Server post-installation tasks

Check a server installation

Installation logs

Check the installation logs before running any tests:

%installdir%\InstallTemp

Server and agent acceptance tests

  1. In Administrative Tools, open Services.

  2. Check that the following services have the status Started and startup is set to Automatic.

    • DimensionsCM:

      OpenText Common Tomcat
      Dimensions Listener Service
      License Server
      
    • Oracle Enterprise:

      Oracle<oracle_service_name>TNSListener
      OracleService<oracle_service>
      
    • SQL Server:

      SQL Service <instance_name>

    Note:  

    • If the Dimensions Listener Service fails to start automatically on reboot, start it manually once the RDBMS database service has started.

    • The default Oracle<oracle_service_name>TNSListener is: OracleDimensionsTNSListener

    • The default OracleService<oracle_service> is: OracleServiceDIM14

  3. Open the Windows task manager and check for the following processes:

    • DimensionsCM

      dimensions_service.exe
      dmappsrv.exe (Oracle only)
      dmappsrvm.exe (SQL Server only)
      dmemail.exe
      dmlsnr.exe
      dmpool.exe

      There are multiple instances of dmappsrv.exe.

    • Oracle Enterprise:

      oracle.exe
      TNSLSNR.EXE
    • SQL Server:

      sqlserver.exe
  4. Open a command prompt, enter dmcli, and log in to CM. The output should be the Dimensions CM version number followed by a Dimensions> prompt.

  5. Enter exit to return to the command prompt.

Check a database installation

  • (Oracle only) Add the connection details to tnsnames.ora.
  • (SQL Server only) Create an ODBC DSN connecting you to the database containing the schema. For details, see Prepare local and remote nodes.
  • The file %installdir%\dfs\listener.dat contains the following default values:

    -dsn cm_typical@dim14
    -initial 0

    Edit the -dsn entry to be the <database>@<dsn> for the database containing the schema and restart the Dimensions Listener Service.

  • Run the Dimensions CM dmpasswd utility against the schema you plan to use, for example:

    dmpasswd cm_typical@dim14 -add -pwd cm_typical

    For a Dimensions CM plus schema installation, the installer performs this step automatically. You normally need to run it only for additional base databases in such an installation.

    For details about dmpasswd, see the Administration Guide.

  • To start the server as dmsys rather than as the user with local administrative rights who installed it, see Start a server in restricted mode.

  • If you installed or configured an SSO server and configured a smart card, see Log in to desktop client.

Start a server in restricted mode

By default the CM service, Dimensions CM Listener, is owned by the user with local administrative rights who installed the product. You can change the owner to the CM system administrator.

  1. In Administrative Tools, open Services.

  2. Shut down the Dimensions CM Listener Service.

  3. Log out as the user with local Windows administrative rights and log back in as the system administrator.

  4. Navigate to:

    %installdir%\dfs
    
  5. Add the following entries to the file listener.dat:

    -user <DSA_username>
    -restricted_mode
    

    where <DSA_username> is the system administrator who runs the listener on the server (typically dmsys).

  6. Restart the listener service.

Important: When running a server in restricted mode, area/remote node authentication credentials are not used. In restricted mode files in a remote area are owned by the user running the dmpool process (by default dmsys), regardless of which user-id is set for the area or specified in remote node authentication.

License OpenText Dimensions CM

For details on managing licenses with the AutoPass License Server (APLS), see Licensing.

Note: Dimensions CM no longer supports licensing with SLM.

Register base databases

Every base database that connects to CM must be registered using the dmpasswd utility. Registration is automatic for the base database that you select during installation. The default password is cm_typical for the Qlarius demonstration product.

  • To register other base databases:

    dmpasswd <basedb>@<connect_string> -add -pwd <password>
    
  • To change the password assigned to a base database:

    dmpasswd <basedb>@<connect_string> -mod
    

    You need to specify the old password and then the new one.

Database administration acceptance tests

  1. Run the dmdba spac command (available for Oracle Enterprise only) and verify that the output is correct.

  2. Run the dmdba lsdb command and verify that the output is correct.

  3. Run the Dimensions CM UREG and XREG commands to verify that you can create and drop users.

For information about the commands, see the Administration Guide.

Command-line acceptance tests

Run these tests from a valid Dimensions CM user account.

  1. Open a command prompt, enter dmcli, and log in to CM.

  2. Run the LWS command and verify that a list of projects is returned.

  3. Run the SCWS command and verify that the correct project details are displayed.

  4. Run the LWSD /RECURSIVE command and verify that a list of project directories and items is displayed.

Multi-homed servers

Note: The term "multi-homed server" should not be confused with Oracle-multiple-home installations.

Certain types of server platform (usually called "multi-homed") have more than one network adapter card and therefore more than one TCP/IP address.

Dimensions CM Make requires a TCP/IP address to enable communication between the Dimensions CM client and server processes. For Make to work on a client accessing a server on a multi-homed server, specify the appropriate TCP/IP address on the server by setting the MCX_LISTEN symbol in the %installdir%\dm.cfg command file.

Install Dimensions published views

Published views are automatically installed if you select the Typical, Stream Development or Typical, Non-Stream Development process models during installation.

To re-install and re-grant published views to report users for each database:

  1. Log in to dmdba as the Dimensions CM RDBMS administrator.

    • Oracle Enterprise: system

    • SQL Server: pcms_sys

  2. Enter the following commands:

    delv <basedb>
    insv <basedb>
    grtv <basedb> <basedb_report_user_name>
    

    For example:

    grtv intermediate intermediate_rept

    or

    grtv cm_typical cm_typical_rept
    

    This initial invocation of grtv sometimes results in an error stream starting with:

    SQL-1E36-40(00B0FE60) ORA-00955: name is already used by an existing object
    

    You can safely ignore these errors.

  3. Enter the following command:

    rekv <basedb> <basedb_report_user_name>

    The following message should return:

    Report views have been successfully revoked.
  4. Enter the following command:

    grtv <basedb> <basedb_report_user_name>

    The following message should return:

    Report views have been successfully granted.
  5. Repeat this procedure for all report users in every base database on your server.

For more information about published views see the Reports Guide.

Set configuration variables

All Dimensions CM configuration variables are specified in the dm.cfg server file in the folder %installdir%. You do not need to modify this file unless you want to customize your environment. See the Administration Guide for details.

Web client acceptance tests

  1. Log in to the web client:

    Start | Dimensions <version> | Web Client

  2. Click the Items tab and check that you can navigate around the project folder structure.

  3. Check that you can browse items.

  4. Check that the item history for items can be displayed.

Administration Console acceptance tests

  1. Log in to the Administration Console:

    Start | Dimensions <version> | Administration Console

  2. Select a valid product and navigate to the Object Type Definitions section.

  3. Verify that each of the lists of items and baselines are displayed and correct.

  4. Select the Lifecycles section for a specified item type and verify that the details shown are correct and can be navigated.

File system considerations for server binaries

Server binaries should be installed on a Windows Server NTFS file system.

Note: After installation of the binaries an administrator needs to secure server components and verify that all data files have the required access privileges, specifically they cannot be deleted by ordinary users. The administrator must be familiar with the workings of Dimensions CM and Windows server security policies. They must also guarantee that all changes to the access privileges are noted and tested to ensure that Dimensions CM continues to function correctly.

The following assets should be protected:

  • Dimensions CM repository:

    • Database files

    • Product item libraries

  • Executables and DLLs:

    All files in %installdir%\prog

  • Windows registry
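
One way to check that ordinary users cannot delete or alter files under %installdir%\prog, shown as an added example that is not part of the OpenText documentation. The function name Get-RiskyAce, the default trusted-principal list and the temporary demo folder are assumptions; pass the real folder and add your listener service account to -Trusted.

```powershell
# Added example (not vendor code): list Allow ACEs that let an untrusted
# principal delete, modify or re-permission files under a folder tree.
function Get-RiskyAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals allowed to hold write/delete rights (assumed defaults).
        # Add the listener service account, for example dmsys, when calling.
        [string[]]$Trusted = @('BUILTIN\Administrators',
                               'NT AUTHORITY\SYSTEM',
                               'NT SERVICE\TrustedInstaller')
    )
    # Specific rights that allow deleting or tampering with a file.
    $risky = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership'
    # GENERIC_ALL and GENERIC_WRITE can appear unmapped in inherit-only ACEs.
    $generic = 0x10000000 -bor 0x40000000

    # Audit the folder itself and everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Trusted -contains $who) { continue }
            $bits = [int]$ace.FileSystemRights
            if (($bits -band $risky) -or ($bits -band $generic)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Demo on a constructed folder standing in for %installdir%\prog.
$demo = Join-Path $env:TEMP 'cm_prog_demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'placeholder.dll'
Set-Content -LiteralPath $file -Value 'constructed sample file'

# Deliberately grant BUILTIN\Users Modify so the audit has something to report.
$acl  = Get-Acl -LiteralPath $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users', 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $file -AclObject $acl

Get-RiskyAce -Path $demo | Format-Table -AutoSize
```

Record the output before and after any permission change so that the changes can be noted and tested as the note above requires.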

SQL Server Enterprise memory usage

When you start SQL Server Enterprise, memory usage may continue to increase even when activity on the server is low. This is normal behavior for the SQL Server buffer pool and does not indicate a memory leak. For details, see the Knowledge Base Article 321363 in the Microsoft help.

Directories for process model demo products

Check that the following top-level deployment folders were created for the Qlarius demo product. If not, create them manually:

C:\CM_Workarea\cm_typical\DEV
C:\CM_Workarea\cm_typical\LIVE
C:\CM_Workarea\cm_typical\PREPOD
C:\CM_Workarea\cm_typical\QA
C:\CM_Workarea\cm_typical\SIT
C:\CM_Workarea\cm_typical\WORK

Configure trusted certificate authorities

For SSO and smart card installations, the most important part of authentication by certificate is checking that the certificate was issued by a trusted Certificate Authority (CA). To configure CAs correctly, you need your own certificate authority, which can be a CA on a Microsoft Domain Controller or an external CA based on OpenSSL.

Store or add a certificate in a Java Key Store

The standard Java tool "keytool" can be used to perform various operations with Java Key Store (*.JKS).

To create a new keystore or add a new certificate to an existing keystore, use the following command:

"%JAVA_HOME%\bin\keytool" -import -keystore <your_keystore_file_name> -storepass <your_keystore_password> -file <cert_to_import> -alias <your_cert_alias>

where

<your_keystore_file_name> Is the existing or new keystore file name to which the certificate is added.
<your_keystore_password> Is the password for the keystore.
<cert_to_import> Is the certificate to be added to the keystore. Can be *.PEM, *.CER (Base64 or DER encoded), or *.CRT.
<your_cert_alias> Is the alias of the certificate in the keystore. Each certificate in the keystore has a unique alias/name.

Configure truststore in the security server identity provider

Specify one or more keystore and certificate aliases from the keystores in the X509-LDAP (or X509-BASE) authenticators of the IDP. Edit the main IDP configuration file located at:

<TOMCAT_HOME>\webapps\idp\WEB-INF\conf\Configuration.xml

The following sample and template show how to configure trusted CAs. Pay special attention to the CertificateIssuerTrustMatcher section.

<Setting Name="serena-ldap-authenticator" Type="htf:map">
  <Setting Name="Provider" Type="xsd:string">X509-LDAP</Setting>
  <Setting Name="CertificateMustExistInLDAP" Type="xsd:boolean">false</Setting>
  <Setting Name="CertificateAttributeName" Type="xsd:string"></Setting>
  <Setting Name="SearchFilter" Type="xsd:string">(objectclass=*)</Setting>
  <Setting Name="CompatibleRequestMatchers" Type="htf:namedlist">
    <Setting Name="CredentialsTypeMatcher" Type="xsd:string">X509</Setting>
    <Setting Name="AuthenticationTypeMatcher" Type="xsd:string">*</Setting>
    <Setting Name="CertificateIssuerDNMatcher" Type="xsd:string">*</Setting>
    <Setting Name="CertificateIssuerTrustMatcher" Type="htf:map">
      <!-- Sample Entry -->
      <Setting Name="serena-truststore" Type="htf:keystore">
        <Setting Name="Type" Type="xsd:string">JKS</Setting>
        <Setting Name="File" Type="htf:file">serenaca.jks</Setting>
        <Setting Name="Password" Type="xsd:string">changeit</Setting>
      </Setting>
      <Setting Name="serenaca" Type="htf:certificate">
        <Setting Name="KeyStoreName" Type="xsd:string">serena-truststore</Setting>
        <Setting Name="Alias" Type="xsd:string">serenaca</Setting>
      </Setting>
      <!-- Template Entry -->
      <Setting Name="[your_keystore_alias]" Type="htf:keystore">
        <Setting Name="Type" Type="xsd:string">JKS</Setting>
        <Setting Name="File" Type="htf:file">[your_keystore_file_name]</Setting>
        <Setting Name="Password" Type="xsd:string">[your_keystore_password]</Setting>
      </Setting>
      <Setting Name="[your_certificate_alias(2)]" Type="htf:certificate">
        <Setting Name="KeyStoreName" Type="xsd:string">[your_keystore_alias]</Setting>
        <Setting Name="Alias" Type="xsd:string">[your_certificate_alias]</Setting>
      </Setting>
    </Setting>
  </Setting>
  <Setting Name="JNDI.Environment" Type="htf:map">
    <Setting Name="java.naming.factory.initial" Type="xsd:string">com.sun.jndi.ldap.LdapCtxFactory</Setting>
    <Setting Name="java.naming.provider.url" Type="xsd:string">ldap://serena.com:389</Setting>
    <Setting Name="java.naming.security.authentication" Type="xsd:string">simple</Setting>
    <Setting Name="java.naming.security.principal" Type="xsd:string">ldapuser</Setting>
    <Setting Name="java.naming.security.credentials" Type="xsd:string">changeit</Setting>
  </Setting>
</Setting>

where:

[your_keystore_alias] Is any unique keystore name/alias, for example: my_company_ca_store
[your_keystore_file_name] Is the existing keystore filename, full path, or relative path to the folder where Configuration.xml is located.
[your_keystore_password] Is the keystore password.
[your_certificate_alias] Is the existing certificate alias from [your_keystore_file_name].
[your_certificate_alias(2)] Is any unique certificate name/alias, for example: my_company_ca-01. Can be the same as [your_certificate_alias].

Important: After upgrading, if you use custom certificates with passwords that are not the default, you need to update the configuration file shown above. The pre-14.x file is saved in the Tomcat 8.5 folder as:

backup_config.pre<current CM version number>

Default password: changeit
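
A review script for the trusted-CA settings described above, shown as an added example that is not part of the OpenText documentation. It flags keystores still using the default password, certificate entries whose KeyStoreName matches no defined keystore, and LDAP lookups using a simple bind over ldap://. The function name Test-IdpTrustConfig and the sample XML are constructed, the sample omits CompatibleRequestMatchers for brevity, and the XPath queries assume the file declares no default XML namespace.

```powershell
# Added example (not vendor code): audit trusted-CA settings in an IdP
# Configuration.xml. The XML further down is a constructed sample.
function Test-IdpTrustConfig {
    param([Parameter(Mandatory)][string]$XmlText)

    $doc = [xml]$XmlText
    $findings = New-Object System.Collections.Generic.List[object]

    # Text of a named child <Setting>, or nothing when it is absent.
    function Get-Child($node, $name) {
        $c = $node.SelectSingleNode("Setting[@Name='$name']")
        if ($null -ne $c) { $c.InnerText.Trim() }
    }
    function Add-Finding($item, $issue) {
        $findings.Add([pscustomobject]@{ Item = $item; Issue = $issue })
    }

    # 1. Keystores still protected by the default password.
    $stores = @{}
    foreach ($ks in $doc.SelectNodes("//Setting[@Type='htf:keystore']")) {
        $name = $ks.GetAttribute('Name')
        $stores[$name] = $true
        if ((Get-Child $ks 'Password') -ceq 'changeit') {
            Add-Finding $name 'keystore uses the default password'
        }
    }

    # 2. Certificate entries that point at a keystore that is not defined.
    foreach ($cert in $doc.SelectNodes("//Setting[@Type='htf:certificate']")) {
        $name = $cert.GetAttribute('Name')
        $ref  = Get-Child $cert 'KeyStoreName'
        if (-not $ref -or -not $stores.ContainsKey($ref)) {
            Add-Finding $name "KeyStoreName '$ref' is not a defined keystore"
        }
        if (-not (Get-Child $cert 'Alias')) {
            Add-Finding $name 'certificate entry has no Alias'
        }
    }

    # 3. LDAP lookups that use a simple bind without TLS.
    foreach ($jndi in $doc.SelectNodes("//Setting[@Name='JNDI.Environment']")) {
        $url  = Get-Child $jndi 'java.naming.provider.url'
        $auth = Get-Child $jndi 'java.naming.security.authentication'
        if ($url -like 'ldap://*' -and $auth -eq 'simple') {
            Add-Finding $url 'simple bind over ldap:// exposes the bind password on the network'
        }
    }
    $findings
}

# Constructed sample: default password, a mistyped KeyStoreName, cleartext LDAP.
$sample = @'
<Setting Name="sample-authenticator" Type="htf:map">
  <Setting Name="CertificateIssuerTrustMatcher" Type="htf:map">
    <Setting Name="my_company_ca_store" Type="htf:keystore">
      <Setting Name="Type" Type="xsd:string">JKS</Setting>
      <Setting Name="File" Type="htf:file">my_company_ca.jks</Setting>
      <Setting Name="Password" Type="xsd:string">changeit</Setting>
    </Setting>
    <Setting Name="my_company_ca-01" Type="htf:certificate">
      <Setting Name="KeyStoreName" Type="xsd:string">my_company_store</Setting>
      <Setting Name="Alias" Type="xsd:string">my_company_ca-01</Setting>
    </Setting>
  </Setting>
  <Setting Name="JNDI.Environment" Type="htf:map">
    <Setting Name="java.naming.provider.url" Type="xsd:string">ldap://ldap.example.test:389</Setting>
    <Setting Name="java.naming.security.authentication" Type="xsd:string">simple</Setting>
  </Setting>
</Setting>
'@
Test-IdpTrustConfig -XmlText $sample | Format-Table -AutoSize -Wrap
```

To check a real file, pass its content with Get-Content -Raw and the path to your own Configuration.xml.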

Dual authentication

Dimensions CM supports dual username/password and smart card authentication.

For all other smart card users, it is often company best practice or mandated policy to ensure that such users do not have optional access to username/password authentication. In such circumstances, the operating system administrator should either:

  • (Recommended) Never assign such users username/password authentication in the first place, or

  • Ensure that username/password authentication is removed from all normal smart card users who have such authentication. For example, users with usernames that existed before smart card authentication was introduced.

Establish a Certificate Revocation List

A Certificate Revocation List (CRL) is one of the common methods a public key infrastructure uses to maintain user access to servers in a network. The other, newer method, which has superseded CRL in some cases, is Online Certificate Status Protocol (OCSP).

The CRL is a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reasons for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. When a potential user attempts to access a server, the server allows or denies access based on the CRL entry for that particular user. As part of smart card authentication, you have the option of comparing user certificates against one or more CRLs.

The main limitation of a CRL is that updates must be frequently downloaded to keep the list current. OCSP overcomes this limitation by checking certificate status in real time.

Add smart card authentication

To add smart card authentication support to a server after installing Dimensions CM with SSO:

  1. Open this file in an XML or text editor:

    <TOMCAT_HOME>\webapps\idp\WEB-INF\conf\fedsvr-core-config.xml
    
  2. Locate the AllowedPrincipalAuthenticationTypes parameter and add CLIENT_CERT to it. This enables the Smart Card Login button. The parameter should look like this:

    <parameter name="AllowedPrincipalAuthenticationTypes" Type="xsd:string">CLIENT_CERT</parameter>
    
  3. Save the file.

  4. Open this file:

    <TOMCAT_HOME>\webapps\idp\WEB-INF\conf\Configuration.xml
    
  5. Uncomment the X.509 authenticators by removing the <!--X509-NAME and X509-NAME--> markup. For example, remove the following markup to uncomment the X509-BASE, X509-LDAP, or X509-CRL authenticator:

    <!--X509-BASE ... X509-BASE-->
    <!--X509-LDAP ... X509-LDAP-->
    <!--X509-CRL ... X509-CRL-->
    
  6. Configure the Certificate Authorities (CA) in the X509-BASE and X509-LDAP authenticators. For details, see Configure trusted certificate authorities.

    For the X509-LDAP authenticator, the following parameters must be substituted:

    $X509_LDAP_HOST
    $X509_LDAP_USER
    $X509_LDAP_PASSWORD
    

    By default, the installer configures the X509-LDAP authenticator when the smart card option is selected.

  7. The X509-CRL authenticator can be used in addition to X509-BASE or X509-LDAP. Substitute the $X509_CRL_PATH parameter. The specified folder must contain *.CRL files.

  8. Save the Configuration.xml file.

  9. Restart the OpenText Common Tomcat Service.

This Configuration.xml file contains the following commented-out example of an authenticator. To use it, remove the comments and substitute the variables appropriate to your setup:

<!-- =========================================================== -->
<!-- CRL validator against file based Certificate Revocation List -->
<!-- =========================================================== -->
<!--X509-CRL
<Setting Name="serena-crl-validator" Type="htf:map">
  <Setting Name="Provider" Type="xsd:string">X509-CRL</Setting>
  <Setting Name="CompatibleRequestMatchers" Type="htf:namedlist">
    <Setting Name="CredentialsTypeMatcher" Type="xsd:string">X509</Setting>
    <Setting Name="AuthenticationTypeMatcher" Type="xsd:string">*</Setting>
    <Setting Name="CertificateIssuerDNMatcher" Type="xsd:string">*</Setting>
  </Setting>
  <Setting Name="CRLDir" Type="xsd:string">$X509_CRL_PATH</Setting>
  <Setting Name="CacheFileName" Type="xsd:string">crl_cache.xml</Setting>
  <Setting Name="RefreshPeriod" Type="xsd:string">1200</Setting>
</Setting>
X509-CRL-->

SBM smart card configuration symbols

If you are only installing the SSO component to work in conjunction with SSO and smart card located on a Solutions Business Manager (SBM) installation, add the following SSO entries manually to the server dm.cfg file and restart the listener.

If you configure smart card setup when you install an SSO server, the configuration symbols are automatically added to the dm.cfg file and assigned values:

  • SSO_SERVER_CERTIFICATE

  • SSO_SERVER_PRIVATE_KEY

  • SSO_SERVER_PRIVATE_KEY_PASSWORD

See the Administration Guide for details.

Integrate with Dimensions RM

To use the integration between Dimensions CM and Dimensions RM, edit the RM server rmcm.xml file to provide the CM server URL.

  1. On the Dimensions RM web server machine, go to:

    <RM-Install-Directory>\conf
    
  2. Open the following configuration file in a text editor:

    rmcm.xml
    

    This file has the following lines:

    <project>
    <!-- CMServer url="http://localhost:8080" -->
    <CMServer url="" />
    </project>
    
  3. Update the Dimensions CM URL with the correct server information. If CM is installed on the same machine as the RM web server and was installed with the default port number 8080, the commented-out URL on the preceding line is correct.

Create user accounts

Create Windows operating system user accounts for each user in the sample process model you installed.

Specify a whitelist of CM server connections

You can control which CM servers users can connect to by specifying a whitelist of base database and DSN combinations. All other connections are rejected.

  1. Open the server listener file:

    %installdir%\dfs\listener.dat
    
  2. Add the following parameter:

    -dsn_whitelist <basedatabase@DSN connection>,<basedatabase@DSN connection>...
    

    For example:

    -dsn_whitelist cm_typical@dim14,intermediate@dim14
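
A check of listener.dat for the two hardening options this page describes, -restricted_mode with -user (see Start a server in restricted mode) and -dsn_whitelist, shown as an added example that is not part of the OpenText documentation. The function name Test-ListenerConfig and the sample content are constructed. That the listener's own -dsn should appear in the whitelist is an assumption drawn from "All other connections are rejected"; confirm it against the Administration Guide.

```powershell
# Added example (not vendor code): check listener.dat-style options for the
# restricted-mode and -dsn_whitelist settings described on this page.
function Test-ListenerConfig {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    # Parse "-name value" and bare "-flag" lines into a lookup table.
    $opts = @{}
    foreach ($line in $Lines) {
        if ($line.Trim() -match '^-(\S+)(?:\s+(.*))?$') {
            $opts[$Matches[1]] = ([string]$Matches[2]).Trim()
        }
    }
    function New-Result($check, $ok, $detail) {
        [pscustomobject]@{ Check = $check; OK = $ok; Detail = $detail }
    }

    # Restricted mode needs both -restricted_mode and a -user to run as.
    $restricted = $opts.ContainsKey('restricted_mode')
    $user = $opts['user']
    if ($restricted -and $user) {
        New-Result 'restricted_mode' $true "listener runs as '$user'"
    } elseif ($restricted) {
        New-Result 'restricted_mode' $false '-restricted_mode is set without -user'
    } else {
        New-Result 'restricted_mode' $false 'not set; listener is owned by the installing administrator'
    }

    # Whitelist entries must each have the form <basedb>@<dsn>.
    if (-not $opts.ContainsKey('dsn_whitelist')) {
        New-Result 'dsn_whitelist' $false 'not set; connections are not limited to a list'
        return
    }
    $entries = @($opts['dsn_whitelist'] -split ',' | ForEach-Object { $_.Trim() })
    $bad = @($entries | Where-Object { $_ -notmatch '^[^@\s]+@[^@\s]+$' })
    if ($bad.Count) {
        New-Result 'dsn_whitelist' $false ('malformed entries: ' + ($bad -join ', '))
    } else {
        New-Result 'dsn_whitelist' $true ('allows: ' + ($entries -join ', '))
    }

    # Assumption: the listener's own -dsn should be on the list.
    $dsn = $opts['dsn']
    if ($dsn) {
        $listed = $entries -contains $dsn
        New-Result 'dsn in whitelist' $listed "-dsn is '$dsn'"
    }
}

# Constructed sample: the third whitelist entry is missing its '@'.
$sample = @'
-dsn cm_typical@dim14
-initial 0
-user dmsys
-restricted_mode
-dsn_whitelist cm_typical@dim14,intermediate@dim14,qlarius_dim14
'@ -split "`r?`n"

Test-ListenerConfig -Lines $sample | Format-Table -AutoSize
```

For a live server, pass the output of Get-Content on your own listener.dat as -Lines.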

Deployment automation tasks

If you previously installed CM and Deployment Automation (DA) together and then upgraded them using the CM 14.5.1 or later server installers, edit the CM configuration file (dm.cfg) and change the following line:

DM_SDA_URL %DM_WEB_URL%/serena_ra

to

DM_SDA_URL %DM_WEB_URL%/da