EASYVISTA 2013 Installation Guide
Installation Guide
Last update : May 24th, 2013
24/05/2013
EasyVista 2013
Installation Guide
Summary
A. New in this document linked to EasyVista versions
A.1. New in EasyVista 2012
A.2. New in EasyVista 2010
A.3. New in EasyVista 2009
B. Presentation
B.1. Prerequisites
B.2. Overall installation process
B.2.1. 1 Installation preparation
B.2.2. 2 Main installation process
B.2.3. 3 Installation of complementary INSIDE components
B.2.4. 4 Installation of complementary OUTSIDE components
B.2.5. 5 Validation document
E.3.4. Choose the kind of operation you want to do on the account
E.3.5. If you selected UPDATE AN ACCOUNT INFORMATION
E.3.6. If you selected REINITIALIZE A DATABASE ACCOUNT
Z.10. Configuring SSO with IIS on the EasyVista server
Z.10.1. Description
EasyVista Extending
security of SSO exchanges
Single Sign On
EasyVista 2010 can now use the native database server indexation
features to improve full text search through EasyVista interface
LDAP Preimport
Google Maps
SCHEDULER as a specific
service
A dedicated log file has been added to help you troubleshoot the
issues linked to e-mails. See P.3.1 Check the dedicated log file for email issues
LDAP/AD authentication
and Easyvista
authentication available
simultaneously
How to configure
Easyvista when the SMO
Server must access to the
web resource folder
Running Integration
processes from a dos
batch or any process
scheduler
B. Presentation
B.1. Prerequisites
Easyvista prerequisites are described and kept up to date in the latest version of the document EASYVISTA
TECHNICAL WHITE PAPER. Refer to it to validate your platform configuration.
Configuration files
Table | Supported encoding | Parameter
A_COMPANY | ASCII | DIRECTORY
A_PARAMETERS | ANSI | SMTPServer, SMTPUsername, SMTPPassword
A_SMTP | ANSI | SERVERNAME, USERNAME, PASSWORD
SD_EXTERNAL_WEBSERVICE | ASCII | SERVICE, PORT, FUNCTION_NAME, SERVICE_LOGINNAME, SERVICE_PASSWORD, SERVICE_PROXY
A_PARAMETERS | ANSI | DOCUMENT_SHARE_CERTIFICATE_PATH, DOCUMENT_SHARE_LOGIN, DOCUMENT_SHARE_PASSWORD
SD_MAILBOX | ANSI | MAIL_SERVER, MAIL_USER, MAIL_PASSWORD
AM_PARAMETER | ANSI | MAPI_PASSWORD, MAPI_PROFILE_NAME
B.1.1
Others
Support
Supported encoding
Parameter
All
ASCII
Databases
ASCII
PHP files
ASCII
Resources
ASCII
Description
Web server
Application server
Database server
Description
Web pages
The PHP web pages are in charge of serving the web pages
requested by the Easyvista users.
Web pages are installed and running on each web server of
the platform.
This is the core of Easyvista. This service knows all the rules
of the product.
There can be more than one active SMO Servers for
redundancy or to improve performances.
SMO Broker
SMO PrintServer
SMO Backoffice
processes
preparing data for further integration by Easyvista
There can only be one active SMO Backoffice on a platform.
For platforms importing a lot of discovery assets, it's
recommended that a server be dedicated to discovery imports,
or at least that imports be scheduled during non-working hours.
SMO Monitoring
Description
Web Server
SMTP Server
POP3 Server
IMAP Server
FTP Server
LDAP Server
ACTIVE Directory server
C. Installation preparation
C.1. Why do you have to prepare the installation?
C.1.1. Define the platform architecture
First, this is the phase during which you will definitively validate the architecture of the platform
(especially how many servers according to the number of users that will be connected).
C.1.3. Validate what has been bought and what you'll have to do
Check which installation must be done according to the order (production, test, development, etc).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxUserPort ->60 000
TcpTimedWaitDelay -> 30
The database client must be installed and configured to access the database server.
C.4.9. Firewall
Check that the necessary ports have been opened according to the preparation document.
C.5.2. Antivirus
Check that:
on the application server, the antivirus does not scan the LOG folder of Easyvista
on customer PCs that will use Easyvista, the antivirus considers the JavaScript files sent
by Easyvista as safe
D.2. Legend
In the next part, the most common choices done during the setup process are displayed like this: this
is a most common choice during the setup.
D.4. Installation
D.4.1. Start the setup
The SETUP must be executed from the application server using Run as Administrator.
Choose the language to use during the setup and CLICK NEXT.
This folder will contain the temporary files extracted from the SETUP and should have about 1Gb of
free space.
Click NEXT
Click NEXT
Click NEXT
Select the folder where your licenses are or leave the field blank.
Click NEXT.
If you did not select a folder, a message tells you that you'll be able to integrate them later using the
Easyvista administration interface.
Click NEXT.
LOCAL means that they will be installed locally. If you select WEB SERVER LOCAL and
Apache is not already installed, the setup will propose to install it during the installation
process.
DISTANT means that they are on another server than the application server
Once the file is uncompressed, the STEP screen should show you that the uncompress file step is done,
and that the monitoring service is now installed and running (you should see the version of the
monitoring service).
Click NEXT.
AUTOMATICALLY CREATE THE CONTAINERS: This is the default. The containers will
be automatically created during the next steps, without human action. In this case you
cannot check the script used, or change the default options that we use.
Generate a SQL SCRIPT: The setup will generate a script that you will execute manually to
create the containers. You'll be able to check the way we'll create the containers or even
change some options.
CONTAINERS HAVE ALREADY BEEN CREATED: In this case, the containers have already
been created by the DBA before the installation. The setup will only check that they are
correctly created.
Choose how you want to create the containers and click NEXT.
Click Next.
Mind that this is the local path on the database server, even if it's distant.
Type the password assigned to the Easyvista accounts (defined during the execution of the
script).
The script is generated and opened in a Notepad window. Execute it manually on your
database server to create the containers. If you close the Notepad window by mistake, you can
recreate the script with the REGENERATE button.
Click Next.
Mind that this is the local path on the database server, even if it's distant.
Type the password assigned to the Easyvista accounts (defined during the execution of the
script).
Type the PORT used to access the SQL Server instance. This field is mandatory. Local
aliases will be created to simplify the access to SQL Server and used during connections.
Automatic negotiation of SQL instance ports is not supported: you must configure a fixed port on
your SQL instance.
Type the credentials of an SQL Server account granted the rights to create databases, users,
etc. You can use the TEST button to check if your credentials and connection information are
correct. If the connection is not successful, try to connect to the instance with a query manager
and the credentials you used in the setup.
Leave the value found for the path of BCP.EXE or change it if not correct.
Click Next.
The creation of the three Easyvista accounts and system objects is now running. Wait until the NEXT
button is available again.
INVALID VARIANT OPERATION error message: you can find more information in the
SMOMONITORING_LOG_xxx.LOG file, in the tools\monitoring\log subfolder of the destination
Easyvista folder. You'll have to send this page to the technical support if you encounter this
error.
Once you see the message EASYVISTA DATABASE INITIALIZED SUCCESSFULLY, Click NEXT.
The summary page shows you where you are in the installation process.
Click NEXT.
If you don't want to install SMOBackoffice on this machine, uncheck the INSTALL BACKOFFICE
option. In this case, the following chapter will not be used.
Click NEXT.
D.4.14. Configure the way collection points will send data to the backoffice
server
On this page, you'll configure the default protocols that your collection points will use to send data to
the Easyvista backoffice server:
FTP : Data will be sent through an FTP folder that must be accessible by both the collection
points and the backoffice server
SMTP / POP3 : Data will be sent by SMTP and retrieved by POP3. The SMTP/POP3 account
must be accessible from the collection points and the backoffice server.
The mail server must allow attachments with password secured zip files.
LOCAL : This option is only useful if you have one or more collection points in the same LAN
as the backoffice server.
Click TEST if you want to check the correct access to the FTP or SMTP account.
Click NEXT.
PORTS : Use the default values because these ports are free of use, meaning that they are not
already reserved for a public software. Change them only if another software already uses them, or if
you have several Easyvista platforms in the same network.
IP ADDRESSES : Leave the local IP address if you have a mono server installation. Otherwise use
the IP addresses of the application server.
Prefer IP addresses over SERVER NAME for multiple server platforms to avoid potential
contention due to DNS accesses.
Define the URL that will be used to access Easyvista. This link will be used in autologon e-mails:
don't forget HTTPS or port override (:8080 for example) if needed. Do not use http://localhost/ !
Click NEXT.
Warning : if you're installing Easyvista with an SQLserver 2012, the service MSSQLexe may refuse to
install with an error message of this kind :
Click NEXT.
The NEXT button will be available only when the APACHE installation is done.
Click on the INSTALL APACHE button. And follow the Apache Installation process:
Once APACHE is installed, you should see a new in the lower right area of your screen.
Click NEXT.
The summary page shows you where you are in the installation process.
Click NEXT.
The last page allows you to connect to Easyvista. If you use a distant server, be sure to copy the
Easyvista PHP pages and configure your web server before.
Choose the language to use during the setup and CLICK NEXT.
This folder will contain the temporary files extracted from the SETUP and should have about 1Gb of
free space.
Click NEXT
Click NEXT
Click NEXT
Fill in the Easyvista application parameters depending on your installation. You should leave the port
fields unchanged for a standard installation, but you have to fill in the correct IP address to access the
Easyvista application services.
Click NEXT
Once the copy is done, if the setup did not detect Apache locally, it will propose to install Apache.
See the OPTIONAL : Apache Installation chapter in the Installation section of this document for
more information.
Only one Broker service must be active : the setup will install but not start the broker service
on the new application server
Only one Backoffice service must be active. The setup will not install it on the application
server.
Choose the language to use during the setup and CLICK NEXT.
This folder will contain the temporary files extracted from the SETUP and should have about 1Gb of
free space.
Click NEXT
Click NEXT
Click NEXT
Once the copy is done, fill in the parameters as defined in the If you choose CONTAINERS HAVE
ALREADY BEEN CREATED chapter of the Installation section.
Click NEXT
Fill the port and IP address of the Primary broker of the platform. The IP address is the address
of the server on which the first Broker service has been installed.
Click NEXT
Leave the port and IP address of the local services as defined, or change them depending on
your configuration.
Click NEXT
Choose the language to use during the setup and CLICK NEXT.
This folder will contain the temporary files extracted from the SETUP and should have about 1Gb of
free space.
Click NEXT
Click NEXT
Or Choose REINITIALIZE A DATABASE ACCOUNT. Choose this option if you want to completely
reinitialize the account.
You'll lose all the data stored for this account and all the configuration changes
you've already done (filters, screens, etc). Be sure to back up the data and config
database before doing this.
Click NEXT
The application service (SMOServer) must be restarted to integrate this change. Leave the checkbox
selected to restart the service now, or unselect it to restart the service later.
Only the local application service is restarted. If you have more than one
application server, you must restart the other services manually on each application
server.
Click NEXT.
Click NEXT.
Select the account you want to update. The above fields are immediately updated and filled with this
account information.
Wait until the initialization operation is finished. A message box will confirm that the initialization is
successful.
Click NEXT.
The application service (SMOServer) must be restarted to integrate this change. Leave the checkbox
selected to restart the service now, or unselect it to restart the service later.
Only the local application service is restarted. If you have more than one
application server, you must restart the other services manually on each application
server.
Click NEXT.
Choose the language to use during the setup and CLICK NEXT.
This folder will contain the temporary files extracted from the SETUP and should have about 1Gb of
free space.
Click NEXT
Click NEXT
Click NEXT
Click NEXT.
This can only be a number and must not be an existing account number!
Click NEXT.
Wait until the initialization operation is finished. A message box will confirm that the creation is
successful.
Click NEXT.
The application service (SMOServer) must be restarted to integrate this change. Leave the checkbox
selected to restart the service now, or unselect it to restart the service later.
Only the local application service is restarted. If you have more than one
application server, you must restart the other services manually on each application
server.
Click NEXT.
The CREATE NEW ACCOUNT report is displayed and stored in the log folder.
If there's a lack of disk space on the disk storing the www folder
Or if the resource folder needs to be on a network disk for security or disk space reasons
Step: Create an Apache Alias
Action: In Httpd.conf, add an alias and a directory pointing to the local resource
folder (mind to use / and not \ in the path):
Alias /resources/ "D:/storage/resources/"
Step: A_PARAMETERS
Step: Config/smo_config.php in the www folder
Action:
define('PHYS_RESOURCES_PATH', 'D:/storage/resources/');
Thumbnail upload cannot be used through the EasyVista interface with this
configuration and should be done manually. All other uploads work fine.
Step: Create an Apache Alias
Action: In Httpd.conf, add an alias and a directory pointing to the local resource
folder (mind to use / and not \ in the path):
Alias /resources/ "//MySharedFodler/resources/"
<Directory "//MySharedFodler/resources/">
Step: Configure A_PARAMETERS
Step: Config/smo_config.php in the www folder
Action:
define('PHYS_RESOURCES_PATH', '\\\\MySharedFodler\\resources\\');
Step
Action
Configure
A_PARAMETERS
Step
Action
Share the resource folder and grant the rights for the user on the
web server.
Either add a line in fstab
//MyWindowsServer/MySharedFolder /var/www/[Site_WEB_EZV]/resources cifs uid=[owner_apache],gid=[owner_apache],username=[Login_Windows],file_mode=0777,dir_mode=0777,iocharset=iso8859-1,password=[Password_Windows] 0 0
Step
Action
Share the resource folder and grant the rights for the user on the
application server that will run the EasyVista service
Configure the
EasyVista services
Configure
A_PARAMETERS
The resource folder is placed on the Linux web server and shared using the SAMBA protocol.
The application servers must run on a windows account that has been granted the right to access the
SAMBA folder.
Step
Action
Share the resource folder using SAMBA and grant the rights for
the user on the application server that will run the EasyVista
service
Configure the
EasyVista services
Configure
A_PARAMETERS
Step
Action
Configure the
EasyVista services
Configure
A_PARAMETERS
//MyWindowsServer/MySharedFolder /var/www/[Site_WEB_EZV]/resources cifs uid=[owner_apache],gid=[owner_apache],username=[Login_Windows],file_mode=0777,dir_mode=0777,iocharset=iso8859-1,password=[Password_Windows] 0 0
Or run a mount command
mount -t cifs -o username=[Login_Windows],password=[Password_Windows],uid=[owner_apache],gid=[owner_apache],iocharset=iso8859-1 //MyWindowsServer/MySharedFolder /var/www/[Site_WEB_EZV]/resources
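Both the fstab line and the mount command above carry the Windows password inline and the fstab line mounts the share with 0777 modes; /etc/fstab is normally world-readable and command-line arguments show up in the process list. The following added example (not part of the EasyVista guide) flags such entries and rewrites the options to use the credentials= file that mount.cifs supports. The account name, paths and the 0660/0770 modes are assumptions to validate on your platform.

```shell
#!/bin/sh
# Added example, not from the EasyVista guide. Names, paths and modes are assumptions.

# Constructed sample in the shape of the guide's fstab line (placeholder values).
SAMPLE_FSTAB='//MyWindowsServer/MySharedFolder /var/www/ezv/resources cifs uid=apache,gid=apache,username=svc_ezv,file_mode=0777,dir_mode=0777,iocharset=iso8859-1,password=CHANGE_ME 0 0'

# audit_cifs_fstab FILE
# Prints "<mountpoint>: <finding>" for every cifs entry that stores the password
# inline or mounts files/directories writable by everyone.
audit_cifs_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $3 == "cifs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^password=/)
                    print $2 ": inline password"
                # last octal digit 2, 3, 6 or 7 means "other" has write access
                if (opt[i] ~ /^(file|dir)_mode=0?[0-7][0-7][2367]$/)
                    print $2 ": world-writable " opt[i]
            }
        }
    ' "$1"
}

# harden_cifs_options OPTIONS CREDFILE
# Rewrites a comma-separated option list: username=/password= are dropped in
# favour of credentials=CREDFILE, and file_mode/dir_mode lose "other" access.
# The 0660/0770 modes are an assumption: they fit a share that only the Apache
# owner and group need to reach.
harden_cifs_options() {
    printf '%s\n' "$1" | awk -F, -v cred="$2" '
        {
            out = "credentials=" cred
            for (i = 1; i <= NF; i++) {
                o = $i
                if (o ~ /^(username|password)=/) continue
                if (o ~ /^file_mode=/) o = "file_mode=0660"
                if (o ~ /^dir_mode=/)  o = "dir_mode=0770"
                out = out "," o
            }
            print out
        }'
}

# write_cifs_credentials FILE USER PASSWORD
# Creates the credentials file read by mount.cifs, readable by its owner only.
write_cifs_credentials() {
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"      # also tightens a file that already existed
}

# Typical use (as root):
#   audit_cifs_fstab /etc/fstab
#   write_cifs_credentials /etc/cifs-ezv.cred svc_ezv 'the password'
#   harden_cifs_options "$current_options" /etc/cifs-ezv.cred
```

The same credentials= option can be passed to `mount -t cifs -o`, which keeps the password out of the command line as well.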
Step
Action
Configure the
EasyVista services
Configure
A_PARAMETERS
X86 : http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=bc9b9f0f-830e-409c-a211-dcea1b4d9860
x64 : http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b74e3b35-b77c-4191-9ac4-8307423d09ec
On the right panel, click on ADD MODULE MAPPING to configure FAST CGI with IIS.
The EXECUTABLE field must point to the php-cgi.exe file you've copied when decompressing the
PHP installation file.
Click on APPLY.
icon.
Install a package using your OS package distribution system (rpm, yum, etc.)
Download and compile the sources of PHP from http://www.php.net
Download an alternative package from http://www.php.net/downloads.php and choose your
Linux distribution from the left column
H.2.2. XCache
The XCache PHP module is used to improve PHP performance by caching the preparsed pages
instead of reparsing them each time.
The XCache module can be found here : http://xcache.lighttpd.net
The installation process is mainly:
# cd /opt
# wget http://xcache.lighttpd.net/pub/Releases/1.3.0/xcache-1.3.0.tar.gz
# tar xzf xcache-1.3.0.tar.gz
# cd xcache-1.3.0
# phpize
# ./configure --enable-xcache
# make
# make install
Once installed, copy the xcache.ini file available in the temporary xcache-1.3.0 folder to /etc/php.d and
configure the following lines:
[xcache-common]
zend_extension = /usr/lib/php/modules/xcache.so
[xcache]
xcache.size = 64M
$ php -v
expose_php = Off
zend.ze1_compatibility_mode = On
max_execution_time=300
max_input_time=300
memory_limit=192M
post_max_size=96M
upload_max_filesize=30M
session.use_cookies=0
magic_quotes_gpc = Off
session.use_trans_sid=0
AddDefaultCharset ISO-8859-1
session.save_path= PHP_FOLDER\session_tmp
session.gc_maxlifetime = 18000
file_uploads = On
session.name = PHPSESSID
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 18000
session.cache_expire = 180
If there's enough memory, the session can be stored in the shm folder (ram disk). This configuration
can improve performance but only if there's enough free memory (see top results).
session.save_handler = files
session.save_path="/dev/shm/session_tmp"
By default, caching configuration is managed by EasyVista with the .htaccess file (.htaccess is used if
AllowOverride All is configured in the <DIRECTORY xxx> of Httpd.conf)
ExpiresActive On
ExpiresDefault A36000
Configuration can also be done in HTTPD.CONF if AllowOverride None is set in HTTPD.CONF for
security reasons. Depending on the server configuration, this should be added either in
<DIRECTORY> or <LOCATION>.
ExpiresActive On
ExpiresByType image/png A360000
ExpiresByType image/gif A360000
ExpiresDefault A36000
You can use Internet Explorer Options to check if the EasyVista static resources are correctly cached
locally.
In the list of displayed files, look for EasyVista static resources and check the EXPIRES column.
The value for these resources should be greater than the last access (at least 10 hours greater for
a standard EasyVista installation). Check several kinds of static resources (JS, CSS, GIF, PNG) to
be sure that they are all cached.
H.3.3. Keep-alive
When Keep-alive is configured, performance can be improved because negotiation
between the web browser and the web server is not done systematically but only when the keep-alive delay is over.
Configuration is done in HTTPD.CONF:
KeepAlive On
MaxKeepAliveRequests 150
KeepAliveTimeout 15
You can check with HTTPWATCH if keep alive is enabled or not by displaying twice a page during the
keep-alive delay.
Yellow blocks are connections to the web server. The first display shows connections, but not the
second one, because they are reused due to keep-alive.
Add the following lines on <LOCATION> or anywhere else corresponding to your configuration:
You can use HTTPWatch or any other HTTP sniffer to check if compression is enabled.
On EasyVista pages (Operation / Home for example), refresh pages using CTRL-F5 to force
the static resources to be reloaded.
Check the size in the RECEIVED column for the TINY_MCE.JS file : it should be about 50Kb if
compression is well configured, and more than 150Kb if not.
AddDefaultCharset ISO-8859-1
Change the HTTPD.CONF file to have the following line configured (either in one of the already
existing LogFormat lines or in a new one):
The %D flag will log the delay used to produce each page required by the EasyVista server.
As the access.log is a file that will grow day after day because it logs all the requests passed to the web
server, you should set up the rotation of the access log file and so limit the size that this file could
reach.
H.4. Troubleshooting
H.4.1. SMO Broker not found
If this message is displayed and a TELNET on the broker address and port from the server is working
fine, there may be a security configuration on the server that does not allow the HTTPD process to
access the network.
You can also check that no network packets are going out of the web server to the application server
using TCPDUMP when connecting to index.php, even if a TELNET is working.
The problem can be on the Linux Enhanced Security (SELinux). First check if it's active or not with :
/usr/sbin/sestatus -v
And if so, add the HTTPD process to the processes allowed for network connections :
setsebool httpd_can_network_connect=1
Without the -P option, setsebool changes only the running policy and the setting is lost at the next reboot.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCipherSuite !ADH:!EXPORT56:+SSLV3:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLV2:+EXP:+eNULL
Activate the SSL keep-alive cache to avoid negotiation to be done for each HTTPS request between
the client browser and the web server:
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 900
Since Easyvista 2008, these features are integrated in the SETUP for database creation, and in the
Easyvista administration pages for monitoring.
For security reasons, we highly recommend that you deactivate the SMO Monitoring service once the
installation is done. Unfortunately, this action can't be done automatically during the setup, and must be
done manually once the installation is completed.
<Directory "D:/EasyVista/www/monitoring">
Order allow,deny
Allow from all
AuthType Basic
AuthName "Acces a monitoring"
AuthUserFile "D:/EasyVista/www/monitoring/.monitoring"
Require valid-user
</Directory>
Copy the .monitoring file from the apache/bin folder to the www/monitoring folder.
[LINUX] If needed, apply the necessary rights to have Apache owner of this file.
apache -k restart
Any access to the monitoring folder will require typing a login and password (case sensitive). The login
is the one you used in the htpasswd command (Beasyvista in our example).
Traffic between user and SSL PROXY appliance is done with HTTPS
Traffic between SSL PROXY appliance and EasyVista web server is done with HTTP
In this case you must add a parameter in the file www/Config/initialization_customer.php of the
EasyVista web server to tell EasyVista that even if the web server receives HTTP queries, the final
users are working with HTTPS.
$_SESSION['HOST_PROTOCOL'] = 'https://';
Remark: This configuration is mandatory to fix the issue concerning resources (.JS, .JPG, etc.) being
searched in HTTP from the web browsers instead of HTTPS, leading to errors (images not displayed,
JavaScript errors or file missing error) on the customer side while displaying EasyVista pages.
J.2. Architecture
J.2.1. EasyVista authentication process with LDAP/Active Directory
1 The user types his credentials on the standard Easyvista login page
2 The credentials are sent to Easyvista for validation
3 Easyvista checks the credentials through LDAP/Active Directory
4 If the authentication succeeded, the user is logged in and his profile is retrieved from the Easyvista
database
5 The user is connected to Easyvista
1 Easyvista opens a connection to the LDAP directory with the credentials defined in the
Administration pages of Easyvista
2 Easyvista searches the value of login typed by the user (on the login page) in the LOGON
ATTRIBUTE fields of the subtrees the user connected in step 1 is granted to access
3 If a record is found during the search, the DN value is retrieved from this record
4 Easyvista then tries to bind (to login) this DN and the password typed on the login page
5 If the bind succeeds, then the credentials are validated
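The five steps above can be reproduced with the OpenLDAP client tools when troubleshooting a directory. This added example is not EasyVista's code: it also escapes the typed login before it enters the search filter and refuses an empty password, and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example (not EasyVista code): search-then-bind with ldapsearch.
# LDAP_URI, SERVICE_DN, SERVICE_PW_FILE, BASE_DN and LOGIN_ATTRIBUTE are
# hypothetical variable names chosen for this sketch.

# ldap_escape_filter VALUE
# Escapes the RFC 4515 special characters so that a typed login cannot change
# the structure of the search filter. The backslash is escaped first.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# build_user_filter LOGIN [ATTRIBUTE]
# ATTRIBUTE defaults to sAMAccountName, as the LOGIN ATTRIBUTE field does
# when it is left empty.
build_user_filter() {
    attr=${2:-sAMAccountName}
    printf '(%s=%s)' "$attr" "$(ldap_escape_filter "$1")"
}

# ldap_authenticate LOGIN PASSWORD
# Returns 0 when the bind succeeds, 1 when the user is not found, is ambiguous
# or the bind fails, 2 when the request is refused before any LDAP traffic.
ldap_authenticate() {
    login=$1
    password=$2
    # A bind with a DN and an empty password is an RFC 4513 "unauthenticated
    # bind", which a server may answer with success without checking anything.
    [ -n "$login" ] && [ -n "$password" ] || return 2

    # Steps 1 and 2: connect with the service account, search the login attribute.
    # -y reads the password from a file so it never appears in the process list.
    dns=$(ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" \
              -D "$SERVICE_DN" -y "$SERVICE_PW_FILE" -b "$BASE_DN" \
              "$(build_user_filter "$login" "$LOGIN_ATTRIBUTE")" 1.1 |
          sed -n 's/^dn: //p')

    # Step 3: exactly one record must match, otherwise there is no usable DN.
    [ "$(printf '%s\n' "$dns" | grep -c .)" -eq 1 ] || return 1

    # Steps 4 and 5: bind as that DN with the typed password. Reading the root
    # DSE is enough; ldapsearch exits non-zero when the bind is rejected.
    pwfile=$(mktemp) || return 2              # mktemp creates the file mode 0600
    printf '%s' "$password" > "$pwfile"       # no trailing newline: -y uses the whole file
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$dns" -y "$pwfile" \
               -s base -b "" "(objectClass=*)" 1.1 >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    [ "$rc" -eq 0 ] || return 1
}
```

A DN containing non-ASCII characters is returned base64-encoded (`dn:: ...`) and is deliberately treated as not found here.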
Be sure of the FQDN you use. Use CSVDE or another tool to check it.
Check the syntax that must be exactly the one defined in the directory.
Here's how you can find the FQDN with Active Directory:
If you have several subtrees where Easyvista users can be defined in your
Directory, mind to define the BaseDN as the upper level including all these subtrees.
Go to the Easyvista Administration pages, and then to the LDAP Authentication menu.
Fill the LDAP server and port fields based on the server to use.
Fill the UserDN and password of the account to use to connect to the Directory.
Fill the BaseDN field with the upper level of the subtrees to search the users into.
Leave the LOGIN ATTRIBUTE field empty to use by default the SAMAccountName attribute or fill it
with the attribute you want to use.
Save and Restart the SMO Server service to activate this change.
J.7.2. Configuration
Connect to the Easyvista database of the account to configure (EVO_DATA50004, etc) with an SQL
client.
Run the following query if the parameter is not already present in the table :
To disable this option, just set the PARAMETER_VALUE of this record in the AM_PARAMETER table
to FALSE.
J.8. Troubleshooting
Use external tools to validate your parameters (UserDN, BaseDN, etc) and to
check that the user defined is granted to access to the Directory
J.8.1. Use LDAP.EXE to check that the USER DN has an access to the
Directory
LDAP.EXE is a tool available on the Easyvista CD.
If you can't connect with LDAP.EXE, Easyvista will not be able to connect either!
Run LDAP.EXE
Click on Search
If it works, you should see a result like this
If you can't connect with CSVDE, Easyvista will not be able to connect either!
CSVDE Syntax :
-a the FQDN to use to connect password
-f path and filename that will be created
-s servername
-t port number
-d Base DN from where starts the export
For example:
This problem is not specific to EasyVista, and many other software vendors have already published a
knowledge base article on this point:
IBM: https://www-304.ibm.com/support/docview.wss?uid=swg21090028
SOFTERRA (LDAP browsing expert): http://www.ldapadministrator.com/forum/viewtopic.php?t=14
The new limit to configure must be greater than your number of employees or, if you do not limit the
extraction to employees, than the number of objects you want to retrieve in a single LDAP query. As this
is just an upper limit, without impact on memory on the server side, we strongly advise using a much
higher value than needed, to avoid making that change again later.
On the ACTIVE DIRECTORY server, you must use ntdsutil.exe (a Microsoft tool on your
server) to change the limit value (check this link for more information on how to use
NTDSUTIL.EXE: http://support.microsoft.com/kb/315071/en-us)
LDAP policies
Connection
Connect to domain PUT_HERE_YOUR_AD_DOMAIN
Q
Set maxpagesize to PUT_HERE_A_VALUE_GREATER_THAN_YOUR_#_OF_EMPLOYEES
Commit changes
Q
Q
Here's an example:
Another way to change this parameter is to edit it directly inside the CN=Default Query
Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services,
CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD entry by using
LDAP Administrator.
The limit for the OpenLDAP server can be changed in the config file (check
/etc/openldap/slapd.conf). The parameter name is sizelimit. You can find more information
in the slapd.conf manual page or in the OpenLDAP documentation.
If your customers/partners are separated in several physical LDAP/AD trees without replication, you
must use the Multi LDAP/AD authentication process to authenticate these users.
This feature should not be used if you have only one physical tree to authenticate
users.
K.2. Architecture
The authentication is based on an Easyvista-specific service installed on each application server. This
service will try to authenticate the user against each LDAP/AD tree defined in its configuration file.
K.3. Prerequisites
The LDAP/AD trees must be physically accessible from the application server running the Multi AD
service, meaning that the SMOAuthService will have to connect to these trees.
K.4. Configuration
K.4.1. Install the service on one application server
On one application server, copy the content of the Easyvista CD folder /tools/MultiAD/*.* into the
[EASYVISTA_FOLDER]/tools/servers/[ORA or MSSQL] folder.
From this local folder, install the service with the command SMOAuthService.exe /install.
Use the SMOAuthEditor.exe tool to add and update lines in this file.
Passwords are stored encrypted in this file, and that's why you can't update the parameters directly.
Label
Comment
Hostname
Port
User
Password
BaseDN
The node in the LDAP directory from which the search will be performed.
attributLogin
Change this parameter if the attribute that stores the login is not login.
Protocol version
Parameter
Comment
SMOAUTHENTIFICATION
SMOAUTHENTIFICATIONHOST
SMOAUTHENTIFICATIONPORT
If you do not see these parameters, use the following SQL script to create the needed entries in the
AM_PARAMETERS table (connect using EZV_ADMIN)
K.5. Troubleshooting
See the troubleshooting chapter of the LDAP or ACTIVE DIRECTORY authentication.
L. Webservice authentication
L.1. Presentation
This feature can be used if the customer has centralized its corporate authentication process with a
local web service.
L.2. Architecture
Each time a user types their login and password on the Easyvista login page, these
credentials are sent to the corporate authentication webservice.
The user is granted access if the webservice allows the connection.
The webservice can be secured with a certificate, but this certificate must be accessible from each
Easyvista application server.
If active, this feature is defined for all the accounts of the platform, including the
demo database (40000).
L.3. Prerequisites
The customer must have documentation of the parameters and URL used to access the corporate
authentication webservice.
The webservice must:
L.4. Configuration
On each application server, update the SMOSERVER.INI file in
[EASYVISTA_FOLDER]\tools\servers\[MSSQL or ORA] FOLDER:
WSActive=TRUE
[WSAuthentication]
wsdl=http[s]://URL?wsdl
service=xxx
port=xxx
functionName=Authenticate
Service_LoginName=username
Service_Password=pwd
RootCertFile=path/xxx.pem
Parameter
Comment
WSDL
Service
Port
FunctionName
Service_LoginName
Service_Password
RootCertFile
[WSAuthentication_params]
__login_name__=userparameter/value
__password__=passwordparameter/value
_expected_=[no_error]|[value/true|false]
Params_xx=
Params_zz=
Parameter
Comment
__login_name__
__password__=USER_PASSWORD/value
_expected_
Values can be :
[OPTIONAL]
Params_yy=value_n
Params_CALLING_APPLICATION=EASYVISTA
L.5. Troubleshooting
L.5.1. Webservice not reachable
With Internet Explorer, check that the WSDL can be displayed from each Easyvista Application server
by calling the WSDL URL.
Ask the webservice manager whether authentication requests from Easyvista are logged and, if so, why
they are not granted.
M.2. Prerequisites
IP V6 is not supported by the SOAP layer used by EasyVista:
N.2. Prerequisites
The customer must have documentation of the parameters and URL used to access the external
webservices.
The webservice must:
N.3. Configuration
N.3.1. Register the webservice in Easyvista
Go to the Administration/Parameters/WebServices menu in Easyvista.
Parameter
Comment
WSDL
Login / Password
Proxy
Attached files
Click NEXT.
Fill the following fields to define the method to use from this webservice.
Parameter
Comment
NAME
COMMENT
METHOD
Click NEXT.
Parameter
Comment
DOCUMENTATION
PARAMETERS
Comment
Static values
Easyvista tags
N.4. Troubleshooting
N.4.1. External webservices not reachable from Easyvista
Check that the WSDL can be displayed from the Easyvista application servers.
You should retrieve the XML description of the webservices provided by Easyvista.
O. Easyvista NETWORK
O.1. Presentation
EZVNETWORK is an automatic process to update the Easy Vista software reference database.
The software reference database (EVO_REFERENCE) mainly contains the following elements:
TABLE NAME
CONTENT
R_MANUFACTURER
Manufacturers Directory
R_SOFTWARE_CATALOG
Software Directory
R_MATCHING_MODEL
R_SNMP_*
R_OS
R_UNKNOW_*
O.2. Architecture
O.3. Requirements
O.3.1. Automatic FTP method
To set up Easyvista network with the FTP method, the Easyvista Backoffice server (the server running the
SMO Backoffice service) must have access to the following Internet server:
www.itassetservices.com
To validate your platform connectivity, you can try the following command sequence in a
DOS window:
If a line such as 220 EZV_APAC FTP server (Version wu-2.6.1-20) ready. appears, it means that the
connection is OK.
Do not unzip this file. The backoffice process is waiting for this file in a zip
format.
You must at least once a week to have your software catalog up to date.
[EZVNET]
ACTIVE=1
DELAY=1
LOG_DEBUG=0
debugging mode
Begin_Time=00:00:00:000
Integration
End_Time=23:59:59:999
MODE=FTP
DELAY=1
LOG_DEBUG=0
debugging mode
Begin_Time=00:00:00:000
Integration
End_Time=23:59:59:999
MODE=LOCAL
EZVNetDir=C:\tmp\
O.5. Troubleshooting
To check whether the update imports have been successfully executed, you can refer to the following
information:
If the import is OK, the DONE column must be filled with the day of the import.
The following line contains the next execution date (TODO column) of the update imports.
(This date is computed as follows: DATE in the DONE column of the previous line + DELAY value in the
smobackoffice.cfg file)
ERROR MESSAGE | CHECKINGS REQUIRED
FTP - Connection failed (n 1) : Message (Socket Error # 11001) | Validate your connection to the FTP Website as indicated in the requirements.
 | Validate your connection to the FTP Website as indicated in the requirements.
No such file | If you use the LOCAL method, just verify that the file is actually present in the EZVNETDir directory given in the smobackoffice.cfg file.
Unable to unzip datafile ezvnetwork_sql.zip | This means that the file has been damaged during the transfer. Please contact your Network Administrator to find out whether ZIP files are filtered during the transfer via FTP or your mailbox.
ORA-01400: cannot insert NULL into ("EVO_REFERENCE"."R_SNMP_COMPONENT"."SNMP_COMP_ID") |
P.1. Parameter
Open the EVO_ADMIN.A_PARAMETERS table, and set the value fields of the following lines:
PARAM_ID | PARAM_VALUE
SMTPServer | Name or IP of the SMTP server
SMTPPort |
P.2. Check
Connect to the demo application (40000) with epachelbel, go to Discovery and send a Discovery file
by e-mail.
P.3. Troubleshooting
From a DOS prompt, you can use TELNET with the SMTP server address and credentials to check
that you can send e-mails.
RecipientAddressError
Other fields of the log file will give you information about the context of the attempt to send an e-mail.
Type EHLO <your mail server domain>, and then press ENTER.
2.
Type AUTH LOGIN. The server responds with a base64-encoded prompt for your user name.
3.
Enter your user name encoded in base64. You can use one of several tools that are available to
encode your user name.
4.
The server responds with a base64-encoded prompt for your password. Enter your password
encoded in base64.
5.
Type MAIL FROM:<[email protected]>, and then press ENTER. If the sender is not permitted
to send mail, the SMTP server returns an error.
6.
7.
Type DATA.
8.
If desired, type message text, press ENTER, type a period (.), and then press ENTER again.
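The AUTH LOGIN part of the telnet test above, as an added Python example (not part of the EasyVista tooling): it produces the two base64 lines to type and decodes a captured session, which shows that base64 is an encoding and that the credentials cross the wire in recoverable form unless the connection is protected by TLS. The account, password, host names and transcript are constructed.

```python
import base64


def b64(text):
    """Encode a string the way it has to be typed after AUTH LOGIN."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(token):
    """Decode one base64 token; ValueError if it is not valid base64 text."""
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError(f"not base64 text: {token!r}") from exc


def auth_login_answers(username, password):
    """The two lines to type in reply to the server's two 334 prompts."""
    return [b64(username), b64(password)]


def decode_auth_login(transcript):
    """Decode the AUTH LOGIN exchange in a transcript of 'S: ' / 'C: ' lines.

    Returns the decoded server prompts, the decoded client answers and the
    server's final reply (235 = accepted, 535 = credentials rejected).
    """
    result = {"prompts": [], "answers": [], "outcome": None}
    in_auth = False
    awaiting_answer = False
    for raw in transcript.splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C" and text.upper() == "AUTH LOGIN":
            in_auth = True
        elif not in_auth:
            continue  # greeting and EHLO lines come before the exchange
        elif side == "S" and text.startswith("334 "):
            result["prompts"].append(unb64(text[4:]))
            awaiting_answer = True
        elif side == "C" and awaiting_answer:
            result["answers"].append(unb64(text))
            awaiting_answer = False
        elif side == "S" and text[:3].isdigit():
            result["outcome"] = text
            break
    return result


# Constructed test account and password, for illustration only.
SAMPLE_USER = "svc-easyvista-test"
SAMPLE_PASSWORD = "Constructed!Passw0rd"


def sample_session(username=SAMPLE_USER, password=SAMPLE_PASSWORD):
    """Build a constructed transcript of the telnet session described above."""
    user_line, password_line = auth_login_answers(username, password)
    return "\n".join([
        "S: 220 mail.example.test ESMTP ready",
        "C: EHLO app01.example.test",
        "S: 250-mail.example.test",
        "S: 250 AUTH LOGIN",
        "C: AUTH LOGIN",
        "S: 334 " + b64("Username:"),
        "C: " + user_line,
        "S: 334 " + b64("Password:"),
        "C: " + password_line,
        "S: 235 Authentication successful",
    ])


if __name__ == "__main__":
    print("Lines to type:", auth_login_answers(SAMPLE_USER, SAMPLE_PASSWORD))
    print("Recovered from the capture:", decode_auth_login(sample_session()))
```

Run the check with a dedicated test mailbox account, since anything typed into a plain telnet session can be decoded this way by whoever can see the traffic.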
Q.2. Architecture
Q.3. Parameter
Action
Description
Open the configuration page
Enable Technical support agent using the ENABLE/DISABLE assistant
Add a mailbox to check
In our case we have only 1 connection and we send single commands so it's not really relevant, however we need to type
something as a tag. I usually just use a period
'.' but you could use a number or whatever suits you. To demonstrate the command tag see the two server responses here with
the tag (don't worry about the command itself, it
will be explained soon), in the first one we send '. fetch' and the second one 'a01a fetch' getting the same tag back to identify
the response:
. fetch 1 fast
* 1 FETCH (FLAGS (\Seen hasatt) INTERNALDATE " 1-Feb-2006 08:37:23 -0500" RFC822.SIZE 15013)
. OK Completed (0.000 sec)
a01a fetch 1 fast
* 1 FETCH (FLAGS (\Seen hasatt) INTERNALDATE " 1-Feb-2006 08:37:23 -0500" RFC822.SIZE 15013)
a01a OK Completed (0.000 sec)
Finally, the IMAP commands are not case sensitive, so 'SELECT inbox' will work just as well as 'select INBOX'. For clarity in the
code I have typed the commands in
uppercase and the word INBOX in uppercase also.
The address of your mail server, this will usually be of the form mail.domain.com. You should look at the settings in your email
client or documentation about your
email account to get this information.
Security.
In this demonstration we will be sending our account username and password unencrypted over the internet, if this is a major
concern to you then you should not follow
this exercise.
Another alternative, if your email provider supports SSL, is to use OpenSSL (which most if not all Linux computers will have),
see the 'Connecting to the host' section
below for the syntax.
-----BEGIN CERTIFICATE-----
MIIDeDCCAuGgAwIBAgIDQBYSMA0GCSqGSIb3DQEBBAUAMIHOMQswCQYDVQQGEwJa
..........................
-----END CERTIFICATE-----
subject=/C=AU/ST=New South Wales/L=Crows Nest/O=Optimal Decisions Group Pty Ltd/CN=mail.messagingengine.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1054 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: Session ID
    Session-ID-ctx:
    Master-Key: Key
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1140271254
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK IMAP4 ready
Once this step is carried out the IMAP commands are identical to those for a normal telnet session.
We can see from this output how the mailboxes are arranged like a tree with INBOX being the 'trunk'. My IMAP provider uses a
period (.) as a separator between parent and
child folders so INBOX.Drafts is a child of the INBOX. The \HasChildren simply tells us that this folder has sub folders whereas
the other folders do not.
The way IMAP works means that all folders are created as subfolders of the INBOX even if your email client is configured not to
show it that way.
That's the main commands covered however there are a few more just 3 of which I'll mention here as they could be useful.
Q.6.2. Configuration
Configure the SMOASTPLUGIN.INI file as follows:
PORT_ID
The port dedicated to the TSA plugin. Make sure to assign a port that is not already
used by another Easyvista service, or by any other application already running on
the server
BROKER_PORT_ID
DATASERVER_PORT_ID
DATASERVER_ADDRESS
Configure the following A_PARAMETERS reference values (if the values are not already in the table, add them manually)
PARAM_ID
PARAM_VALUE
ASTServer
ASTPort
Q.6.3. Installation
1 - Stop the SMOServer Service.
2 - Install the TSA service with SMOAstPluginNTService.exe /INSTALL
3 - Start the TSA service.
4 - Restart the SMOServer Service
Q.6.4. Troubleshooting
Check the specific log for this service.
R. Google Maps
EasyVista can use GoogleMaps to display information.
R.1. Prerequisites
The GoogleMaps latitude and longitude of the location you defined in EasyVista are retrieved from the
GoogleMaps web site by the EasyVista web server, using a free account you defined for EasyVista.
The EasyVista web server must therefore have access to the Internet and the GoogleMaps web site.
Once created, a unique key will be available and you'll use it to access GoogleMaps information.
S.2. Prerequisites
The full text search or indexation feature must be implemented on the database server.
select databaseproperty('EVO_DATA50004','IsFullTextEnabled')
S.3.7. Troubleshooting
S.3.7.1. List the document formats that the database server natively indexes
select * from sys.fulltext_document_types
S.3.7.2. Check if the fields used by EasyVista in a full text search are
considered as FullText indexed by the database server
S.3.7.3. List the name of the catalog configured on the Instance
select * from sys.fulltext_catalogs
S.3.7.4. Check that the catalogs are correctly configured and are used to retrieve
information
If the result doesn't contain what you were looking for, check that the indexes are up to date (number
of lines and the date of the last crawl):
select fulltextcatalogproperty('YOUR CATALOG NAME','itemcount')
If the indexes don't seem to be activated, force the full indexation again. Be careful, because this
first indexation may be resource-consuming depending on the size of the database. We highly
recommend that this indexation be done outside of business hours.
exec sp_fulltext_table 'SD_KNOWN_PROBLEMS','start_full'
exec sp_fulltext_table 'AM_ACTION','start_full'
exec sp_fulltext_table 'SD_REQUEST','start_full'
exec sp_fulltext_table 'AM_DOCUMENT_STORAGE','start_full'
[Easyvista_FOLDER]\tools\smobackoffice\CUST
[Easyvista_FOLDER]\tools\smobackoffice\QUERIES
[Easyvista_FOLDER]\tools\servers\MSSQL\*.ini
[Easyvista_FOLDER]\tools\servers\ORA\*.ini
EVO_ADMIN
EVO_REFERENCE
EVO_BACKOFFICE
EVO_DATA500xx (*)
EVO_CONFIG500xx (*)
U.2. Architecture
EasyVista is a multi-tier platform. It means that we can consider three platform tiers (Web server,
Application server and database server) and two external tiers (the customer PC and the network
between the customer PC and the web server).
Even if the HTML page is quickly produced, it needs some time to be transferred through the network
and then displayed.
The network between the PC and the web server can have a complex architecture (Firewall, proxy,
routers, wan, etc).
The local browser (IE, Firefox, etc) can also be configured in a non optimal way.
You should see lines in the captures with HTTP code 200 for CSS, JS, and pictures (PNG, GIF, JPG,
etc).
Display these pages again (DON'T use F5 to refresh the pages!) using the Easyvista menus.
You should see fewer lines in the capture, some lines saying (CACHE), and a few with HTTP 200.
If so, everything is OK.
If you see HTTP 304 lines, then you have a cache problem, and your browser spends too much time
asking the web server for unneeded information: this costs time and bandwidth.
To understand why you have such HTTP 304 responses, check the headers of the HTTP answers from the
server. This information is available in HTTPWATCH here.
You should have an EXPIRES line in the header of the static objects (pictures, JS, CSS). If not,
there's a problem with the web server, which is not configured to manage client-cached resources:
Check that the local mode of the browser is to refresh the pages AUTOMATICALLY
If you still have the problem, contact Staff & Line technical support.
U.3.3. Check the delay between the creation and the transfer of a page
This test can only be done if the cache management (previous test) is OK, meaning all the static
resources are found in cache.
The goal of this test is to check that there's no problem during the page transfer process.
First, connect to the Easyvista demo database with epachelbel.
Add &ShowStack=simple at the end of the URL, and press Enter to refresh the page. You should now
see a delay at the bottom of the Easyvista page: this is the time taken by Easyvista to create the page.
Now, start an HTTPWATCH capture and display some pages.
When a page is displayed, compare the delays given by Easyvista (creation delay only) and
HTTPWATCH (creation delay + transfer delay). These delays should be close. Otherwise, there's a
network transfer problem that slows the display of the page.
After a page is displayed, check the last two lines of the capture. The start delays of these lines should
be close. Otherwise, there may be a local antivirus that checks the Easyvista files before the display.
Check if there is a local Antivirus and configure it to either consider Easyvista static files (especially
Javascript .JS files) as trusted, or to avoid checking the Javascript files.
V.2. Architecture
The integration is done in two steps:
1. LDAP/AD data are transferred into a local SQL table to be prepared. This step is necessary to
format LDAP/AD data and to delete unnecessary records. After this first step, a table is
available with data compliant with the Easyvista employee directory connector
2. Integrate the data into Easyvista with the standard Easyvista employee directory connector
Sn
givenName
sAMAccountName
mail
accountExpires
Then, the TABLE_LDAP_OK will be filled with the records from TABLE_LDAP_TEMP using the
following rules for each record:
V.3. Prerequisites
Check that the PREIMPORT module is active in the file
[EASYVISTA_FOLDER]\tools\smobackoffice\SMOBackoffice.cfg on the server running the
SMOBackoffice service.
[PREIMPORT]
ACTIVE=1
;DELAY = n minutes
DELAY=1
LOG_DEBUG=1
Begin_Time=00:00:00:000
End_Time=23:59:59:999
If the PREIMPORT module was not active, remember to restart the SMOBackoffice service
once the cfg file is updated.
TABLE_1=TABLE_LDAP_TEMP
DO_NOT_DELETE_TEMPTABLE=0
In the DOMAIN_1 field, make sure to include the CN=Users level to limit the import to
the user records of your directory. Otherwise, you'll get every object defined in the
directory
The TABLE_LDAP_TEMP and TABLE_LDAP_OK tables should be filled with your data.
Click on the DEFINE button and use the following as the connection information (remember to change the
account credentials):
Provider=sqloledb;Data Source=EZV_SQL1;Initial Catalog=EVO_BACKOFFICE;User ID=EZV_ADMIN;Password=staff
And as the SQL query:
Select * from EVO_BACKOFFICE.EZV_ADMIN.TABLE_LDAP_OK
Once the window is closed, map the fields like this:
SOURCE | DESTINATION | DEFAULT VALUE
FULL_NAME | NAME |
LOGIN | LOGIN |
EXPIRATION_DATE | DEPARTURE |
NOTIFICATION
You can then run the integration or schedule it once a day, after the preimport process.
This process is not optimized but is the only way to retrieve information for Active Directory databases
where the Partial Attribute Set is configured (activated by default for Active Directory).
To considerably reduce the time needed to retrieve the data from LDAP, you can try a new option
both in the PREIMPORT.INI files and with the LDAP.EXE tool.
When SINGLE PASS is activated, results are requested from the LDAP server in just one pass instead of
two. The improvement is significant, but only if your LDAP/AD server does not use the Partial Attribute Set:
otherwise only the fields defined in the AD/LDAP Partial Attribute Set will be returned instead of all the
attributes you asked for.
To use this new feature, add the SINGLE_PASS option in your ini LDAP definition:
[XXXXXXXXXXXXX]
DBKERNEL=LDAP
SINGLEPASS_1=1
V.4.7. Change the separators used when bulking (SQL SERVER only)
By default, the PREIMPORT process uses tabulations and CR-LF in the temporary file used when
bulking LDAP data into the temporary SQL table you created.
If your data contain TABS or CR-LF, you can change the definition of the separators that PREIMPORT
will use.
[XXXXXXXXXXXXX]
DBKERNEL=LDAP
ROW_SEPARATOR_1=##MYFIELD##
LINE_SEPARATOR_1= ##MYLINE##
[XXXXXXXXXXXXX]
PROTOCOL_1=2 or 3
Create the AD_DATE_CONVERT function with the script available on the CD in the folder
tools/preimport add-on scripts/ LDAP timestamp converter AD_DATE_CONVERT.sql
Retrieve from AD/LDAP the timestamp value you want to use
Somewhere in your SQL Preimport process, call the AD_DATE_CONVERT function, giving the
timestamp as parameter
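Added example, in Python, of the kind of conversion the steps above rely on; it is not the AD_DATE_CONVERT.sql script from the CD, whose contents this page does not show. It assumes the timestamp is either an Active Directory 100-nanosecond interval counted from 1601-01-01 UTC (the format of accountExpires) or an LDAP generalized-time string, and it handles the two accountExpires values that mean "never expires"; function names and sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Active Directory interval attributes count 100 ns ticks from this instant.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses both of these values to mean "never expires".
NEVER = (0, 0x7FFFFFFFFFFFFFFF)


def ad_interval_to_datetime(raw):
    """Convert an AD interval (100 ns ticks since 1601) to a UTC datetime.

    Returns None for the "never expires" sentinels, so they cannot turn into
    a bogus date in the import table.
    """
    try:
        ticks = int(str(raw).strip())
    except ValueError as exc:
        raise ValueError(f"not an AD interval: {raw!r}") from exc
    if ticks in NEVER:
        return None
    if ticks < 0:
        raise ValueError(f"negative AD interval: {raw!r}")
    try:
        return AD_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError as exc:
        raise ValueError(f"AD interval out of range: {raw!r}") from exc


def generalized_time_to_datetime(raw):
    """Convert LDAP generalized time (UTC, 'Z' suffix) to a UTC datetime."""
    text = str(raw).strip()
    for fmt in ("%Y%m%d%H%M%S.%fZ", "%Y%m%d%H%M%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a generalized-time value: {raw!r}")


def convert_ldap_timestamp(raw):
    """Dispatch on the value's shape: trailing 'Z' means generalized time."""
    text = str(raw).strip()
    if text.upper().endswith("Z"):
        return generalized_time_to_datetime(text)
    return ad_interval_to_datetime(text)


def expiration_dates(records):
    """Map each login to 'YYYY-MM-DD', or None when the account never expires."""
    result = {}
    for record in records:
        when = convert_ldap_timestamp(record["accountExpires"])
        result[record["sAMAccountName"]] = when.date().isoformat() if when else None
    return result


# Constructed records in the shape of the attributes listed for the preimport.
SAMPLE_RECORDS = [
    {"sAMAccountName": "jdoe", "accountExpires": "130138272000000000"},
    {"sAMAccountName": "svc_backup", "accountExpires": "9223372036854775807"},
    {"sAMAccountName": "asmith", "accountExpires": "0"},
]

if __name__ == "__main__":
    for login, expires in expiration_dates(SAMPLE_RECORDS).items():
        print(login, expires or "never expires")
```

Treating the sentinels as "no date" matters when the value feeds a departure or expiration field: converted naively, 9223372036854775807 lands tens of thousands of years in the future instead of being left empty.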
V.5. Troubleshooting
V.5.1. Force a preimport to restart before the next scheduled execution
Open the LDAP_PREIMPORT.INI file and update the following lines. Save and close the file.
NLASTRUN=0
SLASTRUN=0
W.2. Architecture
Easyvista interface style is based on a CSS file and on pictures.
You can only:
Update the values of the CSS file described in the next chapter
EVO_ADMIN
Tables :
A_STYLE table
It stores the different parameters used to define the graphical interface for each
database. The RELATIVE_PATH field gives the directory where the style
sheet (theme.css) and all the graphical settings are stored.
This RELATIVE_PATH is a sub-directory of [EASYVISTA_FOLDER]\www\Style
In the following table, 2 styles are displayed:
The default style, whose settings are stored in the
[EASYVISTA_FOLDER]\www\Style\Easyvista directory
The specific style for the Production base called "Production_Style",
stored in the [EASYVISTA_FOLDER]\www\Style\Production_Style
directory
STYLE_ID | RELATIVE_PATH | LABEL_EN
{2B726BEC-EBB4-4DC8-B09253180E0CA902} | Easyvista | Default
{4D5B5ECF-7C69-4F07-A876BE24810D8E26} | Production_Style | Production_Style
The STYLE_ID is automatically generated when a new line is created. This will be the value to copy/paste into
the A_COMPANY table.
W.3.2.2. The A_COMPANY table
In this table, the 2 bases use the same style (STYLE_ID) that is defined in the A_STYLE
table.
 | COMPANY_NAME | COMPANY_ACCOUNT | STYLE_ID
273 | Demo | 40000 | {2B726BEC-EBB4-4DC8-B09253180E0CA902}
283 | Empty Demo | 40001 | {2B726BEC-EBB4-4DC8-B09253180E0CA902}
Remember to restart the SMO Server service on each application server to apply
these changes.
Used by the fields where you can change the values (asset tag,
serial number, etc)
form_input_ro
Form_input_ro_list
.dialog_main_section_header_bg
{
background-color: #E4E9F1;
}
.dialog_line
{
font-family: Verdana; font-size: 10px; color: #000000;
vertical-align: middle; padding-top: 0px; padding-bottom: 0px; text-align: left;
}
.dialog_alias
{
font-weight: bold; text-align: right; color: #1D293D;
}
.dialog_arrow_down_popup
{
background-color: #EAEDF4;
background-image:url('./Images/bloc-fond-entete.png');
background-repeat:repeat-x;
background-position: center top;
border: 1px solid #AFBCD8;
font-family: Trebuchet MS; font-size: 11px; color: #1D293D; vertical-align: middle;
padding-top: 4px; padding-bottom: 4px; padding-left: 4px; padding-right : 4px; height:
20px;
}
.dialog_sections_header_selected
{
background-color: #F6F6F6; color: #FF3300; font-weight: bold; font-size: 11px; font-family: Verdana; padding-left: 2px; padding-right : 2px;
border-left: 1px solid #AFBCD8; border-top: 1px solid #AFBCD8; border-right: 1px solid
#AFBCD8;
}
.dialog_sections_header_selected a,
.dialog_sections_header_selected a:link,
.dialog_sections_header_selected a:visited,
.dialog_sections_header_selected a:hover
{
background-image:url('./Images/icones3/onglet-actif-fond-centre.png');
background-repeat:repeat-x;
background-position: center center;
background-color_: #F6F6F6;
height: 24px; color: #FF3300; font-weight: bold; font-size: 11px; font-family: Trebuchet
MS;
padding-left: 2px; padding-right : 2px;
}
.dialog_sections_header_unselected
{
background-color: #F0F2F8; color: #33486C; font-weight: bold; font-size: 11px; font-family: Verdana;
padding-left: 2px; padding-right : 2px; border: 1px solid #C5CEE2;
}
.dialog_sections_header_unselected a,
.dialog_sections_header_unselected a:link,
.dialog_sections_header_unselected a:visited,
.dialog_sections_header_unselected a:hover
{
background-image:url('./Images/icones3/onglet-inactif-fond-centre.png');
background-repeat:repeat-x;
background-position: center center;
background-color_: #F0F2F8;
height: 24px; color: #33486C; font-weight: bold; font-size: 11px; font-family: Trebuchet
MS;
padding-left: 2px; padding-right : 2px;
}
.dialog_sections_header_between
{
border-bottom: 1px solid #C5CEE2; width: 4px; height: 16px;
}
.dialog_sections_elmt_selected
{
background-color: #FFFFFF; color: #FF3300; font-weight: bold; font-size: 11px; font-family: Verdana;
padding-left: 2px; padding-right : 2px;
}
.dialog_sections_elmt_unselected a,
.dialog_sections_elmt_unselected a:link,
.dialog_sections_elmt_unselected a:visited,
.dialog_sections_elmt_unselected a:hover
{
background-color: #FFFFFF; color: #33486C; font-weight: bold; font-size: 11px; font-family: Trebuchet MS;
padding-left: 2px; padding-right : 2px;
}
W.5. Troubleshooting
W.5.1. Your new style is not used when pages are displayed
Display the source code of the page (right click on a page displayed with Internet Explorer and choose
DISPLAY SOURCE CODE).
You should find the path of the CSS file used. Check that it's the right one.
Shows appointments from Outlook in Easy Vista's calendar (for viewing only; you
cannot modify this kind of item)
Create appointments automatically in Outlook from Easyvista for actions
(tasks) to be done by the support team.
Update Outlook from Easyvista when:
the date of a task has been changed
the task has been assigned to another member of the support team.
When the synchronization is activated, every new task will be visible in Outlook, if the task:
X.2. Architecture
The communication with the Exchange server is based on MAPI.
X.3. Prerequisites
This feature works only with Exchange server and not with Lotus Notes or any other mail server.
MAPI layer must be installed on the EXCHANGE SERVER and accessible.
The OUTLOOK client must be installed on the EasyVista application server in the same version as the
EXCHANGE SERVER. We require that OUTLOOK be installed to guarantee that tests can be done in
the same environment as the EasyVista application server, with all the MAPI components correctly
installed.
The calendar of each consultant defined in EasyVista must be shared and accessible to the MAPI
account defined on the application servers.
Integration is done with EXCHANGE 2003 and 2007.
A local profile must be created on each application server to access the Exchange server.
Each member of the support team must share their calendar with the Easyvista Profile: Editor privileges
must be granted to the Easyvista Profile.
The Exchange e-mail address of each member of the support team must be correctly specified in the
Easyvista database
X.4. Configuration
X.4.1. Create the local profile
Create a local MAPI profile on each application server to define the exchange server and the account
to use to connect to the exchange server:
Connected with the account used to run the EasyVista main service (not the localsystem
account), create the profile
Uncheck the USE CACHED EXCHANGE MODE checkbox
Run SMOAppointment
Choose the profile you created (a green line is displayed if the connection is successful)
Go to the AGENDA folder (bypass the USER DO NOT EXIST message as the default user
should not exist in your directory)
Fill in the name of the user whose calendar you want to display (most of the time, use the e-mail
address)
Click the LOAD button
Fill in the credentials if needed. Remember to check the SAVE PASSWORD checkbox (if this
credential box is displayed, it means that automatic negotiation of the credentials between the
server and the exchange server cannot be done due to the specific configuration of your
infrastructure (auto negotiation disabled, etc)).
Once the calendar of the user is displayed, close SMOAppointment
Run SMOAppointment again and do the same actions. During this second attempt, the
credential box should not be displayed as the credentials are already registered
PARAMETER
COMMENT
MAPI_PROFILE_NAME
MAPI_PASSWORD
MAPI_DEFAULT_DURATION
X.4.5. Check the correct access with the Easyvista connection test tool
From the Easyvista CD, copy the file SMOAppointment_MAPI.Exe in the
[EASYVISTA_FOLDER]\tools\Servers[ORA or MSSQL]\ folder of an Easyvista Application server.
X.5. Troubleshooting
X.5.1. Can't connect to the Exchange server
Check with Outlook express on the application server that you can connect to the exchange server
with the profile you defined.
Y.2. Architecture
The whole interactive login process of Easyvista is based on a file called login_html.php. The customization
method described here is the only one supported by Staff & Line and compliant with
upgrades to future versions.
The login_html page is the standard page called when you login to Easyvista and when you logout
(click on LOGOUT or TIMEOUT). It means that the customization of this standard page will be applied
to each account (40000, 50004, etc) available on the platform.
If you want to use a different logon page per account, you must apply a specific configuration.
Y.3. Prerequisites
You must have some HTML and PHP notions to customize the logon page without problem. The
technical support will not take in charge such customization.
<table>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."COMPANY ACCOUNT".'</span> </td>
<td><input class="form_input" type="text" name="url_account"
value="'.$account.'"></td>
</tr>
<tr>
If you use labels that include whitespace, you must put terminators before and
after the label.
<table>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'.$account_lbl.'</span> </td>
</tr>
</table>
By this one
<table>
<tr>
<td><input class="form_input" type="HIDDEN" name="url_account" value="50004"></td>
</tr>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'.Login.'</span> </td>
<table>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Numéro de la compagnie".'</span> </td>
</tr>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Saisir votre mot de passe".'</span> </td>
By this one
<table>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Numéro de la compagnie".'</span> </td>
Duplicate the login_html.php login page (one copy per page you want to create)
Give each copy a specific name (for example: login_html_50004.php)
Customize each one as you want
For each company record in table EVO_ADMIN.ACOMPANY, update the LOGIN_URL field with the fully qualified URL of the customized login page (ex: http://www.myeasyvistawebsite.com/Config/login_html_5004.php)
Ask the user to connect with the fully qualified URL instead of just the web site (ex: http://www.myeasyvistawebsite.com/Config/login_html_5004.php)
<table>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Company name".'</span> </td>
After
<table>
<tr>';
// Show the account selector only when the page is called with ?admin=yes;
// otherwise submit the fixed account number in a hidden field.
if (isset($_GET['admin']) && ($_GET['admin'] == 'yes'))
{
$result = $result.'
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Choose the account".'</span> </td>
<td> <select id="url_account" name="url_account">
<option value="50005" selected > PRODUCTION </option>
<option value="50004">TEST</option>
<option value="40000">DEMONSTRATION</option> </select>
</td>
</tr>';
}else{
$result = $result.'
<td><input class="form_input" type="HIDDEN" name="url_account" value="50004">
</td>';
}
// Login and password rows are the same in both cases.
$result = $result.'
</tr>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'.Login.'</span> </td>
<td><input class="form_input" type="text" name="url_login"></td>
</tr>
<tr>
<td> <span style="color:#4A5995;font-family: Trebuchet MS; font-size: 12px;font-weight: bold;">'."Saisir votre mot de passe".'</span> </td>
<td><input class="form_input" type="password" name="url_password"></td>
</tr>
</table>
Z. Single Sign On
Z.1. Presentation
The goal of SSO integration with EasyVista is to avoid the login page, by identifying the user with
information passed by the system.
EasyVista is not an SSO solution but a client of the Customer SSO system, and especially of the
information published by the Customer SSO system once the user is connected.
Z.2. Architecture
The SSO system is only in charge of the identification and authentication of the user. Once identified
by the system, information is available for web applications to identify a connected user.
EasyVista is only in charge of authorization (habilitation), that is, checking that the identified user
can access EasyVista and with which profile.
Z.7. Prerequisites
If SSO is configured, the authentication step is not done by Easyvista. Easyvista considers that the
credentials have already been checked by the customer system.
Information provided by the Security System must be either unencrypted or Base64-encoded (any
other encryption method requires specific development).
The call to the EasyVista logon page must include url_account=XXXXX where XXXXX is the account
number (for example: http://MYSERVER/index.php?url_account=50004)
Z.8. Configuration
Use the administration/parameters/other parameters page in Easyvista to change the value stored in
AM_PARAMETERS.
PARAMETER
COMMENT
SSO Enabled
SSO Type
SSO Base64
True if the field that identifies the user is encoded using Base64.
Warning: if you use BASE64 encoding, the
URL_ACCOUNT parameter must also be BASE64 encoded
SSO ErrorPage
SSO Logout
If your SSO system guarantees that the SSO information will be available on each call to EasyVista,
even the CLICK HERE calls, the CLICK HERE links should work without changes. You can check that
with HTTPWATCH.
If not, EasyVista calls a specific page, developed by your security team, that is in charge of
initializing the SSO information before calling back the EasyVista CLICK HERE page.
The page you have to develop can be either on the EasyVista server or anywhere else in your corporate
infrastructure. The overall process is:
Z.9.2. Limits
CLICK HERE links are limited to final users. They do not work if the mail is sent to a group instead of a
single user.
PARAMETER_GUID = {05cdea31-4498-4254-8d7d-f5cdb6516f37}
PARAMETER_EN = {ADMIN} SSO Page for autoconnect_mail.php
Restart the SMO SERVER SERVICE
PARAMETER
VALUE
Generate an e-mail with a CLICK HERE mail in it and check that everything works fine.
Z.9.4. Troubleshooting
Use HTTPWATCH to capture the whole HTTP traffic generated when clicking on the CLICK HERE
link and check that:
When EasyVista uses an Apache WebServer, you can either use an Apache module (see the
following chapters) or an IIS server installed on another server.
Z.10.2. Prerequisites
This feature is available with IIS 7.X minimum.
The IIS server must be in the domain that the final users are connected to.
Z.10.1. Check that the user's credentials are well stored by IIS
Call the sspi/sspi_test.php file to check that the SSPI module is correctly configured and collects the
user's identity.
http://youreasyvistaserver/sspi/sspi_test.php
or
https://youreasyvistaserver/sspi/sspi_test.php
The result page should display the identity of the user calling the page. If so, the SSPI module is
working fine. If not, there is a problem and the SSPI module is not correctly configured.
If the user is asked for credentials instead of having their name displayed automatically, you may have
to add the EasyVista web site to the list of local trusted web sites.
For Internet Explorer
And for the TRUSTED ZONE parameters, activate AUTOMATIC LOGON WITH CURRENT
USERNAME AND PASSWORD
PARAMETER      VALUE
SSO Enabled    TRUE
SSO Type       SERVER
SSO Base64     FALSE
               REMOTE_USER
Check that the user you will use to test SSO exists in EasyVista:
The LOGIN of the user must be the login name without the domain.
Ex: if the information returned by the test page is STAFF_AND_LINE\john.supptech, then the
login must contain john.supptech
The password for this user must not be empty in EasyVista. Users with empty passwords will not be
connected to EasyVista even if the identification is successful.
Call the following URL to check that the SSO configuration is correct:
If everything works fine, you should be connected to EasyVista without being asked for the
credentials.
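The checks listed above (LOGIN without the domain, non-empty password, Base64 handling of the identity and of url_account) can be run as a pre-flight before testing in the browser. This is an added example, not EasyVista code: the function names and the `users` mapping are hypothetical, the sample users are constructed, and how EasyVista itself parses the value is assumed to follow the rules stated in this guide.

```python
import base64
from urllib.parse import quote


def decode_identity(raw, sso_base64=False):
    """Return the identity string, Base64-decoded first when SSO Base64 is TRUE."""
    if sso_base64:
        try:
            raw = base64.b64decode(raw, validate=True).decode("utf-8")
        except ValueError as exc:  # covers bad alphabet, bad padding, bad UTF-8
            raise ValueError("SSO Base64 is TRUE but the value is not valid Base64") from exc
    return raw.strip()


def expected_login(identity):
    # The guide's rule: the EasyVista LOGIN is the login name without the domain,
    # e.g. STAFF_AND_LINE\john.supptech -> john.supptech.
    return identity.rsplit("\\", 1)[-1]


def preflight(raw, users, sso_base64=False):
    """Return the reasons why this identity would not be connected (empty list = ok).

    users maps each EasyVista LOGIN to True when its password is non-empty.
    """
    try:
        login = expected_login(decode_identity(raw, sso_base64))
    except ValueError as exc:
        return [str(exc)]
    if not login:
        return ["identity is empty once the domain is removed"]
    if login not in users:
        return [f"no EasyVista user with LOGIN '{login}'"]
    if not users[login]:
        return [f"user '{login}' has an empty password and will not be connected"]
    return []


def sso_test_url(server, account, sso_base64=False):
    # When Base64 is used, url_account must be Base64 encoded as well.
    value = str(account)
    if sso_base64:
        value = base64.b64encode(value.encode("ascii")).decode("ascii")
    return f"http://{server}/index.php?url_account={quote(value, safe='')}"


if __name__ == "__main__":
    # Constructed sample data: two hypothetical EasyVista users.
    users = {"john.supptech": True, "jane.doe": False}
    for shown in ("STAFF_AND_LINE\\john.supptech", "STAFF_AND_LINE\\jane.doe"):
        print(shown, "->", preflight(shown, users) or "ok")
    print(sso_test_url("MYSERVER", 50004, sso_base64=True))
```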
Z.11.1. Prerequisites
This feature is available with IIS 7.X minimum.
The IIS server must be in the domain that the final users are connected to.
The EasyVista server must be accessible to the IIS server using HTTP or HTTPS depending on the
EasyVista server configuration.
or
The result page should display the identity of the user calling the page. If so, the IIS configuration is
working fine. If not, there is a problem and IIS is not correctly configured.
Change the indexphp_redirect.php file to set the value of the EasyVista web server URL.
Configure EasyVista as described in section Z.10.2 Configure EasyVista to use these SSO credentials
and Z.10.1 Configure EasyVista to use SSPI on mails CLICK HERE links.
or
https://yourIISserver/asp2/sspi_test.aspx
The result page should display the identity of the user calling the page. If so, the IIS configuration is
working fine. If not, there is a problem and IIS is not correctly configured.
Change the indexphp_redirect.aspx file to set the value of the EasyVista web server URL.
Configure EasyVista as described in section Z.10.2 Configure EasyVista to use these SSO credentials
and Z.10.1 Configure EasyVista to use SSPI on mails CLICK HERE links.
Z.12.1. Prerequisites
The SSPI module is not an SSO module but a security extension that checks which users are allowed
to access a folder and once granted, stores information about the connected users.
MOD_SSPI must not be used to secure the whole EasyVista web folder but only with the configuration
described below. Securing the whole EasyVista folder may generate 401 UNAUTHORIZED errors
when using web services.
Perform the steps one at a time; do not move on to the next step until the current one works.
In some cases, the web server may need to be a member of the domain that the users are
connected to.
<location "/sspi/">
AuthName "My Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIPerRequestAuth On
require valid-user
</location>
Restart Apache and check that the web server is still accessible.
Z.12.5. Check that the user's credentials are well stored by Apache
Call the sspi/sspi_test.php file to check that the SSPI module is correctly configured and collects the
user's identity.
http://youreasyvistaserver/sspi/sspi_test.php
or
https://youreasyvistaserver/sspi/sspi_test.php
The result page should display the identity of the user calling the page. If so, the SSPI module is
working fine. If not, there is a problem and the SSPI module is not correctly configured.
PARAMETER      VALUE
SSO Enabled    TRUE
SSO Type       HTTP
SSO Base64     FALSE
               SSPI_HEADER
Check that the user you will use to test SSO exists in EasyVista:
The LOGIN of the user must be the login name without the domain.
Ex: if the information returned by the test page is STAFF_AND_LINE\john.supptech, then the
login must contain john.supptech
The password for this user must not be empty in EasyVista. Users with empty passwords will not be
connected to EasyVista even if the identification is successful.
If everything works fine, you should be connected to EasyVista without being asked for the
credentials.
Restart Apache.
Check that you are automatically logged in when calling the EasyVista URL without specifying a
script to run: http://myeasyvistaserver.
PARAMETER_GUID = 05cdea31-4498-4254-8d7d-f5cdb6516f37
PARAMETER_EN = {ADMIN} SSO Page for autoconnect_mail.php
Restart the SMO SERVER SERVICE
VALUE
sspi/mailphp_redirect.php
This module is available only for Apache on Linux, either as distribution-specific packages or as
ready-to-compile sources, depending on your Linux distribution.
It is not a Staff & Line module but an open-source project that you can use if your company doesn't
already use an internal SSO.
Staff & Line is responsible neither for the availability nor for the smooth running of this module on
your platform. Requests for changes must be sent to the open-source project team, and not to
Staff & Line technical support.
Z.13.1. Prerequisites
The MOD_AUTH_KERB module is not an SSO module but a security extension that checks which
users are allowed to access a folder and once granted, stores information about the connected users.
MOD_AUTH_KERB must not be used to secure the whole EasyVista web folder but only with the
configuration described below.
Securing the whole EasyVista folder may generate 401 UNAUTHORIZED errors when using web
services.
Perform the steps one at a time; do not move on to the next step until the current one works.
The instructions below assume that the KERBEROS layer is correctly installed and configured
on the web server and that the following KERBEROS commands work (how to install and
configure KERBEROS is not described in this document):
1. A fully qualified domain must be available (named yourdomain.com in the next sections).
This domain can be either a public domain (.com, .fr, etc.) or a private domain (.local)
2. The Linux web server on which EasyVista and the Kerberos layer are installed is in the same
network as the LDAP/AD server (the EasyVista web server is named
easyvista_webserver_name in the next sections)
3. A user (named easyvista_service) is available in the LDAP/AD directory
4. A keytab file (named easyvista_keytab in the next sections) has been generated from the
LDAP/AD server using ktpass
This file must be available on the Linux web server in the /etc/ folder
5. From the Linux web server, the following command should not return an error (remember to
replace the italic values with your own values)
kinit [email protected]
6. and the created KERBEROS ticket should be listed using this command
klist
You must not try to configure the MOD_AUTH_KERBEROS until the KERBEROS layer is up and
running on the EasyVista webserver. This job should be done by the customer network and security
team.
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms yourdomain.com
Krb5KeyTab /etc/easyvista_keytab
require valid-user
</location>
Restart Apache and check that the web server is still accessible.
Z.12.5 Check that the user's credentials are well stored by Apache
Z.12.6 Configure EasyVista to use the SSPI information
Z.12.7 Configure Apache to use the SSPI_INDEX.PHP as the default page
Z.12.8 Configure EasyVista to use SSPI on mails CLICK HERE links
Z.13.2. Troubleshooting
Microsoft Kerbtray Utility
The Microsoft Kerbtray.exe utility can verify whether Internet Explorer obtained a Kerberos
ticket for your web server.
You can use the klist utility in /opt/likewise/bin/klist to check the Kerberos keytab
file on a Linux or Unix computer.
The command shows all the service principal tickets contained in the keytab file so you can
verify that the correct service principal names appear.
Confirm that HTTP/[email protected] and
HTTP/[email protected] appear in the list.
It is normal to see multiple entries for the same name.
Example:
klist -k krb5_myserver.keytab
Keytab name: FILE:krb5_myserver.keytab
KVNO Principal
---- ------------------------------------------------------------------------
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
If your service principal names are incorrect, generate a new Kerberos keytab file.
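The keytab check described above can be scripted. The following added example (not part of this guide or of the klist tooling) parses `klist -k` output and reports, for each principal you expect, whether it is present, missing, or present only with a different case; it goes one step beyond the presence check in the text, because Kerberos principal names are case-sensitive. The host name, realm and sample listing are constructed placeholders.

```python
import re

# Constructed sample of `klist -k` output; host and realm are placeholders.
SAMPLE_LISTING = """\
Keytab name: FILE:krb5_myserver.keytab
KVNO Principal
---- ----------------------------------------------------------------
   6 HTTP/easyvista_webserver_name@YOURDOMAIN.COM
   6 HTTP/easyvista_webserver_name@YOURDOMAIN.COM
   6 http/easyvista_webserver_name.yourdomain.com@YOURDOMAIN.COM
"""

# "<kvno> <principal>", optionally followed by an encryption type (klist -k -e).
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def parse_keytab_listing(text):
    """Return {principal: set of KVNOs}; repeated entries for one name are merged."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.setdefault(match.group(2), set()).add(int(match.group(1)))
    return entries


def check_principals(text, expected):
    """Map each expected principal to 'ok', 'missing' or a case-mismatch note."""
    found = parse_keytab_listing(text)
    by_lower = {name.lower(): name for name in found}
    report = {}
    for spn in expected:
        if spn in found:
            report[spn] = "ok"
        elif spn.lower() in by_lower:
            # Same name apart from case: this keytab entry will not match the request.
            report[spn] = "case mismatch: keytab has " + by_lower[spn.lower()]
        else:
            report[spn] = "missing"
    return report


if __name__ == "__main__":
    expected = [
        "HTTP/easyvista_webserver_name@YOURDOMAIN.COM",
        "HTTP/easyvista_webserver_name.yourdomain.com@YOURDOMAIN.COM",
        "HTTP/other_host@YOURDOMAIN.COM",
    ]
    for spn, status in check_principals(SAMPLE_LISTING, expected).items():
        print(f"{status:<10} {spn}")
```

To use it on a real server, pass the captured output of `klist -k` on your keytab file as `text` and list the principals your web server must answer for in `expected`.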
Errors when using kvno
Check that the encryption defined in ktpass is compliant with both the LDAP /AD server and
the Linux web server. For example, with Windows 2003, RC4-HMAC-NT should be used
instead of DES-xxx encryptions.
Others
Check that the clocks are synchronized between the LINUX Web server and the
KERBEROS web server, using NTP servers for example. Servers whose clocks are not
accurately synchronized will not be able to do automatic authentication, or this authentication
will succeed only at random.
Z.15. Troubleshooting
Z.15.1. SSO not working
Check that the requested information is available in the cookie, header or request.
-ip
-port
-account
List all the Integration model names that you can use with the MODELNAME
Success
Missing parameters