MSC SimManager Enterprise Edition R3.1. Installation and Administration Guide

Transcription

1 MSC SimManager Enterprise Edition R3.1 Installation and Administration Guide

2 Corporate MSC.Software Corporation 2 MacArthur Place Santa Ana, CA Telephone: (800) FAX: (714) Europe MSC.Software GmbH Am Moosfeld Munich GERMANY Telephone: (49) (89) Fax: (49) (89) Asia Pacific MSC.Software Japan Ltd. Shinjuku First West 8F 23-7 Nishi Shinjuku 1-Chome, Shinjuku-Ku Tokyo , JAPAN Telephone: (81) (3) Fax: (81) (3) Worldwide Web This documentation, as well as the software described in it, is furnished under license and may be used only in accordance with the terms of such license. MSC.Software Corporation reserves the right to make changes in specifications and other information contained in this document without prior notice. The concepts, methods, and examples presented in this text are for illustrative and educational purposes only, and are not intended to be exhaustive or to apply to any particular engineering problem or design. MSC.Software Corporation assumes no liability or responsibility to any person or company for direct or indirect damages resulting from the use of any information contained herein. The software described herein may contain certain third-party software that is protected by copyright and licensed from MSC.Software suppliers. To the extent that SimManager Enterprise includes IBM components, such components may only be used as part of SimManager Enterprise. Additional information regarding third party software is available at MSC and SimManager are trademarks or registered trademarks of MSC.Software Corporation or its subsidiaries in the United States and/or other countries. FLEXlm is a registered trademark of Macrovision Corporation. All other brand names, product names or trademarks belong to their respective owners. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR (Commercial Computer Software) and DFARS (Commercial Computer Software and Commercial Computer Software Documentation), as applicable. Copyright 2008 MSC.Software Corporation. All Rights Reserved. Printed in the U.S.A. Any reproduction or distribution of this document, in whole or in part, without the prior written consent of MSC.Software Corporation is strictly prohibited. Date: 9/24/08 SMEN:R3.1:Z:Z:Z:DC-OPS

3 Contents MSC SimManager Enterprise Edition R3.1 Installation and Administration Guide 1 About this Guide Introduction 2 Organization of this Guide 3 Related Documentation 4 Technical Support 5 2 SimManager Topology and Overview Introduction to SimManager Enterprise Edition 8 SimManager Topology 9 Overview of System Components 11 Creating a Development and Production Environment 13 Production System 13 Configuration and Test Environment 13 Defining Roles and Responsibilities 14 3 Hardware and Software Requirements Overview 16 Supported Hardware Platforms 16 Prerequisite Software Requirements 17 Server-side Software Requirements 18 License Server (1 Required) 18 Web Application Server (1 required) 19 Relational Database Server (1 required) 20 Optional Server-Side Components 21 Client-side Software Requirements 23

4 iv 4 Preparing for SimManager Installation Overview 28 Installing Prerequisite Software 28 Steps for installing MSC.Software Solutions Download Center files 30 SimManager Enterprise 30 IBM WebSphere Application Server 31 IBM DB2 Universal Database: 32 IBM DB2 Universal Database Setup Utility: 32 Analysis Manager 33 Installing a Web Application Server 34 Installing the WebSphere Application Server 34 Installing the Tomcat Web Application Server 46 Installing the JBoss Web Server 46 Installing a Database Server 49 Installing IBM DB2 Database Server 49 Installing Oracle Database Server 79 Installing Microsoft SQL Server 81 Utilities 83 Security and User Authentication Software 85 Job Scheduling/Queuing Software 85 Installing X Virtual Frame Buffer 99 Installing Xvfb on AIX 99 Installing Xvfb on Linux and Solaris 99 5 Installing and Deploying SimManager Overview 106 Product Licensing with FLEXlm 107 Product Licensing 107 Obtain Licenses 107 Windows 107 Unix 109 Client Access/User licensing 111 Network User licensing 111 Named User licensing 111 Installing and Deploying SimManager 112 Installing SimManager 114 Performing a Full/Typical Installation 114

5 CONTENTS v Activating Portal 126 Setting up the Workspace Launcher 126 Starting the Portal Activation Process 127 Specifying the Directories 128 Logging In 130 Selecting a Portal 130 Specifying the Portal Instance Name 131 Specifying the Database Configuration Information 132 File Vault Configuration Dialog Box 136 Initializing the Knowledge Base 139 Specifying the Load Data File 141 Setting Properties 142 Installed SimManager Enterprise Directory Structure 144 Confirming the Installation 146 Performing a Custom Installation 148 Testing the Installation 150 Setting up SimManager in a clustered WebSphere environment System Administration Overview 156 Administrative Tools 157 SimManager Classic Studio 157 SimManager Eclipse-based Studio 158 Running the Activate Command 158 SimManager Batch Admin Tool 158 Administrative Functions 160 Creating and Deleting SimManager Databases 160 Matching a SimManager Database to the RDBMS 160 Vault Management 170 Vault Administration 172 Revision Change Notification 178 Authorization and Authentication 180 Authorization Rules and Concepts 180 Authentication 192 Authorization 207 Users 208 Organizing Your Work with Hierarchical Projects 236 Projects and Domains Providing Context for Your Data 236 Hierarchical Context Structures 237

6 vi Refined Context Data Model and Migration 239 User and Profile Roles for Hierarchical Projects 240 Action Selection Rules, Action Classification 241 Web Server Administration 243 Support for Load Balancing and Failover 243 Load Balancing setup on Apache/mod_jk/Tomcat 244 Application Connection pooling 248 Portal Configuration 269 Global properties and preferences 269 Database Manager Settings 270 SimManager.properties File 275 Portal.properties and PortalDefinition.properties 276 Defining Units 281 Logging 284 Specifying Mime-type Mapping 285 Lifecycle Management and System Actions 287 Security Labels and Attributes 287 Object Life-cycle Management 293 Life-cycle Process 294 Configuring Life Cycle Behavior 296 Clearing References on Delete 306 Action Permission Checking 306 Execution Privilege 307 Action Permission Checking 311 A Troubleshooting and FAQ Overview 314 Error Messages 315 Tomcat Temp Folder 318 IBM DB2 319 WebSphere Admin Console 321 Mimetype Mapping Problems 322 Web Browser Problems 323 SimManager Startup Error on Tomcat Web Server 324 System Administration 326

7 CONTENTS vii WebStart FAQ 328 B Backup and Recovery Guide Backup and Recovery 332 Introduction 332 SimManager Database/Vault Architecture 332 General Backup and Recovery Considerations in SimManager 334 Offline Backup 335 Online Backup Methods with Tivoli Storage Manager 335 Alternate Online Backup Methods 340 C Tivoli Directory Server Installation for Windows Introduction 342 Installation Process 343 DB2 and IBM Directory Server 343 IBM Tivoli Directory Server Instance 347 IDS Web Administration Tool 354 Starting WAS express version 354 Adding Directory Server Instance to IDS Web Administration Tool 355 Verifying the Installation of IDS 357 D Enterprise Connect Deployment and Usage Guide Deployment of Enterprise Connect Module 360 Deployment of OpenPDM Server 360 PasswordManager 360 Batch Applications set up 360 Interactive client set up 361 Usage of Enterprise Connect Module 362 Batch PDM Import(CSAE) 362 Batch PDM Export (CSAE) 362 Interactive PDM Import 364

8 viii

9 Chapter 1: About this Guide 1 About this Guide Introduction 2 Organization of this Guide 3 Related Documentation 4 Technical Support 5

10 2 Introduction Introduction This guide describes how to install the MSC SimManager Enterprise Edition R3.1 suite of software and to activate a portal. A portal makes it possible to efficiently perform the basic patterns of operations that occur in the simulation process. It makes the virtual product development (VPD) process effective by enabling organizations to perform more simulations earlier in the development cycle. This enables companies to make intelligent decisions earlier and with more confidence, which ultimately leads to better products, improved quality and lower cost of operation for the consumer.

11 Chapter 1: About this Guide Organization of this Guide 3 Organization of this Guide This guide consists of the following chapters and appendices: SimManager Topology and Overview, 7 Hardware and Software Requirements, 15 Preparing for SimManager Installation, 27 Installing and Deploying SimManager, 105 System Administration, 155 Troubleshooting and FAQ, 313 Migration Guide, 331 Backup and Recovery Guide, 331 Tivoli Directory Server Installation for Windows, 341 Enterprise Connect Deployment and Usage Guide, 359

12 4 Related Documentation Related Documentation Additional SimManager documentation includes the following PDF files and an online user guide in HTML: MSC SimManager Enterprise Edition R3.1 Release Guide MSC SimManager Enterprise Edition R3.1 Configuration and Deployment Guide MSC SimManager R3.1 User's Guide MSC SimManager Enterprise Edition R3.1 Process Builder User's Guide Online help for MSC SimManager Enterprise Edition R3.1 Classic Studio MSC SimManager Enterprise Edition R3.1 Programmer's Guide

13 Chapter 1: About this Guide Technical Support 5 Technical Support For help with installing or using an MSC.Software product, contact your local technical support. Our technical support services include: Resolution of installation problems Verification of code error For support information, go to the MSC.Software Web site: Here, you can find a wide variety of support resources, including application examples, technical application notes, and available training courses.

14 6 Technical Support

15 Chapter 2: SimManager Topology and Overview 2 SimManager Topology and Overview Introduction to SimManager Enterprise Edition 8 SimManager Topology 9 Overview of System Components 11 Creating a Development and Production Environment 13 Defining Roles and Responsibilities 14

16 8 Introduction to SimManager Enterprise Edition Introduction to SimManager Enterprise Edition SimManager facilitates simulation processes by integrating external batch-based server applications, enterprise databases, enterprise services and client applications. For optimal operation, it requires specific hardware, storage, and networking infrastructures. For successful SimManager deployment, an appropriate level of planning, design, and implementation (installation, configuration, and optional customization) is required. This chapter includes a system-wide overview for the systems administrator responsible for SimManager installation. Sections discuss the general requirements of the basic SimManager system including system components, SimManager topology, and roles and responsibilities of those involved in the project. Specific capabilities for a particular implementation are achieved by configuring and customizing the system. This process is described in detail in the MSC SimManager Enterprise Edition R3.1 Configuration and Deployment Guide. Note: You will also find installation instructions for basic deployment of the EnterpriseEdition Portal. This portal is intended to work in conjunction with other MSC.Software products such as SimXpert and SimDesigner. The sophistication of the SimManager environment can vary considerably, which may result in the need for additional hardware and software components.

17 Chapter 2: SimManager Topology and Overview SimManager Topology 9 SimManager Topology This section provides an overview of the SimManager topology and layout. While the scope of this can vary considerably, a simple, single system providing all the essential services is shown in the following diagram: Figure 2-1 Single System

18 10 SimManager Topology To achieve a scalable (high-availability) enterprise solution, a cluster setup is suggested in which the different services run on different systems or clusters of systems. Figure 2-2 Cluster setup

19 Chapter 2: SimManager Topology and Overview Overview of System Components 11 Overview of System Components The installation process assumes the performance of a Requirement and/or System Definition Assessment (RDA/SDA) in order to scope the infrastructure required for the intended usage. For this requirement to be met, it is assumed that the customer and the system solution architect have identified the software applications, their setup and configuration. The minimum set of operational software is: Server Relational database system Web application server File Vault Client Web browser As the installation grows and a scalable high-performance environment needs to be established, the individual components/services can be moved to different systems. Considerations for individual components include: Database - The database server (DB) of SimManager can be easily moved to a separate DB server. This can be a company's central database instance or a dedicated DB server just for SimManager. Since every transaction in SimManager includes DB transactions, the DB server needs to be readily available. To ensure the responsiveness of SimManager, make sure that the connection between the DB server and SimManager has very low latency. Compute server - As the execution of the procedures in SimManager can have demanding compute requirements in terms of CPU, memory, and I/O, we recommend that a compute cluster be established. To efficiently use the resources in the cluster, SimManager relies on a job-submission environment to schedule the individual compute tasks. High availability needs to be ensured for the submission host. Content Vault / Storage(file server) - In many instances of SimManager, a large number of data files need to be managed and stored. This requires the setup of a dedicated file server in the SimManager environment that considers near-term sizing requirements as well as future scalability. The file server needs to have high availability, because almost every transaction with SimManager involves file movements between the web server (or compute systems) and the file server. As the storage requirements grow with increasing maturity and use of the Portal, a hierarchical storage management system should be considered, which automatically migrates the less frequently used data files to a back-end tape archive.

20 12 Overview of System Components Web application server - As the number of users of SimManager grows, a cluster of web application servers should be considered with the appropriate load-balancing solution. LDAP server - For authorization, integration with an LDAP server is suggested, which manages user passwords in a central location. Typically, in an organization, there will already be a central LDAP server with which SimManager will interact as users log into the system.

21 Chapter 2: SimManager Topology and Overview Creating a Development and Production Environment 13 Creating a Development and Production Environment While planning a deployment, consider establishing a primary and secondary environment to ensure the highest reliability of the deployed system. The two environments are: Production system Configuration and test environment Establishing these two environments requires additional hardware, software, and personnel. You should factor in these requirements while planning for deployment. The approach has considerable value, however, as explained in the next sections. Production System When the completely configured system is ready for use by end users and system administrators, it can be deployed to the production environment. Do not configure or test on this system. We recommend that you create a test environment for this purpose. Configuration and Test Environment The configuration of the test system should be representative of the deployed SimManager environment. It is used to: Test patches and new software versions Experiment with configurations and processes Configure new processes Introduce a new simulation discipline Determine sizing requirements The configuration and test environment is the staging area for deployed configurations. This test environment does not require the disk space required for a deployed system. If handling sensitive data, however, it should remain on site for security and confidentiality reasons.

22 14 Defining Roles and Responsibilities Defining Roles and Responsibilities The following section defines the responsibilities and required capabilities of SimManager users and administrators. The process of installation will be primarily in the domain of the system administrator. Position End user Webmaster Configuration and deployment specialist Database administrator System administrator Database system integrator External process integrator Responsibilities The end user accesses the system through a web browser. The end user has no responsibilities for the configuration or installation of the system. The webmaster is responsible for initiating and maintaining an operational website. The webmaster should be familiar with the web server application and the site internet configuration. The configuration and deployment specialist modifies the configuration files and web pages to reflect the requirements of the customer s user population. The database administrator: Installs the target database and/or configures the database with the schema definition files Builds the database tables using SimManager administrative tools Monitors and tunes the performance The system administrator provides support for connecting the SimManager system to the site s infrastructure, which includes providing the configuration information for release procedures, the LDAP configuration and connection information, installation access, network support, and so on. The system administrator is responsible for monitoring and supporting the system for end users. The database system integrator designs the site s database schema and implements the schema using XML configuration files. The external process integrator implements the Action Encapsulation (AE) scripts for the SimManager system. These AE scripts are used to configure the information for an external process to run properly, execute the process, then capture the results and put them back into the database.

23 Chapter 3: Hardware and Software Requirements 3 Hardware and Software Requirements Overview 16 Supported Hardware Platforms 16 Prerequisite Software Requirements 17 Server-side Software Requirements 18 Client-side Software Requirements 23

24 16 Overview Overview The hardware and software requirements for a SimManager installation are derived from industrystandard technologies and widely available commercial products. Based on specific configuration, there may be other optional components. Some of these components are briefly mentioned in this chapter. The minimum requirements are described in the sections which follow. Supported Hardware Platforms For an initial deployment of SimManager, only a single machine is required. The recommended minimum system should have 3GHz processor, 4GB RAM, and disk space as required. For a typical, full deployment of SimManager, the minimum hardware environment should have: Web application server - 3 GHz processor, 4GB RAM, 30GB disk Database server - 3 GHz processor, 4GB RAM, 100 GB RAID 4 + disk File-server - 2 GHz processor, 512 MB RAM, RAID 5 storage with appropriate disk space Application cluster - Application-dependent sizing

25 Chapter 3: Hardware and Software Requirements Prerequisite Software Requirements 17 Prerequisite Software Requirements The following software applications must be available on the planned hardware environment before installing the SimManager system. See Overview of System Components, 11, for a brief description of high-level software requirements and configuration. The applications are: Browser (one required, client-side) Java Runtime Environment (JRE) Note: Java plug-ins may be required to perform client-side actions. Web application server (one required, server-side) Relational Database (one required, server-side) File vault server (one required, server-side) FLEXlm license server (required, server-side) The following optional software application may also be required before the installation and deployment of SimManager: Lightweight Directory Access Protocol (LDAP) compatible directory service The following additional software applications may be added during or after the installation and deployment of SimManager to enhance performance or extend capabilities: MSC SimXpert for advanced simulation functionality including template building/running that is seemlessly integrated with SimManager MSC SimDesigner for designer-level analysis that provides easy data publishing and template execution using SimManager. Patran for pre/post processing with advanced finite element modeling tools to import native CAD geometry, build geometry from scratch, create quality meshes, define loads and boundary conditions, and apply material properties. MD Adams for simulating the full-motion behavior of complex mechanical systems. Easy5 for schematic-based modeling and simulation of dynamic systems containing hydraulic, pneumatic, mechanical, thermal, electrical, and digital subsystems. MSC Process Builder for authoring advanced best practice processes within SimManager MSC SimXpert for batch execution of templates managed by SimManager MSC Analysis Manager for job submission and queue management of batch processes Load balancing system for scalability and redundancy of the web application servers PDM integration (generally a custom activity) Required applications running on the server and/or client computers. For example, batch versions of MSC Patran or MSC Nastran.

26 18 Server-side Software Requirements Server-side Software Requirements The following tables describe the server-side system components, versions, operating system/platform information, and locations of software. The links and locations listed were valid at the time of publication. MSC Software recommends that a fully functional, licensed version of the required software be purchased for use in a production environment and that individual license agreements be reviewed prior to usage. License Server (1 Required) Table 3-1 Licensing Software Software Version Supported Operating Systems Source FLEXlm 10.8 Windows, Linux, Unix Included with SimManager Workgroup CD set or Download from MSC.Software Solution Download Center:

27 Chapter 3: Hardware and Software Requirements Server-side Software Requirements 19 Web Application Server (1 required) Table 3-2 Software IBM WebSphere Application Server Network Deployment Web application servers Version Supported Operating Systems Microsoft Windows 2003 Server Red Hat Enterprise 4.3 (2.6 Kernel) IBM AIX 5.3 TL 0 Apache Tomcat Microsoft Windows 2003 Server Red Hat Enterprise 4.3 (2.6 Kernel) Red Hat JBoss Microsoft Windows 2003 Server Source Included with SimManager Enterprise CD set or Download from MSC.Software Solution Download Center: Download from Apache project: Download from: Sun Solaris 9 (Sparc)

28 20 Server-side Software Requirements Relational Database Server (1 required) Table 3-3 Software IBM DB2 Enterprise Relational database server Version Fixpack 3 (Equivalent to Fixpack 10) Supported Operating systems IBM AIX 5.3 TL 0 Source Contact your MSC Software Sale Representative Fixpack 2 Microsoft Windows 2003 Server Red Hat Enterprise 4.3 (2.6 Kernel) Included with SimManager Enterprise CD set or Download from MSC.Software Solution Download Center: IBM AIX 5.3 TL IBM AIX 5.3 TL 7 Contact your MSC Software Sale Representative Microsoft SQL Server Version 2005 Microsoft Windows 2003 Server Refer to Microsoft Corp: Oracle Enterprise Edition 10g Release 2 Microsoft Windows 2003 Server Red Hat Enterprise 4.3 (2.6 Kernel) Refer to Oracle Corp: roducts/database/index.html Sun Solaris 9 (Sparc)

29 Chapter 3: Hardware and Software Requirements Server-side Software Requirements 21 Optional Server-Side Components The following table lists optional, server-side system components and the download source: Job Submission System Table 3-4 Software MSC Analysis Manager Platform LSF Sun Grid Engine Optional server-side components Version Supported Operating Systems Source Included with SimManager Enterprise CD set Download from: Download from: Directory Server Table 3-5 Software IBM Tivoli Directory Server Optional server-side components Version Supported Operating Systems Source Download from: ibm.com/software/tivoli/products/di rectory-server/ Storage Manager Table 3-6 Software IBM Tivoli Storage Manager Optional server-side components Version Supported Operating Systems Source Contact your MSC Account Manager

30 22 Server-side Software Requirements System Automation Table 3-7 Software IBM Tivoli System Automation Optional server-side components Version Supported Operating Systems Source Contact your MSC Account Manager Other MSC Server Applications Table 3-8 Software MSC SimXpert (optional) Other MSC Server Applications R3 Version Supported Operating Systems Source Download from MSC.Software Solution Download Center:

31 Chapter 3: Hardware and Software Requirements Client-side Software Requirements 23 Client-side Software Requirements The following tables describe the client-side system components, versions, operating system/platform information, and locations of software. The links and locations listed were valid at the time of publication. MSC.Software recommends that a fully functional, licensed version of the required software be purchased for use in a production environment and that individual license agreements be reviewed prior to usage.

32 24 Client-side Software Requirements Table 3-9 Software Microsoft Internet Explorer Client-side Requirements Version Supported Operating Systems 6.x Download from: Source 6/downloads/default.mspx Mozilla Firefox 2 Download from: MSC Process Builder (optional) R3 Microsoft Windows XP (32-bit and 64 bit) Included on SimManager Enterprise CD set Red Hat Enterprise 4.3 (32-bit and 64-bit) or Download from MSC.Software Solution Download Center: MSC SimXpert (optional) R3 Microsoft Windows XP (32-bit and 64 bit) Download from MSC.Software Solution Download Center: MSC SimDesigner Template Client Edition (optional) R3 Red Hat Enterprise 4.3 (32-bit and 64-bit) Microsoft Windows XP (32-bit and 64 bit) Red Hat Enterprise 4.3 (32-bit and 64-bit) Patran (optional) 2008 Microsoft Windows XP (32-bit and 64 bit) Download from MSC.Software Solution Download Center: Download from MSC.Software Solution Download Center: MD Adams (optional) R3 Microsoft Windows XP (32-bit and 64 bit) Download from MSC.Software Solution Download Center:

33 Chapter 3: Hardware and Software Requirements Client-side Software Requirements 25 Table 3-9 Software Client-side Requirements Version Supported Operating Systems Easy5 (optional) 2008 Microsoft Windows XP (32-bit and 64 bit) Source Download from MSC.Software Solution Download Center: Java Web Start (Standard Edition) version R3 Microsoft Windows XP (32-bit and 64 bit) Red Hat Enterprise 4.3 (32-bit and 64-bit) Download from MSC.Software Solution Download Center:

34 26 Client-side Software Requirements

35 Chapter 4: Preparing for SimManager Installation 4 Preparing for SimManager Installation Overview 28 Steps for installing MSC.Software Solutions Download Center files 30 Installing a Web Application Server 34 Installing a Database Server 49 Utilities 83

36 28 Overview Overview When preparing to install SimManager, we recommend the following: 1. Read this document completely to plan your environment. 2. Define and document the details of the processes that the system must support. 3. Ensure that you have the required environment as specified in Prerequisite Software Requirements, 17 and install the various components as required. 4. Design the physical architecture. Plan the configuration with consideration for items such as load balancing, vault management, database management, and server combinations for these services. For more information, see the SimManager Logical Topology section in the MSC SimManager Enterprise Configuration and Deployment Guide. This chapter describes all the tasks required to prepare the environment for the installation, configuration, and deployment of the SimManager system. The installation, configuration, deployment, and testing of the SimManager Portal are described in Installing and Deploying SimManager, 105. Installing Prerequisite Software The specific prerequisite software required for your system is dependent on the supported hardware platforms (see Prerequisite Software Requirements, 17) and the overall requirements of your specific simulation solution. Therefore, not all of the software components and applications described in this section may be required for your installation. To install and deploy a basic (demonstration) version of the SimManager Portal, you must install (or have available on your system) and configure the following prerequisite components: Web application server Database server FLEXlm license server or MSC license file The instructions for the installation and configuration of the prerequisite software components are described in the following sections. Required platform-specific differences or instructions are noted in the descriptions. In general, a download location or source for third-party software and auxiliary components are listed in Server-side Software Requirements, 18. We recommend, but do not require, that the software components be installed in the order presented in this section. Note: To configure the required prerequisite software and the SimManager system, several system environment variables are required. We recommend that you limit the scope of these environment variables to avoid conflicts with existing settings and applications.

37 Chapter 4: Preparing for SimManager Installation Overview 29 In the instructions that follow, symbols (for example: <*.dir>) are used in place of directory locations that are specified during the installation process. Table 4-1 Symbol <SM_INSTALL_DIR> Symbols used for directory locations Directory This is the directory under which SimManager is installed. For example, <drive>/msc.software/simmanager/<version> where: <version> is the current version of SimManager, such as R3 <drive> is: <SMAPP_ROOT> Linux/UNIX - /var or /opt or /usr Windows - C:, D:, and so on This is a Web application directory. For example: <WEBSPHERE_HOME>/profiles/<server_name>/InstalledApp s/<node_name> or <WEBSPHERE_HOME> <TOMCAT_INSTALL_DIR> <TOMCAT_INSTALL_DIR>/webapps The installation directory for the IBM WebSphere application server. For example, D:\WebSphere\AppServer For example, the installation directory for Jakarta Tomcat, <CATALINA_HOME> is: D:\jakarta-tomcat-5.5

38 30 Steps for installing MSC.Software Solutions Download Center files Steps for installing MSC.Software Solutions Download Center files If you are an authorized customer with a valid login ID and password, SimManager Enterprise and other software such as IBM DB2 and WebSphere may be downloaded from the MSC.Software Solutions Download Center at: For more information on accessing the Solutions Download Center, please contact your local MSC Sales Office. SimManager Enterprise UNIX / Linux Systems 1. Login as root 2. "cd" to a temporary directory with sufficient disk space. Create a subdirectory and "cd" to the subdirectory. 3. Download the appropriate delivery file from Solution Download Center: AIX: simmanager_r3.1_aix5l.tar Linux: simmanager_r3.1_redhat.tar If you have already downloaded the files, you may proceed to the next step. 4. Execute the delivery file (.bin) which is a Universal Install Script. Executing the delivery file may require adding execution privilege: chmod +x Delivery_File 5. For the remainder of the installation process follow instructions in Installing SimManager. 6. Cleanup: After installation is complete, you may remove the subdirectory created in Step 2. Windows Systems 1. Download delivery file (simmanager_r3.1_windows.exe) from Solution Download Center to a temporary folder. 2. Execute the delivery file (.exe) which is a Universal Install Script. 3. For the remainder of the installation process follow instructions in Installing SimManager. 4. Cleanup: After installation is complete, you may remove temporary files from the download location used in Step 1 above.

39 Chapter 4: Preparing for SimManager Installation Steps for installing MSC.Software Solutions Download Center files 31 IBM WebSphere Application Server UNIX / Linux Systems 1. Login as root 2. "cd" to a temporary directory with sufficient disk space. Create a subdirectory and "cd" to the subdirectory. 3. Download the appropriate WebSphere Application Server Network Deployment (ND) delivery file from the Solution Download Center: AIX: simmanager_ws_ _aix5l.tar.gz Linux: simmanager_ws_ _redhat.tar.gz If you have already downloaded the files, you may proceed to the next step. 4. GUnzip and Untar the delivery file into the current subdirectory: gunzip Delivery_File tar -xf tar_file 5. Execute the launchpad.sh and follow the instructions in the Installing the WebSphere Application Server for the remainder of the installation process. Executing the installation script may require adding execution privilege: chmod +x launchpad.sh 6. Cleanup: After installation is complete, you may remove the subdirectory. Windows Systems 1. Download the WebSphere Application Server Network Deployment (ND) delivery file simmanager_ws_ _windows.zip from the Solution Download Center to a temporary folder. 2. Unzip the delivery file: unzip Delivery_File 3. Execute launchpad.bat and follow the instructions in the Installing the WebSphere Application Server for the remainder of the installation process. 4. Cleanup: After installation is complete, you may remove temporary files from the download location in Steps 1 and 4.

40 32 Steps for installing MSC.Software Solutions Download Center files IBM DB2 Universal Database: UNIX/LINUX Systems 1. Login as root 2. "cd" to a temporary directory with sufficient disk space. Create a subdirectory and "cd" to the subdirectory. 3. Download the appropriate DB2 Universal Database delivery file from Solution Download Center DB2 v9 on AIX: simmanager_db2_9.1_fix_pack_2_aix5l.tar.gz DB2 v9 on Linux: simmanager_db2_9.1_fix_pack_2_redhat.tar.gz If you previously downloaded the file, please proceed to the next step. 4. "Unzip" the delivery file into current subdirectory: unzip Delivery_File 5. The product installer will start automatically. For the remainder of the installation process follow instructions in Installing IBM DB2 Database Server. Executing the installation script may require adding execution privilege: chmod +x install.script IBM DB2 Universal Database Setup Utility: All Systems 1. Download the delivery file from Solution Download Center simmanager_r3_db2_setup.zip to a temporary folder. 2. Unzip the delivery file into current subdirectory: unzip Delivery File 3. The product installer will start automatically. For the remainder of the installation process follow instructions in Run DB2 Setup Utility:. 4. Cleanup: After installation is complete, you may remove temporary files from the download location in Step 1 above.

41 Chapter 4: Preparing for SimManager Installation Steps for installing MSC.Software Solutions Download Center files 33 Analysis Manager UNIX/LINUX Systems 1. Download the delivery file from Solution Download Center to a temporary folder simmanager_anmgr_ _linux-unix.sh. 2. Execute the Install Script (.sh) 3. The product installer will start automatically. For the remainder of the installation process follow instructions in Job Scheduling/Queuing Software. 4. Cleanup: After installation is complete, you may remove temporary files from the download location in Step 1 above. Windows Systems 1. Download the delivery file from Solution Download Center to a temporary folder simmanager_anmgr_ _windows.exe. 2. Execute the Install Script (.exe) 3. The product installer will start automatically. For the remainder of the installation process follow instructions in Job Scheduling/Queuing Software. 4. Cleanup: After installation is complete, you may remove temporary files from the download location in Step 1 above.

42 34 Installing a Web Application Server Installing a Web Application Server SimManager requires one web application server to be installed on the host platform on which SimManager is installed. SimManager has been certified with the IBM WebSphere, Apache Tomcat, and Red Hat JBoss web application server software. If you currently have a SimManager-supported web application server installed and operational, verify the setup and configuration settings described below, and then proceed with the SimManager installation and deployment. Installing the WebSphere Application Server SimManager requires an IBM WebSphere Application Server version 6.1 for proper operation. The IBM WebSphere Application Server is a Java-based application server, integrating enterprise data and transaction for the dynamic e-business world. IBM WebSphere Application Server can be installed on different operating systems. The supported version for WebSphere Application Server is included with SimManager Enterprise. There is a WebSphere Application Server ND CD packaged with SimManager Enterprise for each supported operating system. IBM WebSphere Application Server Network Deployment (1 each for 32-bit AIX, Linux, Windows) During the installation, follow the instructions for the software installation from CD. Installing WebSphere Application Server Network Deployment 6.1 Obtain the correct IBM WebSphere Application Server CD for your platform from the SimManager Enterprise package and initiate the installation process from the IBM WebSphere Application Server v6.1 CD. Execute Launchpad and follow the default installation as per the following instructions: Note: The procedure and dialogs for installing WebSphere Application Server Network Deployment are similar for Windows, Linux and AIX platforms. One difference is the file path syntax and the executable program extension. Windows uses.exe or.bat and Linux and AIX use.sh or no extension.

43 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server Click on Websphere Application Server Network Deployment Installation. 2. Click on Launch the installation wizard for the WebSphere Application Server Network Deployment.

44 36 Installing a Web Application Server 3. Click Next.

45 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server Click Next to continue.

46 38 Installing a Web Application Server 5. Click Next to continue.

47 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server Enter an installation directory (i.e. C:\IBM\Websphere\AppServer). Note: Make sure there are no spaces in the path.

48 40 Installing a Web Application Server 7. Click on Application Server and click Next. 8. Uncheck Enable administrative security and click Next.

49 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server Review the installation information and click Next. 10. Review the progress and click Next.

50 42 Installing a Web Application Server 11. After successful installation, check the Launch the First steps console box and click Finish. You have now installed WebSphere Application Server 6.1.

51 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server 43 To verify the installation, from the First Steps console, select Installation verification.

52 44 Installing a Web Application Server

53 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server 45 Optionally, to verify the installation, run the versioninfo.bat file from the bin directory. For example: C:\IBM\WebSphere\AppServer\bin>versioninfo.bat This completes Installation of WebSphere Application Server 6.1.

54 46 Installing a Web Application Server Installing the Tomcat Web Application Server Apache Tomcat is a supported web application server for the SimManager system. Tomcat is a purely Java-based software, created and supported by the Apache Jakarta Project development organization. The Tomcat web application software is a stand-alone TCP/IP server that communicates with Apache. It can also act as an HTTP server or run within the Apache process. See Web Application Server (1 required), 19, for the download location. Note: When installing Tomcat 5.x for use with SimManager you should download and install the.zip version. Some command-line scripts are NOT included in the.exe download version. To install the Tomcat web application server: 1. Download the binary distribution which is applicable to your platform. 2. Unzip (extract) and untar the downloaded file as required. Ensure that there are no spaces in the directory name. 3. Follow the installation instructions, Tomcat Setup, available at Web Application Server (1 required), 19 In this guide, the installation directory that is created will be referred to as <TOMCAT_INSTALL_DIR>. 4. Set the environment variable CATALINA_HOME to < TOMCAT_INSTALL_DIR>. Installing the JBoss Web Server JBoss is a supported Web Server for the SimManager system. JBoss Web Server is an enterprise ready web server designed for medium and large applications, based on Tomcat < JBoss Web Server provides organizations with a single deployment platform for Java Server Pages (JSP) and Java Servlet technologies, PHP, and CGI. It uses a genuine high performance hybrid technology that incorporates the best of the most recent OS technologies for processing high volume data, while keeping all the reference Java specifications. See Web application server (One required), 19, for the download location. To install the JBoss Web server: Installation on Linux and Unix based systems 1. Downloading JBoss Web JBoss Web is distributed as a standalone web server. The distribution can be downloaded directly from the JBossWeb downloads page < JBoss Web is not pure Java. It contains native code, compiled and optimized for each operating system. Download the package appropriate for your platform, paying particular attention to whether or not you are running on the 64-bit system. 2. Uncompress the distribution wherever you would like JBoss Web installed.

55 Chapter 4: Preparing for SimManager Installation Installing a Web Application Server 47 The resulting directory (jbossweb-4.0.4beta-linux-i686, for example) contains the JBoss Web instance. 3. Adjusting setenv.sh On some system you may have to do an extra step. 4. Edit the $CATALINA_HOME/bin/setenv.sh (CATALINA_HOME should be something like jbossweb ga) add the LD_LIBRARY_PATH variable and modify/add: * LD_LIBRARY_PATH=LD_LIBRARY_PATH:$CATALINA_HOME/bin/native export LD_LIBRARY_PATH * Running JBoss Web Before starting, make sure that your JAVA_HOME environment variable is set to your Java install directory. From the bin directory, run the startup.bat or startup.sh script, as is appropriate for your platform. If you run this from a shell, you will see the JBoss Web console log scroll by. If JBoss Web started correctly, the last few lines of output should contain something like the following: *Feb 15, :45:10 AM org.apache.coyote.http11.http11aprprotocol start INFO: Starting Coyote HTTP/1.1 on http-8080 Feb 15, :45:10 AM org.apache.coyote.ajp.ajpaprprotocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Feb 15, :45:10 AM org.apache.catalina.startup.catalina start INFO: Server startup in 888 ms * The last line is the message JBoss Web sends when all services are up and running, letting you know that everything is good. However, the two lines before it are important for JBoss Web. They tell you that JBoss Web is listening on two ports, 8080 and More importantly, you can see from the output that JBoss Web is using the APR(Apache portable runtime) libraries. This means that you are using the optimized native libraries. Without the APR libraries, you would see output more like the following, with no reference to the APR code. *INFO: Starting Servlet Engine: JBoss Web/ Feb 15, :31:10 AM org.apache.coyote.http11.http11protocol start INFO: Starting Coyote HTTP/1.1 on http-8080 Feb 15, :31:10 AM org.apache.coyote.ajp.ajpprotocol start INFO: Starting Coyote AJP/1.3 on ajp-8009 Feb 15, :31:10 AM org.apache.catalina.startup.catalina start INFO: Server startup in 1192 ms * In worse cases, like using the wrong version of the libraries for your platform, JBoss Web may completely fail to start. If there is an error, check the console log (the output in your terminal window) or the server log in logs/catalina.out for more information about the problem. To access your JBoss Web instance, go to in your web browser. If everything went well, you will see the JBoss Web start welcome screen. Congratulations, your JBoss Web instance is ready to go.

56 48 Installing a Web Application Server Windows Overview JBoss Web comes with Windows service executable that can run JBoss WebServer as service. The service executable jbosssvc.exe transforms the run.bat and shutdown.bat batch scripts to services. This means that any change made to those scripts will be used both in service and command line mode. 1. Installing the service To install the JBoss Web server as Windows service use the provided service.bat batch file. *Change directory to the JBossWeb bin directory* /C:\> /*cd c:\jbossweb-4.0.4rc1-windows-i586\bin*. *Install the service* /C:\> /*service.bat install* 2. Starting the service To start the JBoss Web server as Windows service use Control panel or *net start* command.. *Start the service* /C:\> /*net start JBossWebServer*. *The JBoss Web Server 4 service is starting.*. *The JBoss Web Server 4 service was started successfully.* When running in service mode the console output is redirected to the file *run.log*. You can inspect the file for any errors during service startup. 3. Stopping the service To stop the JBoss Web server as Windows service use Control panel or *net stop* command.. *Stop the service* /C:\> /*net stop JBossWebServer*. *The JBoss Web Server 4 service was stopped successfully.* When running in service mode the console output is redirected to the file *shutdown.log*. You can inspect the file for any errors during service shutdown. 4. Stopping the service To restart the JBoss Web server as Windows service use Control panel. 5. Removing the service To remove the JBoss Web server as Windows service use the provided *service.bat* batch file.. *Change directory to the JBossWeb bin directory* /C:\> /*cd c:\jbossweb-4.0.4rc1-windows-i586\bin*. *Remove the service* /C:\> /*service.bat uninstall* 6. Customization of the service Service customization is done by editing the service.bat script. Each command has a separate section that you can customize. The most common customization task would be changing service names if more than one service instances per box are required.

57 Chapter 4: Preparing for SimManager Installation Installing a Database Server 49 Installing a Database Server SimManager requires one database server. The database server does not have to be installed on the host platform on which SimManager is installed. The SimManager host platform, however, must have access to the database server host platform. SimManager has been certified with the IBM DB2 database and Oracle server software. If you currently have a SimManager-supported database server installed and operational, verify the setup and configuration settings described below for your database server application, and then proceed with the SimManager installation and deployment. Installing IBM DB2 Database Server The DB2 Universal Database Server software is IBM's database management system for the Windows, Linux, and UNIX platforms. DB2 ESE Installation for Windows 1. Create the users of the system username: schemauser, Password: SimManager00 username: appuser, Password: SimManager00 If the DB2 instance owner (administrator) does not exist create the username db2admin, Password: SimManager00

58 50 Installing a Database Server For creating a user, follow the dialogs displayed below: 2. Install DB2. Follow the instructions, as shown in the following sections to create a typical, single-partition DB2 Enterprise Server Edition Installation.

59 Chapter 4: Preparing for SimManager Installation Installing a Database Server 51 a. Click Install a Product on DB2 Setup Launchpad. Click Install New under DB2 EnterpriseServer Edition to start installation.

60 52 Installing a Database Server b. Click Next

61 Chapter 4: Preparing for SimManager Installation Installing a Database Server 53 c. Accept the license agreement and click Next.

62 54 Installing a Database Server d. Check Typical, and click Next.

63 Chapter 4: Preparing for SimManager Installation Installing a Database Server 55 e. Check Install DB2 Enterprise Server Edition on this computer. Click Next.

64 56 Installing a Database Server f. Enter or Select the Drive and directory in which to install the software. Check Next:

65 Chapter 4: Preparing for SimManager Installation Installing a Database Server 57 g. Enter the User information for the DB2 Administration Server. This is the DB2 instance owner created in step 1. Check box to Use the same user.... Click Next on this dialog and Yes on the warning dialog that follows:

66 58 Installing a Database Server h. Check Create the default DB2 instance and click Next.

67 Chapter 4: Preparing for SimManager Installation Installing a Database Server 59 i. Check Single-Partition database environment. Click Next.

68 60 Installing a Database Server j. Select DB2 and click Next.

69 Chapter 4: Preparing for SimManager Installation Installing a Database Server 61 k. Uncheck Prepare the DB2 tools catalog, click Next.

70 62 Installing a Database Server l. Uncheck Prepare the DB2 tools catalog, click Next.

71 Chapter 4: Preparing for SimManager Installation Installing a Database Server 63 m. Check the Enable operating system security, click Next.

72 64 Installing a Database Server n. Click Install to continue:

73 Chapter 4: Preparing for SimManager Installation Installing a Database Server 65 o. Click Finish to complete the installation

74 66 Installing a Database Server p. DB2 First Steps Screen appears. Click Exit. q. To verify version level navigate to the DB2 installation Bin Directory and execute db2level on the command line. Output should be similar to the following figure.

75 Chapter 4: Preparing for SimManager Installation Installing a Database Server Run DB2 Setup Utility: The following procedure is the same for all platforms Unzip the simmanager_r3_db2_setup.zip to any directory Follow the instructions of the ReadMe.txt file to run the extracted jar file. After having successfully run the jar file, you will have an output file which is SQL script (for example sm_db2.sql). Login as db2 instance owner in the DB2 control center. Initiate the DB2 control center on Windows using the menus shown below. Initiate DB2 control center on Linux or AIX logon as db2 instance owner and execute db2cc on command line. 4. Open command editor from menu or tool bar. Paste the text from the output file (SQL script sm_db2.sql) into the command Editor window and execute. Follow the instructions as written in the generated output file before you proceed to the next step.

76 68 Installing a Database Server The scripts will create a database and update its parameters. Restart the database (example SMDB) from the control center: The DB2 ESE Installation for Windows is now complete. DB2 UDB ESE V8.2 Installation on AIX 5.3 and LINUX 1. Log in as root 2. Navigate to the DB2 ESE directory. 3. Execute the db2setup command./db2setup 4. Click Install Products:

77 Chapter 4: Preparing for SimManager Installation Installing a Database Server Check DB2 UDB Enterprise Server Edition, click Next: 6. Follow the instructions given on each dialog for step 1 through 12. The following is a summary of each step with recommended settings: Step 1: Introduction. Step 2: Software License Agreement Step 3: Installation Type: Check "Typical..". Step 4: Installation action: Check "Install DB2 UDB Enterprise Server Edition.." Step 5: DAS (Database Administrator Server) User detail. See note below. Step 6: Instance setup. Check DB2 instance - 32 bit. Step 7: Instance use. Check "Single-partition instance" Step 8: Instance-owning user detail. See note below. Step 9: Fenced user detail. See note below.

78 70 Installing a Database Server Step 10: Tools Catalog. Check "Do not prepare.." option. Step 11: Contact list. Check "Local - Create a contact list on this system" and uncheck "Enable notification". Step 12: Contact. Check "Defer this task until..." Note: If you have NIS installed, you must manually create the user account before running the installation and specify those users. A new user account will be created during installation only if NIS is not installed. Review the DB2 documentation ( for instructions on how to manually create user accounts. 7. Select Summary, review the installation options, click Finish to begin the DB2 installation.

79 Chapter 4: Preparing for SimManager Installation Installing a Database Server When the installation is complete, review the Status Report tab to make sure the installation was successful. Click Finish.

80 72 Installing a Database Server Installing DB2 UDB FixPak 10 on AIX 5.3 and LINUX 1. Copy FixPak 10 from the FixPak CD2. 2. As root, unzip and untar the FixPak image to a directory on your server. For example: gunzip FP10_U tar.gz tar -xvf FP10_U tar 3. Follow the installation directions contained in the FixPak Readme file. There are sometimes specific steps you must take depending on other DB2 products you might have installed. We highlight the general steps here, but you should always review the official DB2 documentation before proceeding. a. Stop the DB2 Administration Server process i. Log in as or switch to the DAS (Database Administration Server) owner user. For example: su dasusr1 ii. Stop the DAS using the following command: db2admin stop b. Stop all DB2 Instances i. For each instance, log in as or switch to the instance owner user. For example: su db2inst1 ii. Stop the instance using the following command: db2stop Note: There must not be any database connections for this command to work. To forcibly disconnect all users, issue the following command: Repeat for all instances. db2 force applications all c. You must install the FixPak using the root account. As root, navigate to the FixPak image. Enter the following command to install the FixPak and commit the installation:./installfixpak -y After installing the different components, a summary outlining the result of the installation process. The result status should be Success for all items. d. Update the DAS to the latest DB2 level. As root, navigate to the instance subdirectory in the DB2 installation folder. For example: cd /usr/opt/db2_08_01/instance

81 Chapter 4: Preparing for SimManager Installation Installing a Database Server 73 Run the following command as root, specifying the name of the DAS user:./dasupdt dasusr1 e. For each instance defined, update the instance to the latest DB2 level. As root, navigate to the instance subdirectory in the DB2 installation folder. For example: cd /usr/opt/db2_08_01/instance Run the following command as root, specifying the name of the instance:./db2iupdt db2inst1 Repeat for each instance. f. For each database defined in an instance, (Skip this step if no databases have been defined) update the database to the latest DB2 level. Log in as or switch to the instance owner user. For example: su db2inst1 Run the db2v8updt command to update each database in the instance, supplying the database name in the command. For example: db2updv8 d SMDB Repeat for each database. g. Restart the instances and administration server. To restart an instance: Log in as or switch to the instance owner and enter the db2start command. Repeat for each instance. To restart the DB2 administration server (DAS), log in as or switch to the DAS user and run the db2admin start command. h. Connect to each database and update any necessary packages. Skip this step if no databases have been defined. For example: db2 terminate db2 connect to <dbname> db2 BIND <path>/@db2ubind.lst BLOCKING ALL GRANT PUBLIC ACTION ADD db2 terminate db2 terminate db2 CONNECT TO <dbname> db2 BIND <path>/db2schema.bnd BLOCKING ALL GRANT PUBLIC sqlerror continue

82 74 Installing a Database Server db2 terminate where <path> is typically <inst_home>/sqllib/bnd/ 4. After completing the FixPak installation, log in as or switch to the instance owner user (e.g., db2inst1) and issue the db2level command: su db2inst1 db2level The output should indicate that FixPak 10 has been applied. Consult the official DB2 FixPak Readme file for complete installation instructions. The preceding steps were just a general summary of what is required and other steps may be required in your environment. 5. Run the DB2 Setup Utility see Run DB2 Setup Utility:, 67 and Open command editor from menu or tool bar., 67. DB2 UDB ESE V9.1 Installation on AIX 5.3 and LINUX 1. Log in as root 2. Navigate to the DB2 ESE directory. 3. Execute the db2setup command./db2setup

83 Chapter 4: Preparing for SimManager Installation Installing a Database Server Click Install Products:

84 76 Installing a Database Server 5. Click on Install New for DB2 Enterprise Server Edition:

85 Chapter 4: Preparing for SimManager Installation Installing a Database Server Click Next 7. Follow the instructions given on each dialog for step 1 through 12. The following is a summary of each step with recommended settings: Step 1: Introduction. Step 2: Software License Agreement Step 3: Installation Type: Check "Typical..". Step 4: Installation action: Check "Install DB2 UDB Enterprise Server Edition.." Step 5: DAS (Database Administrator Server) User detail. See note below. Step 6: Instance setup. Check DB2 instance - 32 bit. Step 7: Instance use. Check "Single-partition instance" Step 8: Instance-owning user detail. See note below. Step 9: Fenced user detail. See note below. Step 10: Tools Catalog. Check "Do not prepare..." option. Step 11: Contact list. Check "Local - Create a contact list on this system" and uncheck "Enable notification". Step 12: Contact. Check "Defer this task until..."

86 78 Installing a Database Server Note: If you have NIS installed, you must manually create the user account before running the installation and specify those users. A new user account will be created during installation only if NIS is not installed. Review the DB2 documentation ( for instructions on how to manually create user accounts. 8. Select Summary, review the installation options, click Finish to begin the DB2 installation. 9. When the installation is complete, review the Status Report tab to make sure the installation was successful. Click Finish

87 Chapter 4: Preparing for SimManager Installation Installing a Database Server After completion of installation, log in as or switch to the instance owner user (e.g., db2inst1) and issue the db2level command. Output should indicate the DB2 v 9.1 with Fix Pack 2. Installing Oracle Database Server The Oracle database server software provides a data management system for the Windows, Linux, and UNIX platforms. To install Oracle Database Server: Go to and then select Core Products Database. On the next page, select Services Downloads Database, and then select the oracle10g link. 1. Download the appropriate binary distribution for your platform. Note that you must have a user account on the Oracle Web site to download software. 2. Follow the appropriate installation instructions for your platform and Oracle version from 3. Run the setup.exe. 4. Answer the install questions by accepting the defaults, with the exception of specifying the Global Database Name to TESTDB. Choose the Basic Installation with installation type as Enterprise Edition

88 80 Installing a Database Server 5. Create an smdb directory to hold the table space (i.e. c:\smdb or /opt/smdb). This will be a permanent directory on the database server machine. Next, create a place holder (empty) file named, sdmtables.db under this directory (for example, c:\smdb\sdmtables.db or /opt/smdb/sdbtables.db). The full path to this placeholder file will be referred to as <SDM_DB> throughout the rest of these instructions. 6. Create a second database with an utf8 character set. This is the database to be used with SimManager. a. Select Start <Oracle Home> Configuration and Migration Tools Database Configuration Assistant. b. Select Create a Database. c. Select Create New Database Files. d. Select Mulitpurpose. e. Accept the default value of concurrently connected users: 15 f. Accept the default. g. Enter in SMDB for both Global Database Name and SID. 7. Select Create Database Now. 8. After the database is created, use Oracle s SQLPlus tool to configure the database. Go to the Start menu Programs <Oracle Home> Application Development SQL Plus. Next, login to SQLPlus by entering the system user name, and password when prompted. Note: The creation of the tablespace is an optional step. When user creates the SimManager database as the default global database while installing Oracle, it automatically creates the tablespace. If tablespace is to be created manually, use step 9. Then, if login is granted, an SQL> prompt appears. 9. Create an Oracle Database Tablespace named SMDB, using SQLPLUS, by entering the following commands: CREATE TABLESPACE sdmtbls DATAFILE '<SDM_DB>' SIZE 50M AUTOEXTEND ON NEXT 50M MAXSIZE 200M; (e.g. CREATE TABLESPACE sdmtbls DATAFILE 'c:\smdb\sdmtables.db' SIZE 50M AUTOEXTEND ON NEXT 50M MAXSIZE 200M;) CREATE USER smdbuser IDENTIFIED BY smdbuserpw DEFAULT TABLESPACE sdmtbls TEMPORARY TABLESPACE TEMP; GRANT CONNECT, RESOURCE, DBA TO smdbuser; QUIT; 10. Optional: You can remove the first database you created, TESTDB, with the Database Configuration Assistant. a. Select Start <Oracle Home> Configuration and Migration Tools Database Configuration Assistant.

89 Chapter 4: Preparing for SimManager Installation Installing a Database Server 81 b. Select Delete a Database. c. Pick TESTDB from the list of available databases. d. Select Finish. The database name, database user name and password will be required in configuring SimManager. 11. For full production deployment of SimManager, a fully-licensed installation of the Oracle database server will be required. Installing Microsoft SQL Server The Microsoft SQL database server software provides a data management system for the Windows platforms. Install Microsoft SQL and SQL Server Management Studio Express: 1. Do a typical installation of SQL Server Express. Use all the defaults except set the server to use both Windows and SQL Server Authentication. This can be set later if you do not do this during the installation. 2. Go to Start menu and pick: Programs->Microsoft SQL Server 2005->Configuration Tools-> SQL Server Configuration manager. 3. Click on the SQL SERVER 2005 Network Configuration item in the left tree view. 4. Click on the Protocols for SQLEXPRESS in the left tree view. 5. Enable the TCP/IP and Named Pipes options. 6. Right click on the TCP/IP option in the right window and select Properties from the context menu. Remove the port number for TCP Dynamic Ports and set the TCP Port to 1433 for IPAll. 7. Restart the server by click on the SQL Server 2005 Services item in the left tree view. Select the SQL Server (SQL EXPRESS) option and click the restart button in the toolbar or right mouse click and pick restart from the context menu. 8. Do a typical installation of SQL Server Management Studio Express with all default option. Create an MSSQL example database instance named SMDB in SQL Server 2005: 1. Start SQL Server Management Studio Express: Start->Programs menu. 2. Click on Server Name from Object browser. Right mouse click on the Database on right window and select New Database. 3. From the New Database window, give the new database a name, such as SMDB. Create an admin user for your new database: 1. Under the Security/Logins section, right mouse click and pick New Login. 2. From the general section, enter the name of the admin user. Select SQL Server authentication and give the new user a password. Uncheck the box labeled Enforce password policy.

90 82 Installing a Database Server 3. Set the default database to the database you created in step 2 above. 4. Click on Server Roles in the left window. Check the box next to sysadmin as shown below. (The Public box should already be checked.) 5. Click on User Mapping in the left window. Check the box next to your database (e.g. SMDB) 6. Click on OK to create the new user.

91 Chapter 4: Preparing for SimManager Installation Utilities 83 Utilities Content Vault / File Server SimManager stores all data files into a file storage repository or file vault. The SimManager system can be configured to use several different integrated file vault systems for the management and storage of files. It can use the local and network file management and storage capabilities of your system and no additional software is required. FTP File Vault Alternatively, the following applications can also be used to enhance and expand the file management and storage capabilities of the SimManager system. If an FTP server is already installed and operational on your system, obtain and verify the user name, password, FTP root directory, and FTP port. These inputs will be required in configuring SimManager. Installing and/or Configuring FTP Server The FTP server software is an optional component of the SimManager system, but in typical deployments, this software will be used to manage the data files that SimManager processes generate. You can configure SimManager to use the FTP server for file vault management. For Linux and UNIX platforms, an FTP server is provided as an operating system component and is typically installed with the operating system. Any FTP server that supports passive-mode file transfer can be used in the SimManager system. The following section describes installing and/or configuring a typical FTP server on the supported platforms. A separate user account is not required for using the FTP server. We recommend, and it is good practice, to assign a unique user with limited privileges for security reasons. MSC Software recommends using the user name ftpuser and password ftppasswd. To ensure security, these values should be changed after the initial installation of the SimManager system. When this change is made, verify that all references in the SimManager configuration and properties files are consistent. To install the FTP server on Windows: If the FTP server is not installed on your system currently, follow the instructions below to configure the Windows Internet Information Services. Using Windows IIS (Internet Information Services): 1. Under Start Settings Control Panel Add or Remove Programs. 2. On the left, select Add/Remove Windows Components. 3. If necessary, select the check box for IIS box, and then select Next. 4. Create a new user and password to use with the FTP file vault. From Start Settings Control Panel Administrative Tools Computer Management Local Users and Groups Users.

92 84 Utilities 5. Use the Action New User pull-down menu to create a user named ftpuser and password, ftppasswd. 6. Under Start Settings Control Panel Administrative Tools Internet Services Manager, verify that FTP server is started. 7. Under Default FTP Site Properties Home Directory, verify that the Write check box is selected in the FTP Site. The user name, password, FTP root directory, and FTP port will be required to configure the SimManager using the Admin tool. If an FTP server is already installed and operational on your system, obtain and verify the user name, password, FTP root directory, and FTP port. You can find this information for Windows by: a. Start Settings Control Panel Administrative Tools Internet Services Manager. b. Expand hostname, select Default FTP Site, and then right-click on the Properties tab. c. For Username and Password, select the Security Accounts tab. These inputs will be required in configuring SimManager. Note: For installing IIS on Windows XP refer to system Help and Support for complete instructions To install or configure FTP server on AIX: 1. If necessary, add a user to perform FTP functions. Root access is required to add users to the system. 2. Go to SMIT Security and Users. 3. Select USERS Add a User. 4. Enter the User name, ftpuser, (up to 8 characters) and Password, ftppasswd, and then select OK. 5. Create a vault root directory /tmp/ftp_vault. 6. Verify that the FTP server is functioning by testing a simple FTP command with the user name and password of the vault. The user name, password, FTP root directory, and FTP port will be required in configuring the SimManager using the Admin tool. To install or configure FTP server on Linux: If you do not have a current version of an FTP server on your system, the WU-FTP server application can be downloaded from See Installing WU-FTPD installation instructions available at 1. If necessary, add a user to perform FTP functions. Root access is required to add users to the system. 2. Create a user by using the useradd command:

93 Chapter 4: Preparing for SimManager Installation Utilities 85 %>useradd -M ftpuser 3. Create the user password by using the passwd command: %>passwd <username> For example: passwd ftpuser 4. Create a vault root directory, such as /tmp/ftp_vault. 5. Verify that the FTP server is functioning by testing a simple FTP command with the user name and password of the vault. The user name, password, FTP root directory, and FTP port will be required in configuring the SimManager using the Admin tool. Security and User Authentication Software SimManager provides a basic, built-in security and user authentication mechanism. SimManager can be fully integrated with advanced security and user authentication systems, such as LDAP, Windows 2000 Active Directory Server, Netscape Directory Server, and other security and user authentication systems, as required. For installation and access to required security or user authentication software, consult your internal systems administrator. To configure the SimManager built-in security and user-authentication mechanism, or to configure SimManager for use with LDAP or other security and user authentication systems, see the Authentication. Additional information can also be found in the MSC SimManager Enterprise Configuration and Deployment Guide.. Job Scheduling/Queuing Software The SimManager system can be fully integrated with advanced job scheduling and queuing software, such as: AM (MSC Analysis Manager) LSF (Platform Load Sharing Facility) SGE (Sun Grid Engine) For installation and access to the required job scheduling and queuing software, consult your internal systems administrator. To configure the SimManager system for use with LSF or other job scheduling and queuing systems, see the MSC SimManager Enterprise Configuration and Deployment Guide. MSC Analysis Manager Quick start installation and configuration guide MSC Analysis Manager is a client-server based job-submission software package for unix/linux and Windows operating systems. It supports job submit, monitor and abort capabilities. MSC Analysis Manager (AM) must be installed on all machines involved in the job flow, from submit machine to execute machine(s) and one scheduler machine (which can be the same machine as the others). Once installed, the single scheduler machine needs configuration files and runs a QueMgr scheduler process. All other client machines do not need any configuration files, but they do need the AM install directory tree with all the AM binaries. All client machines also must run an RmtMgr remote access process.

94 86 Utilities To install, execute the appropriate installer program: aminstall-<version>.exe - for Microsoft Windows operating system aminstall-<version>.sh - for all unix/linux operating systems Running this install program will do the following: 1. Check for root or Administrative privileges. If you do not have required permissions you may still install the AM software but some steps will not be performed. Those steps are the installation of the QueMgr and/or RmtMgr processes to the /etc/rc* boot up scripts on unix/linux machines; and the installation of the QueMgr and/or RmtMgr services on Windows machines. 2. Prompt for the <am-install-path> directory. 3. Check for a pre-existing AM installation in this <am-install-path> dir. If a previous AM installation is found then you can continue to install and this will become an upgrade where the AM binaries are updated to those in the installer package, but the configuration files presently found will remain as is. 4. Ask if this is the QueMgr scheduler machine. If so then more questions will be asked for information to create the configuration files. 5. Prompt for any additional QueMgr and/or RmtMgr start up arguments 6. Setup execution path for RmtMgr for running SimXpert batch scripts from SimManager (optional) 7. Start QueMgr and/or RmtMgr. Depending on if this is a scheduler server machine (QueMgr) or if this is a client machine which runs jobs or submits (RmtMgr) An example of the installation script output is shown below. Text in bold specifies data entered by users. Press <Enter> (carriage return) where specified or no input is required. C:\>.\aminstall exe MSC AnalysisManager Installer Enter MSC AnalysisManager install dir : c:\msc.software\msc.analysismgr Installing AM in c:\msc.software\msc.analysismgr... Are you sure? Please answer [y]es or [n]o : y Is this the master scheduler (QueMgr) host for the entire network? (Do you want to create the AM config files now?) (config files are only needed on the QueMgr host)

95 Chapter 4: Preparing for SimManager Installation Utilities 87 Please answer [y]es or [n]o : y Enter hosts and arch types where analysis jobs can run: host and arch separated by spaces, Press <Enter> after each entry blank line to end list possible arch types: WINNT WIN8664 LX86 LX8664 LXIPF HP700 HPIPF RS6K SUNS SGI5: For example: host arch: host1 WINNT Enter AM admin username (amuser) : Press <Enter> Enter the master scheduler (QueMgr) port (default = 2900) : Press <Enter> QueMgr cmd-line args: usage: C:\MSC.Software\MSC.AnalysisMgr\bin\WINNT\QueMgr.exe Argument Description -port < > - port number to use for QueMgr on this host (2900) -rmgrport < > - port number to use for all RmtMgrs on all machines (2800) -path < > - AM install path on this host (for bin and org) (<am-install-dir>) -orgpath < > - AM install path (for only org) (if different than -path <arg>) -ipaddr < > - specific IP address ( format) if this machine is multi-homed -port_start < > - starting port number in range -org < > - specific org name to use - if different than "default" -log < > - specific log file to use -nodefaultuser - don t allow processes to run as admin user if requested user does not exist -queue_only - submits allowed to only queues / groups and not to individual AM hosts Enter additional QueMgr cmd-line args (leave blank for none) : Press <Enter> installed service MSCQueMgr cmdline: C:\MSC.Software\MSC.AnalysisMgr\bin\WINNT\QueMgr.exe started service MSCQueMgr

96 88 Utilities Note: If any remote job execute hosts are Windows based it is suggested to run the AM addamuser utility on this host to enter a fallback user account. RmtMgr cmd-line args: usage: C:\MSC.Software\MSC.AnalysisMgr\bin\WINNT\RmtMgr.exe Argument Description -port < > - port number to use for RmtMgr on this host (2800) -path < > - AM install path on this host (for bin and org) (<am-install-dir>) -orgpath < > - AM install path (for only org) (if different than -path <arg>) -ipaddr < > - specific IP address ( format) if this machine is multi-homed -nodefaultuser - don t allow processes to run as SYSTEM if requested user does not exist -port_start < > - starting port number in range Enter additional RmtMgr cmd-line args (leave blank for none) : <Enter> installed service MSCRmtMgr cmdline: C:\MSC.Software\MSC.AnalysisMgr\bin\WINNT\RmtMgr.exe started service MSCRmtMgr AM_HOME=C:\MSC.Software\MSC.AnalysisMgr AM_HOME is added to the system-wide env settings. If this env var is not set in the current cmd/shell/window, start a new cmd/shell/window before using AM. The scheduler machine (QueMgr) installation is complete. Installation of AM on the client (RmtMgr only) machine is similar. When the installer program asks if this is the master scheduler (QueMgr) host - answer no. Then answer two more questions when prompted: Enter the master scheduler (QueMgr) host : host1 Enter the master scheduler (QueMgr) port (default = 2900) : <Enter> The client machine (RmtMgr) installation is then complete. The unix/linux AM installer is very similar except instead of automatically installing the QueMgr and/or RmtMgr services it creates the boot up /etc/rc* scripts as appropriate for the current platform and then

97 Chapter 4: Preparing for SimManager Installation Utilities 89 asks if you want to start each daemon process up now. If yes is selected, these processes will be started now and then on each reboot these will be started automatically. To uninstall AM run: Windows: <am-install-path>\bin/winnt\uninstall.exe or <am-install-path>\bin\win8664\uninstall.exe UNIX/Linux: <am-install-path>/uninstall.sh Note: The AM uninstaller will REMOVE all files in the AM installation directory, so do not put other non-am related files in the <am-install-path> directory or they will be removed when you uninstall AM.

98 90 Utilities Directory Structure The <am-install-path> directory tree contains these files and directories: Figure 4-1 where: Directory Structure <arch> dirs include the directories of WINNT, WIN8664, LX86, LX8664, LXIPF, HP700, HPIPF, RS6K, SUNS, SGI5. On Windows platforms only the WINNT and WIN8664 dirs are installed. On unix/linux platforms you can select at install time the bin dirs you need to install. To enable the path additions for SimXpert job submissions, create a file called "path.cfg" that you can optionally have in the <am-install-dir>. This file execution paths in this file will get added to the PATH every time a Analysis Manager job is run. The format of this file is simply a list of paths to append, either one per line or all on a single line separated by the appropriate character (: for unix/linux) (; for windows). For example: c:\msc.software\simxpert/winnt\bin;d:\some\other\dir c:\another\dir\to\add The proj directory is a temporary storage area when jobs are first started, before they move to the scratch directory as specified in the disk.cfg file. The log directory is where the QueMgr writes the QueMgr.log file. For a server host, which runs the QueMgr, three AM config files must be created and then the QueMgr started. This is done automatically by the AM installer. There is usually only one QueMgr for an entire network, so you select only one host for this step, whereas RmtMgr runs on all hosts in the network that

99 Chapter 4: Preparing for SimManager Installation Utilities 91 actually execute jobs. If there is a close-coupled cluster involved then typically the QueMgr would be run on the head node so it can 'see' the cluster client nodes as well as any submit client hosts. The config files are in <am-install-path>/default/conf directory and are called host.cfg, disk.cfg and msc.cfg. The exec-on-que method is shown below. The QueMgr will bind to port You can change this with the -port <> cmd-line option. The QueMgr cmd-line options are: Argument Description -port < > - port number to use for QueMgr on this host -rmgrport < > - port number to use for all RmtMgr(s) on all machines in AM config -path < > - AM install path on this host (for bin and org) -orgpath < > - AM install path (for only org) (if different than -path <arg>) -ipaddr < > - specific IP address ( format) if this machine is multi-homed -port_start < > - starting port number in range -org < > - specific org name to use - if different than "default" -log < > - specific log file to use -nodefaultuser - don t allow processes to run as admin user if requested user does not exist -queue_only - submits allowed to only queues / groups and not to individual AM hosts -version - print AM version The host.cfg file describes each host and application combination, (called an am-host). For exec-on-que apps the application is $JOBFILE the script/program you actually are submitting. An example of the host.cfg file is: # # MSC AnalysisManager host.cfg file # #VERSION: 3 ADMIN: amuser QUE_TYPE: MSC ##A/M Host Physical Host Type EXE_Path RC_Path # AM_HOSTS: remote_exec_host1 host1 20 $JOBFILE NONE # #Physical Host Class Max # PHYSICAL_HOSTS: host1 WINNT 2

100 92 Utilities # #Type Prog_name Application name MaxAppTsk [ option args ] # APPLICATIONS: 20 GenMgr exec_on_que 10 # The disk.cfg, msc.cfg, and org.cfg files are automatically generated by the AM installer program from the data you provide. The disk.cfg file describes the file systems each app/host can use. An example disk.cfg file is: # # MSC AnalysisManager disk.cfg file # # #A/M Host File System Type (nfs or blank) # remote_exec_host1 C:\TEMP # The msc.cfg file defines queues (or groups) of am-hosts from the host.cfg file. An example msc.cfg file is: # # MSC AnalysisManager msc.cfg file # # SORT_ORDER: free_tasks cpu_util last_job_time avail_mem free_disk # # GROUP: all_hosts AM_HOSTS: remote_exec_host1 MIN_DISK: 20 MIN_MEM: 10 MAX_CPU_UTIL: 99 TIME_LIMIT: -1 PRIORITY: 0 RUN_LIMIT: 12 # An org.cfg file should also be generated on every host in the <am-install-path>, which contains the info for a client program to contact the QueMgr. An example of the org.cfg file is: # # AnalysisManager org.cfg file #

101 Chapter 4: Preparing for SimManager Installation Utilities 93 # # Org Master Host Port # # default host # The default org name of "default" can be used unless you want to include more than one org in your site. The default port for QueMgr is 2900, unless you want to include more than one org in your network. See above cmd-line options for how to change the QueMgr port number. There is also an optional sepusers.cfg file in the default/conf config dir. In this file is the list of user accounts (one per line) that AM will allow a user to become, if not the same as the submitting user. An asterisk * is allowed to match any separate user specified at submit time. The RmtMgr will bind to port You can change this with the -port <> cmd-line option. The RmtMgr cmd-line options are: Argument Description -port < > - port number to use for RmtMgr on this host -path < > - AM install path on this host (for bin and org) -orgpath < > - AM install path (for only org) (if different than -path <arg>) -ipaddr < > - specific IP address ( format) if this machine is multi-homed -admin < > - admin user - override of ADMIN: setting in configuration (host.cfg) -port_start < > - starting port number in range -nodefaultuser - don t allow processes to run as admin user if requested user does not exist -version - print AM version If you have a firewall and need to control the range of ports AM uses, you can create a port.cfg file in the <am-install-path> dir, which contains the starting port number to use. AM programs will only bind to new ports starting at that value and try to use as few ports as possible increasing in value from there. If many jobs are active at the same time however, the number of ports in use could increase. If any changes are made to the config files after QueMgr is already running then the QueMgr needs to be restarted. This can be done either by stopping the QueMgr process/service and then starting it up again, or via the TxtMgr interactive admin command, which asks the QueMgr to reconfigure itself. For Windows there are also utilities in the bin/<arch> directory for this: stop_server.bat,

102 94 Utilities stop_client.bat, start_server.bat, star_client.bat. For unix/linux you can manually kill the QueMgr process. Note: Unix /Linux Do not ever kill 9 the QueMgr or RmtMgr daemon processes unless there is no other way to get them to stop. A kill command with no signal number should be used as this is received by the QueMgr and RmtMgr processes and allows them to do clean up of any open sockets, shared memory segments and to properly close the ports they are using cleanly, so these port numbers can be used again immediately. Now that the AM config files are created and the QueMgr started and all RmtMgrs started the actual client program (TxtMgr) can be run. For submitting, monitoring and aborting jobs the client AM program TxtMgr is used. All the TxtMgr arguments are: Argument -qmgrhost < > -qmgrport < > -rmgrport < > -timeout < > -org < > -ans <y n> -orgpath < > -auth < > -app < > -rcf < > -jobnum < > -amhome < > -choice < > -[no]wait -ipaddr < > -project < > -port_start -listapps -env -envall -envf < > Description - set to QueMgr hostname - set to QueMgr port number - set to RmtMgr port number - set to change default timeout - set to QueMgr org - set to change default batch submit answer (yes) - set to change default orgpath - set to license file - set to application name - set to runtime-configuration file - set to job number (for use with -wait or -choice) - set to change default am home path - set to menu number selection for batch mode - do [not] wait for batch job to complete - specific IP address ( format) if this machine is multi-homed - set to change default project - starting port number in range - list all installed applications by name - print out the configuration - print out the complete configuration - print out the configuration to a file

103 Chapter 4: Preparing for SimManager Installation Utilities 95 -envfall < > -useenv -nocon -lst < > -version -sepuser < > -submit -mem -nproc -status -queue -amhost -input < > -extra < > [file args] - print out the complete configuration to a file - export the local env on the run host - do not connect to QueMgr on startup - list-file of needed files to copy (generic apps only) - print the am version - set to change user who runs job - submit job with -nowait option (same as -choice 1 -nowait) - memory setting (default units) - number of cpus to allocate for submit - print queue/running/completed job stats for job specified (-jobnum req) - am queue name to use for submit - input file/cmd to submit - optional extra arg(s) to append to cmd - optional input file or extra args to submit (last arg(s)) TxtMgr also needs to know the <am-install-path> at startup. This is determined several different ways, if the AM_HOME env var is set, it is used. On Windows, the Registry may contain a software key, and lastly, if none of these, then the AM installation directory determined from the full-path commandline. You can also manually override any prior AM_HOME setting with the amhome < > commandline option. An example of a typical submit cmd would be: TxtMgr [ app <app-name>] submit ++ <cmd-to-run> [-+- <any addl args>] You can specify a specific queue to submit to with the queue <queue-name> option. Queues are configured in the msc.cfg file (see above) An example of a typical monitor cmd would be: TxtMgr choice 3 or TxtMgr status jobnum <job-id> An example of aborting a job would be: TxtMgr choice 2 jobnum <job-id> You can also use the TxtMgr interactively without supplying any arguments, in which case you use the menu options. The menu options are:

104 96 Utilities Enter selection: 1. submit a job 2. abort a job 3. monitor a job 4. show QueMgr log file 5. show QueMgr jobs/queues 6. show QueMgr cpu/mem/disk 7. list completed jobs 8. write rcfile settings 9. admin test 10. admin reconfig QueMgr 11. submit series of jobs 12. quit There is also an rcf file capable of changing the default values for many AM settings. You can view all these settings with the command: TxtMgr env You can run TxtMgr with the rcf <rcf-file> cmd-line option or place a system-wide rcf file named <am-install-path>/default/amgrrc which would be read automatically at startup. For example changing the default user for all submitted jobs could be done with this line in the systemwide rcf file: unv_config.separate_user = <new-submit-username> If this file were named <am-install-path>/default/amgrrc then all jobs would attempt to be run as this <new-submit-username> instead of the current user. Note: Whenever an explicit separate user is specified, either on the TxtMgr cmd-line or in a AM rcf file with the unv_config.separate_user method, the separate user listed must already be in the <am-installpath>/default/conf/sepusers.cfg file. See above for more info. AM will attempt to become the submitting user when running jobs on remote machines. How it does this is complicated with many different possibilities depending on what user the RmtMgr is running as, the access rights assigned to the RmtMgr user, the submit host and execute host platforms and if there is a AM usr db file present with a username match or fallback user. On Windows, access to network shares by the client process that runs the job on a remote host can also be an issue. The most effective means to

105 Chapter 4: Preparing for SimManager Installation Utilities 97 ensure RmtMgr has the best chance to run as the correct user on Windows is to either run RmtMgr as a domain user with the following access rights: Act as a part of the operating system Bypass traverse checking Log on as a batch job Log on as a service Increase quotas Replace a process level token Or run RmtMgr as LocalSystem (the default at install time) as this account has all these access rights by default. It s also important to have a AM usr db file present with the submitting username (or fallback user) information in it when executing job on remote machines. addamuser is a menu based interactive AM program with these options: Enter selection: 1. add a user entry 2. delete a user entry 3. set fallback user from list 4. list entries 5. quit On unix/linux RmtMgr can run as root and then will become the submitting user automatically. AM will not let user submitted jobs run as root if there is no valid username provided. On Windows you can also provide this capability by using the nodefaultuser cmd-line option for the RmtMgr service. When RmtMgr runs a LocalSystem and is not able to impersonate the true submitting user and cannot locate a username match in any usrdb.cfg AM username database (created with the addamuser program) then access to network resources by the job is limited. The QueMgr can be run by any valid user. QueMgr does not write any files other than its own log file, so user rights and permissions are not usually an issue. After submit, AM will queue the request. Once AM determines an appropriate system is available to run the job AM launches the job via its wrapper program on the remote system. The wrapper program (GenMgr) will attempt to copy the script/program specified on the cmd-line at submit time if this file cannot be accessed directly. AM can also copy additional files from the submit host to the remote execute host if they are provided in an AM lst file with the lst <list-file> TxtMgr cmd-line option. The GenMgr runs the script/program and records process status and statistics during execution. After the script/program has completed GenMgr will copy back all results files created and mark the job as completed. Files returned to the submit host include AM specific files <jobname>.tml, <jobname>.mon, <jobname>.stdout, <jobname>.stderr and any files created locally by the script/program. If you abort a job then all processes of that job are killed and all files created by those processes in the job work directory are removed, with the exception of some AM specific files.

106 98 Utilities Important info about a job s progress on the remote system and its cmd-line is found in the AM specific <jobname>.tml file. Sun Grid Engine (SGE) 1. Download SGE 6.0 from: 2. Verify that you get the following two components: Common files Platform-specific binary and data files 3. Follow the SGE installation steps at: 4. Download jdrmaa.tar.gz from: and extract it to the $TMP directory. 5. Make shared libraries available to SimManager. Verify that the following parameters are set and that the required files are available. Perform the following tasks if required: Copy [$SGE_HOME]/lib/<$SGE_ARCH>/libdrmaa.so to the <SMAPP_ROOT>/config/lib/dlls/[$ARCH] directory. Copy [$TMP]/jdrmaa/[$ARCH]/libjdrmaa.so to the <SMAPP_ROOT>/config/lib/dlls/[$ARCH] directory. Note: Since not all UNIX systems use the.so extension, replace.so with the extension suitable for the UNIX platform in use. 6. Add <SMAPP_ROOT>/lib/dlls/$ARCH to the system wide <$LD_LIBRARY_PATH> environment variable. 7. Append: <SMAPP_ROOT>/config/lib/dlls/[$ARCH]/libdrmaa.so <SMAPP_ROOT>/config/lib/dlls/[$ARCH]/libjdrmaa.so all in one line to the sdm.dyn.libraries line in: <SMAPP_ROOT>/config/SimManager.properties 8. Copy [$TMP]/jdrmaa/drmaa.jar to the <SMAPP_ROOT>/WEB-INF/lib directory. 9. Append: <SMAPP_ROOT>/WEB-INF/lib/drmaa.jar to the classpath in: [$SHARE]/actionrunner/bin/[ARW]

107 Chapter 4: Preparing for SimManager Installation Utilities 99 Installing X Virtual Frame Buffer The X virtual frame buffer (Xvfb) is an X server that can run on machines with no display hardware and no physical input devices. The software emulates a dumb frame buffer using virtual memory and is an included component of X11R6. If it is required that SimManager execute in such an environment, request the necessary components and installation instructions from an MSC Software support representative. The X virtual frame buffer is not a required SimManager component. Installing Xvfb on AIX Use the following procedure to install Xvfb on AIX. For complete instructions, refer to the AIX Windows Programming Guide at 1. Log in to the server as a user with administrative privileges. 2. Add the following line to /etc/initab: xvfb:2:respawn:/usr/bin/x11/x -force -vfb -x abx -x dbe -x GLX :1 > /dev/null 3. Set DISPLAY by adding the following line to.profile: DISPLAY=`hostname`:1.0 export DISPLAY 4. Save the changes. 5. Restart the server. 6. Disable JIT on application servers. Installing Xvfb on Linux and Solaris Use the following procedure to install Xvfb on Linux and Sun Solaris. Before you begin On Linux, the binary is called 'Xvfb' and may or may not be included with your distribution. If you do not have Xvfb with your distribution, it may be available from your Linux vendor; otherwise, it is available from x.org at the following URL: ftp://ftp.xfree86.org/pub/xfree86/4.2.0/binaries/linux-ix86-glibc22/ Once obtained, follow the instructions provided with the package to unpack and install it. On a standard Solaris 9 O/S, the software should already be installed. It resides under /usr/openwin/bin and the binary is called 'Xsun'. It is started by a shell script called Xvfb, which passes it some command line arguments in addition to what the user specifies.

108 100 Utilities Installation The following steps should be carried out as an administrative user; for example, root. If you are installing on Linux, skip Steps 1-4. Note: This procedure assumes you use :1 as the display number for Xvfb. To use a different number, see the instructions that follow for "Changing the display number from 1." 1. (Solaris) Perform the following steps to remove the setgid bit, if it is set, on the Xvfb script. a. Check to see if the Xvfb script has setgid permissions. The "s" in the middle set of permissions denotes that the script has setgid permissions. bash-2.05# ls -l /usr/openwin/bin/xvfb -rwxr-sr-x 1 root root 162 Nov 30 18:34 /usr/openwin/bin/xvfb b. Issue the following command to remove the setgid bit if it is set: bash-2.05# chmod g-s /usr/openwin/bin/xvfb 2. (Solaris) Make a backup copy of the Xvfb script. 3. (Solaris) In a text editor, open the original Xvfb script and change the following line: Xsun $* +nkeyboard +nmouse -dev vfb to /usr/openwin/bin/xsun $* +nkeyboard +nmouse -dev vfb Save the file without closing it. 4. (Solaris) With the Xvfb script still open, determine if the script contains these lines: ServerNumber=`echo $1 grep ":"` if [ "$ServerNumber" ] then shift fi These lines, if present, force Xvfb to run on the default display :0. To run on :1, as described in this procedure, or any other number besides 0, comment out these lines, then save and close the file. 5. Generate a script file named /etc/init.d/xvfb containing the following: #!/bin/sh XVFB_DISPLAY=":1" case "`uname`" in "Linux") XVFB_BINARY=/usr/X11R6/bin/Xvfb ;; "SunOS" "Solaris") XVFB_BINARY=/usr/openwin/bin/Xsun ;; *) XVFB_BINARY= ;;

109 Chapter 4: Preparing for SimManager Installation Utilities 101 esac if [! -z "$XVFB_BINARY" ]; then case "$1" in "start") if [ -f "$XVFB_BINARY" ]; then XVFB_PID="`pgrep -f "$XVFB_BINARY $XVFB_DISPLAY"`" if [ -z "$XVFB_PID" ]; then echo "xvfb: Starting Xvfb on $XVFB_DISPLAY" `dirname $XVFB_BINARY`/Xvfb $XVFB_DISPLAY & else echo "xvfb: ERROR: Xvfb is running on $XVFB_DISPLAY" exit fi else echo "xvfb: ERROR: $XVFB_BINARY not found" exit 1 fi ;; "stop") XVFB_PID="`pgrep -f "$XVFB_BINARY $XVFB_DISPLAY"`" if [! -z "$XVFB_PID" ]; then echo "xvfb: Stopping Xvfb on $XVFB_DISPLAY" kill -9 $XVFB_PID else echo "xvfb: ERROR: Xvfb is not running on $XVFB_DISPLAY" exit 1 fi ;; "status") XVFB_PID="`pgrep -f "$XVFB_BINARY $XVFB_DISPLAY"`" if [ -z "$XVFB_PID" ]; then echo "xvfb: Xvfb is not running on $XVFB_DISPLAY" else echo "xvfb: Xvfb is running on $XVFB_DISPLAY" fi ;; *) echo " Usage: " echo " $0 start (start Xvfb)" echo " $0 stop (stop Xvfb)" echo " $0 status (check if Xvfb is running)" exit 1 ;; esac else echo "xvfb: ERROR: Could not determine platform" exit 1 fi exit 0

110 102 Utilities 6. Make the script file executable with the following command: chmod +x /etc/init.d/xvfb 7. Determine the run-level into which the system starts with the following command: grep initdefault: /etc/inittab The number in the resulting line indicates the default system run-level. In these examples, "3" is the system run-level: Linux id:3:initdefault Solaris is:3:initdefault To use a different run-level, change the line in /etc/inittab to specify a different number. 8. Create a soft link in the appropriate run-level with the following command: ln -s /etc/init.d/xvfb /etc/rc3.d/s99xvfb This example uses run-level 3 (identified by "rc3.d"). If you intend to use Xvfb in a different runlevel, set up the soft link to the appropriate /etc/rcx.d directory. Also, note the use of the number 99 (S99xvfb). This number indicates the order in which the services for your run-level start up. The higher the number, the later the service starts in relation to all the others. You do not have to use 99 but you should make it reasonably high so that other services on which this may depend will be started first. 9. Restart the machine. 10. Verify that Xvfb is running using the following command: /etc/init.d/xvfb status 11. Set and export the DISPLAY environment variable using the following command: export DISPLAY=`hostname`:1.0 This command can also be added to the shell profile you use; for example,.bash_profile. 12. Start Application Servers. Note: Changes in scripts supplied by the operating system supply workarounds for problems encountered with Xvfb on that platform. IBM accepts no responsibility for any harm caused to your system by making these changes and any queries regarding the suitability of such changes should be directed to the operating system vendor. Changing the display number from 1 The display number argument to Xvfb (:1 in the above examples) is what isolates Xvfb from any other running X servers. This number can be any number that is not already in use, but you must set your DISPLAY environment variable to the number you are actually using.

111 Chapter 4: Preparing for SimManager Installation Utilities 103 AIX Make the following changes to /etc/initab, save the changes, and restart the server. 1. Change GLX :1 to the new display number in the following line: xvfb:2:respawn:/usr/bin/x11/x -force -vfb -x abx -x dbe -x GLX :<your_new_number >/dev/null where <your_new_number> represents the new display number. 2. Change DISPLAY=`hostname`:1.0 to the new display number: DISPLAY=`hostname`:<your_new_number>.0 export DISPLAY Linux and Solaris Make the following changes and restart the server. 1. In /etc/init.d/xvfb, change XVFB_DISPLAY=":1" to the new display number, then save the changes: XVFB_DISPLAY=":<your_new_number>" where <your_new_number> represents the new display number. 2. Set and export the DISPLAY environment variable using the following command: export DISPLAY=`hostname`:<your_new_number>.0

112 104 Utilities

113 Chapter 5: Installing and Deploying SimManager 5 Installing and Deploying SimManager Overview 106 Product Licensing with FLEXlm 107 Installing SimManager 114 Activating Portal 126 Testing the Installation 150

114 106 Overview Overview This chapter describes the installation, configuration, deployment, and testing of an initial SimManager installation. This chapter assumes that you have completed the required tasks in Chapter 3, Preparing for SimManager Installation, 27. To install and deploy a basic (demonstration) version of SimManager, you must install (or have available on your system) and configure the following prerequisite components: Web application server Database server FLEXlm license server or MSC license file We recommend, but do not require, that the SimManager installation procedures be performed in the order presented in this section. Required platform-specific differences or instructions are noted in the descriptions. Note: Several system environment variables are required to configure SimManager. We recommend that you limit the scope of these environment variables to avoid conflicts with existing settings and applications.

115 Chapter 5: Installing and Deploying SimManager Product Licensing with FLEXlm 107 Product Licensing with FLEXlm If FLEXlm version 10.8 or higher is currently installed at your site and the Flexlm license server is accessible by the SimManager server, you can integrate the SimManager license with the existing license file and set the MSC_LICENSE_FILE environment variable on the SimManager host platform to the required If you have a temporary or demonstration license (which is a nodelock license.dat file), you can use this file by setting the MSC_LICENSE_FILE environment variable to the full path name of the file. We recommend that the MSC_LICENSE_FILE environment variable be set at the system level. If the required FLEXlm license server does not currently exist at your site, follow the installation and configuration instructions below. Product Licensing MSC SimManager uses MSC.licensing (FLEXlm) to validate usage of its various component features - this section outlines FLEXlm licensing-related procedures that may be necessary to complete the installation of MSC SimManager. As part of the installation, the product licenses that you obtain from MSC.Software Corporation are placed in a file called the License File. This file is located either on a FLEXlm License Server or locally. When MSC SimManager starts up, it looks in a configuration file to find out where to obtain its licensing information - the environment variable will point to one or more FLEXlm Server addresses. MSC SimManager will then make a request to FLEXlm to validate usage for the particular machine it is running on. Note: A FLEXlm Server is required in all cases. FLEXlm version or later is required. Obtain Licenses Contact your MSC.Software representative to obtain MSC SimManager licenses. The license will be provided in the form of a license.dat file. The MSC.licensing license file contains information used to validate usage of the software and may vary according to the licensing model used. Windows Install a FLEXlm Server 1. Select Install Software from the main MSC SimManager installation menu. 2. Choose MSC.Licensing

116 108 Product Licensing with FLEXlm 3. Select Server Installation to start the licensing server installation. 4. Click OK when your system's hostid appears. 5. Follow the installation dialogs. Note: When asked to select a license file, use the license.dat file supplied with MSC SimManager - if you do not have it, you can add it later LMTOOLS Configuration Utility LMTOOLS is a FLEXlm utility that allows you to configure various FLEXlm server settings. To start LMTOOLS, execute <install_dir>\lmtools.exe Update the MSC_LICENSE_FILE System Variable Go to the Windows Control Panel, select and look for System/Advanced/Environment Variables... MSC_LICENSE_FILE. The variable may contain other MSC.Software licensing information - edit it and add the location of the MSC SimManager license (either a server such as 1700@bari or a location such as c:\msc\flexlm\license.dat). Remember to separate entries with a semi-colon and to specify hostname locations first. Install MSC SimManager Licenses MSC SimManager reads the MSC_LICENSE_FILE system environment variable. You will need to update the variable to point to the correct license. Edit the license.dat File The license.dat file may be on the FLEXlm server or located on your machine; either way, you must have a FLEXlm server installed. Edit the license.dat file and add the MSC SimManager licenses. You can use LMTOOLS to find out the location of the license.dat file on a FLEXlm server. You may want to save a copy of the file before updating it. If this is a new license.dat file, you will need to change the SERVER and DAEMON lines in the new license file; otherwise, use what is already in the file and just add the FEATURE lines. For example: SERVER hostname hostid 1700 DAEMON MSC /your_path/msc

117 Chapter 5: Installing and Deploying SimManager Product Licensing with FLEXlm 109 FEATURE SMGR MSC apr-200 etc... Re-read License File If you are updating a license.dat file on a FLEXlm server, you need to refresh the file by using LMTOOLS to re-read the license.dat file and enable the new licenses. Unix Unload FLEXlm Server and Utilities In the flexlm directory on the installation disk, locate the file appropriate for your platform and unzip, then untar it. You should see the following files: LMGRD - the FLEXlm server MSC - the FLEXlm vendor daemon LMUTIL - the FLEXlm administration utility Install a FLEXlm Server First, unload the FLEXlm files as outlined in Unload FLEXlm Server and Utilities, 57 then run the following to start the server: <install_dir>/lmgrd -c <path>/license.dat

118 110 Product Licensing with FLEXlm Select the license.dat file supplied with MSC SimManager - see Install MSC SimManager Licenses, 54. You may need to ensure that the FLEXlm server is started automatically. Display the FLEXlm hostid First, unload the FLEXlm files as outlined in Unload FLEXlm Server and Utilities, 57 then run the following: <installation_dir>lmutil hostid Install MSC SimManager Licenses Installing the MSC SimManager licenses is simply a case of adding them to a license.dat file and pointing to it in the MSC SimManager configuration file as described in Update the MSC SimManager Configuration File, 58. Note: Although MSC SimManager looks in the configuration file for the location of a FLEXlm license file, if the MSC_LICENSE_FILE system environment variable is defined, it will override the configuration file and possibly prevent the product starting up - if this is the case, you will need to update the variable to point to the correct license. Edit the license.dat File The license.dat file may be on the FLEXlm server or located on your machine; either way, you must have a FLEXlm server installed (see Install a FLEXlm Server, 56). Edit the license.dat file and add the MSC SimManager licenses. You can use LMTOOLS to find out the location of the license.dat file on a FLEXlm server (see Unload FLEXlm Server and Utilities, 57. You may want to save a copy of the file before updating it. If this is a new license.dat file, you will need to change the SERVER and DAEMON lines in the new license file, otherwise, use what is already in the file and just add the FEATURE lines. For example: SERVER hostname hostid 1700 DAEMON MSC /your_path/msc FEATURE SMGR TBD MSC apr-2007 etc... Replace License File Rename the existing license.dat file to license_old.dat, and rename the new file to the current license file name (i.e. license.dat): mv license.dat license_old.dat mv license_new.dat license.dat

119 Chapter 5: Installing and Deploying SimManager Product Licensing with FLEXlm 111 Force FLEXlm daemon to Read New License File Use the lmreread command to cause the lmgrd daemon to reset using the new license file. <install_dir>/lmutil lmreread -c <path>/license.dat You should now be able to run MSC SimManager products using the new licenses. If, for some reason, this fails, kill and restart the daemons as follows. <install_dir>/lmgrd -x lmdown -c <path>/license.dat <install_dir>/lmgrd -c <path>/license.dat Point MSC SimManager to the License File Typically, to change the MSC_LICENSE_FILE location edit the following file as the 'root' user: /etc/profile.d/sm.sh /etc/profile.d/sm.csh Please note that the file /opt/msc.software/simmanager/r3.1/bin/start_webserver.sh adds the line: source /etc/profile.d/sm.sh This is REQUIRED so licensing will be found at system startup. If SimManager is reinstalled or this file is replaced for any other reason, you must add that line to the start_webserver.sh file. Client Access/User licensing The license provided by MSC.Software for SimManager Enterprise authorizes a maximum number of users to run SimManager based on either a Network User license model or a Named User license model. Network User licensing Network licenses can be shared between users and allows more flexibility to allow a larger number of users to access the system. The number of simultaneous user sessions is limited at anyone time to the maximum number of Network client access licenses available. Named User licensing Any named user may log in and use SimManager on any machine on the network on which the license server is reachable. Each named user is permitted to run multiple sessions of SimManager, but on the same machine, and with each session using an additional license. So, if you have three sessions of SimManager running on your computer, you will use three licenses from the Named User License pool. When individual users consume multiple licenses, it is possible that the available license pool may get depleted, thus denying access to other named users. Your SimManager administrator manages the list of users that can run the software.

120 112 Product Licensing with FLEXlm OPTIONS file The OPTIONS file contains the list of named users of SimManager. Your administrator maintains the OPTIONS file that lists the named user login IDs. This way, you control who is a named user and may change it at any time. You do this by editing the file and restarting the license server using the FlexLM lmtools utility. No contact with MSC.Software is needed to change the list of named users. Named user licensing requires that the path to the OPTIONS file be given on the DAEMON line of the license file. Please refer to flexlm regarding the various ways of creating an option file. Some examples are listed below: # Start of License File # SERVER blade 80fb DAEMON MSC /your_path/msc OPTIONS=/your_named_user_options file FEATURE SMGR_Enterprise_Server MSC sep \ EDE4574CBB2A20264A83 ck=35 SN= e4f443488be92cfcfdf5 FEATURE SMGR_Enterprise_Client MSC sep \ AD54574CD911B48128B6 USER_BASED ck=38 \ SN= b6d60928de5888d6395e The SMGR_Enterprise_Client feature provides access to SimManager. Some examples of an OPTIONS file for SimManager are shown below: Example 1 Include SMGR_Enterprise_Client USER user1 Include SMGR_Enterprise_Client USER user2 Example 2: GROUP SimManager user1 user2 user3 INCLUDE SMGR_Enterprise_Client GROUP SimManager Installing and Deploying SimManager After preparing the environment to install SimManager, you are ready to install, configure, and deploy the SimManager software as follows: 1. Download the software from the MSC Software delivery site or obtain the SimManager delivery CD-ROM. 2. Install the SimManager software. 3. Configure and activate SimManager portal. 4. Confirm the installation.

121 Chapter 5: Installing and Deploying SimManager Product Licensing with FLEXlm 113 Using the SimManager delivery media, proceed with the following steps: 1. Unzip (extract) and untar the downloaded files as required. The directory to which the files are extracted will be referred to in this document as <SM_INSTALL_DIR>. Changing this directory after installation will require modifications to the configuration files. 2. Set the system environment variable MSC_LICENSE_FILE as required. The following table is a partial list of the file structure after SimManager is installed (for reference only). The examples are for a Linux installation and Windows installation. Table 5-1 Delivery Contents Directory SimManager/<version>/bin SimManager/<version>/config SimManager/<version>/help SimManager/<version>/logs SimManager/<version>/migration SimManager/<version>/scripts SimManager/<version>/SimManager SimManager/<version>/Studio SimManager/<version>/war Description Ancillary programs linked to SimManager processing. Location of Admin tool (Batch and Studio) configuration files. Contains online help for Eclipse-Based and Classic Studio. Contains log files generated from SimManager processes. Contains instructions for migrating to version R3 Files associated with deployment options for the Web server. Contains files associated with creating the war files for deployment. Contains packaged code for Eclipse-Based Studio processing. war file that was processed for deployment to the Web server.

122 114 Installing SimManager Installing SimManager This section describes how to perform a full/typical or custom installation, and how to finalize your installation of SimManager. Performing a Full/Typical Installation, 114 Activating Portal, 126 Performing a Custom Installation, 148 Performing a Full/Typical Installation To install SimManager: 1. Run the installer to launch the SimManager - InstallShield Wizard and click Next.

123 Chapter 5: Installing and Deploying SimManager Installing SimManager Review the requirements for SimManager Enterprise Edition and ensure that you have the correct prerequisite applications installed. Click Next.

124 116 Installing SimManager 3. Click Browse to select an installation directory for the SimManager application. Click Next. Note: Do not install the application to a location that has spaces in any portion of the path. 4. Select the type of installation you want to perform: Typical - Installs only the SimManager and Studio applications. Full - Installs all applications, including the SimManager, Studio, Integrated Client, and Action Runner. Custom- Installs selected applications See Performing a Custom Installation, 148.

125 Chapter 5: Installing and Deploying SimManager Installing SimManager 117 Click Next. 5. Select one of the following: Install Eclipse and Studio Plug-in This will install both Eclipse and the Studio Plug-in needed to activate SimManager. Install Studio Plug-in to existing Eclipse By selecting this option, you may specify the directory of an existing Eclipse installation into which the Studio Plug-in will be installed Click Next

126 118 Installing SimManager 6. Select an application server for the web.

127 Chapter 5: Installing and Deploying SimManager Installing SimManager Select one of the following: WebSphere Application Server - Enter the installation directory for the WebSphere Application Server <WEBSPHERE_HOME>. This is the full path to the AppServer directory that contains the bin directory. Note: If you select the WebSphere application server, the installer will automatically interrogate the system and set the default values and selection menus for the following dialogs. Apache Tomcat - Enter the installation directory for the Apache Tomcat Server <TOMCAT_INSTALL_DIR>. JBoss - Enter the installation directory for the JBoss Server <JBOSS_INSTALL_DIR>. Click Next.

128 120 Installing SimManager 8. Select WebSphere Application Server Profile. SimManager Installer will now collect WebSphere s Settings from your server. Note: Ensure that your WebSphere application server is currently running. If the Application server is not running, InstallShield will attempt to start the application server, but may hang.if the installation process does not progress after 5 to 10 minutes, close all the installation dialog windows (do not kill the process), ensure that WebSphere is running and relaunch the SimManager installer to begin the installation again. 9. Enter the General Portal Information. The following shows an example of the WebSphere Application Server Portal Information window. Hostname - The hostname of the machine to which you are installing. Node (WebSphere Application Server only) - Value is case sensitive. If you manually created a node in your WebSphere Application Server, use the appropriate value.

129 Chapter 5: Installing and Deploying SimManager Installing SimManager 121 Type - Select either Server or Cluster based on the deployment profiles you have created. See Setting up SimManager in a clustered WebSphere environment, 152 Webserver Context - Enter a name that will be used to access the SimManager Web application. For example, using the values shown in the image above, the URL to access the SimManager Web application would be: Deployment Destination (WebSphere Application Server only) - Enter the directory to which you want to install the SimManager application. Select Default to use the WebSphere Application Server internal default. If you want to install to a custom location, select the other option, and then Browse to the desired location. Click Next..

130 122 Installing SimManager 10. Select a Virtual Server, as shown below... Note: If you are installing to a Tomcat webserver or installing integrated client only, the following dialog will display different parameters, see parameters below. : Yes - This is the recommended option (default). Set unique values for: Virtual Server Name (accept default) and port number. No - Enter the name of the existing Virtual Server to which you want to deploy the SimManager Web application. Note: The SimManager Web application requires custom Java settings that will interfere with any Web applications already installed under an existing Virtual Server.

131 Chapter 5: Installing and Deploying SimManager Installing SimManager Verify that all settings are correct before continuing. Select Install to begin the installation process.

132 124 Installing SimManager 12. To complete SimManager installation, Select Launch MSC.SimManager Studio or Clear the selection if you do not want to launch Studio or activate the SimManager portal Click Next..

133 Chapter 5: Installing and Deploying SimManager Installing SimManager Click Finish to exit the installer. Proceed with Activating Portal, 126 to finalize your SimManager installation.

134 126 Activating Portal Activating Portal Portal activation is a process in which a SimManager portal is configured and deployed. During the portal activation process, you must answer several questions regarding the portal, its database configuration, and its content. Once these questions are answered, the portal is deployed on the Web application. When you begin the portal activation process, SimManager launches Eclipse to perform the activation process. Note: If licensing fails when selecting the Activate Portal to launch Eclipse Studio, a dialog appears, reporting the error and prompting the user to check the status of the MSC_LICENSE_FILE variable, which could be improperly set, and advising you to check your access to the license server, or contact the administrator for assistance. The portal activation process includes the following steps: Setting up the Workspace Launcher, 126 Starting the Portal Activation Process, 127 Specifying the Directories, 128 Logging In, 130 Selecting a Portal, 130 Specifying the Portal Instance Name, 131 Specifying the Database Configuration Information, 132 Initializing the Knowledge Base, 139 Specifying the Load Data File, 141 Setting Properties, 142 Installed SimManager Enterprise Directory Structure, 144 Setting up the Workspace Launcher Eclipse initially displays the Workspace Launcher, as shown: Eclipse requires you to work from a workspace so that Eclipse projects, settings, log files, etc. can be stored in a specific location.

135 Chapter 5: Installing and Deploying SimManager Activating Portal 127 To set up the Workspace Launcher: The initial Workspace value is set to the default under the installation directory and it is recommended that this value be used. If you want to change this directory, select Browse. Click OK to continue. Starting the Portal Activation Process A Perspective in Eclipse defines a customized graphical user interface for a particular function. The Setup Perspective is comprised of two tabbed panels called views. The views are: Setup View - Provides access to the Activation Wizard and the SimManager Project Creation Wizard. Output View - Displays information about the wizards as they run, displaying the wizard's progress and error messages.

136 128 Activating Portal To start the portal activation process: Click Activate Portal The wizard displays a set of dialogs that allows you to provide the required information before the actual activation process starts. For most inputs, an acceptable default value will be presented. Specifying the Directories To specify the directories: Enter the path or accept the default for the following directories:

137 Chapter 5: Installing and Deploying SimManager Activating Portal 129 Installation Directory - This is the <SM_INSTALL_DIR> directory that contains the bin, scripts, SimManager, Studio, and war directories. Deployment Directory - Directory where the SimManager Web application was deployed. For the Apache Tomcat Web application server. This is typically under the <tomcat>/webapps/<context> directory. In this directory, there should be the directories jars, lib, portals, and WEB-INF. Note: The directories displayed here match the values entered during the install procedure. If they do not match, Eclipse failed to start with the proper initialization information. Click Next.

138 130 Activating Portal Logging In The next page is the Login page. On this page, you must enter a valid user name and password for a superuser before activating a portal. To log in: In the User text box, enter SimMan. Follow letter-case as shown. In the Password text box, enter a valid password for user SimMan. Initially, this password is sdm. To change this password, use the Preferences page in SimManager Classic Studio. Click Next. Selecting a Portal The next page is the Portal Selection dialog. This dialog requires you to select a default portal or specify a preexisting portal in a zip file. To select a portal: Select one of the following:

139 Chapter 5: Installing and Deploying SimManager Activating Portal 131 Select a portal from the pull-down menu. Click user defined portal (zip file). Then, enter the path to the zip file containing the portal. For the standard installation, select. Click Next. Specifying the Portal Instance Name The next page is the Portal Selection dialog. This dialog requires you to select a default portal or specify a preexisting portal in a zip file. To specify the portal instance name: Enter the name of the portal instance or accept the default. The name must begin with a letter, but can include any combination of letters, numbers, and underscores.

140 132 Activating Portal Click Next. Specifying the Database Configuration Information Enter the database configuration information that is used to connect to the database, such as DB2 or Oracle. To specify the database configuration information: Complete the Database Configuration Information dialog box using the parameter description in Table 5-2.

141 Chapter 5: Installing and Deploying SimManager Activating Portal 133 Click Next.

142 134 Activating Portal Table 5-2 For the option Database Manager Schema Class Application User Name Application User Password Schema User Name Schema User Password File Vault Table Space Database Configuration Information Options Do the following Select how the SimManager system connects to a particular database. There can be one or more database managers and each one can point to different hosts, databases, and database types. Select Edit to display the Database Configuration Specification dialog box and set values for the database. For more information on the Database Configuration Specification dialog box, see Database Configuration Dialog Box, 135. Use the pull-down menu to select a valid schema class for the current portal. The available schema class names are automatically generated by searching the selected portal's schema definition files. Accept the "default" Enter the user name for the database user used at runtime to connect to the database. This user has no privileges to perform any DB schema changes; it can only read and write data to the database. The schema user has the permission to modify the database's schema. This user must not currently be in the database and must be different than the Schema user name. This user is created in the database during the database creation process. Enter the password for the application user. The application user is created with this password during database creation. Enter the name of the database user who owns the database application. This includes owning the database's tables, stored procedures, etc. This user must not be in the database currently and must be different than the Application user name. This user is created in the database during the database creation process. Enter the password for the schema user. The schema user is created with this password during the database creation. Enter the database file vault specification string. Select Edit to display the File Vault Configuration dialog box. For instructions on creating the file vault, see File Vault Configuration Dialog Box, 136. Optionally, specify the name of a tablespace to be used for database objects. To use this tablespace option, a database administrator needs to create the tablespace using the RDBMS system's tools. Then, use the tablespace name given to the RDBMS tablespace as the value of this tablespace. If you leave this text box blank, the default tablespace is used.

143 Chapter 5: Installing and Deploying SimManager Activating Portal 135 Database Configuration Dialog Box The Database Configuration dialog box displays when you select Edit, in the Database Configuration Information dialog. This dialog allows you to add, delete, and edit a database configuration. To add or edit a database configuration: Click Add or Edit to display the Database Configuration dialog, as shown below. This dialog box allows you to specify the database connection information. Complete the dialog box using the parameter descriptions in Table 5-3. Click OK.

144 136 Activating Portal Table 5-3 For the option Configuration Name Database Type Database Admin User Database Admin Password Database Host Database Port Database Instance Name Database Configuration Options File Vault Configuration Dialog Box The File Vault Configuration Dialog is displayed when you select Edit, next to the File Vault text box in the Database Configuration Information dialog. This dialog allows you to edit the file vault configuration. The configuration requires that a vault configuration be specified. To specify the file vault configuration: Select one of the following: Do the following Enter the name of the database manager you are modifying. This can be any alphanumeric name. _, - are also accepted. Use the pull-down menu to select the type of database. There are there choices: Oracle, Microsoft SQL Server and DB2. Select the name of the database user used to connect to the database instance. This name is given to the database when the instance is created. If you do not know this value, see your DBA for assistance. Enter the password of the database user used to connect to the database instance. This password is given to the database when the instance is created. If you do not know this value, see your DBA for assistance. Select the host machine or IP address where the database is running. Select the port on which the database is listening. Switching the database type sets this value to the default port of that database. Select the database instance name that has been assigned to the SimManager database. In Oracle, this is the SID. If you do not know this value, see your DBA for assistance. Local Vault Home Directory - Select this option if the vault is a directory that can be accessed from your SimManager deployment machine. Then, enter an absolute path to the network-mounted directory. Remote Vault Configuration - Select this option if the vault is not visible from the SimManager deployment machine. Then, complete the remaining text boxes as described in Table 5-4. You can specify the vault as read-only by checking the Vault is Read Only check box on File Vault Configuration dialog.

145 Chapter 5: Installing and Deploying SimManager Activating Portal 137 SimManager generates some temporary/transient files while performing simulation actions which are stored on some staging area and may not be transferred in to the file vault because these files may be very large in size or sometimes user does not really want a copy of these temporary files in normal vault. But these files need to be linked with SimManager objects so that user can seamlessly access the objects associated to these files same as the normal objects. These files are linked with the special type of vault which is called ReadOnly file vault. The files linked to ReadOnly file vault are not actually transferred in to the vault. These vaults physical location is mounted to the staging area. User can not also delete the files from ReadOnly vault. You should not make the default vault (i.e. MainVault) as ReadOnly. Note: For an initial installation or a new database, the file vault must be a valid directory. Verify that the directory does not contain the <vault>\smcontent\donottouch\vault.id file. If you select Local Vault Home Directory, ensure that the Remote Vault Configuration data is complete, but the specified directory does not exist. The system checks this information even though this data is not used. Any values of the required type can be used.

146 138 Activating Portal Select OK. Table 5-4 For the option Root Directory Host Port User Password Remote Vault Configuration Options Do the following Depending on your FTP server, enter a relative path from your FTP server home or an absolute path to the FTP server home. To validate this value, use FTP to log into the FTP server, and then change directories using the directory specified in the text box. If this works, then the FTP root directory is correct. If it does not, try changing the directory specified to a relative path or absolute path. Enter the hostname or IP address of the host machine. Enter the port number on which the FTP server is listening. This is usually 21. Enter the password for this user on the FTP server machine.

147 Chapter 5: Installing and Deploying SimManager Activating Portal 139 Table 5-4 Remote Vault Configuration Options (continued) For the option Do the following Add Debug Info Select one of the following: Vault is Read Only Yes - Adds FTP debug messages to the log file. No - Does not add FTP debug messages to the log file. (default) Set the Vault Type to be Read Only Initializing the Knowledge Base Next is the Initialize Knowledge Base. Accept the default or enter the full path to the database initialization file. This is typically the InitializeKnowledgeBase.xml file found in the config directory of the portal. In previous releases, this file was known as the DefineAuthorization.xml file. Note: Click Do not initialize database to turn off the re-initialization of the database. If you select this option, the database is not deleted, created, nor is the initialization of the authorization information performed. Instead, the existing database and authorization is left as-is. The actions performed are the portal file and portal instance file update.

148 140 Activating Portal Click Next.

149 Chapter 5: Installing and Deploying SimManager Activating Portal 141 Specifying the Load Data File The next page is the Load Data File. Enter the required data as described in table 4-5. This process will load (create) data in the initialized database.for the standard EnterpriseEdition portal, no load data file is required. Click Do not load data file and click Next. Table 5-5 For the option User Name Password Data file to load Do not load data file Data File Options Do the following This will be the owner of the data being created. This must be a valid user created in the previous Initialize Knowledge Base step. Enter the password of the user. Specify the absolute path to the data file to load, or click Browse to find the file. This file is typically called LoadInitialData.xml and is found in the portal s config directory. Select to turn off the loading of data into the database. If you select this option, no data is loaded into the database. Use this option to bypass loading data into the database.

150 142 Activating Portal Setting Properties The next page is Properties and allows you to automatically stop and start the web server and to set a web server stop and start delay. Click Finish. To set properties: Select Start/Stop Web Server to start and stop the Web server during the activation process. If you select this option, the Web server is stopped at the beginning of the activation and started again at the end. The stop and start delays are the time (in seconds) the activation process waits while it stops and starts the Web server. If this option is not selected, the Web server is not stopped and started. The Web server will have to be started and stopped using the SimManager specific stop and start functions.

151 Chapter 5: Installing and Deploying SimManager Activating Portal 143 Set the User Ids are Case Sensitive to build the database with the user id case sensitivity on. With this option, the users log into SimManager with or without the case sensitive being checked in the authentication of the user. When case sensitivity is turned off, all user ids are converted to lower case and displayed and used in that case. To set JBoss properties: The Deployment Directory under the JBoss Properties section should be set to point to where the admin has located the JBoss deployment directory. For example, if the JBoss deployment directory is D:/jboss GA, then the correct directory to set is D:/jboss GA/server/default/deploy. If you have a mature jboss installation, and you have other servers than the default, please consult your admin in order to use the correct server location. The SimManager activation process will zip and copy the war file from the installation directory and unzip into this deployment directory. It will automatically be deployed once it arrives in the directory. We recommend that your JBoss web server be shutdown during this activation step and then restarted after the war file is deployed. Note: When installing to JBoss, the deployment is an exploded war file deployment and not a war file deployment. An exploded war file deployment differs from a war file deployment in that the war file is expanded in the deployment directory whereas in the war file deployment, the SimManager war file is placed in the deployment directory. The war file deployment expands the war file into the temp directory each time the web server is started or the war file changes. In the exploded war file deployment, the war file contents exist in the deployment directory and do not get copied to the temp directory when the web server starts. The allows for editing of the SimManager configuration files to be done in the deployed directory and not in the war file itself. It also prevents runtime generated files from being removed when the web server is restarted. One such example of this is when a procedure is registered in SimManager. A JSP file is generated and stored in the portal's jsp directory. If the web server is running from a war file deployment, the JSP file is stored in the temp directory. When the web server is restarted, the temp war file deployment is removed and a new war file deployment is created in the temp directory. This process removes the generated JSP files. The location of the exploded war file deployment is located under the <JBoss install directory>/server/default/deploy/<web Server Context>.war/ directory.

152 144 Activating Portal Installed SimManager Enterprise Directory Structure The following information is a partial listing of the directory structure and files for the EnterpriseEdition portal and is provided for reference only. Table 5-6 Directory structure for SimManager Enterprise Directory Files File definition SimManager/ SimManager/config/ SimManager.properties Portal Instance Selection and other properties SimManager/portals/Base/config Default configuration and properties files for components such as Velocity SimManager/jars Contains jar files common to all portals (for example, Curve Applet jar file) SimManager/lib Contains the dlls used for licensing SimManager/portalInstances Contains EnterpriseEdition portal instantiations. SimManager/portalInstances/ <EnterpriseEditionPortalInstance> SimManager/portals SimManager/portals/Base SimManager /portals/base/ae DbConfig.properties Portal.properties Database connection information Portal specific configuration information Contains portal specific directories and files Contains SimManager Default resource files and configuration files. Contains AE scripts common to all of the portals. Note: These AE scripts are only active if they have been explicitly registered for that portal. SimManager/portals/Base/bin Contains common scripts. SimManager/portals/Base/config ApplicationResources.properties Contains prompts and error messages used by the SimManager Web application. We recommend that you do not modify this file. EasySearchRestrictions.xml Easy search configuration file

153 Chapter 5: Installing and Deploying SimManager Activating Portal 145 Table 5-6 Directory structure for SimManager Enterprise Directory Files File definition SimManager/portals/Base/config/QS HeadersDefs.xml JaasAuth.config Log4j.xml MimeTypeMappings.properties Simman.psw SimManagerTasks.properties ssfs.properties UnitsModule.xml UserPasswords.xml UserProfiles.xml File-based header collector specification. Jaas Configuration file Logging configuration file Mime Type Mapping definitions Password for the SimManager user, SimMan AE task name to classfile mappings. We recommend that you do not modify this file. Properties for Server Side File Selection Units-system definitions File containing user names and passwords used for filebased authentication User profiles and associated default roles Files related to queuing system SimManager/portals/Base/css *.css Cascading style sheets SimManager/portals/Base/errors Error pages SimManager/portals/Base/help *.html SimManager help files SimManager/portals/Base/images SimManager image files SimManager/portals/Base/js *.js Java scripts SimManager/portals/Base/pages *.jsp, *.html jsp pages SimManager/portals/Base/plot Curve-configuration file and plot-presentation templates SimManager/portals/Base/schema *.xml, *.dtd Database schema definition files SimManager/portals/Base/search Search-configuration files SimManager/portals/Base/typeconfig Object type configuration and presentation files SimManager/portals/Base/veltemplate Velocity templates SimManager/portals/Base/veltemplate/views Customized velocity templates SimManager/portals/SimEnterprise SimEnterprise portalspecific files

154 146 Activating Portal Table 5-6 Directory structure for SimManager Enterprise Directory Files File definition SimManager/portals/EnterpriseEdition/ae AE script definitions SimManager/portals/EnterpriseEdition/config InitializeKnowledgeBase.xml Defines the users and authorizations, and registers procedures with the system SimManager/portals/SimEnterprise/css SimEnterprise-specific cascading stylesheets SimManager/portals/SimEnterprise/pages SimEnterprise portal specific jsp files SimManager/portals/SimEnterprise/schema SimEnterprise schema definition files SimManager/portals/SimEnterprise/tree SimEnterprise tree configuration files SimManager/portals/SimEnterprise/images SimEnterprise portal specific image files SimManager/portals/SimEnterprise/ typeconfig SimEnterprise portal specific object type configuration and presentation files Confirming the Installation SimManager displays the Confirmation Page, which displays values entered in the Activate Wizard.

155 Chapter 5: Installing and Deploying SimManager Activating Portal 147 Review the values in the Confirmation page, and then click OK to start the activation process.

156 148 Activating Portal During the activation process, error messages display in the SimManager Output View in Eclipse and are also added to the log file in the <SM_INSTALL_DIR>/Studio/Studio.log file. If an error occurs, click Back on the Activate Wizard and correct the problem. Once the problem is corrected, click Finish to rerun the activate procedure. If you are activating a user-defined portal, the changes to the portal must be made in the zip file. If you make changes to the portal in the portals directory, the directory is removed before running the activation process, and replaced with the contents of the zip file. If the database is to be initialized, a confirmation dialog box asks you to confirm this operation before the action starts. Performing a Custom Installation The Custom installation option allows you to choose which components you want to install. SimManager - Provides access to the SimManager portal server.

157 Chapter 5: Installing and Deploying SimManager Activating Portal 149 Studio - A graphical user interface (GUI) to assist you with the setup and configuration of SimManager. You can use the Studio tool to validate, create, and delete databases, command files, and load data into the system. Integrated Client - Provides programmatic access to SimManager functionality through an Object Oriented API. Action Runner - Runs action scripts that launch specified applications on the client workstation.

158 150 Testing the Installation Testing the Installation To test your SimManager Web Application: 1. Navigate to <SM_INSTALl_DIR>/bin directory. Execute start_webserver.bat/sh command and wait for server start to be finished. 2. Open a supported Web browser and type in the appropriate URL: Typical URL: The <PORT> is, by default, 8080 for Tomcat and 9085 for WebSphere. The default context name is SimManager. A login screen appears, prompting you to enter a valid user ID and password. 3. Enter your user name and password. A login screen appears. Enter a valid user ID and password:

159 Chapter 5: Installing and Deploying SimManager Testing the Installation Verify that you can access the Enterprise Edition Home page.

160 152 Testing the Installation Setting up SimManager in a clustered WebSphere environment The documentation can be accessed using the launchpad.bat file which brings up the launchpad panel for WebSphere Application Server ND.

161 Chapter 5: Installing and Deploying SimManager Testing the Installation 153 From the launchpad, click on the Installation Diagrams link to review the available WebSphere configuration options. To install SimManager, after WebSphere has been configured and tested: 1. Run the SimManager installer and follow all the steps as normal/default. 2. When you get to the profile selection panel for WebSphere, select the "cluster profile" and click next. Note: In order for the installer to create a cluster you must select a "Deployment Manager" profile type. 3. Choose Node cluster node from the node menu (example "smclusternode01"). 4. Choose "cluster" in the type menu and use the defaults for the rest of the installation and click next. Note: If the profile you selected is not a "Deployment Manager" type, then this feature will be disabled. 5. Follow the rest of the steps as normal/default. 6. Once the installation is complete and you have activated the portal using Studio and made any other changes, run the included SimManager script:

162 154 Testing the Installation <SM_INSTALL_HOME>/bin/update_nodes.[sh/bat] 7. Log into the WebSphere Administration Console and create the cluster. 8. Go to Admin Console -> Servers -> Clusters -> SimManagerCluster -> cluster members Note: SimManagerCluster is the default cluster name, it is the web context chosen during the SimManager installation with "Cluster" appended to its name. Follow the remaining instructions for the particular cluster configuration of WebSphere that has been deployed. SimManager can be deployed into a clustered WebSphere environment to support load balancing and failover of the web application server. There are many configurations methods and approaches for setting up a clustered WebSphere environment. Refer to the IBM WebSphere Application Server documentation provided on the CD.

163 Chapter 6: System Administration 6 System Administration Overview 156 Administrative Tools 157 Administrative Functions 160 Authorization and Authentication 180 Web Server Administration 243 Portal Configuration 269 Lifecycle Management and System Actions 287

164 156 Overview Overview This chapter includes descriptions and basic instructions for: SimManager administrative tools Database creation and connections Vault management and connection Site-specific parameters for network connections to include load balancing and failover Portal specific display properties This chapter also includes basic information and procedures for the configuration of site-specific authentication mechanisms. For additional information on configuration topics or customization, refer to the SimManager Deployment and Configuration Guide.

165 Chapter 6: System Administration Administrative Tools 157 Administrative Tools Administrators of SimManager generally use two main tools to deploy and update the SimManager environment: SimManager Classic Studio - Provides a graphical user interface (GUI) for the commands in the Admin tool. SimManager Eclipse-based Studio - is a tool that allows you to configure and activate SimManager portals. To perform administration tasks, these tools use XML files containing content (data) and instructions (commands) to set up the administrative environment. SimManager Enterprise provides additional administrative tools for customization and configuration of the SimManager environment. Refer to the SimManager Deployment and Configuration Guide for information on these additional tools. SimManager Classic Studio SimManager Classic Studio provides a graphical user interface (GUI) to assist you with the set up and configuration of the SimManager environment. You can use this interface to validate, create, and delete databases, run command files, and load data into the system. SimManager Classic Studio provides the following capabilities: Setup - configure and modify properties, delete, and create databases. Initialization - initialize knowledgebase, and load data. Update_schema - Evolve schema for an existing database. Validate system - Validate the system with current configuration settings. Create schema script - Generate SQL statements to create database schema of a specific portal. Delete schema script - Generate SQL statements to delete an existing database schema of a specific portal. Create vaults - Initialize vaults registered through the properties file. Delete vaults - Remove existing vault locations and their contents. Check_update_schema - Validate schema for an existing database. Export/Import database - export/import tools provide the replication functionality of the SimManager system. You can export data from one SimManager system and import it into another. Update vault location - update file vault location. Export a Database - Create SQL script for authorization data contained in the database. Create schema only - Create the database schema only.

166 158 Administrative Tools To start Classic Studio : 1. Navigate to the <SM_INSTALL_DIR>/bin directory. 2. Do one of the following: Linux and Unix: Execute the run_classic_studio.sh command file. Windows: Either execute the run_classic_studio.bat batch file, or go to Start -> Programs -> MSC Software -> SimManager -> Classic Studio. For more information on SimManager Classic Studio and tool-specific help, see its online help. To access the Classic Studio online help: In the Classic Studio interface, go to the Help menu, and then select Content and Index. SimManager Eclipse-based Studio SimManager Eclipse-based Studio allows you to configure and activate SimManager portals. It uses the Eclipse IDE as its base framework, and provides a plugin that displays specialized views, editors, and dialogs. For more information on how to use Eclipse-based Studio, see the online help. To Start Eclipse-based Studio: Do one of the following: Linux and Unix: Execute the run_studio.sh command file. Windows: Either execute the <SM_INSTALL_DIR>/bin/run_studio.bat batch file, or go to the Start -> MSC Software -> SimManager -> Studio. To access the Eclipse-based Studio online help: In the Eclipse-based Studio interface, go to the Help menu, and then select Help Contents. Running the Activate Command The Activate command allows you to configure a user-defined portal and use it as the default portal when the Web server starts. See Chapter 4 for detailed instructions. SimManager Batch Admin Tool The SimManager Ant-based Batch Admin Tool is a batch-only interface that is executed using a script. It can be used by SimManager administrators to deploy and update a SimManager portal. To perform administration tasks, the Batch Admin tool uses an XML file containing content (data) and instructions (commands) to set up the administrative environment.

167 Chapter 6: System Administration Administrative Tools 159 To administer SimManager portals, we recommend using SimManager Classic Studio. Note: To run the SimManager Batch Admin Tool Apache Ant MUST be installed and the ANT_HOME MUST be set. You can download and install Apache Ant from To configure the Admin tool: Edit the <SM_INSTALL_DIR>/config/BatchAdmin.properties file: 1. Set the portal name appname.sel= EnterpriseEdition. 2. Set the full path to the initialization setup XML file, ana_setup_schema = <SMAPP_ROOT>/portals/EnterpriseEdition/config/InitializeKnowledgeBase.xml. 3. Set the full path to the database loading XML file, load_db_schema = <SMAPP_ROOT>/portals/EnterpriseEdition/config/LoadInitialData.xml. 4. Set the full path to the generic commands, enter cmd_file = <SMAPP_ROOT>/portals/EnterpriseEdition/config/RegisterProcedures.xml. 5. Set the Admin user name for Database ana.user = SimMan. 6. Set the Admin password for Database ana.passwd= sdm. 7. Set the full path of the deployment directory, webserver.dir = <SMAPP_ROOT>. 8. To select the Admin tool function to execute, enter admintool.sel= and one of the following functions: BuildDb, DeleteDb, ValidateDb, CreateDb, SetupAnA, LoadDb, RunGeneric, ValidateDb For example, admintool.sel=validatedb. To start the Admin tool: 1. Navigate to <SM_INSTALL>/bin/. 2. Enter the launch command for your platform: On Windows:./run_admin.bat On UNIX or Linux:./run_admin.sh 3. When prompted enter the full path for "ANT_HOME" (previously installed Apache Ant application).

168 160 Administrative Functions Administrative Functions Creating and Deleting SimManager Databases The Classic Studio can be used to create and delete databases and vaults: For the Classic Studio to create or delete the SimManager database, the active user must have database admin privileges. The Classic Studio can also be used to create SQL scripts that can be used by the authorized personnel to create the required RDBMS for customer sites that restrict access to database administrators. The following sections explain the mapping of a SimManager database to an RDBMS. Matching a SimManager Database to the RDBMS SimManager stores metadata in a set of RDBMS tables, which are called a database in the SimManager documentation. The following sections explain the relationship between the SimManager database terms and the respective RDBMS database terms. Mapping to IBM DB2 The IBM DB2 database system uses a concept of database instances where there can be several database instances on the same host. An instance is identified by an instance owner, who is also the operating system user owning the files and directories that make up the instance. Each IBM DB2 instance: Can be configured, started and stopped independently Can have multiple databases Instance owner has administrative power to all databases in the instance Databases in the instance are comprised of configuration parameters and data files. Data files are grouped into table spaces. Databases are used by application programs by means of network connections. To facilitate this, the database instance must be configured to accept network connections. After accepting a connection, the instance calls service daemons to operate on the requested database on behalf of the application program. DB2 relies on the operating system to create and authenticate users. Any user connecting to DB2 must exist in the operating system. Depending on the configuration, user authentication can be performed either on the client or on the database server. In contrast to users authentication, database privileges granted to users (known as authorization) are established within the individual database. Privileges can be granted to single users as well as to groups. For each user, a schema is created using the same name as the user. Subsequently, tables are created inside a table space and inside a schema. The table space defines the physical characteristics, such as data files,

169 Chapter 6: System Administration Administrative Functions 161 space allocation and so on; the schema defines the logical organization. By default, the schema with the same name as the user creating the table is used. Database users are typically assigned different privileges with respect to what operations are available to them and what schemata and table spaces they can use. For example, at runtime, the application program can be forced to use a less privileged user, such as one who cannot modify the schema (for example, create or delete tables). Initial schema creation must then be done by an administrator, or a privileged user who may also own the schema. SimManager supports this privilege separation by specifying one username/password for the schema owner and separate username/password for the database user to use at runtime. When using the automatic database initialization process, an additional username/password of an administrative account is required. During the automatic database initialization process, the administrative user is used to grant appropriate permissions to the other two users: the schema owner and the runtime user. The schema owner is then used to create the database objects, such as tables, views, indexes, and so on. These database objects are owned by the schema owner and reside in a DB2 schema of the same name. During the automatic database deletion process, the schema owner is used to delete the database objects, such as tables, views, indexes, and so on. The user privileges are not modified after deletion. If you initialize the database manually, using SQL scripts, the administrative user is never used by SimManager, so this parameter is irrelevant. The schema owner, however, is used as the name of the database schema, so this name must be specified correctly (the password is irrelevant). If you want to use the same DB2 database for different SimManager databases, you must use a different schema name (schemaowner parameter) for each instances. There are no special considerations to using different databases, even within the same DB2 instance. The table below summarizes the configuration settings needed to access a DB2 database: Table 6-1 Parameter dbserverhost dbserverport dbservername dbmanagerclassname DB2 Database Connection Parameters Meaning Network host name of the server hosting the database instance Listening port number database instance; conventionally this is a number in the or range Database name (created within the instance) com.msc.sdm.db.sql.db2.db2serverdatabasemanager

170 162 Administrative Functions Table 6-1 Parameter dbadminuser/...password schemaowner/...password DB2 Database Connection Parameters (continued) Meaning Privileged DB2 user (e.g., instance owner); used for assigning privileges to schemaowner and dbuser, if using the automatic process; if using SQL scripts, the user name is used as the name of the DB2 schema. Using the automatic process, this user is first granted schema creation privileges, and then the schema is created by this user. appuser/password dbtablespace dbindextablespace schema If using SQL scripts, the name given as schemaowner must be the DB2 schema name. The user which is used to connect at runtime. If using the automatic process, this user is granted appropriate privileges, otherwise the DB2 administrator must grant the required privileges. Used to place all tables into this tablespace. Optional. When not specified, the DB2 automatic placement algorithm will be used to select the best matching tablespace. Used to place all indexes into the given tablespace. Optional. dbindextablespace can only be given if dbtablespace is also specified. The qualified name of the SimManager portal schema; it has no connection to any DB2 entity. The DB2 table space page size limits the maximum row size of any table in the table space, and uses a buffer pool with a page size matching the table space. If no table space is specified when creating tables, DB2 selects a table space that matches the row size requirement automatically, as long as the user (schema owner) has permission to use that table space. Mapping to Oracle Oracle uses a concept of database instances, whereby: There can be several database instances running on the same host An instance is identified by an ORACLE_SID Each instance can be configured, started and stopped independently An instance is comprised of a set of configuration parameters (init.ora settings) and data files. Data files are grouped into table spaces. Database instances are used by application programs by means of network connections. To facilitate this, a listener process (tnslsnr) must be running on the database server host. The listener accepts incoming connection requests on a TCP/IP port and forwards them to the requested database instance. Privileged users are created by default when the database instance is created. These can define additional database users and their passwords, such that each user is assigned a "schema" of the same name as the user name.

171 Chapter 6: System Administration Administrative Functions 163 Tables are created inside a table space and inside a schema. The table space defines the physical characteristics, such as the data file, space allocation etc., while the schema defines the logical organization. By default, the schema uses the same name as the user who created the table. Database users are typically assigned privileges with respect to what operations are available to them and what schemata and table spaces they can use. For example, at runtime, the application program can be forced to use a less privileged user, such as one who cannot modify the schema (for example, create or delete tables). Initial schema creation must then be done by an administrator, or a privileged user who may also own the schema. SimManager supports this privilege separation by specifying one username/password for the schema owner and separate username/password for the database user to use at runtime. When using the automatic database initialization process, username/password of an administrative account is required. During the automatic database initialization process, the administrative user is used to create two other users, the schema owner and the runtime user. The schema owner is then used to create the database objects, such as tables, views, indexes, and so on. These database objects are owned by the schema owner and reside in an Oracle schema of the same name. During the automatic database deletion process, the schema owner is used to delete the database objects, such as tables, views, indexes, and so on. The administrative user is then used to delete the schema owner and runtime user. If you initialize the database manually, using SQL scripts, the administrative user is never used by SimManager, so this parameter is irrelevant. The schema owner, however, is used as the name of the database schema, so this name must be specified correctly (the password is irrelevant). You can use the same database instance for different SimManager databases, as long as the schema name (schemaowner parameter) is different for each one. The table below summarizes the configuration settings needed to access an Oracle database: Table 6-2 Oracle Database Connection Parameters Parameter Meaning dbserverhost Network host name of the Oracle server running the tnslsnr process dbserverport Listening port number of the Oracle tnslsnr process; default is 1521 dbservername ORACLE_SID of the Oracle database instance dbmanagerclassname com.msc.sdm.db.sql.oracle.oracledatabasemanager dbadminuser/...password schemaowner/...password Privileged Oracle user; used for creating and deleting schemaowner and dbuser if using the automatic process; not used if using SQL scripts Using the automatic process, this user is created first, and then the schema is created by this user; If using SQL scripts the name of the schemaowner must match the Oracle schema name.

172 164 Administrative Functions Table 6-2 Parameter appuser/password dbtablespace dbindextablespace schema Oracle Database Connection Parameters (continued) Meaning The user which is used to connect at runtime; if using the automatic process, this user is created for you, otherwise the Oracle administrator must create it. Used in the automatic process to assign a default tablespace to the schemaowner so that all database objects will be created in this tablespace. (Optional) Used to place all indexes into this tablespace by default. Optional The qualified name of the SimManager portal schema; it has no connection to any Oracle entity.

173 Chapter 6: System Administration Administrative Functions 165 Automatic Database Creation and Deletion For automatic database creation, configure the database parameters in the Classic Studio Tool (or provide the correct settings in DbConfig.properties), and then select Create Database and confirm the selection. Classic Studio will initialize the RDBMS and all vaults of your schema. Figure 6-1 Automatic Database Creation example in Studio After creating the database, you can run a command file to load the user and role setup, load some sample data as required. To automatically delete the database, using Classic Studio Tool, select Delete Database and confirm when prompted.

174 166 Administrative Functions Classic Studio first deletes the vaults, and then the RDBMS. Therefore, if an error occurs during deletion of the database, the process will abort, and the vaults will have already been deleted. Exercise extreme caution before selecting the delete option. Figure 6-2 Automatic Database Deletion example in Studio Manual Database Creation and Deletion For manual database creation, use Classic Studio to save the creation scripts to files. There are two scripts, the admin script and the schema script. The admin script contains commands to create the database users needed by SimManager. The schema script contains commands to create the database objects, such as the tables, views, stored procedures, and so on.

175 Chapter 6: System Administration Administrative Functions 167 To manually create the database, execute Create Schema Script, enter the file names to save the scripts, and confirm when prompted, as shown in the figure below: Figure 6-3 Creating the Database Creation Scripts example After creating the scripts, the database administrator must run them in the database s SQL command line processor. For Oracle, this would be the sqlplus command, for DB2, the db2 command, and for SQL Server, the osql command. Before executing the SQL scripts, verify that there is a database schema containing all tables, views, etc., and that there is a user (authorized to access that schema) for SimManager to connect to at run time.

176 168 Administrative Functions Run the admin script under a privileged database user to create the schema owner and run time user. Then, run the schema script (under the schema owner just created) to create the database objects in the schema owners schema. Note: Request the final schema name and connect user/password from the database administrator, and enter the information in the SimManager database configuration (DbConfig.properties). After the RDBMS has been initialized by the database administrator, a separate step is necessary to initialize the vaults. Start Classic Studio, select Create Vaults and confirm when prompted. Figure 6-4 Create Vaults example Proceed with run command file loading user and roles setup, and data, as in the automatic database creation process.

177 Chapter 6: System Administration Administrative Functions 169 To delete the database via SQL scripts, use Classic Studio to delete the vaults. This step must be executed before deleting the RDBMS. The Studio cannot delete vaults after the RDBMS has been deleted. Select Delete Vaults and confirm. Figure 6-5 Delete Vaults using SQL Scripts example Next, save the database deletion scripts. Select Delete Schema Scripts, enter the file names, and confirm when prompted. Give these scripts to your database administrator. Who can run the schema deletion script when connected as the schema owner, then the admin deletion script when connected as a privileged database administrator. The former drops the database objects that were used by SimManager, the latter remove the users that were created for SimManager.

178 170 Administrative Functions Figure 6-6 Creating the Database Deletion Scripts example Note: You can also manually delete the vault and associated files. For DB2, users are not deleted, so the admin script is empty. Vault Management Overview The following sections describe the relationship between physical storage systems, storage locations, physical vaults, and logical vaults. SimManager stores data files in vaults. A portal can have any number of vaults, and each vault can have a different storage location, access protocol, and vault type. SimManager has both physical and logical vault types:

179 Chapter 6: System Administration Administrative Functions 171 Physical vault - Container for a physical storage system defined by any or all of the following: storage path (location), host name, port, user name, and password. Logical vault - Container for files handled in a common way. For example, one logical vault might be for files stored together on the same storage system, and another might be for files subject to the same backup process. A file (data class) is assigned to a logical vault based on its DOCUMENT attributes. This assignment is defined by a portal s schema definition, which also references each logical vault by a unique name. A logical vault is always associated with a physical vault, which maps it to a physical storage system. This mapping is specified in the DbConfig.properties file, where each logical vault name is associated with a string specifying its vault type and the storage path for the physical vault. For details, see File vault properties, 274. Figure 6-7 Logical vault-physical vault association A simple portal may have a single physical and logical vaults as shown above. Portals can also have multiple physical and logical vaults. The number of vaults your portal uses was initially determined when the schema was created.

180 172 Administrative Functions Vault Administration You use the Classic Studio to perform vault management tasks like creating, moving, and updating physical vaults and mapping logical vaults. The following sections provide information to help you update your portal s vault configuration and perform vault maintenance. Changing physical vault access information If the access information for one of your physical storage systems changes, you will need to update the corresponding parameter(s) in the associated physical vault. Access information includes any or all of the following: storage path (location), host name, port, user name, and password. In the example below, the Host setting of a simple portal configuration is updated. Figure 6-8 Changing physical vault access information

181 Chapter 6: System Administration Administrative Functions 173 To change access information for the main vault: 1. In the Classic Studio, go to the Configure Database... menu, and then select Edit File Vault. See Changing physical vault access information, 172. Figure 6-9 Database configuration 2. Update the access settings to reflect the change in the access information for physical storage system. 3. Click Save. The settings in DbConfig.properties are updated. However, SimManager will continue to use the old information until you synchronize the configuration file to the database. 4. Select Update Vault Location... See Update Vault Location, 174. The configuration information is copied to the database.

182 174 Administrative Functions Creating additional physical vaults When an existing physical vault has no storage space remaining, you can create an additional physical vault to store future files to another location. After you create the additional physical vault, you remap the original logical vault to it, as shown below. From then on, files stored on the logical vault will be stored at the new location. The original physical vault, with its original storage system and files, remains in place to provide access to its original files. Figure 6-10 Update Vault Location

183 Chapter 6: System Administration Administrative Functions 175 You can also add storage capacity by moving the existing physical vault and its data to a larger physical storage system. For more information, see Moving physical vaults, 176. Figure 6-11 Example: Remapping a vault. To create an additional vault: 1. In the Classic Studio, select Vault Admin. See Physical vault creation, Select the logical vault to associate with the physical vault. 3. Select Create 4. Enter access information for the physical storage system, including the fields under Remote Vault Configuration (if you use only local vault access, you should enter fictitious values. For syntactical reasons, the Remote fields cannot be blank.)

184 176 Administrative Functions 5. Click OK. Figure 6-12 Physical vault creation Mapping logical vaults to physical vaults To map a logical vault to a physical vault: 1. In Classic Studio, select Vault Admin. See Physical Vault admin/use Vault, Select the logical vault you want to remap to a different physical vault. 3. Select Use The alternate physical vault appears under Current Location and the original vault under Other Locations. Moving physical vaults When an existing physical vault no longer has storage space available, you can create an additional vault, or you can add storage capacity by moving the physical vault and its data to a larger physical storage system. For information about creating vaults, see Creating additional physical vaults, 174.

185 Chapter 6: System Administration Administrative Functions 177 Physical Vault admin/use Vault Figure 6-13 Vault Administration dialog To move a vault: Note: Move a vault only when SimManager is not accessing it. 1. Use operating system commands or other tools to move the vault data contents. 2. Update SimManager s configuration to reflect the new vault location: Main vault - In the Classic Studio tool, go to Configure Database..., select Edit File Vault, and enter the information for the vault s new location. For other vaults - Use a text editor to edit the vault location in the DbConfig.properties file. The following is an example of the vault property settings in the DBConfig.properties file: DB.com.msc.sdm.sdmobject.MainVault.location = LocalVaultHomeDir=\\\\ naefels\\temp\\aerodemo; RootDir=/aerodemo; Host= wichita;

186 178 Administrative Functions Port=21;User=Bob;Password=bob;Debug=false SimManager will continue to use the old information because it is stored in the database. To use the new settings, you must synchronize the configuration file to the database: 3. In Classic Studio, select Update Vault Location... to synchronize the configuration file to the database. Disconnecting and Connecting Vaults Disconnecting Physical Vaults Physical vaults that are no longer associated with a logical vault are still used to retrieve the files they store. However, the vaults will not be used for new file storage. As objects that store their files on the vault are deleted, the files will be removed from the physical vault. When there are no files stored on the vault, you can disconnect it. To disconnect a physical vault: 1. In Classic Studio, go to the Other Location area, and then select the physical vault to be disconnected. 2. Select Disconnect Note: SimManager will not disconnect the vault if there are files still stored in it. Connecting Physical Vaults When migrating to a new SimManager version, you can connect an existing physical vault to the new version to import existing vault data. After you connect the vault, you need to import the XML database dump. Caution: Exercise care when connecting existing vaults. Problems can occur if two portals use the same physical vault. Revision Change Notification This feature provides the facility to obtain a change notification subscription for an object. After subscription, you will be notified by if a new revision of the selected object has been created. You need to provide the addresses to whom the notification will be sent. You will need to register the SimActivity NotifyRevisionChange which is available at: \portals\simenterpriseportal\ae\notifyrevisionchange.xml After successful registration of the procedure, it will be available under Process Actions for revisable objects. See the example below for CatiaDesignModel object:

187 Chapter 6: System Administration Administrative Functions 179 Click Revision Change Notification in Process Actions. In the dialog box, provide a list of addresses, separated with a semi-colon. Check the box if the notification is also to be sent to your user s registered address. Click Ok. It will subscribe to the change revision notification for selected object, in this case, CatiaDesignModel. When a new revision of this object is created, an notification will be sent to all specified addresses. Note: Add smtp.host property in your portal.properties with the correct mail server name or IP address as: smtp.host=mymail Server.

188 180 Authorization and Authentication Authorization and Authentication Authorization Rules and Concepts In the SimManager environment, authorization is the means by which subjects, according to their roles, are granted controlled access over secured objects that endure over life cycles. A subject can be a user or a program. It is only a valid subject (recognizable to the system) when it is assigned a role within a project governed by a domain. The standard EnterpriseEdition portal is pre-configured with default roles, user profiles and privileges. No actions or modifications are required to use the default roles, user profiles and privileges. See <SMAPP_ROOT>/portals/EnterpriseEdition/config/InitializeKnowledgeBase.xml. Authorization includes two major categories of privileges: Admin privileges - Permitting only certain users to administer the system. Object privileges - Permitting only certain users to access, process, or alter data by applying various limitations on users' access or actions on objects. The limitations placed on (or removed from) users can also apply to objects in the system. This section introduces the basic concepts and mechanisms for placing or removing such limitations on users, individually or in groups.

189 Chapter 6: System Administration Authorization and Authentication 181 SimManager Authorization Process The SimManager authorization process is shown in the following figure. This process exists to check that the user has the correct permission to perform an operation as follows: Can subject S in Role R perform operation P over object O? Figure 6-14 Authorization process The terms used in the figure are explained on the following pages. Operation Function: Operations define actions that can be performed on objects (see Roles/permissions, 189). Because operations are intrinsic to the system, users cannot define new operations. Description: There are two kinds of operations: Object - read, execute, delete, kill, release, demote, write, chown, createtemprevision, activaterevision. Admin - createproject, editproject, admin, certifyprocedure.

190 182 Authorization and Authentication All operations are intrinsic to the SimManager system. Therefore, operations are the only predefined concept in the system. New operations cannot be introduced to the system with admin commands (they will not be supported by the system). Role Function: Roles associate privileges with objects and actions (see Roles/permissions, 189). Description: Roles are a means of determining permissions that users have. SimManager uses a rolebased authorization mechanism. There are four types of roles that a user can possess: Default - A role assigned at the time of creation (valid only for named users) or the role with which an unnamed user is first logged in to the system (when authentication is disabled). Domain - The user s role in a specific domain. This is used if a user was created with a specific default role but it becomes necessary to assign the user a specific role within all projects in a domain. Project - The user s role in a project/domain dimension. This role is the determining role. The system uses this role to determine a user's permission. Organizational - The user s role coming from his or her user profile. Every user possesses only one role within the context of a project/domain dimension (project role). The project role of a user is an important factor for computing the object permissions of that user. A user profile can possess three types of roles: default role, domain role, and project role. Every user profile possesses only one role within the context of a project/domain dimension (organizational role). The organizational role of a user is an important factor for computing object permissions of that user. Within a given domain/project dimension, the role of a user is the union of two roles (project role and organizational role). Therefore, a user is granted a permission if either one of these roles have privilege. The default role of a user is the only factor for determining a user's admin permissions for admin actions like Create Project (Root Project) Create Action Classification, Create Enumerated Item, Create User, Create User Profile etc but the project role of a user is used to determine a user's admin permissions for Create Sub Project, Edit Project etc. A user may or may not have been assigned a domain role: If the user has been assigned a domain role, when a new project is created, all existing named users automatically become members of new projects within their active domain roles. If the user has not been assigned a domain role, then the user becomes a member of the new project with their default role as their assigned project role. Note: Unnamed users are made available in a new project, but are not members and do not have an assigned role.

191 Chapter 6: System Administration Authorization and Authentication 183 Domain Function: The domain concept helps conform the project/domain dimension in which the project role of a user and the project role of a user profile are obtained. Because all objects reside in the context of a project that is governed by the domain, access control of objects depend on the subject's (user's) role at that project/domain dimension. A user's and user profile's role can differ in different project/domain dimensions (see Project/domain example, 187). Project/domain context represents the scope of access control over objects. Consequently, a subject's role can diversify within this context variant. Description: Domain is the context in which users and user profiles are assigned particular roles. Domains have a many-to-many relation with projects. Every process is associated with a domain (as specified in the registered AE script or procedure that defines the action). When a process (action) is run, the output(s) are created in the process specified domain. Actions create objects within a domain. Every object in the system is associated with a project/domain, which represents the project/domain dimension that it prevails in. When a new domain is created, all projects are included in this domain. All named users become members of every project with their default roles. Also, every user profile is added to every project with their default roles. Project Function: The project concept helps conform the project/domain dimension in which the project role of a user and the role of a user profile are obtained. The project role and the organizational role of a user in a project/domain dimension defines the object permissions of a user. Description: A project is the context in which individual users performing certain roles under the governance of domains do work. When a new project is created: The project is automatically created in all domains. All existing named users automatically become members of that project and their domain roles become their project role. A user may not be assigned a default role in a domain. In that case, a user's default role becomes his/her project role. All existing user profiles are automatically added to that project, allowing all users in the system (named or unnamed) to inherit a project role within that project. The project role of a user profile in the new project comes from its domain role. If the user profile is not assigned a domain role, then its default role becomes its project role.

192 184 Authorization and Authentication User Function: Users are assigned roles that determine the permissions that they are granted. Description: There are two kinds of users: Named - Assigned a default role when created. A named user can be assigned a default role during Create User and a domain role in a particular domain with the Set User Default Role command in Classic Studio or by executing an authorization command file. The domain role of a user can be changed, but the default role is stored in the database and can only be changed by removing and re-creating the user with a different role. Unnamed - Not known to the system until their first successful login attempt. Once logged-in, they are assigned a user profile. A user's user profile is retrieved from directory services or from a user profiles file (for example, UserProfiles.xml file) according to the type of AnA management system chosen: If directory services (LDAP authentication manager) is the container for user accounts, then each user account entry will contain user profile information. If file authentication is in affect, then association of user profiles to users is specified in the UserProfiles.xml file. If the user profile of a user is not specified within this file, then the user is assigned the default system user profile. Note: If "authentication.casesensitive.enabled" is set to true in the portal.properties file then all user name entries in the "UserProfile.xml" file must match the case of the User name exactly. Otherwise all user name entries must be lower case. The user profile of a user is assigned in all domains and in all projects. The role of this user profile (which can vary) in every project/domain context defines a user's organizational role. A user can possess four types of roles (see Role, 182). The project (determining) role of a user is his/her role in the project/domain dimension. Users object permissions are determined based on their role in a particular project/domain context (project role). The project role of a user is computed with these rules: Get user's organizational role from user profile, only if user profile is added to that project. If the user is a member of a project (he/she is assigned a specific role within that project), then get the project role of the user. If the user is a member of the project and his/her user profile is also added to the project, then his/her computed project role is the union of his/her organizational role and assigned project role. If a user is not a member of the project, then his/her computed project role is the role of user profile that is added to that project.

193 Chapter 6: System Administration Authorization and Authentication 185 If a user s user profile has not been added to the project, then his/her computed project role is his/her assigned project role in that project. If a user s user profile has not been added to the project and he/she is not a member of the project, then he/she does not have any access to (cannot read) the objects that he/she does not own. Basically, he/she does not posses a role in that project. But, he/she will still be able to read (view) the objects that he/she owns, if there are any. The objects that a user creates are owned by that user on every project/domain context. Because every project is created on each domain, if a user has minimal access rights to view a project on one of the existing domains, then even if his/her user profile is deactivated and he/she has no project role in a project on a particular domain, he/she will still be able to view that project because of privileges from the other domain(s). The default role of a user determines his/her admin privileges for some admin actions like Create Action Classification, Create Project (Root), Create User, Create User Profile etc. For some other actions like Create Project (sub project) and Edit Project, the admin privileges are determined from the project role. User profile Function: User profiles allow a group of users to be assigned to an organizational role. Description: A user profile represents an organizational role. Every user in the system must posses a user profile. A user is assigned to a user profile according to the rules of the underlying AnA management system (e.g., for directory services: user account entries will contain user profile information; for file authentication: a user profile file will contain user profile information). If the user is not assigned to a user profile, then he/she automatically gets assigned to the system default user profile specified in the Portal.properties file. Intrinsically, every user in the system inherits the role of the user profile to which he/she is assigned. There are three types of roles that a user profile can possess: Default - A role assigned to the user profile at the time of creation. Domain - Its role in a specific domain. Project - Its role in a project/domain dimension. When a new root project is created, all existing user profiles are automatically added to the project based on the property "rootproject.adduserprofiles" specified in the Portal configuration. For more details on the configurable properties, refer to the User' Guide. The project role of a user profile in the new project comes from its domain role. If the user profile is not assigned a domain role, then its default role becomes its project role. Note: If a default domain role is not set for the user profile, you can set one with the Classic Studio Set User Profile default role command or by executing an authorization command file.

194 186 Authorization and Authentication The domain role of a user profile can be set for a specific domain. A user profile can be assigned a project role (project/domain dimension) within the scope of a project. The project role of a user profile is used in determining the object permissions of a user. Release level Function: Release levels are used to define object permissions and confine roles to performing operations on objects only within a certain range of life-cycle stages. Description: Release levels define the stages in the life cycle of objects in the system. Release levels have to be defined as the first concept during the setting up of the AnA environment. Once defined, the number of release levels cannot be modified. Object permission Function: Object permission is an implicit concept that defines the logical associativity of roles to objects and actions. Description: Granting of object privileges defines which role can perform what type of object operation(s) to the objects within a specified range of release levels. Granting of an object privilege is a function of four concepts: role, object operation, release level, and the foreign flag. The foreign flag determines if the privilege is granted only for objects owned by the user or if the privilege applies to objects owned by other users. If set to true, the privilege is granted on foreign objects and implicitly on owned objects. Otherwise, the privilege is granted only on owned objects. Object permissions are associated with roles, and this association is not confined to project and domain scope (see Roles/permissions, 189). Consequently, once defined, the association of roles with privileges apply to all project/domain context variants. Ultimately, object permissions are used to answer this question: Does role R have permission to perform object operation P over objects that reside within the given range of release levels? For an example of how object privileges work, see Putting the Pieces Together: Authorization Examples, 189. Admin permission Function: Admin permission is an implicit concept that defines the logical associativity of roles to administrative actions. Description: Granting admin privileges defines which role can perform what type of admin operation(s). Admin permissions are associated with roles, and this association is not confined to project or domain scope (see Roles/permissions, 189). Ultimately, admin permissions are used to answer this question: Does role R have permission to perform admin operation P?

195 Chapter 6: System Administration Authorization and Authentication 187 The default role of a user determines his/her admin permissions. Project/domain example The following figure shows an example project with roles set for different users. Figure 6-15 Roles for different users Note: The contents of this table are fully customizable.

196 188 Authorization and Authentication In the Default domain and Truck-XLT project cell (shown magnified to the right), the user Jane is assigned the manager role within the scope of the particular project. Assuming that her user profile is Materials Engineer (assigned to her during the environment setup process), she is also granted the author role, which represents her organizational role through her user profile. Figure 6-16 An Example for Object permissions In this case, Jane s object permissions within this project are the privileges that are the union of manager and author roles. Therefore, on release level 0, she is allowed to perform any operation except demote, and on release level 1, she is allowed to perform all of the object operations resulting from the union of the two permissions tables as shown in the table below, which represents her object permissions on the Truck-XLT project and on the Default domain. Because Jane is created as a named user to the system and logged into the system with the role of manager, she is granted all admin privileges of the manager role. Therefore, she is allowed to perform all admin operations(create Project (root project), Create Action Classification, Create User etc.and admin). Admin privileges are constrained by a project and domain scope for admin actions like Create Project (sub project) and Edit Project.

197 Chapter 6: System Administration Example 1: 189 Figure 6-17 Roles/permissions Putting the Pieces Together: Authorization Examples Example 1: Goal: Control the process actions that a user has privileges to execute. The user should be able to perform some process actions but not others. Each action is registered to a project and domain. Each execution is done in the context of a project. A user has two roles in the context of a project/domain combination: The role associated with him/herself (the user role) The role associated with his/her user profile (the user profile role) For a user to be able to execute an action A1 in a project P1: The user must have read access to A1. This means the role of the user/userprofile in the project/domain in which the action is registered must have a 'read' privilege at level 1 (or at the level of the action)

198 190 Example 1: The user must have execute privilege in P1 (project in which action is executed) A1 and P1 must have at least one action classification in common The user must have the required admin privilege (as specified using attribute 'adminpermission' in the action definition). For the admin actions Create Action Classification, Create Enumerated Item. Create Project (Root), Create User and Create User Profile, this admin privilege must be available on the 'default' role of the user/userprofile. For project based admin actions eg. Create Project (sub project), Edit Project etc. the admin privilege must be present on the project role. In order to restrict a user from executing certain actions in a project, ensure that the user does not have read access to those actions or that the actions and the Project do not have any common action classifications. Licensing, Authorization, and Authentication The licensing model incorporates User-based licensing: User-based licenses are checked out when users log into the system. When they log out, or when the Web server terminates their session because of inactivity, their user-based license is released for use by another user.

199 Chapter 6: System Administration Example 1: 191 As shown in the chart below, when the system starts up, a Server license is checked out, and then a Access Client license is checked out for authenticated users logging in to SimManager. Figure 6-18 A licensing model User-Based Licensing Management The following rules apply to license management:

200 192 Example 1: SimManager checks out one user-based license for the authenticated user logging into SimManager. The user profile is retrieved from the UserProfileManager using the user name. If the user does not have a user profile specified in the system, the default user profile is used to specify the user s profile. The default user profile is specified in the Portal.properties file within the property default.profile.name. When a user logs off SimManager or the web server terminates the user s session because of lack of activity, the system releases one user-based license of the same type that was checked out for the user. The user profile is accessed from the UserProfileManager using the user name. Each user profile has a name, a default role, and a description. The licensetype is ignored. Authentication Depending on how authentication is performed, it is generally divided into two categories: Application Managed Security (AMS) Container Managed Security (CMS) (also known as J2EE standard security). With AMS, application developers are responsible for collecting user credential inputs and checking them against stored user credentials. If a user has write privileges, he gains access to the application. On the other hand, with CMS, the web container takes sole responsibility for determining whether to grant access to HTTP requests to protected resources. If no user credential is found, HTTP requests are directed to a logon page. Once authenticated, it stores the user credentials in each HTTP request and grants access to the user thereafter. While AMS gives a system the most flexibility of customizing authentication controls to its needs, CMS does it in a declarative way. That is, system admin can change the authentication logic without modifying the source code. In addition, since CMS conforms to J2EE standards, multiple web applications deployed on a site can share the same user credentials so as to avoid authenticating the user for each web application. This feature is referred as Single SignOn (SSO). SimManager supports both authentication mechanisms. Potentially, they can be combined to meet special security needs. Note: If a case-sensitive authenication method is configured for SimManager such as LDAP, then case-sensitive login MUST be set for the SimManager portal. Verify that "authentication.casesensitive.enabled=true" is set in the appropriate portal.properties file. Application Managed Security (AMS) SimManager provides a flexible interface that can be configured with a site s specific details to determine how users are validated at login. For example, one site installation may want to allow everyone access to the system, while another site may want to restrict access based on their implementation of LDAP, and

201 Chapter 6: System Administration Example 1: 193 yet another site may have a specific user directory service that needs to be queried for user and password validation. The authentication interface provides the necessary means to do this. Three methods are required for implementation: Initialization Authenticating a user and password Resetting the state of the interface s implementation SimManager provides the following preconfigured implementations for authentication. To use one of these implementations, set the property: authentication.manager.class in the Portal.properties file to the value: com.msc.sdm.ana.authentication.<name-of-implementation> where <name-of-implementation> is the name of one of the preconfigured implementations. Each of these preconfigured implementations has its own prerequisites. For example, FileAuthenticationManagerImpl requires a file that contains the user or password mapping. These implementation-specific details are property values in the Portal.properties file. The portal.properties file is passed to the initialize method so that the implementation can read any implementation-specific details that need to be addressed. The source to these implementations is also included in the deployment to provide examples of a sample implementation of the authentication manager interface. These files are in <SMAPP_ROOT>/src/com/msc/ana/authentication/. Preconfigured implementations: AllowAllAuthenticationManagerImpl Returns TRUE without performing any checks on the user name and password. Using this implementation turns off the authentication checking. Properties: None LDAPAuthenticationManagerImpl Connects to the LDAP server as defined in the Portal.properties file and validates the user ID and password. Properties: One of the following user.provider.url property types must be specified according to the type of LDAP server and SSL feature being used: Working with Netscape SunOne (Non-SSL - over Port 46996): user.provider.url="ldap://host:999/uid=%userid%, ou=people,o=mscsoftware.com" Working with Netscape SunOne (SSL - over Secure Port 636): user.provider.url="ldap://host:999/uid=%userid%, ou=people,o=mscsoftware.com" Working with Active Directory Services (Non-SSL - over Port 389) user.provider.url="ldap:// :389/cn=%userid% CN=Users,DC=mscsoftware,DC=simmanager" Working with Active Directory (SSL - over Secure Port 636)

202 194 Example 1: user.provider.url="ldap:// :636/cn=%userid% CN=Users,DC=mscsoftware,DC=simmanager" XmlFileAuthenticationManagerImpl Same as the FileAuthenticationManagerImpl implementation, except that the file s content is in XML format. Properties: authentication.userpw.file=userpasswords.xml SimManager will look for the portal-specific file <SMAPP-ROOT>/portals/ <portal>/config/userpasswords.xml The default file is <SMAPP-ROOT>/portals/Base/config/UserPasswords.xml. It is the file that contains the user names and passwords. Container Managed Security (CMS) J2EE standard supports four types of CMS that control how user s credentials are sought after and verified when protected resources are accessed. They are: Basic Authentication Digest Authentication Form Based Authentication Client Certificate Authentication Among which, Form Based Authentication is the most commonly used. There are also different ways of how user credentials are managed. Common choices are LDAP, JDBC, (XML) File Based, JAAS, Custom Registry. Each web/application server provides different levels of support to these implementations. We have tested Form Base Authentication with UserDatabaseRealm (XML File Based) on Tomcat 5.0, and with LDAP implementation on WebSphere 6.1. You can leverage the standard J2EE container managed security mechanism for user authentication. You can choose to configure SimManager to authenticate users through either CMS or AMS. No Java code change is involved. In addition, a combination of both may be supported subject to the web server in use. Authentication Settings (AMS) Location and impact The standard SimManager installation supports two LDAP servers: (Win 2000) Active Directory Server Sun One Directory Server(5.2) The Portal.properties file contains the required property settings for the user.provider.url, group.provider.url, isauthenticationenabled, and authentication.manager.class. The property isauthenticationenabled identifies whether the authentication is enabled or disabled. Set this property to true to enable authentication.

203 Chapter 6: System Administration Example 1: 195 The authentication.manager.class property specifies the authentication that SimManager uses. To customize the authentication mechanism, the system defines an interface class: com.msc.sdm.ana.authentication.iauthenticationmanager.java Configuring SimManager for LDAP authentication mechanism To configure SimManager for LDAP authentication: 1. Set the properties in the Portal.properties file authentication settings section as shown below, according to the type of the directory servers you are using. The property isauthenticationenabled identifies whether the authentication is enabled or disabled. To enable authentication, set this property to true. The authentication.manager.class property specifies the authentication that SimManager will use. Set this property to the preconfigured LDAP implementation: ############################################### # Authentication Settings # ############################################### # Enable/Disable authentication for the web application # isautheticationenabled=true # # For LDAP Authentication implementation: # authentication.manager.class=com.msc.sdm.ana.authentication.impl. # LDAPAuthenticationManagerImpl 2. In the Portal.properties file, under the Authorization/User Profile Settings section, set the following properties: Setting ssl.keystore.location identifies whether SSL is enabled or disabled on the server to which you are connecting. When this property is set, an SSL server socket is used to connect to the directory server using a keystore certificate. The value for the ssl.keystore.location property must point to a valid sslkey.keystore file that is created by using a self-signed certificate. For information on how to enable SSL in Active Directory and install an Enterprise Certificate Authority, refer to the online Microsoft Knowledge Base Article located at: The user.provider.url property specifies all the connection information required to establish a connection to the targeted directory server. This property is in the format: user.provider.url="ldap://<directory_server_machine>:<port>/ <CONNECTION_STRING>"

204 196 Example 1: The connection string section of this property specifies the format of the entry on the directory server to which all the user accounts conform. For example, for users that conform to a CN=JSmith,CN=Users,DC=mscsoftware,DC=simmanager domain name structure, the connection string section of the user.provider.url property must be set to: CN=%UserId%,CN=Users,DC=mscsoftware, DC=simmanager. The%UserId% is a placeholder in the connection string and will be replaced by the username value entered on the SimManager logon page. Examples of the two properties settings: ssl.keystore.location and user.provider.url in the Portal.properties file are shown below for an Active Directory server running with SSL enabled on a secure port: 636: ############################################### # Authorization/User Profile Settings # ############################################### # SSL Key Store Property defines the location of the # 'sslkey.keystore' # file for the certification used with SSL connection. # ssl.keystore.location=c:/actcert/sslkey.keystore # Working with Netscape SunOne (Non-SSL - over Port 46996) # user.provider.url="ldap://rugby:46996/uid=%userid%,ou=people, # o=mscsoftware.com" # Working with Netscape SunOne (SSL - over Secure Port 636) # user.provider.url="ldap://rugby:636/uid=%userid%,ou=people, # DC=mscsoftware.com" # Working with Active Directory Services (Non-SSL - over Port 389) # user.provider.url="ldap:// :389/cn=%userid%,cn=users, # DC=mscsoftware,DC=simmanager" # Working with Active Directory (SSL - over Secure Port 636) # user.provider.url="ldap:// :636/cn=%userid%,cn=users, # DC=mscsoftware,DC=simmanager" 3. In the portal.properties file, ensure that the authentication.casesensitive.enabled flag matches the case sensitivity supported and enabled by the directory server. If the directory server is not enabled for case sensitivity when comparing user ids, then the case sensitivity flag should be set to false. If the directory server is enabled for case sensitivity when comparing user ids then the case sensitivity flag should be set to true. If this is not set correctly, it possible that multiple user ids will be created in the SimManager database when only a single user id is being authenticated in the directory server. This occurs if the directory server is performing a case insensitive user id compare and SimManager is configured with a case sensitive compare. SimManager authenticates user names that differ by case only as the same user but then creates users in the database with the typed in user name thus preserving the case that the names were typed in with.

205 Chapter 6: System Administration Example: 197 Configuring SimManager for JAAS authentication mechanism SimManager uses the capabilities of JAAS to achieve plugin capabilities of external authentication mechanisms to its authentication model. To enable JAAS authentication within the SimManager platform: 1. Set the properties inside the Portal.properties file s authentication settings as shown below to enable authentication and to activate the JAAS authentication mechanism. The property isauthenticationenabled identifies whether authentication is enabled or disabled. To enable authentication, set this property to true. The authentication.manager.class property specifies the authentication that SimManager will use. Set this property to the preconfigured JAAS authentication manager, as shown in the following section to activate JAAS implementation in SimManager. The java.security.auth.login.config property specifies the login context configuration file name for the JAAS authentication module. Set this property to the name of the default configuration file that resides in Base. For example, <SMAPP_ROOT>/portals/Base/config/JaasAuth.config. Examples of the properties settings, isauthenticationenabled, authentication.manager.class, and java.security.auth.login.config are shown below: ############################################### # Authentication Settings # ############################################### # Enable/Disable authentication for the web application # isautheticationenabled=true # # For JAAS Authentication implementation: # authentication.manager.class=com.msc.sdm.ana.authentication.impl. # JAASAuthenticationManagerImpl # The name of the JAAS LoginContext configuration file residing under # the portal directory. # java.security.auth.login.config=jaasauth.config An example of the JaasAuth.config file is shown below. By default, the java.security.auth.login.config property points to the JaasAuth.config file that resides in Base/config. This configuration file is tailored to use the preconfigured authentication mechanisms of SimManager. You can edit this configuration file to allow any external authentication mechanism to be plugged-in to SimManager. In the example shown below, a custom authentication module named MyCustomLoginModule is being introduced for use by SimManager. This login module must implement the standard LoginModule interface of JAAS providing integration to any particular authentication mechanism of the SimManager platform. Example:

206 198 Example: SimManagerLoginContext { com.mycompany.auth.mycustomloginmodule sufficient debug=true com.msc.sdm.ana.authentication.jaas.simmanagerxmlfileloginmodule sufficient debug=true com.msc.sdm.ana.authentication.jaas.simmanagerldaploginmodule sufficient debug=true }; The basic format for this configuration file is: Application { ModuleClass Flag ModuleOptions; ModuleClass Flag ModuleOptions; ModuleClass Flag ModuleOptions; }; You can use flags to stack authentication modules as required: Required - The LoginModule is required to succeed. Whether it succeeds or fails, authentication still continues to proceed down the LoginModule list. Requisite - The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list). Sufficient - The LoginModule is not required to succeed. If it succeeds, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list. Optional - The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list. When debug=true, debugging statements print. Configuring custom authentication The following steps customize SimManager authentication for a specific site and for a specific system. Before customizing the authentication, you must first understand how to connect to and interact with the desired system and what information is required to connect to and interact with it. To customize SimManager authentication,

207 Chapter 6: System Administration Example: Place the required system connection information in the Portal.properties file. This information is available to the implementer of the AuthenticationManager interface when the initialize( ) method is called. The implementation of this method reads from Portal.properties and performs the necessary tasks to connect to the desired system. For LDAP, the performance of these tasks makes the initial connection to the server. In a filebased implementation, the performance of these tasks reads and parses the contents of the file. 2. Create a class that implements the interface: com.msc.sdm.ana.authentication.authenticationmanager interface This interface is in <SMAPP_ROOT>/com/msc/sdm/ana/authentication/ AuthenticationManager. An example file is located in the <SimManager install directory>/src/com/msc/sdm/ana/authentication/impl 3. Review the source examples at <SMAPP_ROOT>/src/com/msc/sdm/ana/ authentication/ to understand how to implement this interface and its initialization and authentication methods. 4. Implement the initialization, authentication, and reset methods. The initialization method is only called once and must ensure that the calls to the authentication perform the user name/password validation. The authentication method reads the user name and password and validates if they are a valid combination. If they are validated, then the method returns TRUE; otherwise the method returns FALSE. The reset method is called when SimManager is notified to reset its environment. 5. Write a main method to test the class. The main method should do the initialization and then call the authentication method to test the functionality. 6. Place this new class in the <SMAPP_ROOT>/WEB-INF/classes directory. The Web server looks in this directory before it looks in the system jar files when resolving class-file references. 7. Restart the Web server. UserProfileManager pre-configured implementations SimManager comes bundled with four preconfigured implementations for the UserProfileManager interface.to use one of these implementations, set the userprofile.manager.class property in Portal.properties to the value: com.msc.sdm.ana.authorization.<name-of-implementation> where the <name-of-implementation> is the name of one of the preconfigured implementations. Each of these preconfigured implementations has its own prerequisites. For example, the implementation, FileUserProfileManagerImpl, requires the Portal.properties file to contain the implementation-specific details for mapping user and user-profile names. The Portal.properties file is passed to the initialization method. The implementation can read any implementation-specific details in that file that need to be addressed. The source to these implementations is included in the deployment in the <SMAPP_ROOT>/src/com/msc/ sdm/ana/authorization/ directory.

208 200 Example: UseDefaultUserProfileManagerImpl - Returns the default user profile as specified in Portal.properties with the default.profile.name property. The purpose of this class is to make it easy to set all users to a single user profile. Properties: None LDAPUserProfileManagerImpl - Connects to the LDAP server as defined in Portal.properties. Calling the getuserprofilename method retrieves the user profile for the passed-in name. Properties: One of the following user.provider.url property types must be specified according to the type of LDAP server being used and the Secure Sockets Layer (SSL) being used (example values are for reference only): Working with Netscape SunOne (Non-SSL - over Port 46996) user.provider.url="ldap://na-ywang:46996/uid=%userid%, ou=people, o=mscsoftware.com" Working with Netscape SunOne (SSL - over Secure Port 636) user.provider.url="ldap://na-ywang:636/uid=%userid%, ou=people,o=mscsoftware.com" Working with Active Directory Services (Non-SSL - over Port 389) user.provider.url="ldap:// :389/cn=%userid%, CN=Users,DC=mscsoftware,DC=simmanager" Working with Active Directory (SSL - over Secure Port 636) user.provider.url="ldap:// :636/cn=%userid%, CN=Users,DC=mscsoftware,DC=simmanager" Specify the ldap attribute in user object class that contains the user profile specification. The attribute 'userprofile' has to be added to the LDAP database schema if it does not exist and the site wishes to use this attribute name or an existing attribute on the user object class needs to be used that can contain the user profile specification. Either change userprofile to the actual user object classes' attribute or add 'userprofile' to the user object class. See the directory server documenation for object class descriptions and schema modification instructions. ldapuserprofileattribute=userprofile XmlFileUserProfileManagerImpl Same as the FileUserProfileManagerImpl implementation, except that the file s content is in XML format. Properties: userprofile.authorization.file=userpasswords.xml file relative to <SMAPP_ROOT>/config that contains the user names and user profiles. Configuring Custom User Profiles The following steps customize SimManager for the retrieval of the user profile for a specific site and for a specific system. To do this, you must understand how to connect to and interact with the desired system and know what information is required to connect to and interact with the system.

209 Chapter 6: System Administration Example: 201 To configure user profiles: 1. Place the required system connection information in the Portal.properties file. This information is available to the implementer of the UserProfileManager interface when the initialize( ) method is called for. The implementation of this method reads Portal.properties and performs the necessary tasks to connect to the desired system. For LDAP, the performance of these tasks makes the initial connection to the server. In a file-based implementation, the performance of these tasks reads and parses the contents of the file. 2. Create a class that implements the UserProfileManager interface: com.msc.sdm.ana.authorization This interface is in: <SMAPP_ROOT>/com/msc/sdm/ana/authorization/ UserProfileManager. 3. Review the source examples at <SMAPP_ROOT>/src/com/msc/sdm/ana/ authorization/ to understand how to implement this interface and its initialize and getuserprofile methods. An example file is located in the <SimManager install directory>/src/com/msc/sdm/ana/authorization/impl. 4. Implement the initialization, getuserprofile, and reset methods: The initialization method is only called once and must ensure that the calls to getuserprofile always succeed. The getuserprofile method reads the user name and looks up the user profile information, which is the default user profile name; it then constructs the UserProfileSpec with the user profile names and an empty list of user profile names. Note: The default.profile.name identifies the user profile for users with no user profile specified in the UserProfileManager implementation. The value specified with the property must be a valid user profile that has been loaded into the database. The reset method is called when SimManager is notified to reset the environment. 5. Write the main method to test the class. The main method should do the initialization and then call the getuserprofile method to test the functionality. 6. Put this new class in the <SMAPP_ROOT>/WEB-INF/classes directory. The Web server looks in this directory before it looks in the system jar files when resolving class file references. 7. Restart the Web server. Authentication Settings (CMS) By default, SimManager is configured to use AMS after deployment. This section shows two configurations enabling CMS for SimManager. Both cases use Form Base Authentication, one with UserDatabaseRealm on Tomcat, the other with LDAP on WebSphere.

210 202 Example: Portal Settings: For the file <SMAPP_ROOT>/portals/<ActivePortal>/Portal.properties,set the following property to CMS as shown below: default.managed.security=cms For the file <SMAPP_ROOT>/WEB-INF/web.xml,the following is a sample configuration for Container Managed Security: <security-constraint> <display-name>sdm user security constraints</display-name> <web-resource-collection> <web-resource-name>protectedarea</web-resource-name> <description>sdm User Restricted Area</description> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <description>allowed Users</description> <role-name>sdmuser</role-name> <role-name>user</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>form</auth-method> <realm-name>form-based Authentication Area</realm-name> <form-login-config> <form-login-page>/portals/base/pages/login_sso.jsp</formlogin-page> <form-error-page>/portals/base/pages/error_sso.jsp</formerror-page> </form-login-config> </login-config> <security-role> <description>sdm user</description> <role-name>sdmuser</role-name> </security-role> <security-role> <description>test user</description> <role-name>user</role-name> </security-role> Optionally, you can comment out URL mappings to the GateKeeper Servlet to delegate access control to the web container: <servlet-mapping> <servlet-name>gatekeeper</servlet-name> <url-pattern>*.properties</url-pattern> </servlet-mapping>... For the file <SMAPP_ROOT>/portals/Base/pages/login_sso.jsp, you can customize the look and feel of this file as well as file error_sso.jsp. However, the following content must be preserved:

211 Chapter 6: System Administration Example: 203 <form method="post" action='<%= response.encodeurl("j_security_check") %>' > <input type="text" name="j_username> <input type="password" name="j_password"> For the file <SMAPP_ROOT>/portals/Base/pages/index.jsp,uncomment out the CMS part and comment out the AMS part: <!-- Application Managed Security --> <logic:redirect page="/logondisplay.do?page=pages/logon.jsp"/> <!-- Container Managed Security --> <!--logic:redirect page="/logonhandler.do"/--> For the file <SMAPP_ROOT>/portals/Base/pages/Logoff.jsp,uncomment out the CMS part and comment out the AMS part: <!-- Application Managed Security (AMS) --> <html:form action="/logoffhandler?page=pages/logoffcomplete.jsp"> <!-- Container Managed Security (CMS) --> <!-- html:form action="/logoffhandler?page=pages/logoffcomplete_sso.jsp"--> Web Container (Tomcat 5.x) Settings: For file <TomcatHome>/conf/server.xml,verify that it contains the following setting: <Realm classname="org.apache.catalina.realm.userdatabaserealm" debug="0" resourcename="userdatabase"/> For the file <TomcatHome>/conf/tomcat-users.xml,define appropriate roles and users: <role rolename="sdmuser"/> <role rolename="user"/> <user username="boma" password="sdm" roles="sdmuser"/> <user username="sdmuser" password="sdmuser" roles="sdmuser"/> <user username="testuser" password="testuser" roles="user"/> Now you have completed all configuration changes, you can restart the Tomcat server.

212 204 Example: Web Container (WebSphere Application Server 6.1) Settings: The following procedure explains configuration of CMS for WebSphere: 1. Define users and roles in an LDAP Server (for example, SunOne LDAP). 2. Install and deploy SimManager on a WebSphere Application Server (WAS) using InstallShield and SimManager scripts. This sets up necessary environment variables. 3. Update SimManager Portal Settings as stated above. 4. Create a war file out of updated SimManager under WAS. 5. Enable security of WAS using its Administration Console, and then select LDAP for User Registry Management. 6. Redeploy SimManager war file on WAS to bind security roles of SimManager to users defined in LDAP Server. This procedure assumes you have defined a list of users and roles for SimManager on the Sun One Directory Server. Configuring WebSphere Application Server This section shows you how to configure WebSphere Application Server with the admin console to enable security through LDAP and support SSO. By default, you can bring up admin console in a browser at after starting the admin server ( server1). Since security is not enabled yet, you can start using it without logging in. Configure Settings for a LDAP User Registry Ensure that the Sun One Directory Server 5.1 is running and select node <YourHostName>/Security/User Registries/LDAP from the left hand tree of the admin console. Then, modify the following properties in the right panel: Table 6-3 LDAP User Registry Properties Property New Value Server User ID wpsadmin Server User Password wpsadmin Type Sun ONE Host <YourHostName> (for example, NA-YWANG) Port Base Distinguished Name (DN) o=mscsoftware.com Bind Distinguished Name (DN) uid=wpsbind,ou=people,o=mscsoftware.com Bind Password wpsbind Ignore Case checked

213 Chapter 6: System Administration Example: 205 Now, click the Apply button at the bottom of the tree, and save the changes to Master Configuration. Configure LTPA The WebSphere server will use LTPA for authentication. This is a forwardable security scheme that makes single sign-on (SSO) possible across applications running in participating WebSphere servers. Use the following procedure to accomplish this: 1. Click <YourHostName>/Security/Authentication Mechanisms/LTPA tree node. 2. Enter the value secret as the password. 3. Enter the value secret again to confirm the password. 4. Select the Generate Keys tab. 5. Click on the Single SignOn (SSO) link under Additional Properties. 6. Make sure the Enabled property is checked. 7. Enter a domain name such as, mscsoftware.com. The domain name specifies the set of all hosts to which single sign-on applies. If this field is not defined, the web browser will default the domain name to the host name where the web application is running. This means Single Sign On will be restricted to that application server host name and will not work with other application server host names in the domain. 8. Click Apply the bottom of the screen, and then save changes to the Master Configuration. Enable Global Security Now that you have configured security settings, you will need to run them on in the server. To do this, select node <YourHostName>/Security/Global Security from the left hand tree of the admin console. Modify the following properties in the right panel as shown in the table below: Table 6-4 Global Security Properties Property Enabled Enforce Java 2 Security Active Protocol Active Authentication Mechanism Active User Registry Value checked unchecked CSI and SAS LTPA LDAP Select OK to validate all security settings. If you encounter error messages, such as, Validation failed for user wpsadmin2. Please try again, you will need to go back to the LDAP configuration page and validate the values of DNs, port number, and so on. After successfully validating the security settings, select Save to save all changes to the master configuration. You must restart server1 for the changes to take effect.

214 206 Example: Checkpoint 1: Up to this point, you have enabled SSO and Container Managed Security through LDAP on the WebSphere Application Server. Verify that you can successfully restart the admin server (server1) and log in to the Admin Console. From this point on, you can still start WebSphere servers as before, however, you must provide an authenticated user name and password to stop a running server. Otherwise, WebSphere will fail to stop the server and throw error messages. Example commands to be used are shown as below: D:\IBM\WebSphere\AppServer\bin\startServer.bat server1 D:\IBM\WebSphere\AppServer\bin\stopServer.bat server1 -user wpsadmin -password wpsadmin Important: Once security is enabled, you must enter the fully qualified host name in the URL field when accessing the Administrative Console. On Windows platforms, use the DOS command ipconfig to get the value for the local machine. Since security has been enabled, the log on page of the admin console is redirected to a secure port, such as, You must enter wpsadmin as the User Name and Password to get in. Configuring SimManager Server for SSL In order to use SSL with SimManager, the server.xml file from the Web Server needs configuration updates. Copy the SM.keystore file from the installation directory <installdir>/simmanager/web-inf to your web server's conf directory. A code segment from a jboss server.xml file is included below. Comment out the current port for running SimManager and uncomment the code segment for the SSL implementation. A web server restart is required for these changes. keystorefile="${jboss.server.home.dir}/conf/sm.keystore" keystorepass="supersecret" sslprotocol = "TLS" /> Disabling user id switching from the URL When SSO is enabled, the authentication to SimManager is only through the SSO system. The authentication internal to SimManager is disabled because of this. But because SimManager provides a mechanism to switch user ids by using the STRUTS based loginhandler.do URL, its possible to switch users without having any authentication done on that user. This is because the URL to switch users is part of the session that has been authenticated by the SSO system so all SimManager URL requests go to the server, even the ones that allow the user to switch their id. So, a switch has been added to the portal.properties file that disables URL user id switching from the STRUTS based loginhandler.do URL. The flag is: #################################################### # Enable/disable the use of a struts' url to switch# # user ids. If switching urls is # # allowed and the system is configured with an SSO # # system and simmanager's authentication system is # # disabled due to the SSO system, the user of the # # system will be able to switch to another user id #

215 Chapter 6: System Administration Example: 207 # without having the SSO system validate the # # user/password and with out having SimManager chec# # the user/password. This only is in effect for the# # STRUTS based URLs and not the JSF URLs. # #################################################### allowswitchingusersafterloggedin = true Its also necessary to pass in the user id as an encrypted string. This is used by SimManager to ensure that the request is coming from the SSO system and not by the URL being invoked. Follow the example code shown in the file '<web app>/simmanager/portals/base/faces/login_sso_example1.jsp'. The important parts of the code are: Encrypt the user id byte[] digest = com.msc.sdm.util.sdmutil.digest(ssoid); String secretword = com.msc.sdm.util.sdmutil.encodebase64(digest); Use the same id in the above encryption as the user name in the form <td align="left"><input type="text" name="username" value="<%= ssoid%>" readonly></td> Pass the encrypted user id to the SimManager login handler. The login handler will compare the secretword with its own secret word generated from the user id. If they don't match and the 'allowswitchingusersafterloggedin' flag is false, the request to login will be denied. <input type="hidden" name="ssosecretword" value="<%= secretword>"> Set the flag to false to disable the URL user id switching. Authorization Authorization rules maintain permissions on various operations. These rules can be set up and modified using the SimManager administrative tools described in Administrative Tools, 157. This is done by creating a command file (for example, <SMAPP_ROOT>/portals/ <portal>/initializeknowledgebase.xml) using the rules, elements, and syntax described in this section. After a portal is initialized most authorization elements can be modified using the Classic Studio. The standard Enterprise Edition portal is pre-configured with default roles, user profiles and privileges. No actions or modifications are required to use the default roles, user profiles and privileges. See <SMAPP_ROOT>/portals/EnterpriseEdition/config/InitializeKnowledgeBase.xml. SimManager uses authorization to limit the functionality and data available to a specific user. Authorization is maintained with the following concepts: user, role, user profile, administrative operation, object operation, domain, release level, and project. The following sections describe each of these concepts and the various elements used in an XML file to define the authorization rules.

216 208 Example: Users Users are defined using the CreateUser method. A user represents a named user of the system. Each user is assigned a default role in each new project. This default role is used to grant permissions for executing non-project-based admin operations (for example, Create Project (Root), Create Action Classification, Create Enumerated Item, Create User, Create User Profile). A user object can also be created automatically if a nonexistent user accesses the database (has been authenticated via user name and password). This is based on the property user.autocreateatlogin in the Portal Configuration. In this case the default users role will be determined by the associated userprofile. In each project, a user has one role that is used to limit the operations available. User login validation/authentication is provided through a configurable interface to enable interaction with the customer's external user management system. SimManager requires that there always be an active administrator account (admin user) that can fully administer the system. This user should be able to act as the superuser of the system and be able to reinitialize the system, if necessary. SimManager creates the SimMan user by default as the superuser of the system. SimManager also defines user types that are in possession of a various range of administrative privileges. Users with different user types will possess distributed administrative and data access control privileges to administer the system efficiently. All privileges (data access control and administrative) are distributed among these four main types of users: SimMan, Superuser, Admin, and generic users. User types help define different levels of users who are endowed with certain capabilities in the system for controlled administration and access of data. In parallel, the administrative privileges defined in SimManager are delegated between these four types of users. Role of different types of users in the system SimMan - SimMan is an intrinsic power user who is defined as a real user within SimManager and has the unique role of being the originator of the system. This user runs the Activator to initialize the system, or runs SimManager Classic Studio when a new database needs to be created or configured. Therefore, this user is empowered with exclusive admin privileges to fully delete, create, and administer databases. No other user of the system except SimMan, regardless of being promoted to Superuser or Adminuser, is capable of deleting or creating databases. This gives SimMan the ultimate privilege of being able to operate above the scope of portals (cross-portal administrator). SimMan is by default the superuser of every portal instance unless demoted to a lower ranked user type. The underlying authentication mechanism protects malicious use of such a powerful user (For detailed information, see the SimManager Classic Studio online help). When logging in to the SimManager portal as SimMan, the same set of authentication rules applies to this user as other portal users. Note that SimMan is a real portal user with a superuser type. Therefore, if authentication is enabled for that particular portal, the underlying authentication mechanism is used to authenticate SimMan. Superuser - Superuser is a privileged user who has unrestricted access to the entire portal at which it is defined. All administrative and access control permissions are granted to this user with the exception of

217 Chapter 6: System Administration Example: 209 cross-portal administrative privileges (delete and create database; see the following table, Access control for user types, 209). Admin user - This user is also a power user but has restricted administrative privileges and controlled access to the data. Admin users are allowed to perform all administrative operations except projectspecific ones (add/remove user profile to/from project, add/remove user to/from project, change user role in project, and change user profile role in project). Additionally, Admin user s default role determines its level of data accessibility. Generic user - The above mentioned power users (SimMan, Superuser, and/or Adminuser) are able to create generic users of the system. These users will only be endowed with limited administrative privileges that are confined within the project scope (add/remove user profile to/from project, add/remove user to/from project, change user role in project, and change user profile role in project). Note that a project role of a user determines if a user can perform a project-specific administrative operation. The following table shows the access control of these different user types: Table 6-5 Access control for user types Operations/Access: SimMan : Super user: Data Access Unlimited Admin : Generic user (default role): Controlled None Database Configuration Database operations Delete Create Load Export Import AnA setup Run AnA setup Vault Operations Delete Create Update Vault Location Generic user (project role):

218 210 Example: Table 6-5 Vault Admin Export AnA Database Schema Operations Validate schema Delete schema only Create schema only Create schema script Delete schema script Perform schema evolution Admin Operations Create Access control for user types (continued) Operations/Access: Root Project Sub Project Action Classification Role Domain User User profile Add/remove/change Add user profile to project Add user to project Remove user from project Remove user Remove user profile Remove user profile from project. SimMan : Super user: Admin : Generic user (default role): Generic user (project role):

219 Chapter 6: System Administration Example: 211 Table 6-5 Set Named User Flag Assign Action Classification To Project Update Action Classifications On Procedure Change user role in project Change user profile role in project. Promote user To Admin To Super user Demote user Set To Admin user To generic user Set user default role Set user profile default role Grant/revoke Grant object privilege Grant admin privilege Revoke object privilege Revoke admin privilege Register/unregister Access control for user types (continued) Operations/Access: SimMan : Super user: Admin : Register object type Generic user (default role): Generic user (project role):

220 212 Example: Table 6-5 Register resource Register queue Unregister procedure Access control for user types (continued) SimMan Super Admin Operations/Access: : user: : Register report template Register section template Register procedure Unregister queue Transfer Transfer ownership Generic user (default role): Generic user (project role): Defining an Administrator Hierarchy SimManager defines the intrinsic user SimMan at the application level. SimMan authentication is specified in the SimManager.properties file. By default, an encrypted password file called simman.psw is used for verification. The password file initially contains a default value for SimMan s password. To create an administrator hierarchy: 1. When the user SimMan logs into Classic Studio, it displays a prompt requesting a username and password. If default settings are in place, i.e. there is an encrypted password file for authentication (meaning that StudioAuthenticationManager class is used as the authentication mechanism and that default password value is being used for SimMan), SimMan logs in with the default password value stored in the encrypted simman.psw file. 2. SimMan creates a database. 3. SimMan creates a superuser by using the command Create user Promote User to Superuser in Studio. 4. If desired, SimMan can log out from the Studio and log back in as the newly created Superuser who has full access to all administrative operations in that portal. This user continues with initiation process, sets up the administrator hierarchy (setup AnA), and populates the database. Creating Power Users Superusers and Admin users are first created as generic SimManager users and then they are promoted to higher levels of administration as power users using the Promote User Studio command (or demoted to a lower level using the Demote User command).

221 Chapter 6: System Administration Example: 213 Rules for promoting or demoting users: SimMan can promote/demote to/from any user Superusers can promote or demote to or from Superusers, Admin users, and generic users, including the SimMan, within a portal Admin users can promote or demote to or from Admin users and generic users Methods of demoting/promoting power users: There are two methods to demote or promote power users: By executing a command file that contains the desired administrative tasks. Note that only a superuser of the system can execute this type of command file because it contains administrative operations affecting superusers. By using SimManager Classic Studio s Promote/Demote User commands: a. Activate the Admin tool in SimManager Classic Studio. b. Select the user to be promoted/demoted using Commands Promote/Demote User Select the user to be promoted/demoted and Select the level of promotion/demotion. Roles Roles are defined using the CreaterRole method. Roles are used to collect permissions that are associated with users. Roles are granted and revoked permissions for performing operations. Roles provide an indirection between users and permissions. Administrative operations Administrative operations are those operations that are associated with administrating the system. For valid admin operations, see Admin permission, 186. Permission to perform administrative operations are granted to and revoked from roles using the GrantAdminPrivilege and RevokeAdminPrivilege methods. Object operations Object operations are those operations that are associated with different types of objects and procedures in SimManager. For valid object operations, refer to Object permission, 186. Permission to perform object operations is granted or revoked from roles for objects in a particular domain at a range of release levels using the GrantObjectPrivilege and RevokeObjectPrivilege methods. Domain Domains define different application areas for which different permissions can be associated. Each procedure registered in the system specifies the domain to which it is associated. The domain (in combination with Project) is used to determine which users have permissions to execute the procedure. Each content object in the system has an associated domain (and release level) that is used to determine permissions (in combination with Project). Domains are defined using the CreateDomain method.

222 214 Example: Release Level Release levels define the stages in the life cycle of objects in the system. Each content object in the system has a release level that is used to control the visibility of the object to various users. The permissions a user has on an object are a function of the release level, domain, and project (and therefore, the user role in project). The number of release levels in the system are defined within the command file using the DefineLevels element and is only valid when the system is first initialized. Project Projects define a context in which work is performed. All objects in the system must be created in the context of a project. Projects are defined using the CreateProject method. Note: An operational SimManager portal must contain at least one project object. If a project was not created during the InitializeKnowledgeBase process, you should create one with the CreateProject command in SimManager Classic Studio. Projects can be created only by SimMan, Admin, and Superuser users. User Profile A user profile defines the role of a particular group within the organization. User profiles are defined using the CreateUserProfile method. Elements in the Authorization Command File Note: After the SimManager portal has been deployed, most of the following administration commands can be executed through SimManager Classic Studio. The attributes listed in the following tables are required for the associated element. Refer to the <SMAPP_ROOT>/portals/<portal>/InitializeKnowledgeBase.xml file for a detailed example. Note: Within the InitializeKnowledgeBase.xml command file, all objects must be defined or created or must previously exist in the database before they can be used as an attribute value in a subsequent command.

223 Chapter 6: System Administration Example: 215 <CreateRole> This element defines roles. The CreateRole element has the following attributes: Attribute Description Required role Name of role; each role has a unique name. Y description Description of the operation. N Example: <CreateRole role="manager" description="role of a manager"/> <CreateDomain> This element is used to define access control over data classes/objects in the database. The CreateDomain element has the following attributes: Attribute Description Required name Name of access domain; each access domain has a Y unique name. description Description of this access domain. N Example: <CreateDomain name="default" description="first Domain"/>

224 216 Example: <CreateUser> This element defines a user. The CreateUser element has the following attributes: Attribute Description Required name Name of user; each user has a unique name. Y description Description of this user. N defaultrole The default role given to the user in each new project. Y Also used to associate admin privileges with the user. isnameduser If the user is a named user; this is true; if otherwise, false. Optional. If this is set to 'true' when the user is created, the user is capable of being added to every project with the defaultrole specified when the project is created. The automatic addition of named users to projects is controlled by the property rootproject.addnamedusers in the Portal Configuration. N If not specified, isnameduser is assumed 'false' Example: <CreateUser name="user1" description="description for the first user." defaultrole="manager" isnameduser= true /> <CreateUserProfile> This element defines a user profile. The CreateUserProfile element has the following attributes: Attribute Description Required name Name of user profile. Each user profile has a unique Y name. description Description of this user profile. N defaultrole The default role given to the user profile in each new project. Also used to associate admin privileges with the user. Y Example: <CreateUserProfile name="materialsengineer" description="user profile description for the materials Engineer." defaultrole="manager" licensetype="engineer"/>

225 Chapter 6: System Administration Example: 217 <UpdateUserProfileDefaultRole> This element sets the default role for a user profile. The UpdateUserProfileDefaultRole element has the following attributes: Example: <UpdateUserProfileDefaultRole userprofile="materialsengineer" role="consumer"/> Attribute Description Required userprofile Name of user profile to which the default role is set. Y role The new role of this user profile. Y <DefineLevels> This element defines the number of release levels that objects are subject to during their life cycle. This element cannot be reset without recreating the database. The DefineLevels element has the following attribute: Attribute Description Required nlevels Defines the number of release levels. Y Example: <DefineLevels nlevels="3"/> <GrantAdminPrivilege> This element grants privileges to a specific role to perform in a specific administrative operation. For valid admin operations, see Admin permission, 186. The GrantAdminPrivilege element has the following attributes: Attribute: Description: Required role Role assigned to this role permission. Y operation Operation set. Y Example: <GrantAdminPrivilege role="manager" operation="createproject"/>

226 218 Example: <GrantObjectPrivilege> This element grants privileges to a specified role to perform specific operations on objects in a particular domain for a defined range of release levels. For valid object operations, see Object permission, 186. The GrantObjectPrivilege element has the following attributes: Attribute: Description: Required role Role assigned to this role permission. Y operation Name of operation. Y foreignflag Flag to denote if the privilege is granted for foreign objects, or only owned objects. Y minreleaselevel maxreleaselevel If true, the privilege is granted on foreign objects and implicitly on owned objects. If false, the privilege is granted only on owned objects. Minimum release level at which the operation can be performed. Maximum release level at which the operation can be performed. Y Y Example: <GrantObjectPrivilege role="manager" operation="read" minreleaselevel="1" maxreleaselevel="2" foreignflag="true"/> <GrantObjectPrivilege role="author" operation="read" minreleaselevel="0" maxreleaselevel="2" foreignflag="false"/>

227 Chapter 6: System Administration Example: 219 <RevokeObjectPrivilege> This element revokes an object operation from a role at a certain release level. The RevokeObjectPrivilege element has the following attributes: Attribute Description Required role Name of the role from which to revoke the Y operation. operation Name of the operation to revoke. Y releaselevel Release level where this restriction will be Y effective. foreignflag Determines whether the target object s ownership is foreign. Y Example: <RevokeObjectPrivilege role="manager" operation="read" releaselevel="1" foreignflag="true"/> <RevokeAdminPrivilege> This element revokes an admin operation from a role. The RevokeAdminPrivilege element has the following attributes: Attribute Description Required role Name of the role from which to revoke the operation. Y operation Name of the operation to revoke. Y Example: <RevokeAdminPrivilege role="manager" operation="editproject"/>

228 220 Example: <RegisterObjectType> This element registers a new object type into the system. The RegisterObjectType element has the following attributes: Attribute: Description: Required name Name of the object type to register. Y parent Name of a parent object type. Y Example: <RegisterObjectType name="patranstoryboard" parent="storyboard"/> For additional information about object types, see the SimManager Configuration and Deployment Guide. <RegisterReportTemplate> This element creates a new report template in the system. The RegisterReportTemplate element has the following attributes: For more information, see Report Generator in SimManager Configuration and Deployment Guide. Attribute Description Required name Name of the template. Y seedobjecttype Type of associated seed objects. Can be any object type defined in SimManager. Y Example: <RegisterReportTemplate name="alphareport" seedobjecttype="geometrymodel"/> <RegisterSectionTemplate> This element creates a new section template in SimManager. The RegisterSectionTemplate element has the following attributes: Attribute Description Required name Name of the template. Y seedobjecttype Type of associated seed objects. Y dataobjecttype Type of associated data objects. N For more information, see Report Generator in SimManager Configuration and Deployment Guide.

229 Chapter 6: System Administration Example: 221 Example: <RegisterSectionTemplate name="crosssection" seedobjecttype="storyboard" dataobjecttype="geometrymodel"/> <RegisterQueue> This element registers a new queue into SimManager. The file <queue name>-queue.xml must exist in a directory relative to <portal>/queue. The RegisterQueue element has the following attribute: Attribute Description Required name Name of the queue file. Y For more information, see SimManager Configuration and Deployment Guide. Example: <RegisterQueue name="myqueue"/> <UnregisterQueue> This element unregisters a queue that is already registered into SimManager. The UnregisterQueue element has the following attribute: name Attribute Description Required Name of the queue to be unregistered from SimManager. Y Example: <UnregisterQueue name="myqueue"/> <CreateAdminOperation> This element creates the specified admin operation. The user may grant privilege to this operation to one or more roles using <GrantAdminPrivilege>. This admin operation can be specified as the 'adminpermission' required to execute an action. This can be specified in the definition of the action. Attribute Description Required name Name of the admin operation to create Y description Description of the operation N

230 222 Example: Example: <CreateAdminOperation name="execaction-a1"/> <PromoteUser> This promotes the specified user to the specified level/type. The valid user types are GenericUser, AdminUser and SuperUser. The SuperUser is the most powerful and the GenericUser is the least. A user U1 can promote another user U2 upto the level/type of U1. Every user is created as a Generic User. Attribute Description Required name Name of the user to promote Y usertype Type of the user to promote to. The valid values are AdminUser and SuperUser Y Example: <PromoteUser name="user0" usertype="adminuser"/> <DemoteUser> This is the reverse of Promote. This lowers the user's powers. Again, a user U1 can demote a user U2 from a level <= U1's to a level < U1's. Attribute Description Required name Name of the user to promote Y usertype Level/Type to demote to. If the user performing this is a SuperUser, the valid values are AdminUser and GenericUser. If the user performing this is an AdminuUser, valid value is GenericUser Y Example: <DemoteUser name="user0" usertype="genericuser"/> <SetNamedUserFlag> This sets the named user flag for the specified user. After this flag is set, the user will be automatically added to every root project created thereafter if the property rootproject.addnamedusers=true in the Portal Configuration. If the flag is set to false, the user will no longer be automatically added to every root project created thereafter even if the required Portal Configuration property is set. Note: This does not affect the existing projects. It only affect root projects created thereafter.

231 Chapter 6: System Administration Example: 223 Attribute Description Required name Name of the user Y isnameduser Valid values are true/false Y Example: <SetNamedUserFlag name="user0" isnameduser="true"/> <UpdateUserDefaultRole> This updates the 'default' role of the user. This role is used to determine admin privileges for non-projectbased actions (in combination with user profile's default role) eg. Create Project (Root) etc. Attribute Description Required name Name of the user Y role Default role for the user Y Example: <UpdateUserDefaultRole name="user0" role="manager"/> <DefineEnumValues> This element can define values for a pre-defined enumeration. Please refer to "Create Enumerated Item" to find out see how to register a new Enumerated Item. Enum Attribute Description Required Name of the pre-registered Enumeration for which values are being defined Y <DefineEnumValues> uses <EnumValue> tags to define new values. <EnumValue> This element is used in conjunction with <DefineEnumValues> to define new values for a pre-defined enumeration. Attribute Description Required name Name of the enum value Y label Display label for the enum value Y description Description for the Enum Value Y

232 224 Example: Example: <DefineEnumValues enum="simulationtype"> <EnumValue name="nvh" label="nvh" description=""/> <EnumValue name="acoustics" label="acoustics" description=""/> <EnumValue name="structures" label="structures" description=""/> </DefineEnumValues> In the above example, "SimulationType" is a pre-registered enumeration type. "NVH", "Acoustics" and "Structures" are the newly defined values. <RegisterSimulationTool> Attribute Description Required name Name of the Simulation Tool being registered Y modeltype Associates the Simulation Tool to a Model Type defined in CAESchema. Value can be any Enterprise Object that is derived from "com.msc.sdm.cae.model" Y resulttype <RegisterSimulationTool> uses <SupportedSimulationType> tags to define supported Simulation Types. <SupportedSimulationType> Associates the Simulation Tool to a Result Type defined in CAESchema. Value can be any Enterprise Object that is derived from "com.msc.sdm.cae.result" Y Attribute Description Required name Name of the pre-defined SimulationType Y Example: <RegisterSimulationTool name="nastran" modeltype="nastraninputdeck" resulttype="nastranresult"> <SupportedSimulationType name="nvh"/> <SupportedSimulationType name="acoustics"/> <SupportedSimulationType name="structures"/> </RegisterSimulationTool> In the above example, "SupportedSimulationType" refers to the pre-defined Simulation Type values.

233 Chapter 6: System Administration Example: 225 <RegisterProcedure> This registers an action with SimManager. Every time an action is registered a new revision of the action is created and made 'active'. By default, when the user launches an action, the latest revision of the action is executed since that will be the 'active' one. name Attribute Description Required Name of the action. This must match with the name specified within the Action file. This file must be relative to./portals/<portal>/ae directory Project Name of the project Y domain Name of the domain to be used in combination with Project (ProjectDomain). The action will be associated with this ProjectDomain and it will be used to determine a user's privileges for the action Y actionclassification One or more action classification to associate with Procedure. This is a filter and is one of the factors that determine which Project this action can be executed in. If no action classifications are specified, this action cannot be executed at all. Y N autorelease certificationstatus It is possible to specify more than one actionclassification using "ac1, ac2" Flag to denote if this action must be promoted automatically to level 1 when it is registered the very first time. If not specified, it is assumed to be 'true'. The valid values are true/false. Specifies the certification status of the action. This is used to determine if the action must run in a sand-box mode or free mode. Valid values are "AllowFullAccess", "AllowRequestedAccessOnly", "BlockAllAccess". If not specified, "BlockAllAccess" is assumed N N Example: <RegisterProcedure name="action1" project="project1" domain="default" actionclassification="global" certificationstatus="allowrequestedaccessonly"/>

234 226 Example: <UnregisterProcedure> This unregisters an action from SimManager. Attribute Description Required name Name of the action to unregister Y Example: <UnregisterProcedure name="action1"/> <RegisterResource> This registers a resource with SimManager. The resource is used by an action. Every time a resource is registered, a new revision of the resource is created and a new revision of the procedure associated with the resource is also created. This ensures that when an action using a resource is executed, it always uses the latest revision of the resource. Attribute Description Required name Name of the resource Y filepath Path to the resource file relative to Y portals/<portal>/resources project Name of the project Y domain Name of the domain to be used in combination with Project (ProjectDomain). The resource will be associated with this ProjectDomain and it will be used to determine a user's privileges for the resource Y autorelease Flag to denote if this resource must be promoted automatically to level 1 when it is registered the very first time. If not specified, it is assumed to be 'true'. The valid values are true/false. Example: <RegisterResource name="myresource" filepath="action1resources/res1.js" project="project1" domain="default"/> N

235 Chapter 6: System Administration Example: 227 <RegisterQueue> This registers a queue with SimManager. The queue to run an action can be specified in the action definition or when launching the action. Attribute Description Required name Name of the queue to register Y Example: <RegisterQueue name="lsf-queue"/> <OwnershipTransfer> This transfers ownership of all objects owned by 'from user' to 'to user'. The owner of all the objects is changed from 'from user' to 'to user'. It is used before <RemoveUser> to transfer all the objects owned by the user-to-be-removed to another user. Attribute Description Required fromuser Name of the user to transfer ownership from Y touser Name of the user to transfer ownership to Y Example: <OwnershipTransfer fromuser="user0" touser="user1"/> <CreateActionClassification> This creates ActionClassification objects. Action Classifications are used as a filter to determine which action can run in which project. One of the factors SimManager uses to determine if an action can be launched in a project is to check if the action and the project have at least one action classification in common. One or more action classifications can be associated with a Project/Procedure. Attribute Description Required name Name of the action classification. Y Example: <CreateActionClassification name="ac1"/>

236 228 Example: <AddActionClassificationToProcedure> Associates one or more action classifications with an action/procedure. Attribute Description Required procedure Name of the action to associate one or more action Y classifications with actionclassification One or more action classifications to be associated with the action. eg. "AC1, AC2 Y Example: <AddActionClassificationToProcedure procedure="action1" actionclassification="ac1"/> <AddActionClassificationToProcedure procedure="action1" actionclassification="ac2, AC3"/> <RemoveActionClassificationFromProcedure> Removes one or more action classifications from the specified action. Attribute Description Required procedure Name of the action to remove one or more action Y classifications from actionclassification One or more action classifications to be removed from the action. eg. "AC1, AC2" Y Example: <RemoveActionClassificationFromProcedure procedure="action1" actionclassification="ac3"/> <RemoveActionClassificationFromProcedure procedure="action1" actionclassification="ac1, AC2"/> Setting Up Projects You can set up projects in SimManager using the Classic Studio/Web Client to execute admin operations. Refer to Administrative Tools, 157 and SimManager User's Guide, Chapter 3, Project Management. Once you create an initial project through the Classic Studio, you can also create and edit projects interactively using the Web interface of the portal (if you have the correct privileges). The attributes listed in the following tables are required for the associated element. <CreateProject> This element defines a project. A project will automatically inherit all domains.. The addition of users and user profiles to a Project are controlled by various properties in Portal Configuration. Refer to SimManager User's Guide, Chapter 3, Project Management for further detail. A project will

237 Chapter 6: System Administration Example: 229 automatically be associated with all domains (A ProjectDomain object is created for every combination of Project and Domain). The CreateProject element has the following attributes: Attribute Description Required name Name of project. This must be unique in the system. Y parentproject Name of parent project. This project will then be created as a sub-project of the parent project. If this is not specified, the project is created at the top level as a root project. N shortname Example: Short Name of the project. This must be unique within the parent project. If not specified, the short name is set to the same value as 'name' description Description of project. N remarks Remarks for project. N Create a Root Project: <CreateProjectname="Project1" description="first Project." remarks="first Project remarks."/> Create a Sub Project : <CreateProject name="sub Project 1" parentproject="project1" shortname = "SP 1" description="sub Project of First Project." remarks="sub Project of First Project remarks."/> <AddUserToProject> This element adds a user with a defined role to a project. If the project has sub-projects, the user is added to all the projects in the hierarchy if the property childproject.inheritusers=true in Portal Configuration. The AddUserToProject element has the following attributes: N Attribute Description Required project Name of the project to which the user will be added Y user Name of the user to add to the project Y role Name of the Role to assign to the user in the project Y domain Name of the domain to be used in combination with Project name to add the user to (ProjectDomain to add the user to) Y Example:

238 230 Example: <AddUserToProject project="project1" user="user1" role="manager" domain="default"/> <RemoveUserFromProject> This element removes a user from a project. If the project has sub-projects, the user is always removed from all the projects in the hierarchy. The RemoveUserFromProject element has the following attributes: Attribute Description Required project Name of the project from which the user will be Y removed. user User name to be removed. Y domain Name of the domain to remove the user from (This will be used in combination with Project Name ProjectDomain to remove the user from) Y Example: <RemoveUserFromProject project="project1" user="user1" domain="default"/> <RemoveUser> This element removes a user from SimManager. To remove a user the user must not "own" any existing objects. You can "Transfer Ownership" before removing the user. The user is removed from all projects. The RemoveUser element has the following attributes: Attribute Description Required name Name of the user being removed. Y Example: <RemoveUser name="user1" /> <RemoveUserProfile> This element removes a user profile from SimManager. The user profile is removed from all projects. The RemoveUserProfile element has the following attributes: Attribute Description Required name Name of the user profile being removed. Y

239 Chapter 6: System Administration Example: 231 Example: <RemoveUserProfile name="stressmanager"/> <RemoveUserProfileFromProject> This element removes a user profile from a project. If the project has sub-projects, the user profile is always removed from all the projects in the hierarchy. The RemoveUserProfileFromProject element has the following attributes: Attribute Description Required project Name of the project from which the user profile will be Y removed userprofile Name of the user profile to be removed from the project. Y domain Name of the domain to remove the user profile from (This will be used in combination with Project ProjectDomain to remove the user from ) Y Example: <RemoveUserProfileFromProject project="project1" userprofile="stressmanager" domain="default"/> <SetUserDefaultRole> This element sets a domain role for a user. A user can have different roles in different domains. The SetUserDefaultRole element has the following attributes: Attribute Description Required user User name to set the domain role for Y role Name of the role assigned to the user Y domain Name of the domain in which their user will be assigned the specified role Y Example: <SetUserDefaultRole user="user1" role="manager" domain="default"/>

240 232 Example: <SetUserProfileDefaultRole> This element sets a domain role of a user profile. A user profile can have different roles in different domains. The SetUserProfileDefaultRole element has the following attributes: Attribute Description Required userprofile Name of the user profile to set the role to Y role Name of the role to assign to the user profile Y domain Name of the domain in which the userprofile will be assigned the specified role Y Example: <SetUserProfileDefaultRole userprofile="materialsmanager" role="manager" domain="default"/> <AddUserProfileToProject> This element adds a user profile to a project. If the project has sub-projects, the user will be added to all the projects in the hierarchy if the property childproject.inherituserprofiles=true in Portal Configuration. The AddUserProfileToProject element has the following attributes: Attribute Description Required project Project to which to add the user profile. Y userprofile User profile name to add to the project. Y role Role to assign to the user profile within the project. Y domain Domain of this assignment. This will be used in combination with Project (ProjectDomain to add the user to.). Y Example: <AddUserProfileToProject project="project1" userprofile="stressmanager" domain="default"/>

241 Chapter 6: System Administration Example: 233 <UpdateUserRoleInProject> This updates the 'project' role of the user in the specified project. This role is used to determine admin privileges for project-based actions (in combination with user profile role). Eg. Edit Project. This affects only the specified project and not the sub-projects or any project in the project hierarchy. Note: The user will not be allowed to change the role of a user in a project such that it breaks the visibility of the project hierarchy. Eg. if a user can see P1->P2->P3 where P1 is the highest level of visibility, it is not possible to assign a role to the user in P2 which takes away the user's visibility of P2. This is because it will then not be possible for the user to traverse to P3 at all. It should also be noted that the privileges in a project are determined as a union of privileges of the user and user profile. Attribute Description Required user Name of the user Y role Name of the role to assign in the project Y project Name of the project Y domain Name of the domain to be used in combination with Project (ProjectDomain) Y Example: <UpdateUserRoleInProject user="user0" role="author" project="project1" domain="default"/> <UpdateUserProfileRoleInProject> This updates the 'project' role of the user profile in the specified project. This role is used to determine admin privileges for project-based actions (in combination with user role). Eg. Edit Project. This affects only the specified project and not the sub-projects or any project in the project hierarchy. Note: The user will not be allowed to change the role of a user profile in a project such that it breaks the visibility of the project hierarchy. Eg. if a user can see P1->P2->P3 where P1 is the highest level of visibility, it is not possible to assign a role to the user profile in P2 which takes away the user's visibility of P2. This is because it will then not be possible for the user to traverse to P3 at all. It should also be noted that the privileges in a project are determined as a union of privileges of the user and user profile.

242 234 Example: Attribute Description Required userprofile Name of the user profile Y role Name of the role to assign in the project Y project Name of the project Y domain Name of the domain to be used in combination with Project (ProjectDomain) Y Example: <UpdateUserProfileRoleInProject user="stressmanager" role="author" project="project1" domain="default"/> <AddActionClassificationToProject> This associates one or more action classifications with a project. Attribute Description Required project Name of the project to associate action classification to. Y domain Name of the domain to be used in conjunction with Project Y (ProjectDomain) actionclassification One or more action classifications to be associated with the project. eg. "AC1, AC2" Y Example: <AddActionClassificationToProject project="project1" domain="default" actionclassification="ac1"/> <AddActionClassificationToProject project="project1" domain="default" actionclassification="ac2, AC3"/> <RemoveActionClassificationFromProject> This removes one or more action classifications associated with the project. Attribute Description Required project Name of the project to remove action classification from. Y domain Name of the domain to be used in conjunction with Project Y (ProjectDomain) actionclassification One or more action classifications to be removed from the project. eg. "AC1, AC2" Y

243 Chapter 6: System Administration Example: 235 Example: <RemoveActionClassificationFromProject project="project1" domain="default" actionclassification="ac2"/> <RemoveActionClassificationFromProject project="project1" domain="default" actionclassification="ac1, AC3"/>

244 236 Organizing Your Work with Hierarchical Projects Organizing Your Work with Hierarchical Projects Projects and Domains Providing Context for Your Data Simulation data in engineering is generated and collected in the context of specific goals, such as designing a new product or improving an existing product in certain ways, e.g. better stability, less weight, compliance with new government regulations. This is a goal-related context which is frequently captured by a project number or project name. SimManager offers a Project attribute for your data and processes to model this kind of context. Another kind of context is the kind of investigation or simulation being performed, e.g. stiffness analysis, crash analysis, flight loads, passenger safety, etc.. This attribution is orthogonal to (independent of and in addition to) the first one, and it is sometimes also called discipline, sub discipline, subproject or similar. SimManager offers a Domain attribute for this second kind of context. The two kinds of context attributes form a matrix wherein each cell or project/domain combination identifies the contextual environment of data. See figure 5-11 for an example. Figure 6-19 A sample project/domain structure. Data and processes are associated with a development goal a.k.a. Project and with a development activity or discipline, a.k.a. Domain. Each data or process object can be thought of being associated with, or stored in, one cell of this matrix. 1 But not only data, also users and user profiles have properties with regards to the project/domain combination. A given user, and similarly a profile, can be thought of as having a role in each of the matrix cells. The role is a name for an aggregation of various permissions that the user (or profile) will have within the project/domain combination, e.g. at which release levels she or he will be able to read, edit, delete an object, whether she or he will be able to create new data objects (synonymous with write access at release level 0), and so forth. Note that a data or process object is associated with exactly one matrix cell, while users and profiles have a role in potentially every matrix cell. The role will vary by cell, of course. 1 Sometimes a cell of this matrix is called a ProjectDomain because a cell represents the combination of a project and domain value.

245 Chapter 6: System Administration Organizing Your Work with Hierarchical Projects 237 A user or profile does not need to have a role in really every cell. The system can be configured so that there is only a role if the user or profile has been added to the project/domain. If not added, there will be no role at all in the respective cell, and access as well as any other operations will be prohibited. Refer to the access control description, section Domain, 213 for further details on permission assignments. Hierarchical Context Structures The matrix-like context definition described in the previous section has been a good fit for many situations, but there are cases where this is not flexible enough. For example, some people like to further structure the development goal into separate phases and wish to enforce different permission assignments in some of them. Disciplines may need a little finer breakdown, e.g. when crash simulations are distinguished between front impact, side impact and passenger safety simulations. Sometimes not all combinations of goal and discipline make sense, and sometimes the flat, matrix-like context model is seen as a restriction in itself. Additional criticism arises because the matrix model is really targeted at the main use-case of managing simulation data. Another kind of activity, developing simulation methods, becomes more and more important as the use of simulations for product development increases. To support methods development, one needs to look at tasks for testing actions (SimActivities, SimTemplates, SimProcesses) within some kind of sandbox environment with known test data, refining and debugging actions, and finally making them available for production, for use by the general simulation engineer. In many cases there are hierarchies inherent in the way we partition the context. We also tend to view data from hierarchical perspectives, e.g. from a navigation tree, a directory tree, product structure trees, etc.. It would therefore make a lot of sense if we could support hierarchical context definitions directly in the context association in SimManager.

246 238 Organizing Your Work with Hierarchical Projects This is exactly what hierarchical project structures or project trees are about. They are meant to replace the flat, matrix-like project/domain combination with a tree of project nodes. See figure 5-12 for an example. Figure 6-20 Figure 2: A sample project tree. Data and processes are associated with a node within the tree. Data and process objects are associated with (stored in the context of) a particular node in the project tree. The project association alone now comprehensively identifies the data context, a separate domain attribute is not needed any more. Actually in the example given in the figure, the nodes Crash and NVH are equivalent to the Crash and NVH domain from the former model in figure 1. The second branch of the project tree in figure 2 is an example of a different way of structuring the context. Here a development goal (car project) is split into development stages, concept phase and milestone 1 phase, instead of by discipline. The third branch gives an example of how methods development tasks could be supported by a hierarchical project model. Here a subtree of projects is created as a context for developing and storing actions. There are sandbox projects where methods developers can test and certify new actions. Actions in these places will not be accessible by the public, they are restricted to methods development only. Data stored in these places will be test data sets, used for the purpose of debugging and certifying actions. Once an action is ready for use by the public, it is made available in the Gold Standard project where simulation engineers will have access. Similar to the earlier project/domain model, users and user profiles are now assigned a role for nodes in the project tree, again with the exception of projects where they should not have any access.

247 Chapter 6: System Administration Organizing Your Work with Hierarchical Projects 239 It is quite interesting to relate this new context model to the way people look at their data in the navigation tree. Previously in the flat project/domain model, some portals would define navigation trees that were first structured by project, then by domain within the project, then by actual data sets. Other portals would do it the opposite way: first domains, then projects within the domain, then data. This observation makes apparent that there is no real good argument for supporting hierarchical project trees in combination with domains. A portal adopting hierarchical project structures will choose to subdivide the tree either first by project then by domain or the other way around. Both approaches can be directly modeled by the project tree. The hierarchical context model supplies a superset of the features that the flat model provided. A portal preferring the flat context definition can still use nonhierarchical projects together with domains. But as soon as more flexibility is needed, it can switch to the hierarchical model and convert prior domains to a level within the tree. That being said, there is no hard technical reason prohibiting a combining both models within a single portal, but it would certainly complicate matters a lot so that understanding could become an issue. The recommendation is either use non-hierarchical projects together with domains, or use hierarchical projects without domains. 1 Refined Context Data Model and Migration Looking at the context data model from a human point of view, we would probably describe a certain node with words like the front impact project within the crash project within the E39 car project. Technically, however, the hierarchy is only a structuring means that makes it easier to group subsets of the context. Technically every node in the project tree is an entity of its own and provides a comprehensive description of the context. We sometimes like to give several nodes in the tree the same name, e.g. there could be a crash subproject in other branches of the tree, there may be front impact sub-projects in many branches. So the name is no longer a unique identifier for a project. In mathematical terms each project still has a unique id, and it also can still have a globally unique name as it did in the previous project/domain model. The labels shown in the tree example are then additional, local project short names. They are not globally unique, they are only unique among children of the same parent project. Also in mathematical terms, as long as SimManager still supports the flat project/domain model as an option, there will always be a domain associated with each node in the project tree as a technical necessity. But since we don't recommend multiple domains with hierarchical projects, the domain associated will always be the same one. It can have the name Default or another convenient placeholder. The first case, the flat project/domain model, is still supported by the new hierarchical context model as well. We simply don't make use of the additional short name (we set it to be the same as the globally 1 Technically there will always be domains in the data schema. Using hierarchical projects without domains refers to using a single default domain, implicitly, with all projects.

248 240 Organizing Your Work with Hierarchical Projects unique name), and we don't nest project creations within a parent project. Instead we do use multiple domains in this case.the figure below shows the refined data model. Figure 6-21 The refined context data model. When migrating from an earlier version of SimManager, all projects are converted into top-level projects and their short names are set to the same as the globally unique name. Thus existing portals will continue to work as they did before, using the flat project/domain model. Migrating existing portals from flat projects and domains to the hierarchical model will be a much more difficult task. A strategy will be needed for either nesting existing domains within projects, or projects within domains. Data associations will need to be modified to refer to the new hierarchical structure, and user and profile roles will need to be adapted accordingly. There are currently no tools available to ease this kind of migration. User and Profile Roles for Hierarchical Projects While each node in a project tree is technically independent of other nodes, the user experience is that of a hierarchy of nodes where each node exists within the name space of its parent. For example the user will expect being able to see (navigate through) any parent projects when she or he has access to a certain child project. It follows that access control settings in SimManager need to make sure that a user or profile who is member of a child project is also member of all the parents, up to the root of the tree. There is no need

249 Chapter 6: System Administration Organizing Your Work with Hierarchical Projects 241 that the role be the same at all levels, but at least minimal access (visibility only) is required throughout. Similarly, when a user or profile is made member of a parent project, it would be a good default to make her or him member of all child projects with the same role as well. Note that the role in child projects could be changed subsequently, or the user/profile could even be taken out from child projects later (recursively). Another valuable feature of project hierarchies natural support the delegation of administration actions over subtrees. Assigning and changing user or profile roles within parts of the tree does not require global administration privilege any more, it is now sufficient if the acting administrator has the needed privileges locally in the projects where roles are assigned. Access control services in SimManager apply these rules: When a user or profile is added to a project, the addition is propagated to all child projects recursively with the same role. When a user or profile is removed from a project, it is removed from all children as well, recursively. A user or profile can only be added to a child project, if it has read privilege in the parent project. When a new child project is created, all user and profile role assignments are initially copied from the parent project. The assignments can be changed later on. For adding or removing users or profiles, or changing roles, global administration privilege is no longer required. It is sufficient if the acting administrator possesses the required rights on the project nodes where the assignment takes place. Action Selection Rules, Action Classification At the same time as adding support for project trees, actions and resources are given access protection via release levels. This facilitates the required visibility restriction to shield methods development within a sandbox from general access by simulation engineers. In addition it lays the basis for action approval work flows where new actions or new action revisions need formal promotion and sign off before they can be used in production runs. Note: Refer to Configuration and Deployment Guide, Chapter 4 Registering Procedure and Registering Resource for more information on actions and resources and detailed command syntax. Actions being protected by release states imply a project and domain membership for the actions themselves. Hence a project and a domain are now required when registering actions. In the case of hierarchical projects, the project can be some project node from anywhere in the tree, e.g. a sandbox project or the Gold Standards project, and the domain will be the single (default) domain that is used throughout the portal. In the case of the flat project/domain model it may be necessary to assign a dedicated project and domain for registering actions. Either way, role assignments of users and profiles need to be set up in such a ways that people have access (read privilege at least) to the actions they are supposed to execute.

250 242 Organizing Your Work with Hierarchical Projects Essentially the access protection of actions becomes a new filter for action selection rules. This filter cannot be bypassed, regardless of the setting of the filter system/process actions preference setting. There is a second new filter for action selection, meant to improve support for the finer context that becomes possible with hierarchical projects. This second filter is called action classification: With hierarchical projects one can set up pretty detailed nestings. Using the default propagation of role assignments within project hierarchies there is also not much administrative overhead in setting up deeply nested hierarchies. However, the existing action filter only filters actions based on the users ability to execute in the target project and domain. When user privileges are the same in many sub projects, actions will show up in all of them. However, with sub projects being created for separating different kinds of situations and load cases, we really do not want to show all actions in all sub projects. Quite frequently a given action will only be applicable by its nature in certain kinds of sub projects, e.g. a passenger safety simulation action will only be applicable in the passenger safety sub project. This cannot be modeled adequately by user roles. Action classifications solve this problem. Any (sub) project is tagged with a number of action classifications, and also any action is tagged by a set of classifications. The new action classification filter will only show those actions that have at least one classification in common with the target project. 1 The figure below shows an example. Figure 6-22 Use of action classifications for filtering available actions. 1 The target project refers to the project where new data is being created. It can and usually will be different from the project where the action itself was registered.

251 Chapter 6: System Administration Web Server Administration 243 Web Server Administration Support for Load Balancing and Failover For support on configuring WebSphere for Load Balancing and Failover operation consult your MSC Software representative. The following section documents load balancing and failover as supported on Tomcat Webservers. SimManager in a failover environment has been verified by IBM for WebSphere SimManager provides support for Load Balancing/Failover. Currently SimManager supports only the SessionAffinity mode. This means that all requests from a web client are routed to the same SimManager server in the cluster. Therefore, the load balancer balances load between the web clients (and not between web requests). Apache routes all requests to mod_jk which is the load balancer. mod_jk determines which Tomcat server in the cluster to which to send the request. To enable load balancing/failover for SimManager, perform the following steps: 1. Edit "<SMAPP_ROOT>/SimManager/WEB-INF/web.xml" and add the following line <distributable/> This line can be added anywhere in the file (Except in the middle of an XML element) 2. Edit "<SMAPP_ROOT>/SimManager/config/SimManager.properties" and set the following server.mode=distributed (default is set to "Single") sessionaffinity.enabled=true server.instance.id=9000 (Ensure that the load balancer settings are the same for session Affinity. SimManager supports only true for sessionaffinity.enabled. If this is set to false, the results may be unexpected. Ensure that the value of server.instance.id is same as the porton which the server is listening on. When IP address is concatenated with server.instance.id, the combination forms a unique key which is used to identify a unique user session across multiple servers in the Load balanced setup. e.g :9000 is a unique key - where 9000 is the server.instance.id This key is used to correctly update/identify UserSession object or User Statistics on clustered environment) Note: When one of the servers in the cluster is shutdown normally, it takes a few seconds for SimManager to completely shutdown. During this time if the user clicks anywhere in the page, a 503 error is returned. This is because http server is not aware that the server is being shutdown. As soon as the server shuts down completely, the requests failover to another server in the cluster. On the other hand, if the server crashes or is quickly aborted, it comes down immediately and http server fails over the request to another server in the cluster.

252 244 Web Server Administration Load Balancing setup on Apache/mod_jk/Tomcat The following are basic instructions for setting up a Tomcat Cluster. Refer to the Apache website for the latest information. Tomcat clustering is set up using Apache + mod_jk + Tomcat. For configuration information on the IBM HTTP server refer to the IBM redbooks for your specific version ( SimManager in a load balanced environment has been verified by IBM for WebSphere Setting up Apache Download Apache from and install in accordance with downloaded instructions. Setting up mod_jk Download mod_jk from We recommend that you download binaries if they are available for your platform. Follow the instructions on the download site to install mod_jk. Connecting Apache and Tomcat through mod_jk Edit <Apache Install Dir>/conf/httpd.conf Alternative 1: 1. Above the "LoadModule" lines under "Dynamic Shared Object (DSO) Support" add the following: # # Load mod_jk # LoadModule jk_module modules/mod_jk.so # # Configure mod_jk # JkWorkersFile conf/workers.properties JkLogFile logs/mod_jk.log JkLogLevel info 2. Under #DocumentRoot add the following: JkMount /SimManager/* loadbalancer JkMount /jkmanager/* jkstatus JkMount /jkstatus/* jkstatus Note: "SimManager" refers to the webapp name. "loadbalancer" refers to the load balancer worker name specified in workers.properties"

253 Chapter 6: System Administration Web Server Administration 245 Alternative 2: 1. Add the following line to the end of the file: Include "conf/simman/simman.conf" 2. Create the file "<Apache Install Dir>/conf/SimMan/SimMan.conf" and add the following lines in the file: # # Load mod_jk # LoadModule jk_module modules/mod_jk.so # Configure mod_jk # JkWorkersFile conf/simman/workers.properties JkLogFile logs/mod_jk.log JkLogLevel info JkMount /SimManager/* loadbalancer JkMount /jkmanager/* jkstatus JkMount /jkstatus/* jkstatus Note: "SimManager" refers to the webapp name, "loadbalancer" refers to the load balancer worker name specified in "workers.properties" 3. Create "workers.properties" with the following content (this example refers to a cluster with two tomcat servers): worker.list=tomcat1, tomcat2, loadbalancer, jkstatus # # First tomcat server # worker.tomcat1.port=11009 worker.tomcat1.host=localhost worker.tomcat1.type=ajp13 worker.tomcat1.lbfactor=100 # # Second tomcat server # worker.tomcat2.port=12009 worker.tomcat2.host=localhost worker.tomcat2.type=ajp13 worker.tomcat2.lbfactor=100 # DEFAULT LOAD BALANCER WORKER DEFINITION worker.loadbalancer.type=lb worker.loadbalancer.balanced_workers=tomcat1, tomcat2 worker.jkstatus.type=status Update <tomcat install dir>/conf/server.xml 4. Edit <TOMCAT_INSTALL>/conf/server.xml a. Change <Server port="12005" shutdown="shutdown" debug="0"> so "port" is unique among the servers If you do not want this Tomcat server to be directly visible, comment out the block:

254 246 Web Server Administration \Connector port="8082" maxthreads="150" minsparethreads="25" maxsparethreads="75" enablelookups="false" redirectport="8445" acceptcount="100" debug="0" connectiontimeout="20000" disableuploadtimeout="true" /> If you want this Tomcat server to be directly visible, ensure that "port" and "redirectport" are unique among the servers. b. Configure AJP 1.3 Connector Settings. Ensure "port" and "redirectport" are unique among the servers <Connector port="12009" enablelookups="false" redirectport="8551" debug="0" protocol="ajp/1.3" /> This is the port number that must be specified in workers.properties for worker.<tomcat_worker>.port c. Modify the line: <Engine name="catalina" defaulthost="localhost" debug="0" jvmroute="tomcat2"> d. Add attribute "jvmroute". The value for this attribute must be the tomcat_worker name specified in workers.properties. This attribute is used by the load balancer (mod_jk) to maintain session affinity so that all requests from a web client can be routed to the same server. e. Uncomment the <Cluster> element. This configures Session Replication. This enables replication of the HttpSession across all the servers thus preparing for a failover. The following is a sample configuration: <Cluster classname="org.apache.catalina.cluster.tcp.simpletcpcluster" managerclassname="org.apache.catalina.cluster.session.deltamanag er" expiresessionsonshutdown="false" usedirtyflag="true"> <Membership classname="org.apache.catalina.cluster.mcast.mcastservice" mcastaddr=" " mcastport="45564" mcastfrequency="500" mcastdroptime="3000"/> <Receiver classname="org.apache.catalina.cluster.tcp.replicationlistener" tcplistenaddress="auto" tcplistenport="4501" tcpselectortimeout="100" tcpthreadcount="6"/>

255 Chapter 6: System Administration Web Server Administration 247 <Sender classname="org.apache.catalina.cluster.tcp.replicationtransmitte r" replicationmode="synchronous"/> <Valve classname="org.apache.catalina.cluster.tcp.replicationvalve" filter=".*\.gif;.*\.js;.*\.jpg;.*\.htm;.*\.html;.*\.txt;"/> <Deployer classname="org.apache.catalina.cluster.deploy.farmwardeployer" tempdir="/tmp/war-temp/" deploydir="/tmp/war-deploy/" watchdir="/tmp/war-listen/" watchenabled="false"/> </Cluster> Note: In some cases, especially if the computers on which the tomcat servers are located have static IP addresses, it may be necessary to specify "mcastbindaddr" for <Membership>: <Membership classname="org.apache.catalina.cluster.mcast.mcastservice" mcastaddr=" " mcastbindaddr="<ip address of the computer on which the tomcat server is running>" mcastport="45564" mcastfrequency="500" mcastdroptime="3000"/> For additional information, refer to the links below: SimManager in a load balanced environment has been certified for the following: Windows Apache , mod_jk , Tomcat Linux: Apache , mod_jk , Tomcat

256 248 Web Server Administration Application Connection pooling Configuring Application Connection pools The SimManager server opens a separate database connection for every concurrent request (thread). Since most databases take a considerable amount of time for establishing a new connection, it is desirable to keep a pool of open connections and assign an existing connection from the pool for increased performance. Using a connection pool is optional but highly suggested. Note: It has been reported that Oracle sometimes returns connection errors if SimManager opens and closes too many connections in rapid succession. Using a connection pool avoids these errors. The DataSource specification is optional. It is used if <dbmanager>.dbdatasource in DbConfig.properties is non-empty. The purpose is to define a pooled data source in the web application server in order to avoid the overhead of connecting to the database over and over again (connection pooling). If the dbdatasource parameter is specified, the connection must be configured in the web application server and the connection parameters from DbConfig.properties are no longer relevant for the webserver. Note that Studio only uses the information in DbConfig.properties, so the connection parameters need to be specified correctly. SimManager adheres to the connection pooling capability at web application server level as documented in the Java Servlet Specification. Note: Details can be found in the Java Servlet Specification 2.4, section 13.4, resource-ref element, and the Java Enterprise Edition Specification section 5.6 ff. Note that the application server is called container in the specification The specification basically requires the application (SimManager) to declare that it wants to access a relational (JDBC) by some name, and then the deployer will define the data source with all its properties within the application server. Most application servers supply a GUI tool for defining the data source. In the SimManager system Application Connection pooling is activated by configuring a non-empty value for the <dbmanager>.dbdatasource property in DBConfig.properties. SimManager always uses nonpooled JDBC connections directly for administrative tasks, when using Studio or the installation tool. Connection pools will only be in effect within the web server, when configured. When connection pooling has been configured, the connection properties from DBConfig.properties are required, but the actual information configured in the web application server will be used. To activate Application Connection pooling:

257 Chapter 6: System Administration Web Server Administration Define the data source in your web application server. Definition method is application server dependent. See below for instructions for Tomcat and WebSphere. Choose a data source name of the form jdbc/some-value where some-value can be any name of your choice. The conventional name is SimManagerDS. 2. Enter data source name, without the jdbc/ prefix, as the <dbmanager>.dbdatasource property in DBConfig.properties. 3. Ensure the data source name is the same as in the deployment descriptor, web.xml, for example, <resource-ref> <description>simmanager Data Source</description> <res-ref-name>jdbc/simmanagerds</res-ref-name> <res-type>javax.sql.datasource</res-type> <res-auth>container</res-auth> </resource-ref> If required, replace the value for SimManagerDS with the value you chose in step 1. When using Studio to configure your database connection, steps 2 and 3 will be performed automatically for you once you enter a value for the data source name, see below. Figure 6-23 Set Database Cofiguration Dialog

258 250 Web Server Administration Defining Connection Pools in Tomcat This section describes defining the data source in the Tomcat. There are two ways to define connection pools in Tomcat: by using the Admin GUI web application, or manually by editing an XML file. Note: The Admin web application has to be installed separately with recent releases of Tomcat. There are several connection pool implementations available in Tomcat. First, there is the implementation from Apache DBCP which is bundled with Tomcat. This is always used when you use the Admin GUI, but it can be used when configuring via an XML file as well. Note that DBCP requires the JDBC driver of your database to be available in $CATALINA_HOME/common/lib. Note: You can use other implementations as well, for example, Oracle supplies a connection pooling implementation bundled in the JDBC driver. See below for more information. Defining a Connection Pool in Tomcat using the Admin GUI 1. Copy your database driver into $CATALINA_HOME/common/lib.Table 6-6 gives the names of the database driver files of the supported databases. Table 6-6 Database IBM DB2 Oracle Database driver file names. Driver Files db2jcc.jar, db2jcc_license_cisuz.jar ojdbc14.jar Note: These files can be found in <SMAPP_ROOT>/WEB-INF/lib.

259 Chapter 6: System Administration Web Server Administration Start up Tomcat with SimManager installed. Open the Tomcat Admin web application in your browser and navigate to the Resources--> Data Sources display within the web application context of SimManager (the context being called munich-features in this example): Figure 6-24 Administering Data Sources in Tomcat. 3. The data sources currently declared by web.xml will show up. You can either select an existing data source and enter the values, or create a new one from the menu of available actions.

260 252 Web Server Administration The following figure gives an example for a DB2 database connection. Figure 6-25 Creating a new Data Source in Tomcat. This example uses DB2. Make sure you use a jdbc/ prefix to the data source name. The maximum active and idle connections and the wait time configure the pool behavior. The validation query is optional and can be used to validate a pooled connection before it is handed over to the application. A suitable query for this field is select * from <schemaowner>.dbinfo, so in the above example the schema owner was aeroownr. Table 6-7 gives the format of the data source URL. Table 6-7 Database IBM DB2 Oracle Format of the data source URL for the supported databases Data Source URL jdbc:db2://<dbserverhost>:<dbserverport>/<dbservername> jdbc:oracle:thin:@<dbserverhost>:<dbserverport>:<dbservername >

261 Chapter 6: System Administration Web Server Administration 253 Note the format for SqlServer with the use of semicolon instead of colon. Table 6-8 Database IBM DB2 Oracle Driver Class Names for the supported databases Driver Class Name com.ibm.db2.jcc.db2driver oracle.jdbc.oracledriver 4. Saving the form should display as shown in the figure below. Click on Commit Changes to apply, declare the data source to SimManager and restart Tomcat. Figure 6-26 Tomcat Admin application with a data source defined. Be sure to click on "Commit Changes" to apply. Manually Defining a DBCP Connection Pool in Tomcat Manually defining a data source requires a Tomcat Context XML file. This file should be either in $CATALINA_HOME/conf/Catalina/localhost/<appname>.xml, where <appname> is the context path of your SimManager application, or the METAINF directory within the SimManager installation inside Tomcat. The following is an example of a context file corresponding to the data source connection from the previous section for Tomcat 5.0: Example context XML file:

262 254 Web Server Administration <?xml version="1.0" encoding="utf-8"?> <Context path="<appname>" reloadable="false"> <Resource name="jdbc/simmanagerds" auth="container" type="javax.sql.datasource" /> <ResourceParams name="jdbc/simmanagerds"> <parameter> <name>url</name> <value>jdbc:db2://oreo:50000/gwk</value> </parameter> <parameter> <name>driverclassname</name> <value>com.ibm.db2.jcc.db2driver</value> </parameter> <parameter> <name>username</name> <value>aerodemo</value> </parameter> <parameter> <name>password</name> <value><your-password></value> </parameter> <parameter> <name>maxidle</name> <value>5</value> </parameter> <parameter> <name>maxactive</name> <value>50</value> </parameter> <parameter> <name>maxwait</name> <value>5000</value> </parameter> <parameter> <name>validationquery</name> <value>select * from aeroownr.dbinfo</value> </parameter> /> </ResourceParams> </Context> Refer to Table 6-7 in the previous section for details on the parameters. Defining an Oracle Connection Pool in Tomcat In order to use Oracles connection pool implementation, you must override Tomcats default data source factory. For this implementation, you must create a context XML file as in the previous case. Refer to the previous section, Manually Defining a DBCP Connection Pool in Tomcat, for general information on context files. The parameters to configure the pool are different than DBCP. The following is an example context file for using an Oracle connection pool.

263 Chapter 6: System Administration Web Server Administration 255 <?xml version= 1.0 encoding= UTF-8?> <Context path="<appname>" reloadable="false"> <Resource name="jdbc/simmanagerds" type="oracle.jdbc.pool.oracledatasource" auth="container" description="simmanager Data Source" factory="oracle.jdbc.pool.oracledatasourcefactory" url= connectioncachingenabled="true" connectioncacheproperties="initiallimit=5,maxlimit=50" user="aerodemo" password="<your-password>" /> </Context> The example shown here is in Tomcat 5.5 syntax. For earlier versions, use the syntax as described in the previous section.

264 256 Web Server Administration Defining DB2 Connection Pool in WebSphere : 1. In Guided Activities>Connecting to a database, open Configure credentials for secure database access (middle panel) and click on Click to perform. a. Click on New (right panel). b. Create new alias for SimManager by entering following values and save the settings. For example: Alias: isvlab006node01cell/simmanager (NodeCell/Name) User ID: appuser Passowrd: ******

265 Chapter 6: System Administration Web Server Administration Configure a JDBC provider: a. Open a JDBC Provider by Click on Perform (middle panel) b. Select scope as "Node=Nodename,Server=SimManager" (right panel) c. Click on New. d. On step 1: Create new JDBC provider, select following values: Database type: DB2 Provided type: DB2 Universal JDBC Driver Provider Implementation Type: Connection pool data source Click Next.

266 258 Web Server Administration e. Enter the path name as <PathWhereYouCopyFollowingFiles> Note: Copy following jar files to some location which is accessible by websphere. db2jcc.jar and db2jcc_license_cu.jar from DB2_Installation_Dir>/java directory. db2jcc_license_cisuz.jar from SM_INSTALL_DIR/SimManager/WEB-INF/lib directory Click Next.

267 Chapter 6: System Administration Web Server Administration 259 f. Click Finish on Summary. 3. Configure a data source a. Open Configure a data source by Click on Perform (middle panel)

268 260 Web Server Administration b. Click on JDBC provider name created in step 2 (right panel)

269 Chapter 6: System Administration Web Server Administration 261 c. Click on Data sources d. The following page appears. Click New e. Fill in the panel on Step 1: Enter basic data source information:

270 262 Web Server Administration Data Source Name: SimManagerDS JNDI name: SimManagerJNDI Select (NodelCell/Name) created in step 1 Click Next f. Step 2: Enter database specific properties for the data source Enter database name, select driver type 4, server name and port number for your environment Click Next g. Step 3: Summary

271 Chapter 6: System Administration Web Server Administration 263 Click Finish h. Save your changes. {for HADR only: }

272 264 Web Server Administration Click on Custom properties.

273 Chapter 6: System Administration Web Server Administration 265 Scroll down and select the second page. Update dbfailoverenabled to true, Adjust connretriesduringdbfailover and connretryintervalduringdbfailover (during testing we used values of 2 and 15, respectively). Add one new entry, name=clientrerouteserverlistjndiname, value=cell/persistent/alsrvlist, type=java.lang.string;

274 266 Web Server Administration The second page of the custom properties will now look similar to the image below: Select clientrerouteserverlistjndiname.

275 Chapter 6: System Administration Web Server Administration 267 Click OK. Click Save, and once again Save. {end HADR only} 4. Test database connection a. Open a Test database connection by Click on Perform (middle panel) b. Select scope and data source name (right panel).

276 268 Web Server Administration c. Click on Test Connection. Successful message will be displayed. Defining DB2 Connection Pool in Tomcat The example shown here is in Tomcat 5.5 syntax. <?xml version= 1.0 encoding= utf-8?> <Context path="/simmanager" reloadable="false"> <Resource name="jdbc/simmanagerds" type="javax.sql.datasource" auth="container" url="jdbc:db2://isvlab006:50000/smdb" driverclassname="com.ibm.db2.jcc.db2driver" username="appuser" password="<appuser_password>" maxactive="500" maxidle="5" maxwait="5000" servername="isvlab006" /> </Context>

277 Chapter 6: System Administration Portal Configuration 269 Portal Configuration Global properties and preferences The SimManager environment is controlled by various configuration and properties files. The following section briefly describes the parameters and files that affect the SimManager portal and network configuration. Database property and Configuration files These configuration changes take effect at the database level when you create a database: DbConfig.properties <schema>.xml <dataclass>.xml <datastructure.xml> Startup and initialization property and configuration files These configuration changes take effect when you restart the application server. These files are read during the portal startup/initialization. SimManager.properties Portal.properties CurveDisplay.properties <objecttype>-config.xml TreeSpecification.xml <navigationtree>.xml <unitsdefinitionfile>.xml Variable property and configuration files These configuration changes take effect whenever you change a page: Velocity changes JSP files, images DataClass Icons (object type icons) Report templates <report_template>-content.xml and <report_template_name>-layout.xml

278 270 Portal Configuration Database Manager Settings Database server configuration You configure the database structure by editing XML files that define the data classes, attributes, and relationships for the database schema. These XML files are used to initialize a new database with a schema. The property, DB.schema in the DbConfig.properties file, specifies the schema for the particular portal. CAESchema is used for EnterpriseEdition portal. The schema file follows Java package-naming conventions. Enter DB.schema=com.msc.sdm.cae.CAESchema. The schema file is located in the <SMAPP_ROOT>/portals/<portal>/schema directory of each portal. The value for <portal> is EnterpriseEditionPortal for CAESchema. For more details on configuring the database, see SimManager Configuration and Deployment Guide. DbConfig.properties file The database configuration file DbConfig.properties is used to create and access the SimManager database for a particular portal. This file contains settings for both, the database and file vaults. Each portal has a DbConfig.properties file located in the <SMAPP_ROOT>/portalInstances/<portalInstance> directory.

279 Chapter 6: System Administration Portal Configuration 271 The DbConfig.properties file contains the following properties: Table 6-9 Properties in DbConfig.properties Properties Description Database settings - for examples, see Database properties, 273 DB.dbManager Specifies the database configuration specification for the database that SimManager uses. You can use any unique name as long as it matches the prefix of the actual database configuration specification (see the following). <DB.dbManager>. dbadminuser <DB.dbManager>. dbadminpassword <DB.dbManager>. dbserverhost <DB.dbManager>. dbserverport <DB.dbManager>. dbservername <DB.dbManager>. dbmanagerclassname Administrator user for the RDBMS; used for creating and deleting the other database users. Password for connecting to the RDBMS as <DB.dbManager>.dbAdminUser Network host name or IP adress of the machine hosting the RDBMS instance Network port number where the RDBMS can be reached on host <DB.dbManager>.dbServerHost RDBMS database name Database manager classname. Must match the RDBMS in use. SimManager defines three types of database managers that provide functionality for creating, deleting, and accessing the database: com.msc.sdm.db.sql.oracle. Oracle database manager com.msc.sdm.db.sql.db2. IBM DB2 database manager DB.schema Schema file of the database to be used. This file is specified as a dotted path (i.e. with a period as the path separator) relative to <SMAPP_ROOT>/portals/<portalname>/schema. DB.schemaOwner Database user that owns the RDBMS schema. SimManager creates this user as part of the normal database creation process. DB. Password for connecting to the RDBMS as DB.schemaOwner schemaownerpasswor d DB.user Database user that SimManager uses to connect to the RDBMS at normal production time. DB.password Password for connecting to the RDBMS as DB.user File vault settings - for examples, see File vault properties, 274

280 272 Portal Configuration Table 6-9 Properties DB.<vaultName>. location Properties in DbConfig.properties (continued) Description Main vault specification for SimManager remote and local file vaults. The SimManager core schema provides com.msc.sdm.sdmobject.mainvault as the default vault. If the schema for the specific portal defines any other vaults, each of them must have a corresponding entry. Note: SimManager stores file vault locations in the database when the database is created. If you change the location specified here is not referenced. If you change the location here, it will not take effect until you recreate the database or synchronize the DbConfig.properties information with the database using SimManager Classic Studio. The value of this property is a list of property=value pairs, separated by ; These nested properties are: DB.<vaultName>. debug LocalVaultHomeDir - Path to the vault s local- or networkaccessible root directory. If path does not exist, then SimManager uses the remote file vault specified by RootDir. RootDir - Root directory on the FTP server Host. Both the LocalVaultHomeDir and RootDir must be specified. If both the local and remote vault locations are accessible, the local setting takes precedence. If the local vault location is not accessible, SimManager uses remote (FTP) access using RootDir. Host - Network host name or IP adress of the machine serving the SimManager remote vault (FTP server host) Port - Network port number of the FTP server User - User name to log in to the FTP server Password - Password for the FTP user name If set to "true", DEBUG messages appear during FTP file access. Default is False, no debug messages.

281 Chapter 6: System Administration Portal Configuration 273 Note: The DbConfig.properties settings are, to some extent, dependent on the database in use: Oracle maintains all RDBMS user and password definitions in the database so both the schema owner and the database user are supported, and the respective database creation and deletion functions operate as their names imply. IBM DB2 supports separate users, but delegates authentication to the operating system. Therefore, for IBM DB2, SimManager can only assign RDBMS privileges to users. Valid users must exist before SimManager installation. DB2 limits the size of a table row to, the page size of the associated table space. For SimManager, this means that all attributes defined in a particular DataClass must fit into the table space page size, which is 4 KB by default. If your SimManager schema needs more than this, you will have to create a table space defined in your database that provides a larger page size. Also, the schema owner must have access rights to the table space. A buffer pool with a matching page size for the table space must be defined. For additional information, consult IBM DB2 documentation. Some sites restrict the RDBMS privileges. In this situation, database creation and deletion cannot be done by the install tool or SimManager Classic Studio. You can, generate SQL scripts for the individual steps and give them to the database administrator, who can run them under the identity of the admin user and the schema owner. SimManager will only use the normal database user once the creation tasks have been performed by the database administrator. Database properties The following shows an example of the property name/value pairs used by the SimManager portal: # # Database on NAEFELS # Naefels_SqlServer.dbAdminUser = sdmuser Naefels_SqlServer.dbAdminPassword = sdmuser Naefels_SqlServer.dbServerHost = naefels Naefels_SqlServer.dbServerPort = 1433 Naefels_SqlServer.dbServerName = SMDB Naefels_SqlServer.dbManagerClassName = com.msc.sdm.db.sql.sqlserver.sqlserverdatabasemanager # ###################################################### # CURRENT SETTINGS ###################################################### DB.dbManager = Naefels_SqlServer DB.schema = com.msc.sdm.aero_demo.aeroschema DB.schemaOwner = Aeroschema DB.schemaOwnerPassword = Aeroschema DB.user = Aerodemo

282 274 Portal Configuration DB.password = Aerodemo File vault properties The following is an example of properties in the DBConfig.properties file for file vaults: DB.com.msc.sdm.sdmobject.MainVault.location = LocalVaultHomeDir=\\\\ naefels\\temp\\aerodemo; RootDir=/aerodemo; Host= wichita; Port=21; User=Bob;Password=bob;Debug=false For additional information about vaults, see Vault Management, 170. The remote vault can be configured to use SFTP instead of FTP. Two additional parameters must be added to the vault definition parameter in DbConfig.properties, Protocol and Identity. Protocol valid values are "ftp", "sftp", or "file". The default is "ftp". "file" is equivalent to a local vault. Identity is the path name of a file holding the RSA keys for authentication for the SFTP server. For example: /home/vault/.ssh/id_rsa Examples: FTP vault: DB.com.msc.sdm.sdmobject.MainVault.location=Protocol=ftp;RootDir=/home/ftp/vault/aero_r8;Host= localhost;port=21;user=ftp;password=ftp SFTP vault: DB.com.msc.sdm.sdmobject.MainVault.location=Protocol=sftp;Identity=/home/web/.ssh/id_rsa;RootD ir=/home/ftp/vault/aero_r8;host=localhost;port=21;user=ftp;password=ftp Note: This syntax/feature is not supported by the Classic Studio tool. You must manually edit the DbConfig.properties file. File Movement between Client and Server File movement between a client and the SimManager server has been enhanced in R3 to utilize the optimum file movement protocol that is available; based on the vault type ("local" or "remote") that has been specified. The enhancements that have been introduced are transparent to the "end" user, and will attempt to import/export files directly to/from the file vault in order to reduce network chatter. The following table depicts the possible transfer protocols that might be used for file movement and should be taken into consideration when configuring the vault type:

283 Chapter 6: System Administration Portal Configuration 275 Protocol / Vault Type Local Vault Remote Vault NFS Initial attempt is made to directly import/export the file to/from the vault. Failure to directly access the vault will result in the file being imported/exported using HTTP/HTTPS. File movement using NFS is the most efficient, of the supported protocols. FTP / SFTP N/A Initial attempt is made to directly import/export the file to/from the vault. Failure to directly access the vault will result in the file being imported/exported using HTTP/HTTPS. N/A HTTP / HTTPS Defaults to using HTTP/HTTPS whenever direct access to the file vault using NFS is not possible. Of the supported protocols, HTTP/HTTPS is the least preferred protocol for file movement. File movement using FTP/SFTP is preferred over HTTP/HTTPS. Defaults to using HTTP/HTTPS whenever direct access to the file vault using FTP/SFTP is not possible. Of the supported protocols, HTTP/HTTPS is the least preferred protocol for file movement. Note: Direct NFS access between the client and the vault will require that the Operating System user, who is invoking the client file movement operation, be also a recognized user on the vault host. In simpler terms, the credentials of the user on the client machine must also be valid on the machine that is hosting the vault. SimManager.properties File This is the SimManager application configuration file. It contains name/value pairs for the various global properties that the SimManager application uses. The following table describes the minimum required set of properties for each SimManager installation. They are found in the SimManager.properties file in the directory (<SMAPP_ROOT>/config).

284 276 Example: SimManager.properties Several other properties that govern authentication and default global behavior and file access can be set in the SimManager.properties file. For detailed information refer to the specific topics in this installtion guide and the Administraion and Deployment Guide. Table 6-10 Properties portals.instance Properties for the SimManager installation Description The portal instance can be changed at any time by changing the entry in portal.instance. sdm.dyn.libraries This property defines the default portal invoked by the SimManager application. The name specified must match the name of the portal directory under /portalinstances. List of comma-separated, dynamically-loaded libraries, which are relative to the context root installation, <SMAPP_ROOT>/lib/... Example: SimManager.properties ######################################## # Portal Preferences ######################################## # Portal Instance to use portal.instance=enterpriseeditioninstance ############################################### # Dynamically Loaded Libraries ############################################### # List of comma separated dynamically loaded libraries, which are relative # to the web root installation <web_server_context_root>/lib/... sdm.dyn.libraries=lib/dlls/win32/lapi.dll,lib/dlls/win32/mscsdmsim.dll, lib/dlls/win32/getenv.dll Portal.properties and PortalDefinition.properties This file contains portal specific configuration information that is portal specific. It is located in <SMAPP_ROOT>/portalInstances/<portalInstance>. This file must contain the property portal.name. Properties that govern the default behavior and file access for a specific portal can be set in the Portal.properties file. For detailed information refer to the specific topics in this installation guide and the Administration and Deployment Guide. The following section describes typical portal properties that are set in the Portal.properties file. See installed <SMAPP_ROOT>/portalInstances/<portalInstance>/Portal.properties for current example.

285 Chapter 6: System Administration Example: SimManager.properties 277 Parent Portals (inheritence) You can specify a parent portal in the file <SMAPP_ROOT>/portalInstances/<portalInstance>/config/PortalDefinition.properties, for example, parent.portals=portal_1, portal_2 For Enterprise Edition, parent.portals=enterpriseeditionportal When searching for resources, such as JSP files, images, configuration files, and so on, SimManager looks in parent portals if the resource is not found in <portal>. If required file or resource is not found in the portal or parent portals the default is the "base" portal. Options menu One function of Portal.properties is to set the initial/default values for the user preferences that can be viewed and changed using the Options menu, which is available in the main menu of the SimManager interface. The user preferences/options are automatically set during installation. Any changes made to the options/preferences interactively take effect immediately, are recorded in the database, and will persist and be restored for future sessions. All property settings are associated with the current user name, except for Locale, which is a global setting for all users of the client machine. Locale for a user session is determined by the property locale of text, which is specified in the Options page of SimManager. Its value is cached on the local machine each time a user clicks Submit, or logs off SimManager; and is used for the session. Only if no value for local of text has been cached on a machine will the value specified in Portal.Properties be used. See the locale property in Table 6-11 for more information. The Locale and user name are stored in a cookie for the client browser. You can disable this feature by adding the following line in the pages/logon.jsp file. <body class="normalbody" onload="init(false)" >

286 278 Example: SimManager.properties The properties in the Portal.properties file and the associated options/preferences are described in Table Table 6-11 Properties Tree Properties in Portal.properties Description Users can change the displayed tree view by selecting a tree name from the list of available trees and clicking submit. The default tree view and the list of available tree views are defined in the Portal.properties file using the following properties: tree.default.name - Default tree displayed at system initiation tree.names - Names that appear in the drop-down list on the Options page. For each name, there must be a subdirectory under the directory <portal>/tree that contains XML files, which define the named tree. See Tree Configuration in SimManager Configuration and Deployment Guide.

287 Chapter 6: System Administration Example: SimManager.properties 279 Table 6-11 Properties Workbench Curve Properties in Portal.properties (continued) Properties (the following can be changed in Options menu): Note: Description Default level of detail for list of objects - Default view for displaying a list of objects. Valid values are Default or Detailed. Sets the listdetail property. Default level of detail for single object - Default view for displaying a single object. Sets singleobjdetail property. Valid values are Default or Detailed. Number of rows per page - Maximum number of rows to be displayed in a list within the workbench. Sets workbench.display. count property. Valid value is an integer between 1 and 100, default value is 5. Filter system/process actions - If this option is set to YES, the system and process actions on the multiple and single objects workbenches are filtered based on the user and object type. In a multiple-object workbench, only those system and process actions that are valid for all the rows appear. If the value is NO, there is no filtering and all the actions for the object type appearing in the single and multiple objects workbench. In this case, it is possible that a particular system/process action is not valid for one or more of the displayed rows. When the user selects the invalid action, an error message appears. This property can only be set interactively. The default value is NO. Maximum number of rows for Action Filter Controls when the list of process actions must be filtered, based on user privileges. For example, if this property is set to 2, and the number of rows displayed in the Workbench is more than 2, then the list of process actions are not filtered. If the number of process actions is very large, you should set this property to 0 to completely turn off filtering and improve the performance of the workbench display. Properties (the following can be changed in Options menu): Line width - Width of lines in a plot. The default value is 1.0. This does not affect the line width of the thumbnail image. Thumbnail size - Height and width of the image. Sets the curve. thumbnail.size property. Valid value is an integer (number of pixels). Default value is 100. Cannot be set in the Options menu. Image size - Height and width of the curve image plot frame. Sets curve.image.size property. Valid value is integer (number of pixels). Default value is 500.

288 280 Example: SimManager.properties Table 6-11 Properties Units Properties in Portal.properties (continued) Description Properties (the following can be changed in Options menu): Users can change the current units system by selecting a unit system name from the list of available unit systems and clicking Submit. The default unit system and the list of available unit systems are defined in the Portal.properties file using the following properties: Locale units.default.system - Optional. If specified, the value must be a valid unit system name as listed in the specified units.definition.file. If the property is not set, the default value is the first units system name listed in the specified units.definition.file. units.definition.file - Can be set to a portal-specific units definition file. The default setting for the units.definition.file property is UnitsModule. See Defining Units, 281. Properties (the following can be changed in Options menu): Users can change the current locale of text by selecting a language from the list of available languages and clicking Submit. The list of available languages is defined in the Portal.properties file using the supportedtextlocales property. The default setting for the supportedtextlocales property is zh:cn,en:us,fr:fr,de:de. Valid values are I18N language codes. csae mechanism simmgr.url Note: When the Locale is changed, the Web browser must have the corresponding language support to display the text. The user may be prompted to download and install the appropriate language pack when the Web browser attempts to display the text. The user can perform the installation at this time. This property defines how CSAE executes ActionRunner. Valid entries include: WebStart - CSAE executes ActionRunner using Java WebStart. WebStart downloads and installs ActionRunner as required. Applet - CSAE executes ActionRunner using a Java applet embedded within the Web page. To use, the applet ActionRunner must already be installed on the client system. This property defines the URL that ActionRunner will use to connect to SimManager. It must be the same URL by which users log in to SimManager.

289 Chapter 6: System Administration Example: SimManager.properties 281 Table 6-11 Properties Active Domains SimXpert. cmd Properties in Portal.properties (continued) Description Properties (the following can be changed in Options menu): This property controls which property domains are visible to a user. When the system starts, all domains defined in the system are active. A domain can then be inactivated by using the options menu. Only the process actions that belong to the Active Domains will be visible to the user. This property defines the command to run the SimXpert application with the default queuing system. Default: simxpert32 AM queue: simxpert32 LSF queue: <full_path_to_simxpert_install_on_client>/simxpert32.[b at,sh] Local execution: <full_path_to_simxpert_install_on_host>/simxpert32.[bat,sh] Generic: If the user desires to run another script other than simxpert, that script can be entered in this property SimXpert. args Action performed: Command is sent through queuing system (if non-local) and executes a simxpert "bat" or "sh" file (if non-generic) on client machine. This property defines the arguments sent with the SimXpert.cmd to the queuing system. Current default: "-gray" Action Performed: Run command in background with no GUI displayed. Defining Units A units definition file defines the unit systems and conversion factors that are available for a specific portal. A default unit definitions file is provided. No actions or modifications are required to use the default unit definitions file. If a custom units definition file is required the file must be an XML file that conforms to the DTD file in: <SMAPP_ROOT>/portals/Base/schema/com/msc/sdm/units/UnitsModule.d td.

290 282 Example: SimManager.properties You specify the units file to be used with a portal in <SMAPP_ROOT>/portalInstances/ <portalinstance>/portal.properties using the property name units.definition.file. Note: The units definition file name is specified in the units.definition.file property without an extension. If the units definition file is not specified for a portal, that is, if it is not found in the directory <SMAPP_ROOT>/portals/<portal>/config, then the default <SMAPP_ROOT>/portals/ Base/config/UnitsModule.xml file is used. When you add a units definition file in.../portals/<portal>/config, you must specify the appropriate relative path to the UnitsModule.dtd file, for example,.../.../base/schema/ com/msc/sdm/units/unitsmodule.dtd. The names of the UnitsFamily, QuanityType, UnitSystem, and Unit must be unique within the units definition file. This file is not stored in the database. The units definition file is read during system startup and a units repository is created and stored. Any change made to the file requires a restart of the Web application to reflect the change. The required elements of a SimManager units definition file are shown in the table below.

291 Chapter 6: System Administration Example: SimManager.properties 283 From an example of a units defintion file see <SMAPP_ROOT>/portals/Base/config/UnitsModule.xml. Table 6-12 Attribute UnitsFamily Units definition file components Description Container of units that can be used for measurements. A UnitsFamily has a unique name. Within each UnitsFamily is a single unit identified as the SI unit. The SI unit is the base SI unit for this family (for example, m, N, Pa, C). The UnitsFamily specifies the exponent for each fundamental quantity in the SI unit system. The base SI unit must be the standard SI unit associated with the exponents for core SI units. The core SI units are those associated with a single exponent of value=1. The core SI units are: length - meter mass - kilogram time - second electrical current - ampere temperature - Kelvin luminous intensity - candela molecular structure - mole The base SI unit associated with exponent length = 1, mass = 1, and time = -2, is thus kg*m/s^2 (aka Newton (N)). Therefore, the base SI unit for those exponents must be Newton. QuantityType Unit The exponents of the core SI units are used in determining the type of unit when multiplying two measurements. This is accomplished by converting each of the quantities to their SI BaseUnit, multiplying them, summing the exponents, finding the appropriate base SI unit, and converting to Unit in UnitSystem (if specified). A QuantityType represents a specific type of measurement that can be made. A QuantityType has a unique name (for example, Length, Modulus, Strength) and the specification of the UnitsFamily that contains applicable units. Within a UnitSystem, a Unit is specific for each QuantityType. There can be one or more QuantityType elements for each UnitsFamily. A Unit has a unique name in the context of a UnitsFamily that defines the conversion of a measurement in the Unit to a value of another Unit in the same UnitsFamily. A Unit element must have a defined SI conversion to the base SI unit in the UnitsFamily.

292 284 Example: SimManager.properties A unit definition file defines: For each UnitsFamily, the name, siunitname, and the conversion factor to be used when converting a specific value from one unit system to a different unit system. Each UnitsSystem for the portal (for example, SI_CONSISTENT). For each UnitsSystem, all the valid quantitytype elements, with the corresponding units. For each quantitytype, the UnitsFamily to which it belongs. Logging The default SimManager log file is <SMAPP_ROOT>/portals/Base/config/log4j.xml. You can add a portal-specific file <SMAPP_ROOT>/portals/<portal>/config/log4j.xml in which you can specify the level of logging for your portal as DEBUG, INFO, WARN, ERROR, or FATAL. This file is read during system startup; any change to the file does not require a restart of the Web server because Log4J checks for updates at regular intervals. Log4j can be configured with one or more output mechanisms known as appenders. Each appender sends the log data in a specific format to an output device. This can be a file, console, Swing window, etc. Each appender is configured to work with the type of output and the device that the data is written to. The following appenders are a subset of the appenders available. Search the web for more appenders as there are numerous appenders available and new ones being developed all the time. <appender name="rolling_file" class="org.apache.log4j.rollingfileappender"> <param name="threshold" value="info"/> <param name="file" value="c:/event.log"/> <param name="append" value="true"/> <param name="maxfilesize" value="500kb"/> <param name="maxbackupindex" value="1"/> <layout class="org.apache.log4j.patternlayout"> <param name="conversionpattern" value="%d %-5p [%c] %m%n"/> </layout> </appender> <!-- Mail Appender --> <appender name="smtp" class="org.apache.log4j.net.smtpappender"> <param name="threshold" value="fatal"/> <param name="to" value=""/> <param name="from" value=""/> <param name="subject" value="one Fatal Error"/> <param name="smtphost" value=""/> <param name="buffersize" value="10"/> <layout class="org.apache.log4j.patternlayout"> <param name="conversionpattern" value="[%d{absolute},%c{1}] %m%n"/> </layout> </appender> <!-- JDBC --> <appender name="jdbc" class="org.apache.log4j.jdbc.jdbcappender"> <param name="threshold" value="error"/>

293 Chapter 6: System Administration Example: SimManager.properties 285 <param name="driver" value="com.sybase.jdbc2.jdbc.sybdriver"/> <param name="url" value="jdbc:sybase:tds: :2638/summit"/> <param name="user" value="dba"/> <param name="password" value="sql"/> <layout class="org.apache.log4j.patternlayout"> <param name="conversionpattern" value="insert INTO ErrorLog (ErrorMessage) VALUES ('%d - %c - %p - %m')"/> </layout> </appender> <appender name="console" class="org.apache.log4j.consoleappender"> <param name="target" value="system.out"/> <param name="threshold" value="info"/> <layout class="org.apache.log4j.patternlayout"> The default pattern: Date Priority [Category] Message\n <param name="conversionpattern" value="%d{absolute} %-5p [%c{1}] %m%n"/> </layout> </appender> <appender name="file" class="org.apache.log4j.fileappender"> <param name="append" value="false"/> <param name="file" value="/log/jsr77.log"/> <layout class="org.apache.log4j.patternlayout"> <param name="conversionpattern" value="%d{absolute} %-5p [%c{1}] %m%n"/> </layout> </appender> <!-- Buffer events and log them asynchronously --> <appender name="async" class="org.apache.log4j.asyncappender"> <appender-ref ref="rolling_file"/> <appender-ref ref="smtp"/> <appender-ref ref="jdbc"/> <appender-ref ref="file"/> </appender> Some parameters are obvious to configure. Others, like the ConversionPattern requires more information as to the format specification. Navigate to the following URL as it provides details on the ConversionPattern format and possibly other patterns in the log4j parameter specification. Specifying Mime-type Mapping The <SMAPP_ROOT>/Base/config/MimeTypeMappings.properties file specifies a file extension and the corresponding mime type to use for that extension. For example: txt = text/plain. You can specify the file extensions in lowercase only; the file extension txt handles txt, TXT, Txt, and any other case combinations. Image and video files are identified using this properties file as well. For an image file, the mapping must begin with an image. For example: jpg = image/jpeg. For video files, the mime-type mapping must begin with video. For example: mpg = video/mpeg.

294 286 Example: SimManager.properties The mime-type mappings file is referenced for the mapping based on the file extension during a file import. It is also used to validate the image and video data types. Therefore, any change made to the file will be reflected during the next file import operation. This file is common to all portals. There is no specific mime-type mappings file for individual portals. Note: If a specific application is mapped to a file extension/mime type on the user s computer, then that application is used to open the file with that extension/mime type when the user clicks on the link.

295 Chapter 6: System Administration Lifecycle Management and System Actions 287 Lifecycle Management and System Actions Security Labels and Attributes Security Enhancements for SimManager Introduction SimManager in its base configuration employs access control based on a model of user roles on one hand and object project/domain/release level on the other hand. Roles are identified by looking at user entitlements or user profile entitlements. The user identity and userprofile is looked up dynamically during login, usually from an LDAP source. There are use cases where this is not enough. On the user side there is sometimes a requirement to track additional properties, in addition to the user name and profile, and on the object side there is sometimes a requirement for additional protection, in addition to project, domain, and release level. Therefore the concepts of Security Labels and User Attributes are used in SimManager. Figure 6-27 The Security Label data model Security Labels are attributes that can be assigned to objects in order to protect them. They work like locks. Only a user that possesses the keys for all the locks on an object is allowed to access the object. User Attributes are additional properties of the user, determined by the login mechanism. Among them are the security labels in the users possession (the keys to unlock objects), There can also be additional user attributes depending on a site's particular requirements. The additional user attributes must be string name/value pairs.

296 288 Lifecycle Management and System Actions Data Model Definition Security Label protection of data classes is declared in the data class definition files using the <AccessControl> element. Table 6-13 Access control attributes for a data class Attribute ownerattribute releasestateattribute securitylabelprotection protectbysecuritylabels Description the name of a one-reference pointing to the owner of the object; optional. the name of a one-reference pointing to the release state; optional; cannot be redefined. the name of a many-reference pointing to the security labels data class; optional; cannot be redefined. a boolean; if set to false, security label protection is turned off for this data class as well as subclasses. The default is "true". Portal developers generally will not have to worry about security settings of data classes since the settings are inherited from base classes. The definitions in the core schema supplying the base classes should be adequate for all cases. Authentication Process Security labels available to the user as well as the other user attributes are assigned during the authentication process. They persist throughout the session. Like the user profile assignment, these properties are not persisted in the database and are dynamicly set (read) at login. The user attributes are supplied by a method in the LoginManager plugin class: /** * Retrieves security attribute based on the user name * username the user name user security attributes */ public UserAttributes getsecurityattributes(string username); where the UserAttributes class is defined like this: /** * A VO compliant container for user attributes */ public class UserAttributes implements Serializable { /** * Getter for security labels array * the activesecuritylabels. */ public String[] getactivesecuritylabels() { return activesecuritylabels;

297 Chapter 6: System Administration Lifecycle Management and System Actions 289 } /** * Getter for inactive security labels * the inactivesecuritylabels. */ public String[] getinactivesecuritylabels() { return inactivesecuritylabels; } /** * Getter for session properties * the sessionproperties. */ public NameValue[] getsessionproperties() { return sessionproperties; } /** * Retrives property by name. Returns <code>null</code> if not set * propertyname the name of the property the value of the property */ public String getsessionproperty(string propertyname) {... }... } /** * Getter for user name * the username. */ public String getusername() { return username; } /** * Getter for user profile name * the userprofilename. */ public String getuserprofilename() { return userprofilename; } Note: username and userprofilename, while part of the UserAttributes structure, do not need to be initialized by the getsecurityattributes() call; they will be initialized by the framework.

298 290 Lifecycle Management and System Actions There are two sets of security labels in the UserAttributes: active and inactive ones. Active labels can be assigned to objects via the public API or AE scripts. Inactive security labels cannot be assigned to objects but are available to grant access to existing, historic objects. Sample Authentication Manager Support for Security Labels The XmlFileAuthenticationManagerImpl class can supply security labels and session properties as well. The following is example input for the UserPasswords.xml file. Figure 6-28 Sample UserPasswords.xml Public API Security Label Support General User attributes are available in the public API for informational purposes, e.g. to derive specific AE behavior if a particular user attribute is present or not present. The public API also allows assignment and modification of Security Labels on objects. Accessing User Attributes in the Public API The UserAttributes bean is exposed externally using the SimMgrUserAttributes interface /** * Interface describing the user attributes specific to the current session * */ public interface SimMgrUserAttributes { /** * Retrieves active security labels * an array of labels */ SimMgrStringArray getactivesecuritylabels(); /** * Retrieves the inactive security labels * an array of labels */

299 Chapter 6: System Administration Lifecycle Management and System Actions 291 SimMgrStringArray getinactivesecuritylabels(); /** * Retrieves all user properties associated with the current session * a list of properties (named values) */ SimMgrNamedValueList getsessionproperties(); } The SimMgrUserAttributes object can be accessed directly from an established SimMgrConnection: /** * Retrieves the existing user attributes associated with this connection * user attributes SimMgrException if the user attributes cannot be retrieved */ SimMgrUserAttributes getuserattributes() throws SimMgrException; Assigning and Changing Security Labels on an Object in the Public API To manage security label assignments of an object, retrieve a SimMgrSecurityLabelsEditor from the respective SimMgrDbObjectEditor, using this method: /** * Get an editor for the associated security labels * the security labels editor SimMgrException on failure */ public SimMgrSecurityLabelsEditor getsecuritylabelseditor() throws SimMgrException; The security labels editor provides methods to add and remove security labels. Note that you can only assign security labels that are "in your possession", i.e. are present in the set of active security labels of the current UserAttributes. AE Security Label Support User attributes are available at the AE script level as well, with similar abilities as in the public API. Accessing User Attributes in AE scripts In the AE environment user attributes are available as predefined ANT properties as shown in the table below.

300 292 Lifecycle Management and System Actions Table 6-14 User attributes available as ANT properties in AE scripts. ANT Property userattributes.activesecuri tylabels userattributes.inactivesecu ritylabels userattributes.properties.< propertyname> Description comma separated list of active security labels in the possession of the current user; these can be used by the AE script to assign to or modify data objects comma separated list of inactive security labels in the possession of the current user value of <propertyname>; there is an ANT property for every user defined property from the UserAttributes structure. Assigning and Changing Security Labels on an Object in AE Scripts The <securitylabel> element is used for assigning and modifying security labels in an AE script. This element can be used within <smcreate> and <smsetattr> tasks to create or modify the security labels of the object. The <securitylabel> usage is described in the following table: Table 6-15 Modifying security labels in an AE script. Element Example <securitylabel add="mylabel" /> <securitylabel remove="otherlabel" /> <securitylabel add="mylabel" remove="otherlabel" /> <securitylabel define="labela,labelb,label C" /> Description adds security label "mylabel" to the object removes security label "otherlabel" from the object a single add and remove can be combined like this replaces the current security labels of the object with the given labels; the labels are specified as a comma separated list

301 Chapter 6: System Administration Lifecycle Management and System Actions 293 Object Life-cycle Management An object in SimManager passes through several stages during its life cycle. Initially, an object gets instantiated as an empty container when the creator process launches. When the process finishes, the object is complete, and all attributes have been given a value. Still, for many objects, this only means that they are ready for review and test by the engineer who must verify that the computation that created the object is accurate and that the result is valid. At this stage, there is usually some inspection of selected properties, curves, images, and comparison with similar results. If the object fails verification, it is deleted, and its life cycle ends. If it passes, it is promoted to a higher release state to indicate that it was validated. In most cases, promotion to a higher release state also makes the object visible to a larger audience, such as the project group. At a later time, selected objects may be promoted again to higher release levels, which makes them visible to an even broader audience, such as the whole simulation department, or all of engineering.these life-cycle changes are restricted to certain roles. Each company has its own policy, or several possible policies, on what actions should be taken at a given life-cycle event. There are also rules governing which objects are changed together in one operation to keep data in a coherent state. For example, when a report is released, it usually makes sense to also release the objects contained in that report. In other cases, you may want to trigger automatic processing steps at certain life-cycle changes, such as publishing to other enterprise information systems. The life-cycle management subsystem addresses these needs. It provides methods for configuring rules that define which objects should be treated together as a single batch, which prerequisites must be met, and what processes will be triggered. Permissions for life cycle actions are configured in the same way as other permissions, via the assigned role of the current user or profile. The standard SimManager portal is pre-configured with the default rules described in Execution Privilege, 307. No actions or modifications are required to use the default life-cycle policies. Actions SimManager supports the following life-cycle actions: Promote Release objects to a higher state The promote action may make data visible (available) to other users and/or processes. Demote Un-release objects to a lower state The demote action should be used with caution; it will undo the publishing of an object. Users may already have seen the object at the higher release state and may have used the data. It is likely that these users will not notice when the release is undone and the visibility revoked. SimManager endorses the publishing notion; found in news and systems, that A message that has been sent out cannot be unsent. All that can be done is to post a notice alerting users that the original posting has been revoked and the data should not be used. Delete Discard objects, removing them from SimManager The delete action should be used with extreme caution. An object once deleted cannot be retrieved.

302 294 Lifecycle Management and System Actions Chown - change the ownership of objects Working Set Life cycle actions are usually performed on a set of related objects. This set is called the working set of the life-cycle process. Life-cycle Process Internally, life cycle actions are services provided by the SimManager kernel. They can be called via thepublic API from a custom action script or client, and the out of the box actions (see below) use this mechanism as well. Therefore life cycle actions are always associated with a calling process. Life cycle executions 1 run as "deferred operations" within the process, i.e. they are executed only when the calling process finishes. Life Cycle History All life cycle actions with the exception of "delete" will automatically create a LifeCycleHistory object for tracking purposes. The history object stores details about the action and provides links to the objects in the working set, i.e. the modified objects. Out of the Box Life Cycle Actions For each life cycle action, an out of the box action (script) is provided. It shows up under "process actions" for the data objects, and lets you execute the life cycle operation on the selected objects. Internally these are just regular SimManager actions that call the corresponding life cycle action via the public API with suitable default parameters. For delete, there are two versions of the action, one called "Delete" and one called "Delete All Dependents". The former one deletes the selected objects and fails if any dependent objects should exist. The latter deletes the selected objects and also deletes dependent objects if there are any. Since these are all process actions, they can only be applied to data objects not process objects. This is usually not a problem because process objects will be modified indirectly due to life cycle rules of data objects. For deletion, however, there is also a system action called "discard" available on process objects. The discard system action on a process is conceptually the same as delete on a data object. A variant of the discard action is "Discard & Run New". It first deletes the existing process and outputs, and then launches the action again with new user input. Availability of Life Cycle Actions The following sections describe the conditions under which each system action is valid. The conditions have been specified separately for a process and an SDMObject. 1 That is, the "execute" calls run as deferred; the corresponding "check" calls don't modify data and therefore run immediate

303 Chapter 6: System Administration Lifecycle Management and System Actions 295 Process actions have AE scripts associated with them. System actions do not have any external scripts associated with them, but each has a unique behavior associated with it. The visible impact of any system action on the workbench (single or multiple) is based on the conditions stated in the following table and the Filter System/Process Actions option in the Options menu. If the option is set to Yes, then in a multiple objects workbench, only those system actions that are valid for all the rows in the workbench appear. If you know that a specific system action is valid for a particular row but do not see it in the multipleobjects workbench, it may be because that action is not valid for some other row. If you view the row for which it is valid, you will see the desired system action (in the single-object workbench of that row). Table 6-16 System action For any process: Terminate Discard System and Process Actions Condition A process can be killed or terminated only if its status is not Done or Failed. A process can be discarded only if all the following conditions are satisfied: Release/Promote Demote Continue Its status is Done, Failed, or Saved User or user profile has delete permission A process can be released or promoted only if all the following conditions are satisfied: Its status is Done User or user profile has release permission A process can be demoted only if all the following conditions are satisfied: It has been released at least once (release level is > 0) The user or user profile has demote permission Continue can be performed only if all the following conditions are satisfied: The current user is the owner of the process The process status is Saved or WaitingInput The process is not released

304 296 Lifecycle Management and System Actions Table 6-16 System action Run Variant System and Process Actions (continued) Condition Run Variant can be performed only if all the following conditions are satisfied: Discard & Run New For any SDMObject: Delete Promote Demote The process is not released User or user profile has execute permission The isrerunnable attribute in the AE script is true Discard & Run New can be performed only if the conditions for both, Discard and Run Variant, as stated above, are satisfied: Its status is Done, Failed, or Saved The process is not released User or user profile has delete and execute permission The isrerunnable attribute in the AE script is true An SDMObject can be deleted only if all the following conditions are satisfied: The creator process is Done, Failed, or Saved The user or user profile has delete permission An SDMObject can be promoted only if all the following conditions are satisfied: The creator process is Done User or user profile has release permission An SDMObject can be demoted only if all the following conditions are satisfied: The SDMObject has been released at least once (release level > 0) User or user profile has demote permission Configuring Life Cycle Behavior Life-cycle Rules The behavior of life cycle actions is determined by rules that can be configured in the system. There are two classes of rules: policies and restrictions.

305 Chapter 6: System Administration Lifecycle Management and System Actions 297 Policies A policy is essentially a container that aggregates policy rules. There are two kinds of policy rules: Policy concerns - Express which objects must be included in the working set and which preconditions must be met. Policy triggers - Define external processes that need to be launched. Different versions of a policy can be configured for different release levels, e.g. for the first promote from level 0 to 1 you may want to apply other rules than for promoting from 1 to 2. Furthermore, Policies have names, so you can define different policies for the user to choose from. Restrictions Restrictions are simple, non-compound rules, similar to policy concerns. In contrast to the latter, restrictions are always enforced and are always the same, regardless of policy and release level. Restrictions can be complemented by triggers, which contain external processing steps to be started regardless of policy or release level. Restrictions capture low-level requirements that must be obeyed under all circumstances. The primary purpose of restrictions is to maintain data integrity, i.e. to include attachments in the working set when the main object gets included, and delete process objects when all of the outputs are deleted. Mandatory versus Optional rules Restrictions, as the name implies, are always enforced. The triggers complementing them are always executed. No exception is possible, regardless of which policy was selected.. Policy rules, however, can be either: Enforced (mandatory) - Policy rules must always be satisfied. They are similar to restrictions, but only take effect within a policy. Optional policy rule - The system tries to satisfy the rules by including the required objects into the working set, but if some objects cannot be included for any reason, the system will silently skip them. It is possible that the same target object gets considered for inclusion several times as the effect of evaluating several rules. Specifying the Life-cycle Configuration Life-cycle configuration uses the same mechanism as view configuration. Rules are specified and inherited by object type, and the settings reside in: portal/typeconfig/objecttype-config.xml where: portal - Portal name. The configuration for the core types is in portals/base/typeconfig. objecttype - Name of the object type

306 298 Example: The life-cycle configuration settings are enclosed in a <lifecycle>...</lifecycle> pair. Policy configuration <LifeCyclePolicy> A life-cycle policy is defined by the LifeCyclePolicy element. The LifeCyclePolicy element has the following attributes: Attribute name action title level subtags Description Name of the policy must be unique within the object type, for the given action and release levels. Life-cycle action to which the policy applies Descriptive string Comma-separated list of numerical release levels indicating the release levels for which the policy is valid. Ranges of consecutive numbers can be abbreviated with an ellipsis notation. For example, 1,2,3,4 is equivalent to 1..4 Life-cycle policy element can have the child elements Description, PolicyConcern, and PolicyTrigger. Example: <LifeCyclePolicy> name="unique-name" action="delete promote demote" title="title-string" level="release-levels" <!-- subtags go here --> </LifeCyclePolicy> <PolicyConcern> The Description element is used to attach a multi-line description to a policy. The PolicyConcern element expresses a rule to extend the life-cycle action to related objects, or to check that the related objects pre-exist in a consistent state.

307 Chapter 6: System Administration Example: 299 The PolicyConcern element has the following attributes: Attribute target propagation type Description Name of a relationship (ONE_REFERENCE, MANY_REFERENCE) of the current object. The system evaluates the relationship and takes the result set for checking the state, (propagation=require), or enlarging the working set, (propagation=cascade). Valid values, cascade or require: Using cascade means the life-cycle action will be extended to the objects matched by the target expression, i.e. the referenced objects will be included in the working set. Using require indicates the requirement that the matched objects must pre-exist in a compatible state. What is compatible depends on the life-cycle action type. For a promote, the objects must already have been promoted before. For a demote, the objects must pre-exist in the demoted state. For a delete, the objects must have been deleted before. For any action type, if the objects in question are included in the working set anyway, perhaps as a consequence of other life-cycle rules, the requirement is also met. Valid values, enforced or optional: Example: <PolicyConcern type="enforced optional" propagation="cascade require" target="anchored-expression"/> <PolicyTrigger> If enforced, the rule must always be satisfied; it is a mandatory rule. If optional, an object matched by the rule can be skipped if other reasons prevent it from being included (contradicting rules, no permission for the action, and so on). The PolicyTrigger element specifies additional actions that are to be triggered when the life-cycle action executes.

308 300 Example: The PolicyTrigger element has the following attributes: Attribute target launch trigger Description Relationship name. The trigger acts on the objects that are matched by this relationship, possibly modified by target - set. Valid values of before and after: If before, the trigger runs before the life-cycle action changes the object. If after, it runs after the action. A trigger name that must be defined with RegisterTrigger. See Trigger definition, 302. Example: <PolicyTrigger trigger="trigger-ref" launch="before after" target="anchored-expression"/> Restriction configuration <LifeCycleRestriction> A restriction is defined by the LifeCycleRestriction element: The LifeCycleRestriction element has the following attributes: Attribute action relationship Description Life-cycle action to which the rule applies, promote, demote, delete, or chown Name of a relationship of the current object type. The life-cycle action either checks the state of objects related, if propagation="require" was specified, or it extends the life-cycle action to the related objects (propagation="cascade").

309 Chapter 6: System Administration Example: 301 propagation condition Valid values of cascade or require: A propagation of cascade means the life-cycle action is extended to the related objects, i.e. the referenced objects are included in the working set. Using require indicates the requirement that the related objects must pre-exist in a compatible state. What exactly compatible means depends on the life-cycle action type. For a promote, the objects must already have been promoted before. For a demote, the objects must pre-exist in the demoted state. For a delete, the objects must have been deleted before. For any action type, if the objects in question are included in the working set anyway, for example as a consequence of other life-cycle rules, the requirement is met as well. Valid values of always or if-all: If always, the rule is evaluated unconditionally. If if-all, the rule only takes effect if all related objects of the related object are either included in the life-cycle action, or pre-exist in a compatible state. The if - all setting is useful for cascading on last reference. For example, consider the creator relationship of the SDMObject class, which points to the creating process object. The inverse is the outputs relationship of the process class. When you delete an SDMObject you want to traverse the creator relationship and check the creator process. You want to delete the creator process when all its outputs (SDMObjects) have been deleted. To achieve this, you specify a restriction on the creator relationship, which cascades with an if-all condition. This life-cycle rule traverses the creator relationship to find the process, and traverse back the outputs relationship to find all output objects of the process. If, and only if, all objects found at the end of the back-traversal have either been deleted or are included in the current delete action, then it cascades to or includes the creator process. Example: <LifeCycleRestriction action="delete promote demote" relationship="relationship-name" propagation="cascade require" condition="always if-all"/>

310 302 Example: Trigger configuration <LifeCycleTrigger> A LifeCycleTrigger element takes unconditional action on the objects that are changed. This is in contrast to the PolicyTrigger, which only acts on related objects that an expression specifies. The LifeCycleTrigger element has the following attributes: Attribute: action trigger launch Description: Life-cycle action to which the trigger is applied Trigger name that must have been defined by RegisterTrigger. See Trigger definition, 302 Valid values of before or after: Example: <LifeCycleTrigger trigger="trigger-ref" action="delete promote demote" launch="before after"/> If before, the trigger runs just before the life-cycle action changes the object. If after, it runs after the action. Trigger definition The PolicyTrigger and LifeCycleTrigger elements reference trigger definitions. You must specify trigger definitions separately in the lifecycle configuration section of the typeconfig file, with the following attributes: Attribute name implementation Description Unique name for the trigger which is used to reference it from a LifeCycleTrigger or PolicyTrigger element Qualified name (including package prefix) of a Java class that implements the trigger behavior. This class must implement the trigger interface. No implementations of the trigger interface are bundled with SimManager. Example: <RegisterTrigger name="unique-name" implementation="java-classname"/>

311 Chapter 6: System Administration Trigger interface: 303 The trigger interface follows. Trigger interface: /* * This code is part of MSC.SimManager * * (c) 2003,2004 MSC.Software. All rights reserved. */ package com.msc.sdm.lifecycle; import java.util.set; import com.msc.sdm.config.triggerdefinition; import com.msc.sdm.exception.sdmexception; /** * A trigger can be executed by a lifecycle action when some * object is being changed by a lifecycle action. * Georg-W. Koltermann, MSC.Software */ public interface Trigger { /** * Set the trigger definition. * def the policytrigger definition */ void settriggerdefinition(triggerdefinition def); /** * Return the trigger definition * the trigger definition */ TriggerDefinition gettriggerdefinition(); /** * Excecute the trigger. * * <P> * * This method is called either before or after the lifecycle action, * depending on the configuration. * actiontype the lifecycle action type * triggerinstances the Set<InstanceHandle> * containing the database objects that caused the trigger to fire * SdmException An SdmException is thrown on error. */ void launch(string actiontype, Set triggerinstances) throws SdmException; /** * Check method. * * <P> * * This method is called during the lifecycle check phase. * It can return a set of instances that cannot be * modified by the lifecycle action. These instances may * then cause a VETO, or be skipped in the lifecycle process. *

312 304 Trigger interface: } * </P><P> * * The instances returned must be a subset of the instances * passed in as <code>triggerinstances</code> * actiontype the lifecycle action * triggerinstances the Set<InstanceHandle> * containing the database objects that caused the trigger to fire * a set of instances that should not be changed, * or <code>null</code> for none * SdmException An SdmException is thrown on error. */ Set check(string actiontype, Set triggerinstances) throws SdmException; Configuration scope Object types form a hierarchy where subtypes inherit the properties of their base types. Within an object type, all life-cycle definitions of any base type are automatically available. Life cycle restrictions, life-cycle triggers and trigger definitions, can only be accumulated by inheritance. There is no way to "un"define or redefine a rule or trigger that was inherited. It is important to remember that these rules are meant to protect data integrity, so allowing an "un"definition or redefinition of such a rule could bears the risk of jeopardizing data integrity and hence it is disallowed. In contrast, policy definitions can be accumulated, as well as modified in the inheritance hierarchy. They are kept in an inventory keyed on action, policy name, and release level. If a derived object type contains a policy definition with the same action, policy name, and release level as a base type, the definition from the base type is overridden (replaced) for this type. If any of the three key elements are different, the settings accumulate. For example, consider a base type with a definition of the policy name, Default, for action delete, at release levels 1 through 5. If a derived type contains a definition of the name Default for action delete at release levels 2 and 3, then, in the derived type, the inherited definition is used for levels 1, 4, and 5, but the local definition is used for levels 2 and 3. Ability to Change the Ownership of SimManager Objects The SimManager system separately tracks which user is the creator and which user is the owner of data objects and process objects. The creating user is a static property; it is assigned upon object creation and treated as read-only. The creating user has no effect on object behavior, that is, it is not taken into account when your permissions on an object are assigned. The owning user is initially the same as the creating user, but can be changed later using the "chown" life cycle action 1. The owning user is taken into account for permission determination. You often have more permissions on objects that you own than on foreign objects. 1 The "chown" operation is named after the Unix command to change ownership of files and directories.

313 Chapter 6: System Administration Trigger interface: 305 Handling Referential Integrity Problems When deleting objects, SimManager has two ways of avoiding referential integrity problems among the deleted objects: a. Clear the reference before the delete, b. Pick the proper deleting order so that an object that has a reference is deleted prior to the one that it references. The SimManager system uses: a) for all non-key references. For references that are part of a key (<Key> tag), the system uses b) because the database does not allow clearing of a field which is part of a key. So references which are not part of a key are handled automatically. For references that are part of a key, the user needs to make the life cycle engine aware of dependencies. The implementor must create a life cycle rule for these to either cascade or require the dependency. For example: Example Reference; Requirement. svjp --> Perform. durabilityrequirements relationship, create Perform-typeconfig. xml <?xml version="1.0" encoding="utf-8"?> <type con fig> <lifecycle> <LifeCycleRestriction action="delete" propagation="require" relationship="durabilityrequirements" /> </lifecycle> </typeconfig> For a similar reference Requirement. svjp --> Perform.fatigueRequirements add an entry <LifeCycleRestriction action="delete" propagation="require" relationship=" fatiguerequirements" /> For every inverse relationship resulting from a ONE_REFERENCE that is part of a key, add a life cycle restriction at the target class (where the ONE_REFERENCE points to). This will have two effects: 1. You will get a regular life cycle error message in case you somehow arrive at a set of objects that does not include the referencing object during a delete. This will be a little more descriptive than the "some integrity rule violated" message. 2. If all is fine, the life cycle engine will know about the dependency and pick the proper delete order so you don't run into the integrity problem.

314 306 Trigger interface: Clearing References on Delete Sometimes you may want to break linkages between objects when one of them is deleted. This kind of relationship behavior is called a "weak reference". MANY_REFERENCEs are treated as weak references by default. When you delete an object on one end, the linkage to the other end is removed. If you want different behavior, you need to write a life cycle rule for the relationship, specifying either require or cascade. ONE_REFERENCEs are treated as weak references in one direction, from the defining end, i.e. if you delete the object that holds the reference, the reference is silently removed, but if you delete the object that is referenced, you get an error (integrity violation). You can write a life cycle rule for a ONE_REFERENCE if you want cascading (also delete the other object) or if you want a nice error message (saying the other object needs to be deleted before). However, life cycle rules can not turn the strong relationship into a weak one. If you want to have weak behavior for a ONE_REFERENCE in both directions, you need to declare that at the schema level, within the DataClass XML file. Action Permission Checking What Permission Checks Are Performed For Launching An Action? Parameters An action is actually a Procedure (actually ProcedureRevision) object. It doesn't contain the relevant bits for permission checking in its data model, but rather these parameters are contained within the XML, as part of the <smdefine> tag. There are domain context and project context of the action. Domain An action is associated with a domain context. The domain is either specified directly, in the domain= parameter of < smde fine>, or it is specified indirectly by setting the domain= parameter to the string "frominput". In the latter case there is an additional domainparameter= parameter on the <smde fine> tag. The additional parameter gives the name of a process input parameter which must be a ONE_REFERENCE. The domain of the object that is finally selected for this ONE_REFERENCE process input parameter will then determine the domain context of the action. Project There is a hidden process parameter named project. It is initialized by the project of the process input parameter that was used to launch the action (in the case when you launch the action after first selecting a data object in the web UI). It can be changed by the process input wizard. The final value of the project parameter, after any possible change in the wizard, determines the project context of the action.

315 Chapter 6: System Administration Trigger interface: 307 Permission Checks Basic Execute Permission The system checks whether the user or profile has "EXECUTE" permission in the context of the project and domain. See above for how the project and domain context is determined. Additional Permission Checks Individual process input parameters of type ONE_REFERENCE or list can have an additional permission check applied. This is done by giving the permission= parameter on the <processparameter> tag, or in the case of list parameters on the <variable> tag. If this is specified, the system will check if the current user or profile has the permission that was specified with the permission= parameter in regards to the object that was finally selected for the respective input parameter (or all parameters in case of a list). These checks are applied in addition to the basic execution check above. Execution Privilege Policy definitions contain a role specification indicating which roles can execute this policy at the given release levels. At execution time, the current user must possess one of these roles with regard to all objects in the working set. This section describes the default rules that are distributed with the core data model in the SDMObject package. It contains a summary of default settings and an annotated example of writing life-cycle rules. For this section, any cascading effect is treated recursively, i.e. when a rule calls for cascading an action to another object, all rules that are in effect for that other object, are also evaluated, in turn. The default configuration contains one policy for each life-cycle action. This policy has the name Default. The user interface always executes the Default policy. Promote - data objects There are no restrictions for the promote action. The default policy is available to authorized roles at all release levels. It contains the following rules: Promotes all objects that this object depends on using the dependenton relationship. Enforced. <PolicyConcern type="enforced" propagation="cascade" target="dependenton"/> Promotes the creator process. Enforced. <PolicyConcern type="enforced" propagation="cascade" target="creator"/> Promotes all modifier processes referenced by the modifiedby relationship. Enforced. PolicyConcern type="enforced" propagation="cascade" target="modifiedby"/> Promotion of the process objects does not cause any further recursive promotion in this Default configuration. If you were to specify that promotion of a process automatically promotes its outputs, you

316 308 Trigger interface: end up in a scenario where promoting one output object implicitly promotes the creator process, and the promotion of the creator process implicitly promotes all output objects. Starting with the promotion of one object would finally cause promotion of all objects that are outputs of the same creator, which is not desirable. Promote - process objects There are no restrictions for the promote action. The Default policy is available to authorized roles at all release levels. It contains no rules, however, as you do not automatically cascade the promote action to any other object. If you want to automatically promote the output objects on promotion of a process, you must define an additional promote policy that specifies this behavior for the process object type. Demote - data objects There are no restrictions for the demote action. The Default policy contains the following rules: Require that any dependent object be already demoted: <PolicyConcern type="enforced" propagation="require" target="dependents"/> Require that the processes that take the object as an input be already demoted: <PolicyConcern type="enforced" propagation="require" target="processes"/> Automatically demote the creator process: <PolicyConcern type="enforced" propagation="cascade" target="creator"/> Demote - process objects There is a single restriction for demote that facilitates demotion of the action sequence, if the process is part of an action sequence: <LifeCycleRestriction action="demote" propagation="cascade" relationship="compoundexec"/> Under the Default policy, there is a rule that effects demoting of all output objects: <PolicyConcern type="enforced" propagation="cascade" target="outputs"/> Delete - data objects The restrictions for a delete action on data objects are: If the action deletes the last object that was created, the creator process is deleted. <LifeCycleRestriction action="delete" propagation="cascade" condition="if-all" relationship="creator"/> If the action deletes the last object modified, all modifier processes are deleted.

317 Chapter 6: System Administration Trigger interface: 309 <LifeCycleRestriction action="delete" propagation="cascade" condition="if-all" relationship="modifiedby"/> Deletes all properties of the object. <LifeCycleRestriction action="delete"propagation="cascade" relationship="properties"/> For any properties that are AttachmentProperties, the corresponding attachments are deleted when the last reference is deleted. This is configured by the following restriction in AttachmentPropertyconfig.xml: <LifeCycleRestriction action="delete"propagation="cascade" condition="if-all" relationship="attachment"/> All folder entries pointing to the object are deleted and the object is removed from all folders. <LifeCycleRestriction action="delete" propagation="cascade" relationship="infolders"/> The Default policy for deleting data objects is available to authorized roles at release level 0 only. It contains the following rule: All dependent objects, i.e. those that are related by the dependents relationship, are also deleted. Enforced. <PolicyConcern type="enforced" propagation="cascade" target="dependents"/> In the Default policy, there is no rule that allows deleting objects at a release level higher than 0. If you need that facility, you must add a corresponding policy. Delete - process objects There is one restriction for deleting a process object: Any CompoundExecution objects are deleted as well. <LifeCycleRestriction action="delete" propagation="cascade" relationship="compoundexec"/> CompoundExecution objects are helper objects created when an action sequence is run. There are other restrictions on the ActionSequenceStep, which only allow deleting if the whole action sequence is deleted. Essentially, this setting prevents deleting single objects out of an action sequence. The Default policy for deleting process objects is available to authorized roles at release level 0 only. It contains the following rules: All output objects are also deleted. Enforced. <PolicyConcern type="enforced" propagation="cascade" target= "outputs"/>

318 310 Trigger interface: A process object can only be deleted if all modified objects, i.e. those related by the modifies relationship, are also deleted, or have been deleted before. If there are any modified objects left, the delete request is rejected. <PolicyConcern type="enforced" propagation="require" target= "modifies"/> Ability to Change the Ownership of SimManager Objects The SimManager system separately tracks which user is the creator and which user is the owner of data objects and process objects. A new life cycle actions allows you to change the ownership of SimManager objects. The creating user is a static property; it is assigned upon object creation and treated as read-only. The creating user has no effect on object behavior, that is, it is not taken into account when your permissions on an object are assigned. The owning user is initially assigned from the creating user, but can be later changed. The owning user is taken into account for permission determination. You can often have more permissions on objects that you own than on foreign objects. Change Owner Life Cycle Rules The change owner action is an object life cycle action that is similar to promote, demote, and delete. The action usually affects sets of interrelated objects. The rules for determining what objects should be treated together in one set, and what restrictions apply, are configured within the <lifecycle> section of the object type configuration files. The name of the change owner action is chown. The default rules contained in the Base portal typeconfig files treat an ownership change in the same way as demotion, that is, when you change the owner of some object, the system automatically performs the same change to all dependent objects recursively. In addition, the creator process and sibling objects are also included in the operation (unlike demote). Change Owner AE Scripts The change owner action must be called by an AE script. The default chown-ae.xml script is provided in the Base portal and displays a two page wizard that will: Prompt for the target user Display the objects that will be changed (or the error page indicating why the change cannot be performed) Launch the change of ownership when the user confirms Handling Referential Integrity Problems When deleting objects, SimManager has two ways of avoiding referential integrity problems among the deleted objects: a. Clear the reference before the delete,

319 Chapter 6: System Administration Trigger interface: 311 b. Pick the proper deleting order so that a object that has a reference is deleted prior to the one that it references. The SimManager system uses: a) for all non-key references. For references that are part of a key (<Key> tag), the system uses b) because the database does not allow clearing of a field which is part of a key. So references which are not part of a key are handled automatically. For references that are part of a key, the user needs to make the life cycle engine aware of dependencies. The implementor must create a life cycle rule for these to either cascade or require the dependency. For example: Example Reference; Requirement.svjp --> Perform.durabilityRequirements relationship, create Perform-typeconfig.xml <?xml version="1.0" encoding="utf-8"?> <typeconfig> <lifecycle> <LifeCycleRestriction action="delete" propagation="require" relationship="durabilityrequirements" /> </lifecycle> </typeconfig> For a similar reference Requirement.svjp --> Perform.fatigueRequirements add an entry <LifeCycleRestriction action="delete" propagation="require" relationship="fatiguerequirements" /> For every inverse relationship resulting from a ONE_REFERENCE that is part of a key, add a life cycle restriction at the target class (where the ONE_REFERENCE points to). This will have two effects: 1. You will get a regular life cycle error message in case you somehow arrive at a set of objects that does not include the referencing object during a delete. This will be a little more descriptive than the "some integrity rule violated" message. 2. If all is fine, the life cycle engine will know about the dependency and pick the proper delete order so you don't run into the integrity problem. Action Permission Checking What Permission Checks Are Performed For Launching An Action? Parameters An action is actually a Procedure (actually ProcedureRevision) object. It doesn't contain the relevant bits for permission checking in its data model, but rather these parameters are contained within the XML, as part of the <smdefine> tag.

320 312 Trigger interface: There are domain context and project context of the action. Domain An action is associated with a domain context. The domain is either specified directly, in the domain= parameter of <smdefine>, or it is specified indirectly by setting the domain= parameter to the string "frominput". In the latter case there is an additional domainparameter= parameter on the <smdefine> tag. The additional parameter gives the name of a process input parameter which must be a ONE_REFERENCE. The domain of the object that is finally selected for this ONE_REFERENCE process input parameter will then determine the domain context of the action. Project There is a hidden process parameter named project. It is initialized by the project of the process input parameter that was used to launch the action (in the case when you launch the action after first selecting a data object in the web UI). It can be changed by the process input wizard. The final value of the project parameter, after any possible change in the wizard, determines the project context of the action. Permission Checks Basic Execute Permission The system checks whether the user or profile has "EXECUTE" permission in the context of the project and domain. See above for how the project and domain context is determined. Additional Permission Checks Individual process input parameters of type ONE_REFERENCE or list can have an additional permission check applied. This is done by giving the permission= parameter on the <processparameter> tag, or in the case of list parameters on the <variable> tag. If this is specified, the system will check if the current user or profile has the permission that was specified with the permission= parameter in regards to the object that was finally selected for the respective input parameter (or all parameters in case of a list). These checks are applied in addition to the basic execution check above.

321 Appendix A: Troubleshooting and FAQ A Troubleshooting and FAQ Overview 314 Error Messages 315 Tomcat Temp Folder 318 IBM DB2 319 WebSphere Admin Console 321 Mimetype Mapping Problems 322 Web Browser Problems 323 SimManager Startup Error on Tomcat Web Server 324 System Administration 326 WebStart FAQ 328

322 314 Overview Overview This appendix offers guidelines, troubleshooting tips, and workarounds for various issues that can arise from components that work with SimManager.

323 Appendix A: Troubleshooting and FAQ Error Messages 315 Error Messages The following table lists some sample error messages and solutions. Table A-1 Sample error messages Problem You are getting OutOfMemory error using Tomcat web server. You are getting OutOfMemory error in WebSphere. Solution Before starting Tomcat, you must set the following environment variables in the <SM_INSTALL_DIR>/bin/start_webserver script. To increase the memory available to the Java application KSH - export CATALINA_OPTS=- Xms512m -Xmx1024m Windows -- set CATALINA_OPTS=- Xms512m -Xmx1024m Increase the Java memory allocation startup parameters using the WebSphere administration console. If these memory settings are set to the same value Java garbage collection may be disabled and result in out-of-memory conditions. Web Server responds with the error message: java.lang.noclassdeffounderror: org/w3c/dom/ls/documentls This a machine-specific problem. On certain machines, you may see the following error message in the Web browser when the Web server starts up: java.lang.noclassdeffounderror: org/w3c/dom/ls/documentls. Copy the file xercesimpl.jar into the directory webserver/common/lib. java.lang.internalerror: Can t connect to X11 window server using 0.0 as the calue of the DISPLAY variable You can find the jar file within the SimManager install directory. 1..Install X Virtual Frame Buffer (Xvfb). 2. If Java 1.4 is being used, set the following command line option for JVM in which the SimManager Web app is running. Djava.awt.headless=true

324 316 Error Messages Table A-1 Sample error messages Problem Curve or image files fail on upload or object creation. Typical message in sdm.log: Caused by: java.lang.noclassdeffounderror at org.jfree.chart.chartfactory.cre atexylinechart(chartfactory.java :1531) at com.msc.sdm.services.impl.curvel ocalservice.formthechart(curvelo calservice.java:1301) Solution Some functions must write to an X window on LINUX or UINIX Install or activate X Virtual Frame Buffer (Xvfb) set DISPLAY on server startup

325 Appendix A: Troubleshooting and FAQ Error Messages 317 Table A-1 Sample error messages Problem If you get following error messae during the activation of portal on JBOSS on Linux OS: [EclipseStudio] com.msc.sdm.estudio.consoleoutpu t.print (ConsoleOutput.java:40) - System failed to run due to 'Failed to zip directory/file '/opt/msc.software/simmanager/r3 JB/SimManager' due to 'Failed to zip directory/file '/opt/msc.software/simmanager/r3 JB/SimManager' due to '/opt/msc.software/simmanager/r3 JB/SimManager/portals/Base/velte mplate/views/sod-reportrevision- Preview.vm (Too many open files)' ' ' Solution Increase Total File Descriptors For System: To prevent SimManager from running out of filehandles you need to make sure that there are enough file handles available at the system level, and that the user you are running SimManager as is allowed to use enough file handles: Run the command sysctl -a. If this is less than , increase the number of file handles by editing /etc/sysctl.conf and changing the property fs.file-max to If there isn't a value set already for this property, you need to add the line fs.file-max= Then run sysctl -p to apply your changes to your system Increase Total File Descriptors For User: *Linux* also limits the number of *files* that can be *open* per login shell. To change this limit for the user that runs the SimManager system you will need to adjust the user limit configuration. For PAM enabled systems For *Linux* systems running PAM < HOWTO/x115.shtml> you will need to adjust /etc/security/limits.conf The format of this file is <username> <limit type> <item> <value>. For example to set the limit for the user confservice the following line would be used: confservice hard nofile 5000 Other systems For other *Linux* systems the file responsible for setting limits is /etc/limits To replicate the setting given in the previous example the line would be: confservice N 5000

326 318 Tomcat Temp Folder Tomcat Temp Folder Problem: If you are having problems loading a database using the Admin tool, this might be happening because the temp directory is not created in the Tomcat directory structure. Symptoms are write to disk errors. Solution: Create a directory named temp under CATALINA_HOME.

327 Appendix A: Troubleshooting and FAQ IBM DB2 319 IBM DB2 The following table lists some errors that may occur while you are configuring IBM DB2. Table A-2 Possible errors and solutions Problem You get the following error message in the create database section of the Admin tool: The transaction log for the database is full. SQLSTATE=57011 " You get an error message similar to the following on create database. This typically indicates that the transaction log is out of space. Solution Increase the transaction log for your database by issuing the db2 command processor: Consult your DB2 administration Users guide. Increase the transaction log for your database by issuing the db2 command processor: Consult your DB2 administration Users guide. com.ibm.db2.jcc.a.sqlexcep tion:db2 SQL error:sqlcode: -964, SQLSTATE: 57011, SQLERRMC: null at com.ibm.db2.jcc.a.hd.d... You get the following error while creating a database: Failed to create database: Reason: "The dataspaces are inssuficient for the DataClass='com.msc.sdm.sdm object.formattedtextproper ty'. This error means you need to create a tablespace that allows rows of 8030 bytes (or more). You can do that in the DB2 control center or manually with the DB2 command line. Consult your DB2 administration Users guide. The required allowed row size should be >= Please,create the tablespace manually."

328 320 IBM DB2 Table A-2 Possible errors and solutions (continued) Problem You get the following error while running Admin tool: Solution Increase the size of the lock list by issuing the db2 command processor: SQL0912N The maximum number of lock requests has been reached for the database. SQLSTATE=57011 On AIX DB2: You get the following error while running Admin Tool: com.msc.sdm.db.dbexception: com.ibm.db2.jcc.b.sqlexcep tion: The file P msg cannot be opened. Database Manager cannot be started - user is NOT authenticated: java.lang.exception caught: com.ibm.sa.admin.share.adm inexception: SAWM4302E: Database error encountered: code=-964 SQLState=57011 text="[ibm][cli Driver][DB2/SUN] SQL0964C Consult your DB2 administration Users guide. This error occurs if you do not have sufficient access/write permissions on the instance directory path. Set the permissions to the corresponding directories of your instance as mode 777, as shown next: chmod 777 /local/db2/sqllib/function/routine/sqlproc/smdb/simenter prise chmod 777 /local/db2/sqllib/function/routine/sqlproc/smdb/simenter prise/tmp Make sure the instance owner belongs to the appropriate group. Set the authentication mode to CLIENT, by issuing the following command from the DB2 command processor window: db2 update dbm cfg using AUTHENTICATION CLIENT

329 Appendix A: Troubleshooting and FAQ WebSphere Admin Console 321 WebSphere Admin Console The following table includes common problems regarding the WebSphere Admin Console. Table A-3 Common problems with WebSphere Admin Console Problem WebSphere Admin Console is not functioning properly. For example, server instance is not there, installed apps is empty, and so on. Solution Start with cleaning up the logs directory (including the server1.pid file - this may corrupt WS instance running). Capture the process ID of server from the log files. Perform ps -ef grep nothing! WS bin directory perform./startserver.sh server it comes back saying: there is already server instance on port 8880 running! When starting default server, you get the following error message: Exception caught during transaction service recovery! javax.transaction.systemex ception: java.io.ioexception: Inconsistent Transaction and XA Resource recovery logs. How can you make server run on a different port. Check the admin console again it reconfigures, and then it's up and running. In general, these issues should be worked through the support system. However, what probably happened is that WebSphere Application Server was killed in the middle of one or more transactions. Now that the application server is restarting, it is trying to recover those transactions. The short-term answer is to delete or rename the tranlog* files in the tranlog directory. This makes the WebSphere Application Server stop trying to recover the transactions. A fix has been created for this issue on WebSphere Application Server 5.1. See Cumulative Fix Pack 1, or Individual Fix.

330 322 Mimetype Mapping Problems Mimetype Mapping Problems If you have an extension defined on the local machine to use a specific application, that setting will take precedence over mime-type mapping in SimManager. For example, if you have Exceed installed and the.ses extension is mapped to an Exceed session file, then any file name ending in.ses will be opened with Exceed. To view the *.ses files, you can add an entry to the MimeTypeMappings.properties file. If this is a text file, then the entry will look like this: ses = text/plain Now, when you click on the file, you should be able to see the file correctly. After you modify the MimeTypeMappings.properties file, continue without restarting the Web server to see if it has taken effect. If you can see the file correctly, restart the Web server and then check again. When using Tomcat as the webserver and browsers other than Internet Explorer, if the browser does not recognize the mime type correctly, that is, if the file is not handled correctly based on the mime type, it is possible that the mime type setting in the MimeTypeMappings.properties file is incorrect. To fix this problem, update the mime type setting in the web.xml file of webserver.

331 Appendix A: Troubleshooting and FAQ Web Browser Problems 323 Web Browser Problems Table A-4 Problem Viewing a SimManager portal on two or more Web browsers of the same type and at the same time shows incorrect data in one or both of the tree displays. In general practice web browsers are not intended to transport large volumes of data due to performance. In keeping with this practice the SimManager system sets the default limit for Web Browser file upload to 1GB. Web Browser Problems Solution Use different browser types to view simultaneous SimManager Web browser sessions running on the same machine. For example, use Internet Explorer to show data in one browser and Firefox or Netscape to show data in the other. To change the default Web Browser file upload limit, edit the maxfilesize value in the following files: <SM_APP_ROOT>/SimManager/WEB-INF/struts-config.xml <controller maxfilesize="1g" processorclass="com.msc.sdm.web.controller.smrequestprocessor"/> and <SM_APP_ROOT>/SimManager/WEB-INF/web.xml <filter-class>org.apache.myfaces.webapp.filter.extensionsfilter</filterclass> <init-param> <param-name>maxfilesize</param-name> <param-value>1g</param-value> For Linux platforms for Client Side execution with Firefox browser - error "unable to launch application" You must restart the web server for these changes to take effect. It is because the MIME type mappings for Firefox are not configured properly. The file that Firefox is actually asking about is a.jnlp file (not "csae.do"). A mapping needs to be made to associate Java Web Start (JWS) with.jnlp files (a MIME type of "application/x-java-jnlp-file"). In Firefox, see Tools > Options > Content > File Types.

332 324 SimManager Startup Error on Tomcat Web Server SimManager Startup Error on Tomcat Web Server Table A-5 Startup Error on Tomcat Web Server Problem Error during SimManager startup on the Tomcat Error during SDMActionServlet initialization: 'Failed to initialize core due to 'Native Library \webapps\simportal\ SMConfig\lib\dlls\win32\lapi.dll already loaded in another classloader' Solution This error occurs if you have multiple SimManager applications deployed under one Tomcat Web server (for example, under the../webapps directory, you have the SimPortal and MySimPortal applications deployed). To resolve this issue: 1. Stop the Tomcat Web server. 2. Move all unwanted Web application directories under <CATALINA_HOME>/webapps directory to a <CATALINA_HOME>/backups directory so that there is only one SimManager Web application deployed in the webapps directory. 3. Restart the Tomcat Web server.

333 Appendix A: Troubleshooting and FAQ SimManager Startup Error on Tomcat Web Server 325 Table A-5 Startup Error on Tomcat Web Server Problem When using Tomcat if the webserver is running and the "web.xml" is edited the webserver will terminate and then attempt to restart. The restart fails with: INFO: Illegal access: this web application instance has been stopped already... Solution The webserver MUST be stopped and restarted from the <SM_INSTALL_DIR>/bin/start_webserver :37:06,593 ERROR [Services] ProcedureManager$ProcedureMo nitor.run (ProcedureManager.java:1466) - Error in procedure manager thread: The database is not available. Error during SimManager stratup on Tomcat: java.io.invalidclassexception: com.msc.sdm.i18n.timenumbercurre ncyinfo This error typically occurs when the SimMamager Application has been updated. To resolve this issue: Delete the contents of the <CATALINA_HOME>/work/Catalina/localhost/ SimManager directory and restart the web server.

334 326 System Administration System Administration Table A-6 System Administration Problems Problem You are getting an LDAPException: Invalid Credentials (49) Invalid Credentials. You are getting an LDAPException: No Such Object (32) No Such Object. Solution This error occurs when SSL is enabled on the directory server on which you are connecting and you do not have a trusted server certificate. Verify that the keystore file is created with appropriate credentials and exists in the specified location. This error occurs once the connection is established to the directory server but the DN specified does not match any entry DN existing on the server. Verify that the connection string section of the user.provider.url property is specified accurately and that the username entered on the logon page conforms to the DN structure on the server. For example, if you have entered Jblow on the logon page of SimManager, this entry must exist on the directory server: You are getting error: NoClassDefFound for the com\sun\net\ssl\internal\ ssl\provider.class CN=JBlow, CN=Users, DC=mscsoftware, DC=simmanager This error occurs if you are not running on J2RE or higher. LDAP authentication mechanism using SSL-secure socket connection requires J2RE or higher. or javax\crypto\ BadPaddingException.class

335 Appendix A: Troubleshooting and FAQ System Administration 327 Table A-6 System Administration Problems (continued) Problem SimManager Classic Studio fails to run Delete Database command for Oracle. Error: Failed to delete database: Reason: java.sql.sql.exception: ORA-01940: cannot drop a user that is currently connected. When attempting to an object from the SimManager Web interface, it fails to display the correct URL in the message area of the tool. When sending the URL to another user, the URL on which to click is missing from the body of the message and does not function properly. Solution This occurs on an Oracle database only. The reason is that your Web application is currently running and, therefore, there is a live connection established to the database at this time. 1. Stop your Web application server. This causes the users currently connected to Oracle database to be dropped. 2. Exit the Classic Studio and restart. 3. Try to delete the database while the Web server is still down. This error occurs with the Lotus Notes Client only on Windows. To fix this problem, you can reconfigure your Windows operating system to use another tool, such as Microsoft Outlook or Netscape Mail. Using one of these mail tools or any other mail tool will format the mail message properly.

336 328 WebStart FAQ WebStart FAQ Problem: SimManager Client Side Execution "WebStart" fails Server Side requirements: 1. Set AE script smdefine execution="client-side" 2. Verify that the "simmgr.url" property in the portal.properties file is set the server URL (i.e Verify that the "csaemechanism" property is et to "WebStart". Note: The ActionRunner component must be installed as part of the SimManager installation and the is any custom jars have been added these MUST be signed in accordance with the published instructions. Note: If the AE script executes an external application such as patran or nastran the executable must be in the user s path on the client machine. Client Side requirements: Verify that WebStart Version 1.2 is installed on the client - open a command window and type javaws.exe Note: WebStart is required for CSAE processes. If it is not installed you can download it from The installation instructions are documented at the following page: Note: SimManager Client Side execution using WebStart has been verified with Java 1.4.2_04-1.5_12 Solutions: If the client side execution fails; Previous execution may have cached required files that were not updated. On windows go to Start->Settings->Control Panel->Java 1. In the general tab - Temporary Internet Files click the "Delete Files" to clear the current cache and try again.

337 Appendix A: Troubleshooting and FAQ WebStart FAQ 329 Also verify that the "settings". Click the "Settings" button and verify that adequate disk space is allocated.

338 330 WebStart FAQ

339 Appendix B: Backup and Recovery Guide B Backup and Recovery Guide Backup and Recovery 332

340 332 Backup and Recovery Backup and Recovery Introduction This is information to help plan and conduct backup operations for SimManager. This guide is intended to provide sufficient information to understand and create a backup/recovery plan for SimManager deployments. However, each company should review the policies and specific requirements for backup, archival, and disaster recovery and tailor a specific plan to meet their needs. Depending on the complexity of the SimManager environment and whether there are dependencies on job submission and compute host environments, the type of backup and frequency can vary significantly and considerations must be given to minimize the impact on the affected user community. Note: The policies described here are intended to be implemented in the context of purely backup and recovery from a system failure/disaster type of event. Full system recovery is assumed. Policies involving archival of data for the purpose of restoring unique or specific data, for example, in the event of accidental deletion of some data from the system, are not addressed and should be considered separately SimManager Database/Vault Architecture SimManager follows a standard meta-model approach to persist objects that are created during any process conducted in SimManager. The meta attributes and the relationships between objects are stored in a relational database, while the raw data files of an object are stored in a vault. This means there are

341 Appendix B: Backup and Recovery Guide Backup and Recovery 333 two primary data repositories for a SimManager environment - the relational database and one or more file storage vaults that are synchronized. This is depicted in the following figure. The database provides a means to populate and control the critical information that the system will manage. This is generally not the raw data associated with CAE activities (input files, output files, etc.) but is the metadata that represents the business value of CAE. This metadata includes performance predictions, such as crash predictions, and the "who, what, when, and how" information that gives context to the performance data. The database is owned by the Web application server, ensuring that only the Web application server itself (or the database administrator) can alter the information it contains. SimManager supports a freely-

342 334 Backup and Recovery configurable object model schema, allowing customers to extend SimManager. The schema is defined in an XML-schema definition file, which is used by the SimManager Studio tool to create the relational database schema. SimManager persists its metadata in a relational database, currently supporting IBM DB2 and Oracle and multiple file-vaults accessed via nfs or (s)ftp. The SimManager data objects are derived from a common base class, which provide a basic business logic infrastructure handling: Owner/creator Release level Revisioning (with SimManager R3) Association to project Access control (visibility) Dependencies SimManager Storage Vault: The storage vault provides large scale storage (vaulting) of CAE input and output files. The storage vault can utilize raw disk space, Storage Area Networks (SAN), backup systems, and/or content management systems. In addition, SimManager supports multiple vaults, which allows organizations to optimize where specific data files are kept. This enables keeping the data files in close proximity to frequent requestors as well as optimizing the vault and its backup procedures for given data files. General Backup and Recovery Considerations in SimManager Backup can be done either while the system is online or during specified maintenance periods when the system is shutdown. Each has ramifications that should be understood prior to execution. For smaller operations that will endure little or no impact if the entire system is shut down, MSC recommends that all backup and recovery operations be performed during a maintenance window when all access to the portals has been terminated. Consideration must be given to the allowable impact on the user community for any offline periods as well as ensuring that controlled and managed shutdowns/restarts are conducted if required. Also, practices involving backup during remote job execution need to be established. In the event jobs are running on remote servers, data is intermittently passed back to SimManager. If SimManager is down the data must be buffered until SimManager is restored. This is generally a customized solution and not available today as a standard feature in SimManager. If shutdown of the system is not practical and only performed on rare occasions, online backup will have to be performed. An example of this process has been provided. In any case, it is recommended that the backup of the database precede that of the file vault data for synchronization reasons. Typically, the database will be relatively small compared to the file vault and the duration to backup the database will be small compared with the file vault. This practice should ensure that the database and data files remain synchronized as closely as possible should a restoration be required.

343 Appendix B: Backup and Recovery Guide Backup and Recovery 335 MSC does not recommend the redeployment and re-initialization of SimManager based portals in response to disaster recovery as this may introduce discrepancies in the database table spaces and globally unique IDs (GUIDs) that are generated during portal operation for data referential integrity. Offline Backup As describe above, offline backup can be performed if the impact on the user community, in-process jobs, and the other business issues allow for offline backup within a given window of time. Offline backup involves shutting down the SimManager system so that no operations can be performed during this time. Additional consideration has to be made for in-process jobs that are being managed by a job submission system. In process jobs will typically reconnect with SimManager during restart and the jobs can continue, but they should be monitored after restart. Backup Methodology If offline backup is performed, MSC recommends daily backup of the database information, but this will be dependent on the company policies and other considerations. The system must be shut down in a controlled manner to minimize issues with data synchronization and lost references due to in-process tasks or jobs. All users should be notified in advance that the system will be down for a specified period of time and that a notification will be sent out once the system has been restarted and is available. Once the system is shut down, the database backup should be done IMMEDIATELY BEFORE backing up the file vault. SimManager based portals rely upon a file "vault" to maintain system files. Depending on the implementation, the vault(s) may either be local file system, FTP or NFS mounted with either a NAS or SAN system depending on the implementation size and organizational infrastructure policies. As noted earlier, this should be done IMMEDIATELY AFTER backing up the database. Periodic off-site storage of this backup is recommended to address catastrophic event recovery. Backup of Portal Source Code MSC further recommends creating a snapshot of the web application server partition containing the production portal directory and subdirectories at deployment and after each maintenance upgrade. This would allow the restoration of prior functionality in the event of a critical defect being inadvertently deployed to the production systems or in the case of hardware or other issues with the system. Online Backup Methods with Tivoli Storage Manager For this guide, the scope of this discussion is based on the assumption that IBM Tivoli Storage Manager (TSM) will be utilized only to back up the SimManager database and vault contents. There are multiple variants on configurations that include a great many additional components to the total solution, and designing an overall backup system for more complex architectures has to be considered individually. For example, will TSM be used to back up configuration or other information from the Web application

344 336 Backup and Recovery servers? If such a design is desired much more detail about the system architecture will be required. However, the methods for obtaining the best possible backup of the database and vault can be covered fairly quickly. First, a discussion on the elements that are common to all sizes of implementations. Backup Methodology SimManager utilizes a relational database (IBM DB2 Universal Database or Oracle Database) to contain what is commonly called the content management records, and a repository, or "vault" to contain the various managed data files. The objective of the TSM implementation is to keep up-to-date backups of both the database and vault. A primary design consideration is the 7 X 24 operational nature of the SimManager in many implementations. This prevents placing the database into maintenance mode while the backup is performed. Since the database cannot be shut down for backup, the backup will have to be done in two operations. The database will have to be backed up using its live backup utility, and in parallel, the new files in the vault will have to be backed up using the TSM Backup/Archive client. TSM provides the capability to back up an operating DB2 or Oracle database directly to TSM server-managed storage, so temporary disk storage on the database server is not needed when using TSM. The challenge with this approach is keeping the data files in the vault in synchronization with the object records in the database. There are several considerations which make perfect synchronization difficult if not unachievable: 1. The database entries are made before the actual data files are completely written to the vault, so at any given "snapshot" time we must assume some degree of difference. 2. Since the database cannot be put in maintenance mode, additional entries can appear during the backup interval, and may not be captured. This is limited to the situation when a new object was created and files imported into the vault during the backup process. This is not a major concern, since the unsynchronized files will not interfere with any operations and will be pick-up during the next backup. 3. Users can selectively delete records from the database and vault during the backup interval, and at other times. In SimManager, files in the vault are not deleted immediately when a database object is deleted, but are marked for deletion. The actual file deletion occurs during the running of a special SimManager agent. This agent should be halted during the backup process. So in this case, the inconsistency of a meta-data object in the DB pointing to a file which was deleted in the vault cannot occur. 4. Files that are changing (because they are still being written) during the backup process may be skipped. This will be logged by the Backup/Archive client. Note: SimManager prohibits the editing / modifications of files, once they are in the vault. So there can not be inconsistencies where the meta-data of an object does not match with the files it refers due to modifications (only time-based as in 1). As such, the inconsistencies can be limited to additional or 'orphan' files being included in the vault backup, which do not have a 'parent' meta-data object in the DB (as these files may have been written to the vault after the database backup but before the vault backup).

345 Appendix B: Backup and Recovery Guide Backup and Recovery 337 While perfect synchronization may not be possible, correct utilization of the TSM client capabilities and options can reduce the discrepancy to a minimum. Backup time and resultant latency issues are the problem to be reduced. The minimum backup time is achieved by performing incremental backups of both the database and file system. The file system backup can be further expedited by using the filelist option of the Backup/Archive command-line client (dsmc). The default operation of the Backup/Archive client during an incremental backup is to scan all the file systems in the client's domain and compare what is found with the include/exclude options to generate a candidate list. This list is then compared with the objects already contained in the TSM server database, and a final set of objects to be backed up is generated. For very large file systems, this can be timeconsuming, so we want to avoid this. The filelist option dispenses with the file system scan, making the preliminary processing much quicker. Thus, it is the preferred method of operation in this case when viewed purely from a time perspective. The list used by the filelist option is an ASCII text file containing one full file path per line. The file is not altered or deleted during the backup, and could, itself, be backed up for use during post-recovery reconciliation activities. For SimManager, the list file can be generated by running a query against the database to list all files added since the last database backup (This could be automated with some relatively simple scripting) To perform the actual backup. First initiate the incremental database backup, then immediately initiate the incremental file system backup using the filelist option. Optionally, also back up the list file as well. Following the completion of the file system backup, the Backup/Archive client log should be checked to see if any files in the list were missed. If so, it generally means they were still being written to during the backup. These can be retried, or added to the file list for the next backup. Note also that depending on the database in use, other configuration files for the RDBMS may need to be backed up as well. This is documented in the RDBMS administrator's guide. Finally, to ensure full consistency (due to possible deletions from the vault) and better database restore performance it is recommended that a weekly full backup of the database and a concurrent full incremental backup of the file system(s) during a period when activity is expected to be its slowest. This will also ensure deleted objects are allowed to expire in TSM server storage. Backup Frequency Based on the assumption that this TSM implementation will be tasked ONLY with backing up SimManager, there is no reason not to back up the vault and database on as frequent a basis as the supporting network infrastructure can sustain, assuming that the server can accommodate the workload without significantly impacting user response times. However, this will have to be evaluated on a caseby-case basis and is always a compromise. But more frequent backups will minimize the out-of-synch problem as well as the magnitude of the data loss should a complete system failure occur requiring a full restoration from backup. For the very large files that will comprise the majority of the data being transferred, you can plan on achieving around 40% efficiency over a shared Ethernet link, or as much as 80% efficiency over a dedicated backup LAN. Data can also be backed up directly to SAN-attached storage as another option. In most cases, the network is the limiting factor in completing a backup, although a client system with a heavily-loaded CPU or disk system can sometimes become a bottleneck.

346 338 Backup and Recovery In any case, the one caution that must be observed is to NOT initiate a second backup before the preceding one completes. It may be wise to have your implementation scripting check for the presence of an existing dsmc process before launching a new one. Now let us move to a discussion of the variable elements, i.e. those things that will change depending on the size of the SimManager implementation. TSM Sizing The most fundamental question is how many TSM server instances will be required? This is determined by the total TSM server database size, which in turn depends on three factors: the total amount of storage space being backed up; the average size of the files in this space; and the number of extra copies you wish to retain in TSM storage. These factors are used to compute an estimated total size of the TSM server database. TSM maintains its own internal relational database within which each primary file requires about 600 bytes of storage (for file metadata). Additional copies require an additional 200 bytes per copy. IBM normally recommends at least one extra copy of each object be kept as a precaution against media failures. This copy can, if desired, be removed to an off-site storage vault for use in disaster recovery. So, as a minimum you should plan on 800 bytes of metadata storage per managed file. Since restore performance is an important consideration, accepted best practices indicate that you do not want any TSM server database growing beyond approximately 100 GB in size. Please note that this is not a physical limit of the system, it is only an IBM recommended practice based on many years of operational experience. Nothing dramatic will happen should the database exceed this size, indeed many TSM users are operating beyond this limit; but restore performance should be expected to gradually degrade. So, once you determine the aggregate size for the TSM database (in GB), divide this by 100 and round the result up to the next full number. This is the number of TSM server instances (not necessarily physical servers) required. Because of these performance considerations we recommend using a separate TSM server instance for long-term archival. This is because archived records are typically accessed infrequently, and only a few records at a time. Thus, retrieval performance is less of an issue and the TSM database can be allowed to grow larger, even to its current physical limit of 530 GB. In SimManager, records consigned to long-term archival can be passed along to a different application. In that case, the long-term storage requirements are a separate discussion. In any event, the recommendation would be to set up a separate TSM server to support that activity, optimized for long-term archival. Since we do not know the precise average size of the specific vault records we cannot guarantee the accuracy of the information in the table below. In this estimate, it is assumed an average file size of 1 MB for files in the vault. We have used best-practices planning factors for database and file system daily change rates of 15% and 5%, respectively. While the results may or may not be accurate, they do illustrate the methodology and it should not be overly difficult to adjust the results to conform to expected change rates or average record sizes. The TSM database size estimate assumes that one primary copy of each file will be kept, plus one disk pool copy. Whether these backups are kept on disk or tape is irrelevant to the TSM database sizing.

347 Appendix B: Backup and Recovery Guide Backup and Recovery 339 : Attribute Small Medium Large XLarge Database Size (GB) % Daily Change(MB) 1,536 7,680 30, ,720 Vault Size (TB) Average Record Size (KB) 1,000 1,000 1,000 +1,000 5% Vault Daily Change 256 1,536 5,120 +5,120 (GB) Recommended Disk Pool 309 1,852 6,180 +6,180 (GB) Est. Number of Records 5,368,709 32,212, ,374, ,374,182 TSM Database Size (GB) From this table we can see that the small and medium implementations should fit comfortably within one TSM server's capacity. The Large implementation may start to push a single TSM instance if the average file size in the vault drops below 800 K. For the Xlarge implementation, it would be appropriate to place a TSM server at each site, since that appears to be the way the vault and database space is set up and each server should then be operating near capacity. TSM Server Placement It appears that the Xlarge, implementations will be having geographically separated locations, so the number and placement of TSM servers should take network connectivity into account as well. Wide Area Networks are typically slower than LANs, and their use should therefore be minimized. However, geographically dispersed TSM servers can be an advantage in that server-to-server virtual volumes can be used to back up the TSM server database. This greatly accelerates server restoration in the event of a disaster recovery situation. TSM Server Storage The factors you should consider in architecting TSM server storage are your restore time constraints and media cost. Typical implementations place backups of small files initially on a random access disk, and later migrate them to tape. Extra copies are typically written to tape. In this configuration the amount of disk storage space on the TSM server should be enough to hold each incremental backup, plus about 20 percent extra. The disk pool size recommended above is based on one incremental backup per day. If you performed the backup four times per day, and immediately migrated the data to tape, you could reduce this figure to one fourth the size. However, you may wish to write most of the vault data directly to tape. IBM has found that in practice, files many megabytes in size are most efficiently written directly to tape, if that is to be their eventual

348 340 Backup and Recovery destination. In that case, the disk pool can be reduced in size accordingly. Large files can be forced directly to tape, while leaving the default destination as a disk pool by setting the MAXFILESIZE parameter on the storage pool to the threshold size. With that consideration and the use of SAN storage in mind, you may wish to use a SAN-attached tape library and do LAN-free backups. This takes the data directly across the SAN to the tape library. It saves both disk space and processing time on the TSM server and would appear to be ideally suited for the very large files created by analysis processing. The tape library should contain at least two tape drives and hold enough cartridges to keep at least the primary tape storage pool entirely within the library. If you plan to use LAN-free or other backup directly to tape, make sure you allow at least one tape drive for each SimManager database server using the library, to prevent device contention issues. Additional copies can, if desired, be removed and placed in external storage, as they are only needed if the primary pool copy is damaged. So, the amount of tape storage space will be the total primary data content plus the additional copies, plus space to back up the TSM database, plus enough scratch tapes to hold one day's additional data. This figure is then adjusted to allow for partially-empty tapes, as data expires. Typically, plan for tapes to be 65% full on average. The number of tape drives required is a function of the amount of data backed up each day and the write speed of each individual drive. Do not assume the full rated speed of the drive. 80% of the rated speed is the usual planning factor. If you divide the amount of data in each backup by the number of hours available to perform the backup, you will obtain the hourly throughput required. Divide this by 80% of the drive's rated capacity and round the result up. This will tell you the minimum number of tape drives required. Then if you intend to make an additional tape copy, you will need to provide capacity to do that. Don't forget that this is a tape-to-tape copy operation, needing two tape drives for each copy operation. Alternate Online Backup Methods Hierarchical Storage Management Other alternatives to backups are available and should be discussed with you implementation team. For example, in larger installations it may make sense at some point to fully migrate the vault to a fully managed hierarchical storage management (HSM) solution, in which the off-line storage devices serve as backup media (which still require them to be redundantly laid out). In such a scenario, policies can be setup, in which the files are immediately copied into the off-line storage. In such a setup, there would be no explicit backup process and it would be completely managed by the HSM system (e.g. Tivoli Storage Manager). Each solution has to be evaluated on from a business and operational perspective in order to architect the correct solution for each specific company and it is recommended that you work closely with your MSC implementation team to determine the best solution for your needs.

349 Appendix C: Tivoli Directory Server Installation for Windows C Tivoli Directory Server Installation for Windows Introduction 342 Installation Process 343 IDS Web Administration Tool 354

350 342 Introduction Introduction This document describes how to install IBM Tivoli Directory Server version 6.0 on windows system. You should refer this link for more information on IBM Tivoli Directory Server V6 Documentation.

351 Appendix C: Tivoli Directory Server Installation for Windows Installation Process 343 Installation Process DB2 and IBM Directory Server DB2 Version 8.1 Enterprise Server Edition with FixPack 8 is included with IBM Tivoli Directory Server 6 and is installed if a supported version of DB2 is not detected on your system. This installation guide includes the installation of DB2 with the Directory Server. 1. Unzip "Tivoli Directory Server V6.0, Windows on Intel, Multilingual (C90ZCML)" to a local directory. 2. Double-click on the setup.exe, this will start the IBM Directory Server installation. 3. Select English as the language, Click OK to continue. 4. Select Next to continue the installation. 5. Click on I Accept the terms in the license agreement, click on Next. 6. Accept the Default location, click on Next. t

352 344 Installation Process 7. Click Next, then select all features to install. 8. Enter the user id/password for DB2 installation. The user needs to be created before you start the installation.

353 Appendix C: Tivoli Directory Server Installation for Windows Installation Process Click Next, the next screen list out all of the packages you have selected and the locations where you want them installed. 10. DB2 installation starts. 11. After DB2, WAS express install will start.

354 346 Installation Process 12. After this, IDS web admin tool installs in Embedded version of WebSphere Application Server - Express. 13. Click on Next, you will see IDS installation complete screen. 14. Click on Finish. It will open IBM Tivoli Directory Server Instance Administration Tool.

355 Appendix C: Tivoli Directory Server Installation for Windows Installation Process 347 IBM Tivoli Directory Server Instance 1. Click on Create, you will get following screen. 2. Select Create a new directory server instance, click Next.

356 348 Installation Process 3. Enter following values in the Instance details screen: Username: db2admin (This is the same user from step 7) Administration seed string: Instance Description: IDS instance for TIM 4. Click Next

357 Appendix C: Tivoli Directory Server Installation for Windows Installation Process Verify the name of instance created by Db2 installation in above steps. Create the user with the instance name before you start this step. Enter the db2instance name and click Next.

358 350 Installation Process 6. Select Listen on all configured IP addresses, click Next. 7. Enter new TCP/IP port settings for IDS or choose default, click Next.

359 Appendix C: Tivoli Directory Server Installation for Windows Installation Process Select both options i.e. Configure admin DN and password and Configure database, click Next. 9. On Configure administrator DN and password screen enter following values: Administrator DN: cn=root Administrator password: password Confirm password: password 10. Click Next.

360 352 Installation Process 11. Enter following values in the Configure Database screen: Database username: db2admin (This is user we used during DB2 install ) Database name: ldapdb (This is ldap database name which will created and configured with IDS) Password: db2admin's password 12. Click Next 13. Select Database install location and "Create a Universal DB2 database (UTF-8/UCS-2), click Next 14. Click Next on Verify settings, then click on Finish.

361 Appendix C: Tivoli Directory Server Installation for Windows Installation Process IDS instance creation starts, Click Ok when it finishes.

362 354 IDS Web Administration Tool IDS Web Administration Tool Starting WAS express version Open a command window and issue following command: Processes of starting the server will take a few moments. If the server is started successfully, you should get following message

363 Appendix C: Tivoli Directory Server Installation for Windows IDS Web Administration Tool 355 Adding Directory Server Instance to IDS Web Administration Tool The IDS Web Administration Tool is now installed and capable of managing LDAP servers, however, an LDAP server must be defined in the tool before any management can occur. 1. Open Internet Explorer to the following URL: Note: It is normal for the page to take a few moments to open. 2. Log on to the Console Admin with the user name superadmin and the password secret. It will take a few moments for the IDSWebApp application to load. 3. In the left pane, click Console administration to expand, then click Manage console servers. 4. Click Add.

364 356 IDS Web Administration Tool 5. Enter the host name of Machine, leave the port as 389 and the administration port as Leave SSL cleared and click OK. 6. The following screen should result. Click Logout in the left panel

365 Appendix C: Tivoli Directory Server Installation for Windows IDS Web Administration Tool 357 Verifying the Installation of IDS 1. Open Internet Explorer to the following URL : 2. It is normal for the page to take a few moments to open. Choose <Machine> as the LDAP host name. Use cn=root as the user name and passw0rd for the password. Click Login to log on. 3. Make sure Directory server instance is running (You can start IBM Directory Server instance from Windows services or from Web Admin tool) 4. Click Directory Management to expand, and then click Manage entries. 5. You should see some default entries here. This completes the IDS installation.

366 358 IDS Web Administration Tool

367 Appendix D: Enterprise Connect Deployment and Usage Guide D Enterprise Connect Deployment and Usage Guide Deployment of Enterprise Connect Module 360 Usage of Enterprise Connect Module 362

368 360 Deployment of Enterprise Connect Module Deployment of Enterprise Connect Module Deployment of OpenPDM Server Please refer to the deployment guides from ProStep openpdm_installation_en.pdf OpenPDM_PDMLink_connector_manual.pdf PasswordManager PasswordManager batch can be used to generate the KeyStore file that will be used by the batch applications to Export to /Import from PDM data. Example PasswordManagerClient -pw <masterpassword> -ks <keystorefilename> -fme -s <system> [-f <flag>] -u <user> -p <password> [-t] -ts <system> -npw <new_masterpassword> -print -version pwm.bat -ks passwordmanager.kst -s -u demo -p demo Caution: Ideally the system (-s) should be the same as mentioned in OpenPDMClient\plugins\SoapModelPlugIn\config\profiles\<profilename>.profile The PasswordManager file should have the entries for backend.systemid in pdmlink.properties file (mentioned in section B) webdav (systemid same as the webserver path) server openpdm (systemid should be openpdm) server Batch Applications set up Set environment variable ENTERPRISE_CONNECT to the location of the folder that contains OpenPDM interactive/batch clients. In the <ENTERPRISE_CONNECT> folder OpenPDMBatchClients should be the name of the location of batch clients.

369 Appendix D: Enterprise Connect Deployment and Usage Guide Deployment of Enterprise Connect Module 361 The password keystore file generated should be put in the folder <ENTERPRISE_CONNECT>/OpenPDMBatchClients Ensure that there are two batch files namely import.bat and export.bat for batch import and batch export respectively Open the batch files and edit the <JAVA_HOME> variable to point to a java installation. Only java versions above or equal to Java.1.5 are supported Set and Environment variable PDMLINK_PROPERTIES to the location of file that defines connection properties. In the current set up this should point to <ENTERPRISE_CONNECT>/OpenPDMBatchClients/conf/pdmlink.properties Pdtnet2SimManager.xsl should be present in config folder of the batch application. pdmlink.properties should be present in the config folder. The file should contain following entries (values mentioned have to be changed to relevant locations) webdav.location= soapservice.location= et/rpcrouter backend.systemid=pdmlinkconnector@ind-bmaradani.gssl.mscsoftware.com. (The id should be the same as the system option chosen during the keystore file generation) ignore (passwordmanager.location) option this is not currently used xsl.path property should point to the location of Pdtnet2SimManager.xsl. the path should the physical path of the file. Example D:/ /OpenPDMBatchClients/config/Pdtnet2SimManager.xsl Interactive client set up The interactive client should be set up in the folder <ENTERPRISE_CONNECT> with the name OpenPDMInteractiveClient. The plugins folder should have SimManagerPlugin folder SimManagerPlugin\test.bat file The batch file must have the following statement echo %5>%ENTERPRISE_CONNECT%\OpenPDMInteractiveClient\plugins\SimManagerPlugin\log.txt SimManagerPlugin\config\Pdtnet2SimManager.xsl SimManagerPlugin\config\simmanager.config msc.locations.stylesheet property should point to the physical path of pdtnet2simmanager.xsl msc.import.application property should point to the test.bat file mentioned above Running the Interactive client will require presence of appropriate client license on the machine.

370 362 Usage of Enterprise Connect Module Usage of Enterprise Connect Module Batch PDM Import(CSAE) Usage AE can be found in the process actions of a project user should provide the ItemId and the ItemVersionId (they should be a valid entries in the PDM data base). Batch PDM Export (CSAE) Usage AE can be found in the process action on the SOD of any SDMObject

371 Appendix D: Enterprise Connect Deployment and Usage Guide Usage of Enterprise Connect Module 363 User can select Multiple object of different types Use is provided with options to export Files or URL or both. Files Only: only file will be exported to the PDM system URL Only: only the simmanager reference URL will be sent to PDM system. On "OK" SimManagerExport.xml is created in User temp location. This application is taken by OpenPDM batch exporter to export the data to PDM

372 364 Usage of Enterprise Connect Module Interactive PDM Import user can change the project on 'OK', the OpenPDM interactive client comes into the foreground. user can search for the PDM data to be exported to SimManager. After clicking on the "Export to SimManager" button, user has to exit from the application for the import (into simmanager) process start.

373 Index MSC.Fatigue Quick Start Guide Index MSC SimManager Enterprise Edition R3.1 Installation and Administration Guide A activating portals about, 126 confirmation, 146 data file, 141 data file options table, 141 database configuration table, 134 ftp file vault configuration, 136 initialize knowledge base, 139 login, 130 portal instance name, 131 portal selection, 130 properties, 142 remote vault configuration options, 138 setting workspace launcher, 126 specify database configuration, 132 specify director, 128 starting, 127 admin tool, 158 administrative operations, 213 AllowAllAuthenticationManagerImpl, 193 Apache Tomcat download source, 19 error messages, 315 installing, 46 temp folder, 318 application cluster, 16 authentication interface, 193 authorization maintaining, 207 rules and concepts, 180 setting up rules, 207 user profile settings example, 196 B browsers supported, 17 C CATALINA_HOME environment variables, 46 change notification, 178 client-side software configuration table of, 23 command file elements, 214, 215 compute servers, 11 configuration, 14 customizing authentications, 198 D database administrator, 14 database configuration information, 132 database manager settings, 271 types of, 271 database server about, 11 requirements, 16 database system integrator, 14 DB level xml files, 269 delete life cycle action of, 293 demote life cycle action of, 293 deployment directory, 129 deployment specialist, 14 directory locations list of, 29 domains, 213 E Eclipse about, 126 perspective, 127 workspace launcher, 127 elements in command file, 214

374 366 enabling SSL in active directory, 195 end user, 14 enforced (mandatory) policy rules, 297 environment variables CATALINA_HOME, 46 MSC_LICENSE_FILE, 107 error messages, 315 event subscription, 178 external process integrator, 14 F file server about, 11 requirements, 16 file vault server about, 83 types of, 17 files read during the portal startup, 269 FLEXlm about, 17 ftp file vault configuration, 136 ftp server, 83 G general portal information, 120 H hardware platforms supported, 16 I IBM DB2 database server configuration errors, 319 download source, 20 installing, 49 troubleshooting, 319 IBM Tivoli Directory Server, 342 Administration, 354 Installation, 347 IBM WebSphere download source, 19 problems with admin console, 321 installation custom, 148 directory, 129 full/typical, 114 installing to IBM WebSphere, 119 installing database server, 49 IBM DB2 database server, 49 Oracle database server, 79 Tomcat Web application, 46 WebSphere, 34 J job scheduling, 85 L LDAP about, 17 configuration, 14 server, 12 licensed directory access protocol (LDAP) authentication mechanism, 195 LDAPAuthenticationManagerImpl, 193 LDAPUserProfileManagerImpl, 200 life cycle configuration, 297 process definition of, 294 rules definition of, 296 load balancing system, 17 LSF job scheduling/queuing, 85 server, 21 M Microsoft SQL database server download source, 20 mimetype mapping problems, 322 MSC.SimManager about, 8 installing and deploying, 112 topology, 9

375 INDEX 367 O object life cycle, 293 object operations, 213 operational software, 11 optional components descriptions and sources, 21 software, 17 optional policy rule, 297 Oracle database server download source, 20 installing, 79 P PDM integration, 17 perspective defined, 127 policies as sets of rules in object life cycle, 297 policy concerns, 297 policy configuration, 298 policy triggers, 297 portal activation process, 127 portal instance name, 131 portal.properties resource bundle use in LDAP, 201 portals activating, 126 pre-configured Implementations for LDAP, 199 production system about, 13 projects definition of, 214 promote life cycle action of, 293 Q queuing software, 85 R RDA/SDA, 11 relational database server descriptions and sources, 20 types of, 17 release levels, 214 restrictions as used to maintain data integrity, 297 revision change notification, 178 Revision Management, 333 roles and responsibilities defined, 14 S security and user authentication software, 85 servers compute, 11 database, 11 file, 11 file vault, 17 FLEXlm license, 17 LDAP, 12 web application, 12 server-side requirements, 18 SimManager project creation wizard, 127 software requirements, 17 storage, 11 sun grid engine (SGE), 85 system administrator, 14 components, 11 manager, 14 T test environment, 13 U UseDefaultUserProfileManagerImpl, 200 user default role, 208 user.provider.url property, 195 UserProfileManager interface, 199 V views, 127

376 368 W web application server about, 12 description and source, 19 installing, 34 requirements, 16 types of, 17 web browser problems, 323 webmaster, 14 working set definition of, 294 workspace launcher setting, 126 X X virtual frame buffer installing, 99 XmlFileAuthenticationManagerImpl, 194 XmlFileUserProfileManagerImpl, 200