IBM Content Search Server (CSS) INSO

When you install the IBM CSS engine client, it updates the CE EAR file with INSO information.

If INSO is not installed correctly, you will find the job in the ‘Indexed Queue’ waiting for processing.

The first thing to check is the CE Context Ping page for the ‘INSO Version’ entry.

There are two reasons why this entry might be missing:

  1. You have not redeployed the updated EAR file. This should be the EAR file in this location: ‘../ContentEngine/tools/configure/profiles/…’.

  2. The client installation did not update the INSO information. If this is the case, you can run the CSSClientTool manually:

CSSClientTool.sh ../ContentEngine/tools/configure/profiles/<profile>/ear/Engine-ws.ear ../java/bin

Then redeploy the EAR.


SSO Configuration

I recently configured SSO in my current project and would like to share my experience.

The setup had the following components:

  • IBM DB2
  • IBM WebSphere
  • Oracle Access Manager
  • IBM FileNet P8 Content Engine
  • Pega
  • IBM HTTP Server
  • Oracle Web Gate
  • AIX

The first step in getting SSO to work is to make sure a valid JAAS subject is created by WebSphere and Oracle Access Manager.

If you are developing a custom web component (e.g. JSP pages or servlets), this can be achieved using the Oracle TAI configuration on WebSphere. The JAAS subject will be propagated by the WebSphere container. In this scenario, all the WebSphere instances should have the Oracle TAI configured. The Oracle TAI will create a JAAS subject for the web application (WAR or EAR) only if security is enabled for the app. Later in this post I will explain how to enable this security.

If you are developing a custom EJB client service, then you need to have LTPA/LDAP configured as detailed here. This configuration is the same as the one done for Workplace XT. The CE connection will use an EJB call that propagates the JAAS subject via LTPA. If you have a federated LDAP, copy the exact configuration from the CE box to every client box that will consume the service.

The CE EJB call expects a valid JAAS subject in the request thread. For SSO we do not need to push/pop the JAAS subject.

SSO CE Connection

    UserContext tempUC = new UserContext();
    tempUC.setLocale( origUC.getLocale() );
    // uriEJB = iiop://server:port/FileNet/Engine
    connection = Factory.Connection.getConnection( uriEJB );

Enable Security for Web Application

Update web.xml with the following configuration

    <security-role>
        <description>All application users</description>
        <role-name>user</role-name>
    </security-role>

    <security-constraint>
        <display-name>Basic Security</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Resources</web-resource-name>
            <description>Constraint for protected resources</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

Once the application is deployed, you need to map the ‘user’ security role to ‘Trusted Realms’. This can be done using the WebSphere admin console.
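A security-constraint that names http-method elements applies only to the methods it names, so with the descriptor above the auth-constraint on /* covers GET, POST and HEAD and nothing else unless the descriptor also declares deny-uncovered-http-methods (Servlet 3.1). The following check is an added example, not part of the original post: it parses a web.xml and reports, per url-pattern, the methods that no constraint covers. The sample descriptor is constructed from the snippet above, the method list is an assumption of the example, and url-patterns are compared literally.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from this page inside a minimal <web-app>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Assumption of this example: the set of methods worth checking.
METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def _kids(elem, name):
    """Children called `name`, ignoring any XML namespace on the descriptor."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    """Stripped text of every child called `name`."""
    return {(c.text or "").strip() for c in _kids(elem, name)}

def uncovered_methods(web_xml):
    """Map each url-pattern to the methods no security-constraint names for it."""
    root = ET.fromstring(web_xml)
    if _kids(root, "deny-uncovered-http-methods"):
        return {}  # Servlet 3.1: the container rejects uncovered methods itself
    covered = {}
    for constraint in _kids(root, "security-constraint"):
        for wrc in _kids(constraint, "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            # No <http-method> at all means every method except the omitted ones.
            methods = listed or (set(METHODS) - omitted)
            for pattern in _texts(wrc, "url-pattern"):
                covered.setdefault(pattern, set()).update(methods)
    return {p: [m for m in METHODS if m not in done]
            for p, done in covered.items() if not done.issuperset(METHODS)}

if __name__ == "__main__":
    for pattern, methods in uncovered_methods(WEB_XML).items():
        print(f"{pattern}: not covered by any constraint: {', '.join(methods)}")
```

Removing the three http-method elements makes the constraint apply to every method, and the check then returns an empty result.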

 

 

 


Deploying Marking Set

If you are using marking sets in your data model, deploying a marking set in another environment can be a challenge because you need to create it manually.

Marking sets are created in the GCD and are therefore not part of the import/export of the data model.

You can use the Add-On approach to add the marking set in a different environment while keeping the GUID of the marking set the same in each environment.

Here is how to do it.

  • Create an empty import XML file for the Add-On (I copied it from one of the existing Add-Ons in EM).

e.g. MarkingSetAddon.xml

<?xml version="1.0" ?>
<ObjectManifest EMVersion="3.5.1000.58">
  <LifeCycleActions/>
  <LifeCyclePolicies/>
  <ChoiceLists/>
  <PropertyTemplates/>
  <ClassDefinitions/>
  <Folders/>
  <Documents/>
  <Annotations/>
  <EventActions/>
  <EventSubscriptions/>
  <Others/>
  <ReferentialContainmentRelationships/>
  <DynamicReferentialContainmentRelationships/>
</ObjectManifest>

  • Change the script below to suit your requirements. (This is the pre-import script from the 4.5.1 CFS ICI Lockdown Extensions Add-On; it creates the CmFederatedLockMarkings marking set and the Locked marking.) Make sure you change the GUID.

Name the script with .js extension. e.g. create_marking.js

importPackage(Packages.org.mozilla.javascript);
importPackage(Packages.com.filenet.api.core);
importPackage(Packages.com.filenet.api.collection);
importPackage(Packages.com.filenet.api.constants);
importPackage(Packages.com.filenet.api.util);
importPackage(Packages.com.filenet.api.exception);
importPackage(Packages.org.apache.log4j);

//-----------------------------------------------------------------------------
// This is the well-known Id for the CFS Federated Lock Markings MarkingSet.
// A reference to this Id is HARD CODED in the Object Manifest for the
// AddOn, i.e. CFS-ICILockdownObjects.xml and should NOT be changed
//-----------------------------------------------------------------------------
var gCmFederatedLockMarkingsId = new Id("{225293b0-158e-11de-8c30-0800200c9a66}");
var gLogger = Logger.getLogger("filenettracing.api.detail");

//-----------------------------------------------------------------------------
// This script creates the MarkingSet used by CFS/ICI to "lockdown" documents
// that have been federated from a P8 repository. Federated documents are
// locked down when they are declared records in the "destination" repository,
// that is the P8 repository the document has been federated to.
//
// This script is as a "PreImportScript" as part of the CFS-ICI AddOn.
// The Import Manifest for this AddOn includes a property template that
// references the Marking Set using the ID specified above.
//
// Note: the script only creates the Marking Set if it doesn't already exist
//-----------------------------------------------------------------------------
function PreImportScriptMethod(ObjectStore) {
    gLogger.debug("CFS-ICIAdd: Start PreImportScriptMethod");
    var thisDom = ObjectStore.get_Domain();
    var mSetName = "CmFederatedLockMarkings";
    // var mSet = getMarkingSetById(thisDom, gCmFederatedLockMarkingsId);
    var mSet = getMarkingSetByName(thisDom, mSetName);
    if (mSet == null) {
        //---------------------------------------------------------------------
        // The MarkingSet didn't exist so we must create it
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Creating a Marking Set");

        mSet = thisDom.createObject("MarkingSet", gCmFederatedLockMarkingsId);

        //---------------------------------------------------------------------
        // Set its Display Name
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Setting the MarkingSet.Display name to '" + mSetName + "'");
        mSet.set_DisplayName(mSetName);

        //---------------------------------------------------------------------
        // Indicate whether or not it is hierarchical
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Setting MarkingSet.IsHierarchical to 'False'");
        mSet.set_IsHierarchical(false);

        //---------------------------------------------------------------------
        // Create the Lockdown Marking
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Creating the Locked Marking");
        var ldMarking = createMarking("Locked");

        //---------------------------------------------------------------------
        // Add the Locked Marking to the Markings collection
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Creating a MarkingList");
        var ml = Factory.Marking.createList();

        gLogger.debug("CFS-ICIAddOn: Adding the Locked Marking to the Marking List");
        ml.add(ldMarking);

        gLogger.debug("CFS-ICIAddOn: Adding the Marking List to " + mSetName);
        mSet.set_Markings(ml);

        //---------------------------------------------------------------------
        // Save the MarkingSet
        //---------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Saving the MarkingSet");
        mSet.save(RefreshMode.REFRESH);
    } else {
        gLogger.debug("CFS-ICIAddOn: " + mSetName + " already exists");
    }
    gLogger.debug("CFS-ICIAddOn: End PreImportScriptMethod");
}

function getMarkingSetById(thisDom, msId) {
    gLogger.debug("CFS-ICIAddOn: Start getMarkingSetById");
    gLogger.debug("CFS-ICIAddOn: Fetching: " + msId);
    var theMarkingSet = null;
    try {
        theMarkingSet = thisDom.fetchObject("MarkingSet", msId, null);
    } catch (e) {
        //---------------------------------------------------------------------
        // Check to see if this was caused by an object not found error
        // If it isn't, then we rethrow the exception
        //---------------------------------------------------------------------
        if (e instanceof JavaException) {
            var jEx = e.javaException;
            if (jEx instanceof EngineRuntimeException) {
                if (jEx.getExceptionCode() == ExceptionCode.E_OBJECT_NOT_FOUND) {
                    gLogger.debug("CFS-ICIAddOn: A MarkingSet with Id = " + msId + " was not found");
                } else {
                    throw e;
                }
            } else {
                throw e;
            }
        } else {
            throw e;
        }
    }

    gLogger.debug("CFS-ICIAddOn: End getMarkingSetById");
    return theMarkingSet;
}

function getMarkingSetByName(thisDom, msName) {
    gLogger.debug("CFS-ICIAddOn: Start getMarkingSetByName");
    gLogger.debug("CFS-ICIAddOn: Fetching " + msName);
    var theMarkingSet = null;
    //---------------------------------------------------------------------
    // Iterate over the collection of MarkingSets until we find one
    // with a name that matches the name we are looking for
    //---------------------------------------------------------------------
    var allMarkingSets = thisDom.get_MarkingSets();
    if (allMarkingSets != null) {
        var it = allMarkingSets.iterator();
        while (it.hasNext()) {
            var ms = it.next();
            if (ms.get_DisplayName().length() > 0) {
                var name = ms.get_DisplayName();
                if (name.equalsIgnoreCase(msName)) {
                    //-------------------------------------------------
                    // We found a match so we break out of the loop
                    // and set the return value to the MarkingSet we found
                    //-------------------------------------------------
                    theMarkingSet = ms;
                    gLogger.debug("CFS-ICIAddOn: Found " + msName);
                    break;
                }
            }
        }
    } else {
        //------------------------------------------------------------------
        // This will happen if there are no Marking Sets defined
        //------------------------------------------------------------------
        gLogger.debug("CFS-ICIAddOn: Domain.get_MarkingSets() return NULL");
    }

    //----------------------------------------------------------------------
    // If we didn't find the MarkingSet we're looking for, we return NULL
    //----------------------------------------------------------------------
    if (theMarkingSet == null) {
        gLogger.debug("CFS-ICIAddOn: " + msName + " not found");
    }
    gLogger.debug("CFS-ICIAddOn: End getMarkingSetByName");
    return theMarkingSet;
}

function createMarking(mName) {
    gLogger.debug("CFS-ICIAddOn: Start createMarking");
    //---------------------------------------------------------------------
    // Create the marking
    //---------------------------------------------------------------------
    gLogger.debug("CFS-ICIAddOn: calling Factory.Marking.createInstance()");
    var theMarking = Factory.Marking.createInstance();

    //---------------------------------------------------------------------
    // Set the marking value
    //---------------------------------------------------------------------
    gLogger.debug("CFS-ICIAddOn: Set its value to " + mName);
    theMarking.set_MarkingValue(mName);

    //---------------------------------------------------------------------
    // Set the ConstraintMask property
    //---------------------------------------------------------------------
    gLogger.debug("CFS-ICIAddOn: Set the constraint mask to mask out the Delete, Write, Write Owner, Write ACL and Change State access rights");
    theMarking.set_ConstraintMask(AccessRight.DELETE_AS_INT
            + AccessRight.WRITE_AS_INT
            + AccessRight.WRITE_OWNER_AS_INT
            + AccessRight.WRITE_ACL_AS_INT
            + AccessRight.CHANGE_STATE_AS_INT);
    gLogger.debug("CFS-ICIAddOn: End createMarking");
    return theMarking;
}

  • Create a new Add-On with MarkingSetAddon.xml and create_marking.js (as the pre-import script). Keep all other options at their defaults.
  • Now select any existing object store. Right-click, select ‘All Tasks’ and then select ‘Install Add-On’. Select the custom Add-On you created.
  • Refresh Marking Sets. You will see your new marking set.

 
