are.that is proper SSO.In web application when you hit a IWA enabled website your browser exchanges a 401 challenge which when successful will populate certain environment variables the famous one REMOTE_USER.In a proper livelink SSO exchange we take that env variable and sign you in.In the livelink database such a user would be called a ‘Externally Authenticated’ user.

Well here’s how I got my CS10 Update 6 VM working with SSO code.I write a long word document detailing my challenges but this is the best short way I can give to the community.My research material is uploaded in the communities web site.In retrospect OT is expecting you to use the OTDS java web server maybe to get applications to integrate.That is when you hear terms such as RCS etc.

LIVELINK SETUP

  1. I configured otdsintegration to use webserver authentication.Meaning otdsintegration oscript module allows you a radio button to do web server authentication.I did not configure OTDS(RCS) as I do not have a domain and AD in my VM.
  2. I made the IIS VD for livelink IWA
  3. I checked whether I could login as my domain user in my case my user called ‘Administrator’ I verified what admin.testargs passed in to me
  4. I downloaded old directory services code and installed it luckily there was aversion for CS10.I had to because the otdsintegration module gets you web authentication but not web services authentication.
  5. I put my computer on IPv4 to first test it
  6. I made these changes to my opentext.ini
  7. [Security]
  8. #REM when you install directory services module you can get this ospace
  9. Authentication=NTLM
    #REM when IPV6 is installed the crazy looking things is a oscript bug and its defeat by me found thru builder
    CGIHosts=::ffff:127.0.0.1,fe80::2d54:a6cb:b5d2:b145%11 I think the code is looking for socket.pPeeraddress
  10. which is the address of the client in fact they should not do that but in IPv4 it is all OK
    #REM127.0.0.1 is added by livelink code but the computers IPv4 address
    #CGIHosts=
  11. the Web.Config changed for NTLM for the livelink webservices  application

CLIENT CODE C# SETUP

  1. App.Config reflected to the same NTLM auth as in Web.Config
  2. Added System.IO
  3. That is about it.

Client stack traces are almost impossible to understand unless you understood livelink code.Since I understood it and was able to understand what they were doing I am providing this.Your setup could vary I have no clue.

Link 1-Interested programmers could see my setup for CS10U6 here—

Link2-The C# solution containing a basic piece of code Kyle Swidrowich Created which I repurposed 🙂

Link3-Livelink Web.Config tthat you have to do for webservices

Link4-My experience when Livelink was 9.7.1wanted to write SSO code