Single Sign On and Content Web Services Update

Update 04/28/2016

Pre- Requisites– Livelink 10/10.5/16  Server configured for Single Sign On using IWA . This is for users/companies who allow REMOTE_USER to trickle into livelink. If you have configured your livelink to use OTDS or simply said if OTDS is actually responsible for providing the Authentication then this post does not address that.In CWS which involves a OTDS server you are sourcing your authentication(read a different WSDL than the livelink authentication WSDL) from that.The theory there is your wsapi computer or client will pass your kerberos authentication and OTDS will vet that with AD/DC and pass it back. This OTDS ticket is now usable in your code.


Sample Setup on the WSAPI WEBSERVER

  1. Copy the webservices from OpenText  to a folder in the IIS server.For ease we assume your livelink server is on the same host and knows how to handle REMOTE_USER.If you want to run your livelink on another server edit the Web.Config to give it the real server name and port.I doubt if my setup can span computers never tested it that way.
  2. Configure an application that looks like the screen capsso setup
  3. Make sure it has IWA turned onsso1and make sure Extended Protection is OFF
  4. If not already done create a logs directory that is at the same level as \bin and manage its permissions correctly.This can also be done by doing a setspn which is really an advanced topic.The intent is when the client code hits this WSDL the application pool identity will transfer your remote_user and windows will do all that acl
  5. Edit the Web.Config carefully after making a copy .I am showing you changes highlighted for Authentication,DocumentManagement& ContentService.The file is rife with several possibilities so start with these 3 and mature into SSL and others Web.Config
  6. Give the WSDL a whirl .If it cant create a service or the green lines it is not a fault of OT.This is all windows WCF configuration.Check Microsoft sites or google for your errors.Things I check is that if all is successful the logs directory will show windows logs
  7. If the WSDL can now be put into a real source code file and you get errors in your client file the log files will indicate the errors coming from livelink. Note if you were using code form anonymous livelink/wsapi  you need to rebuild the source after updating the wsdl’scode
  8. The above were tested on a CS10 with oscript directory services and patches for SSO. I wrote a client WS which uses windows authentication and gave it to our app dev team.

If you have the chance to code in this you will be very pleased

LAPI What is It and Should I use it ?


Realized that OT is supporting old LAPI for their product called Enterprise Scan,Escan used to be completely a client app so if the Livelink server connecting to it is CS16 then OT ask you to install a module.Surreptitiously they call it “Private Bridge Interface” which is all the LAPI Oscript code conveniently bundled into its own Ospace.My guess is this will continue until ESCAN and AGA and other OT bread winners convert to SOAP or REST.


Update:12/29/2015 OT has announced that with the launch of CS 16 there will be no server side oscript to receive lapi calls so don’t waste your time reading this or programming in it.Just keeping this for vestigial reasons.

At time of this writing circa Feb 2013. Open Text’s livelink has been in the market for about 18 years and a fairly loyal fan share.The core software was always enhanced /added on by Oscript but for programmers who wished to do utilities such as adding user’s en masse, deleting things en masse et there was LAPI which stood for Livelink Application Programming Interface  .In its inception what I used to see in around 2000,you could program in Java,which I did,there was VB6,there was then C & C++. Vended products such as Livelink Explorer,Authorlink, Autocad Integration etc was around there.In a nut shell these were the steps that one used to take.

  1. Install or copy lapi client files in your computer
  2. Write a program
  3. Compile it and run.

@RunTime the first call which everybody knew as Session creation was akin to Tel netting to the livelink server on Port 2099(default livelink server listening port). As time went by OT added a lot of calls at the LAPI server side so people built a lot of cool things.But there were problems in a way that as modern OOP languages came along they abhorred the idea that livelink was giving them Data structures(LLValue Objects) and making them work thru that.So OT did a small stint they loaded the LAPI libraries on top of a web server and called it Live Services but at that point one could write a web service call.I think it died like the OT’s foray into JavaObjects to replace or do side by side coding as in Oscript. I never understood what one would use JavaObjects for. Note I am not talking about the Oscript to Java Bridge which I have messed with and is very useful.

With the release of 9.7.1 they bundled livelink web services as part of the livelink install the idea bing a company would just use the existing IIS or Tomcat investment and start creating a plumbing conduit into livelink.At CS10 they stopped making a installer for LAPI. I am told that this is because  they do not have the development resources to make libraries in several different languages.

The new web services are strongly typed,you never need to guess what you ask livelink and what you get in return.But while that is easy for a programmer to say and do the majority of programmers are called /hired to do something against livelink has no clue how livelink works.So that is where beautifully written /working hand holding programs are needed.Also a programmer need to understand what he is trying to do which may be as simple as logging into livelink and observing the different things.Jason Smith,Scott Grasley,Kyle Swidrowich these are all great OT programmers who are putting such structure into the new web services paradigm.Whenever I find time and needs some challenging stuff I also do put up some samples but most of my time nowadays are in oscript.

Coming back to LAPI the server side remains and will there be for what I can see. If OT basically puts their foot down and remove the API on the server then your program will not work. But then gain it probably is so far around you have no cause for concern.Not having an installer should be less worrying as any old API edition will work in java or a .NET language.That is what I do.I have a new 64 bit computer.I just copy the dll’s from a 32 bit machine and work on a .Net 2.0 framework.I also lost touch of java somewhere along the way.I guess I will have to brush up because OT is going to get us all programming in Eclipse 🙂

So in conclusion it really is your preference on how to code and how well to save your investment

A LAPI call received in the heart of livelink in oscript.If the AccessEnterprise call one sample was not there your investment would suffer


Going by the same token a web services call received in livelink


As you can see when you program in a client application your call needs to come into livelink.In web services they use the web server to get into livelink code.

At this point you are able to create a lapi code page and call the web services code or a web services code piece and call lapi .Increasingly over time lapi server side will cease to be and no effort will go into its up keep.In older versions of web services they used the LAPI dispatcher to send in the web services command now I don’t think it has a dependency on that.

Chris Morley’s comment a little more computer trained person than me

Almost Diatribe from an angry user it is fun

HTTPS with Webservices in Livelink

Contrary to stuff that I do this post is basically something I hacked together to make it work.I must have received at least 50 emails for several web services questions.In the absence of OT providing good easy to understand hand holding examples I offer these.If OT ‘s thinking is basically to code a web service a developer needs to take paid training all those things have come to pass.Almost every programming language snippets are available and so there is an expectation that the Vendor provides proper code samples.What I think they should start putting quality samples like what Jason is attempting &  conducting webinars .They could do several official things such as how to code when RCS is present, what is the difference between Enterprise Library Services & Livelink web services,How does the new OTDS come into authenticationg into livelink,What one should do and not do,many things the livelink programming community needs help on.This in my mind will ensure a good talent pool of programmers out there who would do things as OT intends to.

I naturally like to understand what I am doing unfortunately in this installment I have resorted to mostly ‘trial & error’

HTTPS and Livelink Web Services code

As we learned on our SSO attempt and livelink web services this time we start with this

Part 1

  1. Make VM IPv4 and disable IPv6 it should work for IPv6 provided you do the stuff in my previous blog.
  2. Make sure the IIS7 livelink webserver is functioning fine
  3. Make sure anonymous(livelink) authentication is fine  i.e.’ we can login as the powerful ‘Admin’ and the right password.
  4. Now with our baseline favorite Kyle Swidrowich’s piece of code start making it work without https
  5. We then make IIS HTTPS. Note you cannot make a webserver https commercially without shelling some money.HTTPS needs a certifying authority. For purposes of demonstration I will be using Microsoft’s self-signing certificate. Self-signing certificates are the same secure protocol other than the fact that a commercial company will not stand by it. Products such as archive server uses self-signing certs and OT bundles a signer program so I have used it many times to create closed loops between SAP ,livelink and archive server. For the completely uninitiated a secure transmission means only with the private key can you decipher the communication between the browser and the application so snooping with fiddler/wire shark etc. will give you a lot of garbled messages.
  6. So we manage to login as HTTP on that livelink

Again VC#, At this point this looks promising, Now add quickly DocumentManagemnt.svc and ContentService.svc as well Try Kyle’s code and make it work for HTTPS .Perfect everything works we added the document

Part 2


I used this site and followed that

see how simple it was for me a non MS/IIS person to figure this out that is what we sadly lack with OT.

BTW word press cannot do embedded images from my word document.I have the word document replete with screen caps in communities.

And this Now for good measure we need to remove http

If you remember a posting I made and Guy Pomerleaux commented if you have http and https running and OT web services code  is accessed you don’t really know you are talking https unless you do this. To keep it simple my livelink is now HTTPs Web GUI or web services. Perhaps if you leave a http listening port this would make your coding easier, but since I am doubtful which protocol will be used I resort to this.My builder program reports HTTPS=on that tells me everything is SSL.

We say yes to the IE warning and proceed to our newly created Livelink website which is now on HTTPS

We have cert errors even after we import the cert to keep IE happy

But I guess it will complain until I paid VeriSign or Thawte some money Perhaps readers can pool some money and buy me a certificate J for all practical purposes I am https

When I try to change my web service references we get this

I say yes

I got this and plenty of yellow looking errors at the livelink web services server when I tried to call the web service. Too many to list and too unknowing to comment on the mumbo jumbo.Essentially at this point I am trying on the server to get this service created.


Several errors ensued which I basically got around by removing all traces of places I thought was written for HTTP stuff.

So I remembered form my 9.7.1 that there is some SSL binding stuff we have to do on the web services on the server. So we make a copy of the Web.Config and try it.

Mostly if you remove everything that did not contain SSL and enable the SSL stuff it should work.

Also could not establish trust relationship means you have to install the certificate into the trusted certificate store

A working Web.Config you can find a working app.config you can also find. I am not able to explain the mumbo jumbo as it is mostly trial and error. I hope if any OT knowledgeable people read this they would conduct a webinar on how to do this.

Link 1 The above article replete with screen caps as a word doc

Link 2 The Web.Config that goes on the web services install that works for me 

Link 3 The App.Config from my C# application

Single Sign On and Content Web Services for a livelink server

04/28/2016 Why am I keeping this ?This is obsolete like hell




Many users who know me from my contributions ask me to write code that helps with their livelink problems.In many cases it is very new programmers who get assigned to write these.They expect almost without success to find snippets of livelink webservice code thru google etc.I have not frankly understood programmer hurry like this but when you program it does not hurt to put a rational outline on what you are trying to do.In any case OT official dom is very notorious for non hand holding.In fact when I first started writing Dr Lapi I seriously doubt if there was a working sample of lapi code you could find in the web.Now that they have started to tell people not to use LAPI they need to put a lot of working examples as a livelink implementation can become very complicated over years of use and maturity.Also customization can alter ways of its working.

SSO or single sign on is not impersonation in livelink.If you have a ID in livelink with System Admin privileges it is very easy to gain access to livelink and do things as another user.While that sounds very insecure the actions are all audited.It is available in Unix,MS and many other applications hence impersonation is nothing to be considered as lowly.However I take exception when you advertise impersonation as SSO.

SSO is mostly applied to a company Intranet.When people and computers need to be managed they would employ a directory server which usually understands the LDAP protocol.In MS centred organization you would hear as Active Directory,in novell it is NDS,in IBM it may be a Domino or is it Tivoli? server,in SUN /ORACLE places it could be their ldap server.When you sign into a domain held computer unbeknownst to you you have established a trust between your device and the company network.So any other application need to trust you for what you are.that is proper SSO.In web application when you hit a IWA enabled website your browser exchanges a 401 challenge which when successful will populate certain environment variables the famous one REMOTE_USER.In a proper livelink SSO exchange we take that env variable and sign you in.In the livelink database such a user would be called a ‘Externally Authenticated’ user.

Well here’s how I got my CS10 Update 6 VM working with SSO code.I write a long word document detailing my challenges but this is the best short way I can give to the community.My research material is uploaded in the communities web site.In retrospect OT is expecting you to use the OTDS java web server maybe to get applications to integrate.That is when you hear terms such as RCS etc.


  1. I configured otdsintegration to use webserver authentication.Meaning otdsintegration oscript module allows you a radio button to do web server authentication.I did not configure OTDS(RCS) as I do not have a domain and AD in my VM.
  2. I made the IIS VD for livelink IWA
  3. I checked whether I could login as my domain user in my case my user called ‘Administrator’ I verified what admin.testargs passed in to me
  4. I downloaded old directory services code and installed it luckily there was aversion for CS10.I had to because the otdsintegration module gets you web authentication but not web services authentication.
  5. I put my computer on IPv4 to first test it
  6. I made these changes to my opentext.ini
  7. [Security]
  8. #REM when you install directory services module you can get this ospace
  9. Authentication=NTLM
    #REM when IPV6 is installed the crazy looking things is a oscript bug and its defeat by me found thru builder
    CGIHosts=::ffff:,fe80::2d54:a6cb:b5d2:b145%11 I think the code is looking for socket.pPeeraddress
  10. which is the address of the client in fact they should not do that but in IPv4 it is all OK
    #REM127.0.0.1 is added by livelink code but the computers IPv4 address
  11. the Web.Config changed for NTLM for the livelink webservices  application


  1. App.Config reflected to the same NTLM auth as in Web.Config
  2. Added System.IO
  3. That is about it.

Client stack traces are almost impossible to understand unless you understood livelink code.Since I understood it and was able to understand what they were doing I am providing this.Your setup could vary I have no clue.

Link 1-Interested programmers could see my setup for CS10U6 here—

Link2-The C# solution containing a basic piece of code Kyle Swidrowich Created which I repurposed 🙂

Link3-Livelink Web.Config tthat you have to do for webservices

Link4-My experience when Livelink was 9.7.1wanted to write SSO code