SUNGARD SUMMIT 2007 (sungardsummit.com): A Community of Learning

Managing Your Workflow System
Presented by: Michael Brzycki, SunGard Higher Education
March 20, 2007

Introduction
- Topic: Learn how to leverage and manage the different technical capabilities of Workflow
- Agenda:
  - Architecture
  - Access Control
  - Core Integration
  - High Availability
  - Advanced Integration

Workflow Architecture
- Requirements
- Deployment Architecture
- Key Components

Multi-Tier Architecture
[Diagram. Components shown: Browser, Luminis Web Portal, Web Service Client, Oracle Application Server (HTTP Server (Apache), Oracle Containers for J2EE, OC4J_Workflow), Workflow Engine, Banner SQL Database, E-Mail Server]

Oracle Http Server (OHS) Component
- Apache Web Server
  - Handles http or https requests coming from Web Browser or Web Service before delegating to OC4J_workflow instance.
- Mod_oc4j
  - Apache Module for delegating requests to OC4J J2EE container
  - Can delegate to multiple OC4J instances if cluster present
[Diagram: Oracle Application Server, HTTP Server (Apache), mod_oc4j]

Oracle Container For Java (OC4J)
- J2EE Container
- Enterprise Java beans
- Presentation Logic
- JSPs / Servlets
- Http Sessions
- Workflow Administration Logic
- Automatic Activity Execution
[Diagram: Oracle Application Server, Oracle Containers for J2EE, OC4J_Workflow]

Workflow Engine
- Polls for External Events
- Instantiates new Workflows
- Routes work items to worklists
- Performs workflow and work item life cycle changes

configuration.xml
- Core configuration file for Workflow
  - Data Sources
  - E-mail Server
  - # of connections
  - Port Settings
  - Deployment names
  - Web Protocols
  - Log Settings
- Gets stored in the database during deployment
- Need to update configuration upon any changes and restart any running oc4j and workflow engine instances
  - bin\wftool updatesystem

Bootstrap Files
- A bootstrap file contains administrative data that is normally stored in the database (such as users, roles, workflow definitions) but can be exported in a convenient file archive
- Use bin\export and bin\import to create and push workflow administration data from one system to another
- Use bin\extractwd for extracting a single workflow definition and its dependent objects from an exported bootstrap file

Access Control
- Authentication
- Authorization

Authentication
- Workflow supports several authentication options to provide Single Sign On (SSO) with key integrations.
- Workflow Authentication
  - The users and their passwords are stored internally within the Workflow application.
- External Authentication
  - Allows an external source to be put in place to validate a user password.
- Can have both Workflow Authenticated and Externally Authenticated Users.

External Authentication
Types of External Authentication:
- LDAP Authentication
  - This method allows the user name and password to be authenticated by an LDAP server.
  - Required for Luminis integration.
  - Disables ability within Workflow to change passwords and puts the ownership of passwords in the LDAP server.
- Banner Authentication
  - This method of authentication allows the user name and password to be validated against the Banner database.
  - Desirable when using password expiration with Banner and not using Luminis.
  - Disables ability within Workflow to change passwords and puts the ownership of passwords in the Banner database.

External Authentication Setup cont'd
- A user account that is to be authenticated via an External Authentication source must have External Authentication enabled with the user account name entered below it.
- By default, the same workflow logon id is used.
- Example from User Management page:

Example: Luminis SSO (4.3)
- Edit the LDAPMappingAuthenticator properties in configuration.xml to map to the LDAP server host location and LDAP configuration

    <ExternalAuthentication enabled="true">
      <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
      <Properties>
        <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
        <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389" />
        <Property name="parent.dn" value="ou=people,o=myschool.edu, o=cp" />
        <Property name="rdn.attribute" value="uid" />
      </Properties>
    </ExternalAuthentication>

- Edit the accounts of all workflow users with Luminis accounts to externally authenticate using Luminis IDs

Authorization
- Workflow functionality is guarded by Security Groups and Role Assignments.
- For an end user to view or manipulate a Workflow object, the user must have an effective Role authorized for the Security Group which grants access.
- Example:
  - ug_admin_bcc: Business Component Access
  - ug_admin_events: Business Event Access
  - ug_admin_roles: Role Management Access
- New security groups added in Workflow 4.3 release

Workflow Organizations
- As of Workflow 4.3, Role assignments carry a required Organization property that restricts the objects which the user has access to
- Organizations are defined under Workflow System Administration
- May map to a department or an Institution (under MIF)
- Organizations allow us fine grain control to share or hide Workflow objects between different sets of users

Authorization Example
- For example, Security group ug_admin_modeler_read grants access to view workflow definitions in the Workflow Modeler
- In order to have access to open the modeler and view workflow definitions in the Admissions department:
  - Ensure role is authorized for the security group
    - In Security Management, add Role Authorization Coordinator to ug_admin_modeler_read
  - Assign the user to the role at the organization
    - In Role Management, add a user assignment for jsmith to the role Coordinator at the organization Admissions

Authorization Considerations
- Use wfroot (super user) sparingly
  - Setting up Organizations
  - Command line tools
- Give users/roles enough privileges to do their job and no more
- For Multiple Organizations
  - Decide if business processes will be administered by a central team or by local department leads
  - Establish Business Analysts and Administrators for each Banner MIF institution
  - Business Analysts and Administrators need access at Root in order to modify global objects
    - Business Components
    - Business Events
    - Users and Roles

Core Integrations
- Event Posting
- Data Retrieval via Automated Activities
- E-mail

Workflow Events
- Events are SIGNALS to workflow to do something
- Table Updates = Workflow Events
- Events may carry Information
  - Keys for later primary key lookup
  - Data for evaluating event guard conditions
  - Department or MIF codes
  - Names, e-mail addresses, etc

Recipe for Creating an Event
- Define the Event in Banner
- Define the Event in Workflow (Event Wizard)
- Add a database trigger to fire the event to workflow
  - Gokparm.sendParameterList( name, parameters )

    DECLARE
      v_params gokparm.t_parameterlist;
    BEGIN
      ...
      Gokparm.Send_Param_List('APPLICATION_SUBMITTED', v_params);
      ...
    END;

Event Guards
- You may not want to fire a workflow on every update to Student Admissions (SARCHKL)
- Place a guard (if condition) in the trigger starting the event
  - Fine if only a single workflow is mapped to event
- Define an Event Guard Condition in Workflow
  - Each workflow to event association may have its own guard condition
  - Sufficient Event Parameters Must Be Provided
- Check a decision early in the workflow to stop the process if necessary.
  - Not efficient but sometimes necessary

Working with Events
- Events may be generated manually via the Simulate Event button in Workflow (useful during modeling)
- Event Failure may arise when required Event Parameters are omitted or when there is inadequate mapping to an effective Workflow Model
- Failed events may be Replayed
- Event processing may be temporarily disabled (useful during maintenance)
  - Configuration.xml (enabled flag)

    <EventDispatcher>
      <EventProvider name="banner W-Event Provider #1"
                     classname="com.sct.workflow.engine.externalevent.provider.bannertableexternaleventprovider"
                     enabled="true">

Data Retrieval via Automated Activities
- Retrieve Additional Information from the Banner DB or any other DB with internal SQL Automated Activities
- Fetched data is mapped into context parameters and may be used as part of our e-mail notification.

Automated Activities
- Three kinds of Automated Activities
  - Automated Stored Procedure
  - Automated SQL Query
  - External Automated Activity (ex. Perl Script)
- Launch Parameters and Parameter Mappings are used to share information between an activity and a workflow

Creating the Get_Applicant_Details Activity
- Formulate your query
- Register the query as a Business Component
- Associate the Business Component to Activity Definition Step in the Workflow Model
- Map the Parameters

SQL Query vs. Stored Procedure
- SQL Query
  - Queries only
  - Quick to Make
  - Possibly done by Business Analyst
- Stored Procedure
  - Pre-compiled
  - Can perform Updates
  - Complex operations
  - Requires IT resource

Data Sources
- Configuration Wizard is used to set up the initial Banner Automated Activity Data Source
- You can add additional Data Sources by editing the configuration.xml and tying to a Product Type

    <DataSources>
      <DataSource name="MyDatabase">
        <Url>jdbc:oracle:thin:@localhost:1521:mydb</Url>
        <Username>wombat</Username>
        <Password>appler0cks23</Password>
      </DataSource>
    </DataSources>

- Data Sources may be used to segregate access, refer to other Oracle databases, and even access non-oracle (ex. SQL Server) databases via JDBC-ODBC driver

E-mail
- Send notifications with built in E-mail Activity
- Works with any SMTP compliant Mail Server
- Configuration is defined during installation
  - Configwizard
- Workflow Context Parameters can be used in any of the e-mail parts (to, from, subject, body, etc)

Workflow Modeler: E-mail Editor
[Screenshot]

E-mail Alerts
- Allow alerts to be raised and processes halted when the system has failed to send a notification on behalf of an e-mail activity
- During workflow modeling, set the e-mail failure response to either:
  - Ignore (default): simply log error in workflow log file and continue processing to next activity in workflow
  - Warn: publish an information Alert but continue processing to next activity in workflow
  - Stop: publish an alert and suspend the current workflow thread

E-mail Alerts continued
[Screenshot]

E-mail Alerts continued
- Note: An e-mail is considered successfully sent if all the recipient addresses are well formed and the e-mail server accepts the message. It is not a guarantee that all recipients actually received the message sent.

High Availability and Failover
- Clustering Concepts
- Oracle Application Server Clustering
- Workflow Engine Clustering

Clustering
- Cluster: a group of servers and other resources that act like a single system and enable high availability and, in some cases, load balancing and parallel processing
  - Allows for Failover
  - Promotes scalability
- Both the Oracle Application Server and the Workflow Engine may be clustered

Managed Clusters in Oracle Application Server
- Set up cluster using Application Server Control (Enterprise Manager) or command line tools
  - In Oracle 10.1.2 (R2), must create Farm first
  - Create cluster
  - Create OC4J instance
  - Deploy workflow ear from application server control interface
  - Configure Load Balancer
- Cluster configuration storage
  - 10.1.2 (R2): File-based or Oracle Infrastructure
  - 10.1.3 (R3) (Future support with pending 4.4): Dynamic Discovery (multi-cast) or Discovery Server

Some Load Balancer Options
- Hardware Load Balancer
  - More reliable in practice
  - Multiple Http Servers avoids yet another single point of failure
  - Route based on IP address, etc.
- Software Load Balancer (mod_oc4j)
  - Easy to set up / inexpensive
  - Single Http Server (Apache) dispatching to multiple OC4J instances
  - Route based on server load, affinity, weights, etc.

Hardware Load Balancer
[Diagram. Components shown: Browser, Hardware Load Balancer, and two Oracle Application Servers, each with HTTP Server (Apache) and Oracle Containers for J2EE running OC4J_Workflow]

Software Load Balancer (mod_oc4j)
[Diagram. Components shown: Browser, Cluster / Farm, Oracle Application Server with HTTP Server (Apache) and mod_oc4j, Oracle Application Servers with Oracle Containers for J2EE running OC4J_Workflow]

Additional Oracle App Server Set-up Tips
- Do not refer to localhost in Workflow's configuration.xml or configwizard
- Absolutely keep the time clock on all server nodes synchronized to the exact same time of day!!!
- Each member of a cluster must be on a common OS (R2)
- Make changes to cluster and configuration files using Application Server Control (Enterprise Manager) as much as possible
  - Keep OPMN in sync
- Do not turn on state replication

Workflow Engine Clustering
- Increases scalability and failover for areas of the system that deal with core workflow instance and event handling
- Basic Recipe:
  - Add new engine instance in configuration.xml using configwizard
  - Copy engineinstaller.jar from workflow home to target server and directory location
  - Extract contents (jar xf engineinstaller.jar)
  - Install (java -jar engine.jar install)
  - Start new engine (bin/startengine)

Multiple Engine Set-up Tips
- Possible to run multiple engines on single server
  - Edit configuration.xml to have multiple engine configs
  - For example, main and main2
  - Use different ports for each engine configuration
- If you change the Workflow datasource properties, you will need to roll out a new engine installer. Any other changes to configuration.xml simply require a restart
- (Again) Absolutely keep the time clock on all server nodes synchronized to the exact same time of day!!!
- No load balancer: engine nodes cooperate with each other

Advanced Integrations
- Luminis Integration
- MIF Enabled Banner
- Custom or Third Party Integration

Luminis Integration
- Workflow provides three channels for inclusion in your portal home page
  - Worklist channel for work item notification
  - Shortcuts channel to starting workflows manually
  - Alerts channel for process administration
- Single Sign On for seamless traversing
- Luminis Look and Feel

Workflow Luminis Channels
[Screenshot. Workflow Channel Suite: Worklist, Shortcuts, Alerts]

Integrated Workflow-Luminis Tab
- Full Product immersion via Tabbed Interface
- Single Sign On
- Luminis Look and Feel

Connecting Workflow and Luminis
- Enable Luminis Integration and External Authentication
  - configuration.xml
  - Luminis ldap server
- Deploy the Workflow Channel stub
  - wftool car
  - Copy workflow.car to Luminis cars directory
- Register the workflow system with Luminis
  - configman -i workflowcar.properties
- Publish the channels using Luminis Channel Admin

One more thing on setting up Luminis SSO
- Edit the LDAPMappingAuthenticator properties in configuration.xml to map to the LDAP server host location and LDAP configuration
  - Point to same LDAP server (internal or external) that Luminis uses
  - Define search.user and search.password if not accessing LDAP server anonymously

    <ExternalAuthentication enabled="true">
      <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
      <Properties>
        <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
        <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389" />
        <Property name="search.user" value="uid=wfsearcher,o=myschool" />
        <Property name="search.password" value="password" />
        <Property name="parent.dn" value="ou=people,o=myschool.edu, o=cp" />
        <Property name="rdn.attribute" value="uid" />
      </Properties>
    </ExternalAuthentication>

- Most support calls fall under the parent distinguished name or search user authentication to LDAP server not set correctly
- Configuration properties will change slightly in pending 4.4 to accommodate changes with Luminis IV

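An added example, not part of the original presentation or the product: a small Python audit of a configuration.xml built from the fragments on the External Authentication and Data Sources slides. It flags ldap:// provider URLs, passwords stored in the file, anonymous LDAP search, and the localhost references the clustering tips warn against. The `<Configuration>` root element and the rule names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments on the slides. The
# <Configuration> root element is an assumption (the slides never show it).
SAMPLE = """<Configuration>
  <ExternalAuthentication enabled="true">
    <ClassName>com.sct.workflow.security.LDAPMappingAuthenticator</ClassName>
    <Properties>
      <Property name="java.naming.provider.url" value="ldap://myserver.myschool.edu:389"/>
      <Property name="search.user" value="uid=wfsearcher,o=myschool"/>
      <Property name="search.password" value="password"/>
      <Property name="parent.dn" value="ou=people,o=myschool.edu, o=cp"/>
      <Property name="rdn.attribute" value="uid"/>
    </Properties>
  </ExternalAuthentication>
  <DataSources>
    <DataSource name="MyDatabase">
      <Url>jdbc:oracle:thin:@localhost:1521:mydb</Url>
      <Username>wombat</Username>
      <Password>appler0cks23</Password>
    </DataSource>
  </DataSources>
</Configuration>"""

# "localhost" or the loopback address as a whole host name, not a substring.
LOCALHOST = re.compile(r"(?<![\w.-])(localhost|127\.0\.0\.1)(?![\w.-])", re.I)


def audit(xml_text):
    """Return sorted (rule, location) findings. Rule names are this example's own."""
    root = ET.fromstring(xml_text)
    findings = set()

    ext = root.find(".//ExternalAuthentication")
    if ext is not None and ext.get("enabled", "").lower() == "true":
        props = {p.get("name"): p.get("value", "") for p in ext.iter("Property")}
        url = props.get("java.naming.provider.url", "")
        # ldap:// does not itself provide TLS, so the bind password may
        # cross the network in clear text.
        if url.lower().startswith("ldap://"):
            findings.add(("cleartext-ldap", url))
        # No search.user means the directory is searched anonymously.
        if not props.get("search.user"):
            findings.add(("anonymous-ldap-search", url))
        if props.get("search.password"):
            findings.add(("stored-password", "ExternalAuthentication/search.password"))

    # Every DataSource keeps its database password in the file.
    for ds in root.iter("DataSource"):
        if (ds.findtext("Password") or "").strip():
            findings.add(("stored-password", "DataSource/" + ds.get("name", "?")))

    # The clustering tips say not to refer to localhost in configuration.xml.
    for el in root.iter():
        for value in [el.text or ""] + list(el.attrib.values()):
            if LOCALHOST.search(value):
                findings.add(("localhost-reference", value.strip()))
    return sorted(findings)


if __name__ == "__main__":
    for rule, where in audit(SAMPLE):
        print(f"{rule:22} {where}")
```

Because the slides note that configuration.xml is stored in the database during deployment, any password the audit reports exists in both places and both need access restrictions.
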
MIF Enabled Banner
- MIF architecture uses Oracle Virtual Private Database (VPD) to segregate data among institutions in a single database
- Each institution is given a unique MIF code (or rather VPDI_CODE)
- Any MIF enabled tables (or modules) will contain an additional VPDI_CODE column.
- When a MIF enabled table is queried, the architecture applies the current MIF code as an invisible Where clause against the VPDI_CODE column
- MIF code is set by calling a stored procedure before making the query

How Workflow Handles MIF
- Workflow uses Organizations to get same benefits and to communicate with MIF enabled Banner
  - Cost efficiency of managing a single deployment
  - But with the Data separation similar to multiple deployments
- Organization represents a MIF institution rather than simply a department in this scenario
- Each Organization may be assigned a MIF code
  - Required when launching or querying an object in Banner that is using MIF
  - Workflow will look up the MIF code for the current workflow instance when communicating with Banner
  - Do not set MIF code if the Banner object is not using MIF

Setting the MIF Code
- Assign the MIF Code for each child organization to corresponding VPDI_CODE being used in MIF Banner

Launching MIF Banner from Workflow
- Workflow and Banner target must be kept synchronized. If the workflow instance has a MIF code assigned, then the target Banner system must be MIF enabled.
- Launched Banner session will be locked to the MIF code associated with the workflow instance
  - VPD selector in Banner will be disabled
- Subsequent launches will reuse existing Banner session if the MIF code is the same.
- If a Banner work item for a different MIF code is launched, a new Banner session will be opened to service the launch request.

Querying the MIF Banner Database
- Two new MIF-aware (automated activity) Technology Types have been added to Workflow 4.3 to handle a SQL query or calling a stored procedure against the Banner database.
  - MIF-aware SQL Query
  - MIF-aware Stored Procedures
- Define just like regular (non-MIF) automated activities.
- The MIF code will be set automatically in Banner before performing the database operation
  - Workflow Alert if the MIF code is not assigned.
- Separate Bootstrap
  - MifTypes.xml (provided with Banner Seed Data & Examples)

Custom or Third Party Integration
- Workflow has long supported launching of desktop applications, access to external databases, and fire-and-forget launching of server side scripts.
- For increased custom integration or simply to extend the capabilities of the Workflow product, Workflow now offers a Web Service API for communicating back and forth between workflow.

Workflow Web Service
- A web service allows different machines to communicate over a network using existing web technologies.
- The Workflow Web Service adheres to the WS-I Basic Profile 1.1 specification which is well supported among both Microsoft and Java development kits.
  - Specifies a Web Services Description Language (WSDL) file for describing operations and messages.
  - Developer Friendly
  - Based on SOAP and XML

Workflow Web Service Messages
- The Workflow Web Service provides a set of messages (operations) that can be passed between your custom application and Workflow
  - Event Creation: postexternalevent
  - Data Passing: getworkitemcontext, setworkitemcontext
  - State Manipulation: completeworkitem, releaseworkitem

workflow.wsdl
[Screenshot]

Workflow Bundled Examples
- Found in \examples\ws
- Full source code and bootstrap data
- Transfer Student example is a scenario for posting events from the command line, perhaps to call from a batch or shell script or even the Windows scheduler.
- Get Stock Quote example demonstrates using a business component to call out to another web service. In this example, it obtains a delayed stock quote from a public service. The value is returned to workflow via a setworkitemcontext xml message to the workflow web service.

postexternalevent Request (TCPMON)
[Screenshot]

Developing and Deploying Custom Applications
- When developing/testing new components, write tracer messages to an application log to monitor if the application performed correctly
- Do not assume environment or path variables are correct the first time
- Automated Activity Scripts need to be accessible from the same Oracle Application Server that is calling out to them
- Desktop applications need to be accessible from user's client machine
- No SSO mechanism for external web interfaces at this time

Summary
- Architecture
  - Modern tiered design accessing business objects in an Oracle Application Server
- Access Control
  - Banner and Luminis SSO
  - Security Group authorization
- Core Integration
  - Event, SQL, and E-mail Oh my!
- High Availability
  - Clustering for Failover and Scalability
- Advanced Integration
  - Luminis Set-up
  - MIF Banner
  - Third party integration via Web Services

Questions & Answers

Thank You!
Michael Brzycki
Michael.Brzycki@sungardhe.com
Please complete the online class evaluation form

SunGard, the SunGard logo, Banner, Campus Pipeline, Luminis, PowerCAMPUS, Matrix, and Plus are trademarks or registered trademarks of SunGard Data Systems Inc. or its subsidiaries in the U.S. and other countries. Third-party names and marks referenced herein are trademarks or registered trademarks of their respective owners. © 2007 SunGard. All rights reserved.