Вы находитесь на странице: 1из 715

EMC Documentum

Content Server
Version 6.7

Administration and Configuration Guide

EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind
with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness
for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks
used herein are the property of their respective owners.
Copyright 2011 EMC Corporation. All rights reserved.

Table of Contents

Preface

................................................................................................................................ 27

Chapter 1

Administration and Configuration Tools .....................................................


Introduction .....................................................................................................
Documentum Administrator .............................................................................
Logging in to Documentum Administrator ....................................................
The System Information page ........................................................................
Determining the Documentum Administrator version ...................................
Preferences...................................................................................................
Content Server Manager ...................................................................................
Starting Content Server Manager ...................................................................
Tool suite .........................................................................................................

31
31
32
32
33
35
35
36
36
36

Chapter 2

Managing Connection Brokers ....................................................................


Connection brokers...........................................................................................
The connection broker initialization file .............................................................
Invoking the initialization file ........................................................................
Configuring shutdown security (UNIX only) ..................................................
Restricting server access ................................................................................
Translating IP addresses................................................................................
Connection broker projection targets .................................................................
Server proximity...............................................................................................
Restarting a connection broker ..........................................................................
Adding a connection broker for one session .......................................................
Implementing connection broker failover ..........................................................
Starting additional connection brokers ...............................................................
Shutting down connection brokers.....................................................................
Stopping multiple connection brokers on UNIX ..............................................
Requesting connection broker information .........................................................

39
39
40
41
41
41
42
43
43
44
44
45
45
46
47
48

Chapter 3

Managing Content Servers ..........................................................................


Content Servers ................................................................................................
Starting a server ...............................................................................................
Configuring licenses .........................................................................................
Enabling a feature or product ........................................................................
Tracking software usage and AMP .....................................................................
Managing Content Servers ................................................................................
Adding or modifying Content Servers ...........................................................
Duplicating a server configuration object .......................................................
Modifying general server configuration information .......................................
Creating or modifying connection broker projections ......................................

51
51
52
53
53
53
54
55
56
57
62

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Chapter 4

Creating or modifying network locations ......................................................


Creating or modifying application servers ......................................................
Creating or modifying cached types...............................................................
Creating or modifying locations ....................................................................
Creating or modifying far stores ....................................................................
Viewing server and connection broker log files ...............................................
Deleting a server configuration object ............................................................
Configuring a server as a process engine ........................................................
Disabling a process engine server ..................................................................
Internationalization ......................................................................................
The server.ini file ..............................................................................................
Modifying the server.ini file ..........................................................................
SERVER_STARTUP section keys....................................................................
concurrent_sessions ..................................................................................
database_refresh_interval .........................................................................
data_store and index_store .......................................................................
umask ......................................................................................................
DOCBROKER_PROJECTION_TARGET section keys ......................................
FUNCTION_SPECIFIC_STORAGE and TYPE_SPECIFIC_
STORAGE sections .......................................................................................
FUNCTION_EXTENT_SIZE and TYPE_EXTENT_SIZE sections ......................
Managing additional Content Servers ................................................................
Server load balancing and failover .....................................................................
Shutting down a server .....................................................................................
Shutting down a server running on Windows .................................................
Shutting down a server running on UNIX ......................................................
Creating a shut-down script .........................................................................
Clearing the server common area .......................................................................
Managing the JBoss application server ...............................................................
Starting and stopping the JBoss application server ..........................................
Server log files ..................................................................................................
The dm_error utility .........................................................................................
Improving performance on Oracle and DB2 databases ........................................

63
64
65
65
66
67
67
68
68
69
70
70
71
81
82
82
83
84

Managing Repositories ...............................................................................


Repositories .....................................................................................................
Managing repositories ......................................................................................
Viewing or modifying the repository configuration.........................................
Modifying repository synchronization .........................................................
Enabling a repository as a global registry .....................................................
Repository content ..........................................................................................
Windows domain authentication for UNIX repositories ....................................
Creating or modifying a domain map ..........................................................
Defining a domain ......................................................................................
Modifying users for Windows domain authentication ...................................
Type indexes ..................................................................................................
Date values ....................................................................................................
Moving or duplicating a repository..................................................................
Supporting object types...............................................................................
Dumping objects under retention ................................................................
Aspects and dump operations .....................................................................
Dumping an entire repository .....................................................................
Dumping specific objects.............................................................................

93
93
94
94
100
101
102
103
103
104
104
105
106
106
106
107
107
107
108

84
85
86
87
87
87
88
88
89
89
89
90
90
91

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Setting the type property.........................................................................


Setting the predicate properties ...............................................................
Content files and dumping ..........................................................................
Dumping without content .......................................................................
Including content ...................................................................................
Compressing content ..............................................................................
Setting the cache size ..................................................................................
Using non-restartable dump .......................................................................
Using a script to create a dump file ..............................................................
Sample script for a full repository dump with content included ................
Sample script for a partial repository dump .............................................
If the server crashes during a dump operation ..............................................
Moving the dump file .................................................................................
Loading a repository ...................................................................................
Refreshing repository objects from a dump file .........................................
Loading job objects .................................................................................
Loading registered tables ........................................................................
Turning off save event generation during load operations .........................
Loading a new repository .......................................................................
The preLoad utility ............................................................................
Load procedure for new repositories........................................................
DocApps ................................................................................................
Generating dump and load trace messages ...................................................
Repository maintenance ..................................................................................
Checking consistency ......................................................................................
Running the job from a command line .........................................................
Adding repositories ........................................................................................
Federations ....................................................................................................
Creating or modifying federations ...............................................................
Adding or deleting federation members .......................................................
Deleting Federations ...................................................................................
Connecting to the governing repository or a federation member ....................
Choosing user subtypes ..............................................................................
Choosing repository federation members .....................................................

108
109
110
110
110
111
111
111
111
112
112
114
114
114
115
115
116
116
116
117
117
118
118
119
120
121
126
126
127
128
129
129
129
130

Chapter 5

Managing Sessions ...................................................................................


The dfc.properties file .....................................................................................
Managing connection requests ........................................................................
Defining the secure connection default for connection requests..........................
Modifying the connection request queue size ..................................................
Stopping a session server ................................................................................

131
131
132
132
133
133

Chapter 6

Managing Java Method Servers ................................................................


Java Method Servers .......................................................................................
Viewing Java method server information .....................................................
Modifying a Java Method Server configuration .............................................
Adding or modifying associated Content Servers .........................................
Viewing active Java method servers .............................................................
Java methods..................................................................................................
Recording Java method output ........................................................................
Deploying Java methods .................................................................................
Adding additional servlets to the Java method server........................................

135
135
136
136
138
138
140
140
141
141

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Chapter 7

Managing LDAP Servers ...........................................................................


LDAP servers .................................................................................................
Viewing LDAP server configurations ...........................................................
Adding or modifying LDAP server configurations ........................................
LDAP Server Configuration properties ....................................................
LDAP Server Sync & Authentication properties ........................................
LDAP Server mapping properties ............................................................
LDAP Server failover properties ..............................................................
Mapping LDAP Servers ..............................................................................
Mapping guidelines ................................................................................
Using Search Builder ..............................................................................
Adding or modifying repository property mapping ..................................
Configuring secondary LDAP servers ..........................................................
Changing the binding password ..................................................................
Forcing LDAP server synchronization ..........................................................
Duplicating LDAP configurations ................................................................
Deleting LDAP configurations .....................................................................
Using LDAP directory servers with multiple Content Servers ........................
LDAP proxy server support ........................................................................
Configuring LDAP synchronization for Kerberos users .................................
LDAP Certificate Database Management ..........................................................
Downloading certificates.............................................................................
Viewing LDAP certificates ..........................................................................
Importing LDAP certificates ........................................................................
Using multiple LDAP servers in SSL mode ...................................................
Replacing or removing LDAP certificates .....................................................

143
143
144
145
146
147
149
150
152
153
153
153
154
154
155
155
155
156
156
157
157
157
158
159
159
160

Chapter 8

Distributed Content Configuration ............................................................


Network locations ..........................................................................................
Creating, viewing, or modifying network locations .......................................
Copying network locations..........................................................................
Deleting network locations ..........................................................................
ACS servers ...................................................................................................
Viewing or modifying the ACS server configuration properties .....................
ACS projections and stores ..........................................................................
Designating connection brokers for an ACS server ........................................
Choosing network locations ........................................................................
BOCS servers .................................................................................................
Creating, viewing, or modifying BOCS servers .............................................
Setting BOCS server security .......................................................................
Setting BOCS server communication protocols .............................................
Deleting BOCS servers ................................................................................
Configuring distributed transfer settings ..........................................................
Messaging server configuration .......................................................................

161
161
162
163
164
165
166
167
169
170
171
171
173
174
175
175
177

Chapter 9

User Management .....................................................................................


Administering users, groups, roles, and sessions ..............................................
Users .............................................................................................................
Locating users ............................................................................................
Creating or modifying users ........................................................................
Creating global users ..................................................................................
Setting default permissions for folders and cabinets ......................................
Importing users ..........................................................................................
Import file format ...................................................................................
Deleting users ............................................................................................

179
179
180
180
181
186
186
187
190
191

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Chapter 10

Reassigning objects to another user ..............................................................


Changing the home repository of a user .......................................................
Activating or deactivating a user account .....................................................
Viewing groups, workflows, alias sets, permission sets, and
documents of a user ....................................................................................
Viewing or deleting change home repository logs .........................................
Viewing user reassign logs ..........................................................................
Reassign reports .........................................................................................
User domain authentication ............................................................................
Groups ..........................................................................................................
Dynamic groups .........................................................................................
Privileged groups .......................................................................................
Locating groups .........................................................................................
Viewing group memberships ......................................................................
Creating, viewing, or modifying groups .......................................................
Adding users, groups, or roles to a group.....................................................
Removing users from a group .....................................................................
Deleting groups ..........................................................................................
Reassigning the objects owned by a group ...................................................
Viewing group reassign logs .......................................................................
Roles .............................................................................................................
Creating, viewing, or modifying roles ..........................................................
Adding users, groups, or roles to a role ........................................................
Reassigning roles ........................................................................................
Deleting roles .............................................................................................
Module roles ..................................................................................................
Creating, viewing, or modifying module roles ..............................................
Reassigning module roles ...........................................................................
Deleting module roles .................................................................................
Sessions .........................................................................................................
Viewing user sessions .................................................................................
Viewing user session information ................................................................
Viewing user session logs............................................................................
Killing user sessions ...................................................................................

191
192
192

Security and Authentication ......................................................................


Object permissions .........................................................................................
Changing default operating system permits on public directories and
files (UNIX only) ............................................................................................
Folder security ...............................................................................................
Additional access control entries......................................................................
Default alias sets .............................................................................................
Access evaluation process ...............................................................................
Permission sets ...............................................................................................
Locating a permission set ............................................................................
Creating, viewing, or modifying permission sets ..........................................
Adding, viewing, or modifying permissions for a permission set ...................
Copying a permission set ............................................................................
Adding users to permission sets ..................................................................
Deleting users from permission sets .............................................................
Deleting a permission set ............................................................................
Assigning basic and extended object permissions .........................................
Permission set associations ..........................................................................
Changing the permissions assigned to a user ................................................

211
211

EMC Documentum Content Server Administration and Configuration 6.7 Guide

193
193
193
194
194
194
195
196
197
198
198
200
200
200
201
201
201
201
203
204
204
204
205
206
206
207
207
207
208
209

213
214
215
216
216
217
218
218
219
221
222
223
223
223
225
225

Table of Contents

Permission set validation.............................................................................


Authenticating in domains ..............................................................................
No-domain required mode ..........................................................................
Domain-required mode...............................................................................
Principal authentication ..................................................................................
Client rights domains..................................................................................
Creating a client rights domain ................................................................
Enabling or disabling a client rights domain .............................................
Deleting a client rights domain ................................................................
Adding member repositories ...................................................................
Viewing repository memberships ............................................................
Removing a member repository from a client rights domain ......................
Privileged clients ............................................................................................
Adding privileged DFC clients ....................................................................
Configuring privileged client trusted login and trusted server
privileges ...................................................................................................
Approving or denying privileged clients ......................................................
Deleting a DFC client and certificate ............................................................
Administrator access sets ................................................................................
Creating, viewing, or modifying administrator access sets .............................
Deleting administrator access sets ................................................................
Managing Authentication Plug-Ins, Signatures, and Encryption Keys ................
Using authentication plug-ins......................................................................
Plug-in scope .........................................................................................
Identifying a plug-in ...............................................................................
Defining a plug-in identifier ................................................................
Using the RSA plug-in ............................................................................
Using the CA SiteMinder plug-in.............................................................
Implementing a custom authentication plug-in .........................................
Writing the authentication plug-in .......................................................
Internationalization ........................................................................
Tracing authentication plug-in operations ................................................
Managing encrypted passwords ..................................................................
Using encryptPassword .........................................................................
Using clear text passwords ......................................................................
Changing an encrypted password............................................................
Implementing signature support .................................................................
Using electronic signatures......................................................................
Customizing electronic signatures ...........................................................
Conguring the number of allowed signatures .....................................
Creating custom signature creation methods and associated
signature page templates ....................................................................
Publishing dynamic information .........................................................
Tracing electronic signature operations ................................................
Setting the Java memory allocation .....................................................
Supporting electronic signatures..............................................................
Customizing simple signoffs ...................................................................
Customizing the signature validation program .....................................
Registering for notification ..................................................................
Querying the audit trail for signoffs .....................................................
Managing encryption keys ..........................................................................
The AEK ................................................................................................
Sharing the AEK or passphrase ...........................................................
The AEK and distributed sites .............................................................
Backing up the AEK............................................................................
Repository encryption keys .....................................................................
Encryption utilities .................................................................................

226
226
227
227
227
228
228
229
229
229
230
231
231
232
233
234
234
234
235
237
237
237
237
238
238
239
239
240
240
241
241
242
242
243
243
245
245
246
246
247
248
249
249
249
250
250
251
251
251
251
252
252
253
253
253

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Using dm_crypto_boot ...........................................................................


Troubleshooting with dm_crypto_create ..................................................
Changing a passphrase ...........................................................................
Managing the login ticket key......................................................................
Exporting and importing a login ticket key ...............................................
Resetting a login ticket key ......................................................................
Kerberos support ............................................................................................
Kerberos authentication ..............................................................................
Determining the Kerberos Service Principal Name (SPN) ..............................
Registering the SPN on the Active Directory and generating the
Keytab file ..................................................................................................
Reinitializing the Content Server .................................................................
Creating Kerberos users in the repository .....................................................

254
254
255
256
256
257
257
257
257

Chapter 11

Logging and Tracing .................................................................................


Introduction ...................................................................................................
Content Server logging and tracing ..................................................................
Tracing from the startup command line........................................................
Using the setServerTraceLevel method .........................................................
Using the SET_OPTIONS method ................................................................
Examples of server tracing ..........................................................................
Determining active tracing options ..............................................................
DFC logging ...................................................................................................
DFC tracing....................................................................................................
Enabling DFC tracing..................................................................................
Logging appender options ..........................................................................
Defining file creation mode .........................................................................
Defining the trace file timestamp format ......................................................
Defining the date format .........................................................................
Configuring method tracing ........................................................................
Tracing users by name ................................................................................
Tracing threads by name .............................................................................
Including the session ID ..............................................................................
Tracing RPC calls .......................................................................................
Including stack trace for exceptions .............................................................
Setting verbosity ........................................................................................
Directing categories to the trace file .............................................................
Log file entry format ...................................................................................
Trace file examples .....................................................................................

261
261
261
262
263
264
264
264
265
265
265
266
267
267
268
269
269
270
270
271
271
271
271
272
273

Chapter 12

Audit Management ....................................................................................


Auditing ........................................................................................................
Audit events...................................................................................................
Audit trails.....................................................................................................
Audit properties .............................................................................................
Events audited by default................................................................................
Disabling or modifying default auditing ......................................................
Auditing by object type ...................................................................................
Choosing a type..........................................................................................
Auditing by object instance .............................................................................
Auditing by events selected for all objects in the repository ...............................
Search audit ...................................................................................................
Audit policies .................................................................................................

275
275
276
276
277
277
278
278
280
280
282
282
284

EMC Documentum Content Server Administration and Configuration 6.7 Guide

258
259
259

Table of Contents

Chapter 13

10

Creating, modifying, or deleting an audit policy ...........................................


Audit Policy example ..................................................................................
Registering audits ...........................................................................................
Adding, modifying, or removing audits ...........................................................
Verifying or purging audit trails ......................................................................
Interpreting audit trails of DFC method, workflow, and lifecycle events .............
Audit trails for events generated by non-workflow or lifecycle
methods .....................................................................................................
Lifecycle audit trails....................................................................................
Workflow audit trails ..................................................................................
Interpreting ACL and group audit trails ...........................................................

284
285
285
287
287
287

Methods and Jobs .....................................................................................


Methods ........................................................................................................
Creating or modifying methods ...................................................................
Importing method content ..........................................................................
Running methods .......................................................................................
Viewing the results of a method ..................................................................
Exporting method content ...........................................................................
Editing method content...............................................................................
Checking in method content ........................................................................
Deleting methods .......................................................................................
Method execution agents ................................................................................
Administration methods .................................................................................
Viewing administration methods .................................................................
Running administration methods ................................................................
CAN_FETCH .........................................................................................
CLEAN_LINKS ......................................................................................
DELETE_REPLICA .................................................................................
DESTROY_CONTENT ............................................................................
EXPORT_TICKET_KEY ..........................................................................
GET_PATH ............................................................................................
IMPORT_REPLICA ................................................................................
IMPORT_TICKET_KEY ..........................................................................
MIGRATE_CONTENT ............................................................................
PURGE_CONTENT ................................................................................
REPLICATE ...........................................................................................
RESTORE_CONTENT ............................................................................
SET_STORAGE_STATE...........................................................................
DB_STATS .............................................................................................
DROP_INDEX ........................................................................................
EXEC_SQL .............................................................................................
FINISH_INDEX_MOVES ........................................................................
GENERATE_PARTITION_SCHEME_SQL................................................
MAKE_INDEX .......................................................................................
MOVE_INDEX .......................................................................................
ESTIMATE_SEARCH..............................................................................
MARK_FOR_RETRY ..............................................................................
MODIFY_TRACE ...................................................................................
GET_LAST_SQL .....................................................................................
LIST_RESOURCES .................................................................................
LIST_TARGETS ......................................................................................
SET_OPTIONS .......................................................................................
RECOVER_AUTO_TASKS ......................................................................
WORKFLOW_AGENT_MANAGEMENT ................................................
Administration Methods Results Page .....................................................

303
303
303
307
307
308
309
309
310
310
311
311
312
312
313
314
314
315
316
316
317
318
318
323
324
325
326
327
327
328
328
329
331
332
333
333
334
335
335
336
337
338
339
340

288
293
293
300

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Choosing a file on the server file system ...................................................


Jobs ...............................................................................................................
Job descriptions ..........................................................................................
ACL replication (dm_ACLReplication) ....................................................
ACL replication (dm_ACLRepl_repository) ...............................................
Asynchronous Write (dm_AsynchronousWrite) ........................................
Audit management (dm_AuditMgt) ........................................................
Consistency checker (dm_ConsistencyChecker) ........................................
Content replication (dm_ContentReplication) ...........................................
Content warning (dm_ContentWarning) ..................................................
Data dictionary publisher (dm_DataDictionaryPublisher) .........................
Database space warning (dm_DBWarning) ...............................................
Distributed operations (dm_DistOperations) ............................................
Archive (dm_DMArchive) .......................................................................
Dmclean (dm_DMClean) ........................................................................
Dmfilescan (dm_DMfilescan) ..................................................................
Federation copy (dm_FederationCopy) ....................................................
Federation export (dm_FederationExport) ................................................
Federation import (dm_FederationImport) ...............................................
Federation status (dm_FederationStatus)..................................................
Federation update (dm_FederationUpdate) ..............................................
File report (dm_FileReport) .....................................................................
Group rename (dm_GroupRename and dm_GroupRename_Java) .............
LDAP synchronization (dm_LDAPSynchronization).................................
Log purge (dm_LogPurge) ......................................................................
Queue management (dm_QueueMgt) ......................................................
Remove expired retention objects
(dm_RemoveExpiredRetnObjects) ...........................................................
Rendition manager (dm_RenditionMgt) ...................................................
SCS log purge (dm_SCSLogPurgeJob) ......................................................
State of repository report (dm_StateOfDocbase)........................................
Swap info (dm_SwapInfo) .......................................................................
Update statistics (dm_UpdateStats) .........................................................
Usage tracking (dm_usageReport) ...........................................................
User change home repository (dm_UserChgHomeDb and
dm_UserChgHomeDB_Java) ...................................................................
User rename (dm_UserRename and dm_UserRename_Java) .....................
Version management (dm_VersionMgt) ...................................................
WfmsTimer (dm_WfmsTimer) ................................................................
Creating a job .............................................................................................
Changing the schedule of a job ....................................................................
Setting the qualifier rules for the remove retention-expired objects job ............
Assigning a method to a job ........................................................................
Locating a method for a job .........................................................................
Creating, viewing, or modifying SysObject properties ...................................
Creating replication jobs .............................................................................
Selecting the source repository for a replication job ...................................
Selecting the target repository for a replication job ....................................
Setting replication job options .................................................................
Choosing a replication folder...................................................................
Choosing a replication job user ................................................................
Choosing a permission set for replica objects ............................................
Choosing a storage area ..........................................................................
Choosing replication and security modes .................................................
Creating records migration jobs ...................................................................
Setting the rules of a records migration job ...............................................
Defining selection criteria for a records migration job................................
Defining version criteria for records migration job ....................................

EMC Documentum Content Server Administration and Configuration 6.7 Guide

341
341
342
343
343
343
344
344
345
345
346
346
346
346
347
347
347
347
348
348
348
348
349
349
350
350
351
352
352
352
353
353
354
354
355
355
356
356
357
358
360
361
361
362
363
364
365
366
367
367
367
367
369
370
371
372

11

Table of Contents

Creating BOCS caching jobs ........................................................................


Setting BOCS caching rules .....................................................................
Creating job sequences ................................................................................
Providing repository and job information for a job sequence .....................
Selecting jobs for a job sequence ..............................................................
Setting dependencies for a job sequence ...................................................
Running jobs ..............................................................................................
Viewing the status of a running job ..............................................................
Viewing job reports ....................................................................................
Setting the trace level for a job .....................................................................
Viewing job trace logs .................................................................................
Deleting jobs ..............................................................................................
Deactivating jobs that fail ............................................................................

373
373
375
376
377
378
378
379
379
379
380
380
380

Chapter 14

Alias Sets ..................................................................................................


Alias sets and aliases.......................................................................................
Creating or modifying alias sets.......................................................................
Viewing or removing aliases ...........................................................................
Deleting alias sets ...........................................................................................

383
383
383
384
385

Chapter 15

Formats .....................................................................................................
Formats .........................................................................................................
Viewing, creating, or modifying formats ..........................................................
Deleting formats .............................................................................................

387
387
387
389

Chapter 16

Types .........................................................................................................
Object type categories and properties ...............................................................
Type categories...........................................................................................
Lightweight object types .............................................................................
Type properties ..........................................................................................
Managing types ..............................................................................................
Creating or modifying types ............................................................................
Selecting a type ..............................................................................................
Deleting types ................................................................................................
Viewing assignment policies ...........................................................................
Converting types to shareable object types .......................................................
Converting types to lightweight object types ....................................................
Converting types to shareable and lightweight object types ...............................

391
391
391
392
392
392
393
397
397
398
398
399
400

Chapter 17

Storage Management ................................................................................


Storage management areas ..............................................................................
Storage ..........................................................................................................
File stores ...................................................................................................
Creating, viewing, or modifying file stores ...............................................
Linked stores..............................................................................................
Creating, viewing, or modifying linked stores ..........................................
Blob stores .................................................................................................
Creating, viewing, or modifying blob stores .............................................
Distributed stores .......................................................................................
Creating, viewing, or modifying distributed stores ...................................
External stores ............................................................................................
Creating, viewing, or modifying external stores ........................................

401
401
401
403
404
407
407
408
408
410
410
412
412

12

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Chapter 18

Editing a server root location ...................................................................


EMC Centera stores ....................................................................................
Creating, viewing, or modifying EMC Centera stores ................................
Defining the storage parameters for an EMC Centera store ........................
Defining EMC Centera store content attributes .........................................
NetApp SnapLock stores.............................................................................
Creating, viewing, or modifying NetApp SnapLock stores ........................
Atmos stores ..............................................................................................
Creating, viewing, or modifying Atmos stores ..........................................
Mount points .............................................................................................
Creating or modifying mount points ........................................................
Locations ...................................................................................................
Creating or modifying locations ..............................................................
Plug-ins .....................................................................................................
Creating or modifying plug-ins ...............................................................
Deleting storage areas, locations, mount points, and plug-ins ........................
Setting or updating a retention date or retention period ...............................
Assignment policies ........................................................................................
Viewing a list of assignment policies ............................................................
Creating, viewing, or modifying assignment policies ....................................
Modifying the permissions of an assignment policy ......................................
Custom assignment policy rule examples .....................................................
Associating an assignment policy with an object type ...................................
Deleting assignment policies .......................................................................
Migration policies ...........................................................................................
Creating, viewing, or modifying migration policies ......................................
Configuring a migration policy schedule ..................................................
Configuring migration policy rules ..........................................................
Configuring migration policy SysObject information ....................................
Viewing migration policy job reports ...........................................................
Deleting migration policies .........................................................................
Orphaned content objects and files ..................................................................
The dmclean utility .....................................................................................
Removing orphaned content from retention type storage areas ..................
Running dmclean with an EXECUTE statement ........................................
Running dmclean from the operating system prompt ...............................
The dmfilescan utility .................................................................................
Running dmfilescan using an EXECUTE statement ...................................
Running dmfilescan from the operating system prompt ............................
The generated script ...............................................................................
Executing the dmfilescan script ...............................................................

414
415
415
417
419
420
420
422
423
423
423
425
425
426
426
427
428
429
430
431
432
433
433
434
434
434
435
436
438
438
439
439
440
441
441
441
442
443
444
444
444

Content Delivery ........................................................................................


Content delivery services ................................................................................
Locating content delivery configurations ..........................................................
Creating or modifying content delivery configurations .....................................
Configuring the advanced properties of a content delivery configuration ............
Configuring replication properties for a content delivery configuration ..............
Configuring extra arguments for a content delivery configuration .....................
Deleting content delivery configurations ..........................................................
Testing content delivery configurations ............................................................
Duplicating a content delivery configuration ....................................................
Deactivating a content delivery configuration ...................................................
Publishing objects ...........................................................................................

447
447
448
449
451
456
457
471
471
472
472
473

EMC Documentum Content Server Administration and Configuration 6.7 Guide

13

Table of Contents

Content delivery configuration results .............................................................


Content delivery logs ......................................................................................
Viewing content delivery logs .....................................................................
Deleting content delivery logs .....................................................................
Effective labels ...............................................................................................

474
475
475
475
476

Chapter 19

Indexing Management ...............................................................................


Indexing ........................................................................................................
Index agents and xPlore ..................................................................................
Starting and stopping index agents ..................................................................
Disabling index agents ....................................................................................
Enabling index agents .....................................................................................
Verifying indexing actions ...............................................................................
Viewing or modifying index agent properties ...................................................
Managing index queue items ...........................................................................
Resubmitting individual objects ..................................................................
Resubmitting all failed queue items .............................................................
Removing queue items by status .................................................................
Removing queue items................................................................................
Viewing queue items associated with an object .............................................
Creating a new indexing queue item ............................................................

477
477
477
478
478
479
479
479
480
481
481
481
482
482
482

Chapter 20

Content Transformation Services Management ........................................


Content Transformation Services .....................................................................
Changing the CTS user ...................................................................................
Configuring a CTS instance .............................................................................
Changing the polling interval ......................................................................
Changing the logging level ..........................................................................
Changing the System Operator ....................................................................
Changing the notification setting .................................................................
Changing the maximum number of queue items ..........................................
Changing the queue item expiry ..................................................................
Viewing a CTS log file .....................................................................................
Viewing details of a CTS instance ....................................................................
Controlling your CTS instance .........................................................................
Stopping the CTS service.............................................................................
Starting the CTS service ..............................................................................
Refreshing the CTS service ..........................................................................
CTS reporting .................................................................................................
Configuring CTS reporting ..........................................................................
Viewing archived CTS reporting data ..........................................................

485
485
485
486
486
487
487
488
488
488
489
489
490
490
491
491
492
492
493

Chapter 21

Content Intelligence Services ....................................................................


Content Intelligence Services ...........................................................................
Providing evidence .....................................................................................
About confidence values and score thresholds ..........................................
About stemming and phrase order ..........................................................
Setting the language used for the stemming .........................................
Activating the stemming .....................................................................
Retaining the phrase order ..................................................................
About category links ...............................................................................
Setting up Content Intelligence Services ...........................................................

495
495
496
496
497
497
498
498
498
499

14

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Enabling Content Intelligence Services .............................................................


Missing Content Intelligence node ...................................................................
Modifying Content Intelligence Services configuration......................................
Building taxonomies .......................................................................................
Setting permissions for Content Intelligence .................................................
Defining category classes ............................................................................
Defining taxonomies ...................................................................................
Creating subtypes for a taxonomy or for a category ......................................
Creating custom tab for the subtype.........................................................
Creating subtype instances ......................................................................
Defining categories .....................................................................................
Displaying object titles ............................................................................
Setting category rules..............................................................................
Defining property rules ...........................................................................
Displaying attributes in Property rules .....................................................
Defining simple evidence terms ...............................................................
Managing taxonomies .................................................................................
Making taxonomies available ..................................................................
Synchronizing taxonomies ......................................................................
Deleting taxonomies ...............................................................................
Processing documents.....................................................................................
Test processing and production processing...................................................
Defining document sets...............................................................................
Submitting documents to CIS server ............................................................
Assigning a document manually .................................................................
Reviewing categorized documents...............................................................
Clearing assignments ..............................................................................
Refining category definitions ...........................................................................
Using compound terms ...............................................................................
Selecting terms ...........................................................................................
Using common words as evidence terms ..................................................
Modifying category and taxonomy properties ..............................................
Defining compound evidence terms.............................................................

499
500
501
502
502
503
505
507
507
509
511
513
514
515
517
518
519
519
520
521
521
521
522
524
525
525
526
527
528
529
529
529
530

Chapter 22

Resource Management ..............................................................................


Understanding Resource Management.............................................................
Managing resource agents ...............................................................................
Adding resource agents or modifying agent properties .................................
Adding resource agents ..............................................................................
Viewing or modifying resource agent properties ..........................................
Resource agent authentication failure ..........................................................
Deleting resource agents .............................................................................
Managing resource properties .........................................................................
Managing general information for resources ................................................
Managing resource attributes ......................................................................
Managing resource operations .....................................................................
Starting operations .................................................................................
Viewing resource notifications .....................................................................
Viewing the Notification page .................................................................
Viewing resource logs .................................................................................
Monitoring resources ..................................................................................
Manual configuration steps for monitoring resources ................................

533
533
533
534
534
535
535
535
536
537
537
538
539
539
540
540
541
542

Chapter 23

Cabinets, Files, and Virtual Documents .....................................................


Managing cabinets, folders and files ................................................................

545
545

EMC Documentum Content Server Administration and Configuration 6.7 Guide

15

Table of Contents

Home cabinets................................................................................................
Creating cabinets ............................................................................................
Creating folders ..............................................................................................
Creating files ..................................................................................................
Creating a form ..............................................................................................
Working with files ..........................................................................................
Checking out files .......................................................................................
Checking in files .........................................................................................
Viewing checked-out files ...........................................................................
Canceling checkout .....................................................................................
Versioning..................................................................................................
Moving files ...............................................................................................
Copying files ..............................................................................................
Viewing files in read-only mode ..................................................................
Importing folders and files .........................................................................
Exporting folders and files ..........................................................................
Linking cabinets, folders, or files..................................................................
Viewing all linked locations for an item ...................................................
Bookmarking a document or folder .........................................................
Sending a link in an email message ..........................................................
Viewing the clipboard .................................................................................
Deleting cabinets, folders, or files.....................................................................
Managing subscriptions ..................................................................................
Enabling change notifications ..........................................................................
Managing relationships...................................................................................
Renditions and transformations .......................................................................
Viewing file renditions ................................................................................
Importing a rendition .................................................................................
Setting a default rendition for an object ........................................................
Transforming a document to PDF or HTML format.......................................
Enabling inbox notification..........................................................................
Configuring PDF Annotation Service ...............................................................
Virtual documents ..........................................................................................
Creating a virtual document ........................................................................
Viewing the structure of a virtual document .................................................
Viewing virtual document content ...............................................................
Setting a version label for a virtual document ...............................................
Creating a virtual document archive ............................................................
Converting a virtual document to a simple document ...................................
Setting virtual document preferences ...........................................................

546
546
547
548
549
549
549
550
551
552
552
553
553
553
554
555
555
557
557
557
557
558
558
558
559
559
560
560
560
561
561
561
562
562
562
563
563
563
564
564

Chapter 24

API and DQL ..............................................................................................


API and DQL .................................................................................................
DQL Editor ....................................................................................................
API Tester ......................................................................................................

567
567
567
568

Chapter 25

Search .......................................................................................................
Searches .........................................................................................................
Setting search preferences ...............................................................................
Search guidelines............................................................................................
Running a simple search .................................................................................
Further define search terms .........................................................................

571
571
571
572
573
573

16

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Running an advanced search ...........................................................................


Entering values for an advanced search ........................................................
Viewing search results ....................................................................................
Smart navigation ........................................................................................
Monitoring search results in real time ..........................................................
Saving search results from external sources ..................................................
Additional configuration options .....................................................................
Saved searches ...............................................................................................
Saving a search ...........................................................................................
Running a saved search ..............................................................................
Editing a saved search ................................................................................
Creating a search template ..............................................................................

576
576
579
580
580
581
582
583
583
584
584
584

Chapter 26

Inbox .........................................................................................................
Inboxes ..........................................................................................................
Opening a task or notification ..........................................................................
Performing a task ...........................................................................................
Completing a task...........................................................................................
Accepting a group task ...................................................................................
Rejecting a task ...............................................................................................
Delegating a task ............................................................................................
Repeating a task .............................................................................................
Changing availability for tasks ........................................................................
Work queue tasks ...........................................................................................

587
587
587
588
588
589
589
590
590
590
591

Chapter 27

Workflows, Workqueues, and Lifecycles ...................................................


Workflows .....................................................................................................
Starting a workflow ....................................................................................
Sending a quickflow ...................................................................................
Viewing workflows ....................................................................................
Pausing a workflow ....................................................................................
Resuming a paused workflow .....................................................................
Stopping a workflow ..................................................................................
Emailing the workflow supervisor or a workflow performer .........................
Process a failed task in a workflow ..............................................................
Changing the workflow supervisor ..............................................................
Saving workflow information as a Microsoft Excel spreadsheet .....................
Viewing aggregated report for workflow performance ..................................
Creating a workflow template .....................................................................
The workflow agent ....................................................................................
Changing the number of worker sessions .................................................
Changing the sleep interval .....................................................................
Changing the system shutdown timeout ..................................................
Enabling immediate processing of automatic activities ..............................
Tracing the workflow agent .....................................................................
Disabling the workflow agent ..................................................................
Work queue management ...............................................................................
Setting up a new work queue ......................................................................
Setting up work assignment matching .........................................................
Setting up skill profiles in the process template.........................................
Defining work assignment matching filters ..............................................
Adding work assignment matching filters to a work queue .......................
Work queue policies ...................................................................................

593
593
593
595
595
596
596
596
597
597
597
598
598
599
599
599
599
599
600
600
601
601
602
602
603
603
604
605

EMC Documentum Content Server Administration and Configuration 6.7 Guide

17

Table of Contents

Priorities of tasks ....................................................................................


Set dynamic priority and aging logic for tasks ......................................
Creating or modify a queue policy ...........................................................
Defining a queue category ...........................................................................
Defining a work queue ................................................................................
Defining work queue override policies .........................................................
Managing work queue users .......................................................................
Adding a user or group to a work queue ..................................................
Removing a user or group from a work queue ..........................................
Adding skills to work assignment processor profiles ................................
Updating the processor profile in a work queue ........................................
Monitoring work queues .............................................................................
Assigning a work queue task to a specific user..........................................
Unassigning a work queue task from a user .............................................
Moving a work queue task to another work queue ....................................
Suspending a work queue task ................................................................
Unsuspending a work queue task ............................................................
Enabling users to select tasks from the queue ...........................................
Creating business calendars ........................................................................
Lifecycles .......................................................................................................
Assigning a lifecycle to a file........................................................................
Removing a lifecycle from a file ...................................................................
Promoting a file to the next lifecycle state .....................................................
Demoting a file to its previous lifecycle state ................................................
Suspending a file from its current lifecycle state ............................................
Resuming a suspended file ..........................................................................

605
606
606
608
608
610
610
611
612
612
614
615
616
616
617
617
617
618
618
620
620
620
620
621
621
621

Chapter 28

My Documentum for Microsoft Outlook Administration ............................


MyDocumentum for Microsoft Outlook ...........................................................
Overview page ...............................................................................................
Profiles ..........................................................................................................
Creating profiles .........................................................................................
The Info tab ................................................................................................
The Target tab ............................................................................................
The Import tab ...........................................................................................
The Permissions tab ....................................................................................
Modifying a profile .....................................................................................
Deleting profiles .........................................................................................
Client Setup ...................................................................................................

623
623
624
625
625
626
626
626
628
628
628
629

Chapter 29

Content Services for SAP Web Administrator ...........................................


SAP Web Administrator ..................................................................................
Configuring Connections to SAP .....................................................................
Creating, viewing, and editing connections to an SAP server .........................
Creating, viewing, and editing an SAP user ..................................................
Configuring HTTP Archiving Services .............................................................
Configuring, viewing, and editing archives ..................................................
Configuring HTTP certificates for archive linking .........................................
Configuring HTTP repositories for archive linking........................................
The Agent Component ....................................................................................
Using Auto Manage to execute CS SAP actions .............................................
Creating, viewing, and editing an Agent ..................................................
Registering an HVP worker .....................................................................
Creating, viewing, and editing SAP jobs...................................................
Performing job maintenance ....................................................................

631
631
632
632
633
633
634
635
636
636
637
637
638
638
640

18

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

SAP queries................................................................................................
Documentum queries .............................................................................
Creating, viewing, and editing a Documentum query ...........................
Checking the integrity of linked documents .................................................
Configuring the Manage and View Components...............................................
Configuring the Manage component ............................................................
Configuring the View component ................................................................

640
642
642
642
643
644
645

Appendix A

System Events ..........................................................................................


dm_default_set event ......................................................................................
DFC events ....................................................................................................
Workflow events ............................................................................................
Lifecycle events ..............................................................................................
Events sent to the fulltext user .........................................................................

647
647
648
652
655
655

Appendix B

Populating and Publishing the Data Dictionary .........................................


Populating the data dictionary.........................................................................
Data dictionary population script ....................................................................
The initialization file ...................................................................................
The data files ..............................................................................................
File structure ..........................................................................................
Summary of settable data dictionary properties ........................................
Setting foreign keys ................................................................................
Examples of data file entries ....................................................................
Executing the script ....................................................................................
Populating a Japanese locale on a Korean host or a Korean locale
on a Japanese host ......................................................................................
Default files provided by EMC Documentum ...............................................
Using DQL statements ................................................................................
Publishing the data dictionary information ......................................................
The data dictionary publisher job ................................................................
The publishDataDictionary method .............................................................
The PUBLISH key phrase ............................................................................

657
657
658
658
658
659
660
664
664
667

Appendix C

High-Availability Support Scripts ..............................................................


Monitoring scripts ..........................................................................................
Processes not requiring a script .......................................................................

671
671
673

Appendix D

Consistency Checks ..................................................................................


General information .......................................................................................
User and group checks ....................................................................................
ACL checks ....................................................................................................
SysObject checks ............................................................................................
Folder and cabinet checks ...............................................................................
Document checks ...........................................................................................
Content object checks ......................................................................................
Workflow checks ............................................................................................
Object type checks ..........................................................................................
Data dictionary checks ....................................................................................
Lifecycle checks ..............................................................................................

675
675
676
676
678
678
679
679
680
681
681
682

EMC Documentum Content Server Administration and Configuration 6.7 Guide

668
668
668
669
669
669
670

19

Table of Contents

Object type index checks .................................................................................


Method object consistency checks ....................................................................

682
683

Appendix E

Plug-in Library Functions for External Stores ...........................................


General recommendations ..............................................................................
dm_close_all ..................................................................................................
dm_close_content ...........................................................................................
dm_deinit_content ..........................................................................................
dm_init_content .............................................................................................
dm_open_content ...........................................................................................
dm_plugin_version.........................................................................................
dm_read_content ............................................................................................

685
685
686
686
686
686
687
688
689

Appendix F

AMP and Usage Tracking ..........................................................................


Asset management and planning tool ..............................................................
Connecting to AMP ........................................................................................
Required information .................................................................................
Configuring AMP to collect usage information .............................................
Usage Tracking ...............................................................................................
Tracking internal user accounts ...................................................................
Tracking unique users .................................................................................
Tracking login times ...................................................................................
Usage tracking and software compliance ......................................................

691
691
691
691
692
692
693
693
693
694

20

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

List of Figures

Figure 1.
Figure 2.
Figure 3.
Figure 4.
Figure 5.
Figure 6.
Figure 7.
Figure 8.
Figure 9.
Figure 10.
Figure 11.

System Information page ......................................................................................


New BOCS Server Configuration - Security page ..................................................
Privileged Clients page .......................................................................................
Default signature template ..................................................................................
Real-time results in the search monitor screen ......................................................
Client for Outlook node location in Documentum Administrator ...........................
The My Documentum for Microsoft Outlook Overview panel in
Documentum Administrator ...........................................................................
The Client Setup page .........................................................................................
Content Services for SAP in Documentum Administrator......................................
Agent services ....................................................................................................
Integrity checking ...............................................................................................

EMC Documentum Content Server Administration and Configuration 6.7 Guide

34
174
232
246
581
624
625
629
631
637
643

21

Table of Contents

List of Tables

Table 1.
Table 2.
Table 3.
Table 4.
Table 5.
Table 6.
Table 7.
Table 8.
Table 9.
Table 10.
Table 11.
Table 12.
Table 13.
Table 14.
Table 15.
Table 16.
Table 17.
Table 18.
Table 19.
Table 20.
Table 21.
Table 22.
Table 23.
Table 24.
Table 25.
Table 26.
Table 27.
Table 28.
Table 29.
Table 30.
Table 31.
Table 32.
Table 33.
Table 34.
Table 35.
Table 36.

22

System Information page ......................................................................................


EMC Documentum tool suite ................................................................................
Server configuration object information .................................................................
Server Configuration properties tabs ......................................................................
General server configuration properties .................................................................
Projection target information .................................................................................
Application server properties ................................................................................
Locations page properties .....................................................................................
Locale-based configuration settings by host machine locale .....................................
Keys in the SERVER_STARTUP section ..................................................................
Content Server directory and file permissions on UNIX platforms ...........................
Server.ini DOCBROKER_PROJECTION_TARGET keys ..........................................
Server.ini FUNCTION_SPECIFIC_STORAGE keys .................................................
Server.ini TYPE_SPECIFIC_STORAGE keys ...........................................................
Server.ini FUNCTION_EXTENT_SIZE keys ...........................................................
Server.ini TYPE_EXTENT_SIZE keys .....................................................................
Information on Repository page ............................................................................
Repository Configuration Properties ......................................................................
Synchronization properties .................................................................................
Default users created during repository conguration ...........................................
Default groups created during repository conguration ........................................
Federation properties ..........................................................................................
Java method server information ...........................................................................
JMS configuration information ............................................................................
Associated Content Servers information ...............................................................
Active Java method server information ................................................................
LDAP Server Configuration page properties ........................................................
LDAP Server Configuration Properties properties ................................................
LDAP Server Sync & Authentication properties ....................................................
LDAP Server mapping properties ........................................................................
LDAP Server failover properties ..........................................................................
Netscape iPlanet, Oracle Internet Directory Server, and Microsoft Active
Directory example ..........................................................................................
Secondary LDAP Server page properties ..............................................................
Network location properties ................................................................................
ACS Server Configurations..................................................................................
ACS Server Configuration properties ...................................................................

34
36
54
56
57
63
65
66
69
72
83
84
84
85
85
86
94
95
100
102
102
127
136
137
138
139
144
146
148
149
151
152
154
162
165
167

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Table 37.
Table 38.
Table 39.
Table 40.
Table 41.
Table 42.
Table 43.
Table 44.
Table 45.
Table 46.
Table 47.
Table 48.
Table 49.
Table 50.
Table 51.
Table 52.
Table 53.
Table 54.
Table 55.
Table 56.
Table 57.
Table 58.
Table 59.
Table 60.
Table 61.
Table 62.
Table 63.
Table 64.
Table 65.
Table 66.
Table 67.
Table 68.
Table 69.
Table 70.
Table 71.
Table 72.
Table 73.
Table 74.
Table 75.
Table 76.
Table 77.
Table 78.
Table 79.

ACS Projections & Stores properties.....................................................................


ACS Connection Broker Projections properties .....................................................
BOCS server properties .......................................................................................
BOCS server security properties ..........................................................................
Users, groups, roles, and sessions ........................................................................
User search filters ...............................................................................................
User properties ...................................................................................................
Import user properties ........................................................................................
Default values for new users ...............................................................................
Privileges for creating or modifying groups..........................................................
Privileged groups ...............................................................................................
Group properties ................................................................................................
Role properties ...................................................................................................
Module role properties .......................................................................................
Session information ............................................................................................
Basic permissions ...............................................................................................
Extended permissions ........................................................................................
Permissions required under folder security ..........................................................
Additional access control entries..........................................................................
Permissions Sets page .........................................................................................
Permission set properties ....................................................................................
Permission properties .........................................................................................
Member repository properties .............................................................................
Privileged Clients page information ....................................................................
Privileged client properties .................................................................................
Administrator access set properties......................................................................
RSA plug-in modules ..........................................................................................
CA SiteMinder plug-in files .................................................................................
Password files encrypted by default .....................................................................
Configuration parameters in esign.properties file..................................................
Parameters passed by the addESignature method .................................................
Interaction of dm_crypto_change_passphrase arguments ......................................
Server start-up trace options ................................................................................
Trace level severity values ...................................................................................
Valid facilities for setServerTraceLevel .................................................................
Logging appender configuration options..............................................................
Valid values for the dfc.tracing.file_creation_mode key .........................................
Valid values for dfc.tracing.timing_style...............................................................
Log entry components ........................................................................................
Events audited by the dm_default_event ..............................................................
Object auditing properties ...................................................................................
Object instance auditing properties ......................................................................
Audit search properties.......................................................................................

EMC Documentum Content Server Administration and Configuration 6.7 Guide

168
170
172
174
179
181
182
187
190
195
196
198
202
205
208
211
212
214
215
217
218
219
230
232
233
236
239
239
242
247
247
255
262
263
263
266
267
268
272
278
279
281
283

23

Table of Contents

Table 80.
Table 81.
Table 82.
Table 83.
Table 84.
Table 85.
Table 86.
Table 87.
Table 88.
Table 89.
Table 90.
Table 91.
Table 92.
Table 93.
Table 94.
Table 95.
Table 96.
Table 97.
Table 98.
Table 99.
Table 100.
Table 101.
Table 102.
Table 103.
Table 104.
Table 105.
Table 106.
Table 107.
Table 108.
Table 109.
Table 110.
Table 111.
Table 112.
Table 113.
Table 114.
Table 115.
Table 116.
Table 117.
Table 118.
Table 119.
Table 120.
Table 121.
Table 122.

24

Audit Policies page information ..........................................................................


Audit policy information ....................................................................................
Audit policy example values ...............................................................................
Object and object instance auditing properties ......................................................
Usage of generic properties by API events ............................................................
Usage of generic properties by lifecycle events .....................................................
Usage of generic properties by workflow events ...................................................
Method Info tab properties ..................................................................................
SysObject Info tab properties ...............................................................................
Parameters for moving a single object ..................................................................
Parameters for moving all content in a store .........................................................
Parameters for moving content selected by a query ...............................................
GENERATE_PARTITION_SCHEME_SQL parameters ..........................................
dm_AuditMgt arguments ...................................................................................
Logs deleted by log purge job ..............................................................................
Job Info properties ..............................................................................................
Job Schedule properties.......................................................................................
Job method properties.........................................................................................
SysObject properties ...........................................................................................
Replication options ............................................................................................
Security mode behavior ......................................................................................
Caching rules properties .....................................................................................
Job Connection Info properties ............................................................................
Alias set properties .............................................................................................
Format properties ...............................................................................................
Type properties ..................................................................................................
Repository storage objects ...................................................................................
File store properties ............................................................................................
Linked store properties .......................................................................................
Blob store properties ...........................................................................................
Distributed store properties.................................................................................
External store properties .....................................................................................
EMC Centera store properties..............................................................................
NetApp SnapLock store properties ......................................................................
Atmos store properties ........................................................................................
Mount point properties .......................................................................................
Location object properties ...................................................................................
Plug-in properties ...............................................................................................
Assignment policy properties ..............................................................................
Migration policy Info tab properties.....................................................................
Migration policy Schedule tab properties .............................................................
Migration policy Rules tab properties ..................................................................
Migration policy SysObject tab properties ............................................................

284
285
285
286
288
293
293
304
306
319
321
322
329
344
350
356
358
360
361
365
368
374
376
384
388
394
402
404
408
409
410
413
416
421
423
424
425
427
431
435
436
436
438

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Table of Contents

Table 123.
Table 124.
Table 125.
Table 126.
Table 127.
Table 128.
Table 129.
Table 130.
Table 131.
Table 132.
Table 133.
Table 134.
Table 135.
Table 136.
Table 137.
Table 138.
Table 139.
Table 140.
Table 141.
Table 142.
Table 143.
Table 144.
Table 145.
Table 146.
Table 147.
Table 148.
Table 149.
Table 150.
Table 151.
Table 152.
Table 153.
Table 154.
Table 155.
Table 156.
Table 157.
Table 158.
Table 159.
Table 160.
Table 161.
Table 162.
Table 163.
Table 164.
Table 165.

dmclean arguments ............................................................................................


dmfilescan utility arguments ...............................................................................
Content delivery configuration information .........................................................
Content delivery properties .................................................................................
Advanced properties for content delivery ............................................................
Content delivery replication properties ................................................................
Extra arguments .................................................................................................
Using effective labels ..........................................................................................
Date formats for property rules ...........................................................................
Start Operation page properties ...........................................................................
Fields on the Notification page ............................................................................
Permissions tab for cabinets, folders, and files ......................................................
Info tab for documents ........................................................................................
Checkin information ...........................................................................................
Properties for imported files ................................................................................
Virtual document preferences ..............................................................................
Further define search terms .................................................................................
Common properties in an advanced search ..........................................................
Select a property-to-value relationship .................................................................
User roles for work queues ..................................................................................
Import properties ...............................................................................................
Effect of changing availability of MyD Outlook profile to disabled .........................
Configuration options for clients .........................................................................
Archive properties .............................................................................................
Query types .......................................................................................................
Content Services Manage Type Defaults properties ...............................................
Content Services View properties ........................................................................
dm_default_set events ........................................................................................
DFC events ........................................................................................................
Workflow events ................................................................................................
Lifecycle events ..................................................................................................
Codepages for the data dictionary files provided with Content Server....................
Settable data dictionary properties using population script ...................................
Monitoring Scripts ..............................................................................................
Consistency checks for users and groups ..............................................................
Consistency checks for ACLs ..............................................................................
Consistency checks for SysObjects ......................................................................
Consistency checks for folders and cabinets .........................................................
Consistency checks for documents .......................................................................
Consistency checks for content objects .................................................................
Consistency checks for workflows .......................................................................
Consistency checks for object types .....................................................................
Consistency checks for the data dictionary ..........................................................

EMC Documentum Content Server Administration and Configuration 6.7 Guide

440
442
448
450
452
456
458
476
516
539
540
546
548
550
554
564
573
577
578
601
627
628
629
634
641
644
645
647
648
652
655
659
660
671
676
677
678
678
679
680
680
681
681

25

Table of Contents

Table 166.
Table 167.
Table 168.
Table 169.
Table 170.
Table 171.
Table 172.
Table 173.
Table 174.

26

Consistency checks for lifecycles ..........................................................................


Consistency checks for object type indexes ..........................................................
Consistency checks for method objects .................................................................
dm_close_all arguments ......................................................................................
dm_close_content arguments ..............................................................................
dm_init_content arguments .................................................................................
dm_open_content arguments ..............................................................................
dm_plugin_version arguments ............................................................................
dm_read_content arguments ...............................................................................

682
683
683
686
686
687
687
688
689

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Preface

This guide describes how to configure and administer Content Server. This manual contains
administration and configuration information, instructions, and procedures for a general
Documentum installation.

Intended audience
This manual is written for system and repository administrators. The system administrator is the
person who generally installs and owns the Documentum installation. Repository administrators
are the users who own and are responsible for one or more repositories. Readers should be familiar
with the general principles of client/server architecture and networking. In addition, they should
know and understand the Windows and UNIX operating systems.

Typographical conventions
The following typographical conventions are used in this guide.
Syntax conventions

Convention

Identifies

bold

Boldface type indicates graphical user interface elements


associated with an action, key names, or terms defined in
text or the glossary.
Example: From the File menu, select Open.

Italic

Italic type indicates book titles or emphasis in text.


Example: The Documentum Content Server Installation Guide
provides information on installation instructions.
Italic type also indicates user input variables for which you
supply particular values, or variables in command strings.
Example: All file names have the format <template_name>.xfm.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

27

Preface

Convention
Courier

Identifies
Courier type indicates commands within a paragraph, code
in examples, syntax examples, system output, filenames and
path names (if shown on separate line), or text that you enter.

[ ] square brackets

Square brackets indicate an optional argument that can be


included only once.

{ } curly braces

Curly braces indicates an optional argument that can be


included multiple times.

Related documentation
This guide provides instructions for tasks that affect a single repository. The following sources
provide additional information:
Documentum Content Server DQL Reference Manual
This manual is the reference manual for Document Query Language (DQL), supported by
Documentum Content Server.
Documentum Content Server Fundamentals
This guide describes the basic features of the Content Server and the repository. It explains the
data model, session and transaction management, content management, and the behavior and
implementation of features such as workflows and lifecycles.
Documentum Content Server Full-Text Indexing System Installation and Administration Guide
This guide describes the possible full-text configurations and how to install and maintain them.
Documentum Content Server Installation Guide
This guide provides information about installing Content Server.
Documentum Distributed Configuration Guide
This guide provides instructions for tasks that affect federations or distributed storage areas.
Documentum Media Transformation Services Installation Guide
This guide describes how to install Documentum Media Transformation Server and Services for
Windows.
Documentum System Object Reference Manual
This manual provides detailed information about Documentum objects.
Go to the Documentation area of the Powerlink website (http://Powerlink.EMC.com) to download
product documentation, white papers, or participate in the technical publications customer survey.
To locate product documentation, select Support > Documentation and White Papers Library,
and then select your product.
You must register online at Powerlink before you use it.

28

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Preface

Support information
Documentum technical support services are designed to make your deployment and management
of Documentum products as effective as possible. The Customer Guide to EMC Software Support
Services provides a thorough explanation of Documentum support services and policies. You can
download this document from the Powerlink website: http://powerlink.EMC.com.

Revision History
The following changes have been made to this document:
Revision history

Revision date

Description

April 2011

Initial publication for this release.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

29

Preface

30

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 1
Administration and Configuration Tools

This chapter contains the following topics:


Introduction, page 31
Documentum Administrator, page 32
Content Server Manager, page 36

Introduction
A Documentum installation typically consists of one or more repositories, Content Servers that access
the repositories, and clients that access the repositories through the Content Servers.
Content Server software manages the repository and provides content management capabilities. The
repository consists of three main components: a file store containing the content assets, attribute
tables within a relational database, and full-text indexes.
After Content Server is installed and running, typical system administration and configuration
tasks include:
Creating new repositories and maintaining existing repositories, including object types, methods,
jobs, and alias sets
Configuring, starting, and shutting down servers
Maintaining connection brokers
Managing content storage areas and content files
Administering full-text indexes
Managing users and groups
Managing security
Changing session configurations
The two main tools for administering and configuring Content Server are Documentum
Administrator and Content Server Manager. Documentum Administrator is sold separately. It
is not included with Content Server.
Most the administration and configuration tasks are typically done using Documentum
Administrator. Some tasks have to be performed using Content Server Manager or the command line.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

31

Administration and Configuration Tools

This manual provides instructions for administration and configuration tasks using Documentum
Administrator, unless a task can only be accomplished using Content Server Manager or the
command line. In that case, the instructions are provided using Content Server Manager or the
command line, respectively.

Documentum Administrator
Documentum Administrator is the primary user interface for administration tasks. Documentum
Administrator is a web-based interface for monitoring, administering, configuring, and maintaining
Documentum repositories from any system running a web browser.
For URL and login information, refer to Logging in to Documentum Administrator, page 32.
For information about installing Documentum Administrator, refer to the Documentum Administrator
Deployment Guide.

Logging in to Documentum Administrator


Before you connect, obtain the URL to the instance, which includes the name of the host where
Documentum Administrator is running and the port number on which Documentum Administrator
listens.
By default, a new Documentum Administrator installation only contains one user account with the
user name and password of the installation owner. The installation owner account has superuser
privileges. We strongly recommend adding at least one administrator account with system
administrator privileges. The system administrator is typically the user who is responsible for
configuring repositories, additional users, servers, and services.

To log in to Documentum Administrator:


1.

Start a web browser on a client machine.

2.

Connect to the following URL, where host is the host where Documentum Administrator is
installed and portnumber is a port number provided during application server installation:
http://host:portnumber/da/

3.

32

On the Documentum Administrator Login page, enter the following information:


Field

Description

Login Name

Your login name.

Password

Your login password.

Repository

Select a repository from the list. If you change the repository, retype
your password.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Administration and Configuration Tools

Field

Description

Locations

In the Location list (if available), select the location on the network
from which you are accessing Documentum Administrator.
The location allows you to access content from the nearest storage
area in the network. Depending on your organization, this location
can be a fixed value.

Remember my
credentials

Select to have the system remember your credentials, so you do not


have to type them again the next time you log in.

More options
Domain

If the repository is running in domain-required mode, type the


domain name.

Language

To set the session locale to another language, select the language


from the drop-down list.

Server

To connect to the repository using a particular server, select that


server from the Server list box.
The default is Any Running Server.

Additional Accessibility
Options

Select Additional Accessibility Options on the login page to enable


the accessibility options.

Change Password

To change your password in a repository, click Change Password,


select a repository, and type your old and new passwords, then click
Change Password.
If LDAP user authentication is used, you cannot change your
password from this page. A system administrator must change your
password on the LDAP server.
If you use Content Intelligence Services, click the Content
Intelligence Configure link to change and validate your password
on the CIS Configuration page.

4.

Click Login.
The System Information page appears with information about the system. For more information
about the System Information page, refer to The System Information page, page 33.

The System Information page


The System Information page is the first page you see after you start Documentum Administrator.
The page displays general information about the repository and host to which you are connected.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

33

Administration and Configuration Tools

Figure 1. System Information page

The following table describes the information on the System Information page.
Table 1. System Information page

Field

Description

User

The user name under which you are connected.

Licensing

Click Configure to enable product licenses for:


Collaboration Edition
Federated Record Services
Physical Records Management
Records Manager
Retention Policy Services

Repository
Repository

The repository to which you are connected.

Federation

The federation to which the current repository belongs, if any.

Global Repository

The name of the global repository.

Content Storage Service

Indicates whether Content Storage Services is enabled.

Content Intelligence

Indicates whether Content Intelligence Services is enabled. If


Content Intelligence Service is enabled, click Configure to access the
Configuration for Content Intelligence page.

34

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Administration and Configuration Tools

Field

Description

Content Server
Content Server

The Content Server to which you are connected.

Server Version

The Content Server version and platform.

Trusted Mode

Indicates whether Trusted Content Services is enabled in the


repository to which you are connected.

Hostname

The host name of the Content Server to which you are connected.

Connection Broker

The connection broker Content Server uses to connect to the


repository.

Distributed Content
Network Locations

The number of network locations associated with the repository.

BOCS Servers

The number of BOCS servers associated with the repository.

ACS Read

Indicates if users can read content in the repository through the ACS.

Messaging

Indicates whether the messaging server is enabled.

ACS Server

The name of the ACS server.

ACS Write

Indicates if users can write content to the repository through the


ACS and whether the write is synchronous or asynchronous.

BOCS Pre-caching

Indicates if the repository is enabled to process pre-caching requests.

LDAP Servers
Enabled Servers

The number of enabled LDAP servers.

Disabled Servers

The number of disabled LDAP server.

Last Sync

The time and date the Content Server and LDAP servers were last
synchronized.

Determining the Documentum Administrator version


From the System Information page, select File > About Documentum Administrator to determine
the Documentum Administrator version to which you are connected.

Preferences
The Preferences menu in Documentum Administrator specifies default settings and favorites for the
user interface display, virtual documents, repositories, search, and formats. Select Tools > Preferences
to access the Preferences menu.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

35

Administration and Configuration Tools

Content Server Manager


Content Server Manager is an administration tool added to the Windows Start menu during server
installation on Windows platforms. Content Server Manager is typically used to
Edit the server.ini file to change the Content Server configuration
Uninstall a repository
Start the IDQL utility
Modify connection brokers
Display connection broker log files
Invoke the Content Server setup program to add or remove server components
Invoke the Microsoft Performance Monitor tool
Create a configuration summary report

Starting Content Server Manager


Content Server Manager is a Content Server administration tool only available on Windows platforms.

To start Content Server Manager


1.

Log in to the Windows machine that is running Content Server.

2.

Select Start > Documentum Server Manager.


The Documentum Server Manager page displays.

Tool suite
Content Server includes various tools that automate regular administration tasks, such as removing
files, monitoring storage space and database tables. The tools are implemented as jobs and most are
installed in an inactive state. Documentum Administrator provides a graphical interface for defining,
modifying, and monitoring the tools and their associated jobs.
The following table briefly describes the tools that are available. For more information, refer to
Jobs, page 341.
Table 2. EMC Documentum tool suite

Tool

Description

Archive

Automates archive and restore operations between


content areas.

Audit Management

Deletes audit trail objects.

Consistency Checker

Checks the repository for consistency across a variety


of object types.

36

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Administration and Configuration Tools

Tool

Description

Content Replication

Automates replication of document content for


distributed file stores.

Content Storage Warning

Monitors disk space on the devices used to store


content and index files. Queues a warning message
when a disk used for content and index storage
reaches a user-defined percentage of capacity.

Data Dictionary Publisher

Publishes data dictionary information to make it


visible to users and applications.

Database Space Warning

Monitors the RDBMS. Queues a warning message


when the RDBMS reaches a user-defined percentage
of capacity.
Note: This tool is not installed for installations
running against MS SQL Server or DB2.

Dm_LDAPSynchronization

Determines all changes in the LDAP directory server


information and propagates the changes to the
repository.

Dmclean

Automates the dmclean utility, which removes


orphaned content objects, notes, ACLs, and
SendToDistribution workflow templates from a
repository.

Dmfilescan

Automates the dmfilescan utility, which removes


orphaned content files from a specified storage area
of a repository.

Distributed Operations

Performs the distributed operations necessary to


manage reference links. This is an internal job that
is installed as part of the tool suite. Refer to the
Distributed Configuration Guide for more details.

File Report Utility

Provides a report to help restore deleted or archived


document content using file system backups. This
method only applies to distributed storage areas.

Group Rename

Renames a group in the repository.

Index Agent Startup

Starts the index agent.

Log Purge

Deletes log files for the server, session, connection


broker, and agent and the trace log files resulting
from method and job executions.

Queue Management

Deletes dequeued objects in the dmi_queue_item


tables.

Remove Expired Retention Objects

Removes objects with an expired retention date, if


they are stored in an EMC Centera storage area.

Rendition Management

Removes of unwanted document renditions.

State of the Repository Report

Provides information about the repository status.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

37

Administration and Configuration Tools

Tool

Description

Swap Info

Reports on swap space availability and usage.


Note: The Swap Info tool is not installed if the
Content Server is installed on an HPUX platform.

ToolSetup

Installs system administration tools.

Update Stats

Updates stored statistics on the underlying RDBMS


tables, to aid in query performance.

User Chg Home Db

Changes the user home repository.

User Rename

Changes a user name in the repository.

Version Management

Removes of unwanted document versions.

38

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 2
Managing Connection Brokers

This chapter contains the following topics:


Connection brokers, page 39
The connection broker initialization file, page 40
Connection broker projection targets, page 43
Server proximity, page 43
Restarting a connection broker, page 44
Adding a connection broker for one session, page 44
Implementing connection broker failover , page 45
Starting additional connection brokers, page 45
Shutting down connection brokers, page 46

Connection brokers
The Documentum connection broker is a process that provides client sessions with connection
information, such as IP addresses and port numbers. The connection brokers that handle a client
connection request are defined in the dfc.properties file of the client. By default, each Content
Server installation must have one connection broker. The first connection broker is started as part
of the installation process.
When a client contacts the connection broker, the connection broker sends back the IP address and
port number of the server host. If there are multiple servers for the repository, the connection broker
returns connection information for all of them. The client session then uses that information to choose
a server and open the connection. Clients can request a connection through a particular server, any
server on a particular host, or a particular server on a specified host.
The dfc.properties file contains most of the configuration parameters for handling sessions. For
example, the file contains keys that identify which connection brokers are used to obtain a session,
specify how many sessions are allowed for one user, and enable persistent client caching. Many keys
have default values, but an administrator or application must explicitly set some of the keys. For
more information about the dfc.properties file, refer to The dfc.properties file, page 131.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

39

Managing Connection Brokers

The standard connection broker that comes with a Content Server installation can be customized
for meet more specific requirements, such as:
Protection against being shut down by an unauthorized person
A list of servers that can access the connection broker
IP listening addresses to run multiple connection brokers
Connection requests from outside a firewall
These options are configured in the connection broker initialization file. Both, the dfc.properties file
and the connection broker initialization file cannot be modified using Documentum Administrator.
When Content Server is started, it automatically broadcasts information about itself. Each connection
broker that receives the broadcast adds the server to its registry, or list of known servers. Content
Server sends the first broadcast before it is fully initialized, and the connection broker sets the
server status to starting. As soon as Content Server is fully initialized and ready to service clients, it
broadcasts a checkpoint message. The receiving connection brokers update the server status to open.
Content Server broadcasts a checkpoint message at regular intervals. By default, the checkpoint
interval is 5 minutes. If the connection broker does not receive a checkpoint message, it modifies the
server status to presumed down. A connection broker keeps the entry for a non-broadcasting server
for a specified time, called the keep_retry interval. Both, the checkpoint interval and the keep_retry
interval are specified in the server configuration object, as described in Table 5, page 57.
A connection broker deletes a Content Server from its list of known servers when:
A server sends a delete me message as a result of a manual shutdown using the shutdown
method, as described in .
A server fails to broadcast a checkpoint message within the expected keep_entry interval.
For example, a server is not active as a result of a shutdown without a delete me message, a crash,
or when the network between the server and connection broker fails.
A server is reinitialized after a change to the projection targets in the server config object that
deletes the connection broker from the targets.

The connection broker initialization file


The connection broker initialization file is an optional connection broker configuration file. The
initialization file can have any valid file name. You can store the file in any location, but the most
convenient place is the same directory in which the dm_launch_docbroker script is stored.
The initialization file is a plain text file and has the following format:
[SECURITY]
password = string_value
allow_hosts=host_name_list|deny_hosts=host_name_list
[DOCBROKER_CONFIGURATION]
host = host_name|IP_address_string
service = service_name
port = port_number
[TRANSLATION]port=["]inside_firewall_port=outside_firewall_port
{,inside_firewall_port=outside_firewall_port}["]

40

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Connection Brokers

host=["] inside_firewall_ip=outside_firewall_ip
{,inside_firewall_ip=outside_firewall_ip}["]

Note: The password key in the [SECURITY] section is only valid on UNIX platforms. Connection
brokers on Windows platforms do not use the security password. The port translation strings are
enclosed in double quotes when multiple ports or hosts are specified.
If the initialization file includes a valid service name, the connection broker is started with the
service name. If the initialization file does not provide a service name, but a valid port number,
the connection broker is started using the port number. If a service name or a port number is not
included, the connection broker is started on port 1489.

Invoking the initialization file


When you start a connection broker, the initialization file is not automatically invoked. To invoke the
file, include the -init_file argument on the startup command line.
For Windows platforms, the syntax is:
drive:\documentum\product\version_number\bin\dmdocbroker.exe
-init_file filename

If the connection broker is running as a service, edit the service entry to include the argument on the
command line. You can use the Documentum Server Manager to edit the service entry.
For UNIX platforms, the syntax is:
% dm_launch_docbroker -init_file filename

If there are other arguments on the command line in addition the initialization file argument, the
-init_file argument must appear first or it is ignored.

Configuring shutdown security (UNIX only)


Defining a security password for a connection broker ensures that only a user who knows the
password can stop the connection broker. Define a password in the [SECURITY] section with the
password key:
[SECURITY]
password=string_value

Restricting server access


By default, a connection broker accepts broadcasts from any server. However, you can configure a
connection broker to either:
Accept broadcasts only from specified servers
Reject broadcasts from specified servers
To define accepted servers, use the following format in the initialization file:
[SECURITY]

EMC Documentum Content Server Administration and Configuration 6.7 Guide

41

Managing Connection Brokers

...
allow_hosts=host_name_list

To define rejected servers, use the following format:


[SECURITY]
...
deny_hosts=host_name_list

host_name_list is a list of the host machines on which the servers reside. Separate multiple host names
by commas. For example:
[SECURITY]
...
deny_hosts=bigdog,fatcat,mouse

The options are mutually exclusive. For each connection broker, you can configure either the accepted
servers or the rejected servers, but not both.

Translating IP addresses
For security reasons, many enterprises set up firewalls to prevent outside users from accessing
enterprise repositories and file systems.
To allow a user or client application outside the firewall to connect to a repository inside the firewall,
the connection broker initialization file includes a [TRANSLATION] section. This section redirects a
request to a safe IP address and port name. The section has the following format:
[TRANSLATION]
port=inside_firewall_port=outside_firewall_port
{,inside_firewall_port=outside_firewall_port}
host=inside_firewall_IP=outside_firewall_IP
{,inside_firewall_IP=outside_firewall_IP}

inside_firewall_port and outside_firewall_port are port numbers.


inside_firewall_IP and outside_firewall_IP are IP addresses.
For example, suppose repository A is inside a firewall and that application B, outside the firewall,
wants to connect to repository A. Also suppose the connection broker that receives the request has
the following TRANSLATION section in its initialization file:
[TRANSLATION]
port=2231=4532
host=2.18.13.211=172.18.23.257

When the connection broker receives the request, it translates 2231 to 4532 and 2.18.13.211 to
172.18.23.257. It sends the values 4532 and 172.18.23.257 back to application B, which uses them
to establish the connection.
If you specify multiple ports or hosts for translation, enclose the translation string in double quotes.
For example:
[TRANSLATION]
port="2253=6452,2254=6754"

To use a [TRANSLATION] section:


1.

42

Define the IP address translation rules in the firewall.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Connection Brokers

2.

Enter the rules in the [TRANSLATION] section of the connection broker initialization file.

3.

Restart the connection broker, specifying the initialization file on the command line.

Connection broker projection targets


Active Content Servers must regularly broadcast, or project, connection information to at least one
connection broker. Server broadcasts are called checkpoints. The connection brokers receiving the
checkpoints are called connection broker projection targets.
Connection broker projection targets are defined in the server configuration object. The Content
Server installation procedure defines one connection broker projection target in the server.ini file.
The target is the connection broker that is specified during the installation procedure. When the
installation procedure is complete, the target definition can be moved to the server configuration
object.
For information about modifying connection broker projection targets, refer to Creating or modifying
connection broker projections, page 62.

Server proximity
Content Servers send a proximity value to each connection broker projection target. The proximity
value represents physical proximity of the server to the connection broker. By default, clients connect
to the server with the smallest proximity value since that server is the closest available server. If two
or more servers have the same proximity value, the client makes a random choice between the servers.
The proximity values should reflect the topology of a Content Server installation. For example,
an installation with three servers and one connection broker, the server closest to the connection
broker projects the lowest proximity value. The server farthest from the connection broker projects
the highest proximity value.
The server proximity value is specified in the network location section of the server configuration
object, as described in Creating or modifying network locations , page 63.
An individual server that has multiple connection broker projection targets can project a different
proximity value to each target. Guidelines for setting proximity values are:
Proximity values should have a value of 1 to 999, unless the content servers are in a distributed
configuration.
Any server with a proximity value of 9000 to 9999 is considered a Content Server and typically
only handles content requests.
For values from 1001 through 8999, the first digit is ignored and only the last three digits are
used as the proximity value. For example, if for a proximity value of 8245, clients ignore the 8
and only consider 245 the proximity value.
On Windows platforms, proximity values of 10,000 and more represent servers in another
domain. Users who want to connect to such servers must specify the server by name in the
Connect command line.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

43

Managing Connection Brokers

Restarting a connection broker


On Windows platforms, a connection broker can either be started as a service or from the command
line. On UNIX platforms, a connection broker is always started from the command line.

To restart a connection broker running as a Windows service:


1.

Double-click Start connection broker in the Documentum group.


This launches the connection broker executable.
Note: The connection broker service name is Documentum Docbroker Service
connection_broker_name where connection_broker_name is the name of the connection broker. The
default service name is Documentum Docbroker Service Docbroker.

To restart a connection broker that is not running as a Windows service:


1.

At the operating system prompt, enter the startup command line.


The syntax for the startup command is:
dmdocbroker.exe [-init_file filename ] -host
-service service_name - port port_number

host_name

For example:
d:\documentum\product\6.0\bin\dmdocbroker.exe
-init_file DocBrok.ini -host engr -service engr_01

To restart a connection broker on a UNIX platform:


1.

Log in to the machine on which to start the connection broker.

2.

Change to the $DOCUMENTUM/dba directory:


% cd $DOCUMENTUM/dba

3.

At the operating system prompt, type the command line for the dm_launch_docbroker utility.
The command-line syntax is:
dm_launch_docbroker [-init_file file_name] [-host host_name] [service service_name] [-port port_number]

Include the host name and a service name or port number to identify the connection broker.
Otherwise specify an initialization file that includes a [DOCBROKER_CONFIGURATION]
section to identify the connection broker.

Adding a connection broker for one session


Documentum Administrator obtains connection information from the connection broker referenced
in the dfc.properties file of the Documentum Administrator installation. You cannot modify the
dfc.properties file using Documentum Administrator. If you have system administrator or superuser
privileges, you can add connection brokers for an active session by storing connection broker
information in a cookie. However, the repositories of that connection broker can only be accessed
during the current session.

44

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Connection Brokers

To add a connection broker for a session:


1.

Connect to Documentum Administrator.

2.

Click Add Repository to access the Add a Repository page.

3.

Select a repository and then click the more repositories link to access the Connection Brokers
page.

4.

To add a connection broker, type its name in the Enter New Connection Broker text box and
then click Add.
If the connection broker uses a port other than 1489, use the follow format:
connection_broker_name:port_number

For example:
mozart:1756

Implementing connection broker failover


Failover for connection information requests from a client is implemented by listing
multiple connection brokers in the dfc.properties file. In addition, the value of the
dfc.docbroker.auto_request_forward key in the dfc.properties file must be set to T.
By default, the first connection broker listed in the file handles the connection request. If that
connection broker does not respond within 15 seconds or less, the request is forwarded to the next
connection broker that is listed in the dfc.properties file. The request is forwarded sequentially until a
connection broker responds successfully or until all connection brokers defined in the file have been
tried. If there is no successful response, the connection request fails.

Starting additional connection brokers


A repository can have multiple connection brokers. The connection brokers can run on separate
machines or on the same machine. With multiple connection brokers on the same machine, each
connection broker on the machine must use a separate port or a separate network card.
Configuring a connection broker to use a separate port, requires defining a services file entry that
identifies the service name for the connection broker. The service name for the connection broker
must be unique among the service names. Alternatively, you can create an initialization file that
identifies the service. For example:
[DOCBROKER_CONFIGURATION]
host=host_machine_name
service=service_name

or
[DOCBROKER_CONFIGURATION]
host=host_machine_name
port=port_number

where port_number is the port identified in the new service.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

45

Managing Connection Brokers

To configure a connection broker to use a separate network card, create an initialization file for the
connection broker. The file must include a [DOCBROKER_CONFIGURATION] section to identify the
IP address of the network card. Use the following format:
[DOCBROKER_CONFIGURATION]
host=IP_address_string
service=service_name
port=port_number

IP_address_string must be in the dotted decimal format (for example, 143.23.125.65).


The service name is the connection broker service name, defined in the host machine services file. The
port number is the port defined in the service. Refer to Content Server Installation Guide for instructions
on setting up service names. If you include a service name, the connection broker is started using that
service. Otherwise, if you include a port number, the connection broker is started using that port. If
you do not include a service name or a port number, the connection broker uses port number 1489.

To start additional connection brokers:


1.

Start the connection broker from the operating system prompt.


On Windows:
d:\documentum\product\6.0\bin\dmdocbroker.exe
[-init_file filename ]-host host_name -service

service_name

On UNIX:
dm_launch_docbroker [-init_file filename]-host host_name
-service service_name

Include the host name and a service name or port number to identify the connection broker.
Otherwise, specify an initialization file that includes a [DOCBROKER_CONFIGURATION]
section to identify the connection broker.
2.

Modify the projection properties in the server config object to add the new connection broker as
a server projection target.

3.

Optionally, modify the server.ini file to add the new connection broker as a server projection
target.

4.

Reinitialize the server.

Shutting down connection brokers


The connection broker shutdown procedure varies, depending on whether the connection broker
runs on a Windows platform or UNIX platform. The shutdown procedure also depends on whether
the connection broker was started as a service or from the command line.
If the connection broker was configured with shutdown security, supply the correct password to shut
down the connection broker.

To stop a connection broker running as a service on Windows:


1.

Click Start > Program Files > Documentum > Server Manager

2.

Select the connection broker tab.

46

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Connection Brokers

3.

Select the correct connection broker.

4.

Click Stop.

To stop a connection broker started from the Windows command line:


1.

Close the window in which the connection broker is running.

To stop a connection broker on a UNIX platform:


1.

Execute the dm_stop_docbroker utility on the command line:


% dm_stop_docbroker [-Ppassword][-B[atch]]
[-Nport_number][-Sservice_name]

The utility stops the connection broker that is running on the host specified in the dmshutdown
script. That connection broker was specified during the initial server installation. If you are
executing the dm_stop_docbroker utility in interactive mode (without the -B flag), the utility
displays which connection broker it intends to stop and prompts for a confirmation. If you
include the -B flag, the utility does not prompt for confirmation or display which connection
broker it is stopping. The default for the -B flag is FALSE.
If you have multiple connection brokers on one machine, you can include the -N and -S
arguments to identify a particular connection broker to shut down.
The password is the password specified in the connection broker initialization file. For more
information about connection broker security, refer to Configuring shutdown security (UNIX
only), page 41. If the connection broker initialization file contains a password, supply this
password to stop the connection broker.
If you cannot use the dm_stop_docbroker utility, you can use the UNIX kill command to stop the
connection broker if it was started without security. If you do not know the process ID for the
connection broker, you can obtain it using the UNIX ps command. You cannot use the UNIX
kill command to stop a connection broker that was started with security. Only the UNIX kill -9
command stops a secured connection broker.

Stopping multiple connection brokers on UNIX


If you have multiple connection brokers, stop two or more by editing the dm_stop_docbroker script
before running the dm_stop_docbroker utility. The script resides in the $DOCUMENTUM/dba
directory. The last line in this script contains the connection broker host name that is stopped when
the dm_stop_docbroker utility runs:
./dmshutdown docbroker -Tlapdog -P$password $@
# lapdog is the host name

To stop multiple connection brokers, add a line one for each host on which a connection broker
resides to the script. For example, connection brokers are running on hosts named lapdog, fatcat, and
mouse. To stop all three connection brokers, edit dm_stop_docbroker to include these three lines:
./dmshutdown docbroker -Tlapdog -P$password $@
#lapdog is the host name
./dmshutdown docbroker -Tfatcat -P$password $@
#fatcat is the host name
./dmshutdown docbroker -Tmouse -P$password $@
#mouse is the host name

EMC Documentum Content Server Administration and Configuration 6.7 Guide

47

Managing Connection Brokers

If all connection brokers use the same password, the dm_stop_docbroker utility substitutes the
password specified on the command line for $password in the script. If each connection broker
requires a different password, add the password for each connection broker in the script:
./dmshutdown docbroker -Tlapdog -Pbigbark $@
#lapdog is the host name
./dmshutdown docbroker -Tfatcat -Pmeowmeow $@
#fatcat is the host name
./dmshutdown docbroker -Tmouse -Psqueak $@
#mouse is the host name

Requesting connection broker information


To obtain information about servers or repositories associated with a particular connection broker, or
which connection broker a client can access, use the following methods:
getServermap: Returns information about associated servers for a particular connection broker.
The IDfDocbrokerClient.getServerMap method returns the non-persistent server locator object.
The server information appears at corresponding index positions in the repeating properties of
the object. For example, the name of the host machine for the server named in r_server_name[0]
is specified in r_host_name[0]. The process ID is specified in r_process_id[0], and the status is
specified in r_last_status[0].
For more information about the server locator object, refer to the Documentum System Object
Reference Manual .
getDocbaseMap: Returns information about associated repositories for a particular connection
broker.
The IDfDocbrokerClient.getDocbaseMap method returns the non-persistent docbase locator
object. The repository information appears at corresponding index positions in the repeating
properties. For example, the name of the repository whose ID is in r_docbase_id[3] is found in
r_docbase_name[3] and its description is found in r_docbase_description[3].
For more information about the docbase locator object, refer to the Documentum System Object
Reference Manual .
getDocbrokerMap: Returns a list of connection brokers a client can access.
The IDfTypedObject.getDocbrokerMap method returns the non-persistent docbroker locator
object.
The information for a single connection broker appears at corresponding index positions
in the repeating properties. For example, the values at network_protocol[2], host_name[2],
port_number[2], and time_out[2] describe one connection broker.
The method is also useful when sending a getDocbaseMap or getServerMap method to a
particular connection broker to find the protocol, host name, and port number values for the
connection broker.
For more information about the docbroker locator object, refer to the Documentum System Object
Reference Manual .
Query the client config object.

48

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Connection Brokers

Each client session references a non-persistent client config object for configuration information.
The client object properties are populated from the keys of the dfc.properties file. Any key value
specified in the file is reflected in the client config object.
The keys in the dfc.docbroker category contain information about the connection brokers in
the properties file is contained in the keys with the category dfc.docbroker. For example, a
dfc.docbroker.host key identifies a connection broker host and a dfc.docbroker.port key identifies
a connection broker port.
The repeating properties of the client config object use the same names as the keys in the
dfc.properties file. For example, connection brokers hosts are found in the dfc.docbroker.host
property.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

49

Managing Connection Brokers

50

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 3
Managing Content Servers

This chapter contains the following topics:


Content Servers, page 51
Starting a server, page 52
Configuring licenses, page 53
Tracking software usage and AMP, page 53
Managing Content Servers, page 54
The server.ini file, page 70
Managing additional Content Servers, page 86
Server load balancing and failover, page 87
Shutting down a server, page 87
Clearing the server common area, page 89
Managing the JBoss application server, page 89
Server log files, page 90
The dm_error utility, page 90
Improving performance on Oracle and DB2 databases, page 91

Content Servers
A Content Server is a process that provides client access to the repository. Content Servers receive
queries from clients in the form of DFC methods or DQL statements and make the actual call to the
underlying RDBMS or the file directories. Every repository must have at least one active Content
Server. If a repository does not have an active server, users cannot access that repository.
The default Content Server installation starts one Content Server for a repository. However, a
repository can have more than one Content Server. If a repository is very active, serving many
users, or its users are widely spread geographically, multiple servers can provide load balancing
and enhance performance. For information about adding Content Servers to a repository, refer to
Adding or modifying Content Servers, page 55.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

51

Managing Content Servers

Repositories are comprised of object type tables, type indexes, and content files. The type tables and
type indexes are tables in an underlying relational database. The content files are typically stored in
directories on disks in a given installation. However, content files can also be stored in the database, in
a retention storage system such as EMC Centera or NetApp SnapLock, or on external storage devices.
A full-text index is associated with a particular repository or, in a consolidated deployment, with all
repositories indexed by a xPlore installation. Full-text indexes enable rapid searching for designated
values or strings in content files and property values.

Starting a server
Content Server can only be started or restarted using Documentum Server Manager or a startup script.

To restart a server using Documentum Server Manager (Windows):


1.

Log into the machine where Content Server is installed as the Documentum installation owner.

2.

Navigate to Start > Programs > Documentum > Documentum Server Manager.

3.

Click the DocBroker tab, select a connection broker, then click Start .

4.

Click the Repository tab, select a repository, then click Start to start Content Server.

5.

Click Start > Programs > Administrative Tools > Services.

6.

Right-click Documentum Java Method Server in the Services list, then click Start to start the
Java Method Server.

To restart a server using the startup script (UNIX):


1.

Log into the machine where Content Server is installed as the Documentum installation owner.

2.

Start the connection broker by running the $Documentum/dba/dm_launch/docbrokerName script,


where docBrokername is the name of the connection broker.
Change to the $DOCUMENTUM/dba directory.

3.

Run the dm_start_repositoryname script that references the server to start.


The dm_start_repositoryname script checks that a log directory is defined for the installation,
copies any existing log file to a new location, and starts the server. The script has an optional
argument, -oclean, that removes the files in the server common area if the argument is included it
in the command line.

4.

Navigate to the $DOCUMENTUM_SHARED/jboss4.2.0/domains/DctmDomain directory and run


the startMethodServer.sh script to start the application server.

52

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Configuring licenses
Certain Content Server and repository features require an additional license. Documentum
Administrator provides a license configuration feature to enable licenses in existing repositories for
the following features or products:
Collaboration Edition
Federated Record Services
Physical Records Management
Records Manager
Retention Policy Services

To view which licenses are enabled:


1.

Connect to Documentum Administrator.

2.

On the System Information page, click Licensing: Configure Licenses.


A list of features appears, including which licenses are enabled. For instructions on enabling a
license, click the Help link or Enabling a feature or product, page 53.

Enabling a feature or product


Use these instructions to enable the license for a particular feature or product.

To enable a product or feature license:


1.

Connect to Documentum Administrator.

2.

On the System Information page, click Licensing: Configure Licenses.


The Product Licensing page appears. The page displays a list of products and features and
indicates which licenses are enabled.

3.

Select the feature or product.

4.

Click Enable.
The Product License page appears.

5.

Type the license key for the feature or product.

6.

Click OK to return to the Product Licensing page.

7.

Click OK to return to the System Information page.

Tracking software usage and AMP


EMC Documentum provides an application for software usage reporting. The primary reporting
tool, EMC Asset Management & Planning (AMP) is a virtual appliance that provides the ability to
track deployed software assets and generate online and graphical reports based on the collected

EMC Documentum Content Server Administration and Configuration 6.7 Guide

53

Managing Content Servers

data. The AMP configuration and usage monitoring policies are completed through a browser
interface. However, all data is contained behind the firewall of the customer to help prevent
third-party access to the data. Additionally, a single instance of AMP has the ability to access multiple
global registries to provide a collated view of software usage in the customer environment. This
aggregated and confidential view into current usage trends allows optimizing capacity planning and
asset management strategies. The usage reports, or raw data, provided in AMP can be exported if
additional analysis, graphical reports or retention is needed.
The EMC Asset Management & Planning (AMP) User Guide provides information about obtaining,
installing, and configuring AMP for Content Server and other EMC products. Appendix F, AMP and
Usage Tracking, provides more details about AMP.
If AMP is not installed, Content Server only provides basic report for the system administrator. For
more information, refer to Usage tracking (dm_usageReport), page 354.

Managing Content Servers


The default Content Server installation creates a repository with one server. In Documentum
Administrator, administrators can configure additional servers to run against a particular repository.
Each Content Server is associated with a server configuration object. A server configuration object is a
template for a Content Server. A server configuration is defined by the properties in the associated
server configuration object and the parameters in the server.ini file that is read during server startup.
At startup, a server always reads the CURRENT version of its server configuration object.
All server configuration objects for the current repository are listed on the Content Server
Configuration page in Documentum Administrator, as described in Table 3, page 54.
Server configuration objects are stored in the repository System cabinet. You can add Content Servers
by creating multiple server configuration objects, as long as they are uniquely named. You can also
modify a server configuration object and save it as a new object.
Note: For information about creating, starting, and stopping a remote Content Server, refer to the
Content Server Installation Guide and Distributed Configuration Guide.
Table 3. Server configuration object information

Column

Description

Name

The name of the server configuration object.

Host

The name of the host on which the Content


Server associated with the server configuration
object is running.

Current Status

The current status of the Content Server. Valid


values are:
Running
Unknown

Version

54

The version of the server configuration object.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Adding or modifying Content Servers


The Server Configuration list page in Documentum Administrator lists the server configuration
objects of all Content Servers for the current repository. Each Content Server has a server
configuration object in the repository.

To create, view, or modify server configuration object properties:


1.

Log in to Documentum Administrator.

2.

Select Administration > Basic Configuration > Content Servers.


The Content Server Configuration page displays.

3.

On the Content Server Configuration page, do one of the following:


To add a Content Server, select File > New > Server Config.
To modify the server configuration object of an existing Content Server, select the server
configuration object in the Name column, then select View > Properties > Info.
The Server Configuration Properties page displays.

The Server Configuration Properties page is organized into tabbed pages as follows:

EMC Documentum Content Server Administration and Configuration 6.7 Guide

55

Managing Content Servers

Table 4. Server Configuration properties tabs

Tab

Description

Info

Select the Info tab to view or modify information on the server host, the
platform on which the server is running, code pages and locales, and other
general information. For instructions, refer to Modifying general server
configuration information, page 57.

Connection Brokers

Select the Connection Brokers tab to view or modify connection broker


projections, as described in Creating or modifying connection broker
projections, page 62.

Network Locations

Select the Network Locations tab to view or modify the proximity values
for the associated network locations, as described in Creating or modifying
network locations , page 63.

App Servers

Select the App Servers tab to add an application server for Java method
execution, as described in Creating or modifying application servers,
page 64.

Cached Types

Select the Cached Types tab to specify which user-defined types are to be
cached at server startup, as described in Creating or modifying cached
types, page 65.

Locations

Select the Locations tab to view the locations of certain files, objects, and
programs that exist on the server host file system, including the assume
user program, change password program, log file. For instructions on
creating or modifying locations, refer to Creating or modifying locations,
page 65.

Far Stores

Select the Far Stores tab to view accessible storage areas and to designate
far stores, as described in Creating or modifying far stores, page 66. A
server cannot store content in a far store. For more information about far
stores, refer to the Documentum Distributed Configuration Guide.

If you are creating a server configuration object, start with the Info page and proceed sequentially
through the tabs. However, the easiest way to create a server configuration object is to copy an
existing server configuration object and then modify the new server configuration object properties,
as described in Duplicating a server configuration object, page 56.

Duplicating a server configuration object


Use these instructions to create a server configuration object using an existing server configuration
object as a template. Create a server configuration object when you run additional servers against a
repository, whether on the same host or a different host.

To duplicate a server configuration object:


1.

Navigate to Administration > Basic Configuration > Content Servers.


The Content Server Configuration list page appears.

2.

56

Select the server name to copy and then select File > Save As.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

The Server Configuration Properties - Info page appears.


3.

In the Name field, type the name of the new server configuration object.

4.

Modify any properties that you want to change.


Refer to Adding or modifying Content Servers, page 55 for information on modifying the other
properties.

5.

Click OK to save the new server configuration object or Cancel to exit.

Modifying general server configuration information


Use these instructions to create or modify the general server information, such as the server host, the
platform on which the server is running, code pages and locales.

To modify general server configuration information:


1.

Navigate to Administration > Basic Configuration > Content Servers.


The Content Server Configuration list page displays.

2.

On the Content Server Configuration page, do one of the following:


To create a new server configuration object, select File > New > Server Config.
To modify an existing server configuration object, select the server configuration object in the
Name column, then select View > Properties > Info.
The Server Configuration Properties page displays with the Info tab selected.

3.

Enter or modify the server configuration object properties, as described in the following table:

Table 5. General server configuration properties

Field label

Value

Name

The name of the initial server configuration object created.


By default, the server configuration object has the same
name as the repository. When you create a new server
configuration object, you assign it a new name.

Host Name

The name of the host on which the server is installed.


Read-only.

Server Version

The version, operating system, and database of the server


defined by the server configuration object. Read-only.

Process ID

The servers process ID on its host. Read-only.

Install Owner

The Documentum installation owner. Read-only.

Install Domain

On Windows, the domain in which the server is installed


and running. Read-only.

Trusted Mode

Indicates whether Trusted Content Services is enabled.


Read-only.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

57

Managing Content Servers

Field label

Value

Update Configuration Changes


Re-Initialize Server

Select to reinitialize the server after the server configuration


object is saved.

Configuration Changes
Web Server Location

The name of the web server host and its domain. Used by
client applications for creating DRLs.

Web Server Port

Identifies the port the web server uses. The default is 80.

Agent Launcher

Defines the method that launches the agent exec process.


The default value is agent_exec_method.
The agent_exec_method is created when you install Content
Server. Its name is stored in the agent_launcher property of
the server configuration object. It polls jobs that contain
scheduling information for methods. Jobs are launched by
the agent_exec process.
To disable all job execution, leave this field empty.
Click the Select Agent Launcher Method link to access the
Choose a method page.

Operator Name

The name for the repository operator if the repository


operator is not explicitly named on the dmarchive.bat
command line or in the Archive or Request method. This
must be manually configured. The default is the owner of
the server configuration object (the repository owner).
The repository operator is the user whose Inbox receives all
archive and restore requests.
Click the Select Operator link to access the Choose a user
page.

58

Server Cache Size

The maximum number of objects allowed in the server


cache. The default is 200.

Client Cache Size

The maximum permitted size of the client cache, expressed


as the number of objects. The default is 50.

Network File Share

Indicates whether the server is using Network File Share for


file sharing.

Checkpoint Interval

Defines the interval at which the server broadcasts service


information to connection brokers. The unit of measurement
is seconds. The default is 300 seconds.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Field label

Value

Keep Entry Interval

Specifies how long each connection broker keeps a server


entry if the connection broker does not receive checkpoint
broadcasts from the server. This time limit is included in the
servers broadcast information.
By default, the value is 1,440 minutes (24 hours).

Locale Name

Indicates the server locale.


The value is determined during server installation.

Default Client Codepage

The default codepage for clients. The value is determined


programmatically and is set during server installation. In
general, it does not need to be changed.
Options are:
UTF-8
ISO_8859-1
Shift_JIS
EUC-JP
EUC-KR
US-ASCII
ISO_10646-UCS-2
IBM850

Server OS Codepage

The code page used by the operating system of the machine


on which the server resides. The value is determined
programmatically and is set during server installation. In
general, this value is not changed.
Options are:
UTF-8
ISO_8859-1
Shift_JIS
EUC-JP
EUC-KR
US-ASCII
ISO_10646-UCS-2

EMC Documentum Content Server Administration and Configuration 6.7 Guide

59

Managing Content Servers

Field label

Value
IBM850

Turbo Backing Store

The name of the file store storage area where the server puts
renditions generated by indexing blob and turbo content.
The default is filestore_01.

Rendition Backing Store

The name of the file store storage area where the server will
store renditions generated by full-text indexing operations.

Modifications Comments

Remarks on changes made to the server configuration object


in this version.

SMTP Server

The name of the computer hosting the SMTP Server that


provides mail services to Content Server.
The value is provided during server installation.

Workflow Agent Worker


Threads

The number of workflow agent worker sessions. The


maximum value is 1000. The default value is 3. Setting this
to 0 disables the workflow agent.
For more information about workflows, refer to The
workflow agent, page 599.

Secure Connect Mode

Specifies whether type of connection the server accepts.


Options are:
Dual: Uses encrypted and unencrypted connections.
Native: Uses unencrypted connections only.
Secure: Uses encrypted connections only.
If you change the mode, you must restart the server.
Re-initializing the server does not suffice.

Maximum Content Migration


Threads

Defines a valid value range for the argument


PARALLEL_DEGREE for parallel content migration when
running MIGRATE_CONTENT administration method or
setting up a migration policy rule. Valid values are between
1 and 128.
This option requires a Content Storage Services license that
is enabled on the Content Server.

60

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Field label

Value

System Shutdown Timeout

The time in seconds that the workflow agent attempts to


shut down work items gracefully after receiving a shutdown
command. The default value is 120 seconds.
When the timeout value expires, the server takes over
and shuts down the workflow agent. This feature is only
applicable for repositories that use multiple Content Servers.
If the timeout period is exceeded (or is set to zero), Content
Server takes over and shuts down the workflow agent
immediately.
If the timeout period is a negative value, Content Server
waits for the workflow agent threads to complete the
automatic tasks held by workflow agent workers before
shutting down gracefully.
For more information about system shutdown behavior,
refer to Changing the system shutdown timeout, page 599.

Authorization Settings
Inherit Permission Set From

The permission set the server uses for new objects if a user
fails to specify a permission set for an object or fails to
specify that no default permission set is wanted. Options
are:
A User permission set is defined for a user when a system
administrator, superuser, or repository owner creates a
user. This permission set can be used as the permission set
for any object created by the user. Because user objects are
not subtypes of SysObject, the permission set is not used to
enforce any kind of security on the user. A User permission
set can only be used as a default permission set.
A Type permission set is associated with the type definition
for a SysObject or SysObject subtype. A Type permission set
can only be used as a default permission set.
A Folder permission set is associated with a folder or
cabinet. If a user wants to change a folder or cabinets
properties, modify the folder or cabinet object itself, or
move, copy, or link an object to the folder, the server uses the
permissions in the associated permission set to determine
whether the user can perform the requested operation.

Default Alias Set

The default alias set for new objects. Click the Select Alias
Set link to access the Choose an alias set page.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

61

Managing Content Servers

Field label

Value

Enabled LDAP Servers

The LDAP configuration objects for LDAP servers used for


user authentication and synchronization.
Click the Select link to access the Choose LDAP Server
Configurations page to add LDAP servers.

4.

Maximum Login Ticket


Expiration Time

The maximum length of time, in minutes, that a login ticket


generated by the current server can remain valid. The
minimum value is 1 minute. The maximum value is 43200
minutes (30 days). The default value at server installation is
43200.

Default Login Ticket Expiration


Time

The default length of time, in minutes, that a login ticket


generated by the current server can remain valid. The value
must always be less than or equal to the maximum login
ticket expiration time. The default value is 5 minutes.

Application Access

Application access control (AAC) tokens are encoded


strings that may accompany connection requests from
applications. The information in a token defines constraints
on the connection request. If selected, a connection request
received by this server from a non-superuser must be
accompanied by a valid application access control token and
the connection request must comply with the constraints
in the token.

Superuser Access

When selected, a user with superuser privileges cannot


connect to the server using a global login ticket.

Do one of the following:


If you are creating a server configuration object, click Next to configure connection brokers.
If you are modifying an existing server configuration object, click OK to save your changes or
click one of the other tabs to make additional changes.

Creating or modifying connection broker projections


The connection broker is the intermediary between a client and the server when the client wants a
repository connection. If a server is not known to at least one connection broker, no clients can
connect to the repository associated with the server. Each server broadcasts information to connection
brokers at regular intervals. The broadcast contains the information maintained by connection
brokers about the server and the repository accessed by the server.
When a client requests a connection to a repository, the connection broker sends the client the
connection information for each server associated with the repository. The client can then choose
which server to use.
You access the Connection Brokers page by selecting the Connection Brokers tab on the Server
Configuration Properties page, as described in Adding or modifying Content Servers, page 55.

62

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

To create, modify, or delete connection broker projection targets:


1.

On the Connection Broker page, you can:


Click Add to add a connection broker projection target.
Modify an existing projection target by selecting the target in the Target Host column, then
click Edit.
Delete an existing connection broker by selecting a connection broker, then click Remove.
The Connection Broker Projection for ACS Server page displays.

2.

Enter or modify the projection target information, as described in Table 6, page 63.

3.

Do one of the following:


If you are creating a server configuration object, click Next to configure network locations.
If you are modifying an existing server configuration object, click OK to save your changes or
click another tab to make additional changes. To enable the changes, reinitialize the server.
Restarting the server is not required.

Table 6. Projection target information

Field

Description

Target Host

Type the name of the host on which the connection broker resides.

Port

Type the port number on which the connection broker is listening.

Proximity

Type the correct proximity value for the connection broker.

Note

Type a note about the connection broker.

Status

Select Enabled to enable projection to the connection broker.

Creating or modifying network locations


A network location identifies locations from which end users connect to Documentum web clients.
Network locations define specific IP address ranges. Content Servers use network locations to
determine the content storage location from which a content file is provided to web client users.
You access the Network Location page by selecting the Network Locations tab on the Server
Configuration Properties page, as described in Adding or modifying Content Servers, page 55.

To create, modify, or delete network locations:


1.

On the Network Locations page, you can:


Click Add to create a network location.
Delete an existing network location by selecting a network location in the Network location ID
column, then click Remove.

2.

To add network locations on the Choose Network Locations page, select a network location in
the left column and click

The network locations move to the right-hand column.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

63

Managing Content Servers

3.

Click OK to save the change or Cancel to exit without saving.

4.

To change the proximity values for a network location, edit the Proximity field.
Servers send a proximity value to each connection broker projection target. The proximity value
represents the physical server proximity to the connection broker.

5.

Select or clear the Enabled option to enable or disable the server projection to a network location, .

6.

Do one of the following:


If you are creating a new server configuration object, click Next to configure application
servers.
If you are modifying an existing server configuration object, click OK to save your changes or
click another tab to make additional changes. To enable the changes, reinitialize the server.
Restarting the server is not required.

Creating or modifying application servers


Content Server supports application servers in the server configuration object. The Content Server
configuration object specifies the name and the URI of the associated application servers.
Content Server supports a wide variety of network-accessible application, personalization, portal,
and e-commerce servers from enterprise vendors such as BEA, IBM, Microsoft, Oracle, Sun, and SAP.
For more information about how to deploy an application server, refer to the vendor documentation
that came with the application server.
You access the App Servers page by selecting the App Servers tab on the Server Configuration
Properties page, as described in Adding or modifying Content Servers, page 55.

To create, modify, or delete application servers:


1.

On the App Servers page, you can:


Click Add to add an application server.
Modify an existing application server by selecting the application server in the Name column,
then click Edit.
Delete an existing application server by selecting the application server in the Name column,
then click Remove.

2.

Add or modify information on the Application Server page, as described in Table 7, page 65.

3.

Do one of the following:


If you are creating a new server configuration object, click Next to configure cached types.
If you are modifying an existing server configuration object, click OK to save your changes or
click another tab to make additional changes. To enable the changes, reinitialize the server.
Restarting the server is not required.

64

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Table 7. Application server properties

Field

Description

Name

Type the application server name.

URI

Type the URI to the application server, in the following format:


http://host_name:port_number/servlet_path

Creating or modifying cached types


Cached types specify which user-defined types are to be cached at server startup. By default,
no user-defined objects are cached.
You access the Cached Types by selecting the Cached Types tab on the Server Configuration
Properties page, as described in Adding or modifying Content Servers, page 55.

To create, modify, or delete cached types:


1.

On the Cached Types page, you can:


Click Add to add one or more cached types. The Choose a type page appears.
Delete an existing cached type by selecting the cached type, then click Remove.

2.

To add one or more cached types on the Choose a type page, select one or more cached types in
the left column and click

The cache types move to the right-hand column.


3.

Click OK to save your changes.

4.

Do one of the following:


If you are creating a new server configuration object, click Next to configure locations.
If you are modifying an existing server configuration object, click OK to save your changes or
click another tab to make additional changes. To enable the changes, reinitialize the server.
Restarting the server is not required.

Creating or modifying locations


The Location tab lets you view and modify the locations of files, objects, and programs on the server
hosts file system, including the assume user program, change password program, and log file.
You access the Locations page by selecting the Locations tab on the Server Configuration Properties
page, as described in Adding or modifying Content Servers, page 55.

To view or modify locations:


1.

On the Locations page, you can click Select Location next to the file, object, or program, to change
the location, as described in Table 8, page 66.
The Choose a location page appears.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

65

Managing Content Servers

2.

Select a Location and File System Path, then click OK.

3.

Do one of the following:


If you are creating a new server configuration object, click Next to configure far stores.
If you are modifying an existing server configuration object, click OK to save your changes or
click another tab to make additional changes. To enable the changes, reinitialize the server.
Restarting the server is not required.

Table 8. Locations page properties

Field label

Value

Assume User

The location of the directory containing the assume user


program. The default is assume_user.

Change Password

The location of the directory containing the change password


program. The default is change_password.

Common

The location of the common directory. The default is common.

Events

The location of the events directory. The default is events.

Log

The location of the logs directory. The default is temp.

Nls

The location of the NLS directory. The default is a single blank.

Secure Writer

The location of the directory containing the secure writer


program. The default is secure_common_area_writer.

System Converter

The location of the directory containing the convert.tbl file


and the system-supplied transformation scripts. There is no
default for this field.

Temp

The location of the temp directory.

User Converter

The full path for the user-defined transformation scripts. The


default is convert.

User Validation

The full path to the user validation program. The default is


validate_user.

Verity

5.3 and later repositories, contains a dummy value for


compatibility with Webtop 5.2.x. The default value is
verity_location.

Signature Check

The location of the directory that contains the signature


validation program. The default is validate_signature.

Authentication Plugin

The location of an authentication plug-in, if used. The default


is auth_plugin in $Documentum/dba/auth.

Creating or modifying far stores


In a distributed content environment, a far store is a storage area remote or inaccessible from the
current Content Server, in which the server cannot store content. For more information on distributed
content environments, refer to the Distributed Configuration Guide.

66

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

You access the Far Store page by selecting the Locations tab on the Server Configuration Properties
page, as described in Adding or modifying Content Servers, page 55.

To add or remove a far store:


1.

On the Far Stores page, you can:


Click Add to add one or more far stores. The Choose a storage page appears.
Delete an existing far stores by selecting the far store, then click Remove.

2.

To add one or more far stores on the Choose a storage page, select one or more far stores in the
left column and click

The far stores move to the right-hand column.


3.

Click OK to save your changes.

4.

Click OK to save the changes. To enable the changes, reinitialize the server. Restarting the
server is not required.

Viewing server and connection broker log files


The server log file records server activities. Server logs provide valuable information for
troubleshooting server or repository problems.
Connection broker logs record information about connection brokers, which provide connection
information to clients.
Note: If you are connected to a secondary server, you see only the server and connection broker logs
for that server.

To view server or connection broker logs:


1.

Navigate to Administration > Basic Configuration > Content Servers.

2.

Select the server configuration object of the server whose log you want to view.

3.

Do one of the following:


Select View > Server Log, select the log to view, then click View Log.
The server log is displayed.
Select View > Connection broker Log, select the log to view, then click View Log.
The connection broker log is displayed.

To delete server log files, run the Log Purge tool. For more information about the tool, refer to
Log purge (dm_LogPurge), page 350.

Deleting a server configuration object


Do not delete the CURRENT version of the server configuration object of an active server. You can
safely delete the CURRENT version of the server configuration object of a server that is shut down, or

EMC Documentum Content Server Administration and Configuration 6.7 Guide

67

Managing Content Servers

old configuration object versions of an active server. To display old versions of server configuration
objects, select the All Versions filter from the list box on the server configuration object page.

To delete a server configuration object:


1.

Navigate to Administration > Basic Configuration > Content Servers.


The Server Configuration list page appears.

2.

Select the server configuration objects to delete.

3.

Select File > Delete.


The Delete Object page appears.

4.

Click OK to delete the server configuration objects or Cancel to leave the server configuration
objects in the repository.
The Server Configuration list page appears.

Configuring a server as a process engine


If the Business Process Manager (BPM) application is installed in a repository and you have a license
for process engines, you can configure a server as a process engine.

To configure a server as a process engine:


1.

Connect to the repository where you want to configure a server as a process engine.

2.

Navigate to Administration > Basic Configuration > Content Servers.

3.

Select a server.

4.

Select Tools > Configure Process Engine.

5.

Type the license key and click OK.


The system displays a confirmation page.

6.

Click OK or Cancel.
The server is now able to run workflows.

Note: Documentum Administrator does not provide an interface for disabling the process
engine server. The server can only be disabled by deleting the server instance in the
/System/Workflow/Process Engine folder. For more information, refer to Disabling a process engine
server, page 68.

Disabling a process engine server


Use these instructions to disable a server as a process engine.

To disable a server as a process engine:


1.

Using any client, connect to the repository whose server you are disabling as a process engine.

2.

Navigate to the /System/Workflow/Process Engine folder.

68

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

3.

Ensure that all objects in the folder are displayed.


For example, in Documentum Administrator or Webtop, select Show All Objects and Versions
from the list box.

4.

Delete the object corresponding to the name of the server that is configured as a process engine.

Internationalization
During Content Server installation, the installation procedure determines the locale of the host
machine and sets the Content Server locale accordingly. The supported locales are:
English
Chinese
French
German
Italian
Japanese
Korean
Portuguese
Russian
Spanish
Swedish
The procedure also uses the locale of the host machine as the basis for setting some other configuration
parameters that define the expected code page for clients and the host machines operating system, as
described in Table 9, page 69 .
Table 9. Locale-based configuration settings by host machine locale

Host machine
locale

Parameter
locale_name

default_client_codepage

server_os_codepage

English

en

ISO-8859-1

ISO-8859-1

Chinese

zh

MS936

MS936

French

fr

ISO-8859-1

ISO-8859-1

German

de

ISO-8859-1

ISO-8859-1

Italian

it

ISO-8859-1

ISO-8859-1

Japanese

ja

Shift_JIS

On Windows: Shift_JIS
On UNIX: EUC-JP

Korean

ko

EUC-KR

EUC-KR

Portuguese

pt

Windows-1252

Windows-1252

EMC Documentum Content Server Administration and Configuration 6.7 Guide

69

Managing Content Servers

Host machine
locale

Parameter
locale_name

default_client_codepage

server_os_codepage

Russian

ru

Windows-1251

Windows-1251

Spanish

es

ISO-8859-1

ISO-8859-1

Swedish

sv

ISO-8859-1

ISO-8859-1

The Content Server uses the UTF-8 code page. If the server_codepage key is set in the server.ini
file, it must be set to UTF-8. While Documentum requires Unicode UTF-8 for the Content Server
internal code page, the database (RDBMS) and operating system of the server host machine could
use non-Unicode code pages.
On clients, the Shift_JIS code page supports the NEC extensions.

The server.ini file


The server configuration is defined by the server.ini file and the server configuration object. The
server installation procedure creates both files automatically and the files are called when the server
is started.
The properties in the server configuration object provide operating parameters and a map to the files
and directories that the server can access. At startup, a Content Server always reads the CURRENT
version of server configuration object.
The server.ini file contains information you provide during the installation process, including the
repository name and the repository ID. That information allows the server to access the repository and
contact the RDBMS server. The server.ini file also contains the name of the server configuration object.
You can use Documentum Administrator to modify the server configuration object, as described in
Adding or modifying Content Servers, page 55. However, the server configuration object pages in
Documentum Administrator do not contain all of the default and optional properties that are defined
in the server.ini file. Some those properties can only be modified in the server.ini file using the
Content Server Manager. Typically, only the installation owner can modify the server.ini file.

Modifying the server.ini file


The server.ini file contains configuration information for the server. The file is stored in the
%DOCUMENTUM%\dba\config\repository directory ($DOCUMENTUM/dba/config/repository) and
is called when the server is started.
The server.ini file has the following format:
[SERVER_STARTUP]
key=value
[DOCBROKER_PROJECTION_TARGET]
key=value
[DOCBROKER_PROJECTION_TARGET_n] #n can be 0-49

70

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

key=value
[FUNCTION_SPECIFIC_STORAGE] #Oracle & DB2 only
key=value
[TYPE_SPECIFIC_STORAGE]
key=value

#Oracle & DB2 only

[FUNCTION_EXTENT_SIZE]
key=value

#Oracle only

[TYPE_EXTENT_SIZE]
key=value

#Oracle only

Only the [SERVER_STARTUP] section is required. The other sections are optional.
Changes to the server.ini file take effect only after the server is stopped and restarted.
Note: To receive a verbose description of the server.ini file, type the following command at the
operating system prompt:
documentum -h

If you want to add a comment to the file, use a semicolon (;) as the comment character.
To change the server.ini file, you must have appropriate access privileges for the
%DOCUMENTUM%\dba\config\repository ($DOCUMENTUM/dba/config/repository) directory in
which the file resides. Typically, only the installation owner can access this directory.

To modify the server.ini file:


1.

Open the server.ini file:


On UNIX, use the text editor of your choice.
On Windows:
a.

Navigate to Start > Programs > Documentum > Documentum Server Manager.

b. Select the Repository tab.


c.

Select the repository associated with the server.ini file.

d. Click Edit Server.ini.


2.

Edit the properties that you want to change.

3.

Save the file.

4.

Stop and restart the server to make the changes take effect.

SERVER_STARTUP section keys


The keys in the [SERVER_STARTUP] section provide repository and the database access information
as well as default operating parameters. The default and optional keys can be modified using
Documentum Server Manager.
Table 10, page 72, describes the keys in the server startup section in alphabetical order.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

71

Managing Content Servers

Table 10. Keys in the SERVER_STARTUP section

Key

Data type

Description

acl_update_threshold

integer

Optional key. Improves performance when


the dm_world permission in an ACL is
updated.
If the key is not specified, Content Server
updates the entire dmr_content object type
table. If the key value is larger than the
number of affected rows, only the affected
rows are updated. Otherwise, Content
Server updates the entire table.

check_user_interval

integer

Optional key. The interval, in seconds, in


which Content Server checks the login status
of a user. The default value is 0, meaning
that the status is only checked when the
user logs in.

client_session_timeout

integer

Optional key. Specifies, in minutes, how


long the server waits for a communication
from a client session before disconnecting
the session.
The default value is 5 minutes.

commit_read_operations

Boolean

Optional key. Specifies whether an


explicit commit call is performed after each
read-only repository operation is completed.
The default is TRUE, meaning a commit
is issued after each read-only repository
operation, with two exceptions:
When the operation is part of a
multi-statement transaction, the commit
must be issued by the caller.
When a collection is open, the commit is
issued when the last collection is closed.

concurrent_sessions

integer

Optional key. Specifies the number of


connections the Content Server can handle
concurrently. The default is 100. For more
information, refer to concurrent_sessions,
page 81.

data_store

string

Optional key for DB2 databases only.


The key specifies the tablespace in which
the repository tables are stored. For
more information, refer to data_store and
index_store , page 82.

72

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Data type

Description

database_conn

string

The database connection string, which is


used by the server to connect with the
RDBMS server. This key is specified during
Content Server installation and is only
required for Oracle and DB2 databases.

database_name

string

The tablespace or database in the RDBMS.


This key is specified during Content Server
installation and only required by Sybase
and MS SQL Server databases.

database_owner

string

The RDBMS login name of the repository


owner. This key is specified during Content
Server installation

database_password_file

string

The name of the file that contains database


passwords.

deferred_update_queue_size

integer

Optional key. Controls the size of the


deferred object update record queue. The
default queue size is 1000, the valid range
for this parameter is 256 to 4096.
Increase the queue size, ff repository
operations generate a large number of
deferred object updates. If the queue fills
up, the deferred updates are performed
immediately, which can impact application
performance.

distinct_query_results

Boolean

Optional key. Specifies whether duplicate


rows are included in query results. Valid
values are:
FALSE: The default value. Duplicate
rows are included in query results.
TRUE: Only distinct rows are returned
in query results.
The NOFTDQL hint returns only unique
results. If the identical query is executed
in FTDQL, the key is ignored and
all results of the query are returned,
including duplicate results.

docbase_id

integer

The repository ID. The repository ID


must be unique among all the repositories
installed on the system. This key is specified
during Content Server installation.

docbase_name

string

The repository name. This key is specified


during Content Server installation.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

73

Managing Content Servers

Key

Data type

Description

enforce_four_digit_year

Boolean

Optional key. Specifies whether Content


Server displays dates using four digits.
Valid values are:
TRUE: The default value. Content Server
displays the year date using four digits if
the user does not specify a date format.
FALSE: Content Server does not display
the year in four digits by default.

gethostbyaddr

Boolean

Optional key. Specifies whether the Content


Server calls the gethostbyaddr() function
during connection requests to obtain the
host name of the machine on which a client
application resides. Valid values are:
TRUE: The default value. Content Server
uses the gethostbyaddr() function to
obtain the host name.
FALSE: Content Server skips the
gethostbyaddr () calls during connection
requests and uses host addresses instead.
If a large number of client machines do not
have names, set the key to FALSE to skip to
achieve better performance.

history_cuttoff

integer

Optional key. Specifies a cut-off time


for historical sessions in minutes. For
example, if the history_cutoff value is 15,
the server does not return any historical
session older than 15 minutes, even if the
maximum number of sessions defined in
history_sessions has not been reached.
The default for history_cutoff value is 240
minutes.

history_sessions

74

integer

Optional key. Specifies the number of


maximum timed-out sessions returned by
the SHOW_SESSIONS function. Use the
apply method or the EXECUTE statement
to run SHOW_SESSIONS. For more
information, refer to the DQL Reference
Manual.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Data type

Description

host

string

The IP address on which the server listens.


The host key value is specified during
Content Server installation.
Some host machines have multiple network
cards. If you want Content Server to use
a particular network card on the host
machine, specify the IP address of the card
in this key before starting the server.

ignore_client_domain

Boolean

Optional key. Specifies whether the Content


Server ignores the domain passed by the
client during a connection request. Valid
values are:
TRUE: The Content Server ignores the
client domain and uses the domain
specified in user_auth_target attribute for
all user authentications.
FALSE: The default value. The Content
Server uses the client domain passed in a
connection request.

index_store

string

Optional key. Specifies the tablespace in


which the type index tables are stored. This
key is only used for DB2 databases. For
more information, refer to data_store and
index_store , page 82.

install_owner

string

This key is not used. The value in the server


config object is used instead.

ip_mode

string

Optional key. Specifies whether Content


Server supports IP addresses in IPv6 format.
Valid values are
DUALSTACK: The default value.
Content Server accepts both, IPv4 and
IPv6 addresses.
V4ONLY: Content Server only accepts
IPv4 addresses.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

75

Managing Content Servers

Key

Data type

Description

listener_queue_length

integer

Optional key. Specifies the queue for


connection requests. This key is only used
on Windows platforms.
Content Server creates a socket listener for
incoming connection requests. By default,
the maximum backlog queue value is 200.
The key must be a positive integer value.
Content Server passes the specified value to
the listen () Windows Sockets call.

mail_notification

Boolean

Optional key. Specifies whether email


messages are sent when a work item or an
event is queued. Valid values are
TRUE: The default value. Email messages
are sent.
FALSE: Users are not notified.

max_nqa_string

integer

Optional key. Defines the maximum length


of a non-qualifiable string property, in bytes.
The default is 2000.
If the key is not specified, the default is the
maximum length allowed by the underlying
relational database.

max_ftacl_cache_size

integer

Optional key. Limits the number of


elements cached per session to process
FTDQL-compliant full-text queries. Content
Server caches ACL information on objects
to evaluate security on the results returned
by full-text queries.
The default value is -1 (no limit). If the value
is 0, no security information is cached. The
key can have any integer value greater than
-1. However, It is recommended that you do
not change the default value.

max_session_heap_size

76

integer

Optional key. Specifies, in bytes, how much


memory a session can use. The default value
is -1, which means that the heap grows
as necessary to whatever size the server
machine resources allow, up to the server
addressing memory limit of 2 GByte.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Data type

Description

max_storage_info_count

integer

Optional key. Defines the maximum


number of storage areas for which Content
Server maintains information in shared
memory. The default is 100. Valid values
are positive integers from 100 to 65535.
The value does not limit the number of
storage areas. For example, if the key value
is 150, it is possible to create additional
storage areas, but information for the
additional storage areas is not maintained
in memory. In a multiserver environment,
all Content Servers must use the same
max_storage_info_count value.

method_server_enabled

Boolean

Optional key. Specifies whether the Content


Server or the Java method server is used to
execute dm_method objects. Valid values
are:
TRUE: The default value. The Java
method server executes dm_method
objects that are configured to run on the
Java method server. If the methods are
not configured correctly, Content Server
executes the method instead.
FALSE: Content Server executes
dm_method objects.

method_server_threads

integer

Optional key. Specifies the maximum


number of method server worker processes
that are available to execute method objects.
The default (and minimum) value is 5. The
maximum value for this key is the value set
in the concurrent_sessions property of the
server config object.
The method_server_threads values are for
the dmbasic method server only and do not
have any impact on the Java method server.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

77

Managing Content Servers

Key

Data type

Description

owner_xpermit_default

string

Optional key. Specifies whether object


owners are assigned extended permissions
for an object by default or have the
permissions that are explicitly assigned to
the them. Valid values are:
ACL: Object owners have only the
extended permissions that are assigned
explicitly and are not granted extended
permissions by default. The key value is
case-sensitive and must be specified in
capital letters.
If no value is assigned to the key,
object owners are assigned all extended
permissions by default.

preserve_existing_types

Boolean

Optional key. Specifies whether Content


Server queries the RDBMS at startup to
determine if the object type tables are
present for all defined object types. Valid
values are:
TRUE: The default value. Content server
preserves existing types and does not
dynamically destroy and recreate object
type tables for types that are reported
missing by the RDBMS.
FALSE: Content Server dynamically
destroys and recreates object type tables
for types that are reported missing by the
RDBMS.

rdbms_connect_retry_timeout

integer

Optional key. Specifies how long the server


tries to connect to the RDBMS. The server
attempts to connect every 30 seconds until it
is successful or the time-out limit is reached.
The default timeout value is 5 minutes.

saveasnew_retain_source_group

Boolean

Optional key. Specifies which default group


is assigned to a new object created by a
IDfSysObject.saveAsNew method. Valid
values are:
TRUE: The new object is assigned to the
default group of the original (source)
object.
FALSE: The default value. The new object
is assigned to the default group of the
user who issues the saveAsNew method.

78

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Data type

Description

server_codepage

string

UTF-8 is the only allowed value

server_config_name

string

Specifies which server config object is used


to start Content Server. The Content Server
installation procedure assigns the name of
the repository to the server config object
generated for the server.
The default value is the name of the
repository.

server_login_ticket_version

integer

Specifies the format of the generated login


ticket, for backwards compatibility.

server_startup_sleep_time

integer

Specifies the amount of time, in seconds,


that Content Server waits before trying
to connect to the RDBMS. The time delay
allows the underlying RDBMS to start
before Content Server attempts to connect.
The default value is 0.

service

string

The TCP/IP service name for the Content


Server. This key is configured during
Content Server installation. The value is
the service name that appears in services
file of the Content Server host machine. If
a repository has multiple Content Servers,
this name must be unique for each Content
Server.

start_index_agents

Boolean

Specifies whether Content Server starts


configured index agent instances at Content
Server startup.
The default value is TRUE.

ticket_multiplier

integer

Specifies the number of login tickets with


server scope allocated in shared memory.
The number of tickets allocated by the
server is computed as follows:
#tickets = concurrent_sessions *
ticket_multiplier
The default value is 10.

umask

string(4)

Optional key. Modifies the default


operating system permissions assigned
to public directories and files created by
Content Server in the server or repository
installation on UNIX platforms only. For
more information, refer to umask, page 83.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

79

Managing Content Servers

Key

Data type

Description

update_access_date

Boolean

Specifies whether the r_access_date


property is updated in the deferred update
process. Valid values are:
TRUE: The default value. Content Server
updates the r_access_date property as
part of the deferred update process.
FALSE: Content Server does not update
the r_access_date property.

upd_last_chg_time_from_db

Boolean

Optional key. Specifies that all Content


Servers in a clustered environment have
timely access to all changes in group
membership. Valid values are:
TRUE: Should only be used for
environments with multiple Content
Servers. The value should be set to TRUE
for all running Content Servers.
FALSE: The default value.

use_estimate_search

Boolean

Specifies whether users can execute the


ESTIMATE_SEARCH administration
method. The administration method is used
to fine-tune SEARCH conditions for queries.
Valid values are:
TRUE: The default value. Users can
execute the method.
FALSE: The method does not execute.

use_group_address

integer

Specifies who receives email notifications


when an event is queued to a group. Valid
values are:
0: The default value. Content Server send
email to each group member.
1: Content Server sends email to the
groups address . If the group has no email
address, the server sends notifications to
each group member.
2: Content Server sends email to each
group member and to the group address.

80

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Data type

Description

user_auth_case

string

Specifies the case Content Server converts


the user name of the client before
authenticating the user. Valid values are:
upper: The user name is converted to
upper case.
lower: The user name is converted to
lower case.
NULL: The default value. The name is
authenticated using the case in which it
was entered by the user.

user_auth_target

string

Specifies the domain or default LDAP server


that Content Server uses to authenticate
client user names and passwords on
Windows platforms only.
The default is the domain in which the
server resides.

validate_database_user

Boolean

Specifies whether Content Server


validates that the user identified in the
database_owner key in the server.ini file has
a valid operating system user account. Valid
values are:
TRUE: The default value. Content Server
validates the operating system user
account.
FALSE: Content Server does not validate
the operating system user account.

wait_for_connect_timeout

integer

Specifies how long Content Server waits


for a connection request before starting
to process other work, such as deferred
updates.
The default value is 10 seconds.

concurrent_sessions
The concurrent_sessions key controls the number of connections the server can handle concurrently.
This number must take into account not only the number of users who are using the repository

EMC Documentum Content Server Administration and Configuration 6.7 Guide

81

Managing Content Servers

concurrently, but also the operations those users are executing. Some operations require a separate
connection to complete the operation. For example:
Issuing an IDfQuery.execute method with the readquery flag set to FALSE causes an internal
connection request.
Executing an apply method or an EXECUTE DQL statement starts another connection.
When the agent exec executes a job, it generally requires two additional connections.
Issuing a full-text query requires an additional connection.
The default value is 100. Consider the number of active concurrent users you expect, the operations
they are performing, and the number of methods or jobs you execute regularly, and then modify
this value accordingly.
The maximum number of concurrent sessions is dependent on the operating system of the server
host machine. The limit is:
1022 for Solaris and AIX platforms
1637 for HP-UX
3275 for Windows systems
1020 for Linux systems

database_refresh_interval
The database_refresh_interval key defines how often the main server thread (parent server) reads the
repository to refresh its global caches. You can raise this value but it cannot be lowered.
The default value is 1 minute.

data_store and index_store


The data_store and index_store keys are used only by installations running on DB2. The data_store
key identifies the tablespace in which the repository tables are to be stored. The index_store key
identifies the tablespace in which the type index tables are to be stored.
By default, these keys are set to the default tablespace of the user performing the repository
configuration. You can change the default during repository configuration if you use the custom
configuration option to configure the repository. The behavior when you set these keys is as follows:
If you set data_store and do not set index_store, the system creates both the object type tables
and the index tables in the tablespace defined by data_store.
If you set index_store and do not set data_store, the system creates the indexes in the tablespace
defined by index_store and creates the object type tables in the users default tablespace.
If you set both keys, the system creates the object type tables in the tablespace specified in
data_store and the indexes in the tablespace specified in index_store.
Note: On DB2, you cannot move indexes after the index tables are created.

82

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

If you uninstall a DB2 repository with separate tablespaces for the object type and index tables, the
procedure does not destroy the tablespaces, nor does it destroy all the repository tables. It destroys
only the following repository tables:
dmi_vstamp
dmi_object
dmi_object_type

umask
On UNIX platforms, permissions can be expressed as a 3-digit octal number, representing the
permission level for the owner, group owner, and others. For example, a file created with permissions
700 grants the owner read, write and execute permission, but the group owner and others get
no permissions at all. Permissions of 644 grants the owner read and write permission, but the
group owner and others only have read permission. Similarly, 640 gives the owner read and write
permission, the group owner read only permission and others get no permissions.
The umask is also expressed as an octal number and is used to further restrict (or mask) the
permissions when a directory or file is created. For example, if the requested permissions are 766
and the umask is 22, the actual permissions applied is 744. A bit set in the umask turns off the
corresponding bit in the requested permissions.
Content Server uses a umask key in the server.ini file that is separate from the UNIX per-process
umask, but applies it in a similar fashion. The Content Server internally refers to permissions
with the symbolic names dmOSFSAP_Public, dmOSFSAP_Private, dmOSFSAP_Public ReadOnly,
dmOSFSAP_PrivateReadOnly, and dmOSFSAP_PublicOpen. Table 11, page 83 describes the
associated permission values.
Table 11. Content Server directory and file permissions on UNIX platforms

Permission Name

Directory Value

File Value

dmOSFSAP_Public

755

644

dmOSFSAP_Private

700

600

dmOSFSAP_Public ReadOnly

555

444

dmOSFSAP_PrivateReadOnly

500

400

dmOSFSAP_PublicOpen

777

666

Note: The umask in the server.ini configuration file only modifies the values for the
dmOSFSAP_PublicOpen permissions. If the umask is not specified in the server.ini file, the default
setting for the dmOSFSAP_PublicOpen permissions is 777 for directories and 666 for files. Any
directories or files that are publicly accessible outside the Content Server are created using this
permission.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

83

Managing Content Servers

DOCBROKER_PROJECTION_TARGET section keys


The [DOCBROKER_PROJECTION_TARGET] and [DOCBROKER_PROJECTION_TARGET_n]
sections define the connection brokers to which Content Server sends connection information. The
Content Server installation procedure creates one [DOCBROKER_PROJECTION_TARGET] section
in the server.ini file, which contains access information the first broadcast to a connection broker.
For the first broadcast, the connection broker name provided during the installation is used as the
host key. The proximity key is assigned 1, the default value. When the Content Server is started at
the end of the installation procedure, it projects the connection information to the connection broker
specified in the host key.
Connection broker projection targets are also defined in a set of properties in the server config object.
We recommend to use the server config properties to define additional projection targets, instead
of the server.ini file. Modifying the server config object allows changing a target without restarting
Content Server. If the same projection target is defined in both the server config properties and in the
server.ini file, Content Server uses the values for the target in the server config properties.
The [DOCBROKER_PROJECTION_TARGET] section defines the first projection target. To define
additional targets, use [DOCBROKER_PROJECTION_TARGET_n] sections. The n can be any
integer from 0 to 49.
Table 12, page 84 describes the keys.
Table 12. Server.ini DOCBROKER_PROJECTION_TARGET keys

Key

Datatype

Comments

host

string

Name of connection broker host

port

integer

Port number used by the connection broker

proximity

integer

User-defined value that represents distance of


server from connection broker

FUNCTION_SPECIFIC_STORAGE and TYPE_SPECIFIC_


STORAGE sections
The [FUNCTION_SPECIFIC_STORAGE] and [TYPE_SPECIFIC_STORAGE] sections in the server.ini
file define which tablespace or device stores the RDBMS tables and indexes for object types. These
sections are available only for Oracle and DB2, and must be defined during the Content Server
installation procedure. For information about these sections, refer to the Content Server Installation
Guide.
Table 13, page 84 lists the keys for the FUNCTION_SPECIFIC_STORAGE section.
Table 13. Server.ini FUNCTION_SPECIFIC_STORAGE keys

Key

Datatype

Description

database_table_large

string

The name of a tablespace.

database_table_small

string

The name of a tablespace.

84

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Key

Datatype

Description

database_index_large

string

The name of a tablespace.

database_index_small

string

The name of a tablespace.

Table 14, page 85 describes the keys for the TYPE_SPECIFIC_STORAGE section.
Table 14. Server.ini TYPE_SPECIFIC_STORAGE keys

Key

Datatype

Description

database_table_typename

string

The name of a tablespace, where typename


is the name of the object type.

database_index_typename

string

The name of a tablespace, where typename


is the name of the object type.

FUNCTION_EXTENT_SIZE and TYPE_EXTENT_SIZE


sections
The [FUNCTION_EXTENT_SIZE] and [TYPE_EXTENT_SIZE] sections specify how much space is
allocated in the RDBMS for the object type tables. They are available only for Oracle and must be
defined when the repository is installed. For information about these sections, refer to the Content
Server Installation Guide.
Table 15, page 85, lists the keys for the FUNCTION_EXTENT_SIZE section.
Table 15. Server.ini FUNCTION_EXTENT_SIZE keys

Key

Datatype

Description

database_ini_ext_large

integer

Specifies the size of the initial extent


allotted by default to object types
categorized as large.

database_ini_ext_small

integer

Specifies the size of the initial extent


allotted by default to object types
categorized as small.

database_ini_ext_default

integer

Specifies the size of the initial extent


allotted by default to object types
categorized as default.

database_next_ext_large

integer

Specifies the size of the second extent


allotted by default to object types
categorized as large.

database_next_ext_small

integer

Specifies the size of the second extent


allotted by default to object types
categorized as small.

database_next_ext_default

integer

Specifies the size of the second extent


allotted by default to object types
categorized as default.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

85

Managing Content Servers

Table 16, page 86, lists the keys for the TYPE_EXTENT_SIZE section.
Table 16. Server.ini TYPE_EXTENT_SIZE keys

Key

Datatype

Comments

database_ini_ext_typename

integer

Replace typename with the name of the


object type.

database_next_ext_typename

integer

Replace typename with the name of the


object type.

Managing additional Content Servers


A repository can have more than one Content Server. For information about adding Content Servers
to a repository, refer to Adding or modifying Content Servers, page 55.
Additional Content Servers serving a single repository require:
Unique service names
The service name for each server must be unique within the network connecting the machines
and that service name must be referenced in the service property of the server.ini file invoked for
the server.
The same trust level
Servers servicing one repository must be all non-trusted servers or all trusted servers. It is not
possible to have trusted and non-trusted servers servicing one repository.
Individual server configuration objects and server.ini files
On a Windows host, each server must have its own server config object and server.ini file.
On a UNIX host, each server must have its own server config object and server.ini file, and start
up script.
On Windows hosts:
The primary installation account must be in the domain administrators group. The program
SC.EXE must be installed in %SystemRoot%\System32\SC.EXE. SC.EXE is available on the
Windows SDK CD. It is used to create and start services for Documentum servers.
On UNIX hosts:
The installation account of the primary host must have sufficient privilege to execute remsh
commands.
The primary host must be able to resolve target machine names through the /etc/hosts file or
DNS.
Each target machine must be able to resolve the primary host name through the /etc/hosts
file or DNS.
For information about starting additional servers, refer to the Content Server Installation Guide.

86

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Server load balancing and failover


When an installation has a large number of users or there is a lot of activity in the repository, multiple
Content Servers can be used to balance the load. Starting multiple servers also allows graceful
failover if a particular server stops for any reason.
The Content Servers used for load balancing must project identical proximity values to the connection
broker. If the servers have identical proximity values, clients pick one of the servers randomly. If the
proximity values are different, clients always choose the server with the lowest proximity value.
Sessions cannot fail over to a Content Server with a proximity of 9000 or greater. Content Servers
with a proximity of 9000 or higher are called content-file servers. Remote Content Servers installed
at remote, distributed sites are configured as content-file servers by default. A client session
can only fail over to servers that are known to the connection broker used by that session. For a
proper failover, ensure that Content Servers project to the appropriate connection brokers and with
appropriate proximity values.
If a Content Server stops and additional servers are running against the repository with proximity
values less than 9000, the client library gracefully reconnects any disconnected sessions unless one
of the following exceptions occurs:
If the client application is processing a collection when the disconnection occurs, the collection is
closed and must be regenerated again when the connection is reestablished.
If there is ongoing transfer between the client and server, the content transfer must be restarted
from the beginning.
If the client had an open explicit transaction when the disconnection occurred, the transaction is
rolled back and must be restarted from the beginning.
If the original connection was started with a single-use login ticket or a login ticket scoped to the
original server, the session cannot be reconnected to a failover server because the login ticket
cannot be reused.

Shutting down a server


On Windows platforms, Documentum Server Manager can be used to shut down Content Server. On
UNIX, the dm_shutdown_repository script or the shutdown method shuts down Content Server. To
ensure that Content Server shuts down properly, the Java Method Server should be stopped first, then
stop the repository services and the connection broker.
You must have system administrator or superuser user privileges to stop a server.

Shutting down a server running on Windows


To shut down a server:
1.

Navigate to Start > Control Panel > Administrative Tools > Services. select the Java Method
Server, then click Stop.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

87

Managing Content Servers

2.

Navigate to Start > Programs > Documentum > Documentum Server Manager, click the
Repository tab, select the repository, then click Stop.

3.

Select the DocBroker tab, select the connection broker, then click Stop.
Caution: On Windows platforms, it is not recommended to use an IDfSession.shutdown method
to shut down the server. The method does not necessarily shut down all relevant processes.

Shutting down a server running on UNIX


On UNIX platforms, the dm_shutdown_repository script logs into the specified repository and issues a
shutdown request. The script waits 90 seconds before exiting. If the repository shuts down more
quickly, the script exits as soon as the server is down. This script is useful when you want to shut
down the server as part of a program or application, without human intervention.
You must run the script on the machine where the server resides. To invoke the script, issue the
command:
dm_shutdown_repository [-k]

where repository is the name of the repository. The -k flag instructs the script to issue an
operating-system kill command to stop the server if the shutdown request has not been completed in
90 seconds.

Creating a shut-down script


Use the instructions in this section to create a shut-down script for a Content Server running on a
UNIX host.

To create a script for a new server:


1.

Make a copy of an existing dm_shutdown_repository script and save the copy with a new name.
dm_shutdown_repository scripts are found in $DOCUMENTUM/dba.
For example:
% cd $DOCUMENTUM/dba
% cp dm_shutdown_engrrepository dm_shutdown_devrepository1

2.

In the new copy, edit the line immediately preceding shutdown,c,T by replacing repository
namewith repository_name.server_config_name.
The line you want to edit looks like this:
./iapi <repository name> -U$DM_DMADMIN_USER -P -e << EOF

Use the name of the server configuration object that you created for the server. For example:
./iapi devrepository2.server2 -U$DM_DMADMIN_USER -P -e << EOF

3.

88

Save the file.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

Clearing the server common area


Use the procedures in this section to remove files that are in the server common area.

To remove all files from the server common area:


1.

Stop Content Server.

2.

Do one of the following:


On Windows, edit the Content Server service to add -oclean to the end of the command line.
On UNIX, add the -oclean argument in the dm_start_repositoryname command line.

3.

Restart the server.

Managing the JBoss application server


The JBoss binary is bundled with the Content Server installation suite. The application server is
installed into the jboss<version> subdirectory of the Content Server installation directory. The default
the JBoss root directory is:
C:\documentum\jboss<version> on Windows platforms
$DOCUMENTUM_SHARED\jboss<version> on UNIX platforms
The Content Server installation creates a JBoss server instance in the <JBossRoot>\server\<instance
name> directory. For example, C:\documentum\jboss4.2.0\server\DctmServer_MethodServer.

Starting and stopping the JBoss application server


The JBoss application server is started automatically after a Content Server installation. However,
starting and stopping a Content Server does not automatically start or stop the JBoss application
server.
The application server hosts one or more Java applications or processes, such as the method server,
the Java Method Server, ACS server, and the DmMail application.

To start the application server:


On Windows platforms:
1.

Navigate to <JBossRoot>\server.

2.

Execute startMethodServer.cmd or start the Windows service for the server instance..
For the Java method server, and the server instance hosting the Java method server, the service
name is Documentum Java Method Server. Starting that service is equivalent to executing
startMethodServer.cmd.

On UNIX platforms
1.

Navigate to <JBossRoot>\server.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

89

Managing Content Servers

2.

Execute start MethodServer.sh.

Stopping the server stops all applications running within it.

To stop an instance server:


On Windows platforms:
1.

Navigate to <JBossRoot>\server.

2.

Execute stopMethodServer.cmd or stop the Windows service for the server instance.
For the Java method server, and the server instance hosting the Java method server, the service
name is Documentum Java Method Server. Stopping that service is equivalent to executing
stopMethodServer.cmd.

On UNIX platforms:
1.

Navigate to <JBossRoot>\server.

2.

Execute stopMethodServer.sh.

Server log files


Each Content Server maintains a log file. By default, the serverconfig_name.log log file is stored in the
%DOCUMENTUM%\dba\log directory, where serverconfig_name is the name of the Content Server
server config object. The default location is defined in the log location object that is referenced by the
log_location property in the server config object.
Both, the name and the location of the file can be modified using the -logfile parameter on the server
start-up command line. The server appends to the log file while the server is running. If the server
is stopped and restarted, the file is saved and another log file started. The saved log files have the
following format:
On Windows platforms: serverconfig_name.log.save.mm-dd-yy_hh.mi.ss
On UNIX platforms: serverconfig_name.log.save.mm.dd.yyyy.hh.mi.ss

The dm_error utility


The dm_error utility returns information about Content Server errors. The utility is run from the
command line:
dm_error <error_code>

Where error_code is the abbreviated text that describes the error. For example,
DM_SERVER_E_NO_MTHDSVR_BINARY.
The utility output of the displays the cause of the error and possible solutions, as described in the
following example:
[DM_SERVER_E_NO_MTHDSVR_BINARY]
"%s: Method server binary is not accessible."
CAUSE: The method server binary "mthdsvr" is not under
$DM_HOME/bin or it does not have the proper permission.

90

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Content Servers

ACTION: Make sure method server binary "mthdsvr" is under


$DM_HOME/bin and set execution permission for it.

Improving performance on Oracle and DB2


databases
The performance and throughput of Content Server depends to a certain extend on where the
repository content is stored in the underlying database. When a repository is created, the Content
Server creates object-type tables and indexes in the underlying RDBMS in the same tablespace by
default.
Oracle or DB2 can be partitioned to store data in different tablespaces. For example, frequently used
data could be stored in a designated tablespace. The size and number of the extents allotted for each
table are determined by default configuration parameters in the server.ini file.
For instructions, refer to the Content Server Installation Guide.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

91

Managing Content Servers

92

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 4
Managing Repositories

This chapter contains the following topics:


Repositories, page 93
Managing repositories, page 94
Repository content, page 102
Windows domain authentication for UNIX repositories, page 103
Type indexes, page 105
Date values, page 106
Repository maintenance, page 119
Moving or duplicating a repository, page 106

Repositories
Repositories are comprised of object type tables, type indexes, and content files. The type tables and
type indexes are tables in an underlying relational database. The content files are typically stored
in directories on local disks. Content files can also be stored in the database, in a retention storage
system such as EMC Centera or NetApp SnapLock, or on external storage devices.
A full-text index is associated with a particular repository or, in a consolidated deployment, with all
repositories indexed by a particular index server installation. Full-text indexes enable rapid searching
for designated values or strings in content files and property values.
Users access repositories through Content Servers. The Content Servers receive queries from clients
in the form of Documentum Foundation Classes (DFC) methods or Documentum Query Language
(DQL) statements and make the actual call to the underlying relational database management system
(RDBMS) or the file directories. Every repository must have at least one active Content Server. If a
repository does not have an active server, users cannot access that repository.
Information that about the repository is located in a server startup file. The startup file is executed
whenever the associated Content Server is started. The information in the startup file binds the
Content Server to the repository.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

93

Managing Repositories

Managing repositories
The repository is configured on the Administration > Basic Configuration > Repository page in
Documentum Administrator. A repository is represented by a docbase config object that defines
configuration parameters, such as the name of the underlying RDBMS, security levels for the
repository, and other operating configuration parameters.
Only users with superuser privileges can view or modify the docbase config object of a repository.
It is not possible to use Documentum Administrator to create additional repositories or delete an
existing repository. Adding another repository requires running the Content Server installer.
The Repository list page displays the following information:
Table 17. Information on Repository page

Basic Configuration

Description

Name

The name of the repository configuration object of the repository.

DBMS

The underlying database used for the repository.

Federation

The federation to which the repository belongs.

Effective Date

The effective date of the docbase configuration object. The effective date
is used to manage client query caches.

Viewing or modifying the repository configuration


You can modify some, but not all, of the repository configuration values. This section describes the
values that can be modified using Documentum Administrator.

To view or modify the repository configuration:


1.

Start Documentum Administrator and connect as a superuser to the repository you want to
modify.

2.

Navigate to Administration > Basic Configuration > Repository to access the Repository list
page.

3.

Select the repository name and then select View > Properties > Info.
The Repository Configuration Properties - Info page displays.

4.

Modify the values that you want to change, as described in Table 18, page 95.

5.

If you are running the repository on a UNIX host, you can enable Windows domain
authentication.

6.

Click the Synchronization tab to manage the repository synchronization with Documentum
Offline Client.
For more information, refer to Modifying repository synchronization, page 100.

7.

94

Click OK to accept the changes or Cancel to discard the modifications.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Table 18. Repository Configuration Properties

Field label

Value

Database

The name of the RDBMS vendor. Read-only.

Repository ID

The repository ID number assigned during installation.


Read-only.

Federation

Specifies if the repository is a member of a federation.


Read-only.

Security

The security mode of the repository. ACL and None are


valid values. None means repository security is disabled.
ACL means access control lists (permission sets) are enabled.
Read-only.

Index Store

The name of the tablespace or other storage area where type


indexes for the repository are stored.

Partitioned

Indicates whether the repository is partitioned. When a


repository is created or updated with partitioning enabled, the
Content Server sets the flag to True.
The Partitioned field is:
Not selectable or changeable.
Available only in 6.5 repositories.
Not available for DB2 or Sybase repositories.

Update Configuration Changes


Re-Initialize Server

Select to reinitialize the server to which you are connected.


This is necessary for changes to objects to take effect.

Configuration Changes
Folder Security

Specifies whether folder security is enabled. Select to enable


folder security. The server performs the permission checks
required by the repository security level and for some
operations, also checks and applies permissions on the folder
in which an object is stored or on the objects primary folder.

Rich Media

Specifies whether the server processes rich-media content.


This feature only works if Media Server is installed in the
repository. If you enable the Rich Media feature, you must
re-initialize the server for the changes to take effect.

Workflow Packages

Specifies whether the object names of workflow package


components are displayed. By default, the object names are
displayed. Select this option to not display the object names.

Data Dictionary Locales

Specifies the locale of the data dictionary. The default local is


en (English). Click Edit to configure a different locale. The
server must be reinitialized for any changes to be visible.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

95

Managing Repositories

Field label

Value

Oldest Client Version

Specifies which DFC version is used for chunked XML


documents. The value must be changed manually. If the field
is left blank, the DFC format is compatible with client versions
earlier than the current DFC version. If a particular DFC
version is specified, clients running an earlier DFC version
cannot access the chunked XML documents. Set the property
value to the client version number in the format XX.YY, where
X is the major version and Y is the minor version.

Modifications Comment

This field is optional. It can be used to add a comment about


any modifications made to the repository configuration.

Default Application Permit

The default user permission level for application-controlled


objects accessed through an application that does not own the
object. Valid values are:
2: Browse
3: Read
4: Relate
5: Version
6: Write
7: Delete
The default value is 3, Read permission.

Fulltext Install Locations

Specifies the Verity versions installed and their locations in


pre-5.3 repositories.

Content Storage Services Enabled

Specifies whether Content Storage Services were enabled


during Content Server installation. If the value is true, Content
Storage Services are enabled.

Minimum Owner Permission

Specifies the minimum permission for an object owner after all


ACL rules have been applied. The permission applies to the
entire repository. Valid values are:
Browse
Read
Relate
Version
Write
Delete
The default value is Browse.

96

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Field label

Value

Minimum Owner Extended


Permission

Specifies the minimum owner extended permissions for an


object owner after all ACL rules have been applied. One or
more extended permissions can be selected. By default, no
extended permission is selected. Valid values are:
Execute Procedure
Users with superuser privileges can change the owner of an
item and run external procedures on certain types.
Change Location
Allows the object owner to move the object in the repository.
Change State
Allows the object owner to change the state of a lifecycle
attached to the object.
Change Permission
Allows the object owner to modify the basic permissions
associated with the object.
Change Ownership
Allows the object owner to change the object owner.
Extended Delete
Allows the object owner to delete the object.
Change Folder Links
Allows the object owner to link or unlink the object to a
folder.

Authorization Settings
MAC Access Protocol

The file-sharing software type in use for Macintosh clients.


Valid values are:
None
NT
Ushare
Double
The default value is None.
If you change the value from NT, Ushare, or Double to None,
existing resource forks are no longer be accessible.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

97

Managing Repositories

Field label

Value
To change the value from or to NT, Ushare, or Double, you
must first change the value to None, save the configuration,
and then change it from None to the new value.

Authentication Protocol

Defines the authentication protocol used by the repository.


On Windows, if set to Domain Required, it indicates that
the repository is running in domain-required mode.
If a repository is running in domain-required mode, the
login domain value in the login ticket generated for a user
attempting to log in using an inline password defaults to
the domain of the superuser even if the user on the login
ticket belongs to a different domain. Users from a different
domain must specify the their login domain name when
logging into the repository.
If a repository is running in no-domain required mode,
users can login with only their user name and inline
password. It is also possible to prepend the user name with
a backslash (\). A backslash specifies an empty domain.
On UNIX platforms, choose between UNIX authentication
or Windows domain authentication.

Cached Query Effective Date

Used to manage the client query caches. The default is


NULLDATE.

Run Actions As

The user account that is used to run business policy (document


lifecycle) actions. Options are:
Session User (default)
Superuser
Lifecycle Owner
Named User
If selected, click the Select User link to access the Choose
a user page to select a user.

Login Tickets

Specifies that all other repositories are trusted and login tickets
from all repositories are accepted by the current repository.
If selected, Allow login tickets from repositories is not
displayed.

Allow login tickets from


repositories

This field is only displayed if Allow all login tickets is not


selected.
Click Select to access the Choose Repositories page to
designate repositories whose login tickets are permitted in the
current repository (the trusted repositories).

98

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Field label

Value

Designate Login Ticket Expiration

Specifies the earliest possible creation date for valid login


tickets. Tickets issued before the designated date are not valid
in the current repository. Select one of the following:
Null date: Specifies that there is no cutoff date for login
tickets in the current repository. This is the default value.
Expire login tickets on the following date and time:
Specifies the earliest possible creation date for valid login
tickets. Use the calendar control to choose the correct date
and time.
Login tickets created before that time and date cannot be
used to establish a connection. Currently connected users
are not affected by setting the time and date.

Maximum Authentication
Attempts

The number of times user authentication can fail for a user


before that user is disabled in the repository. Authentication
attempts are counted for logins and API methods requiring
the server to validate user credentials, including the
Changepassword, Authenticate, Signoff, Assume, and Connect
methods.
By default, the installation owners account is not subject
to the failure threshold and is not disabled when it reaches
the maximum number of attempts. You can modify the
installation owner account from the User pages.
A value of zero (0) means that the feature is not enabled.
Requires the server to be reinitialized for changes to take effect.

LDAP Synchronization
On-Demand

Used to synchronize LDAP directory users with the repository


between scheduled runs of the LDAP synchronization job:
When cleared, LDAP directory users who do not exist in
the repository cannot log in.
When selected, if an LDAP directory user attempts to log in
and is found not to exist in the repository, Content Server
searches all active directory connections for the user. If the
user is found and can be authenticated, the user is created
in the repository.

Privileged Clients

Boolean. If selected, indicates that the repository is accessible


to privileged clients only.
This checkbox is only available if a DFC client exists in the
repository and is approved to perform privilege escalations.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

99

Managing Repositories

Modifying repository synchronization


The synchronization options control the behavior of Documentum Offline Client.

To modify the synchronization settings for a repository:


1.

Connect as a superuser to the repository for which you want to modify synchronization with
Documentum Offline Client.

2.

Navigate to Administration > Basic Configuration > Repository to access the Repository list
page.

3.

Select the repository name, then select View > Properties > Info.
The Repository Configuration Properties - Info page appears.

4.

Click the Synchronization tab.


The Repository Configuration Properties - Synchronization page appears.

5.

Modify the values, as described in Table 19, page 100.

6.

Click OK to accept the changes.

Table 19. Synchronization properties

Field label

Value

Synchronization Settings

For repositories where Offline Client is enabled. Options are:


None: no content synchronization to local machine.
No content is synchronized to the local machine. This is the
default setting for a repository.
Basic: 1-way download to local machine as read only.
Content is downloaded to the local machine and marked
read-only. No content is uploaded from the local machine.
Role-Based: assign sync permissions to specific repository
roles.
Synchronization permissions are based on specific user
roles. Synchronization is enabled and users can download
content. Whether content can be uploaded depends on a
particular users role. If selected, you must designate the
synchronization roles and check-in settings.

100

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Field label

Value

Synchronization Role

If you selected role-based synchronization where Offline


Client is enabled, you must designate the roles. Click the
Select users/groups for offline upload link to access the Chose
a user/group page to select users who you want to use offline
upload.

Check In Settings

Select to use the client dialog or the users local settings to


check content into the repository. Options are:
Always Use client dialog to check in content
Use Users local check in setting

Enabling a repository as a global registry


Enabling a repository as a global registry after configuration, requires activating the dm_bof_registry
user. The global registry and user credentials can also be configured in the dfc.properties file.

To enable a repository as a global registry:


1.

Open Documentum Administrator and connect to the repository.

2.

Navigate to Administration > User Management > Users.

3.

Locate the dm_bof_registry user and select View > Properties > Info to access the User Properties
page.

4.

Verify that the Name value is dm_bof_registry.


The dm_bof_registry Name value is required, but you have the option to change the User Login
Name value, if desired.

5.

Change the password.

6.

Activate the user by selecting Active from the State drop-down list.

7.

Click OK to save your changes.

During the DFC installation on client machines, such as the Webtop or Documentum Administrator
hosts, provide the user login name and password for the dm_bof_registry user. This action updates
the dfc.properties file and enables the DFC installation to contact the global registry.

To modify the dfc.properties file manually:


1.

On the DFC host, navigate to $DOCUMENTUM/config (UNIX or Linux) or


%DOCUMENTUM%\config (Windows).

2.

From a command prompt, execute the following command to generate the encrypted form of
the global registry users password:
java -cp dfc.jar com.documentum.fc.tools.RegistryPasswordUtils
password_of_user

where password_of_user is the clear-text password of the global registry user.


3.

Open the dfc.properties file in a text editor and modify the following attributes:

EMC Documentum Content Server Administration and Configuration 6.7 Guide

101

Managing Repositories

dfc.globalregistry.repository=global_registry_repository_name
dfc.globalregistry.username=user_login_name
dfc.globalregistry.password=encryped_password_of_user

where encryped_password_of_user is the encrypted password you generated in step 2.


4.

Save the dfc.properties file.

Repository content
The Content Server installation program and the scripts that run during repository configuration
automatically create various objects, such as cabinets, configuration objects, users, and groups.
Table 20, page 102 lists the default users that are created during repository configuration.
Table 20. Default users created during repository configuration

User

User Privileges

Extended User Privileges

repository_owner

Superuser

None

installation_owner

Superuser

None

global registry user

None

None

dm_bpm_inbound_user

None

None

dm_autorender_win32

System Administrator

None

dm_autorender_mac

System Administrator

None

dm_mediaserver

System Administrator

None

dm_fulltext_index_user

Superuser

None

The configuration program creates a number of default groups.Table 21, page 102 describes the default
groups. In addition to the default groups, the configuration program also creates a set of privileged
groups. For more information about privileged groups, refer to Privileged groups, page 196.
Table 21. Default groups created during repository configuration

Group

Members

admingroup

installation_owner, repository_owner

docu

repository_owner, installation_owner,
dm_autorender_win32, dm_autorender_mac,
dm_mediaserver

queue_admin

None.
This is a role group supporting the queue
management feature of Documentum Process
Builder.

102

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Group

Members

queue_manager

queue_admin group
This is a role group supporting the queue
management feature of Documentum Process
Builder.

queue_processor

queue_manager group
This is a role group supporting the queue
management feature of Documentum Process
Builder.

process_report_admin

queue_admin
This is a role group supporting the queue
management feature of Documentum Process
Builder.

Windows domain authentication for UNIX


repositories
A repository on a UNIX host can use Windows domain authentication to authenticate repository
users. Configuring Windows domain authentication for UNIX repositories requires the following:
Defining a domain map that includes the Windows domain, as described in Creating or modifying
a domain map, page 103 and Defining a domain, page 104.
Configure repository users for Windows domain authentication, as described in Modifying users
for Windows domain authentication, page 104.
Modifying the dm_check_password program to work with Windows domain authentication.
Modifying the user_source property in the user object for each user in the UNIX repository.
Each user in a UNIX repository must have the user_source property set to domain only, UNIX first,
or domain first. You can modify the property with Documentum Administrator on the User page.
Note: UNIX users who are authenticated against a Windows domain cannot execute methods under
their own accounts. All methods executed by such users must be run with run_as_server set to TRUE.

Creating or modifying a domain map


Use these instructions to create or modify a domain map for Windows authentication on a UNIX
repository.

To create or modify a domain map:


1.

Connect as a superuser to the repository whose docbase configuration object you want to modify.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

103

Managing Repositories

2.

Navigate to Administration > Basic Configuration > Repository to access the Repository list
page.

3.

Select the repository name and then select View > Properties > Info.
The Repository Configuration Properties - Info page appears.

4.

In the Authentication Protocol section, select Windows Domain Authentication.

5.

Click Define Domain Map to access the Domain Map page.


The Define Domain Map link does not appear on the Repository Configuration Properties - Info
page unless Windows Domain Authentication is selected.

6.

On the Domain Map page:


To add a domain, click Add to access the Domain Entry page.
On the Domain Entry page, enter information in the Domain, Primary Controller, and
Backup Controller fields, then click OK to return to the Domain Entry page.
To modify a domain, select it and click Edit.
To delete a domain, select it and click Remove.

7.

Click OK to return to the Repository Configuration Properties - Info page.

Defining a domain
The Domain Entry page defines a Windows domain that is used for Windows domain authentication
of users in a UNIX repository. Defining a domain, requires the primary controller name of the domain
and any backup controllers names. Under Windows NT 4.0 and earlier, the primary domain controller
is the computer that authenticates domain logins and maintains the directory database for a domain.
A backup domain controller is a computer that receives a copy of the domains directory database.

To define a domain:
1.

Type a domain name.


The domain name is a required field.

2.

Type the primary controller name.


The primary controller name is a required field.

3.

Type the backup controller domain name.


The backup controller domain name is an optional field.

4.

Click OK.

Modifying users for Windows domain authentication


After the domain map is set up, configure users in the repository.

To modify users for Windows domain authentication:


1.

104

Navigate to Administration > User Management > Users.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

The Users list page appears.


2.

For each user, select View > Properties > Info to access the User Properties - Info page.

3.

For each user, modify the User Source field:


Domain Only
The user is authenticated only against the Windows domain.
UNIX First
The server attempts to authenticate the user first using default UNIX authentication. If that
fails, the server attempts to authenticate the user against the Windows domain.
Domain First
The server attempts to authenticate the user first against the Windows domain. If that fails,
the server attempts to authenticate the user using UNIX authentication.

4.

Click OK to save the changes and return to the Users list page.

Type indexes
Indexes on the object type tables in the RDBMS enhance the performance of repository queries. When
a repository is configured, the Content Server creates various object type indexes. There are several
administration methods for managing type indexes:
MAKE_INDEX
Creates type indexes for special requirements. For more information about the MAKE_INDEX
method, refer to MAKE_INDEX, page 331.
MOVE_INDEX
By default, type tables and indexes are stored in the same tablespace or segment. However, you
can create a repository with separate tablespaces or segments for each or you can move the indexes
later, using the MOVE_INDEX method. Indexes that you create can be placed in any directory.
For more information about the MOVE_INDEX method, refer to MOVE_INDEX, page 332.
For more information about creating a repository with separate tablespaces, refer to the EMC
Documentum Content Server Installation Guide.
DROP_INDEX
Removes a user-defined index. It is strongly recommended to not remove any of the
system-defined indexes. For more information about the DROP_INDEX method, refer to
DROP_INDEX, page 327.
Each method can be executed through Documentum Administrator, an apply method, or the DQL
EXECUTE statement.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

105

Managing Repositories

Date values
By default, Content Server stores date values as UTC (Coordinated Universal Time) time in new
repositories (Documentum 6 and later), and as the local time in repositories that are upgraded from
before version 6.
The r_normal_tz property in the docbase config object controls how Content Server stores dates in the
repository. If the property value is 0, all dates are stored in UTC time. If the property contains an
offset value, dates are normalized using the offset value before being stored in the repository. Offset
values must use a time zone offset from UTC time, expressed as seconds. For example, if the offset
represents the Pacific Standard Time zone, the offset value is -8*60*60, or -28800 seconds. When the
property is set to an offset value, Content Server stores all date values based on the time identified by
the time zone offset.
In a Documentum 6 or later repository, r_normal_tz value is set to 0. In a repository upgraded from
a release earlier than version 6, the r_normal_tz value is set to the offset that represents Content
Server local time and cannot be changed.

Moving or duplicating a repository


Moving or duplicating a repository requires dump and load operations. Dump and load operations
can be used to:
Move part of a repository from one location to another.
Duplicate part of a repository.
Use dump and load operations to create a duplicated repository with a different name or
repository ID than the source repository.
Dump or load operations require superuser privileges. A dump operation creates a binary file of
objects dumped from a repository. If a dumped object has associated content files, the content files
are either referenced by full path or included directly in the dump file. The load operation loads the
objects and content files into another repository.
Dump files are created by using the session code page. For example, if the session in which the dump
file was created was using UTF-8, the dump file is a UTF-8 dump file. The repository into which the
dump file is loaded must use the same code page the source repository.
Dump and load operations can be performed manually using either IAPI, Docbasic scripts, or the
IDfDumpRecord and IDfLoadRecord DFC interfaces.
Note: Dump and load operations require additional steps for repositories where Web Publisher is
installed. Refer to the Web Publisher Deployment Guide for details.

Supporting object types


There are several object types that support dump and load operations:
Dump Record (dm_dump_record)

106

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

A dump record object contains information about a specific dump execution. It has a property
that contains the name of the file with the dumped information and properties whose values tell
Content Server which objects to copy into the specified file.
Dump Object Record (dmi_dump_object_record)
A dA dump object record object contains information about one specific object that is copied out
to the dump file. Dump object record objects are used internally.
Load Record (dm_load_record)
A load record object contains information about a specific load operation. Its properties are used
by Content Server to manage the loading process. It also has two properties that contain the
starting and ending times of the load operation.
Load Object Record (dmi_load_object_record)
A load object record object contains information about one specific object that is loaded from the
dump file into a repository. Load object record objects are used internally.
For information about the properties of these object types, refer to the Documentum System Object
Reference.

Dumping objects under retention


If a dumped SysObject is associated with a retainer, the dump operation also dumps the retainer.
Retainers record retention policy definitions.
If a retainer object is dumped directly, the object identified in the retainer_root_id property of the
retainer is also dumped. That object can be a single SysObject or a container, such as a folder. If it is a
container, the objects in that container are not dumped, only the container itself is dumped.
Note: This information does not apply to dump and load operations that are used to execute object
replication jobs.

Aspects and dump operations


A dump operation does not dump aspects associated with a dumped object. If aspects are associated
with specific instances of an object type, those aspects must be created in the target repository.
Similarly, if default aspects are defined for an object type and instances of that type are dumped, the
default aspects must be manually created in the target repository. The aspects must be created in the
target repository before performing the load operation.

Dumping an entire repository


Dumping the contents of an entire repository by setting the dump_operation property of the dump
record object to full_docbase_dump is currently not supported.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

107

Managing Repositories

Dumping specific objects


To dump only specific objects in a repository, set the type, predicate, and predicate2 repeating
properties of the dump record object. The type property identifies the type of object you want to
dump and the predicate and predicate2 properties define a qualification that determines which
objects of that type are dumped. The Documentum System Object Reference Manual contains a full
description of a dump record objects properties.
However, when you dump an object, the server includes any objects referenced by the dumped object.
This process is recursive, so the resulting dump file can contain many more objects than the object
specified in the type, predicate, and predicate2 repeating properties of the dump record object.
When dumping a type that has a null supertype, the server also dumps all the objects whose
r_object_ids are listed in the ID field of the type.
The ACL associated with a dumped object is also dumped.

Setting the type property


The type property is a repeating property. The object type specified at each index position is
associated with the WHERE clause qualification defined in the predicate at the corresponding
position.
The dump operation dumps objects of the specified type and any of its subtypes that meet the
qualification specified in the predicate. Consequently, it is not necessary to specify each type by name
in the type property. For example, if you specify the SysObject type, then Content Server dumps
objects of any SysObject or SysObject subtype that meets the qualification.
Use the following guidelines when specifying object types and predicates:
The object type must be identified by using its internal name, such as dm_document or
dmr_containment.
Object type definitions are only dumped if objects of that type are dumped or if objects that are
a subtype of the type are dumped.
This means that if a subtype of a specified type has no objects in the repository or if no objects of
the subtype are dumped, the dump process does not dump the subtypes definition. For example,
suppose you have a subtype of documents called proposal, but there are no objects of that type in
the repository yet. If you dump the repository and specify dm_document as a type to dump, the
type definition of the proposal subtype is not dumped.
This behavior is important to remember if you have user-defined subtypes in the repository and
want to ensure that their definitions are loaded into the target repository.
To dump subtype definitions for types that have no objects instances in the repository or whose
objects are not dumped, you must explicitly specify the subtype in the dump script.
If you have created user-defined types that have no supertype, be sure to explicitly include them
in the dump script if you want to dump objects of those types. For example, the following
commands will include all instances of your_type_name:
append,c,l,type
your_type_name
append,c,l,predicate

108

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

1=1

If you have system or private ACLs that are not currently associated with an object, they are
not dumped unless you specify dm_acl as a type in the dump script. For example, include the
following lines in a dump script to dump all ACLs in the repository (including orphan ACLs):
append,c,l,type
dm_acl
append,c,l,predicate
1=1

You may want to specify a qualification in the predicate to exclude orphaned internal ACLs.
By default, storage area definitions are only included if content associated with the storage is
dumped. If you want to dump the definitions of all storage areas, even though you may not
dump content from some, include the storage type (file store, linked, and distributed) explicitly
in the dump script.
When you dump the dm_registered object type, Content Server dumps only the object
(dm_registered) that corresponds to the registered table. The underlying RDBMS table is not
dumped. Use the dump facilities of the underlying RDBMS to dump the underlying table.

Setting the predicate properties


You must supply a predicate for each object type you define in the type property. If you fail to supply
a predicate for a specified type, then no objects of that type are dumped.
To dump all instances of the type, specify a predicate that is true for all instances of the type, such
as 1=1.
To dump a subset of the instances of the object type, define a WHERE clause qualification in the
predicate properties. The qualification is imposed on the object type specified at the corresponding
index level in the type property. That is, the qualification defined in predicate[0] is imposed on the
type defined in type[0], the qualification defined in predicate[1] is imposed on the type defined in
type[1], and so forth.
For example, if the value of type[1] is dm_document and the value of predicate[1] is object_name =
foo, then only documents or document subtypes that have an object name of foo are dumped. The
qualification can be any valid WHERE clause qualification. The Content Server DQL Reference Manual
contains the description of a valid WHERE clause qualification.
The predicate property accepts a maximum of 255 characters. If the qualification exceeds 255
characters, place the remaining characters in the predicate2 property at the corresponding index
level. For example, if the qualification defined for type[0] is 300 characters, you put the first 255
characters in predicate[0] and the remaining 45 in predicate2[0]. When the dump is executed, Content
Server concatenates predicate[0] and predicate2[0]. The predicate2 property accepts a maximum
of 255 characters also.
Important: If you use the predicate2 property at any index position, you must also set the predicate2
property at all index positions before the desired position. Content Server does not allow you to
skip index positions when setting repeating properties. For example, if you set predicate2[2] and
predicate2[4], you must also set predicate2[0], predicate2[1], and predicate2[3]. It is valid to set the
values for these intervening index positions to a single blank.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

109

Managing Repositories

Content files and dumping


How the dump operation handles content depends on where the content is stored and how the
include_content parameter is set in the dump_parameter argument of the dump object.
By default, if the content is stored in a file store, EMC Centera storage area, or NetApp SnapLock
storage area, the content is not included in the dump file. You can set the include_content parameter
to include such content. If you are dumping a repository that has encrypted file store storage areas,
you must include the content in the dump file. Content Server decrypts the content before placing
it into the dump file.
Dumping without content, page 110 describes the default behavior and requirements for handling
dump files without content. Including content, page 110 describes how to include content and
the requirements for dump files with content.
If the content is stored in a blob or turbo storage area, the content is automatically included in the
dump file because the content is stored in the repository.
Content stored in external storage cannot be included in a dump file.

Dumping without content


By default, a dump operation on content in file stores, EMC Centera stores, or NetApp SnapLock
stores does not include content. Instead, when an object with content is dumped, the operation places
a reference to the content in the dump file. If the content is stored in a file system, the reference is a file
system path. If the object is stored in a retention storage system, the reference is the contents address.
When the dump file is loaded into the target repository, any file systems referenced for content must
be visible to the server at the target site. For content in retention storage, the ca_store object at the
target site must have an identical definition as the ca_store object at the source repository and must
point to the same storage system used by the source repository.
In the target repository, the storage objects for the newly loaded content must have the same name as
the storage objects in the source repository but the filepaths for the storage locations must be different.
The owner of the target repository must have Read permission in the content storage areas of the
dumped repository when the load operation is executed. The load operation uses the target repository
owners account to read the files in the source repository and copy them into the target repository.

Including content
To include content in a dump file, set the include_content property to T (TRUE) in the dump record
object. If the property is true, when Content Server dumps an object with content, the content is copied
into the dump file also. The content must be stored in a file store, EMC Centera store, or NetApp
SnapLock storage area. Content Server cannot copy content from external storage into a dump file.
In the target repository, the storage objects for the newly loaded content must have the same names
as those in the source repository, but the actual directory location, or IP address for a retention
store, can be different or the same.

110

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Always include content if you are dumping a repository to make a backup copy, to archive a
repository, or to move the content or if the repository includes an encrypted storage area.

Compressing content
When you include content, you can create a compressed dump file to save space. To compress the
content in the dump file, set the dump_parameter property to compress_content = T.
Content Server automatically decompresses a compressed dump file during a load operation.

Setting the cache size


Content Server uses an in-memory cache to store the object IDs of dumped objects. Before dumping
an object, Content Server checks the cache to see if the object has already been dumped.
You can improve the performance of a large dump operation by setting a larger cache size. If you do
not specify a cache size, the server uses a default size of 1 MB, which can hold up to 43,690 object IDs.
To increase the cache size, set the cache_size argument of the dump_parameter property to a value
between 1 and 100. The value is interpreted as megabytes and defines the maximum cache size. The
memory used for the cache is allocated dynamically as the number of dumped objects increases.
Content Server ignores the cache setting when doing a full repository dump.

Using non-restartable dump


You can also improve the performance of a dump operation by creating a non-restartable dump.
However, if a non-restartable dump operation fails, you will not be able to restart the dump from
the failure point. Instead, you must create a new dump record object to start the dump operation
from the beginning.
A dump operation can only be non-restartable if it is a partial repository dump. Full repository
dump operations are always restartable.
To create a non-restartable dump, set the dump_parameter property to restartable=F.

Using a script to create a dump file


For dump operations that you execute regularly, we recommend that you write a script that creates
and saves the dump object and checks for errors after the execution. Using a script avoids re-creating
the dump object manually each time you want to perform the task.

To use a script:
1.

Write a script that creates the dump object, sets its properties, saves the object, and checks for
errors.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

111

Managing Repositories

If you do not set the file_name property to a full path, Content Server assumes the path is relative
to the root directory of the server. The filename must be unique within its directory. This means
that after a successful load operation that uses the dump file, you must move the dump file to
archival storage or destroy it so you can successfully execute the script later.
2.

Use IAPI to execute the script. Use the following command-line syntax:
iapi source_db -Uusername -Ppassword < script_filename

where:
source_db is the name of the repository that you want to dump.
username is the user name of the user who is executing the operation.
password is the user password.
script_filename is the name of the file you created in Step 1.
3.

If the dump was successful, destroy the dump object. If the Save on the dump operation did
not return OK, the dump was not successful.
Destruction of the dump object cleans up the repository and removes the dump object records
and state information that are no longer needed.

Sample script for a full repository dump with content included


The following script dumps an entire repository by setting the dump_operation property of the
dump record object to full_docbase_dump, includes the content directly in the dump file, and
compresses the content:
create,c,dm_dump_record
set,c,l,file_name
/tmp/dumpfile.out
set,c,l,dump_operation
full_docbase_dump
set,c,l,include_content
T
append,c,l,dump_parameter
compress_content=T
save,c,l
getmessage,c #Check for dump errors

Sample script for a partial repository dump


Note: There is a template for a sample script in %DM_HOME%\install\DBA\dump_template.bat
($DM_HOME/install/DBA/dump_template.api ).
The script below has the following characteristics:
It does not copy content files into the dump file.
It only dumps ACLs associated with a dumped object.
It does not dump subtype definitions if there are no objects of that subtype.
It does not dump storage area definitions if the dump does not include any content associated
with the storage area.

112

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

It does not dump user-defined subtypes that have no supertype.


It does not dump job objects.
It is not restartable.
The script assumes that you want to dump all instances of the types, not just a subset. Consequently,
the predicates are set as 1=1 (you cannot leave them blank). If you want to dump only some subset of
objects or want to include all ACLs, type definitions, or storage area definitions, modify the script
accordingly.
Here is the script:
create,c,dm_dump_record
set,c,l,file_name
dump file name# Supply your own file name.
# This must be a new file
append,c,l,type
dm_sysobject
append,c,l,predicate
1=1
append,c,l,type
dm_assembly
append,c,l,predicate
1=1
append,c,l,type
dm_format
append,c,l,predicate
1=1
append,c,l,type
dm_user
append,c,l,predicate
1=1
append,c,l,type
dm_group
append,c,l,predicate
1=1
append,c,l,type
dmi_queue_item
append,c,l,predicate
1=1
append,c,l,type
dmi_registry
append,c,l,predicate
1=1
append,c,l,type
dm_relation
append,c,l,predicate
1=1
append,c,l,type
dm_relation_type
append,c,l,predicate
1=1
append,c,l,type
dmr_containment
append,c,l,predicate
1=1
append,c,l,type
dmr_content
append,c,l,predicate
1=1
append,c,l,dump_parameter
cache_size=60 #set cache size
append,c,l,dump_parameter

EMC Documentum Content Server Administration and Configuration 6.7 Guide

113

Managing Repositories

restartable=F #non-restartable dump


append,c,l,predicate
1=1
save,c,l
getmessage,c

Notes:
In the append command line, the l is the lowercase letter L.
If you do not set the file_name property to a full path, Content Server assumes the path is relative
to the root directory of the server. The filename must be unique within its directory. This means
that after a successful load operation using the dump file, you must move the dump file to archival
storage or destroy it so that you can successfully execute the script later.
To dump user-defined types that have no supertype, add Append methods for each to the script:
append,c,l,type
your_type_name
append,c,l,predicate
1=1

If the server crashes during a dump operation


If Content Server crashes during a dump operation, there are two alternatives:
Destroy the dump file (target file named in the script) if it exists and then re-execute the script.
If the specified file already exists when you try to save a new dump record object, the save
operation fails. Re-executing the script creates a new dump record object.
If the dump operation is restartable, fetch the existing dump object from the source repository
and save it again. Saving the object starts the dump operation. Content Server begins where
it left off when the crash occurred.

Moving the dump file


The dump file is a binary file. If you move a dump file from one machine to another electronically, be
sure to use a binary transfer protocol.
If your operating system is configured to allow files larger than 2 GB, the dump file can exceed 2
GB in size. If you create a dump file larger than 2 GB, you cannot load it on a machine that does
not support large file sizes or large file systems.

Loading a repository
Loading a repository puts the objects stored in a dump file into the repository. The dump file header
does not indicate the session code page in which the dump file was created. If you do not know the
session code page in use when a dump file was created, do not load the dump file.
If the dump file does not include the actual content files associated with the objects you are loading,
the operation reads the content from the storage areas of the dumped repository. This means that the

114

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

owner of the repository that you are loading must have Read privileges at the operating system level
for the storage areas in the source repository.
The load operation generates a dmi_queue_item for the dm_save event for each object of type
SysObject or a subtype that is loaded into the target repository. The event is queued to the
dm_fulltext_index_user user account. This ensures that the objects are added to the target repositorys
index. You can turn off this behavior. For instructions, refer to Turning off save event generation
during load operations, page 116.
Loading a repository is accomplished by creating and saving a load record object. The act of saving
the object starts the operation.
Note: The load operation performs periodic commits to the repository. Consequently, you cannot
load a repository if you are in an explicit transaction. The Content Server does not allow you to save
a load record object if you are in an explicit transaction. Similarly, you cannot perform a revert or
destroy operation on a load record object if you are in an explicit transaction.

Refreshing repository objects from a dump file


Generally, when you load objects into a repository, the operation does not overwrite any existing
objects in the repository. However, in two situations overwriting an existing object is the desired
behavior:
When replicating content between distributed storage areas
When restoring archived content
In both situations, the content object that you are loading into the repository could already exist. To
accommodate these instances, the load record object has a relocate property. The relocate property is
a Boolean property that controls whether the load operation assigns new object IDs to the objects it
is loading.
The type and predicate properties are for internal use and cannot be used to load documents of a
certain type.

Loading job objects


If you dump and load job objects, the load operation automatically sets the job to inactive in the new
repository. This ensures that the job is not unintentionally started before the load process is finished
and it allows you the opportunity to modify the job object if needed. For example, to adjust the
scheduling to coordinate with other jobs in the new repository.
The load operation sets jobs to inactive (is_inactive=TRUE) when it loads the jobs, and sets the jobs
run_now property to FALSE.
If the load operation finds an existing job in the target repository that has the same name as a job
it is trying to load, it does not load the job from the dump file.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

115

Managing Repositories

Loading registered tables


When you load a registered table, the table permits defined for that table are carried over to the
target repository.

Turning off save event generation during load operations


During a load operation, every object of type SysObject or SysObject subtype loaded into the target
repository generates a save event. The event is queued to the dm_fulltext_index_user. This behavior
ensures that the object is added to the target index of the repository.
The behavior is controlled by the load parameter called generate_event. The parameter is T by
default. If you do not want the load operation to queue save events to the dm_fulltext_index_user, set
the parameter to F for the operation. The parameter is set in the load_parameter property as:
generate_event=F

Loading a new repository


New repositories are not empty. They contain various cabinets and folders created by the installation
process, such as:
A user object for the repository owner
A cabinet for the repository owner
The docu group
The System cabinet, which contains a number of subfolders
The Temp cabinet
When you load a dump file into a new repository, these objects are not replaced by their counterparts
in the dump file because they already exist in the new repository.
However, if you have changed any of these objects in the source repository (the source of the dump
file), the changes are lost because these objects are not loaded. For example, if you have added any
users to the docu group or if you have altered permissions on the System cabinet, those changes
are lost.
To ensure that any changes you have made are not lost, fetch from the source repository any of the
system objects that you have altered and then use the Dump method to get a record of the changes.
For example, if the repository owners cabinet was modified, use the following command sequence to
obtain a listing of its property values:
fetch,c,cabinet_id
dump,c,l

After the load operation, you can fetch and dump the objects from the new repository, compare the
new dump results with the previous dump results, and make any necessary changes.

116

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

The preLoad utility


Documentum provides a utility that you can run on a dump file to tell you what objects that you must
create in the new repository before you load the dump file. The utility can also create a DQL script
that you can edit and then run to create the needed objects. The syntax for the preload utility is:
preload repository [-Uusername] -Ppassword -dump_file filename
[-script_file name]

repository is the name of the repository into which you are loading the dump file.
filename is the name of the dump file.
name defines a name for the output DQL script.
If you do not include a username, the current user is assumed.
Note: This utility does not report all storage areas in the source repository, but only those that have
been copied into the dump file.

Load procedure for new repositories


Use the following procedure to load a dump file into a new repository.
Note: You cannot perform this procedure in an explicit transaction because the load operation
performs periodic commits to the repository. Content Server does not allow you to save the load
record object to start the load operation if you are in an explicit transaction.

To load a dump file into a new repository:


1.

Create the repository.


Notes:
If the repository shares any directories with the source repository, you must assign the
repository an ID that differs from the source repository ID.
If the old and new repositories have different owners, ensure that the new repositorys owner
has Read privileges in the storage areas used by the old repository if the old repository was
not dumped with the include_content property set to TRUE.

2.

Create the necessary storage objects and associated location objects in your new repository.
Each storage object in your source repository must have a storage object with the same name in
the new repository. The filestore objects in the new repository must reference location objects
that point to actual directories that differ from those referenced by the location objects in the
source repository.
For example, suppose you have a file store object with the name storage_1 in your source
repository that points to the location object named engr_store, which references the
d:\documentum\data\engr (/u04/home/installation_owner/data/engr) directory. In the new
repository, you must create a file store object with the name storage_1 that references a location
object that points to a different directory.
Note: The location objects can be named with different names or they can have the same name.
Either option is acceptable.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

117

Managing Repositories

3.

4.

If your storage areas in the source repository had associated full-text indexes, create
corresponding fulltext index objects and their location objects in the new repository. Note that
these have the same naming requirements as the new storage objects described in Load procedure
for new repositories, page 117.
Create and save the following script:
create,c,dm_load_record
set,c,l,file_name
full_path_of_dump file
save,c,l
getmessage,c

5.

Log in as the owner of the installation and use IAPI to execute the script.
When you start IAPI, connect to the new repository as a user who has Sysadmin privileges in
the repository.

6.

After the load completes successfully, you can destroy the load object:
destroy,c,load_object_id

Notes:
Destroying the load object cleans the load object record objects that are generated by the
loading process and old state information.
If you created the dump file by using a script, move the dump file to archival storage or
destroy it after you successfully load the file. You cannot successfully execute the script again
if you leave the dump file in the location where the script created it. Content Server does not
overwrite an existing dump file with another dump file of the same name.
If Content Server crashes during a load, you can fetch the Load Object and save it again, to
restart the process. Content Server begins where it left off when the crash occurred.

DocApps
DocApps are not dumped when you dump a repository. Consequently, after you load a new
repository, install and run the DocApp installer to reinstall the DocApps in the newly loaded
repository.

Generating dump and load trace messages


You can activate tracing during dump and load operations to generate trace messages in the Content
Server session log.
To activate tracing, use a setServerTraceLevel method.
The trace information includes:
Whether Content Server fails to dump or load an object
The query used to search for matching objects for a dump or load operation
The current progress and status of a dump or load operation

118

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Repository maintenance
Repositories should be cleaned up regularly as part of a maintenance schedule. Cleaning a repository
involves removal of:
Orphaned content files
When users delete a document, or any object that has a content file associated with it, the system
deletes the object and marks the content as an orphan. The system does not delete the actual
content file. This must be done using the dmclean utility.
Unwanted document versions and renditions
Orphaned annotations and internal ACLs
An annotation is orphaned when it is detached from all documents or other objects to which
it was attached.
An internal ACL is orphaned when it is no longer referenced by any object.
Aborted workflows
A workflow that has been stopped by the execution of an Abort method is an aborted workflow.
Old log files

To clean a repository:
1.

Perform a complete backup of the repository.

2.

Delete unwanted versions of documents.


You can delete only versions created before a certain date or by a certain author or delete all but
the CURRENT version from one or more version trees.
To delete selected versions of documents, use the DELETE...OBJECT statement.
Identify the documents to delete by their creation date, modification date, or some other
criteria that you choose. For example, the following statement deletes all documents that
have not been changed since January 1, 2000:
DELETE "dm_document" OBJECTS
WHERE "r_modify_date" < DATE('01/01/2000')

To delete versions from a version tree, use a IDfSysObject.prune method.


Prune deletes all unwanted versions on a specified tree or branch of a tree. An unwanted
version is any version that has no symbolic label and that does not belong to a virtual
document. Refer to the Javadocs for the usage of the method.
3.

Delete unused renditions.


A rendition is represented in the repository by a content object that points to the source document
and by a content file.
To delete a rendition (without deleting its source document, first update the content object for
the rendition to remove its reference to the source document.
For example, the following UPDATE...OBJECT statement updates all server- and user-generated
renditions created before January 1, 2000. The updates in the statement detach the affected
renditions from their source documents, effectively deleting them from the repository.
UPDATE "dmr_content" OBJECTS

EMC Documentum Content Server Administration and Configuration 6.7 Guide

119

Managing Repositories

SET "parent_count" = 0,
TRUNCATE "parent_id",
TRUNCATE "page"
WHERE "rendition" != 0 AND "set_time" < DATE('01/01/2000')

4.

Clean the temp directory by deleting the temporary files in that location.
You can determine the location of the temp directory with the following query:
SELECT "file_system_path" FROM "dm_location"
WHERE "object_name" = 'temp'

5.

Delete any unwanted dmi_queue_item objects.


Every time an object is placed in the inbox of a user, a dmi_queue_item object is created. When
the object is removed, the queue item object is not destroyed, but it is marked in the repository as
dequeued. Use the DELETE...OBJECT statement to remove dmi_queue_item objects.
For example, the following statement removes all queue items objects that were dequeued before
January 1, 2000:
DELETE "dmi_queue_item" OBJECTS
WHERE "dequeued_date" < DATE('01/01/2000')
AND "delete_flag'=true

6.

Run the dmclean utility to remove orphaned content files, orphaned annotations and ACLs, and
aborted workflows. You can execute the Dmclean administration tool or run the dmclean utility
manually. For more information abut the dmclean utility, refer to Dmclean (dm_DMClean),
page 347.

7.

Delete or archive old server logs, session logs, trace files, and old versions of the product.
Session logs are located in the %DOCUMENTUM%\dba\log\repository_id
($DOCUMENTUM/dba/log/repository_id) directory.
Content Server and connection broker log files are found in the %DOCUMENTUM%\dba\log
($DOCUMENTUM/dba/log) directory. The server log for the current server session is named
repository_name.log. The log for the current instance of the connection broker is named
docbroker.docbroker_hostname.log. Older versions of these files have the extension .save and the
time of their creation appended to their name.
On Windows, you can use the del command or the File Manager to remove unwanted session
logs, server logs, and connection broker logs. On UNIX, use the rm command.

Checking consistency
Content Server provides the Consistency Checker, a tool that scans a repository and reports any
inconsistencies. Inconsistencies typically include type or object corruptions, objects that reference a
user, group, or other object that does no exist, and so forth. The tool does not fix the inconsistencies.
Contact Documentum Technical Support for assistance in correcting errors found by the consistency
checker.
The Consistency Checker tool is a job that can be run from the command line or using Documentum
Administrator. For information about running the job in Documentum Administrator, refer to
Running jobs, page 378.
The job generates a report that lists the checked categories and any inconsistencies that were
found. The report is saved in the /System/Sysadmin/Reports/ConsistencyChecker directory. If no

120

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

errors are found, the current report overwrites the previous report. If an error is found, the current
report is saved as a new version of the previous report. By default, the Consistency Checker job is
active and runs once a day. For more information about consistency checks, refer to Appendix D,
Consistency Checks.
EMC Documentum recommends to run this tool on a repository before upgrading the repository
to a new version of the Documentum Server.

Running the job from a command line


The Consistency Checker job is implemented as the consistency_checker.ebs script. To run the script
from the command line, enter the following syntax at the command-line prompt:
dmbasic -fconsistency_checker.ebs -eEntry_Point --repository_
name superuser password

Where repository_name is the name of the repository that is checked, superuser is the user name of a
repository superuser, and password is the password of the superuser account.
The results of the checks are directed to standard output.

Example report
The following example describes a Consistency Checker report. In this case, the tool detected five
inconsistencies in the Users & Groups section.
Beginning Consistency Checks.....
Repository Name:
buzzard
Server Version: 5.1.0.63 Win32.SQLServer
Database:
SQLServer
#################################################
##
## CONSISTENCY_CHECK: Users & Groups
##
##
Start Time: 09-10-2002 10:15:55
##
##
#################################################
Checking for users with non-existent group
WARNING CC-0001: User 'docu' belongs to
non-existent group ''
WARNING CC-0001: User 'engr' belongs to
non-existent group ''
WARNING CC-0001: User 'marketing' belongs to
non-existent group ''
WARNING CC-0001: User 'nagboat' belongs to
non-existent group ''
WARNING CC-0001: User 'admingroup' belongs to
non-existent group ''
Rows Returned: 5
Checking
Checking
Checking
Checking

for
for
for
for

users belonging to groups not in dm_user


users not listed in dmi_object_type
groups not listed in dmi_object_type
groups belonging to non-existent groups

EMC Documentum Content Server Administration and Configuration 6.7 Guide

121

Managing Repositories

Checking for groups with non-existent super groups


##################################################
##
##
## CONSISTENCY_CHECK: ACLs ##
##
##
Start Time: 09-10-2002 10:15:55
##
##
##################################################
Checking for ACLs with non-existent users
Checking for ACLs with missing dm_acl_r table entries
Checking for sysobjects with acl_domain set to
non-existent user
Checking for sysobjects that belong to
non-existent users
Checking for sysobjects with non-existent ACLs
Checking for ACL objects with missing dm_acl_s entry
Checking for ACL objects with r_accessor_permit
value but missing r_accessor_name value
Checking for ACL objects with r_accessor_name value
but missing r_accessor_permit value
Checking for ACL objects with r_is_group value but
missing r_accessor_permit value
Checking for ACL objects with r_is_group value but
missing r_accessor_name value
Checking for ACL object with r_accessor_name value
but missing r_is_group value
Checking for ACL object with r_accessor_permit value
but missing r_is_group value
################################################
##
##
## CONSISTENCY_CHECK: Sysobjects
##
##
##
Start Time: 09-10-2002 10:15:58
##
##
#################################################
Checking for sysobjects
dmi_object_type
Checking for sysobjects
content
Checking for sysobjects
folders
Checking for sysobjects
primary cabinets
Checking for sysobjects
Checking for sysobjects
Checking for sysobjects
dm_sysobject_r entries
Checking for sysobjects
dm_sysobject_s entry

which are not referenced in


that point to non-existent
that are linked to non-existent
that are linked to non-existent
with non-existent i_chronicle_id
with non-existent i_antecedent_id
with missing
with missing

#################################################
##
##
## CONSISTENCY_CHECK: Folders and Cabinets
##
##
Start Time: 09-10-2002 10:16:02
##
##

122

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

#################################################
Checking for folders with missing dm_folder_r table
entries
Checking for folders that are referenced in dm_folder_r
but not in dm_folder_s
Checking for dm_folder objects that are missing an
entry in dmi_object_type
Checking for dm_folder objects that are missing
corresponding dm_sysobject entries
Checking for folders with non-existent ancestor_id
Checking for cabinet that have missing dm_folder_r
table entries
Checking for cabinets that are missing an entry in
dmi_object_type
Checking for folder objects with missing
dm_sysobject_r entries
Checking for folder objects with null r_folder_path
#################################################
##
##
## CONSISTENCY_CHECK: Documents
##
##
##
Start Time: 09-10-2002 10:16:03
##
##
#################################################
Checking for documents with a dm_sysobject_s entry
but no dm_document_s entry
Checking for documents with missing dm_sysobect_s
entries
Checking for documents with missing dmi_object_type
entry
#################################################
##
##
## CONSISTENCY_CHECK: Content
##
##
Start Time: 09-10-2002 10:16:03
##
##
##
#################################################
Checking for
non-existent
Checking for
Checking for

content objects that reference


parents
content with invalid storage_id
content objects with non-existent format

#################################################
##
##
## CONSISTENCY_CHECK: Workflow
##
##
##
Start Time: 09-10-2002 10:16:03
##
##
#################################################
Checking for dmi_queue_item objects with non-existent
queued objects
Checking for dmi_workitem objects that reference

EMC Documentum Content Server Administration and Configuration 6.7 Guide

123

Managing Repositories

non-existent dm_workflow objects


Checking for dmi_package objects with missing
dmi_package_s entries
Checking for dmi_package objects that reference
non-existent dm_workflow objects
Checking for workflow objects with non-existent
r_component_id
Checking for workflow objects with missing
dm_workflow_s entry
Checking for work item objects with missing
dm_workitem_s entry
################################################
##
##
## CONSISTENCY_CHECK: Types
##
##
Start Time: 09-10-2002 10:16:04
##
##
################################################
Checking for dm_type objects with a non-existen
t dmi_type_info object
Checking for dmi_type_info objects with a non-existent
dm_type object
Checking for type objects with corrupted property
positions
Checking for types with invalid property counts
#################################################
##
##
## CONSISTENCY_CHECK: Data Dictionary
##
##
Start Time: 09-10-2002 10:16:04
##
##
#################################################
Checking
Checking
Checking
missing
Checking
missing
Checking
missing
Checking
missing

for duplicate dmi_dd_attr_info objects


for duplicate dmi_dd_type_info objects
for any dmi_dd_attr_info objects that are
an entry in dmi_dd_common_info_s
for any dmi_dd_type_info objects that are
an entry in dmi_dd_common_info_s
for any dmi_dd_attr_info objects that are
an entry in dmi_dd_attr_info_s
for any dmi_dd_type_info objects that are
an entry in dmi_dd_type_info_s

################################################
##
##
## CONSISTENCY_CHECK: Lifecycles
##
##
Start Time: 09-10-2002 10:16:11
##
#################################################
Checking for sysobjects that reference non_existent
policy objects
Checking for any policy objects that reference
non-existent types in included_type
Checking for any policy objects with missing
dm_sysobject_s entry
Checking for any policy objects with missing

124

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

dm_sysobject_r entries
Checking for policy objects with missing dm_policy_r
entries
Checking for policy objects with missing dm_policy_s
entry
################################################
##
##
## CONSISTENCY_CHECK: FullText
##
##
Start Time: 09-10-2002 10:16:11
##
################################################
Checking for tdk index objects that point to
non-existent fulltext index objects
Checking for any tdk collect objects that point to
non-existent tdk index objects
Checking for any fulltext index objects that point
to non-existent tdk index objects
Checking for any tdk index objects that point to
non-existent tdk collect objects
Checking for any non-orphaned dmr_content objects
that point to types that do not exist
Checking for any non-orphaned dmr_content objects
that point to non-existent formats
Checking for any dmr_content objects that point to
a non-existent fulltext index
Checking for any fulltext index propertys that are
no longer in dm_type
#################################################
##
##
## CONSISTENCY_CHECK: Indices
##
##
Start Time: 09-10-2002 10:16:11
##
#################################################
Checking for dmi_index objects that reference
non-existent types
Checking for types with non-existent dmi_index
object for <type>_s table
Checking for types with non-existent dmi_index
object for <type>_r table
Checking for index objects with invalid property
positions
################################################
##
##
## CONSISTENCY_CHECK: Methods
##
##
Start Time: 09-10-2002 10:16:11
##
################################################
Checking for java dm_method objects that reference
jview
Consistency Checker completed successfully
Total number of inconsistencies found: 5
Disconnected from the server.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

125

Managing Repositories

Adding repositories
Adding repositories requires creating a repository running the Documentum Server Manager on
Windows platforms or the Content Server configuration program on UNIX or Linux platforms.

To create a repository on Windows platforms:


1.

Start the Documentum Server Manager by selecting Start > Programs > Documentum >
Documentum Server Manager.

2.

Click the Utilities tab, then click Server Configuration.


The Content Server Configuration Program starts.

3.

Click Next and follow the configuration instructions on the screen.

To create a repository on UNIX or Linux platforms:


1.

Start the Content Server configuration program.

2.

Follow the instructions in the Content Server configuration sections to create new repositories.

For more information about pre-installation checklists and the Content Server configuration options,
refer to the Content Server Installation Guide.

Federations
A federation is a set of two or more repositories bound together to facilitate the management of a
multi-repository distributed configuration. Federations share a common name space for users and
groups and project to the same connection brokers.
Global users, global groups, and global permission sets are managed through the governing
repository, and have the same property values in each member repository within the federation. For
example, if you add a global user to the governing repository, that user added to all the member
repositories by a federation job that synchronizes the repositories.
One enterprise can have multiple repository federations, but each repository can belong to only one
federation. Repository federations are best used in multi-repository production environments where
users share objects among the repositories. We do not recommend creating federations that include
production, development, and test repositories, because object types and format definitions change
frequently in development and test environments, and these must be kept consistent across the
repositories in a federation.
The repositories in a federation can run on different operating systems and database platforms.
Repositories in a federation can have different server versions; however, the client running on the
governing repository must be version-compatible with the member repository in order to connect to it.
To create or modify federations, you do not have to be connected to a repository in the federation.
To add a repository to a federation, your Documentum Administrator connection broker list must
include a connection broker to which the particular repository projects.
Before you set up a repository federation, refer to the appropriate chapters in the Distributed
Configuration Guide.

126

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Creating or modifying federations


Use these instructions to create a federation. Before you create a federation, obtain the user name and
password of a superuser account in each repository.
All repositories in a federation must project to the same connection brokers. When you create a
federation, Documentum Administrator updates the connection broker projection information in the
server configuration object for each member repository. No manual configuration is necessary.
The repositories in a federation can run on different operating systems and database platforms.
Repositories in a federation can have different server versions; however, the client running on the
governing repository must be version-compatible with the member repository in order to connect to it.
For more information on federations, refer to the Distributed Configuration Guide.

To create or modify a federation:


1.

Navigate to Administration > Basic Configuration > Federation.


The Federations list page appears.

2.

Do one of the following:


Select File > New > Federation to create a federation.
The New Federation Configuration page appears.
Select the governing repository of the new federation from the repository list and click Next.
If you do not see a particular repository on the page, that repository is already a member
of a federation.
Select the federation to modify and then select View > Properties > Info.

3.

Type the name and password of a user who has superuser privileges in the governing repository
and click Next to access the New Federation Configuration - Info or page or the Federation
Configuration Properties - Info page.

4.

Enter information for the federation, as described in Table 22, page 127.

5.

Ensure that all repositories project to the same connection brokers.

Table 22. Federation properties

Field

Description

Info tab
Name

Type the name of the new federation.

Make All Governing


Repository Users & Groups
Global

Select to make all users and groups in the governing repository


global users and global groups.

Active

This option is available if you are modifying an existing federation.


To change the status of an existing federation, select or clear the
Active checkbox.

User Subtypes tab

EMC Documentum Content Server Administration and Configuration 6.7 Guide

127

Managing Repositories

Field

Description

Add

Click Add to add user subtypes.


If there are user subtypes in the repository, a list of user subtypes
is displayed on the Choose a user subtype page. Select the user
subtypes to propagated to member repositories.

Members tab
Add

Click Add to add member repositories.


Select the repositories that you want to be member repositories
and click Add.
To remove any member repositories from the Selected Items list,
select them and then click Remove.

Name

The login name of a superuser account that is configured for the


repository.

Password

The password of a superuser account this is configured for the


repository.

Skip this member and


continue authentication

Select this option if you want to skip entering the name and
password at this time.

Adding or deleting federation members


You can add or delete federation member repositories using the Members tab on the Federation
Configuration Properties page.

To add or delete federation members:


1.

Connect to a repository using the same connection broker as at least one of the member
repositories.

2.

Navigate to Administration > Basic Configuration > Federations.


The Federations list page appears.

3.

Select the federation to modify and then select View > Properties > Info.

4.

Type the name and password of a user who has superuser privileges for the federation.
The Federation Configuration Properties - Info page appears.

5.

Click the Members tab to access the Federation Configuration Properties - Members page.

6.

Do one of the following:


To add a member repository, click the Add link to access the Choose Member Repositories
page.

128

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Repositories

Locate the repository that you want to add, select the checkbox next to the repository name,
then click Add and OK. Type the name and password of a user who has superuser privileges
in the new member repository and click OK.
To delete a member repository, select the checkbox next to any members that you want to
remove and click the Remove link, then click OK.
7.

Click Finish.

Deleting Federations
Use these instructions to delete a federation. Alternatively, you can make a federation inactive by
accessing the Info page of the federation and clearing the Active checkbox.

To delete a federation:
1.

Navigate to Administration > Basic Configuration > Federations.

2.

Select the federation to delete.

3.

Select File > Delete.

4.

Type the user ID and password of a superuser in the governing repository.

5.

Click OK.
The federation is deleted.

Connecting to the governing repository or a federation


member
On this page, provide the login information for the governing repository or a federation member.

To connect to a federation member:


1.

Type the user name and password of a superuser in the repository.

2.

If necessary, type in the domain where the user is authenticated.

3.

Click Next or OK.

Choosing user subtypes


On the New Federation Configuration - User Subtypes or Federation Configuration Properties User Subtypes page, choose user subtypes to be propagated to all members of the federation. The
type itself must be created in each repository in the federation. This page ensures that users of that
particular subtype are propagated to the member repositories.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

129

Managing Repositories

To choose user subtypes:


1.

Click Add to access the Choose a user subtype page to designate the user subtypes to propagate
to member repositories.
If there are user subtypes in the repository, the system displays a list of user subtypes.

2.

To jump to a subtype or group of subtypes, type the first few letters of the type name in the
Starts with field and click Go.
To view more pages, click the forward and back buttons.
To view more subtypes on one page, select a different number from the Show items list box.

3.

Select the subtypes and then click Add.

4.

To deselect subtypes, select them in the right-hand column and click Remove.

5.

Click OK to accept the user subtypes or Cancel to return to the New Federation Configuration User Subtypes or Federation Configuration Properties - User Subtypes page.

Choosing repository federation members


On this page, select the members of a repository federation. The repositories listed are all repositories
not already in a federation that are known to all the connection brokers in your preferences. You can
sort the list of repositories by repository name or connection broker.

To select the members of a repository Federation:


1.

To jump to a particular repository or group of repositories, type the first few letters of the
repository name in the Starts with field and click Go.

2.

To view more pages, click the forward and back buttons.

3.

To view more repositories on one page, select a different number from the Show items list box.

4.

To select members, select the checkboxes next to their names and click Add.

5.

To deselect members, select them in the right-hand column and click Remove.

6.

Click OK.

130

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 5
Managing Sessions

This chapter contains the following topics:


The dfc.properties file, page 131
Managing connection requests, page 132
Modifying the connection request queue size , page 133
Stopping a session server, page 133

The dfc.properties file


The dfc.properties file contains most of the configuration parameters that specify how DFC handles
repository sessions. The configuration parameters are stored as a key and a corresponding value.
For example, the dfc.properties file contains keys that specify which connection brokers are used to
obtain a session, how many sessions are allowed for one user, and enable persistent client caching.
Many keys have default values, but some must be explicitly set by an administrator or application.
Some of the keys in the file are dynamic that affect open sessions. Changing non-dynamic keys
affects only future sessions. By default, Content Server checks every 30 seconds for changes in
the dfc.properties file.
The dfc.properties keys and associated values are described in the dfcfull.properties file, which is
installed with DFC. The keys in the dfc.properties file have the following format:
dfc.category.name=value

The category identifies the functionality, feature, or facility that the key controls. When adding a key
to the dfc.properties file, both the category and the name, in addition to a value must be specifies.
For example:
dfc.data.dir= value
dfc.tracing.enable= value
dfc.search.ecs.broker_count = value

For EMC Documentum web-based products, the dfc.properties file is packaged in the application
WAR file.
For desktop applications and Content Server, the dfc.properties file is installed in the
C:\Documentum\Config directory on Windows hosts, and the $DOCUMENTUM_SHARED/config
directory on UNIX hosts. The file can be edited using any text editor.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

131

Managing Sessions

The dfc.properties file is a standard Java properties file. If a key value has a special character, use a
backslash (\) to escape the character. In directory path specifications, use a forward slash (/) to
delimit directories in the path.

Managing connection requests


When a client requests a connection, the request is sent to a connection broker, which returns server
connection information to the client. There must be at least one connection broker identified in the
dfc.properties file of the client. If multiple connection brokers are defined in the file, the system uses
the additional connection brokers for backup or failover.
To specify a connection broker in the dfc.properties file, use the following keys:
dfc.docbroker.host[n]=host_name|IP_address
#required
dfc.docbroker.port[n]=port_number
#optional

The [n] is a numeric index, where n is an integer starting with 1. All keys for a particular connection
broker must have the same numeric index. If there are entries for multiple connection brokers, DFC
contacts the connection brokers in ascending order based on the numeric index by default.
The host_name is the name of the machine on which the connection broker resides. The IP_address is
the IP address of the machine.
The port is the TCP/IP port number that the connection broker is using for communications. The
port number defaults to 1489 if it is not specified. If the connection broker is using a different port,
you must include this key.
The following example defines two connection brokers for the client. Because lapdog is not using the
default port number, the port number is also specified in the file:
dfc.docbroker.host[1]=bigdog
dfc.docbroker.port[1]=1489
dfc.docbroker.host[2]=lapdog
dfc.docbroker.port[2]=1491

Only the host specification is required. The other related keys are optional.
If you add, change, or delete a connection brokers keys, the changes are visible immediately. You
do not have to restart your session.

Defining the secure connection default for


connection requests
All connections between Content Server and a client application are either secure or native
(unsecured) connections. Which option is used for a particular connection depends on how the server
is configured and what sort of connection is requested by the client application when it attempts to
obtain a session. If the request does not specify what type of connection is requested, the connection
type specified in the dfc.properties file, in the dfc.session.secure_connect_default key, is used.

132

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Sessions

There are four possible settings for this key:


native
Only a native connections are allowed. If DFC cannot establish a native connection, the connection
attempt fails.
secure
Only secure connection are allowed. If DFC cannot establish a secure connection, the connection
attempt fails.
try_secure_first
A secure connection is preferred, but a native (unsecured) connection is excepted. DFC attempts
to establish a secure connection first. If it cannot, it tries to establish a native connection. If that
also fails, the connection attempt fails.
try_native_first
A native connection is preferred, but a secure connection is also accepted. DFC attempts to
establish a native connection first. If it cannot, it tries to establish a secure connection. If that also
fails, the connection attempt fails.
The default setting for the key is try_native_first.
Specifying a connection type in the application overrides the default setting in the
secure_connect_default key. For information on how to specify it in an application, refer to the DFC
Development Guide. For information about configuring the server default for connections, refer the
Secure Connect Mode property in Modifying general server configuration information, page 57.

Modifying the connection request queue size


Content Server creates a socket listener for incoming connection requests. By default, the maximum
backlog queue value is 200. The value can be changed on Windows platforms by modifying the
listener_queue_length key in the server.ini file. The key must be a positive integer value. Content
Server passes the specified value to the listen () Windows Sockets call.

Stopping a session server


A kill method should be used to shut down a session server. Using a kill method requires system
administrator or superuser privileges and the session ID. The session ID can be obtained using the
LIST_SESSIONS or SHOW_SESSIONS administration method. For more information about the
administration methods, refer to the DQL Reference.
A session can be terminated in one of three ways:
Default kill
The default kill provides the least disruption to the end user. The targeted session terminates when
it has no more open transactions and no more open collections. The client remains functional.
After current request kill

EMC Documentum Content Server Administration and Configuration 6.7 Guide

133

Managing Sessions

An after current request kill provides a safe and more immediate means of terminating a session.
If the session is not currently executing a request, the session is terminated. Transactions can be
rolled back and collections can be lost.
Unsafe kill
An unsafe kill can be used to terminate a session when all other techniques have failed and should
be used with caution. It can result in a general server failure.

134

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 6
Managing Java Method Servers

This chapter contains the following topics:


Java Method Servers, page 135
Java methods, page 140
Recording Java method output, page 140
Deploying Java methods, page 141

Java Method Servers


EMC Documentum includes Java Method Server (JMS), a customized version of JBoss to execute
Content Server Java methods. One Java Method Server is installed with each Content Server
installation. You can use Documentum Administrator to modify existing Java Method Servers,
but you cannot add new Java Method Servers from the Documentum Administrator interface. To
add a Java Method Server, you have to run the Content Server Configuration Program. For more
information about installing multiple Content Servers, Java Method Servers, and the supported JMS
failover configurations, refer to the Content Server Enterprise Edition Installation Guide.
EMC Documentum provides a servlet called DO_METHOD to execute Documentum Server methods.
The compiled servlet code is found in the mthdservlet.jar file located on the same host as Content
Server. The file contains the IDmMethod class. Java Method Server runs as an independent process.
The process can be stopped or started without recycling the Content Server. On Windows platforms,
the Java Method Server can be run as a Windows service or as a process.
The method server itself is a Java-based web application. Each time a method is invoked, the Content
Server makes an HTTP request passing the name of the Java class which implements the method
along with any specified arguments to a servlet which knows how to execute the specified method.
Note: The Java method server can also be used to execute Java methods that are not associated with a
method object. Use an HTTP_POST administration method to send the request to the Java method
server. For details about the administration method, refer to the Content Server DQL Reference Manual.
Documentum Administrator provides a Java Method Server configuration page for
Viewing and updating Java Method Servers.
Associating Content Servers with Java Method Servers.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

135

Managing Java Method Servers

Viewing the Java Method Server status information in the Content Server memory cache.
Resetting the Java Method Server information in the Content Server memory cache.

Viewing Java method server information


All available Java Method Servers (JMS) are displayed on the Java Method Server Configuration
page. Users with superuser or system administrator privileges can access the Java Method Server
Configuration page. To access the page, log into a repository and navigate to Administration >
Basic Configuration > Java Method Servers.
Each JMS is represented by a JMS configuration object. The Java Method Server Configuration page
displays information for all Java method server configuration objects in the repository, as described
in Table 23, page 136.
Table 23. Java method server information

Column label

Description

Name

The name of the JMS configuration object.

Is Enabled

Specifies whether the Java method server is enabled or disabled.

Associated Content Servers

The Content Server with which the JMS configuration object is


associated.

The Tools menu on the Java Method Server Configuration page also provides the option to view
information about all active Java method servers. Select Tools > Active Java Method Servers List to
display the Active Java Method Servers List page. For more information, refer to Viewing active Java
method servers, page 138.

Modifying a Java Method Server configuration


Only users with superuser privileges can modify Java Method Server (JMS) configurations.

To modify Java method server configuration:


1.

Log in to the repository for which you want to modify the JMS configuration.

2.

Select Administration > Basic Configuration > Java Method Servers


Java Method Server Configuration page displays.

3.

Select the JMS configuration you want to modify, then select View > Properties > Info or
right-click the JMS configuration object and select Properties.
The Java Method Server Configuration Properties page displays.

4.

136

View or modify the information for the JMS configuration, as described in Table 24, page 137.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Java Method Servers

Table 24. JMS configuration information

Field label

Description

Name

The name of the JMS configuration.

Enable

Enables or disables the JMS.


Select this option to enable the JMS configuration or deselect
to disable the JMS.

Associated Content Servers


Content Server

The list of Content Servers that is associated with the JMS


configuration.
A JMS configuration can be associated with one or more
Content Servers. For more information about installing
multiple Content Servers, Java Method Servers, and the
supported JMS failover configurations, refer to the Content
Server Enterprise Edition Installation Guide.

Content Server location

Specifies whether the JMS is associated with a remote Content


Server. Valid values are:
Java Method Server for primary Content Server: The
associated Content Server is local.
Java Method Server for secondary (or additional) Content
Server: The associated Content Server is remote (RCS).

Add

Click Add to add and associate a Content Server with the JMS
configuration.
The Servlet URL Editor page displays. Select the Content
Server and intended purpose, as described in Adding or
modifying associated Content Servers, page 138.

Edit

Select the Content Server and click Edit to modify the Content
Server associated with the JMS configuration.
The Servlet URL Editor page displays. Modify the intended
purpose, as described in Adding or modifying associated
Content Servers, page 138.

Remove

Select the Content Server and click Remove to remove the


Content Server from the JMS configuration.

Java Method Server Servlet URLs


Name

The name of the Java servlet.

URL

The location of the Java servlet.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

137

Managing Java Method Servers

Adding or modifying associated Content Servers


Use the Associated Content Servers page to add or modify Content Servers that are associated with a
Java Method Server.

To add or modify associated Content Servers:


1.

Log in to the repository for which you want to create the JMS configuration.

2.

Select Administration > Basic Configuration > Java Method Servers


Java Method Server Configuration page displays.

3.

Select the JMS configuration you want to modify, then select View > Properties > Info or
right-click the JMS configuration object and select Properties.
The Java Method Server Configuration Properties page displays.

4.

Do one of the following:


Click Add to associate a Content Server with the JMS.
Select a Content Server and click Edit to modify the failover behavior for the JMS.
The Associated Content Servers page displays.

5.

Enter the Content Server and JMS failover information, as described in Table 25, page 138.

Table 25. Associated Content Servers information

Column label

Description

Content Server

The name of the Content Server associated with the JMS.


To add a Content Server, select the Content Server from the
drop-down list.
The drop-down list displays Content Server that were previously
installed on the host machine using the Content Server Configuration
program. For more information about installing multiple Content
Servers, Java Method Servers, and the supported JMS failover
configurations, refer to the Content Server Enterprise Edition
Installation Guide.

Content Server location

Specifies whether the JMS is associated with a remote Content


Server. Valid values are:
Java Method Server for primary Content Server: The associated
Content Server is local.
Java Method Server for secondary (or additional) Content
Server: The associated Content Server is remote.

Viewing active Java method servers


All active Java method servers are displayed on the Active Java Method Servers List.

138

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Java Method Servers

To display all active Java method servers:


1.
2.

Log in to a repository and navigate to Administration > Basic Configuration > Java Method
Servers.
Select Tools > Active Java Method Servers List.
The Active Java Methods Servers List page displays with the information described in Table 26,
page 139.
To reset the information on the Active Java Methods Servers List page, click Refresh.

Table 26. Active Java method server information

Field label

Description

Associated Content Server

The Content Server with which the JMS cache is associated.

Last Refreshed Time

The last time the Content Server JMS cache was reset.

Incremental Wait Time on Failure

The time Content Server waits before contacting the JMS, if


the JMS fails to respond.
The wait time is doubled each time the JMS fails to respond
until the maximum wait time is reached.

Maximum Wait Time on Failure

The maximum wait time Content Server keeps trying to


contact the JMS, if the JMS fails to respond.

Java Method Server in Use

The name of the active Java method server that was used last
time.

Java Method Servers associated


with the Content Server
Name

The name of the JMS configuration object.

Is Enabled

Specifies whether the Java method server is enabled or


disabled.

Status

The current status of the JMS configuration object.

Content Server location

Specifies whether the JMS is associated with a remote Content


Server. Valid values are:
Java Method Server for primary Content Server: The
associated Content Server is local.
Java Method Server for secondary (or additional) Content
Server: The associated Content Server is remote.

Last Failure Time

The last time the JMS failed to respond.

Next Retry Time

The next time the Content Server tries to contact the JMS, if
the JMS fails to respond.

Failure Count

The number of times the JMS failed to respond.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

139

Managing Java Method Servers

Java methods
Technically, all EMC Documentum Java methods are simple Java classes. A plain Java class becomes a
Java method if it implements either the IDfMethod or IDmMethod interfaces. If a program starts a
repository session, the program should call an explicit Disconnect when the session is finished.
Methods are deployed as a BOF module and executed on a Java method server. The methods must
have the following property values:
The method must implement the IDfMethod interface.
The module must be a simple module, one which implements the IDfModule interface.
The method_verb property of the dm_method object must be set to the module name, not the
class name.
The method_type property must be set to Java.
The use_method_server property must be set to T (TRUE).
The run_as_server property must be set to T (TRUE).
Note: UNIX users who are authenticated against a Windows domain cannot execute methods
under their own accounts. All methods executed by such users must be run with run_as_server
set to TRUE.
Note: Documentum does not provide basic support for resolving problems encountered when
creating or executing custom Java methods or classes. For help, contact Developer Support or
Documentum Professional Services.

Recording Java method output


If the DO_METHOD method is executed on the Java method server, Documentum recommends to
include the IDmMethod interface in the program. The interface saves the response to the repository
in a document. The interface can also be used to capture error or trace messages from the Java
method or servlet.
package com.documentum.mthdservlet;
import java.io.OutputStream;
import java.util.Map;
/**
* Interface for Java Methods that are invoked by the
* Documentum Content Server.
*
*/
public interface IDmMethod
{
/**
* Serves as the entry point to a Java method (installed
* in application server) executed by the Content
* Server DO_METHOD apply method.
*
* @param parameters A Map containing parameter names as keys
* and parameter values as map values.The keys in the parameter
* are of type String.
* The values in the parameter map are of type String array.

140

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing Java Method Servers

* (This map corresponds to the string ARGUMENTS passed by the


* DO_METHOD apply call.)
*
* @param output OutputStream to be sent back as the
* HTTP response content, to be saved in the repository
* if SAVE_RESULTS was set to TRUE in the DO_METHOD apply call.
* NOTE: This output stream is NULL if the DO_METHOD was
* launched asynchronously. Always check for a null before
* writing to the OutputStream.
*/
public void execute(Map parameters, OutputStream output) throws
Exception;
}

Deploying Java methods


Java methods are developed as self-contained BOF modules. Developing and deploying a Java
method has the following advantages:
Developers can package and deploy the Java server method implementation in the same DAR
file as the dm_method definition.
The Java method is self contained and is stored automatically in the default location for the
module.
The Java method server does not have to be restarted to implement the method.
Note: We strongly recommend that developers avoid using the dba\java_methods directory to
deploy Java methods.

Adding additional servlets to the Java method


server
To use the HTTP_POST administration method, you must write and install the servlet or servlets that
handles those calls. Use the following procedure to implement such a servlet.

To implement a new servlet:


1.

Write the servlet.

2.

Install the servlet on the Java method server.

3.

Update the server config object for each server from which HTTP_POST methods might originate.
Add the new servlets name to the app_server_name property and the servlets URI to the
app_server_uri property.
Use Documentum Administrator to modify the server config object.

4.

Select Re-initialize.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

141

Managing Java Method Servers

5.

142

Click Check In.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 7
Managing LDAP Servers

This chapter contains the following topics:


LDAP servers, page 143
LDAP Certificate Database Management, page 157

LDAP servers
An LDAP directory server is a third-party product that maintains information about users and
groups. Documentum Content Servers use LDAP directory servers for two purposes:
Manage users and groups from a central location.
Authenticate users.
It is not necessary for all users and groups in a repository to be managed through an LDAP directory
server. A repository can have local users and groups in addition to the users and groups managed
through a directory server. You can use more than one LDAP directory server for managing users
and groups in a particular repository.
Using an LDAP server provides a single place for making additions and changes to users and groups.
Content Server runs a synchronization job to automatically propagate the changes from the directory
server to all the repositories using the directory server.
The LDAP support provided by Content Server allows mapping LDAP user and group attributes to
user and group repository properties or a constant value. When the user or group is imported into
the repository or updated from the directory server, the repository properties are set to the values of
the LDAP properties or the constant. The mappings are defined when Content Server creates the
LDAP configuration. The mappings can be modified later.
Using an LDAP directory server includes the following constraints:
The changePassword method is not supported for users managed through an LDAP directory
server.
Dynamic groups are supported only on Sun Java System directory servers.
The LDAP synchronization job must have at least read access to a unique identifier on the
directory server, as follows:
nsuniqueid on SunDirectory processor
objectguid on Active Directory Server

EMC Documentum Content Server Administration and Configuration 6.7 Guide

143

Managing LDAP Servers

ibm-entryuuid on IBM
guid on Novell
orclguid on Oracle
Apart from the unique identifiers, all the attributes that have been mapped in the LDAP
configuration object should also have read access in the directory server.
For information about certified LDAP servers, refer to the Content Server Release Notes for your
Content Server version.

Viewing LDAP server configurations


LDAP directory server configurations are managed under the Administration > Basic Configuration
> LDAP Servers node. You can configure and map your existing LDAP configuration to a Content
Server. Each LDAP server is associated with an LDAP configuration object. You must have superuser
privileges to create, view, modify, or delete LDAP configuration objects.
Select Administration > Basic Configuration > LDAP Servers to view all primary LDAP servers
that are configured to the repository. If there are no LDAP servers configured to the repository,
Documentum Administrator displays the message No LDAP Server Configurations. Table 27, page 144
describes the properties that are displayed on the LDAP Server Configuration page.
From the LDAP Server Configuration page, you can:
Add new LDAP servers
View or modify existing LDAP server properties
Synchronize LDAP servers
Duplicate an existing LDAP server configuration
Delete existing LDAP servers configurations
Table 27. LDAP Server Configuration page properties

Field label

Value

Name

The name of the LDAP configuration object.

Hostname

The name of the host on which the LDAP directory server is


running.

Port

The port number where the LDAP directory server is listening


for requests..

SSL Port

The SSL port for the LDAP directory server.

Directory Type

The directory type used by the LDAP directory server. .

Import

Indicates if users and groups, groups and member users, or users


only are imported.

Sync Type

Indicates if synchronization is full or incremental.

144

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Field label

Value

Failover

Indicates if failover settings have been established for the primary


server.

Enabled

Indicates whether the LDAP server is active.

Adding or modifying LDAP server configurations


When adding an LDAP directory server to an existing Documentum installation, the users and
groups defined in the LDAP directory server are given precedence. The user or group entry in the
directory server matches a user or group in the repository, the repository information is overwritten
by information in directory server in case synchronization type is set to full synchronization on
Sync and Authentication tab.
To create a new LDAP configuration, you need the following information about the LDAP directory
server:
The name of the host where the LDAP directory server is running
The port where the LDAP directory server is listening
The type of LDAP directory server
The binding distinguished name and password for accessing the LDAP directory server
The person and group object classes for the LDAP directory server
The person and group search bases
The person and group search filters
The Documentum attributes that you are mapping to the LDAP attributes

To add or modify an LDAP server configuration:


1.

Navigate to Administration > Basic Configuration > LDAP Servers.


The system displays the LDAP Server Configuration page.

2.

Do one of the following:


To add an LDAP server configuration, select File > New > LDAP Server Configuration.
To modify an LDAP server configuration, select the LDAP server configuration, then select
View > Properties > Info.

3.

Enter or modify the information on Info tab of the LDAP Server Configuration page, as described
in LDAP Server Configuration properties, page 146.

4.

Click the Sync & Authentication tab and enter or modify the information on the LDAP
Server Configuration - Synch & Authentication page, as described in LDAP Server Sync &
Authentication properties, page 147.

5.

Click the Mapping tab and enter or modify the mapping information on the LDAP Server
Configuration - Mapping page, as described in LDAP Server mapping properties, page 149.

6.

Click the Failover tab and enter or modify the information on the LDAP Server Configuration Failover page, as described in LDAP Server failover properties, page 150.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

145

Managing LDAP Servers

7.

Click Finish when you have completed configuring the new LDAP server.

Content Server creates an ldap<objectID>.cnt password when you create the LDAP configuration
object. If you have more than one Content Server associated with the repository, the password file
must be copied to each Content Server in the environment or authentication fails.

LDAP Server Configuration properties


Table 28, page 146 describes the properties on the Info tab of the LDAP Server Configuration page.
The properties apply to new and existing LDAP configuration objects.
Table 28. LDAP Server Configuration Properties properties

Field

Description

Name

The name of the new LDAP configuration object.


This field is read-only if you are viewing or modifying the
LDAP configuration object.

Status

Select the Enable this LDAP Configuration checkbox to enable


the LDAP configuration.

Directory Type

Refer to the Release Notes for your version of Documentum


Content Server to see which LDAP server versions are
supported.
Options are:
Sun One/Netscape/iPlanet Directory Server (default)
Microsoft Active Directory
Microsoft ADAM
Oracle Internet Directory Server
IBM Directory Server
Novell eDirectory

Hostname / IP Address

The name of the host on which the LDAP directory server is


running.

Port

The port number where the LDAP directory server is listening


for requests.
The default is 389.

Binding Name

146

The binding distinguished name used to authenticate requests


to the LDAP directory server by Content Server or the check
password program.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Field

Description

Binding Password

The binding distinguished password used to authenticate


requests to the LDAP directory server by Content Server or
the check password program.
The Binding Password field only appears on the New LDAP
Server Configuration - Info page.

Confirm Password

If adding a new LDAP server configuration, re-enter the


binding password for verification.
The Confirm Password field only appears on the New LDAP
Server Configuration page.

Set

Click to access the LDAP Server Configuration Properties page


to set the password. This link appears only on the LDAP
Server Configuration Properties - Info page.

Use SSL

Specifies whether SSL is used for authentication.

SSL Port

Specifies the SSL port. This option only displays when the Use
SSLoption is selected.
Enter 636 for the SSL port value.

Certificate Location

Specifies the location of the LDAP certificate database. If you


selected Use SSL, the default location is ldapcertdb_loc.
If you want to store your LDAP certificates at different
location, click the Select link to access the Location Chooser
page and select a different value for the certificate location.
If you are using more than one LDAP server in SSL mode, you
must store the LDAP certificates a single location, as described
in Using multiple LDAP servers in SSL mode, page 159.

Validate SSL Connection

If you selected Use SSL, click to validate that a secure


connection can be established with the LDAP server on the
specified port. If the validation fails, the system displays an
error message and you cannot proceed further until valid
information is provided.

LDAP Server Sync & Authentication properties


Table 29, page 148 describes the properties on the Sync & Authentication tab of the LDAP Server
Configuration page. The properties apply to new and existing LDAP configuration objects.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

147

Managing LDAP Servers

Table 29. LDAP Server Sync & Authentication properties

Field

Description

Import

Specifies how users and groups are imported. Available


options are:
Users and groups (default)
Users only
Groups and member users

Sync Type

Specifies how users and groups are synchronized. Available


options are:
Full: Import all based on user/group mappings (default)
Incremental: Import only new or updated
user/groups/members
If Groups and member users is selected in the Import field
and a group was not updated but any of the group members
were, the incremental synchronization is updating users
identified by the user search filter.

Deleted Users

Specifies whether deleted user accounts are marked inactive.


Available options are:
set to inactive (default)
unchanged

Update Names

Select to Update user names in repository or Update group


names in repository.
The Update group names in repository checkbox is not enabled
if Users Only is selected in the Import field.

User Type

Select a user type. The default is dm_user.

Bind to User DN

Options are:
Search for DN in directory using users login name
Use DN stored with user record in repository (default)

External Password Check

Select to use external password check to authenticate users


to directory.

The LDAP synchronization job must have at least read access to a unique identifier on the directory
server, as follows:
nsuniqueid on Sun One/Netscape/iPlanet Directory Server
objectguid on Microsoft Active Directory Server
ibm-entryuuid on IBM Directory Server
guid on Novell eDirectory
orclguid on Oracle Internet Directory Server

148

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Apart from the unique identifiers, all the attributes that have been mapped in the LDAP configuration
object should also have read access in the directory server.

LDAP Server mapping properties


Table 30, page 149 describes the properties on the Mapping tab of the LDAP Server Configuration
page. The properties apply to new and existing LDAP configuration objects.
Table 30. LDAP Server mapping properties

Field

Description

User Object Class

Type the user object class to use for searching the users in the
directory server.

User Search Base

Type the user search base. This is the point in the LDAP tree
where searches for users start. For example:
cn=Users,ou=Server,dc=sds,dc=inengvm1llc,dc=corp,dc=
emc,dc=com.

User Search Filter

Type the person search filter. This is the name of the filter used
to make an LDAP user search more specific. The typical filter
is cn=*

Search Builder

Click to access the Search Builder page. This page enables you
to build and test a user search filter. When finished, the User
Search Filter field is populated with the resulting filter.

Group Object Class

Type the group object class to use for searching the groups in
the directory server. Typical values are:
For Netscape and Oracle LDAP servers: groupOfUniqueNames
For Microsoft Active Directory: group

Group Search Base

Type the group search base. This is the point in the LDAP tree
where searches for groups start. For example:
cn=Groups,ou=Server,dc=sds,dc=inengvm1llc,dc=corp,dc=
emc,dc=com

Group Search Filter

Type the group search filter. This is the name of the filter used
to make an LDAP group search more specific. The typical filter
is cn=*

Search Builder

Click to access the Search Builder page. This page enables


you to build and test a group search filter. When finished, the
Group Search Filter field is populated with the resulting filter.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

149

Managing LDAP Servers

Field

Description

Property Mapping

When a new configuration is added, this table populates


with the mandatory mapping attributes. The mappings are
dependent upon the directory type. This table defines the
pre-populated attributes and their mappings. All mapping
types are LDAP Attribute.

Add

Click to access the Map Property page to add an attribute.


From there, select a Documentum attribute, then select the
LDAP attribute to which the Documentum attribute maps or
type in a custom value.

Edit

Select an attribute and then click Edit to access the Map


Property page. On the Map Property page, edit the attribute
properties.

Delete

Select an attribute and then click Delete to remove an attribute.


The system displays the Deletion Confirmation page.

Repository Property

Displays the repository property that is the target of the


mapping.

Type

Identifies the source of the property: User or Group.

Map To

Displays which attributes on LDAP that the property is


mapped to.

Map Type

Identifies the type of data: LDAP attribute, expressions, or a


fixed constant.

Mandatory

Indicates if the mapping is mandatory for the attribute.


Content Server requires three properties to be defined for a user
and one property to be defined for a group. The mandatory
properties are:
user_name
user_login_name
group_name
You can change the defaults, but you must provide some value
or mapping for these properties. Users cannot be saved to the
repository without values for these three properties, nor can a
group be saved to the repository without a group name.

LDAP Server failover properties


Table 31, page 151 describes the properties on the Failover tab of the LDAP Server Configuration
page. The properties apply to new and existing LDAP configuration objects.

150

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Table 31. LDAP Server failover properties

Field

Description

Failover Settings

Use this section to enter settings for the primary LDAP server.

Retry Count

The number of times Content Server tries to connect to the


primary LDAP server before failing over to a designated
secondary LDAP server. The default is 3.
If the retry count value is set to 0, Content Server immediately
reports that it failed to contact the primary LDAP directory
server.

Retry Interval

Enter an interval number and select a duration (seconds,


minutes, or hours) between retries. The default is at 3 seconds.
Content Server fails to bind to the primary LDAP directory
server, it waits the number of seconds specified before
attempting to bind to the primary LDAP directory server
again.

Reconnect

Enter an interval number and select a duration (seconds,


minutes, or hours) after a failover for the system to try to
reconnect to the primary LDAP server.
The default is set at 5 minutes.

Secondary LDAP Servers

Specifies secondary LDAP servers.


To add a new secondary LDAP server, click Add. The
Secondary LDAP Server page is displayed.
To modify an existing secondary LDAP server, select the
checkbox next to the name and click Edit. The Secondary
LDAP Server page is displayed.
To delete an existing secondary LDAP server, select the
checkbox next to the name and click Delete.
To reorder the list of LDAP servers, click Move Up or Move
Down.

Name

Name of the secondary LDAP server.

Hostname

The name of the host on which the secondary LDAP directory


server is running.

Port

The port information.

SSL Port

The SSL port number.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

151

Managing LDAP Servers

Mapping LDAP Servers


LDAP directory servers allow you to define attribute values for user and group entries in the directory
server. Content Server supports mapping those directory server values to user and group properties
in the repository. Using mapping automates setting user and group properties.
Mappings between LDAP attributes and repository properties are defined when you create the LDAP
configuration object. You can map the LDAP values to the following properties:
System or user-defined properties
Multiple directory values to a single repository property, using an expression.
For example, the following expression uses the LDAP attributes sn and given name to generate a
user_address value:
${sn}_${givenname#1}@company.com

If the users sn (surname) is Smith and the given name is Patty, the expression above resolves to
smith_p@company.com. The 1 at the end of given name directs the system to only use the first
letter of the given name.
You can specify an integer at the end of an LDAP attribute name in an expression to denote that you
want to include only a substring of that specified length in the resolved value. The integer must be
preceded by a pound (#) sign. The substring is extracted from the value from the left to the right. For
example, if the expression includes ${sn#5} and the surname is Anderson, the extracted substring
is Ander.
Values of repository properties that are set through mappings to LDAP attributes can only be
changed either through the LDAP entry or by a user with superuser privileges.
Note: Changing mappings for the user_name, user_login_name, or group_name after the user or
group is synchronized for the first time is not recommended. Doing so may cause inconsistencies in
the repository.
Table 32, page 152 contain examples of how the Attribute Map page for LDAP configurations is
typically completed for Netscape iPlanet, Oracle Internet Directory Server, and Microsoft Active
Directory LDAP servers.
Table 32. Netscape iPlanet, Oracle Internet Directory Server, and Microsoft Active Directory example

DM attribute

DM type

LDAP attribute

Type

user_name

dm_user

cn

user_login_name

dm_user

uid

152

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Mapping guidelines
The following rules apply when mapping LDAP group or user attributes to a repository property:
In expressions, spaces are not required between references to LDAP attributes due to the bracket
delimiter. If there is a space between mapped values, it appears in the result of the mapping.
The length of the expression mapped to a single repository property cannot exceed 64 characters.
Expressions that exceed 64 characters are truncated. The expression is recorded in the map_val
property of the ldap config object. This property has a length of 64.
All standard Documentum property lengths apply to the mappings. For example, the mapping
string for user_name must resolve to 32 characters or less.

Using Search Builder


Access the Search Builder page by clicking the Search Builder button on the Mapping tab of the New
LDAP Server Configuration or LDAP Server Configuration Properties page.
The Search Builder page enables you to build and test a user or group search filter. You can enter up
to ten lines of search criteria. When finished, the User Search Filter or Group Search Filter field is
populated with the resulting filter.

Adding or modifying repository property mapping


On the Map Property page, you can add or modify mapping properties.

To add or modify repository property mapping:


1.

Access the Map Property page.

2.

Select a repository property to map.

3.

In the Map To section, select the LDAP property to which the repository property maps or
type a custom value. Options are:
Single LDAP Attributes: If selected, select an LDAP attribute from the drop-down list.
Fixed Value: If selected, type a custom value.
Expression: If selected, type an expression and select an LDAP attribute reference from the
drop-down list. Click the Test Expression button to test.

4.

In the Reject User/Group section, select to reject synchronization of any LDAP user or group.
Options for when to reject synchronization are:
Is empty or has insufficient characters
Is empty
Never reject any user/group

5.

Click OK to save the changes or click Cancel.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

153

Managing LDAP Servers

Configuring secondary LDAP servers


You can configure Content Server to use other LDAP directory servers for user authentication in the
event that the first LDAP directory server is down. By default, the primary LDAP server handles all
user authentication requests. However, if Content Server fails to bind to the primary LDAP directory
server, you can define a way for it to bind to secondary LDAP servers, authenticate users, and then
reattempt the connection with the primary LDAP directory server.
Enter the information for the secondary LDAP server, as described in Table 33, page 154.
Table 33. Secondary LDAP Server page properties

Field

Description

Name

Enter the name of the secondary LDAP server.

Hostname / IP Address

Type the name of the host on which the secondary LDAP


directory server is running.

Port

The port information is copied from the primary LDAP server.

Binding Name

The binding name is copied from the primary LDAP server.

Binding Password

Type the binding distinguished password used to authenticate


requests to the secondary LDAP directory server by Content
Server or the check password program.

Confirm Password

Re-enter the binding password for verification.

Bind to User DN

The bind to user DN information is copied from the primary


LDAP server.

Use SSL

The SSL information is copied from the primary LDAP server.

SSL Port

The SSL port number is copied from the primary LDAP server.

Certificate Location

The certificate location is copied from the primary LDAP


server.

Changing the binding password


Change the binding password for LDAP directories on the LDAP Server Configuration Properties
page. Access this page by clicking the Change link on the Info tab of the LDAP Server Configuration
Properties page.

To change the binding password


1.

In the Password field, type the binding distinguished name used to authenticate requests to the
LDAP directory server by Content Server or the check password program.

2.

In the Confirm Password field, re-enter the binding password for verification.

3.

Click OK to save the changes or click Cancel.


The system displays the LDAP Server Configuration Properties - Info page.

154

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Forcing LDAP server synchronization


Use the instructions in this section to synchronize LDAP servers.
The Synchronize Now option calls the SBO API to synchronize the LDAP configuration. The type of
synchronization is determined by the first_time_sync flag on the LDAP configuration object.

To synchronize LDAP servers:


1.

Select Administration > Basic Configuration > LDAP Servers to access the LDAP Server
Configuration list page.

2.

Select the LDAP servers to synchronize and then select File > Synchronize Now to force
synchronization of the selected servers.

Duplicating LDAP configurations


Use the instructions in this section to duplicate LDAP configurations.
Use the Save As option to create a copy of an LDAP configuration. The new LDAP configuration
contains all the details of the original configuration object except for the secondary, or failover,
servers. Secondary servers cannot be shared by the primary server.

To duplicate LDAP servers:


1.

Select Administration > Basic Configuration > LDAP Servers to access the LDAP Server
Configuration list page.

2.

Select the LDAP server to duplicate and then select File > Save As.
The system opens a new LDAP server dialog with attributes copied from the selected LDAP
Server configuration object.
Note: The Duplicate option is not available if you select more than one server.

Deleting LDAP configurations


Use the instructions in this section to delete an LDAP configuration. You must be a superuser to
delete an LDAP configuration.
Before deleting an LDAP configuration object, note the following potential consequences:
If you delete an LDAP configuration object that is referenced by a Content Servers server
configuration object, the Content Server cannot use that LDAP server to authenticate users and
there is no default LDAP object referenced in the server configuration object.
If you delete an LDAP configuration object that is referenced by a Content Servers server
configuration object and by user or group objects, the server cannot use the LDAP server to
authenticate users, no default LDAP object is referenced in the server configuration object, and
user and group objects referencing the LDAP object cannot be updated correctly.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

155

Managing LDAP Servers

If you delete the LDAP configuration object, you must manually update user and group objects
referencing the LDAP object so that the users and groups can be authenticated with a different
authentication mechanism. To locate users referencing the LDAP configuration object, click User
Management > Users and search by typing the LDAP Config object name in the User Login
Domain field.

To delete an LDAP server configuration:


1.

Select Administration > Basic Configuration > LDAP Servers to access the LDAP Server
Configuration list page.

2.

Select the LDAP servers to delete and then select File > Delete.
The system displays the Delete confirmation page.

3.

Click OK to delete the LDAP server configuration or Cancel to return to the LDAP list page
without deleting the configuration.

Using LDAP directory servers with multiple Content


Servers
If multiple Content Servers are running against a particular repository, you must perform some
additional steps to enable LDAP authentication regardless of the particular Content Server to which
a user connects.

To enable LDAP authentication with multiple Content Servers:


1.

Using Documentum Administrator, connect to one of the nonprimary Content Servers.

2.

Navigate to the existing ldap configuration object.

3.

Re-enter the Binding Name and Binding Password for the LDAP directory server.

4.

Save the ldap configuration object.

5.

Perform steps 1 to 4 for each nonprimary Content Server.

LDAP proxy server support


Content Server supports LDAP proxy servers, for use in LDAP configurations. If you are using
Global Catalog in Microsoft Active Directory Server, you have to ensure that all attributes required
during LDAP synchronization are present in the Global Catalog.

156

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Configuring LDAP synchronization for Kerberos users


LDAP synchronization in conjunction with Kerberos SSO authentication can be implemented in two
different ways:
Using an existing LDAP configuration to authenticate Kerberos users.
Creating a new LDAP configuration to authenticate Kerberos users.

To use an existing LDAP configuration to authenticate Kerberos users:


1.

Modify the user login domain attribute in the user object of all Kerberos users to use the short
domain name instead of the name of the LDAP server.
For example, if a Kerberos user is part of the wdkdomain.com domain, change the user login
domain attribute to wdkdomain.

2.

Change the user source attribute in the user object to dm_krb for all Kerberos users that are
synchronized via LDAP, if the password is not in plug-in format. Changing the user source
attribute is optional.

3.

Run the LDAP synchronization job.

To create a new LDAP configuration to authenticate Kerberos users


1.

Create an LDAP configuration object, as described in Adding or modifying LDAP server


configurations, page 145. Use the short domain name as the LDAP configuration object name.
For example, if Kerberos users are part of the wdkdomain.com domain, create an LDAP
configuration object using wdkdomain as the LDAP configuration object name.

2.

Change the user source attribute in the user object to dm_krb for all Kerberos users that are
synchronized via LDAP.

3.

Run the LDAP synchronization job.

LDAP Certificate Database Management


The LDAP Certificate Database Management system enables administrators to:
Import certificates into the LDAP certificate database on the Content Server.
View certificate information in the LDAP certificate database.
Only an administrator who is the installation owner can access the LDAP Certificate Database
Management node.

Downloading certificates
Configuring an LDAP server in SSL mode requires a certificate database on Content Server. The
certutil utility is used to load CA certificates into the database.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

157

Managing LDAP Servers

To download CA certificates:
1.

Download the certutil utility from the following site:


ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

2.

Copy the utility to %DM_HOME%\bin ($DM_HOME/bin).


For more information about the utility, refer to http://www.mozilla.org/projects/security/pki/
nss/tools/certutil.html.

3.

Download CA certificates from the web site of the vendor who provided the directory server with
the SSL server certificate.
You must download the Root Certificate Authority and the issuing certificate authorities all
the way up to the self-signed root certificate.

4.

Create the cert.db file, as follows:


On Windows:
certutil -N -d %DOCUMENTUM%\dba\secure\ldapdb

On UNIX:
certutil -N -d $DOCUMENTUM/dba/secure/ldapdb

5.

Add the Root Certificate Authority to the database and provide the necessary trust level:
certutil -A -n "documentum ldap root" -t "C,C,C" -i rootcert.crt

6.

Install any remaining CA certificates in the chain:


certutil -A -n "documentum ldap sub root" -t "C,C,C" -i subrootcert.crt

Viewing LDAP certificates


Content Server creates a certificate database when an administrator attempts to view the LDAP
Certificate Database List page for the first time and the certificate database is not present at the
certificate location that was specified when the LDAP server was added.

To view LDAP certificates:


1.

Navigate to Administration > Basic Configuration > LDAP Certificate Database Management.
The LDAP Certificate Database List page appears and displays a list of certificates that are
available in the LDAP certificate database.

2.

Select a certificate and then click View > Properties.


The Certificate Info page is displayed.

3.

View the information on the Certificate Info page:


Nickname: The unique name for the certificate.
Valid From: The date from which the certificate is valid.
Valid To: Date up to which the certificate is valid.
Signature Algorithm: The certificate signature algorithm.
Serial Number: The serial number for the certificate.

158

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Managing LDAP Servers

Version
Issuer DN: The distinguished name of the issuer.
Subject DN: The distinguished name for the subject.
4.

Click OK or Cancel to return to the LDAP Certificate Database List page.

Importing LDAP certificates


Use the instructions in this section to import new certificates.

To import LDAP certificates:


1.

Navigate to Administration > Basic Configuration > LDAP Certificate Database Management.
The LDAP Certificate Database List page appears and displays a list of certificates that are
available in the LDAP certificate database.

2.

Select File > Import > LDAP Certificate.


The Import Certificate page appears.

3.

Enter the path and filename of the certificate in the Certificate File Name field.

4.

Click OK.
The system imports the certificate to the certificate database. The system displays an error
message if the certificate import fails.

Using multiple LDAP servers in SSL mode


Content Server supports running more than one LDAP server in SSL mode. However, in this case
all SSL-enabled LDAP configuration objects must point to the same certificate database location.
Otherwise, LDAP synchronization does not work properly.

To set up multiple LDAP servers in SSL mode:


1.

Identify a location for the certificate database.


The default location for the certificate database is the location that is specified in the
ldapcertdb_loc object.

2.

Import all required certificates into the certificate database, as described in Importing LDAP
certificates, page 159.

3.

Modify the certification location field for each LDAP server configuration that uses SSL to point
to the same certificate database location.
By default, Content Server assigns the file path that is specified in the ldapcertdb_loc object.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

159

Managing LDAP Servers

Replacing or removing LDAP certificates


Replacing , deleting or revoking of LDAP database certificates in the LDAP certificate database is
not supported using the LDAP Certificate Management functionality. To update the certificates,
manually remove the existing LDAP certificate database on the Content Server, restart the method
server, then import the new certificates, as described in Importing LDAP certificates, page 159.

160

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 8
Distributed Content Configuration

This chapter contains the following topics:


Network locations, page 161
ACS servers, page 165
BOCS servers, page 171
Configuring distributed transfer settings, page 175
Messaging server configuration, page 177

Network locations
Network locations are a basic building block of a single-repository distributed environment for
web-based clients. Network locations identify locations on a network, and, optionally, a range of
IP addresses, from which users connect to Documentum web clients. For example, a Documentum
installation could include network locations called San Francisco, New York, London, Athens, Tokyo,
and Sydney, corresponding to users in those cities. A network location can also identify specific
offices, network subnets, or even routers.
Network locations are associated with server configuration objects and acs configuration objects. The
server configuration objects and acs configuration objects contain information defining the proximity
of a Content Server or ACS Server to the network location. Content Server uses the information in the
server configuration objects and acs configuration objects and their associated network locations to
determine the correct content storage area from which to serve content to a web client end user and to
determine the correct server to serve the content.
Creating network locations requires superuser privileges. Network locations can be created only in
a repository designated as a global registry, and the name of each location must be unique among
the set of network locations in the global registry. Network locations should be created in the global
registry repository that is defined when DFC is installed on the Documentum Administrator host. If
a network contains multiple global registry repositories, a particular Documentum Administrator
instance only recognizes the global registry that was designated during DFC installation on the
Documentum Administrator host. You can connect to a global registry repository without being able
to create network locations in that global registry.
Use the Administration > Distributed Content Configuration > Network Locations navigation
to access the Network Locations list page. From the Network Locations list page, you can create,
copy, view, modify, and delete network locations.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

161

Distributed Content Configuration

For more information about network locations, refer to the Distributed Configuration Guide.

Creating, viewing, or modifying network locations


Network locations should be created in the global registry repository that is defined when DFC
is installed on the Documentum Administrator host. You must have superuser privileges in the
global registry repository to create network locations. The Distributed Configuration Guide provides
additional information on network locations.
Note: When localhost is in the URL used from a browser on the application server host to access
an application server, it resolves to 127.0.0.1. Unless 127.0.0.1 is included in a network location, the
correct network location is not selected automatically. Therefore, when you create network locations,
include the IP address 127.0.0.1 in a network location if you want to:
Run a browser on the application server host where a WDK application is located.
Use localhost in the URL when accessing the application.
Automatically select the correct network location.

To create, view, or modify network locations:


1.

Log in to the global repository that was created during DFC installation.

2.

Select Administration > Distributed Content Configuration > Network Locations.


The Network Locations page appears.
If you do not see the Network Locations page, you are not connected to the correct global
repository. Click Global Registry Login and connect to the correct repository.

3.

Do one of the following:


Select File > New > Network Location to create a network location.
Select a network location, then View > Properties > Info to view or modify the network
location properties.

4.

Enter or modify the network location properties on the Info tab of the New Network Locations
page or the Network Locations Properties page, as described in Table 34, page 162.

5.

Click OK to save your changes.

Table 34. Network location properties

Field label

Value

Network Location Identifier

An identifier that is used by system and network administrators.


For example, to identify network locations by network subnets.
This field cannot be edited after the network location is created.

Subject

A description of the network location.

162

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

Field label

Value

Default Network Location

Select to display the network location to users whose IP address


is not mapped to a particular network location.
At log-in time, an end user whose IP address is not mapped
to a network location sees a set of possible network locations.
When selected, this network location is on the list from which
the user selects. If there is only one network location with this
checkbox selected, that network location is used automatically
and the user does not see the list.

Network Location Name

A descriptive name of the network location. For example,


the geographical location of the network, such as Paris, San
Francisco. The name is displayed on the login page for
Documentum web clients, such as Webtop, when users must
choose a network location. The display name is not the object
name. The display name can be modified after the network
location is created.

IP Address Ranges

The IP address range identified by the network location. Each


range must conform to standard IP address conventions. A
network location may have multiple IP address ranges. It
is recommended that each IP address is mapped to a single
network location, but if an IP address maps to multiple physical
locations, you may need to map that address to multiple
network locations.
Type the IP address in one of the following formats:
IPv4 address range can be entered by separating the two IP
address with a hyphen(-). For example: x.x.x.x-x.x.x.x where
x is from 0 to 255.
IPv6 address range can be entered by separating
the two IP addresses with a hyphen(-). For
example: x:x:x:x:x:x:x:x-x:x:x:x:x:x:x:x or x:x:x::/y
(ipv6-address/prefix-length) where the xs are the
hexadecimal values of the eight 16-bit pieces of the address
and y is a decimal value specifying how many of the leftmost
contiguous bits of the address comprise the prefix.

Copying network locations


To save time retyping existing information, you can copy a network location file using the Save
As option. To copy a network location, you must be connected to the repository known to DFC
on the Documentum Administrator host as a global registry and you must be logged in as a user
with superuser privileges.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

163

Distributed Content Configuration

To copy a network location:


1.

Connect with superuser privileges to the global registry repository.

2.

Select Administration > Distributed Content Configuration > Network Locations.


The Network Locations page appears.
Note: Click Global Registry Login and connect to the correct repository if you see the following
warning message instead of the Network Locations list page:
Network locations can only be created in repositories that are designated as global registries.
The current repository is not a global registry. Click the link below to log in to the global
registry repository known to DFC on the Documentum Administrator host. You must have
superuser privileges to create network locations.

3.

Select a network location and then select File > Save As.
The Network Location Properties page appears. The fields display the values copied from the
selected network location; however, the Network Location Identifier and Network Location
Name fields display Copy [x] of [name]/[display name] to keep the network location and display
names unique.

4.

Modify the properties on Info tab of the Network Location Properties page.

5.

Click OK to save the changes or Cancel to exit without saving.

Deleting network locations


You must have superuser privileges to delete a network location. Users who connect from a location
that was mapped to a deleted network location are not automatically mapped when they connect to a
web client. If you selected any network locations to be displayed to users who are not automatically
mapped, the users see that list when they log in.
Network locations are used to determine which server provides content files to end users. If the
network location that you are deleting is associated with any BOCS or ACS servers, users at those
locations could not receive content in the most efficient manner possible.
When you delete network locations, references to the network locations in existing server
configuration objects, acs configuration objects, bocs configuration objects, and BOCS caching jobs
are not automatically removed. You must manually remove any references to the deleted network
locations.

To delete network locations:


1.

Connect to the global registry repository known to DFC as a user with superuser privileges.

2.

Select Administration > Distributed Content Configuration > Network Locations.


The Network Locations list page appears. You do not see any network locations listed if you are
not connected to the global registry.
Note: Click Global Registry Login and connect to the correct repository if you see the following
warning message instead of the Network Locations list page:
Network locations can only be created in repositories that are designated as global registries.
The current repository is not a global registry. Click the link below to log in to the global

164

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

registry repository known to DFC on the Documentum Administrator host. You must have
superuser privileges to create network locations.
3.

On the Network Location list page, select the network location to delete.

4.

Note the Network Location Name and Network Location Identifier for the network location.

5.

Select File > Delete.


The Network Location object Delete page appears.

6.

Click OK to delete the selected network location or Cancel to retain the network location.
If deleting multiple network locations, select Next or Finish.

7.

Delete references to the network location from existing server configuration objects, acs
configuration objects, bocs configuration objects, and BOCS caching jobs in the current repository
and any other repositories.

ACS servers
An Accelerated Content Services (ACS) server is a light-weight server that is automatically created
during a Content Server installation. The ACS server reads and writes content for web-based client
applications using HTTP and HTTPS protocols. ACS servers do not modify object metadata but
write content to storage areas.
Each Content Server host installation has one ACS server that communicates with one Content Server
per repository and the Documentum Message Services (DMS) server. A single ACS server can serve
content from multiple repositories. WDK-based applications can use the ACS server if the ACS server
is enabled in the app.xml file of the applications.
Most ACS server properties can be modified using Documentum Administrator. Certain ACS server
behavior is configured the acs.properties file on the ACS server host and cannot be modified by
Documentum Administrator.
The Distributed Configuration Guide provides information on modifying the acs.properties file and
additional information about the ACS server.
The ACS server is configured on the ACS Servers Configuration page that can be accessed in the
Administration > Distributed Content Configuration > ACS Servers node. The ACS Servers
Configuration page displays information about the ACS server, as described in Table 35, page 165.
Table 35. ACS Server Configurations

Column

Description

Name

The name that is assigned to the ACS server during the


Content Server installation. The name cannot be modified.

Content Server

The name of the Content Server the ACS server is associated


with.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

165

Distributed Content Configuration

Column

Description

Content Access

Specifies how the ACS server can access content. Valid values
are:
Access all stores: The ACS server can access all stores that
are connected to the Content Server.
Access local stores only: The ACS server can read content
from local file stores, but is unable to use Surrogate Get to
request content files it does not find in the local file stores.
None (disabled): The ACS server is disabled.

Projections & Stores from


Description

A description of the ACS server.

Viewing or modifying the ACS server configuration


properties
Use these instructions to view or modify information on the ACS Server Configuration Properties
page.

To view or modify ACS servers configuration properties:


1.

Connect as a superuser to the repository in which you want to view or modify the ACS server.

2.

Select Administration > Configuration > ACS Servers.


The ACS Servers Configurations list page appears.

3.

Select the ACS server to view or modify and then select View > Properties > Info.
The ACS Server Configuration Properties - Info page appears.

4.

View or modify properties in the ACS Server Configuration section, as described in Table 36,
page 167.

5.

Click the Projections & Stores tab to view or modify the connection broker projections, network
locations, and local stores information for the ACS server, as described in ACS projections and
stores, page 167.

6.

Click OK to save your changes.

7.

Restart the ACS server.


The ACS server runs in the same servlet container as the Documentum Java method server. You
must manually restart the Java method server on the host where it is installed. You cannot restart
the Java Method Server from Documentum Administrator.
Refer to the Content Server Installation Guide for instructions on stopping and starting the Java
method server.

166

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

Table 36. ACS Server Configuration properties

Field

Description

ACS Server Configuration


Name

The name that is assigned to the ACS server during the


Content Server installation. The name cannot be modified.

Associated Content Server

The name of the Content Server the ACS server is associated


with.

Description

A description of the ACS server.

ACS Server Version

The major and minor version of the ACS server.


The ACS server version indicates the underlying repository
version. For example, 2.2 designates that the ACS server
is bundled with a Documentum 6.6 repository, while 1.0
designates that the ACS server is bundled with a 5.3 SPx
repository.

Content Access

Specifies how the ACS server can access content. Valid values
are:
Access all stores: The ACS server can access all stores that
are connected to the Content Server.
Access local stores only: The ACS server can read content
from local file stores in the repository.
None (disabled): The ACS server is disabled.

ACS Server Connections


Protocol

The protocol the ACS server uses. Valid values are http and
https. Click Add to add a protocol, or select a protocol from the
list and click Edit to modify it or Delete to remove the protocol.

Base URL

The base URL for the ACS server. The base URL requires the
following format:
protocol://host:port/ACS/servlet/ACS

ACS projections and stores


ACS projections and stores are configured on the Projections & Stores page.

To view or modify ACS projections and stores:


1.

Connect with superuser privileges to the repository in which you want to view or modify the
ACS projections and stores.

2.

Select Administration > Configuration > ACS Servers.


The ACS Servers Configurations Properties list page appears.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

167

Distributed Content Configuration

3.

Select the ACS server to view or modify and then select View > Properties > Info.
The ACS Server Configuration Properties - Info page appears.

4.

Click the Projections & Stores tab.

5.

Add or modify the information on the Projections & Stores page, as described in Table 37,
page 168.

6.

Click OK to save your changes.

7.

Restart the ACS server.


The ACS server runs in the same servlet container as the Documentum Java method server. You
must manually restart the Java method server on the host where it is installed. You cannot restart
the Java Method Server from Documentum Administrator.
Refer to the Content Server Installation Guide for instructions on stopping and starting the Java
method server.

Table 37. ACS Projections & Stores properties

Field

Description

Source

Specifies where to use projections and stores for the ACS


server. Valid values are:
Associated content server: The ACS server uses the
connection broker projections, network locations, and local
stores already configured for the associated Content Server.
Settings entered here: You must enter the ACS server uses
connection brokers, network locations, and near stores
manually.
If you select this option, an Add buttons displays in
the Connection Broker Projections, Network Location
Projections, and Local Stores sections.

Connection Broker Projections


Target Host

The host name of the server that hosts the connection broker.
Click Add to add a target host, or select a host from the list and
click Delete to remove the host.
The Documentum connection broker is a process that provides
client sessions with server connection information. Each ACS
server broadcasts information to connection brokers at regular
intervals.

Port

The port number on which the connection broker is listening.

Enabled

Enables projections to the connection broker.

Network Location Projections

168

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

Field

Description

Network Location

Specifies a network location in the global registry of the


Content Server host.
Click Add to add a network location, or select a location from
the list and click Delete to remove the location.
Network locations identify locations on a network, and,
optionally, a range of IP addresses, from which users connect
to Documentum web clients.

Display Name

A name that describes the network location.

Proximity

The proximity value for the network location.

Enabled

Enables projection to that network location.

Local Stores
Local Store

A local store.
Click Add to add a store, or select a store from the list and click
Delete to remove the store.
Local stores are defined as near to the ACS server.

Type

Specifies the storage type associated with the local store. This
property cannot be modified.

Designating connection brokers for an ACS server


Connection broker projections are configured in the Connection Broker Projections section of the ACS
Server Configurations page.

To designate a connection broker for an ACS server:


1.

Connect with superuser privileges to the repository in which you want to view or modify the
connection broker.

2.

Select Administration > Configuration > ACS Servers.

3.

Select the ACS server to view or modify, select View > Properties > Info and click the Projections
& Stores tab.

4.

Enter the information for the connection broker, as described in Table 38, page 170.

5.

Click OK.

6.

Restart the ACS server.


The ACS server runs in the same servlet container as the Documentum Java method server. You
must manually restart the Java method server on the host where it is installed. You cannot restart
the Java Method Server from Documentum Administrator.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

169

Distributed Content Configuration

Refer to the Content Server Installation Guide for instructions on stopping and starting the Java
method server.
Table 38. ACS Connection Broker Projections properties

Field

Description

Source

Specifies where to use projections for the ACS server.


Valid values are:
Associated content server: The ACS server uses the
connection broker projections, network locations,
and local stores already configured for the associated
Content Server.
When this option is selected, you cannot modify the
connection broker projections.
Settings entered here: Select this option to designate
connection broker projections.
If you select this option, an Add buttons displays
in the Connection Broker Projections, Network
Location Projections, and Local Stores sections.

Connection Broker Projections


Target Host

The host name of the server that hosts the connection


broker.
Click Add to add a target host, or select a host from the
list and click Delete to remove the host.
The Documentum connection broker is a process
that provides client sessions with server connection
information. Each ACS server broadcasts information
to connection brokers at regular intervals.

Port

The port number on which the connection broker is


listening.

Enabled

Enables projections to the connection broker.

Choosing network locations


Use the Choose Network Locations page to designate network locations. The network locations
displayed on this page are in the global registry known to DFC on the Documentum Administrator
host.

To add or delete network locations:


1.

170

Select the network locations to add.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

2.

Click the > button.


The network locations move to the right-hand column.

3.

To remove a network location, select it and then click the < button.
The network location moves to the left-hand column.

4.

Click OK to save your changes.

BOCS servers
Branch Office Caching Services (BOCS) servers cache content locally. Caching content allow quick
access to content. The amount of cached content and the storage time can be configured. Content can
also be cached programmatically prior to user requests or through a pre-caching job. A BOCS server
can serve content from multiple repositories.
BOCS servers communicate only with ACS servers and DMS servers, but not directly with
Content Servers. Every BOCS server for Documentum 6 or later repositories is associated with
a dm_bocs_config object. The installation program for the BOCS server does not create the object
at installation time. The BOCS server must be added manually, using the properties on the BOCS
Servers Configuration page. All BOCS configuration objects for Documentum 6 or later repositories
reside in the global registry in the /System/BocsConfig folder.
To create, modify, or view BOCS configuration objects, you must have superuser privileges and
be connected to the global repository that is associated with the DFC installation. If you are not
connected to the global repository and click the BOCS Server node, the system displays an error
message and provides a link to the login page of the global registry repository.

Creating, viewing, or modifying BOCS servers


Use the instructions in this section to create, view, or modify the BOCS configuration object in the
global registry repository after the BOCS server is installed on its host. To create, view, or modify
BOCS configuration objects, you must have superuser privileges and be connected to the global
registry that is associated with the DFC installation.

To create, view, or modify BOCS servers:


1.

Connect to the global registry associated with the DFC installation using superuser privileges.

2.

Navigate to Administration > Distributed Content Configuration > BOCS Servers.


The BOCS Server Configurations list page appears. If you do not see the BOCS Server
Configurations page, you are not connected to the global registry.
Click Global Registry Login and connect to the correct repository.

3.

Do one of the following:


Select File > New > BOCS Server Configuration to create a BOCS server configuration object.
Select a BOCS server configuration object, then select View > Properties > Info to view or
modify a BOCS server configuration object.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

171

Distributed Content Configuration

4.

Enter or modify the information on the Info and Security tabs of the New BOCS Server
Configuration or BOCS Server Configuration page, as described in Table 39, page 172 and
Setting BOCS server security, page 173.

5.

Click Finish or OK to save your changes.

Table 39. BOCS server properties

Field label

Value

BOCS Server Configuration Info


Name

The object name of the BOCS server.


The object name cannot be modified for existing BOCS server
configuration objects.

Description

Description of the BOCS server.

BOCS Server Version

Select a major version and a minor version level of the BOCS


server. For example, select 2 for the major version and select 0
for the minor version level for a BOCS Documentum 6 server.
The major and minor version information indicates to the
distributed content infrastructure what the capabilities are of
the BOCS server.
If you select 1, the Content Access options are limited to Read
Only and None (disabled).

Content Access

Select an access type, as follows:


Read and synchronous write: Select this option for the
BOCS server to support read and synchronous write.
Read, synchronous, and asynchronous write: Select this
option for the BOCS server to support read, synchronous
write, and asynchronous write.

Network Locations

Network locations served by the BOCS server.


Click Select to access the Choose a Network Location page to
select network locations.

Repositories

Select a repository from which to serve content, as follows:


all repositories: Content is served from all repositories.
selected repositories only: Serves content from all
repositories that are specified on the Include list. Click Edit
to add specific repositories.
all except selected repositories: Serves content from all
repositories except the repositories that are specified in the
Exclude list.

172

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

Field label

Value
Click the Edit link to add specific repositories to exclude.

Proxy URL

The BOCS proxy URL. The URL can contain up to 240


characters. The BOCS proxy URL is a message URL that only
DMS uses when BOCS is in push mode.

BOCS Server Connections


Add

Click to access the BOCS Server Connection page to add a


protocol and base URL for the BOCS server.

Edit

Select a communication protocol and then click Edit to access


the BOCS Server Connection page to edit a protocol and base
URL for the BOCS server.

Delete

To delete a BOCS server protocol and base URL, select a


communication protocol and then click Delete.

Protocol and Base URL

The communication protocols used by the BOCS server to


provide content to end users. The HTTP and HTTPS protocols
are supported. The Base URL must be provided when the
BOCS server is created. It is in the form:
protocol://host:port/ACS/servlet/ACS

where protocol is http or https; host is the name of the


computer on which the BOCS server is installed; and port is
the port designated for communications during BOCS server
installation.

Setting BOCS server security


The BOCS server security properties specify whether the BOCS server is in push or pull mode and
whether to upload a public key from the BOCS server.
When the pull mode is enabled, the BOCS server configuration object in the global registry contains
the public key information and generates an electronic signature for the BOCS server to use when
contacting the DMS server. When the BOCS server connects to the DMS server in pull mode, it sends
its electronic signature to DMS where DMS matches the electronic signature to the public key in the
bocs configuration object. If the DMS server authenticates the BOCS electronic signature, the BOCS
server can then pull its messages from the DMS server.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

173

Distributed Content Configuration

Figure 2. New BOCS Server Configuration - Security page

To set BOCS server security:


1.

Connect to the global registry associated with the DFC installation using superuser privileges.

2.

Navigate to Administration > Distributed Content Configuration > BOCS Servers.

3.

Do one of the following:


Select File > New > BOCS Server Configuration to create a BOCS server configuration object.
Enter the BOCS server properties on the Info tab.
Select a BOCS server configuration object, then select View > Properties > Info to view or
modify a BOCS server configuration object.

4.

Click the Security tab and enter, view, or modify the security properties for the BOCS server,
as described in Table 40, page 174.

5.

Click OK to save changes.

Table 40. BOCS server security properties

Field label

Value

Pull Mode Enabled

Specifies whether the BOCS server communicates with the


DMS server using the pull mode. If you select this option,
must also upload the public key file for the DMS server to use
to authenticate the BOCS server.
If this option is not selected, the BOCS server communicates
with the DMS server using the push mode.

Public Key Installed

Displays the last updated status for the public key.

Upload Public Key File

Click Browse to locate and install the public key file for the
BOCS server.

Setting BOCS server communication protocols


On the BOCS Server Connection page, set the communication protocols used by the BOCS server.

174

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

To access the BOCS Server Connection page, click Add or Edit in the BOCS Server Connections
section of the BOCS Server Configuration page. Refer to Creating, viewing, or modifying BOCS
servers, page 171 for instructions.

To set the BOCS server communication protocols:


1.

Access the BOCS Server Connection page.

2.

In the Protocol field, add or modify the protocol. Currently, the Http and Https protocols are
supported.

3.

In the Base URL field, add or modify the base URL used by the BOCS server in the following
format:
protocol://host:port/ACS/servlet/ACS

where protocol is Http or Https; host is the name of the computer on which the BOCS server is
installed; and port is the port designated for communications during BOCS server installation.
4.

Click OK.

Deleting BOCS servers


Use the instructionsin this section to delete BOCS server configuration objects from a global registry
repository.
Deleting the configuration object does not uninstall the BOCS servers; they must be manually
uninstalled from the hosts on which they are running. Without the configuration object, the BOCS
Server cannot provide content from this repository.

To delete BOCS servers:


1.

Connect to the global registry known to DFC as a user with superuser privileges.

2.

Navigate to Administration > Distributed Content Configuration > BOCS Servers.


The BOCS Server Configurations page displays.
If the BOCS Server Configurations page does not display, you are not connected to the global
registry. Click Global Registry Login and connect to the correct repository

3.

Select BOCS servers to delete.

4.

Select File > Delete.


The BOCS config object Delete page appears.

5.

Click OK to delete the selected object or Cancel to retain the object.


If deleting multiple BOCS servers, select Next or Finish.

Configuring distributed transfer settings


The distributed transfer object is created when the repository is created. The distributed transfer
configuration object controls whether reading and writing content through ACS is enabled for the
repository and whether BOCS pre-caching is also enabled. Administrators cannot create new

EMC Documentum Content Server Administration and Configuration 6.7 Guide

175

Distributed Content Configuration

distributed transfer objects; however, administrators with superuser privileges can configure the
default object.

To configure the distributed transfer settings:


1.

Connect to the repository as a user with superuser privileges.

2.

Navigate to Administration > Distributed Content Configuration > Distributed Transfer.


The Distributed Transfer Settings list page appears. You do not see the distributed transfer
setting listed if you are not connected to the global registry.

3.

Locate the distributed transfer setting and select View > Properties > Info.
The Distributed Transfer Settings Properties - Info page appears.

4.

Modify the properties:


Name: Read only. Indicates the name of the content transfer object assigned by the system
when the repository is created. There can be only one distributed transfer setting in a
repository.
ACS Read: Select to enable users to read content in this repository through the ACS.
If not selected, users requesting documents must go directly to the repository to obtain the
requested content.
ACS Write: Write content in this repository through ACS. Options are:
Synchronous write
Synchronous and Asynchronous write
None (disabled): This is the default.
BOCS Pre-caching: Select to enable the repository to process pre-caching requests. Clear the
checkbox to not pre-cache content in the repository.

5.

BOCS Encryption: Select to allow, disable, or require content encryption.


If you use a default type-based business object (TBO) and content is in an encrypted store, the
Require BOCS to always encrypt option is used, regardless of which option you select on the
Distributed Transfer Settings Properties - Info page.
If you write your own TBO, content is encrypted based on what the doGetContentEncryptionMode
method returns, regardless of what option you select on the Distributed Transfer Settings
Properties page.
Options are:
Use BOCS encryption setting: Select to encrypt content only if the encryption.mode
parameter in BOCS acs.properties file is set to Required.
Require BOCS to always encrypt content: Select to encrypt content on BOCS. Content is not
stored on BOCS if BOCS version does not support encryption or if the encryption.mode
parameter in BOCS acs.properties file is set to Disabled.
Disable BOCS content encryption: Select to not encrypt content on BOCS.

6.

Click OK to save changes made to the distributed transfer settings properties or Cancel to exit
without saving the changes.
The Distributed Transfer Settings list page appears.

176

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Distributed Content Configuration

Messaging server configuration


A Documentum Messaging Services (DMS) server is an intermediary server that provides
messaging services between an ACS or BOCS server and a web application server. The messaging
server configuration object must be created and set up in the global registry using Documentum
Administrator. Administrators with superuser privileges can configure the default messaging server
configuration object; however, if a messaging server configuration object exists, administrators
cannot create new objects.
Use the Administration > Distributed Content Configuration > Messaging Server navigation to
access the Messaging Server Configuration list page.
To modify or view the DMS server configuration object, you must be connected to the repository
known to DFC on the Documentum Administrator host as a global registry and you must be logged
in as a user with superuser privileges. Administrators logging in to a Documentum 6 repository that
is not the global registry do not see a Messaging Server Configuration list page. If they click the
Messaging Server node, the system displays a message informing administrators that they logged in
to a non-global registry repository and the messaging server configuration object is stored only in the
global registry repository. The system also shows a link for the administrator to click to navigate to
the login page of the global registry repository.

To view or modify the messaging server configuration:


1.

Connect to the global registry known to DFC as a user with superuser privileges.

2.

Navigate to Administration > Distributed Content Configuration > Messaging Server.


The Messaging Server Configuration list page appears. The messaging server configuration is
not visible if you are not connected to the global registry.
Note: Click the Global Registry Login link and connect to the correct repository if you see the
following warning message instead of the Messaging Server Configuration list page:
Messaging Servers can only be created in repositories that are designated as global registries.
The current repository is not a global registry. Click the link below to log in to the global
registry repository known to DFC on the Documentum Administrator host. You must have
superuser privileges to create Messaging Servers.

3.

Select the messaging server configuration and then select View > Properties > Info.
The Messaging Server Configuration Properties - Info page appears.

4.

View the properties or change the messaging flag:


Name: Read-only. The name of the messaging server configuration.
Messaging Server Version: Indicates the version of the messaging server, which is
automatically set when creating a new messaging server. The messaging server version must
be 1.0 for Documentum 6.
Messaging: Select to enable content transfer messaging to the DMS server. This checkbox
must be selected to enable asynchronous content transfer through BOCS and for predictive
caching to work.
Clear the checkbox to disable content transfer messages to the DMS server, even if the DMS
server is running.

5.

Enter information in the BOCS Message Routing section:

EMC Documentum Content Server Administration and Configuration 6.7 Guide

177

Distributed Content Configuration

a.

Post URL: Type the hostname and port where to send messages to the DMS server. This
is a required field.

b. Consume URL: Type the hostname and port where BOCS servers in pull mode pick up
messages from the DMS server. If you do not have BOCS servers using the pull mode, then
this field is optional.
6.

Click OK to save changes made to the messaging server configuration object or Cancel to exit
without saving the changes.
The Messaging Server Configuration list page appears.

178

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 9
User Management

This chapter contains the following topics:


Administering users, groups, roles, and sessions, page 179
Users, page 180
User domain authentication, page 194
Groups, page 194
Roles, page 201
Module roles, page 204
Sessions, page 207

Administering users, groups, roles, and


sessions
Users, groups, roles, and sessions are managed in the User Management node. The User Management
node is accessed by selecting Administration >
User Management.
The User Management page contains links to the user management features that can be configured
for a repository, as described in Table 41, page 179.
Table 41. Users, groups, roles, and sessions

Link

Description

Users

Accesses the Users page. From the Users page you can
Search for existing user accounts.
Create, modify, and delete user accounts.
View and assign group memberships for a particular user account.
Change the home repository for particular user accounts.
For more information about user accounts, refer to Users, page 180.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

179

User Management

Link

Description

Groups

Accesses the Groups page. From the Groups page you can
Search for existing group accounts.
Create, modify, and delete group accounts.
View and reassign group a particular group account.
For more information about group accounts, refer to Groups, page 194.

Roles

Accesses the Roles page. From the Roles page you can
Search for existing roles.
Create, modify, and delete roles.
View current group memberships and reassign roles.
For more information about roles, refer to Roles, page 201.

Module Roles

Accesses the Modules Roles page. From the Modules Roles page you
can
Search for existing module roles.
Create, modify, and delete module roles.
View current group memberships and reassign module roles.
For more information about module roles, refer to Module roles, page
204.

Sessions

Accesses the Sessions page. From the Sessions page you can
Search for sessions.
View session properties and session logs.
For more information about module roles, refer to Sessions, page 207.

Users
A repository user is a person or application with a user account that has been configured for a
repository. User accounts are created, managed, and deleted on the User node. In a Documentum
repository, user accounts are represented by user objects. Whenever a new user account is added
to a repository, Content Server creates a user object. A user object specifies how a user can access a
repository and what information the user can access.

Locating users
Use the search filters on the Users page to located users.

180

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

To locate users:
1.

Connect to the repository where you want to locate a particular user.

2.

Navigate to Administration > User Management > Users


The User page displays.

3.

Type information into one of more the search fields as described in Table 42, page 181.
You can search by entering partial information, such as the first letter or a user name, group,
or domain.

4.

Click Search to use the search filters or click Locate All Users to display all user accounts for
the repository.

Table 42. User search filters

Field

Description

User Name

Filters the search results by user name.

Default Group

Filters the search results the name of the default group.

User Login Name

Filters the search results by the login name of the user.

User Login Domain

Filters the search results by login domain.

Creating or modifying users


You must be the installation owner, or have system administrator or superuser privileges to create
users. Superusers and system administrators cannot modify their own extended privileges.
Before you create users, determine what type of authentication the server uses. If the server
authenticates users against the operating system, each user must have an account on the server host.
If the server uses an LDAP directory server for user authentication, the users do not need to have
operating system accounts.
If the repository is the governing member of a federation, a new user can be a global user. Global users
are managed through the governing repository in a federation, and have the same attribute values in
each member repositories within the federation. If you add a global user to the governing repository,
that user is added to all the member repositories by a federation job that synchronizes the repositories.
If a user is authenticated by an LDAP server, only a superuser can modify the users LDAP-mapped
attributes.

To create or modify user accounts:


1.

Connect to the repository where you want to create new users.

2.

Navigate to Administration > User Management > Users.

3.

Do one of the following:


To create a user, select File > New > User.
The New User page displays.
To modify an existing user, select the user, then select View > Properties > Info.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

181

User Management

The User Properties page displays.


4.

Enter or modify the user information, as described inTable 43, page 182.

5.

Click OK.

Table 43. User properties

Field label

Value

State

Indicates the user account state in the repository. Valid values are:
Active: The user is a currently active repository user. Active users
are able to connect to the repository.
Inactive: The user is not currently active in the repository. Inactive
users are unable to connect to the repository.
Locked: The user is unable to connect to the repository.
Locked and inactive: The user is inactive and unable to connect to
the repository.
If the user is a superuser, only another superuser can reset the state.

Name

The user name for the new user. The user name cannot be modified,
but can be reassigned to another user. For more information, refer to
Reassigning objects to another user, page 191.

User Login Name

The login name used for authenticating a user in repositories.


If the user is an operating system user, the user login name must
match the operating system name of the user. If the user is an LDAP
user, the user login name must match the LDAP authentication name
of the user.

User Login Domain

Identifies the domain in which the user is authenticated. This is


typically a Windows domain or the name of the LDAP server used
for authentication.
If you are using Kerberos authentication with LDAP synchronization,
the user login domain must be set to the short domain name, as
described in Configuring LDAP synchronization for Kerberos users,
page 157.

User Source

Specifies how to authenticate a given repository users user name and


password. Valid values depend on whether the repository runs on a
UNIX or Windows server.
None: The user is authenticated in a Windows domain.
UNIX only: The user is authenticated using the default UNIX
mechanism, dm_check_password or other external password
checking program.
Domain only: The user is authenticated against a Windows
domain.

182

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Field label

Value
UNIX first: This is used for UNIX repositories where Windows
domain authentication is in use. The user is authenticated first by
the default UNIX mechanism; if that fails, the user is authenticated
against a Windows domain.
Domain first: This is used for UNIX repositories where Windows
domain authentication is in use. The user is authenticated first
against a Windows domain; if that fails, the user is authenticated by
the default UNIX mechanism.
LDAP: The user is authenticated through an LDAP directory server.
Inline Password: The user is authenticated based on a password
stored in the repository. This option is available only when
Documentum Administrator is used to create users. It is not
available in other applications in which it is possible to create users.
dm_krb: The user is authenticated using Kerberos Single-Sign-On
(SSO).

Password

The password for the user.


This field is displayed if Inline Password is selected as the User
Source. Type the password, which is then encrypted and stored in
the repository.
This must be provided manually for users added using an imported
LDIF file.

Confirm Password

The password for the user.


This field is displayed if Inline Password is selected as the User Source.
Enter the same password you entered in the Password field.

Description

A description of the user account.

E-Mail Address

The E-mail address of the user. This is the E-Mail address to which
notifications are sent for workflow tasks and registered events.

User OS Name

The operating system user name of the user.

Windows Domain

The Windows domain associated with the user account or the domain
on which the user is authenticated. The latter applies if Content Server
is installed on a UNIX host and Windows domain authentication is
used.

Home Repository

The repository where the user receives notifications and tasks.

User is global

If the user is created in the governing repository of a federation,


select this option to propagate the user account to all members of the
federation.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

183

User Management

Field label

Value

Restrict Folder Access To

Specifies which folders the user can access. Click Select to specify a
cabinet or folder. Only the selected cabinets and folders display for
the user. The other folders do not display but the user can access the
folders using the search or advanced search options.
If no folders or cabinets are specified, the user has access to all folders
and cabinets in the repository, depending on the permissions on those
cabinets and folders, and depending on folder security.

Default Folder

The default storage place for any object the user creates. This option
only displays when you are creating a user. Valid values are:
Choose existing folder: Select this option to assign a folder you
already created as the default folder for that user.
Choose/Create folder with the user name: Select this option to
automatically create a folder with the name of the user as the object
name.

Default Group

The group that is associated with the default permission set of the
user. Click Select to specify a default group.
When the user creates an object in the repository, it automatically
belongs to this group.

Default Permission Set

The permission set that assigns the default permissions to objects the
user creates. Click Select to specify a default permission set.

Db Name

The user name of the user in the underlying RDBMS. The DB Name is
only required if the user is a repository owner or a user who registers
RDBMS tables.

Privileges

The privileges that are assigned to the user.


User privileges authorize certain users to perform activities in the
repository. Select one of the privileges from the drop-down list, as
follows:
None
Create Type
Create Cabinet
Create Cabinet and Type
Create Group
Create Group and Type
Create Group and Cabinet
Create Group, Cabinet, and Type
System administrator

184

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Field label

Value
Superuser: If you grant superuser privileges to a user, add that user
manually to the group called admingroup. If you revoke a users
superuser privileges, remove the user from the admingroup.

Extended Privileges

Specifies the auditing privileges for the user. Superusers and system
administrators cannot modify their own extended privileges.
None: The user cannot configure auditing, view audit trails, or
purge audit trails.
Config audit: The user can configure auditing.
Purge audit: The user can purge existing audit trails.
Config and Purge Audit: The user can configure auditing and
purge existing audit trails.
View Audit: The user can view audit trails.
Config and View Audit: The user can configure auditing and view
existing audit trails.
View and Purge Audit: The user can view existing audit trails and
purge them.
Config, View, and Purge Audit: The user can configure auditing
and view and purge existing audit trails.

Client Capability

Describes the expertise level of the user.


The client capability setting is used by Documentum client products,
such as Webtop, to determine which functionality to deliver to the
user. Content Server does not recognize or use the client capability
setting. For information about the client features available with each
setting, refer to the Documentum client documentation.
Choose a user type from the list:
Consumer
Contributor
Coordinator
System Administrator

Alias Set

The default alias set for the user. Click Select to specify an alias set.

Disable Workflow

Indicates whether a user can receive workflow tasks.

Disable Authentication
Failure Checking

If selected, user can exceed the number of failed logins specified


in the Maximum Authentication Attempts field of the repository
configuration object.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

185

User Management

Creating global users


A global user is a repository user who is found in all members of a repository federation and whose
attribute values are the same in all of the repositories. Global users are managed through the
governing repository. If you add a global user to the governing repository, that user is added to all
the member repositories by a federation job that synchronizes the repositories.
To create a global user, connect to the governing repository of a federation and create the user there.
On the New User - Info page, select User is global to make the user global. Use the instructions in
Creating or modifying users, page 181 to create the user.
Connect to the governing repository to modify the attributes of a global user.
Global users can also have local attributes, which you can modify in a local repository.

Setting default permissions for folders and cabinets


When you create a new user, you assign the user a default folder. Documentum Administrator allows
you to select between assigning an existing folder as the default folder or creating a folder with the
users name. If you have Documentum Administrator create the folder for a new user and you
can control the permissions assigned to folder.

To set default permissions for folders:


1.

Create a alias set called UserPropertiesConfiguration.

2.

Assign ownership of the UserPropertiesConfiguration alias set to the repository owner.


This is the user whose account is used for database access (dm_dbo).

3.

Create two aliases in UserPropertiesConfiguration.


DefaultFolderAcl
Point this alias to the permission set to be applied to the new folder created for new users.
DefaultFolderAclDomain
Point this alias to the user who owns the permission set you use for the DefaultFolderAcl alias.

When you add a user, Documentum Administrator applies the permission set you designate to the
new folder. If a new user is not present as an accessor in the permission set, the user is granted write
permission on the folder. The permission set for the folder is then modified to a system-generated
permission set, but it otherwise has the permissions from the permission set you created.
You can use Documentum Administrator to create a default folder for an existing user and
permissions on the set are applied if you have created the necessary alias set and aliases.
If the UserPropertiesConfiguration alias set does not exist and a superuser creates the user, the user
owns the folder and has delete permission. If a system administrator creates the user, the user is not
the owner of the default folder, but the user has change owner permission on the folder as well
as write permission.

186

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Importing users
You can create repository users from information contained in an input file. Before you begin
importing users, determine the following:
Authentication type
If the server authenticates users against the operating system, each user must have an account on
the server host. If the server uses an LDAP directory server for user authentication, the users do
not need to have operating system accounts.
Groups and ACLs
If you specify the attributes user_group (the users default group) and acl_name (the users default
permission set), any groups and permission sets must already exist before you import the users.
Passwords
If you are creating a user who is authenticated using a password stored in the repository, the
password cannot be assigned in the input file. You must assign the password manually by
modifying the user account after the user has been imported..

To import new users:


1.

On the file system of the host where your browser is running, create a text file in LDIF format.

2.

Save the text file.

3.

Connect to the repository where you want to create new users.

4.

Navigate to Administration > User Management > Users.

5.

Select File > Import Users.


The Import User page displays.

6.

Enter the user information, as described in Table 44, page 187.

7.

Click Finish.

Table 44. Import user properties

Field label

Value

State

Indicates the users state in the repository. Select one of the following:
Active: The user is a currently active repository user. Active users
are able to connect to the repository.
Inactive: The user is not currently active in the repository. Inactive
users are unable to connect to the repository.
If the user is a superuser, only another superuser can reset the state.

Source

The name of an input file. Click Browse to browse to the location of


the LDIF file containing information for creating the new users.
For more information about the LDIF file format, refer to Import file
format, page 190.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

187

User Management

Field label

Value

User Source

Specifies how to authenticate a given repository users user name and


password. Valid values are:
None: Windows only. This means the user is authenticated in a
Windows domain.
UNIX only: The user is authenticated using the default UNIX
mechanism, dm_check_password or other external password
checking program. This option only displays on UNIX hosts.
Domain only: The user is authenticated against a Windows
domain. This option only displays on UNIX hosts.
UNIX first: This is used for UNIX repositories where Windows
domain authentication is in use. This option only displays on UNIX
hosts.
The user is authenticated first by the default UNIX mechanism.
If the authentication fails, the user is authenticated against a
Windows domain.
Domain first: This is used for UNIX repositories where Windows
domain authentication is in use. This option only displays on UNIX
hosts.
The user is authenticated first against a Windows domain; if that
fails, the user is authenticated by the default UNIX mechanism.
LDAP: The user is authenticated through an LDAP directory server.

Description

A description of the user account.

E-Mail Address

The E-mail address of the user. This is the E-Mail address to which
notifications are sent for workflow tasks and registered events.

Windows Domain

(Windows only.) The domain name associated with the new users
Windows account.

Home Repository

The repository where the user receives notifications and tasks.

User is global

If the user is created in the governing repository of a federation,


select this option to propagate the user account to all members of the
federation.

Default Folder

The default storage place for any object the user creates. Click Select
to assign a folder.

Default Group

The group that is associated with the default permission set of the
user. Click Select to specify a default group.
When the user creates an object in the repository, it automatically
belongs to this group.

Default ACL

188

The permission set that assigns the default permissions to objects the
user creates. Click Select to specify a default permission set.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Field label

Value

Db Name

The user name of the user in the underlying RDBMS. The DB Name is
only required if the user is a repository owner or a user who registers
RDBMS tables.

Privileges

The privileges that are assigned to the user.


User privileges authorize certain users to perform activities in the
repository. Select one of the privileges from the drop-down list, as
follows:
None
Create Type
Create Cabinet
Create Cabinet and Type
Create Group
Create Group and Type
Create Group and Cabinet
Create Group, Cabinet, and Type
System Administrator
Superuser: If you grant superuser privileges to a user, add that user
manually to the group called admingroup. If you revoke a users
superuser privileges, remove the user from the admingroup.

Client Capability

Indicates what expertise level of the user. This option is for


informative purposes only and is not associated with any privileges.
Content Server does not recognize or enforce these settings.
Choose a user type from the list:
Consumer
Contributor
Coordinator
System Administrator

Alias Set

The default alias set for the user. Click Select to specify an alias set.

If user exists, then


overwrite user
information

Select this option if a user already exists in the repository and you
want to replace existing information with the imported information.

If user exists, then ignore


information

Select this option if a user already exists in the repository and you
want to retain the existing information.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

189

User Management

Import file format


You can create repository users from information contained in an input file.
Each imported user starts with the header object_type:dm_user. Follow the header with a list of
attribute_name:attribute_value pairs. The attributes user_name and user_os_name are required. In
addition, the following default values are assigned when the LDIF file is imported:
Table 45. Default values for new users

Argument

Default

user_login_name

username

privileges

0 (None)

folder

/username

group

docu

client_capability

Each attribute_name:attribute_value pair must be on a new line. For example:


object_type:dm_user
user_name:Pat Smith
user_group:accounting
acl_domain:smith
acl_name:Global User Default ACL
object_type:dm_user
user_name:John Brown

If the ldif file contains umlauts, accent marks, or other extended characters, store the file as a UTF-8
file, or users whose names contain the extended characters are not imported.
The attributes you can set through the LDIF file are:
user_name
user_os_name
user_os_domain
user_login_name
user_login_domain
user_password
user_address
user_db_name
user_group_name
user_privileges (set to integer value)
default_folder
user_db_name
description
acl_domain
acl_name
user_source (set to integer value)
home_docbase
user_state (set to integer value)
client_capability (set to integer value)
globally_managed (set to T or F)
alias_set_id (set to an object ID)
workflow_disabled (set to T or F)
user_xprivileges (set to integer value)
failed_auth_attempt (set to integer value)

190

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

You can specify as many of the attributes as you wish, but the attribute_names must match the
actual attributes of the type.
The attributes may be included in any order after the first line (object_type:dm_user). The Boolean
attributes are specified using T (for true) or F (for false). Use of true, false, 1, or 0 is deprecated.
Any ACLs that you identify by acl_domain and acl_name must exist before you run the file to import
the users. Additionally, the ACLs must represent system ACLs. They cannot represent private ACLs.
Any groups that you identify by user_group_name must exist before you run the file to import
the users.
Content Server creates the default folder for each user if it does not already exist.

Deleting users
You can remove users from the repository, but Documentum strongly recommends making users
inactive or reassigning them rather than deleting them from the repository.
When you delete a user, the server does not remove the users name from objects in the repository
such as groups and ACLs. Consequently, when you delete a user, you must also remove or change
all references to that user in objects in the repository. To reassign objects to another user, use the
instructions in Reassigning objects to another user, page 191.
You can delete a user and then create a user with the same name. If you add a new user with the same
name as a deleted user and have not removed references to the deleted user, the new user inherits the
group membership and object permissions belonging to the deleted user.
You cannot delete the repository owner, installation owner, or yourself.

To delete users:
1.

Navigate to Administration > User Management > Users.

2.

Select the users to delete by checking the check boxes next to their names.

3.

Select File > Delete.

4.

Click Finish.

Reassigning objects to another user


If you want to delete a user from the repository, make the user inactive, or rename a user, you can
assign objects owned by that user to another user. For example, to change the user name of a
particular user, you have to create a new user and assign the objects that belonged to the old user
name to the new user.

To reassign objects to another user:


1.

Navigate to Administration > User Management > Users.

2.

Select the user whose objects are being reassigned and then select Tools > Reassign User.
The Reassign User page is displayed.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

191

User Management

3.

Enter information on the Reassign Userpage:


a.

Name: Displays the name of the current repository.

b. Reassign: Type the name of the user to which to reassign the current users objects or click
Select User.
c.

Run the Reassign job: Select when to run the reassign job. Options are At next job execution
and Now.

d. Checked Out Objects: Indicate whether to unlock check-out objects or ignore them.
e.
4.

Report Results: Indicate whether to save changes and report results or just report results.

Click OK.

Changing the home repository of a user


The home repository is where users receive tasks and notifications in their inboxes.

To change a home repository:


1.

Navigate to Administration > User Management > Users.

2.

Select the user for whom you want to change the home repository.

3.

Select Tools > Change Home Repository.

4.

From the list, select the users new home repository.

5.

Indicate whether to run the job that changes the home repository when it is next scheduled or
to run the job now.

6.

Click OK.

Activating or deactivating a user account


Changing a user account from active to inactive is an alternative to deleting the user from the
repository. If the account is a superuser account, only another superuser can reset the account.

To change a user from active to inactive or inactive to active:


1.

Navigate to Administration > User Management > Users.

2.

Select the user and then select View > Properties > Info to access the User Properties - Info page.

3.

To make an active user inactive, select Inactive from the State drop-down list.

4.

To make an inactive user active, select Active from the State drop-down list.

5.

Click OK.

192

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Viewing groups, workflows, alias sets, permission sets,


and documents of a user
Use these instructions to determine the groups to which a user belongs.

To view the groups, workflows, permission sets, alias sets, or documents of a user:
1.

Navigate to Administration > User Management > Users.

2.

Select the user and then select View > View Current User Memberships.

3.

From the list, select Groups, Acl, Alias Sets, Documents, Workflows, or All.

4.

Click the user navigation path at the top of the screen to return to the User list page.

Viewing or deleting change home repository logs


Use these instructions to view or delete the logs generated by changing a users home repository.

To view or delete change home repository logs:


1.

From the User list page, click View > Change Home Repository Logs.

2.

To view a log, click the job request ID of the job.

3.

To delete a log, select the log and the select File > Delete.

4.

To exit viewing the log, click OK.

5.

To exit the log list page, click Users in the navigation trail at the top of the right pane.

Viewing user reassign logs


Use these instructions to view or delete the logs generated by reassigning a users objects to another
user.

To view the user reassign logs:


1.

From the User list page, select View > Reassign Logs.
The Reassign Logs list page is displayed. The list page tells you:
The job request ID
The users old and new names
Whether the job generated a report only or proceeded with the reassign operation
Whether locked objects were unlocked
Whether the request was completed
You can sort on each column.

2.

To view a log, click the job request ID for the rename job.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

193

User Management

If the job request ID is not a clickable link, a log was not generated for the job.
3.

To delete a log, select the log and then click File > Delete.

4.

To exit viewing the log, click OK.

5.

To exit the log list page, click Users in the navigation path at the top of the right pane.

Reassign reports
This page displays reassign logs, including group and user reassign logs.

User domain authentication


If you are authenticating against the operating system on a Windows platform, Content Server
authenticates the operating system name and password of a user within a domain. The domain is
stored in the user_os_domain property of the user. A default domain is defined for all users in the
repository in the user_auth_target key of the server.ini file.
Whether the server uses the user-specific domain or the default domain for authentication depends
on whether the server is running in domain-required mode or not.
The Content Server installation procedure installs a repository in no-domain required mode. If a
Windows configuration has only users from one domain accessing the repository, the no-domain
required mode is sufficient. If the users accessing the repository are from varied domains, using
domain-required mode provides better security for the repository.
If a repository is running in domain-required mode, the login domain value in the login ticket
generated for a user attempting to log in using an inline password defaults to the domain of the
superuser even if the user on the login ticket belongs to a different domain. Users from a different
domain must specify their login domain name when logging into the repository.
If a repository is running in no-domain required mode, users can login with only their user name
and inline password. It is also possible to prepend the user name with a backslash (\), for example
\janedoe. The backslash specifies an empty domain name.

Groups
A group represents multiple repository users, and can contain groups, users, or roles. By default,
a group is owned by the user who creates the group. Groups can be public or private. By default,
groups created by a user with Create Group privileges are private, while groups created by a user
with system administrator or superuser privileges are public.
A group can be a dynamic group. A dynamic group is a group, of any group class, whose list
of members is considered a list of potential members. For more information on dynamic groups,
refer to Dynamic groups, page 195.
To create or modify groups, you must have privileges as shown in the following table:

194

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Table 46. Privileges for creating or modifying groups

Privilege

Create

Modify

Delete

Create Group

Can create group or


assign ownership to
a group to which the
user belongs.

Can add or delete


members and assign
ownership to a group
to which the user
belongs.

Can delete groups the


user owns, including
groups where a group
is owner and the user
is a member of the
group.

System administrator

Can create group or


assign ownership to
a group to which the
user belongs.

Can update the


group the system
administrator owns,
including groups
where a group is
owner and the system
administrator is a
member of the group.

Can delete groups the


system administrator
owns, including
groups where a group
is owner and the
system administrator
is a member of the
group.

Superuser

Can create a group and


assign ownership to a
different user or group.

Can delete any group.


Can update group
administrator, owner,
or members of a group.

A group can own SysObjects and permission sets.


The name assigned to a group must consist of characters that are compatible with the Content Server
OS code page.
If you create a role as a domain, it is listed on the groups list, not the roles list.
To jump to a particular group, type the first few letters of its object name in the Starts with box and
click Search. To view a list of all groups beginning with a particular letter, click that letter. To view
a different number of groups than the number currently displayed, select a different number in
the Show Items list.
To view the members of a group, click the group name.

Dynamic groups
A dynamic group is a group, of any group class, whose list of members is considered a list of
potential members. A dynamic group is created and populated with members like any other group.
Whether or not a group is dynamic is part of the groups definition. It is recorded in the is_dynamic
attribute and can be changed after the group is created. (In this application, is_dynamic is the field
labeled Dynamic Group.
When a session is started, whether Content Server treats a user in a dynamic group as an actual
member is dependent on two factors:
The default membership setting in the group object
Whether the application from which the user is accessing the repository requests that the user be
added or removed from the group

EMC Documentum Content Server Administration and Configuration 6.7 Guide

195

User Management

You can use dynamic groups to model role-based security. For example, suppose you define a
dynamic group called EngrMgrs. Its default membership behavior is to assume that users are
not members of the group. The group is granted the privileges to change ownership and change
permissions. When a user in the group accesses the repository from a secure application, the
application can issue the session call to add the user to the group. If the user accesses the repository
from outside your firewall or from an unapproved application, no session call is issued and Content
Server does not treat the user as a member of the group. The user cannot exercise the change
ownership or change permissions permits through the group.

Privileged groups
Installing Content Server installs a set of privileged groups. Members of privileged are allowed to
perform privileged operations even though the members do not have the privileges as individuals.
The privileged groups are divided into two sets.
The first set of privileged groups are used in applications or for administration needs. With two
exceptions, these privileged groups have no default members when they are created. You must
populate the groups. The following table describes these groups.
Table 47. Privileged groups

Group

Description

dm_browse_all

Members of this group can browse any cabinets and folders in


the repository, folders except the rooms that were created using
Documentum Collaborative Services (DCS).
The dm_browse_all_dynamic is a member of this group by default.

dm_browse_all_dynamic

This is a dynamic role group whose members can browse any object
in the repository. The dm_browse_all_dynamic group is a member of
the dm_browse_all group.

dm_retention_managers

Members of this group can:


Own retainer objects (representing retention policies)
Add and remove a retainer from any SysObject.
Add and remove content in a retained object
Change the containment in a retained virtual document
This is a non-dynamic group.

dm_retention_users

Members of this group can add retainers (retention policies) to


SysObjects.
This is a non-dynamic group.

dm_superusers

Members of this group are treated as superusers in the repository.


The dm_superusers_dynamic group is a member of this group by
default.

196

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Group

Description

dm_superusers_dynamic

A dynamic role group whose members are treated as superusers in


the repository. The dm_superusers_dynamic group is a member of
the dm_superusers group.

dm_sysadmin

Members of this group are treated as users with system administrator


user privileges.

dm_create_user

Member of this group have Create User user privilege.

dm_create_type

Member of this group have Create Type user privilege.

dm_create_group

Member of this group have Create Group user privilege.

dm_create_cabinet

Member of this group have Create Cabinet user privilege.

The second set of privileged groups are privileged roles that are used internally by DFC. You cannot
add or remove members from these groups. The groups are:
dm_assume_user
dm_datefield_override
dm_escalated_delete
dm_escalated_full_control
dm_escalated_owner_control
dm_escalated_full_control
dm_escalated_relate
dm_escalated_version
dm_escalated_write
dm_internal_attrib_override
dm_user_identity_override

Locating groups
Use these instructions to locate groups in a repository.

To locate groups:
1.

Connect to a repository.

2.

Navigate to Administration > User Management > Groups.


The Groups page displays the first ten groups in the repository.

3.

To jump to a particular group or to groups starting with a particular string, type the string in the
Starts with field and click Search.

4.

To see more groups, click the Forward or Back buttons or click a letter corresponding to the
first letter of a group.

5.

To change the number of groups displayed, select a different number from the Show Items list.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

197

User Management

Viewing group memberships


Use these instructions to see where a group is used.

To view group memberships:


1.

Select the correct group.

2.

Select View > View Current Group Memberships.

Creating, viewing, or modifying groups


You can create a group or view and modify group properties on the Info tab of the New Group
and Group properties pages.

To create, view, or modify groups:


1.

Navigate to Administration > User Management > Groups.


The Groups page displays.

2.

Do one of the following:


Select File > New > Group to create a group.
Select an existing group from the list and select View > Properties > Info to view or modify
the properties of the group.

3.

Enter or modify information on the Info tab of the New Group page or Group Properties page,
as described in Table 48, page 198.

4.

Click OK to save your changes.

Table 48. Group properties

Field label

Value

Name

The name of the repository group.

Group Native Room

The groups native room. This field appears only if the rooms
feature of Collaborative Services is enabled.

E-Mail Address

The email address for the new group.


If no value is entered in this field, the group email address
defaults to the group name.

Owner

The name of a repository user who has the Create Group


privilege and who owns this group.
If you are a superuser, you can select the owner. Otherwise,
you can set this to a group of which you are a member.

198

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Field label

Value

Administrator

Specifies a user or group, in addition to a superuser or the


group owner, who can modify the group. If this is null, only
a superuser and the group owner can modify the group.
Only a superuser and the group owner can change the
administrator of a group.

Alias Set

The default alias set for the group.

Group is Global

Displayed only in the governing repository of a federation


and the group must be a global group.

Description

A description of the group.

Private

Defines whether the group is private. If not selected, the


group is created as a public group.
A group with Private enabled can be updated only by a
user who is the owner of the group or is listed as the group
administrator of the group.
A group with Private not enabled can be updated by a user
with system administrator privileges as well as by the group
owner or administrator.
A superuser can update any group, regardless if Private is
enabled or not.

Dynamic

Indicates if the group is a dynamic group. A dynamic group


is a group, of any group class, whose list of members is
considered a list of potential members. User membership is
controlled on a session-by-session basis by the application
at runtime. The members of a dynamic group comprise of
the set of users who are allowed to use the group; but a
session started by one of those users will behave as though
it is not part of the group until it is specifically requested
by the application.
For more information about dynamic groups, refer to
Dynamic groups, page 195.

Protected

Indicates if the group is protected against adding or deleting


members. Use of a protected dynamic group is limited
to applications running with a DFC installation that has
been configured as privileged through the Documentum
Administrator client rights administration.
The Protected checkbox is enabled only when Dynamic
Group is selected.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

199

User Management

Adding users, groups, or roles to a group


A group can contain users, other groups, or roles. Use these instructions to add users, groups, or
roles to a group.

To add users to a group:


1.

Navigate to Administration > User Management > Groups to access the Groups page.

2.

Double-click the name of the group to which you want to add users and then select File > Add
Members.

3.

To jump to a particular user, group, or role, type the name in the text box and click Go, or filter
the list using one of the predefined filters from the drop-down list.

4.

Select the names of the users, groups, or roles you are adding to the group.

5.

Click the right arrow.


The members are moved to the right-hand side of the page.

6.

Click OK.

Removing users from a group


Use these instructions to remove users from a group.

To remove users from a group:


1.

Navigate to Administration > User Management > Groups to access the Groups page.

2.

Double-click the group from which you want to delete users.

3.

Select the names of the users you are deleting from the group.

4.

Select File > Remove Member(s).

Deleting groups
You can delete a group if you are the groups owner, a superuser, a member of the group that owns
the group to be deleted, or identified in the groups group_admin attribute, either as an individual
or as a member of a group specified in the attribute. However, to preserve repository consistency,
do not remove groups from the repository. Instead, remove all members of the group and leave
the group in the repository, or reassign all objects owned by the group to another group or user
and then delete the group.

To delete a group:
1.

Navigate to Administration > User Management > Groups to access the Groups page.

2.

Select the name of the group you are deleting and then select File > Delete.

3.

Click OK to confirm that you want to delete the group.

200

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Reassigning the objects owned by a group


Use these instructions to reassign the objects owned by a group to another group.

To reassign a group:
1.

Navigate to Administration > User Management > Groups to access the Groups page.

2.

Select the group you are reassigning and then select Tools > Reassign.

3.

Type the name of the group to which this groups users and objects are being reassigned or
click Select to select a group.

4.

Indicate whether to run the reassign job at the next time the job is scheduled or now.

5.

Indicate whether to unlock or ignore checked-out objects.

6.

Indicate whether to save changes and report results or just report results.

7.

Click OK.

Viewing group reassign logs


Use these instructions to view or delete the logs generated by reassigning the members of a group to
another group.
1.

From the groups list page, select View > Reassign Logs.

2.

To view a log, click the job request ID.


If the job request ID is not a clickable link, no log was generated for the job.

3.

To delete a log, select the log and then select File > Delete.

4.

To exit viewing the log, click OK.

Roles
A role is a type of group that contains a set of users or other groups that are assigned a particular role
within a client application domain.
If you create a role as a domain, it is listed in the groups list, not the roles list.

Creating, viewing, or modifying roles


Use these instructions to create, view, or modify roles.

To create roles:
1.

Navigate to Administration > User Management > Roles .

EMC Documentum Content Server Administration and Configuration 6.7 Guide

201

User Management

The Roles page displays.


2.

Do one of the following:


Select File > New > Role to create a role.
Select a group, then select View > Properties> Info to view or modify the properties of the role.

3.

Enter or modify information on the Info tab of the New Role page or Role Properties page,
as described in Table 49, page 202.

4.

Click OK to save your changes.

Table 49. Role properties

Field label

Value

Name

The name of the repository role.

Group Native Room

The native room for the role. The field appears only if the
rooms feature of Collaborative Services is enabled.

E-Mail Address

The email address for the new role. This is typically the email
address of the roles owner.
If no value is entered in this field, the role email address
defaults to the role name.

Owner

The name of a repository user who has the Create Group


privilege and who owns this role.

Administrator

Specifies a user or group, in addition to a superuser or the


role owner, who can modify the role. If this is null, only a
superuser and the role owner can modify the role.

Alias Set

The default alias set for the role.

Description

A description of the role.

Private

Defines whether the role is private. If not selected, the role is


created as a public role.
A role with Private enabled can be updated only by a
user who is the owner of the role or is listed as the roll
administrator. A role with Private not enabled can be
updated by a user with system administrator privileges as
well as by the role owner or administrator. A superuser can
update any role, regardless if Private is enabled or not.
By default, roles created by users with System Administration
or superuser privileges are public, and roles created by users
with a lower user privilege level are private.

Create role as domain

Select to create a dm_group object with group_class as


domain.
This field only appears on the New Role - Info page.

202

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Field label

Value

Dynamic

Indicates if the role a dynamic role. A dynamic role


is a role whose list of members is considered a list of
potential members. User membership is controlled on a
session-by-session basis by the application at runtime. The
members of a dynamic role comprise of the set of users who
are allowed to use the role; but a session started by one of
those users will behave as though it is not part of the role
until it is specifically requested by the application.

Protected

Indicates if the role is protected against adding or deleting


members. Use of a protected dynamic role is limited to
applications running with a DFC installation that has
been configured as privileged through the Documentum
Administrator client rights administration.
The Protected checkbox is enabled only when Dynamic Role
is selected.

Adding users, groups, or roles to a role


Use these instructions to add users, groups, or roles to a role.

To add users, groups, or roles to a role:


1.

Navigate to Administration > User Management > Roles to access the Roles list page.

2.

Click the role to which you want to add users.


The list page with members of the role is displayed.

3.

To filter the list, select Only Groups, Only Users, or Only Roles from the list.

4.

Click File > Add Member(s) to access the Choose a user/group page.

5.

To jump to a particular user, group, or role, type the name in the text box and click Go.

6.

To filter the page, select one of the following:


Show Users, Groups, And Roles
Show Users
Show Groups
Show Roles
Show Private Groups and Roles

7.

Select the names of the users, groups, or roles you are adding to the role.

8.

Click the right arrow.


The members are moved to the right-hand side of the page.

9.

Click OK.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

203

User Management

Reassigning roles
If you plan to delete a role, consider reassigning the users and other objects belonging to the role. Use
these instructions to reassign the users and other objects.

To reassign a role:
1.

Navigate to Administration > User Management > Roles to access the Roles list page.

2.

Select the name of the role you are reassigning and then select Tools > Reassign.

3.

Type the name of the role or group to which this roles users and objects are being reassigned, or
click Select to select a group.

4.

Indicate whether to run the reassign job at the next time the job is scheduled or now.

5.

Indicate whether to unlock or ignore checked-out objects.

6.

Indicate whether to save changes and report results or just report results.

7.

Click OK.

Deleting roles
Roles are a type of group. It is therefore recommended that you do not delete a role. Instead, remove
all members of the role and leave the role in the repository. You can also reassign the members
of the role to another role.

To delete a role:
1.

Navigate to Administration > User Management > Roles to access the Roles list page.

2.

Select the name of the role to delete.

3.

Select File > Delete.

4.

Click OK.

Module roles
Module roles are required by applications that run privileged escalations and they behave the same
as roles with respect to memberships. Module roles are dm_group objects with group_class set to
module role. Any user, group, or dynamic group can be a member of a module role.
By default, module roles are dynamic. A dynamic module role is a role whose list of members
is considered a list of potential members. User membership is controlled on a session-by-session
basis by the application at runtime. The members of a dynamic module role comprise of the set
of users who are allowed to use the module role; but a session started by one of those users will
behave as though it is not part of the module role until it is specifically requested by the application.
Administrators should not modify module roles unless they are configuring a client that requires
privileged escalations.

204

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Creating, viewing, or modifying module roles


Use these instructions to create new module roles.

To create, view, or modify module roles:


1.

Navigate to Administration > User Management > Module Roles .


The Module Roles page displays.

2.

Do one of the following:


Select File > New > Module Role to create a module role.
Select a module role, then select View > Properties > Infor to view or modify the properties
of the module role.

3.

Enter or modify the information on Info tab of the New Module Role - Info page or the Module
Role Properties page, as described in Table 50, page 205.

4.

Click OK to save your changes.

Table 50. Module role properties

Field label

Value

Name

The name of the repository module role.

Group Native Room

The native room for the module role. The field appears only
if the rooms feature of Collaborative Services is enabled.

E-Mail Address

The email address for the module role.


If no value is entered in this field, the module role email
address defaults to the module role name.

Owner

The name of a repository user who has the Create Group


privilege and who owns this module role.

Administrator

Specifies a user or group, in addition to a superuser or the


module role owner, who can modify the module role. If this
is null, only a superuser and the module role owner can
modify the module role.

Alias Set

The default alias set for the module role.

Module Role is Global

If the module role is being created in the governing


repository of a federation, select to propagate the module
roles attributes to all members of the federation.

Description

A description of the module role.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

205

User Management

Field label

Value

Private

Defines whether the module role is private. If not selected,


the module role is created as a public module role.
A module role with Private enabled can be updated only
by a user who is the owner of the role or is listed as the roll
administrator. A module role with Private not enabled can
be updated by a user with system administrator privileges
as well as by the role owner or administrator. A superuser
can update any module role, regardless if Private is enabled
or not.

Protected

Select to restrict the module role to be used only by


applications running on a privileged client.

Reassigning module roles


If you plan to delete a module role, consider reassigning the users and other objects belonging to the
module role. Use these instructions to reassign the users and other objects.

To reassign a module role:


1.

Navigate to Administration > User Management > Module Roles to access the Module Roles
list page.

2.

Select the name of the module role you are reassigning and then select Tools > Reassign.

3.

Type the name of the module role to which this module roles users and objects are being
reassigned, or click Select to select a group.

4.

Indicate whether to run the reassign job at the next time the job is scheduled or now.

5.

Indicate whether to unlock or ignore checked-out objects.

6.

Indicate whether to save changes and report results or just report results.

7.

Click OK.

Deleting module roles


Module roles are a type of group. It is therefore recommended that you do not delete a module role.
Instead, remove all members of the module role and leave the module role in the repository. You can
also reassign the members of the module role to another module role.

To delete a module role:


1.

Navigate to Administration > User Management > Module Roles to access the Module Roles
list page.

2.

Select the name of the module role to delete.

206

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

3.

Select File > Delete.

4.

Click OK.

Sessions
A repository session is opened when an end user or application establishes a connection to a server.
Each repository session has a unique ID.
During any single API session, an external application can have multiple repository sessions, each
with a different repository or server or both.
A repository session is terminated when the end user explicitly disconnects from the repository or
the application terminates.
You can use Documentum Administrator to monitor repository sessions only. It cannot monitor any
other sessions (for example, eConnector for JDBC sessions).
The Sessions page lists sessions in the current repository. For each session, the name, Documentum
Session ID, Database Session ID, Client Host, Start Time, time Last Used, and State are displayed.
To view all sessions or user sessions, make a selection from the drop-down list. To view a different
number of sessions, select a new number from the Show Items drop-down list. To view the next page
of sessions, click the > button. To view the previous page of sessions, click the < button. To jump to
the first page of sessions, click the << button. To jump to the last page, click >>.

Viewing user sessions


Use these instructions to view user sessions and details of user sessions. User session information that
can be viewed includes the root process start time, root process ID, session ID, client library version,
and how the user is authenticated.

To view user sessions:


1.

Connect to the repository where you are viewing users sessions.


If you are viewing user sessions in a federation, connect to the governing repository.

2.

Navigate to Administration > Sessions.

3.

A list of current user sessions is displayed.


To view all sessions, select All from the drop-down list.
To view user sessions, select User Sessions from the drop-down list.

Viewing user session information


Use these instructions for viewing information about user sessions.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

207

User Management

To view user session info:


1.

On the Sessions list page, click the Session ID corresponding to the session for which you want to
view session details.
The following session information is displayed:
Table 51. Session information

2.

Field

Description

Root Process Start Date

The last start date for the server to which the


session is connected

Root Process ID

The process ID of the server on its host

User Name

The session user

Client Host

The host from which the session is connected

Session ID

The ID of the current repository session

Database Session ID

The ID of the current database session

Session Process ID

The operating system ID of the current session


process

Start Time

The time the session was opened

Last Used

The time of the last activity for the session

Session Status

The status of the current session

Client Library Version

The DMCL version in use

User Authentication

The authentication type

Shutdown Flag

An internal flag

Client Locale

The preferred locale for repository sessions


started during an API session

Click OK or Cancel to return to the Sessions page.

Viewing user session logs


Use these instructions to view user session logs. Session logs provide information about the actions
performed in a session.

To view user session logs:


1.

From the Sessions list page, select the session whose sessions logs you want to view.

2.

Select View > Session Log.


The session log is displayed.

3.

208

Click OK or Cancel to return to the Session list page.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

User Management

Killing user sessions


Use these instructions to kill user sessions.

To kill user sessions:


1.

From the Sessions page, select the session you want to kill.

2.

Select Tools > Kill Session.


The Kill Session page is displayed.

3.

Indicate when to kill the session:


When the sessions has no open transactions
After the current request is completed
Immediately

4.

Type a message to be sent to the session owner.

5.

Click OK.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

209

User Management

210

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 10
Security and Authentication

This chapter contains the following topics:


Object permissions, page 211
Folder security, page 214
Additional access control entries, page 215
Default alias sets, page 216
Access evaluation process, page 216
Permission sets, page 217
Authenticating in domains, page 226
Principal authentication, page 227
Privileged clients, page 231
Administrator access sets, page 234

Object permissions
Access to folders and documents in a repository is subject to an organizations security restrictions.
All content in the repository is associated with object permissions, which determines the access users
have to each object in the repository such as a file, folder, or cabinet and governs their ability to
perform specific actions. There are two categories of object permissions:
Basic: Required for each object in the repository
Extended: Optional
Basic permissions grant the ability to access and manipulate an objects content. The seven basic
permission levels are hierarchical and each higher access level includes the capabilities of the
preceding access levels. For example, a user with Relate permission also has Read and Browse.
Table 52. Basic permissions

Basic permission

Description

None

No access to the object is permitted.

Browse

Users can view the objects properties but not the objects content.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

211

Security and Authentication

Basic permission

Description

Read

Users can view both the properties and content of the object.

Relate

Users can do the above and add annotations to the object.

Version

Users can do the above and modify the objects content and check
in a new version of the item (with a new version number). Users
cannot overwrite an existing version or edit the items properties.

Write

Users can do the above and edit object properties and check in
the object as the same version.

Delete

Users can do all the above and delete objects.

Extended permissions are optional, grant the ability to perform specific actions against an object,
and are assigned in addition to basic permissions. The six levels of extended permissions are not
hierarchical, so each must be assigned explicitly. Only system administrators and superusers can
grant or modify extended permissions.
Table 53. Extended permissions

Extended permission

Description

Execute Procedure

Superusers can change the owner of an item and use Execute


Procedure to run external procedures on certain object types.
A procedure is a Docbasic program stored in the repository as
a dm_procedure object.

Change Location

Users can move an object from one folder to another in the


repository. A user also must have Write permission to move
the object. To link an object, a user also must have Browse
permission.

Change State

Users can change the state of an item with a lifecycle applied to it.

Change Permission

Users can modify the basic permissions of an object.

Change Ownership

Users can change the owner of the object. If the user is not
the object owner or a superuser, they also must have Write
permission.

Extended Delete

Users can only delete the object. For example, you may want a
user to delete documents but not read them. This is useful for
Records Management applications where discrete permissions
are common.

When a user tries to access an object, Content Server first determines if the user has the necessary
level of basic permissions. If not, extended permissions are ignored.
Permission sets (also known as access control lists, or ACLs) are configurations of basic and extended
permissions assigned to objects in the repository that lists users and user groups and the actions they
can perform. Each repository object has a permission set that defines the object-level permissions
applied to it, including who can access the object. Depending on the permissions, users can create
new objects; perform file-management actions such as importing, copying, or linking files; and start
processes, such as sending files to workflows.
Each user is assigned a default permission set. When a user creates an object, the repository assigns
the users default permission set to that object. For example, if the default permission set gives all

212

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

members of a department Write access and all other users Read access, then those are the access
levels assigned to the object.
Users can change an objects access levels by changing the objects permission set. To do this, the user
must be the objects owner (typically the owner is the user who created the object) or they must have
superuser privileges in the objects repository.
When a user modifies a permission set, it is saved as a permission set assigned to them. They can
then apply the permission set to other objects in the repository.
The ability to modify permission sets depends on the user privileges in the repository:
Users with superuser privileges can modify any permission set in the repository. They can
designate any user as the owner of a permission set, and change the owner of a permission set.
This permission is usually assigned to the repository administrator.
Users with system administrator privileges can modify any permission set owned by them or
by the repository owner. They can designate themselves or the repository owner as the owner
of a permission set they created and can change whether they or the repository owner owns the
permission set. This permission is usually assigned to the repository administrator.
Users with any privileges less than the superuser or system administrator privileges are the
owner only of the permission sets they create. They can modify any permission set they own, but
cannot change the owner of the permission set.
If you designate the repository owner as the owner of a permission set, that permission set is a
System (or Public) permission set. Only a superuser, system administrator, or the repository owner
can edit the permission set. If a different user is the owner of the permission set, it is a Regular
(or Private) permission set. It can be edited by the owner, a superuser, system administrator, or
the repository owner.
A user with Write or Delete permission can change which permission set is assigned to an object.
Security protects the information in each repository using object permissions to control access to
cabinets, folders, documents, and other objects. Object permissions determine what actions users can
perform on objects. Permissions can be added, removed, modified, or replaced, and set differently for
different users.
If you use Documentums Web Publisher and if the user does not assign the default permission
set, the Content Server assigns a default permission set according to the setting in the default_acl
property in the server config object.

Changing default operating system permits on


public directories and files (UNIX only)
On UNIX platforms, Content Server assigns default operating system permissions to newly created
files and directories. For example, when DFC creates directories on the client machines or writes
files to directories on the client machines, it assigns default operating system permissions to those
directories and files.
Internally, Content Cerver refers to permissions with the symbolic names dmOSFSAP_Public,
dmOSFSAP_Private, dmOSFSAP_Public ReadOnly, dmOSFSAP_PrivateReadOnly, and
dmOSFSAP_PublicOpen. The dmOSFSAP_PublicOpen permissions assigned to public directories

EMC Documentum Content Server Administration and Configuration 6.7 Guide

213

Security and Authentication

and files can be modified using the umask key in the server.ini file or the dfc.data.umask value in the
dfc.properties file. Setting umask affects all public directories and files created after the key is set. By
default the dmOSFSAP_PublicOpen permissions are 777 for directories and 666 for files.
The dfc.data.umask value works similarly to the UNIX umask functionality. The value is subtracted
from the default permissions to determine the actual permissions assigned to a file or directory. For
example, if you set umask=2, then the default permissions assigned to directories becomes 775 and
the default permissions for files becomes 664. Or, if you set umask=22, then the permissions become
755 for directories and 644 for files.
For more information about the umask key, refer to umask, page 83.

Folder security
Folder security is an additional level of security that supplements the existing repository security.
Implementing this security option further restricts allowable operations in a repository. Folder
security prevents unauthorized users from adding documents to, removing documents from, or
changing contents of secured folders. When folder security is enabled, a user must have Write
permission or Change Folder Links permission for the:
Target folder to create, import, copy, or link an object into the folder.
Source folder to move or delete an object from a folder.
Folder security only pertains to changing the contents in a folder. For example, a user with Browse
permission on a folder can still check out and check in objects within the folder.
If you use Documentums Web Publisher, and if folder security is used in a repository, any content files
in the WIP state must have the same permission as the folder. To use the same folder permission, the
administrator must ensure the lifecycle in WIP state does not apply any set ACL action. For example:
WIP - folder acl
Staging - WP "Default Staging ACL"
Approved - WP "Default Approved ACL"

The following table lists the actions affected by folder security.


Table 54. Permissions required under folder security

Action

Requires at least Write or Change Folder Links


permission for:

Create an object

Cabinet or folder in which you create the new


object

Import file(s) or folder

Cabinet or folder to which you import the file(s)


or folder

Move an object

Both the cabinet or folder from which you


remove the object and the destination folder or
cabinet

Copy an object

Destination cabinet or folder

Link an object

Destination cabinet or folder

214

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Action

Requires at least Write or Change Folder Links


permission for:

Unlink an object

Cabinet or folder from which you unlink the


object

Delete one version of a document

The documents primary folder

Delete all versions of a document

The documents primary folder

Delete unused versions of a document

The documents primary folder

Consult the repository administrator to determine if folder security is enabled in the repository.

Additional access control entries


When Trusted Content Services is enabled in a repository, additional access control entries are
available. Set up the additional access control entries on the Permissions page under the Security
node. The access control entries described in the following table are independent of each other, not
hierarchical, and must be explicitly assigned.
Table 55. Additional access control entries

Access control entry

Effect of the entry

Access Restriction

An access restriction entry denies a user the


right to the base object-level permission level
specified in the entry. For example, if a user
would otherwise have Delete permission as
a member of a particular group, an access
restriction might limit the user to, at most,
Version permission. The user would therefore
lose Write and Delete permissions.

Extended Restriction

An extended restriction entry denies a user


or the members of a specified group the
specified extended object-level permission. For
example, if a user would otherwise have Change
Permission rights as a member of a particular
group, an extended restriction would remove
that right.

Required Groups

A required group entry requires a user


requesting access to an object governed by the
permission set to be a member of the group
identified in the entry. If there are entries for
multiple groups, the user must be a member
of all the groups before Content Server allows
access to the object.

Required Group Set

A required group set entry requires a user


requesting access to an object governed by the

EMC Documentum Content Server Administration and Configuration 6.7 Guide

215

Security and Authentication

Access control entry

Effect of the entry


permission set to be a member of at least one
group in the set of groups.

Default alias sets


The Content Server adds two default aliases to a permission set:
dm_owner: Represents the owner of the permission set.
dm_world: Represents all repository users.
Note: You cannot delete dm_owner or dm_world aliases from a permission set.

Access evaluation process


When a user who is not the owner of the object or a superuser requests access to an object, Content
Server evaluates the entries in the permission set of the object, as follows:
1.

Checks for a basic access permission or extended permission entry that gives the user the
requested access level (Browse, Read, Write, and so forth)
Note: Users are always granted Read access if the user owns the document, regardless of whether
there is an explicit entry granting Read access or not.

2.

Checks for no access restriction or extended restriction entries that deny the user access at the
requested level.
A restricting entry, if present, can restrict the user specifically or can restrict access for a group
to which the user belongs.

3.

If there are required group entries, the server checks that the user is a member of each specified
group.

4.

If there are required group set entries, the server checks that the user is a member of at least one
of the groups specified in the set.
If the user has the required permission, with no access restrictions, and is a member of any
required groups or groups sets, the user is granted access at the requested level.

When a user is the object owner, Content Server evaluates the entries in the objects permission
set in the following manner:
1.

Checks if the owner belongs to any required groups or a required group set.
If the owner does not belong to the required groups or group set, then the owner is allowed only
Read permission as their default base permission, but is not granted any extended permissions.

2.

216

Determines what base and extended permissions are granted to the owner through entries for
dm_owner, the owner specifically (by name), or through group membership.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

3.

Applies any restricting entries for dm_owner, the owner specifically (by name), or any groups to
which the owner belongs.

4.

The result constitutes the owners base and extended permissions.


If there are no restrictions on the base permissions of the owner and the dm_owner entry does
not specify a lower level, the owner has Delete permission by default.
If there are restrictions on the base permission of the owner, the owner has the permission
level allowed by the restrictions. However, an owner will always have at least Browse
permission; they cannot be restricted to None permission.
If there are no restrictions on the owners extended permissions, they have, at minimum, all
extended permissions except delete_object by default. The owner may also have delete_object
if that permission was granted to dm_owner, the user specifically (by name), or through a
group to which the owner belongs.
If there are restrictions on the owners extended permissions, then the owners extended
permissions are those remaining after applying the restrictions.

When Content Server evaluates a superusers access to an object, the server does not apply
AccessRestriction, ExtendedRestriction, RequiredGroup, or RequiredGroupSet entries to the
superuser. A superusers base permission is determined by evaluating the AccessPermit entries for
the user, for dm_owner, and for any groups to which the user belongs. The superuser is granted the
least restrictive permission among those entries. If that permission is less than Read, it is ignored and
the superuser has Read permission by default.
A superusers extended permissions are all extended permits other than delete_object plus any
granted to dm_owner, the superuser by name, or to any groups to which the superuser belongs. This
means that the superusers extended permissions may include delete_object if that permit is explicitly
granted to dm_owner, the superuser by name, or to groups to which the superuser belongs.

Permission sets
Permission sets are displayed on the Permission Sets page and are accessed by selecting
Administration > Security. The Permission Sets page displays all permission sets that are configured
for the repository, as described in Table 56, page 217
Table 56. Permissions Sets page

Column

Description

Name

The object name of the permission set.

Owner

The user or group that owns the permission set.

Class

Specifies set how the permission set is used:


Regular: The permission set can only be used
by the owner.
Public: The permission set can be used by
any user.

Description

A description of the permission set.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

217

Security and Authentication

Locating a permission set


Use the instructions in this section to locate permission sets.

To locate a permission set:


1.

Navigate to Administration > Security.


The Permission Sets list page appears.

2.

To view a specific permission set type:


Select Current Users Permission Sets to view only your permission sets.
Select System Permission Sets to view only system permission sets.
Select Manually Created to view only manually-created permission sets.
Select Auto Generated to view only automatically-created permission sets.

Creating, viewing, or modifying permission sets


Use the instructions in this section to create new permission sets.

To create, view, or modify a permission set:


1.

Navigate to Administration > Security.


The Permission Sets list page appears.

2.

Do one of the following:


Select File > New > Permission Set to create a permission set.
Select a permission set, the select View > Properties > Info to view or modify the properties of
the permission set.

3.

Enter the properties on the Info tab of the New Permission Set - Info or view and modify
properties on the Info tab of the Permission Sets Properties page, as described in Table 57,
page 218.

4.

Enter the properties on the Permissions tab of the New Permission Set - Info or view and
modify properties on the Permissions tab of the Permission Sets Properties page, as described
in Table 58, page 219.

5.

Click OK to save your changes.


Before the permission set is saved, Content Server validates the permission set, as described in
Permission set validation, page 226.

Table 57. Permission set properties

Field label

Value

Name

The name of the permission set.

Description

A description of the permission set.

218

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Field label

Value

Owner

Indicates who owns the permission set.


If connected as a superuser or the repository owner, you can
change who owns the permission set.
If creating a permission set and connected with user privileges
other than superuser or the repository owner, you are the
owner.

Class

Specifies the class for the permission set. Valid values are:
Regular: Only the user or group who creates the permission
set can use it. Any user or group in the repository except the
repository owner can create a Regular permission set.
Public: The permission set used by anyone in a repository.
Any user or group in the repository can create a Public
permission set. Public permission sets can be modified or
deleted and deleted only by the permission set owner (the user
or group that creates it), a superuser, a system administrator,
or the repository owner. If the repository owner is the owner
of a particular permission set, it is called a system permission
set.

Adding, viewing, or modifying permissions for a


permission set
Permissions are added, viewed, or modified on the Permissions tab of the New Permission Set - Info
or the Permissions tab of the Permission Sets Properties page, as described in Table 58, page 219.
Table 58. Permission properties

Field label

Value

Required Groups

A required group entry requires a user requesting access to an


object governed by the permission set to be a member of the
group identified in the entry. If there are entries for multiple
groups, the user must be a member of all of the groups before
Content Server allows access to the object.
Click Add to access the Choose a group page to add groups
to the permission set, of which a user must be a member for
repositories where Trusted Content Services is enabled.
Select a group and click Remove to remove a required group.

Group

Displays groups of which a user must be a member for


repositories where Trusted Content Services is enabled. If
no groups are defined, the system displays the message No
Required Groups exist for the permission set.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

219

Security and Authentication

Field label

Value

Required Group Set

A required group set entry requires a user requesting access to an


object governed by the permission set to be a member of at least
one group in the set of groups.
Click Add to access the Choose a group page to add groups to
the permission set, of which a user must be a member of at least
one for repositories where Trusted Content Services is enabled.
Select a group and click Remove to remove a group set.

Group

Displays groups of which a user must be a member of at least


one for repositories where Trusted Content Services is enabled.
If no groups are defined, the system displays the message No
Required Groups exist for the permission set.

Grant access to

The Content Server automatically adds dm_owner and


dm_world to a permission set. The default alias dm_owner
represents the owner of the permission set and dm_world
represents all repository users. You cannot delete dm_owner or
dm_world from a permission set.
Click Add to add users or groups and their permissions for
the permission set.
Select a user and click Edit to modify basic or extended
permissions.
Select a user and click Remove to delete a user or group from
the permission set.
Select a user and click Add to group to add them to access
the Add to Group page.

Accessors

Displays users and groups who are included in the permission


set.

Permissions

Displays the basic permission level access for the user or group.
To change the basic permission level access, select a user and
click Edit.

Extended Permissions

Displays the extended permissions for the user or group. To


change the extended permissions, select a user and click Edit.

Conflict

If there are validation conflicts, the system displays reasons for


the conflicts. For example:
Not a member of the following required group: Indicates
which required groups that a user currently does not have
any membership to.
Not a member of any required group set: Indicates that the
user currently is not a member of any group in the required
group set.

220

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Field label

Value

Deny access to

An access restriction entry denies a user the right to the base


object-level permission level specified in the entry. For example,
if a user would otherwise have Delete permission as a member
of a particular group, an access restriction might limit the user
to, at most, Version permission. The user would therefore lose
Write and Delete permissions.
Click Add to add users or groups to restrict their permissions
for the permission set.
Select a user and click Edit to modify basic or extended
permission restrictions.
Select a user and click Remove to delete an access restriction
entry.
Select a user and click Add to group to access the Add to
Group page to add the user to a group or group set.

Accessors

Displays users and groups who have restricted permissions in


the permission set.

Denied Access Level

Displays the restricted access level for the user or group. For
example, if the user would otherwise have Delete permission as
a member of a particular group and you set it to Version, the
user loses Write and Delete permissions. To change the restricted
basic permission level access, select a user and click Edit.

Extended Restrictions

Displays the extended restrictions for the user or group. To


change the extended restrictions, select a user and click Edit.

Conflict

If there are validation conflicts, the system displays reasons for


the conflicts.

Copying a permission set


Use the instructions in this section to copy a permission set. You can only copy a permission set if you
are connected as a superuser. The File > Save As... option only displays for superusers.

To copy a permission set:


1.

Navigate to Administration > Security.


The Permission Sets list page appears.

2.

Select a permission set that you want to copy.

3.

Select the File > Save As... option.


The Permission Set Properties page appears.

4.

Edit general information on the Permission Set Properties - Info page.

5.

Click the Permissions tab to edit/assign permission sets for users/groups.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

221

Security and Authentication

6.

Click OK.

Adding users to permission sets


Use the instructions in this section to add users to a permission set.

To add users to an existing permission set:


1.

Navigate to Administration > Security.


The Permission Sets list page displays.

2.

Select the permission set to modify and then select View > Properties > Info.
The Info page appears where you can edit the description or change the class of the permission set.

3.

Click the Permissions tab.


The Permissions page displays.

4.

In the Grant access to section, click Add.


The first set of users, groups, and roles in the repository is displayed on the Choose a user/group
page.
To view more users, groups, and roles, click the navigation arrows.
To display only users, groups, or roles, select Show Users, Show Groups, or Show Roles.

5.

Select the users, groups, or roles to add to the permission set.


a.

Select the checkbox next to the names of any users, groups, or roles to add to the permission
set.

b. Click the Add arrow.


c.

Click OK or Cancel.
Click OK to add the users, groups, and roles to the permission set.
The system displays the Set Access Permission page.
Click Cancel to cancel the operation and return to the Permissions page.

6.

On the Set Access Permission page, select the basic and extended permissions for each user,
group, or role being added.

7.

Click Next, Finish, or Cancel.


Click Next to assign permissions to each individual user, group, or role.
Click Finish to apply the changes to all the remaining users, groups, and roles.
The system displays the Confirm page with the message that proceeding will apply the
changes to all the remaining selections. To apply individual changes to different selections,
click Cancel and walk through the selections using the Next and Previous buttons.
Click Cancel to cancel the operation and return to the Permissions page without adding any
users, groups, or roles to the permission set.

222

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Deleting users from permission sets


Use the instructions in this section to delete a user from a permission set.

To delete users from a permission set:


1.

Navigate to Administration > Security.


The Permission Sets list page appears.

2.

Select the permission set to modify and then select View > Properties > Info.
The Info page appears where you can edit the description or change the class of the permission set.

3.

Click the Permissions tab.


The Permissions page appears.

4.

In the Grant access to section, select the checkbox next to the users to delete.

5.

Click Remove.

6.

Click OK or Cancel.
Click OK to delete the users from the permission set.
Click Cancel to cancel the operation and return to the Permission Sets list page without
deleting users from the permission set.

Deleting a permission set


Use these instructions to delete permission sets.

To delete a permission set:


1.

Navigate to Administration > Security.

2.

Select the permission sets to delete.

3.

Select File > Delete.

4.

Click OK.

Assigning basic and extended object permissions


On the Set Access Permissions page, set the basic and extended permissions for a user.

To assign basic and extended permissions:


1.

To set the users basic permissions, select the correct level from the Basic Permissions drop-down
list.
The permission levels are cumulative; that is, a user with Read permission on an object can read
an associate content file and also view the objects properties. The permission levels are:
None

EMC Documentum Content Server Administration and Configuration 6.7 Guide

223

Security and Authentication

No access is permitted to the object.


Browse
Users can view the properties but not the content of the object.
Read
Users can view both the properties and content of the object.
Relate
Users can browse, read, and add annotations to the object.
Version
Users can browse, read, relate, and they can modify the content of the object. Users can
check in a new version of the object (with a new version number). Users cannot overwrite
an existing version or edit object properties.
Write
Users can browse, read, relate, version, and they can edit object properties and check in the
object as the same version.
Delete
Users can browse, read, relate, version, write, and delete items.
2.

To assign extended permissions to a user, select the appropriate checkboxes.


The extended user permissions are not cumulative. The extended permission levels are:
Execute Procedure
Superusers can change the owner of an item and can use Execute Procedure to run external
procedures on certain item types. A procedure is a Docbasic program stored in the repository
as a dm_procedure object.
Change Location
Users with Change Location permissions can move an object in the repository. A user must
also have Write permission to move the object. To link an object, a user must also have
Browse permission.
Change State
Users with Change State permissions can change the state of an object with a lifecycle applied
to it.
Change Permission
Users with Change Permissions can modify the basic permissions of an object.
Change Ownership
Users with Change Ownership permissions can change the owner of the object. If the user is
not the object owner or a superuser, the user must also have Write permission.
Extended Delete
Users with the Delete Object extended permission have the right only to delete the object.
For example, a user is allowed to delete documents but not to read them. This is useful for
Records Management applications where discrete permissions are common.

224

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

3.

Click Next to assign the permissions of the next accessor, Finish to assign the same permissions
to all accessors whose permissions you are changing, or Cancel to exit the operation without
saving any changes.

Permission set associations


Use the instructions in this section to locate the objects that use a particular permission set.

To view permission set associations:


1.

Navigate to Administration > Security.


The Permission Sets list page appears.

2.

Locate and select a permission set.

3.

Select View > Associations.


The Permission Set Associations page appears that displays a list of documents that use the
permission set.

4.

To view objects or users who use the permission set, select that object type from the list.

Changing the permissions assigned to a user


Use the instructions in this section to change user permissions in a permission set.

To change the permissions of a user:


1.

Navigate to Administration > Security.


The Permission Sets list page displays.

2.

Select the permission set to modify and then click View > Properties > Info.
The Info page displays.

3.

Click the Permissions tab.


The Permissions page displays.

4.

In the Grant access to section, select the users to modify.

5.

Click Edit.
The Set Access Permission page displays

6.

Change the user permissions.

7.

Click OK, Previous, Next, Finish, or Cancel.


Click OK to apply the changes to the permission set and return to the Permissions page.
Click Next or Previous to assign different permissions to the next or previous user.
Click Finish to apply the changes to all remaining users.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

225

Security and Authentication

The system displays the Confirm page with the message that proceeding will apply the
changes to all the remaining selections. To apply individual changes to different selections,
click Cancel and walk through the selections using the Next and Previous buttons.
Click Cancel to cancel the operation and return to the Permissions page without changing
the permission set.
Note: The OK and Cancel buttons appear when only one checkbox is selected in the Grant access
to section on the Permissions page. If more than one checkbox is selected, the Previous, Next,
Finish, and Cancel buttons appear.
8.

Click OK or Cancel on the Permissions page.


Click OK to save the changes made to the permission set.
Click Cancel to cancel the operation and return to the Permission Sets list page without
deleting users from the permission set.

Permission set validation


Content Server validates permission sets before a permission set is saved, as follows:
New accessors (users or groups) for permissions are evaluated to confirm they belong to all the
required groups and at least one of the groups listed in the required group set.
New accessors for restrictions are evaluated to confirm that they belong to all the required groups
and at least one of the groups listed in the required group set.
If Trusted Content Services is enabled, the Content Server performs the following additional
validations:
When new groups are added to a required group list, all accessors listed for both permissions
and restrictions are evaluated and any accessors who do not belong to the newly added groups
are flagged.
When new groups are added to a required group set list, all accessors listed for both permissions
and restrictions are evaluated and any accessors who do not belong to the newly added groups
are flagged.
When a user accesses the permissions tab in this application:
Accessors currently listed for both permissions and restrictions are evaluated.
Accessors who do not belong to all the groups in the required groups list and to at least one of
the groups in the required group set are flagged.

Authenticating in domains
For domain authentication on Windows platforms, Content Server authenticates user names and
passwords within a domain. The user domain is stored in the user_os_domain property of the
user object. A default domain is defined for all users in the repository in the user_auth_target key
of the server.ini file.

226

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Whether the server uses the user-specific domain or the default domain for authentication depends on
whether the server is running in domain-required mode. By default, the Content Server installation
procedure installs a repository in no-domain required mode. If a Windows configuration has only
users from one domain accessing the repository, the no-domain required mode is sufficient. If the
users accessing the repository are from varied domains, using domain-required mode provides better
security for the repository.

No-domain required mode


In no-domain required mode, users are not required to enter a domain name when they connect to
the repository. In this mode, a user name must be unique among the user_os_name values in the
repository.
The server authenticates users depending on the user_os_domain property value. The property can
contain an asterisk (*), a blank, or a domain name.
If user_os_domain contains an asterisk or blank, Content Server authenticates the user with
the user name and the domain specified in the connection request. If no domain is included
in the connection request, the server uses the domain defined in the user_auth_target key in
the server.ini file.
If user_os_domain contains a domain name, Content Server authenticates against the domain
identified in the user_os_domain property.

Domain-required mode
In domain-required mode, users must enter a domain name or the name of an LDAP server when
they connect to the repository. The domain value is defined when the user is created and is stored in
the user_login_domain property in the user object.
In domain-required mode, the combination of the login name and domain or LDAP server name
must be unique in the repository. It is possible to have multiple users with the same user login name
if each user is in a different domain.
Trusted logins do not require a domain name even if the repository is running in domain-required
mode.

Principal authentication
Some applications require authenticating users with external authentication mechanisms that are not
accessible to Content Server. For these cases, Content Server supports principal authentication and
principal mode for privileged DFC clients (trusted clients). Principal mode is a DFC mechanism that
allows trusted clients to log in to Content Server without having to go through another password
authentication process.
Privileged DFC provides a client rights domain that is implemented using a client rights domain
object (dm_client_rights_domain). The client rights domain contains the Content Servers that share

EMC Documentum Content Server Administration and Configuration 6.7 Guide

227

Security and Authentication

the same set of client rights objects (dm_client_rights). The client rights domain is configured in a
global repository that acts as a governing repository. Multiple repositories can be grouped together
under the global repository to share privileged DFC information. The global repository propagates
all changes in the client rights objects to the repositories that are members of the domain.
Privileged DFC is configured using the Documentum Administrator interface.

Client rights domains


A client rights domain is a group of repositories that share the same client rights. The group of
repositories in a client rights domain is typically governed by a global repository (global registry).
The following rules and restrictions apply to a client rights domain and repository members of
that domain:
A client rights domain can only be configured in a global repository.
Only a global repository can be a governing repository.
A global repository can only have one client rights domain.
A global repository cannot be the governing repository and also a member repository of the
client rights domain.
A repository can only be a member of one client rights domain.
The global repository must have access to all member repositories in the client rights domain.
Changes to the client rights in the governing repository are automatically propagated to all
member repositories in the same domain.

Creating a client rights domain


Creating a clients right domain requires superuser privileges and the repository on which you are
creating a client rights domain must be a global registry.

To add a client rights domain:


1.

In Documentum Administrator, navigate to Administration > Client Rights Management >


Client Rights Domain to access the Client Rights Domain page.

2.

Select File > New > Client Rights Domain.


The New Client Rights Domain page displays.

3.

Enter a name for the client rights domain in the Name field.

4.

Select the Activate option to enable the client rights domain right now or do not select the option
to enable the client rights domain at a later time.

5.

Click OK to save your changes.

228

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Enabling or disabling a client rights domain


Any modifications to a client rights domain require superuser privileges.

To enable or disable a clients rights domain:


1.

Navigate to Administration > Client Rights Management > Client Rights Domain to access the
Client Rights Domain page.

2.

Select the client rights domain, then select View > Properties > Info.
The Client Rights Domain Properties page displays.

3.

Do one of the following:


Select Activate to enable an inactive client rights domain.
Deselect Activate to disable an active client rights domain.

4.

Click OK to save your changes.

Deleting a client rights domain


Deleting a clients rights domain requires superuser privileges. Deleting a client rights domain also
deletes associated member repository entries.
Deleting a client rights domain automatically starts dm_PropagateClientRights job, which removes
the associated member repository entries. The job execution can take approximately 2 to 4 minutes
and until the job has completed successfully, any member repository of the deleted client rights
domain cannot be associated with another client rights domain.

To delete a clients rights domain:


1.

Navigate to Administration > Client Rights Management > Client Rights Domain to access the
Client Rights Domain page.

2.

Select the client rights domain, then select File > Delete.
You are prompted to confirm that you want to delete the clients rights domain.

3.

Click OK to save your changes.

Adding member repositories


Adding a repository to a client rights domain requires superuser privileges.

To add a repository to a domain:


1.

Navigate to Administration > Client Rights Management > Client Rights Domain to access the
Client Rights Domain page.

2.

Select the client rights domain, then select File > View > Member Repositories.
The Member Repositories page displays.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

229

Security and Authentication

3.

Select File > Add Member Repository.


The Properties page displays

4.

Enter the information for the member repository as described in Table 59, page 230.

5.

Click OK to save your changes.

Table 59. Member repository properties

Field Name

Description

Member Repository Name

The name of the repository. The repository


cannot be the governing repository (global
registry).

Login Name

The login name of the repository user. The user


must have system administrator privileges and
be a member of the dm_sysadmin group.

Password

The password of the repository user.

User Login Domain

The name of the login domain for the user.


Optional property.

Application Alias Name

The application name for the DFC instance.


Optional property.

Viewing repository memberships


Viewing a member repository or modifying repository login information in a client rights domain
requires superuser privileges.

To view a member repository:


1.

Navigate to Administration > Client Rights Management > Client Rights Domain to access the
Client Rights Domain page.

2.

Select the client rights domain, then select File > View > Member Repositories.
The Member Repositories page displays.

3.

Select the member repository you want to view, then select File > View > Properties.
The Properties page displays.
You can view the member repository name and login name information. You can only modify
the login name field value.
If the domain name was specified when the repository was initially added to the client rights
domain, the login name field also displays the domain name. In this case, you must enter the
domain name with the login name using the same format:
<DOMAIN_NAME>\<LOGIN_NAME>

Make sure that you enter the correct domain name and login name. Content Server does not
validate the domain or the login name. The new values are saved, even if they are invalid.
4.

230

Click OK.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Removing a member repository from a client rights domain


Removing a member repository from a client rights domain requires superuser privileges. Removing
a member repository also removes the client rights entries from the member repository.
Removing a member repository automatically starts dm_PropagateClientRights job, which removes
the client rights entries from the member repository. The job execution can take approximately 2 to 4
minutes and until the job has completed successfully, the member repository cannot be associated
with another client rights domain.

To remove a member repository:


1.

Navigate to Administration > Client Rights Management > Client Rights Domain to access the
Client Rights Domain page.

2.

Select the client rights domain, then select File > View > Member Repositories.
The Member Repositories page displays.

3.

Select the member repository you want to remove, then select File > Delete.
You are prompted to confirm that you want to remove the repository from the clients rights
domain.

4.

Click OK.

Privileged clients
Privileged DFC is the term used to refer to DFC instances that are recognized by Content Servers
as privileged to invoke escalated privileges or permissions for a particular operation. In some
circumstances, an application needs to perform an operation that requires higher permissions or a
privilege than is accorded to the user running the application. In such circumstances, a privileged
DFC can request to use a privileged role to perform the operation. The operation is encapsulated in a
privileged module invoked by the DFC instance. Supporting privileged DFC is a set of privileged
groups, privileged roles, and the ability to define TBOs and simple modules as privileged modules.
The privileged groups are groups whose members are granted a particular permission or privileged
automatically.
Each installed DFC has an identity, with a unique identifier extracted from the PKI credentials. The
first time an installed DFC is initialized, it creates its PKI credentials and publishes its identity to the
global registry known to the DFC. In response, a client registration object and a public key certificate
object are created in the global registry. The client registration object records the identity of the DFC
instance. The public key certificate object records the certificate used to verify that identity.
In Documentum Administrator, the privileged DFC clients are managed on the Privileged Clients
page (Figure 3, page 232). To access the Privileged Clients page, select Administration > Client
Rights Management >
Privileged Clients.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

231

Security and Authentication

Figure 3. Privileged Clients page

The Privileged Clients page provides the following information:


Table 60. Privileged Clients page information

Column

Description

Client Name

The name of the DFC client.

Client ID

A unique identifier for the DFC client.

Host Name

The name of the host on which the DFC client is installed.

Approved

Indicates if the given DFC client is approved to perform


privilege escalations.

Manage Clients

The Manage Client button displays the Manage Client page,


which lists all DFC clients that are registered in the global
registry.

For information about locating registered DFC clients and adding them as privileged DFC clients,
refer to Adding privileged DFC clients, page 232.
For information about trusted login and trusted server privileges, refer to Configuring privileged
client trusted login and trusted server privileges, page 233.

Adding privileged DFC clients


The Manage Clients page displays the list of DFC clients created in the repository. When an you
select one or more DFC clients as a privileged DFC client, a DFC client object is created in the logged
in repository and displayed on the Privileged Clients page. The public key certificate is copied to
the local repository.
Note: To add a privileged DFC client, you must be logged in as a superuser and you must be the
owner of the dm_acl_superusers ACL or the install owner.
1.

Navigate to Administration > Client Rights Management > Privileged Clients to access the
Privileged Clients list page.

2.

Click Manage Clients to access the Manage Clients page.


Note: The Manage Clients button is disabled if a global registry is not configured or is unavailable.

3.

To search for a DFC client, enter the name, or a portion of the name of the DFC client in the
search field, then click

The system displays all registered DFC clients that match the criteria that you entered.

232

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

4.

Select the registered DFC clients that you want to add as privileged clients, then click

The selected DFC clients move to the right side.


5.

Click OK to return to the Privileged Clients list page.

Configuring privileged client trusted login and trusted


server privileges
Privileged Client trusted login and trusted server privileges are configured on the Privileged Client
Properties page.

To enable or disable trusted login and trusted server privileges:


1.

Navigate to Administration > Client Rights Management > Privileged Clients to access the
Privileged Clients list page.

2.

Click the Manage Clients button on the top right to access the Manage Clients page.
Note: The Manage Clients button is disabled if a global registry is not configured or is unavailable.

3.

Select the privileged client for which you want to enable or disable trusted login or trusted server
privileges and select View > Properties > Info or right-click and select Properties.
The Privileged Client Properties page displays.

4.

Enable or disable trusted login or trusted server privileges, by selecting the Trusted Login and
Trusted Server Privilege fields, as described in Table 61, page 233.

Table 61. Privileged client properties

Field label

Value

Client Name

The name of the DFC client.

Client ID

The unique identifier for the DFC client.

Host Name

The name of the host on which the DFC client is installed.

Client Privilege

Indicates whether the DFC client is approved to perform privilege


escalations.

Trusted Login

Specifies whether the client is allowed to create sessions for users


without user credentials.
Select this option to enable the client to create sessions for users
without credentials.

Trusted Server Privilege

Specifies whether the DFC client is part of a trusted Content Server


domain. If this option is enabled, the client has direct access to the
repositories on the server.

Is globally managed

Select to propagate the privileged DFC information by domain.


Optional property.

Application Name

The application name for the DFC instance. Optional property.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

233

Security and Authentication

Approving or denying privileged clients


DFC client privilege escalations are approved or denied on the Privileged Clients page.

To approve or deny privileged clients:


1.

Navigate to Administration > Client Rights Management > Privileged Clients to access the
Privileged Clients list page.

2.

If the DFC client does not appear on the Privileged Clients list page, click Manage Clients to
access the Manage Clients page and add the DFC client, as described in Adding privileged
DFC clients, page 232.

3.

To approve a privileged DFC client, select the DFC client and do one of the following:
Select Tools > Approve Privilege.
Right-click and select Approve Privilege.

4.

To deny a privileged DFC client, select the DFC client and do one of the following:
Select Tools > Deny Privilege.
Right-click and select Deny Privilege.

Deleting a DFC client and certificate


Use the instructions in this section to delete a DFC client and the certificate. You cannot delete a
certificate is also used by another DFC client.

Deleting a DFC certificate.


1.

Navigate to Administration > Client Rights Management > Privileged Clients to access the
Privileged Clients list page.

2.

Select the DFC client you want to delete, then select Tools > Remove from List.

Administrator access sets


The administrator access functionality enables access to administration nodes based on roles. The
nodes, such as Basic Configuration, User Management, Job Management, and Audit Management,
provide access to different repository and server functions.
In Documentum Administrator, the administrator access sets are managed on the Administrator
Access Sets page. To access the Administrator Access Sets page, select Administration >
Administrator Access.
Note: Administrator Access functionality is available only on Documentum 6 and later repositories.
Administrator access set definitions reside in the global registry. The access sets do not conflict
with Content Server privileges. Object level and user level permissions and permission sets take

234

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

precedence over administrator access sets. In general, administrator access sets control node access
as follows:
Users are not assigned an administrator access set and do not have superuser privileges, cannot
access administration nodes.
Users who are assigned an administration access set, but do no have superuser privileges, can
only access the nodes that are enabled in their administration access set.
Users with superuser privileges and at least coordinator client capabilities are not affected by
administrator access sets. These users always have access to the entire administration node.
The Groups node is always enabled for users with Create Group privileges.
The Types node is always enabled for users with Create Type privileges.
The list of available roles is retrieved from the repository to which the administrator is connected. To
ensure that administrator access sets function correctly across an application, the roles associated
with the administrator access sets must exist in all repositories.
Note: The following Administration nodes are currently not available for the administrator access
set functionality:
Work Queue Management
Distributed Content Configuration
Privileged Clients
The User Management chapter provides information about setting up roles.

Creating, viewing, or modifying administrator access


sets
Use the instructions in this section to create new administrator access sets. Only users with superuser
privileges and Coordinator client capabilities or greater can create, view, or modify administrator
access sets.

To create administrator access sets:


1.

Connect to a repository with superuser privileges and client capability of Coordinator or greater.

2.

Navigate to Administration > Administrator Access.


The Administrator Access Sets list page appears.

3.

Do one of the following


To create an administrator access set, select File > New > Administrator Access Set.
The New Administrator Access Set - Info page displays.
To view or modify an administrator access set, select the access set, then select View >
Properties > Info.
The Administrator Access Set Properties page displays.

4.

Enter or modify administrator access set information, as described in Table 62, page 236.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

235

Security and Authentication

5.

Click OK to save your changes.

Table 62. Administrator access set properties

Field label

Value

Name

Name of the administrator access set. The administrator access set name
must be unique. After creating and saving an administrator access set,
the name cannot be modified.

Description

Description of the administrator access set.

Nodes

Select one or more node options to designate the nodes that users with
this administrator access set can access. At least one node must be
selected for an administrator access set. The available node options are:
Basic Configuration
LDAP Server Configuration
Java Method Servers
User Management
Audit Management
Jobs and Methods
Content Objects
Storage Management
Content Delivery
Index Management
Content Intelligence
Content Transformation Services
Resource Management

Assigned Role

Indicates the role assigned to the administrator access set. If the role does
not exist in the connected repository, the role is displayed in a red font.
To select or modify a role, click Select to select a role on the Choose a
role page. The assigned role must be unique for an administrator access
set or an error message displays, prompting the user to select a different
role.
The list of available roles is retrieved from the repository to which the
administrator is connected. To ensure that administrator access sets
function correctly across an application, the roles associated with the
administrator access sets must exist in all repositories. If an assigned
role is missing in a connecting repository, the administrator access
set does not apply for the missing role. Documentum Administrator
displays a message notifying the user when an assigned role is missing.

236

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Field label

Value
Administrator access sets can be created without assigning a role, and
they can contain an inactive or missing role. This is useful during the
initial setup of your system.

Deleting administrator access sets


Use the instructions in this section to delete administrator access sets. Only users with superuser
privileges and Coordinator client capabilities or greater can delete administrator access sets.

To delete administrator access sets:


1.

Connect to a repository with superuser privileges.

2.

Navigate to Administration > Administrator Access.


The Administrator Access Sets list page appears.

3.

Select an administrator access set and then select File > Delete.
The Delete Administrator Access Set page appears.

4.

Click one of the following:


OK to delete the object.
Finish to delete multiple objects.
Cancel to exit without deleting any administrator access sets.
The Administrator Access Sets list page appears.

Managing Authentication Plug-Ins, Signatures,


and Encryption Keys
Using authentication plug-ins
Content Server supports authentication plug-ins that are implemented as DLLs or shared libraries,
depending on the platform hosting the plug-in. The two plug-ins provided with Content Server are
for RSA and CA SiteMinder support. You can also write and install custom modules.

Plug-in scope
You can use a plug-in to authenticate users connecting to a particular repository or to any repository
in the installation. All plug-in modules are installed at the root of the base directory or one of the
subdirectories. If they are installed at the root of the base directory, they are loaded for all repositories

EMC Documentum Content Server Administration and Configuration 6.7 Guide

237

Security and Authentication

in the installation. If the plug-ins are installed in repository-specific subdirectories, they are only
loaded for those specific repositories.
A default %DOCUMENTUM%\dba\auth ($DOCUMENTUM/dba/auth) base directory is created
automatically during Content Server installation. For every repository, there is a subdirectory under
the base directory specific to that repository. There also is a location object, called auth_plugin, that
points to the base directory and sets the auth_plugin_location property in the server configuration
object to the name of the location object.
When a Content Server starts, it loads the plug-ins found in its repository-specific directory first
and then those located in the base directory. If two or more plug-ins loaded by the server have
the same identifier, only the first one loaded is recognized. The remaining plug-ins with the same
name are not loaded.

Identifying a plug-in
There are two ways to identify an authentication plug-in:
Include the plug-in identifier in the connection request arguments.
Set the User Source property of a user account to the plug-in identifier of the module.
When Content Server receives a connection request, it checks whether a plug-in identifier is included
in the arguments. If not, the server examines the User Source property of the user account to
determine which authentication mechanism to use.
To use a plug-in to authenticate users for connection requests issued by an application, the application
must prepend the plug-in identifier to the password argument before sending the connection
request to the DMCL.
When you want to use a plug-in to authenticate a particular user regularly, set the User Source
property of that user account to the plug-in identifier.

Defining a plug-in identifier


Plug-in identifiers are defined as the return value of the dm_init method in the interface of the plug-in
module. A plug-in identifier must conform to the following rules:
It must be no longer than 16 characters.
It cannot contain spaces or non-alphanumeric characters.
It cannot use the prefix dm_. (This prefix is reserved for Documentum.)
For example, the following are valid identifiers:
myauthmodule
authmodule1
auth4modul
To include a plug-in identifier in a connection request, the application must prepend the following
syntax to the password argument:
DM_PLUGIN=plugin_identifier/

238

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Plug-in identifiers are accepted in all methods that require a password.

Using the RSA plug-in


The EMC RSA Plugin for Documentum allows Content Server to authenticate users based on RSA
ClearTrust single sign-on tokens instead of passwords.
EMC Documentum Webtop and WebPublisher, and other Documentum WDK-based applications,
support the RSA plug-in, with some configuration required. The configuration requirements are
described in the Web Development Kit and Client Application Development Guide.
The Content Server installation procedure stores the plug-in in the %DM_HOME%\install\external_
apps\authplugins\RSA ($DM_HOME/install/external_apps/authplugins/RSA) directory. There is a
README.txt file that describes how to install the plug-in. Table 63, page 239 lists the files for the
plug-in on the supported platforms.
Table 63. RSA plug-in modules

Platform

Plug-in module

Windows

dm_rsa.dll

Solaris, Linux, and AIX

dm_rsa.so

HP-UX PA-RISC

dm_rsa.sl

HP Itanium

dm_rsa.so

Using the CA SiteMinder plug-in


Documentum provides an authentication plug-in supporting authentication against a CA SiteMinder
Policy Server. The plug-in enables validation of CA SiteMinder tokens sent to Content Server
by Web-based clients.
Note: The CA SiteMinder plug-in is not supported on the HP Itanium platform.
EMC Documentum Webtop supports the CA SiteMinder Plug-in, with some configuration required.
The configuration requirements are described in the Web Development Kit Deployment Guide.
The Content Server installation procedure stores the plug-in in the %DM_HOME%\install\external_
apps\authplugins ($DM_HOME/install/external_apps/authplugins/) directory. There is a
README.txt file that describes how to install the plug-in. Table 64, page 239, lists the files for the
plug-in on the supported platforms.
Table 64. CA SiteMinder plug-in files

Platform

File

Windows

dm_netegrity_auth.dll

EMC Documentum Content Server Administration and Configuration 6.7 Guide

239

Security and Authentication

Platform

File

Solaris, Linux, and AIX

dm_netegrity_auth.so

HP-UX on PA-RISC

dm_netegrity_auth.sl

The directory also includes the CA Siteminder header files and libraries, to allow you to rebuild
the plug-in.
To use the plug-in after you install it, include the plug-in identifier in connection requests or set the
user_source property in users to the plug-in identifier. (Identifying a plug-in, page 238, contains
more information.)
The plug-in identifier for the CA SiteMinder plug-in is dm_netegrity.
Note: The dm_netegrity plugin user authentication fails when the SiteMinder WebAgent uses NTLM
authentication instead of BasicPassword authentication to protect a web resource, such as Webtop.
The dm_netegrity plug-in is currently unable to match the user distinguished name (DN).

Implementing a custom authentication plug-in


You can write and install custom authentication plug-ins. On a Windows platform, the plug-in must
be a DLL. On a UNIX platform, the plug-in must be a shared library.
Authentication plug-ins that require root privileges to authenticate users are not supported. If you
want to write a custom authentication mechanism that requires root privileges, use a custom external
password checking program.
Caution: This section outlines the basic procedure for creating and installing a custom
authentication plug-in. Documentum provides standard technical support for plug-ins that are
created and provided with the Content Server software, as part of the product release. For
assistance in creating, implementing, or debugging a custom authentication plug-in, contact
Documentum Professional Services or Documentum Developer support.

To implement a custom authentication plug-in:


1.

Write the plug-in, as described in Writing the authentication plug-in, page 240.

2.

Install the plug-in, as described in Plug-in scope, page 237.

3.

Enable the plug-in, as described in Identifying a plug-in, page 238.

4.

Restart Content Server to load the new plug-in.

Writing the authentication plug-in


To write an authentication plug-in, you must implement the following interface:
dm_init(void *inPropBag, void *outPropBag)
dm_authenticate_user(void *inPropBag, void *outPropBag)
dm_change_password(void *inPropBag, void *outPropBag)
dm_plugin_version(major, minor)
dm_deinit(void *inPropBag, void *outPropBag)

240

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

The inPropBag and outPropBag parameters are abstract objects, called property bags, used to pass
input and output parameters. The methods have the following functionality:
dm_init
The dm_init method is called by Content Server when it starts up. The method must return the
plug-in identifier for the module. The plug-in identifier should be unique among the modules
loaded by a server. If it is not unique, Content Server uses the first one loaded and logs a warning
in the server log file.
dm_authenticate
The dm_authenticate_user method performs the actual user authentication.
dm_change_password
The dm_change_password method changes the password of a user.
dm_plugin_version
The dm_plugin_version method identifies the version of the interface. Version 1.0 is the only
supported version.
dm_deinit
The dm_deinit method is called by Content Server when the server shuts down. It frees up
resources allocated by the module.
the dmauthplug.h header file contains detailed comments about each of the interface methods. The
header file resides in the %DM_HOME%\install\external_apps\authplugins\include\dmauthplug.h
($DM_HOME/install/external_apps/authplugins/include/dmauthplug.h) directory. All authentication
plug-ins must include this header file.
Additionally, all plug-ins must link to the dmauthplug.lib file in the %DM_HOME%\install\external_
apps\authplugins\include ($DM_HOME/install/external_apps/authplugins/include) directory. On
Solaris, the dmauthplug.lib file is named dmauthplug.a.

Internationalization
An authentication plug-in can use a code page that differs from the Content Server code page. To
enable that, the code page must be passed in the output property bag of the dm_init method. If the
code page is passed, Content Server translates all parameters in the input property bag from UTF-8 to
the specified code page before calling the dm_authenticate_user or dm_change_password methods.
The server also translates back any error messages returned by the plug-in. A list of supported code
pages is included in the header file, dmauthplug.h.

Tracing authentication plug-in operations


Plug-ins are responsible for writing their own trace files. The trace level is determined by the
DM_TRACE_LEVEL parameter in the input property bag. The initial value of the parameter is taken
from the server start up flag -otrace_authentication. However, if a user issues a SET_OPTIONS
administration method that changes the trace authentication level, the new level will be reflected
in the plug-in tracing.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

241

Security and Authentication

The suggested location of the trace file is defined by the DM_LOGDIR_PATH parameter in the
dm_init method.

Managing encrypted passwords


Content Server and many of the internal jobs that manage repository operations use passwords
stored in files in the installation. These passwords are stored in encrypted format by default. The
passwords are encrypted using the AEK during Content Server installation or job creation. Table 65,
page 242, lists the password files whose content is encrypted by default. All the files are found in
%DOCUMENTUM%\dba\config\repository_name ($DOCUMENTUM/dba/config/repository_name).
You must be the installation owner to access or edit these files.
Table 65. Password files encrypted by default

File

Description

dbpasswd.txt

This file contains one line with the database password used by
Content Server to connect to the RDBMS. (This is password for the
repository owner.)

docbase_name.cnt

The file contains one line with the password used by an object
replication job and the distributed operations to connect to the
repository as a source or target repository.
If this file is present, the dm_operator.cnt file is not.

dm_operator.cnt

The file contains one line with the password used by an object
replication job and the distributed operations to connect to
repositories.
If this file is present, docbase_name.cnt files are not used.

federation.cnt

Contains the information, including passwords, used by a


governing repository server to connect to member repositories.
The file is stored with the governing repository.
The format of the files content is:
member_repository_name:user_name:password:[domain]

ldap_object_id.cnt

Contains the password used by Content Server to bind to an LDAP


server.

Using encryptPassword
Use encryptPassword to encrypt any password that you want to pass in encrypted form to the one of
the following methods:
IDfSession.assume
Authenticate in IDfSessionManager, IDfSession, or IDfClient

242

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

A method to obtain a new or shared session.


IDfPersistentObject.signoff
IDfSession.changePpassword
Passwords encrypted with encryptPassword cannot be decrypted explicitly by an application or user.
There is no method provided to perform decryption of passwords encrypted with encryptPassword.
DFC decrypts those passwords internally when it encounters the password in the arguments of
one of the above methods.
Passwords encrypted with encryptPassword are prefixed with DM_ENCR_PASS.
For complete information about using this method, refer to the Javadocs.

Using clear text passwords


If you do not want to use an encrypted password for a particular operation, use a text editor to edit
the appropriate file listed in Table 65, page 242. Remove the encrypted password and replace it
with the clear text password.

Changing an encrypted password


If you find it necessary to change one of the encrypted passwords described in Table 65, page 242, use
the dm_encrypt_password utility to do so. This utility takes an unencrypted password, encrypts
it, and writes it to a specified file. If the file is one of the password files maintained by Content
Server, the utility replaces the current encrypted password in that file with the new password. You
must be the repository owner to use this utility.
To encrypt or change a password in a password file maintained by Content Server, use the following
syntax:
dm_encrypt_password [-location AEK_location][-passphrase [passphrase]]
-docbase repository_name -remote remote_repository_name | -operator
| -redbms [-encrypt password]

To create or change an encrypted password in a file that you have created, use the following syntax:
dm_encrypt_password [-location AEK_location][-passphrase [passphrase]]
-file file_name [-encrypt password]

The arguments have the following meanings:


-location AEK_location

Identifies the location of the AEK file to


be used to encrypt the password. If this
argument is not set, the environment variable
DM_CRYTPO_FILE must be set.

-passphrasepassphrase

Specifies the passphrase used to protect the AEK


file.
If the argument is included without a
passphrase, the utility prompts for a passphrase.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

243

Security and Authentication

If the argument is not included, the utility


attempts to use the default passphrase. (The
default passphrase can be defined when the
dm_crypto_boot utility is run to set up the AEK.)
If a default passphrase is not defined, the utility
checks the shared memory location, based on
the location argument or the default location,
for an AEK or passphrase. If neither is found in
shared memory, the utility exits with an error.
-docbase repository_name

Identifies the repository for which the password


is being encrypted.
Do not include this argument if you include the
-file argument.

-remote remote_repository_name

Identifies the file to operate on as


%DOCUMENTUM%\dba\config\repository_
name\remote_repository_name
You must include the -docbase argument if you
include -remote.

-operator

Identifies the file to operate on as


%DOCUMENTUM%\dba\config\repository_
name\dm_operator.cnt
You must include the -docbase argument if you
include -operator.

-rdbms

Identifies the file to operate on as


%DOCUMENTUM%\dba\config\repository_
name\dbpasswd.txt
You must include the -docbase argument if you
include -rdbms.

-file file_name

Identifies the file on which to operate.


Do not include this argument if you include the
-docbase argument.

-encrypt password

Defines the password to encrypt. If specified,


the password is encrypted and written to the file
identified in the -file argument. If unspecified,
the utility encrypts the first line found in the file
and writes it back to the file.

For example, executing the utility with the following command line replaces the database password
used by the Content Server in the engineering repository to connect with the RDBMS:
dm_encrypt_password -docbase engineering -passphrase jdoe -rdbms
-encrypt 2003password

244

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

The AEK location is not identified, so the utility reads the location from the DM_CRYPTO_FILE
environment variable. The passphrase jdoe is used to decrypt the AEK. The utility encrypts the
password 2003password and replaces the current RDBMS password in dbpasswd.txt with the newly
encrypted password.
This next example identifies a user-defined file as the target of the operation.
dm_encrypt_password -passphrase jdoe
-file C:\engineering\specification.enc -encrypt devpass

The AEK location is not identified, so the utility reads the location from the DM_CRYPTO_FILE
environment variable. The password jdoe is used to decrypt the AEK. The utility encrypts the
password devpass and writes the encrypted value to the file C:\engineering\specification.enc.

Implementing signature support


Content Server provides administration tasks that support using an electronic signature feature in
applications. There are three options for electronic signatures:
Electronic signatures using addESignature
Electronic signatures are implemented through Content Server and provide rigorous
accountability. This option requires a Trusted Content Services license. For information on using
and customizing electronic signature support, refer to Customizing electronic signatures, page
246. Electronic signatures are supported on all platforms.
Electronic signatures using addDigitalSignature
Electronic signatures are implemented in client applications, using third-party software. No
additional Content Server license is needed. For instructions on supporting electronic signatures,
refer to Supporting electronic signatures, page 249.
Simple signoffs
Simple signoffs are the least rigorous way to enforce an electronic signature requirement. No
additional Content Server license is needed. For instructions on using and customizing simple
signoffs, refer to Customizing simple signoffs, page 250.

Using electronic signatures


The default signature template is a form field based PDF template (Figure 4, page 246). You must
have Adobe Acrobat installed on your system to use this template. Content Server version 6.6 and
later supports publishing only static information on the signature template. Static information, such
as a company logo, can be converted to a form field based template using Adobe LiveCycle Designer.
Note: We recommend that you backup any existing custom templates before upgrading to a new
template.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

245

Security and Authentication

Figure 4. Default signature template

Customizing electronic signatures


There a variety of options for customizing the default signature template for electronic signatures:
Adding or removing properties from the template page
Changing the property delimiters on the page
Changing the look of the template by adding, removing, or rearranging elements on the page or
changing the font and point size of the properties
Defining separate templates for different document types
Configuring the number of signatures allowed on a version of a document and whether the
signature page is added to the front or end of the content.
A signature in non-PDF format requires a custom signature creation method. A custom method
can use a custom signature page template, but it is not required. The signature can be in any form
that the method implements.

Configuring the number of allowed signatures


By default, each signature page can have 6 signatures. Additional signatures are configured using the
esign.signatures.per.page property in the esign.properties file. The esign.properties file resides in the
%DOCUMENTUM%\jbossx.x.x\server\DctmServer_MethodServer\deploy\ServerApps.ear\APPINF\classes directory, where x.x.x denotes the installed jboss version.

246

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

The following table describes configuration parameters in the esign.properties file.


Table 66. Configuration parameters in esign.properties file

Property

Description

esign.server.language=en

Indicates the locale of the Content Server.

esign.server.country=US

Indicates the country code.

esign.date.format = MM/dd/yyyy HH:mm:ss

Indicates the date format on the signature


page. If the date format is not provided in the
esign.properties file, the date format of the
Content Server is used.

esign.signatures.per.page

Indicates the number of signatures per signature


page.

Creating custom signature creation methods and associated signature page


templates
If you do not want to use the default functionality, you must write a signature creation method. Using
a signature page template is optional.
This section outlines the basic procedure for creating and installing a user-defined signature creation
method. Documentum provides standard technical support for the default signature creation method
and signature page template installed with the Content Server software. For assistance in creating,
implementing, or debugging a user-defined signature creation method or signature page template,
contact Documentum Professional Services or Documentum Developer Support.

To create a custom signature-creation method:


1.

Write the method program.

2.

Create a dm_method object that references the method program.

Use the following guidelines when writing the method:


The method should check the number of signatures currently defined for the object to ensure that
adding another signature does not exceed the maximum number of signatures for the document.
The method must return 1 if it completes successfully or a number greater than 1 if it fails. The
method cannot return 0.
If the trace parameter is passed to the method as T (TRUE), the method should write trace
information to standard output.
To use the custom method, applications must specify the name of the method object that represents
the custom method in the addESignature arguments. The following table describes the parameters
passed by the addESignature method.
Table 67. Parameters passed by the addESignature method

Parameter

Description

docbase

Name of the repository.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

247

Security and Authentication

Parameter

Description

user

Name of the user who is signing.

doc_id

Object ID of the document.

file_path

The name and location of the content file.

signature_properties

A set of property and value pairs that contain


data about the current and previous signatures.
The information can be used to fill in a signature
page. The set includes:
sig.requester_0...n
sig.no_0...n
sig.user_id_0...n
sig_user_name_0...n
sig.reason_0...n
sig.date_0...n
sig.utc_date_0...n
The number at the end of each parameter
corresponds to the number of the signature to
which the information applies.

application_properties

User-defined set of property names and values


specified in the Addesignature command line.

trace

If tracing is turned on for SysObjects, this


parameter is passed as T (TRUE).

passThroughArgument1

User-defined information specified in the


addESignature command line.

passThroughArgument2

User-defined information specified in the


addESignature command line.

If you decide to create a new signature template page, you can define the format, content, and
appearance of the page. You can store the template as primary content of an object or as a rendition.
For example, you can create an XML source file for your template and generate an HTML rendition
that is used by the custom signature creation method. If you store the template as a rendition, set the
template page modifier to dm_sig_template. Setting the page modifier to dm_sig_template ensures
that the Rendition Manager administration tool does not remove the template rendition.

Publishing dynamic information


Content Server supports publishing dynamic information on custom signature templates at the page
level. The dynamic information is passed through the app_properties parameter while executing
the addESignature method.

248

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Custom field names in custom signature templates must be added with a Ecustf_ prefix, using the
following syntax:
'ECustF_Attribute_name1 = ''attr1_value'

Tracing electronic signature operations


You can trace the addESignature method and the default signature creation method by setting the
trace level for the DM_SYSOBJECT facility to 5 (or higher).
The tracing information for the addESignature and verifyESignature methods is recorded in the
session log file. The tracing information for the signature creation method is recorded in the server
log file.
If you are using a custom signature creation method, trace messages generated by the method written
to standard out are recorded in the server log file if tracing is enabled.
Note: When tracing is enabled, the addESignature method passes the trace parameter set to T (TRUE)
to the signature creation method.
Set the DM_DEBUG_ESIGN_METHOD environment variable to 1 to log additional information
about electronic signatures generated by addESignature to the repository log file. You must restart
Content Server after setting this variable.

Setting the Java memory allocation


To avoid performance issues while adding signatures to the document for files greater than 30 MB, it
is recommended to increase the JVM memory according to availability. For, example, set the value as
-Xms1024m -Xmx1024m in the JMS startup file.

Supporting electronic signatures


Digital signatures, like electronic signoffs, are a way to enforce accountability. Digital signatures are
obtained using third-party client software and embedded in the content. The signed content is then
stored as primary content or a rendition of the document. For example, you can implement digital
signing using based on Microsoft Office XP, in which case the signature is typically embedded in the
content file and stored in the repository as primary content for the document.
The implementation and management of electronic signatures is almost completely within the context
of the client application. The only system administration task is registering the dm_adddigsignature
event for signature by Content Server. This is an optional task. When an application issues the
addDigitalSignature method to record a digital signoff in an audit trail entry, that entry can itself be
signed by the Content Server. To configure signing by the server, an explicit registration must be
issued for the dm_adddigsignature event. For information about how Content Server signatures on
audit entries are implemented and how to configure their use, refer to Audit properties, page 277.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

249

Security and Authentication

Customizing simple signoffs


Simple signoffs are implemented using a IDfPersistentObject.signoff method and a signature
validation program. Documentum provides a default signature validation program that authenticates
a user based on the user authentication name and password passed as arguments in the signoff
method. If the authentication succeeds, Content Server creates an audit trail entry of event type
dm_signoff that records what was signed, who signed it, and some information about the context of
the signing. The audit trail entry is not signed by Content Server.
You can customize the simple signoff feature by:
Creating an alternate validation program that uses the user authentication name and password
to validate the user.
Passing data other than a password through signoffs password argument and creating a custom
validation method to authenticate the user with that data.
For example, you can pass some biometric data and then validate that using a custom validation
program.
Use an argument in a registration method to force Content Server to sign the dm_signoff events or
to add additional information to the entries.
Note: EMC Documentum provides standard technical support for the default signature validation
method installed with the Content Server software. For assistance in creating, implementing, or
debugging a customized signature validation program or a user-defined signature validation method,
contact Documentum Professional Services or Documentum Developer Support.

Customizing the signature validation program


Use the following procedure to create and implement a customized simple signoff.

To use a custom signature validation program:


1.

Create a custom signature validation program.


The program must accept two arguments: the user name and the signature data passed using the
user-password argument of the signoff method. If the personal data is binary, you can use the
uuencode program to convert the data to a string. Data passed in the user-password argument
cannot be longer than 127 bytes.
The validation program must return 0 if it succeeds; otherwise, it must return 1.

2.

Create a location object that identifies where the program is installed.

3.

Modify the signature_chk_loc property in the server config object to point to the location object
created in Step 2.
The signature_chk_loc property identifies the location of the signature validation program to
Content Server.

250

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Registering for notification


Users can register the dm_signoff event so that when the signoff method is executed, the server sends
mail notifications to users. You do not need to register a separate audit event, because the server
always generates an audit trail for signoff executions.

Querying the audit trail for signoffs


To return a collection of document objects signed by a specific user within a certain time frame, use
a DQL statement like the following:
SELECT "audited_obj_id" FROM "dm_audittrail" WHERE
"event_name" = 'dm_signoff' AND
"user_name" = 'tom' AND
substr ("audited_obj_id", 1, 2) = '09'AND
"time_stamp" >= DATE('01/01/1998', 'dd/mm/yy') AND
"time_stamp" <= DATE(TODAY)

To find everyone who signed off a specific object whose ID is xxx, use the following DQL statement:
SELECT "user_name" FROM "dm_audittrail" WHERE
"audited_obj_id" = 'xxx' AND
"event_name" = 'dm_signoff'

Managing encryption keys


In each Content Server software installation contains one master key, called the Administration
Encryption key, or AEK. Additionally, each repository contains one repository encryption key.

The AEK
There is one AEK in each Content Server software installation. It is created and installed during the
Content Server software installation procedure or when an existing repository is upgraded from a
version. The AEK is used to encrypt:
The repository keys
EMC Documentum passwords, such as those used by Content Server to connect to the RDBMS, an
LDAP directory server, or other repositories
The AEK is itself encrypted using a default passphrase provided by EMC Documentum. You can
change the passphrase to a custom passphrase using a utility provided by Documentum. Using a
custom passphrase is recommended. Changing a passphrase, page 255, has instructions for changing
the passphrase.
The AEK is installed in the following location:
On Windows:
%DOCUMENTUM%\dba\secure\aek.key

On UNIX:

EMC Documentum Content Server Administration and Configuration 6.7 Guide

251

Security and Authentication

$DOCUMENTUM/dba/secure/aek.key

The file is a read only file. You cannot change the AEK file.
Content Server and all server processes and jobs that require access to the AEK use the following
algorithm to find it:
1.

If a location is explicitly passed, look for the AEK in that location.

2.

If the AEK is not found in the specified location or a location is not passed, use the location
defined in the DM_CRYPTO_FILE environment variable.

3.

If the DM_CRYPTO_FILE environment variable is not available, assume that the location is
%DOCUMENTUM%\dba\secure\aek.key ($DOCUMENTUM/dba/secure/aek.key).

Sharing the AEK or passphrase


If there are multiple Documentum products installed on one host, the products can use different
AEKs or the same AEK.
If the products use different AEKs, they can use the same passphrase. If you want that passphrase
to be a custom passphrase, perform the following procedure after you install the Content Server
software.

To implement the same passphrase for multiple products:


1.
2.

Shutdown Content Server if it is running.


Run the dm_crypto_change_password to change the passphrase to a custom passphrase.
Refer to Changing a passphrase, page 255, for instructions.

3.

Run the dm_crypto_boot utility using the -all argument.


Refer to Using dm_crypto_boot, page 254, for instructions.

4.

Restart Content Server.

5.

Install the remaining products on the host machine.

If the products use one AEK, they must use the same passphrase. Also, it is recommended that
you set the DM_CRYPTO_FILE environment variable to the location of the AEK and configure
each product to reference the location defined in the environment variable. (Refer to the individual
product documentation for instructions.)

The AEK and distributed sites


If your repository is a distributed repository, all servers at all sites must be using the same AEK. After
you install the remote sites, you must copy the AEK from the primary site to the same location in
each the remote site.
In multiple-repository distributed sites, each repository maintains its own AEK. When users work
across the repositories, the servers in each repository take care of any encryption or decryption
requirements locally.

252

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

Backing up the AEK


It is strongly recommended that you back up the AEK file separately from the repository and
content files. Backing up the AEK and the data it encrypts in different locations helps prevent a
"dictionary-based" attack on the AEK.

Repository encryption keys


A repository encryption key is created for a repository when the repository is created. The key is
encrypted using the AEK and stored in the i_crypto_key property of the docbase config object. This
property cannot be changed after the repository is created.
Content Server uses the repository encryption key to create the signature on audit trail entries. The
server also uses the repository encryption key to encrypt file store keys.

Encryption utilities
There are three utilities that are used to manage the AEK:
dm_crypto_boot
Use this utility if you are protecting the AEK with a custom passphrase. Use it to:
Install an obfuscated AEK or passphrase in the host machines shared memory after you
define a custom passphrase.
Reinstall an obfuscated AEK or passphrase in the host machines shared memory if you stop
and restart a server host machine.
(Windows only) Reinstall an obfuscated AEK or passphrase in the host machines shared
memory if you log off the host machine after you stop Content Server.
Clean up the shared memory used to store the obfuscated AEK and passphrase.
It is not necessary to use this utility if you are protecting the AEK with the default, Documentum
passphrase. Refer to Using dm_crypto_boot, page 254, for more details and instructions on using
the utility.
dm_crypto_create
This utility is run automatically, during the Content Server installation process, to create and
install the AEK. You can use this utility to determine if an AEK exists at a specified location and
can be decrypted with a specified passphrase. Refer to Troubleshooting with dm_crypto_create,
page 254, for instructions.
dm_crypto_change_passphrase
The dm_crypto_change_passphrase utility changes the passphrase used to encrypt an AEK. Refer
to Changing a passphrase, page 255, for instructions.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

253

Security and Authentication

Using dm_crypto_boot
The dm_crypto_boot utility obfuscates the AEK or the passphrase used to decrypt the AEK and
puts the obfuscated AEK or passphrase in shared memory. The utility is only used when you are
protecting the AEK with a custom passphrase. It is not necessary if you are using the Documentum
default passphrase. If you are protecting the AEK with a custom passphrase, you must run the utility
in the following situations:
When you stop and restart the host machine
After you stop a host machine, run this utility after restarting the host and before restarting the
product or products that use the AEK.
After you install the Content Server software and before you install the remaining products
You can also use this utility to clean up the shared memory region used to store the AEK.
To run this utility, you must be a member of the dmadmin group and you must have access to the
AEK file.
The syntax for the utility is:
dm_crypto_boot[-passphrase passphrase] -location location|-all
[-remove][-help]

The -passphrase argument identifies the passphrase used to encrypt the AEK. If you do not include
the argument or if you include the argument keyword but not its value, the utility prompts for the
passphrase. (If the user is prompted for a passphrase, the passphrase is not displayed on screen
when it is typed in.)
You must include either the -location or -all argument. Use -location if only one product is
accessing the AEK. Using -location installs an obfuscated AEK in shared memory. The -location
argument identifies the location of the AEK in the installation. If you do not include the argument,
the utility looks for the location defined in DM_CRYPTO_FILE. If that environment variable
is not defined, the utility assumes the location %DOCUMENTUM%\dba\secure\aek.key
($DOCUMENTUM/dba/secure/aek.key).
Use the -all argument if there are multiple products on the host machine that use the same passphrase
for their AEKs. If you include -all, the utility obfuscates the passphrase and writes it into shared
memory instead of the AEK. Each product can then obtain the passphrase and use it to decrypt
the AEK for their product.
To clean up the shared memory used to store the obfuscated AEK or passphrase, execute the utility
with the -remove argument. You must include the -passphrase argument if you use -remove.
The -help argument returns help information for the utility. If you include -help, you cannot include
any other arguments.

Troubleshooting with dm_crypto_create


You can run the dm_crypto_create utility with the -check argument to determine whether an AEK
exists at a specified location and whether a particular passphrase can be used to decrypt it. The
syntax is:
dm_crypto_create [-location location][-passphrase passphrase|noprompt] -check [-help]

254

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

The -location argument identifies the location of the AEK whose existence you wish to
determine. If you do not include the argument, the utility looks for location defined in
DM_CRYPTO_FILE. If that environment variable is not defined, the utility assumes the location
%DOCUMENTUM%\dba\secure\aek.key ($DOCUMENTUM/dba/secure/aek.key).
The -passphrase argument identifies the passphrase whose use you wish to check. If you do not
include the -passphrase argument, the utility assumes the default passphrase but prompts you
for confirmation. Consequently, if you are checking the default passphrase and wish to avoid the
confirmation request, include the -noprompt argument. (The -passphrase and -noprompt arguments
are mutually exclusive.)
If the AEK file does not exist at the specified location, the utility returns 0. If the AEK exists but
decryption fails, the utility returns 1. If the AEK exists and decryption succeeds, the utility returns 2.
The -help argument returns help information for the utility. If you include -help, you cannot include
any other arguments.

Changing a passphrase
Use dm_crypto_change_passphrase to change the passphrase used to encrypt the AEK in the
installation. Installing the Content Server software installs the AEK encrypted using a default
passphrase. It is strongly recommended that you change the default to a custom passphrase of
your choosing. Use this utility, also, if business rules or a security breach require you to change the
passphrase. All Documentum products that use the affected AEK must be stopped before running
the utility.
The syntax is:
dm_crypto_change_passphrase [-location location][-passphrase [old_passphrase]][newpassphrase [new_passphrase]][-noprompt][-help]

The -location argument identifies the location of the AEK whose passphrase you wish
to change. If you do not include the argument, the utility looks for location defined in
DM_CRYPTO_FILE. If that environment variable is not defined, the utility assumes the location
%DOCUMENTUM%\dba\secure\aek.key ($DOCUMENTUM/dba/secure/aek.key).
The -passphrase argument identifies the current passphrase associated with the AEK. The
-newpassphrase argument defines the new passphrase you wish to use to encrypt the AEK. Both
phrases interact in a similar manner with the -noprompt argument. The behavior is described
in Table 68, page 255.
Table 68. Interaction of dm_crypto_change_passphrase arguments

-noprompt included

-noprompt not included

-passphrase argument not


included

Utility prompts for a


passphrase

Utility assumes the


Documentum default
passphrase

-passphrase keyword is
included but no value

Utility prompts for a


passphrase

Utility assumes the


Documentum default
passphrase

EMC Documentum Content Server Administration and Configuration 6.7 Guide

255

Security and Authentication

-noprompt included

-noprompt not included

-newpassphrase argument not


included

Utility prompts for a new


passphrase

Utility assumes the


Documentum default
passphrase

-newpassphrase keyword is
included but no value

Utility prompts for a new


passphrase

Utility assumes the


Documentum default
passphrase

You must include a value for at least one of the passphrases. You cannot be prompted for both
values or allow both values to default.
To illustrate the use of this utility, here are some examples. The first example changes the passphrase
for the Content Server host AEK from the Documentum default to "custom_pass1". The -passphrase
argument is not included and the-noprompt is included, so the utility assumes that the current
passphrase is the default passphrase.
dm_crypto_create -location %DOCUMENTUM%\dba\secure\aek.key
-newpassphrase custom_pass1 -noprompt

This next example changes the passphrase from one custom passphrase to another:
dm_crypto_create -location %DOCUMENTUM%\dba\secure\aek.key
-passphrase genuine -newpassphrase glorious

This final example changes the passphrase from a custom passphrase to the default:
dm_crypto_create -location %DOCUMENTUM%\dba\secure\aek.key
-passphrase custom_pass1 -noprompt

Because the new passphrase is set to the Documentum default passphrase, it isnt necessary to include
the -newpassphrase argument. The utility assumes that the new passphrase is the default if the
argument is not present and the -noprompt argument is present.
The -help argument returns help information for the utility. If you include -help, you cannot include
any other arguments.

Managing the login ticket key


The login ticket key is used to generate and validate login tickets and application access control
tokens. The key is installed automatically when a repository is created. Each repository has one
login ticket key.

Exporting and importing a login ticket key


If you are using global login tickets or global application access control tokens, both the repository
generating the ticket or token and the repository accepting the ticket or token must be using the same
login ticket key. When you install a repository, the installation configures a login ticket key for the
repository. However, each key is unique. Consequently, to use global login tickets or tokens, you
must export a login ticket key from one repository among those that will be exchanging global login
tickets or tokens and import that key into the other repositories exchanging global tickets or tokens.

256

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

To export a login ticket key, use the EXPORT_TICKET_KEY administration method, as described
in EXPORT_TICKET_KEY, page 316. To import the key, use IMPORT_TICKET_KEY, as described
in IMPORT_TICKET_KEY, page 318. These methods are also available as DFC methods
(exportTicketKey and importTicketKey) in the IDfSession interface.
You must restart Content Server after importing a login ticket key to make the new login ticket
key take effect.

Resetting a login ticket key


Resetting a login ticket key replaces the current login ticket key with a newly generated key. You
need to reset a login ticket key if the current key is compromised. If you reset the login ticket key, the
repositorys server does not accept any login tickets generated using the old key.
To reset a login ticket key, execute the RESET_TICKET_KEY method. You can also use the DFC
method, resetTicketKey, in the IDfSession interface.
You must restart Content Server after resetting a login ticket key.

Kerberos support
Kerberos authentication
Kerberos SSO, as supported in Documentum Content Server, provides a secure Single-Sign-On (SSO)
solution using Windows Integrated Authentication. In Documentum 6.6, Kerberos is supported on
Content Server using the Microsoft Active Server Domain Services for Kerberos Key Distribution
Center (KDC) services. A client interface to Kerberos is provided for Documentum Foundation
Services (DFS) clients.
The Kerberos authentication plug-in that enables Kerberos support for KDC services is automatically
installed with Content Server. All additional steps required to enable Kerberos SSO on the Content
Server have to be completed subsequent to Content Server installation.
Note: Kerberos SSO authentication is not supported on ACS and BOCS servers.

Determining the Kerberos Service Principal Name (SPN)


A Kerberos Service Principal Name (SPN) uniquely identifies a service that uses Kerberos
authentication. The SPN format that we recommend for registering a repository on the KDC service
is as follows:
SPN=service-name/docbase-name@domain

Where service-name is the service which is constant for Content Server. For example:
CS/REPO1@MYDOMAIN.COM

EMC Documentum Content Server Administration and Configuration 6.7 Guide

257

Security and Authentication

Where &ldquo;CS&rdquo; is the service, &ldquo;REPO1&rdquo; is repository name and


&ldquo;MYDOMAIN.COM&rdquo; is the domain in which the Content Server SPN is registered.
This convention permits each SPN to be unique across all repositories.

Registering the SPN on the Active Directory and


generating the Keytab file
Using Kerberos SSO requires registering a Service Principal Name (SPN) on Active Directory using
the Windows Server Ktpass utility. This procedure can be used for registering an SPN for Content
Server, or for DFS services.
The Ktpass utility enables an administrator to configure a service as a security principal in Active
Directory. This procedure produces a keytab file, which contains name/value pairs consisting of an
SPN and a long-term key derived from a password. Both the service and the KDC service must have
knowledge of the keytab file. The name of the file uses the following format:
<repo_name>.<xxxx>.keytab

Where <repo_name> is name of repository for which the SPN is registered. <xxxx> can any string that
makes the file name unique, and is required because the Content Server can be registered in multiple
trusted domains. The length of the keytab filename depends on the OS filename limitation.
Note: Note that in the following procedures a user is registered on the KDC service to act as the
service principal for the service. This user maps to the SPN itself and is distinct from users who need
to be authenticated to use the service.
There are two recommended procedures for registering the SPNs. The simplest approach is to create a
single SPN mapped to an Active Directory user. This allows you to set a single password for the SPN.

To create a single SPN mapped to a user:


1.

Log on to the machine that runs the KDC service.

2.

Create a user in the Active Directory.

3.

Set an SPN and create a keytab file using ktpass utility with the user created in the preceding
step, using the following syntax:
ktpass /pass <password>
-out <keytab-file>
-princ <SPN>
-crypto DES-CBC-MD5 +DumpSalt
-ptype KRB5_NT_PRINCIPAL +desOnly /mapOp set /mapUser <user-name>

4.

Copy the keytab file to the $DOCUMENTUM/dba/auth/Kerberos/ folder on the Content Server.
This folder is created during Content Server installation.

An alternate approach is to register multiple SPNs mapped to a single Active Directory user.

To create multiple SPNs mapped to a single user:


1.

Logon to the machine that runs the KDC service.

2.

Create a user in Active Directory.

3.

Set an SPN and create a keytab file using ktpass utility with the user created in the preceding
step, using the following syntax:

258

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Security and Authentication

ktpass /pass <password>


-out <keytab-file>
-princ <SPN>
-crypto DES-CBC-MD5 +DumpSalt
-ptype KRB5_NT_PRINCIPAL +desOnly /mapOp set /mapUser <user-name>

4.

Set another SPN using the setspn utility and set <user-name> to the user created in step 2.
setspn -A <SPN> <user-name>

5.

Run the ktpass utility for the second SPN without setting the user created in step 2. Use the salt
and key version number (kvno) that were created in step 3, using the following syntax:
ktpass /pass <password>
-out <keytab-file>
-princ <SPN>
-crypto DES-CBC-MD5 +DumpSalt
-ptype KRB5_NT_PRINCIPAL +desOnly /mapOp set +RawSalt <salt>
-in <keytab-file>
-kvno <number>

6.

Copy the keytab file to the $DOCUMENTUM/dba/auth/Kerberos/ folder on Content Server. This
folder is created during Content Server installation.

Reinitializing the Content Server


The re-initialize server function initializes the Kerberos plug-in, which reloads the SPNs from the
repositorys keytab file. The command enables you to update the Kerberos system without restarting
Content Server. Reinitialization is required if a new SPN has been registered and copied to the
repository, but is not required for a password change on an existing SPN.
Administrators can invoke the re-initialize server function using Documentum Administrator by
selecting the Re-Initialize Server option on the Info tab of the Server Configuration Properties
dialog box. For more information about the server configuration properties, refer to Modifying
general server configuration information, page 57.

Creating Kerberos users in the repository


There are two options for creating Kerberos users in the repository.
Create the user manually, both in Active Directory and in the repository. For each user in the
repository, set the User Source property to dm_krb or leave it blank. Setting the User Source
property to dm_krb is optional.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

259

Security and Authentication

For information about creating and modifying user accounts, refer to Creating or modifying
users, page 181 .
Synchronize the users from Active Directory using LDAPSynchronization, then modify the
User Login Domain in the LDAP configuration object, as described in Configuring LDAP
synchronization for Kerberos users, page 157.

260

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 11
Logging and Tracing

It includes the following topics:


Introduction, page 261
Content Server logging and tracing, page 261
DFC logging, page 265
DFC tracing, page 265

Introduction
EMC Documentum supports tracing and logging facilities for both Content Server and DFC
operations. The logging facilities record information generated automatically by Content Server
or DFC, including error, warning, and informational messages. Logging errors, warnings, and
informational messages occurs automatically.
The tracing facility records information that is explicitly requested by user or an application. Enabling
or disabling tracing requires system administrator or superuser privileges.

Content Server logging and tracing


Content Server logging and tracing provides information about Content Server operations. Content
Server records logging information and tracing information, with a few exceptions, in the following
files:
Repository log file
Contains information about root server activities. This file is also sometimes referred as the
Content Server log file.
Session log files
Contains all informational, warning, error, and fatal error messages and, by default, all SQL
commands generated from DQL commands.
Session log files are stored in the %DOCUMENTUM%\dba\log\hex_repository_id\username
($DOCUMENTUM/dba/log/hex_repository_id/username) directory, where hex_repository_id is the

EMC Documentum Content Server Administration and Configuration 6.7 Guide

261

Logging and Tracing

repository ID expressed as a hexadecimal value and username is the account under which the
session is running. The server creates a separate session log for each new connection.
Some features, such as jobs, record tracing and logging information in log files specific to those
features. The sections that describes those features contain more details about the associated log files.

Tracing from the startup command line


A variety of tracing operations can be initiated from the Content Server startup command line.
To start tracing at server start-up, specify the trace flags for the options with the -o option on the
command line. The name of the option must immediately follow the -o. No space is allowed between
the -o and the option name. On Windows platforms, add the -o option to the command line by
editing the Content Server service entry.
The following table describes the trace flags for the -o option at server start-up. The generated trace
information is recorded in the repository log file.
Table 69. Server start-up trace options

Option name

Description

debug

Session shutdown, change check, launch and fork information.

docbroker_trace

Connection broker information.

i18n_trace

Session locale and client code page usage.

lock_trace

Windows locking information.

net_ip_addr

IP addresses of client and server for authentication.

nettrace

Turns on RPC tracing (traces Netwise calls, connection ID, client


host address, and client host name).

rpctrace

Turns on tracing of RPC calls.

sqltrace

SQL commands sent to the underlying RDBMS for subsequent


sessions, including the repository session ID and the database
connection ID for each SQL statement.
This option is turned on by default when a server starts.

ticket_trace

Traces import and export operations for login ticket keys and
operations using single-use login tickets.

trace_authentication

Detailed authentication information.

trace_complete_launch

UNIX process launch information.

trace_workflow_agent

Trace messages generated by the workflow agent.

To stop tracing from the command line, you must remove the trace flag from the server command line
and then stop and restart the server.

262

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

Using the setServerTraceLevel method


The setServerTraceLevel method is defined for the DFC IDfSession interface. The method takes
two arguments, a trace level, defined as an integer value, and a facility name. The following table
describes the trace levels for the setServerTracelLevel method.
Table 70. Trace level severity values

Severity level

Meaning

No messages, tracing is turned off. Use this value to turn off


tracing for the specified facility.

Level 1 trace messages

Level 2 trace messages

Level 3 trace messages

Level 4 trace messages

Dump and load object information

10

Timing information

The severity levels are additive. For example, if you specify tracing level 10, you also receive all the
other messages specified by the lower levels in addition to the timing information.
The following table describes the facilities for the setServerTraceLevel method.
Table 71. Valid facilities for setServerTraceLevel

Facility

Description

ALL

Traces all available trace facilities.

DM_CONTENT

Traces content operations. The information is recorded in


the session log file.

DM_DUMP

Traces dump operations. The information is recorded in the


session log file.

DM_LOAD

Traces load operations. The information is recorded in the


session log file.

DM_QUERY

Traces query operations. The information is recorded in the


session log file.

SQL_TRACE

Traces generated SQL statements. The information is


recorded in the session log file.
Tracing for this facility is turned on by default. Turning it off
is not recommended by Documentum Technical Support.

DM_SYSOBJECT

Traces SysObject operations. The information is recorded


in the session log file.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

263

Logging and Tracing

Using the SET_OPTIONS method


The SET_OPTIONS administration method controls wide range of Content Server tracing options,
including tracing EMC Centera and NetApp SnapLock storage area operations, digital shredding
operations, and connection broker information. For a complete list of the trace options for the
SET_OPTIONS method, refer to SET_OPTIONS, page 337.
The method can be executed from Documentum Administrator or using the DQL EXECUTE
statement or an IDfSession.apply method.
Turning tracing on and off using SET_OPTIONS affects only new sessions. Current sessions are
not affected.

Examples of server tracing


The following example describes a section from the server log for DM_LOAD tracing:
Fri Aug 14 16:02:27 1998 569000 [DM_LOAD_I_PROGRESS]info:
"For load object 310007b680000101 in phase 2, processed 54 of 66 objects;
last object processed was 090007b680000238"
Fri Aug 14 16:02:27 1998 710000 [DM_LOAD_I_PROGRESS]info:
"For load object 310007b680000101 in phase 2, processed 55 of 66 objects;
last object processed was 060007b680000118"
Fri Aug 14 16:02:27 1998 720000 [DM_LOAD_I_PROGRESS]info:
"For load object 310007b680000101 in phase 2, processed 56 of 66 objects;
last object processed was 270007b680000165"

The following example describes a log file section for query tracing. The example assumes that
the following query is issued:
SELECT "user_os_name" FROM "dm_user" WHERE "user_name"='zhan'

The corresponding server log:


Fri Aug 14 15:31:29 1998 608000 [DM_QUERY_T_SELECT_COMPLETE]info:
"SELECT statement semantic checking and setup is complete."
Fri Aug 14 15:32:20 1998 942000 [DM_QUERY_T_SYNTAX_BEGIN]info:
"Begin syntactic parse (call yacc)."
Fri Aug 14 15:32:20 1998 942000 [DM_QUERY_T_SYNTAX_COMPLETE]info:
"Syntactic parse is complete."
Fri Aug 14 15:32:20 1998 942000 [DM_QUERY_T_SELECT_BEGIN]info:
"Begin SELECT statement."
Fri Aug 14 15:32:20 1998 942000 [DM_QUERY_T_SQL_SELECT]info:
"SELECT statement generated by the query is:
select all dm_user.user_os_name from dm_user_sp dm_user where
(dm_user.user_name='zhan').
Begin Database processing."
Fri Aug 14 15:32:22 1998 434000 [DM_QUERY_T_SELECT_COMPLETE]info:
"SELECT statement semantic checking and setup is complete."

Determining active tracing options


To determine whether a particular Content Server tracing option is enabled, use an
IDfSession.isServerTraceOptionSet method with the name of the option as the method argument. For

264

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

example, to determine if the docbroker_trace tracing option is enabled, specify the option name as
the method argument.
You cannot specify a facility name with the isServerTraceOptionSet method.

DFC logging
DFC logging and the location of the log file is controlled by the log4j.properties file. The default
location is ${user.dir}/documentum/logs/documentum.log.
Refer to the standard Java documentation for information about the configurable logging options.
To record debug information generated by specific packages or classes, we recommend to use the DFC
trace file, rather than the log4j log file, as described in Directing categories to the trace file, page 271.

DFC tracing
DFC supports a set of tracing configuration options for DFC operations, such as tracing for individual
users, individual threads, and methods. The trace file format can be configured as well, such as
timestamps within the file and how to record method entrances and exits.
All DFC tracing is configured in the dfc.properties file. The entries are dynamic. Adding, removing,
or changing a tracing key entry is effective immediately without having to stop and restart DFC or
the application.

Enabling DFC tracing


DFC tracing options are configured in the dfc.properties file.

To enable DFC tracing:


1.

Open the dfc.properties file in a text editor.

2.

Modify the tracing properties by changing the key values, as desired.

3.

Change the dfc.tracing.enable key to true to start tracing:


dfc.tracing.enable=true

Trace log file names have the following format:


file_prefix[.identifier].timestamp.log
Where file_prefix is a string that is prepended to the beginning of the name of each trace file
generated by DFC and timestamp records when the file was created. An identifier is included in the
file name only if you are generating log files for individual users or threads. The identifier is the
user name, if the logs are generated for individual users or the thread name, if logs are generated
for individual threads.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

265

Logging and Tracing

Enabling tracing creates a logger and a logging appender that record the entries in the trace log
file. The logging appender determines the name, location, and format of the trace file. For more
information, refer to Logging appender options, page 266.

Logging appender options


The logging appender controls various trace file options, such as the name, location, and format of
the trace file. The following table describes the appender options.
Table 72. Logging appender configuration options

Key

Option

Description

dfc.tracing.date_format

Date format for timestamp

Defines a date format if


dfc.tracing.timing_style, in
dfc.properties, is set to date.
For more information, refer
to Defining the trace file
timestamp format , page 267.

dfc.tracing.dir

Location of file

The directory where the trace


file is stored.
he default location is
${dfc.data.dir}/logs.
Valid values for this property
are any valid directory path.

dfc.tracing.file_creation_mode

Creation mode

Controls whether trace


information is logged in
one file or multiple files. For
more information, refer to
Defining file creation mode,
page 267.

dfc.tracing.file_prefix

File name prefix

Defines the base name of the


trace file. The default value is
dfctrace.

dfc.tracing.max_backup_index

Maximum number of backups


for the file

A positive integer value that


defines the number of back-up
files the logger retains for the
log file. When the maximum
number is reached, the oldest
backup is destroyed when a
new back-up is created.
The default value is 1.

dfc.tracing.max_file_size

266

Maximum file size

An integer value that defines


the maximum size of a trace file

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

Key

Option

Description
before it is rolled over. Valid
values are any string accepted
by log4j as MaxFileSize.
If no unit of measure is
specified, the integer value is
interpreted as bytes.
The default size is 100MB.

Defining file creation mode


The dfc.tracing.file_creation_mode key controls whether the log entries are recorded in one or several
log files. By default all DFC trace entries are recorded in one log file. The following table describes all
valid values for dfc.tracing.file_creation_mode key.
Table 73. Valid values for the dfc.tracing.file_creation_mode key

Value

Description

standard

All log entries are recorded in one log file. This is the default.

thread

DFC creates a log file for each thread in the following format:
file_prefix.threadname.timestamp.log

Tracing by thread is only recommended in combination with the


dfc.tracing.thread_name_filter key.
user

DFC creates a log file for each user in the following format:
file_prefix.username|default.timestamp.log

If the a user cannot be determined for a particular call, the trace is


logged in a separate default log file.
Tracing by user is only recommended in combination with the
dfc.tracing.user_names_filter key.

Defining the trace file timestamp format


Each entry in a log file has a timestamp. If the file is recorded in compact mode, there are two
columns for the timestamp. The first column records the entry time and the second column records
the duration of the method call, the difference between method entry and method exit time. If the
log file is recorded in standard mode, there is one column for the timestamp in the entry. The value
recorded is either the entry time or the exit time, depending on whether the log entry is recording the
method entry or exit.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

267

Logging and Tracing

By default, timestamps are expressed in seconds. You can configure the timestamp display
using the dfc.tracing.timing_style key. The following table describes the valid values for
dfc.tracing.timing_style.
Table 74. Valid values for dfc.tracing.timing_style

Value

Description

nanoseconds

The timestamp value is expressed in nanoseconds.


Whether the timestamp values are actually returned in
nanoseconds depends on the underlying operating system.
The values cannot be correlated to absolute time.

milliseconds

The timestamp value is expressed in milliseconds.

milliseconds_from_start

The timestamp is recorded as the number of milliseconds


from the start of the JVM process.

seconds

The timestamp value is displayed as the number of seconds


from the start of the process. The value is a float.
This is the default timing style.

date

The timestamp value is displayed as a date string. The


default format is:
yyyy/MM/dd-HH:mm:ss.S

(Refer to the Javadocs for the SimpleDateFormat class for


details.)
The date setting is only used if dfc.tracing.mode is set to
standard. If you set dfc.tracing.timing_style to date and the
mode is compact, the timing style defaults to milliseconds.
If the timing style is set to date, you can also set dfc.tracing.
date_format key and dfc.tracing.date_format_width key to
define an alternate date format, as described in Defining the
date format, page 268t.

Defining the date format


There are three keys that determine the date format in a trace file:
dfc.tracing.timing_style
If the key value is date, the date format and column width can be specified in the
dfc.tracing.date_format and dfc.tracing.date_column_width keys.
dfc.tracing.date_format
Specifies a date format that is different from that default format. The specified format specify must
conform to the syntax supported by the Java class java.text.SimpleDateFormat.
dfc.tracing.date_column_width

268

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

This key specifies the column width as a positive integer value. The default column width is 14. If
the format specified in dfc.tracing.date_format is wider than 14 characters, modify the column
width to the required number of characters.

Configuring method tracing


The following keys control method tracing:
dfc.tracing.max_stack_depth
This key controls the depth of tracing into the DFC call stack. The default value for this key is 1,
meaning only the first method call in a DFC stack is traced. A value of -1 means that all levels
of method calls are traced.
dfc.tracing.mode
This key controls how the method entry and exit is recorded in the log file. Valid values are:
compact: DFC adds one line to the file that records both entry and exit and return value for a
method. The methods are logged in the order of method entrance. DFC buffers the log entries
for a sequence of method calls until the topmost method returns.
standard: DFC creates one line in the file for a method entry and one line for a method exit.
The log entries for exit record the return values of the methods.
The default value is compact.
dfc.tracing.method_name_filter[n]
This key specifies tracing for packages, classes, and methods. The key is a repeating key, that
allows multiple entries in the dfc.properties file. Each entry has one value, specifying a package,
class or method. Like repeating repository properties, each dfc.tracing.method_name_filter entry
is referenced using a square-bracketed integer, with the first entry beginning with zero. For
example:
dfc.tracing.method_name_filter[0]=value
dfc.tracing.method_name_filter[1]=value
dfc.tracing.method_name_filter[2]=value

Where value is one or more string expressions that identify what to trace. The syntax of the
expression is:
([qualified_classname_segment][*]|*)[.[method_name_segment][*]()]

For example, the value com.documentum.fc.client.DfPersistentObject traces all methods on


DfPersistentObject and any lower level calls made within the context of those methods

Tracing users by name


The dfc.tracing.user_name_filter key traces users. The key is a repeating key that allows multiple
entries in the dfc.properties file. Each entry specifies one regular expression that identifies the user or
users to trace. Each dfc.tracing.user_name_filter entry is referenced using an integer in brackets, the
first entry beginning at zero.
For example:

EMC Documentum Content Server Administration and Configuration 6.7 Guide

269

Logging and Tracing

dfc.tracing.user_name_filter[0]=expression
dfc.tracing.user_name_filter[1]=expression
dfc.tracing.user_name_filter[2]=expression

The expression is a regular expression, using the syntax for a regular expression as defined
in the Java class java.util.regex.Pattern. DFC traces activities of the users whose login names
(dm_user.user_login_name) match the specified expression. The log entries contain the user name.
By default, dfc.tracing.user_name_filter key empty, which means that all users are traced.
The tracing output does not necessarily include all DFC calls made by a particular user. For some
calls, it is not possible to identify the user. For example, most methods on the DfClient interface are
unrelated to a specific session or session manager. Consequently, when tracing is constrained by
user, these method calls are not traced.
When tracing by user, DFC cannot identify the user until one of the following occurs:
A method call on an object that derives from IDfTypedObject (if the session associated with that
object is not an API session).
A method call that takes an IDfSession or IDfSessionManager.
Amethod call that returns an IDfSession or IDfSessionManager.
An IDfSessionManager method call that sets or gets an IDfLoginInfo object.

Tracing threads by name


To trace specific threads, set the dfc.tracing.thread_name_filter key. The key is a repeating key, which
means you can put multiple entries for the key into the file. Each entry has one value, identifying
a thread or threads to be traced. Each dfc.tracing.thread_name_filter entry is referenced using an
integer in brackets, the first entry beginning at zero.
For example:
dfc.tracing.thread_name_filter[0]=expression
dfc.tracing.thread_name_filter[1]=expression
dfc.tracing.thread_name_filter[2]=expression

Each dfc.tracing.thread_name_filter entry is set to a regular expression that identifies a thread or


threads you want to trace. The regular expression must use the syntax for a regular expression
defined in the Java class java.util.regex.Pattern.
The key is not set by default, which means that all methods in all traced threads are traced by
default. Setting the key is primarily useful for standalone DFC-based applications that may spawn
DFC worker threads.
Note: You can use dfc.tracing.file_creation_mode to further sort the entries for each thread into
separate files. For information, refer to Defining file creation mode, page 267.

Including the session ID


By default, log entries contain the user name associated with the logged operation. To include a
session ID with each entry, enable the dfc.tracing.include_session_id. key by setting the Boolean value
to true. By default, the key is disabled. Enabling the key instructs DFC tracing to add the session ID

270

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

and the identity hash code of the associated session manager to the log entries. The session ID has the
format sn, where s is an abbreviation for session and n is the session number.

Tracing RPC calls


There are two keys that control RPC call tracing:
dfc.tracing.include_rpc_count
This Boolean key instructs DFC to add an additional column to each log file entry that records
the current RPC call count for the associated session. The logged value is N/A if DFC cannot
determine the session. If the mode is set to compact, the logged RPC count is the count at the
time the method exits. The default value for the key is false.
dfc.tracing.include_rpcs
This Boolean key instructs DFC to include a separate line in the trace file for each executed RPC
call. The default value for this key is false.

Including stack trace for exceptions


By default, the DFC tracing facility only logs exception names and messages. Typically, the stack
trace can be determined from the trace file. To obtain an exact stack trace for an exception, enable the
dfc.tracing.print_exception_stack key by setting the key value to true.
If the key is enabled, the tracing facility logs the entire stack trace for the exception. The stack trace is
recorded immediately following the line that logs the exit of the method that caused the exception.
The trace is indented and prefixed with exclamation marks.
The default value for this key is false.

Setting verbosity
The dfc.tracing.verbosity key determines what set of classes are traced. By default, the key is disabled
(false) and traces a standard set of classes. When enabled (true) the key traces and additional set of
low-level classes. Tracing these classes greatly increases the number of entries in the trace file and can
noticeably slow down the system. Turning on verbose mode is only recommended when suggested
by EMC Documentum Support.

Directing categories to the trace file


In a log4j.properties file, categories can be defined as the target of logging operations. For DFC, a
category specification would typically be a class or package. However, it is recommended to record
that information in the trace file generated by the dfc.properties tracing facility, especially, when
tracing a DFC class or package at the DEBUG level.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

271

Logging and Tracing

The following dfc.properties keys can be used to redirect the trace:


dfc.tracing.log.category
This key specifies the category that are traced. The key is a repeating key that can have multiple
entries in the dfc.properties file. Each entry has one value that specifies a category. Each
dfc.tracing.log.category entry is referenced using an integer in brackets, with the first entry
beginning at zero. For example:
dfc.tracing.log.category[0]=class_or_package_name
dfc.tracing.log.category[1]=class_or_package_name

dfc.tracing.log.level
This key specifies the level of tracing. The dfc.tracing.log.level key defaults to DEBUG if not
specified.
dfc.tracing.log.additivity
This key is the additivity setting for the category. The dfc.tracing.log.additivity key defaults to
false if not specified.
The dfc.tracing.log.level and dfc.tracing.log.additivity keys are also repeating keys, and the values
across one index position in the entries for the keys are the settings for category identified at the
corresponding index position in dfc.tracing.log.category.

Log file entry format


The log files store trace information in the following format:
timestamp [method_duration] [threadname]
<username|sessionID|session_mgr_id> (RPCs=count) [entry_exit_designation]
stack_depth_indicator qualified_class_name@object_identity_hash_code.
method(method_arguments) ==>return_value|exception

The following table describes the entries in a log file.


Table 75. Log entry components

Component

Description

timestamp

The timestamp of the entry. The format dependents on the tracing


configuration, as defined in the dfc.tracing.timing_style key.

method_duration

The total length of time to execute the method. This value is only
included if the dfc.tracing.mode key value is compact.

threadname

Name of the thread associated with the entry.

username

Name of the user associated with the entry.

sessionID

Identifies the session associated with the entry. This entry is only
included if the dfc.tracing.include_session_id key enabled (true).

session_mgr_id

The hash code identity of the session manager associated with the
entry. This entry is only included if the dfc.tracing.include_session_id
key is enabled (true).

272

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Logging and Tracing

Component

Description

RPCs=count

Total number of RPC calls at the time the entry was logged. This is
only included if dfc.tracing.include_rpc_count is set to true.

entry_exit_designation

Keyword that identifies source of the log entry. The keyword is


only included if the dfc.tracing.mode key value is standard. Valid
values are:
ENTER: The entry records a method entry.
EXIT: The entry records a method exit.
!EXC!: The entry records a call that results in an exception.
RPC_ENTER: The entry records an RPC call entry.
RPC_EXIT: The entry records an RPC call exit.

stack_depth_indicator

Indicates the depth of call stack tracing. The stack depth indicator is
a series of dots (for example, ...).

qualified_class_name

Fully qualified name of the class being traced.

object_identity_hash_code

Hash code of the object on which the method is being called. If the
method is static, this element does not appear in the log entry.

method

Name of the traced method.

method_arguments

Arguments to the specified method.

return_value

The value returned by the method. This entry is included if the


dfc.tracing.mode value is compact or if the entry records the method
exit.

exception

The exception name and message, if any, of the exception thrown


by the method.

The values in each column in an entry are separated by spaces, not tabs.

Trace file examples


The following examples describe trace files generated by various combinations of property settings.
Due to space limitations on the page, the individual entries are line-wrapped in these examples.
Example 11-1. Settings are: dfc.tracing.enable=true
1158701543173 <user1>
[Thread-0] [ENTER]
.............com.documentum.fc.client.DfTypedObject@28821120.getData()
1158701543173 <user1>
[Thread-0] [EXIT]
.............com.documentum.fc.client.DfTypedObject@28821120.getData==>
com.documentum.fc.client.impl.typeddata.ITypedData@150ed68
Example 11-2. Settings are: dfc.tracing.enable=true; dfc.tracing.timing_style=millis_from_start
1141125 <user4>
[Thread-5] [EXIT]
........com.documentum.fc.client.impl.session.Session@4889213

EMC Documentum Content Server Administration and Configuration 6.7 Guide

273

Logging and Tracing

.incrementReferenceCountIfNonZero

==> 2

Example 11-3. Settings are: dfc.tracing.enable=true; dfc.tracing.thread_name_filter=Thread[45]


1158718491103 <user4>
[Thread-4] [ENTER]
..........com.documentum.fc.client.DfTypedObject@25700470.getData()
1158718491103 <user4>
[Thread-4] [EXIT]
..........com.documentum.fc.client.DfTypedObject@25700470.getData
==> com.documentum.fc.client.impl.typeddata.ITypedData@618b08
1158718491150 <user5>
[Thread-5] [EXIT]
..........com.documentum.fc.impl.util.io.MessageChannel@15999328.readSocket
==> <void>
1158718491166
[Thread-5] [EXIT]
..........com.documentum.fc.impl.util.io.MessageChannel@15999328
.readLength ==> 18
Example 11-4. Settings are: dfc.tracing.enable=true; dfc.tracing.include_rpc_count=true;
dfc.tracing.include_session_id=true
1158702906324 <user5|s4|SM@25116828>
[Thread-6] [ENTER] (RPCs=3269)
....com.documentum.fc.client.impl.connection.docbase.DocbaseConnection
@17535609.waitForCorrectTransactionContext()

274

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 12
Audit Management

This chapter contains the following topics:


Auditing, page 275
Auditing by object type, page 278
Auditing by object instance, page 280
Auditing by events selected for all objects in the repository, page 282
Search audit, page 282
Audit policies, page 284
Registering audits, page 285
Adding, modifying, or removing audits, page 287
Verifying or purging audit trails, page 287

Auditing
Auditing is a security feature for monitoring events that occur in a repository or application.
Auditing an event creates an audit trail, a history in the repository of the occurrence of the event.
Audit information can be used to:
Analyze patterns of access to objects.
Monitor when critical documents change or when the status of a critical document changes.
Monitor the activity of specific users.
Record all occurrences of a particular event on a given object or given object type
Record all occurrences of a particular event in the repository, regardless of the object to which it
occurs
Record all workflow-related events in the repository
Record all occurrences of a particular workflow event for all workflows started from a given
process definition
Record all executions of a particular job
Record all events in the repository

EMC Documentum Content Server Administration and Configuration 6.7 Guide

275

Audit Management

Note: Audit management requires extended user privileges.


Auditing is managed on the Audit Management page, which can be accessed by selecting
Audit Management. The Audit Management page contains links to the
Administration >
following auditing features:
Auditing by object type, page 278
Auditing by object instance, page 280
Auditing by events selected for all objects in the repository, page 282
Search audit, page 282
Audit policies, page 284

Audit events
An event is something that happens to an object in the repository or an operation defined as an event
by a user-written application. There are two types of events:
System events
System events are events that Content Server recognizes and can audit automatically. For
example, checking in a document can be an audited system event.
Content Server provides automatic auditing for any system event. When an audited system event
occurs, Content Server automatically generates the audit trail entry. Documentum provides a
large set of system events that are associated with API methods, lifecycles (business policies),
workflows, and jobs. For a complete list of auditable system events, refer to Appendix A, System
Events.
Application events
Application events are events that are recognized and audited by client applications. For example,
a user opening a particular dialog can be an audited application event. To audit application
events, an application must recognize when the event occurs and create the audit trail entry
programmatically. Application events are not recognized by Content Server.

Audit trails
An audit trail is a recorded history of event occurrences that have been marked for auditing. Each
occurrence is recorded in one audit trail record. The server stores audit trail records as objects
in the repository. Depending on the event, the objects are dm_audittrail, dm_audittrail_acl, or
dm_audittrail_group objects. Auditing an event stores pertinent data in the audit trail object, such as
when the event occurred and what object was involved.
Audit trail entries are generated after auditing is set up and can consume considerable space in the
repository. Therefore audit trail entries should be removed from the repository periodically.

276

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Audit properties
Object properties are audited if the properties are registered for auditing. After the properties are
registered, the property name and new value are recorded in the attribute_list property of the
audit trail entry. Old property values are only included automatically if the audit_old_values
property in the docbase config object is enabled. The property name and old value are recorded in
the attribute_list_old property of the audit trail entry. The audit_old_values property is enabled by
default. If the audit_old_values property is disabled, the audit trail entry does not record changes to
properties unless they are specifically registered for auditing when the event is registered.
Aspect attributes can also be audited. Aspect attribute audits record the aspect attribute changes
attached to an object along with the object type attributes. Auditing is available for aspect attributes
attached to SysObject, user, group, and acl objects, and any of their associated subtypes. Auditing
aspect attributes requires that auditing is also enabled for the object type or subtype.
Note: For repositories created on RDBMS platforms with a page size of less than 8K, the
audit_old_values property is always disabled and cannot be enabled.

Events audited by default


Content Server audits the following events by default:
dm_audit and dm_unaudit
All executions of methods that register or unregister events for auditing.
dm_signoff
All executions of a IDfPersistentObject.signoff method.
dm_adddigsignature
All executions of an addDigitalSignature method. By default, audit trail entries created for the
dm_adddigsignature event are not signed by Content Server. To sign those entries, register the
event explicitly for auditing and set the argument to require signing.
dm_addesignature and dm_addesignature_failed
All executions, successful or unsuccessful of an addESignature method. The audit trail entries for
the dm_addesignature event are signed by Content Server automatically.
dm_purgeaudit
Removal of an audit trail entry from the repository. A dm_purgeaudit event is generated
whenever a destroy method is executed to remove an audit trail entry from the repository or a
PURGE_AUDIT administration method is executed. All dm_purgeaudit events are audited.
User login failure
dm_default_set
A default set of events on objects of type dm_document and its subtypes. This event is registered
against the docbase config object, and Content Server audits the events in the set for dm_document
type and its subtypes.Table 76, page 278, describes the events that are included in this set.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

277

Audit Management

Table 76. Events audited by the dm_default_event

Object type

Audited events

dm_docbase_config
dm_archive

dm_checkin

dm_restore

dm_assemble

dm_checkout

dm_save

dm_bp_attach

dm_destroy

dm_setfile

dm_bp_demote

dm_freeze

dm_signoff

dm_bp_promote

dm_link

dm_unfreeze

dm_bp_resume

dm_lock

dm_unlink

dm_bp_suspend

dm_mark

dm_unlock

dm_branch

dm_prune

Disabling or modifying default auditing


With the exception of user login failure and the dm_default_set events, default auditing cannot be
disabled because there are no default registry objects for these events. Turning off auditing of the
dm_default_set event for the docbase config type turns off auditing of all events represented by the
dm_default_set event.
Default auditing can be modified by registering against the events audited by default. Content
Server creates the audit trail entry based on the criteria that are defined for the event and target.
When the registration is removed, Content Server returns to creating the default audit trail entry for
the event and target.

Auditing by object type


Auditing by object type creates audit trails for events for all objects of a particular type. Use these
instructions to select the types, restrict the set of objects on which audit trails are created, and select
the events.
You can set audits only for one object type at a time. Complete these instructions for each object
type you audit.
You must have Config Audit privileges to use this function.

To add, modify, or delete auditing by object type:


1.

Connect to the repository and navigate to Administration > Audit Management.


The Audit Management list page is displayed.

2.

278

Click Manage Auditing by Object Type.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

The Choose a type page is displayed. The objects locator displays the aspect types along with
the existing standard types. To audit the object instances with aspect attributes, register the
related aspect type for auditing.
3.

Select a type to audit, then click OK.


The Register Audit page displays with the selected object type.

4.

Do one of the following:


To add an audit, click Add Audit.
A more detailed Register Audit page displays. Specify the audit criteria and audit events for
the object, as described in Table 77, page 279.
To edit an audit, select the object name and click Edit.
A more detailed Register Audit page displays. Specify the audit criteria and audit events for
the object, as described in Table 77, page 279.
To remove an audit, select the object name and click Unaudit.

5.

Click OK to save your changes.

Table 77. Object auditing properties

Field

Description

Application Code

Enter the application code to audit only objects with a particular


application code.
The application code is a property set by the client application that creates
the object. For example, an application sets the application code to the
value Internal. To audit objects of the type you selected with application
code Internal, type Internal in the Application Code field.
You cannot enter a value in the field if you previously selected a dm_user,
dm_acl, or dm_group object type.

Lifecycle

Records objects that are attached to a lifecycle. Click Select Lifecycle to


access the Choose a lifecycle page.Select the correct lifecycle and then
click OK.

State

Records only those objects attached to the lifecycle and in a particular


state. Select a state from the drop-down list.

Attributes

Records the values of particular properties of the object in the audit trail.
Click Select Attributes to access the Choose an attribute page.
Select the properties whose values you want to record, click >, then click
Add. To remove any properties, select them on the right-hand side of
the page and click <.
Click OK when you are finished.

Has signature
manifested

Select to sign the audit trail.

Include all subtypes

Select to include all subtypes of the audited object type.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

279

Audit Management

Field

Description

Authentication
required

Select to require authentication for custom (user-defined) events that


are audited.

Add

Click to access the Choose an event page and select the events you want
to register.
Select one or more events to audit and click > to move the events to the
Selected Items column. To remove any events, select them in the Selected
Items column and click <. Click OK when you are finished.
To unregister any events, select them in the Event Name list and click
Remove.

Choosing a type
On this page, select a type and then click OK to accept the type or Cancel to cancel the action.

Auditing by object instance


Auditing by object instance creates audit trails for events for a particular object in the repository. You
can set audits only for one object type at a time.
Aspect attributes can be audited if they are attached to SysObject, user, group, and acl objects, and
any of their associated subtypes. Auditing aspect attributes requires that the related aspect type is
registered for auditing.
You must have Config Audit privileges to audit object instances.

To add, modify, or delete auditing by object instance:


1.

Connect to the repository and navigate to Administration > Audit Management.


The Audit Management list page displays.

2.

Click Manage Auditing by Object Instance.


The Choose Objects page displays.

3.

Select one or more objects to audit, then click >.


By default, the Choose Objects page displays the cabinets in the repository. Click cabinet names
and folder names within cabinets to browse to the correct documents.

4.

Click OK.
The Register Audit page displays with the selected object instances listed.
If you click the Select link at the top of the page, the objects you already selected are replaced by
the objects you select now.

5.

Do one of the following:


To edit an audit, select the object instance and click Edit.

280

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

A more detailed Register Audit page displays. Specify the audit criteria and audit events
for the object instances as described in Table 78, page 281.
To remove an audit, select the object instance and click Unaudit.
6.

Click OK.

Table 78. Object instance auditing properties

Field

Description

Application Code

Enter the application code to audit only objects with a particular


application code.
The application code is a property set by the client application that creates
the object. For example, an application sets the application code to the
value Internal. To audit objects of the type you selected with application
code Internal, type Internal in the Application Code field.
You cannot enter a value in the field if you previously selected a dm_user,
dm_acl, or dm_group object type.

Lifecycle

Records objects that are attached to a lifecycle. Click Select Lifecycle to


access the Choose a lifecycle page.Select the correct lifecycle and then
click OK.

State

Records only those objects attached to the lifecycle and in a particular


state. Select a state from the drop-down list.

Attributes

Records the values of particular properties of the object in the audit trail.
Click Select Attributes to access the Choose an attribute page.
Select the properties whose values you want to record, click >, then click
Add. To remove any properties, select them on the right-hand side of
the page and click <.
Click OK when you are finished.

Has signature
manifested

Select to sign the audit trail.

Include all subtypes

Select to include all subtypes of the audited object type.

Authentication
required

Select to require authentication for custom (user-defined) events that


are audited.

Add

Click to access the Choose an event page and select the events you want
to register.
Select one or more events to audit and click > to move the events to the
Selected Items column. To remove any events, select them in the Selected
Items column and click <. Click OK when you are finished.
To unregister any events, select them in the Event Name list and click
Remove.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

281

Audit Management

Auditing by events selected for all objects in


the repository
Use these instructions to add or remove auditing events for all objects in the repository.
You must have Config Audit privileges to use this function.

To add or remove auditing by events:


1.

Connect to the repository and navigate to Administration > Audit Management.


The Audit Management list page displays.

2.

Click Manage Auditing by events selected for all objects in the repository.
The Register Audit page displays.
Any events already selected for repository-wide auditing are listed. The following fields are
disabled:
Application Code
Lifecycle
State
Attributes
Has signature manifested
Include all subtypes
Authentication Required
These fields are enabled only for auditing by object type.

3.

Do one of the following:


To add an event, click Add.
The Choose an event page displays. Select the events to audit, then click
events to the Selected Items column. Click OK to save your changes.

to move the

To remove an event, select the event, then click Remove.


4.

Click OK.

Search audit
The Search Audit feature lets you search and view audit trails. You must have View Audit extended
privileges to search for and view existing audit trails.

To search and view audit trails:


1.

Connect to the repository and navigate to Administration > Audit Management.


The Audit Management list page is displayed.

2.

282

Click Search Audit.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

The Search Criteria page is displayed.


3.

Enter the search criteria, as described in Table 79, page 283.

4.

Click OK.
The audit trails matching the DQL query or selection criteria are displayed.
You can sort the audit trails by clicking the Object Name, Event Name, User Name, or Date
Created column.

5.

To view the properties of an audit trail, select the audit trail, then click View > Properties > Info.

6.

To return to the Audit Management list page, click the Audit Management link at the top of
the page.

Table 79. Audit search properties

Field

Description

Search By

Indicates whether to use the criteria specified on the search page


or a DQL query to search for the audit trail.
Do one of the following:
Select the Search criteria defined below option and enter the
search criteria.
Select the DQL option and enter a DQL query in the Where
Clause field. Click OK to display the query results.

Events

Restricts the search by events. Click Select and select one or more
events and click OK.

Object Name

Restricts the search by object names. Select Begins With, Contains,


or Ends With and type in a string.

Versions

Restricts the search by version. Type in a version.

Look In

Restricts the search to a particular folder. Click Select Folder and


select the folder.

Audit Dates

Restricts the search by time. Click Local Time or UTC, then type
or select a beginning date in the From field and an ending date for
the search in the Through field.

Type

Restricts the search to a particular type. Click Select Type and select
the type. To include subtypes of the type, click Include Subtype.

Lifecycle

Restricts the search to objects attached to a lifecycle. Click Select


Lifecycle and select a lifecycle.

Application Code

Restricts the search to objects with an application code. Type the


application code. To restrict the search to those audit trails that
are signed, select Has Signature.

Controlling Application

Restricts the search to objects with a controlling application. Type


the name of the application.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

283

Audit Management

Audit policies
An audit policy ensures that only the users or groups that are specified in the purge policy can
delete an audit record. If an unauthorized user or group attempts to delete the audit record, Content
Server throws an error message. If there are multiple policies for same user, the policy with the
highest permissions is in effect.
Audit policies specify which user, group, or role can purge audit trails. You must be an Install Owner
to access and manage audit policies. Other users can only view the list of audit policies.
Audit policies are managed on the Audit Policies page. Select Administration >
Audit
Management to display the Audit Management page, then click the Audit Policies link to display the
Audit Policies page. Table 80, page 284 describes the information on the Audit Policies page.
Table 80. Audit Policies page information

Column Name

Description

Name

The name of the audit policy.

Accessor Name

The name of the user, group, or role that are assigned this audit policy.

Is Group

Indicates whether the user specified in the Accessor Name column is


belongs to a group.

For information about creating or modifying an audit policy, refer to Creating, modifying, or deleting
an audit policy, page 284.

Creating, modifying, or deleting an audit policy


You must be the Install Owner to create, modify, or delete an audit policy.

To create, modify, or delete an audit policy:


1.

Connect to the repository and navigate to Administration > Audit Management.


The Audit Management page displays.

2.

Click Audit Policies.


The Audit Policies page displays.

3.

Do one of the following:


To create an audit policy, click File > New > Audit Policy
The New Audit Policy page displays. Enter the policy information as described in Table 81,
page 285.
To modify an audit policy, select the audit policy, then select View > Properties > Info.
The Audit Policy Properties page displays. Modify the policy information as described in
Table 81, page 285.
To remove an audit policy, select the audit policy, then select File > Delete.
To save a copy of an audit policy, select the audit policy, then select File > Save As ....

284

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

4.

Click OK to save your changes.

Table 81. Audit policy information

Field

Description

Name

The name of the audit policy.

Accessor Name

The user, group, or role to which this audit policy is assigned.

Audit Policy Rules

Specifies the policy rules, as follows:


Click Add to add a rule. The Create/Edit Rule page displays. Select
an attribute and enter a value for the attribute.
Select an attribute name, then click Edit to modify the rule. The
Create/Edit Rule page displays. Modify the attribute.
Select an attribute name, then click Remove to delete the rule.
There must be at least one rule or condition to save the audit policy.

Audit Policy example


The following audit policy example specifies the Test purge policy that enables user1 to purge the
audit record for the object_type attribute type1 and the is_archived attribute T.
Table 82. Audit policy example values

Field

Description

Name

Test

Accessor Name

user1

Audit Policy Rules


Attribute Name

Attribute Value

object_type

type1

is_archived

The policy described in this example only protects audit records that satisfy the policy. For example,
the policy does not protect audit records that have the is_archived attribute set to F. Any user with
purge audit extended privilege can delete those records.

Registering audits
The Register Audit page specifies the properties that are audited for an object or object instance.
Select the properties as described in Table 83, page 286 to define the audited properties and register
the object or object instance for auditing.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

285

Audit Management

Table 83. Object and object instance auditing properties

Field

Description

Application Code

Enter the application code to audit only objects with a particular


application code.
The application code is a property set by the client application that creates
the object. For example, an application sets the application code to the
value Internal. To audit objects of the type you selected with application
code Internal, type Internal in the Application Code field.
You cannot enter a value in the field if you previously selected a dm_user,
dm_acl, or dm_group object type.

Lifecycle

Records objects that are attached to a lifecycle. Click Select Lifecycle to


access the Choose a lifecycle page.Select the correct lifecycle and then
click OK.

State

Records only those objects attached to the lifecycle and in a particular


state. Select a state from the drop-down list.

Attributes

Records the values of particular properties of the object in the audit trail.
Click Select Attributes to access the Choose an attribute page.
Select the properties whose values you want to record, click >, then click
Add. To remove any properties, select them on the right-hand side of
the page and click <.
Click OK when you are finished.

Has signature
manifested

Select to sign the audit trail.

Include all subtypes

Select to include all subtypes of the audited object type.

Authentication
required

Select to require authentication for custom (user-defined) events that


are audited.

Add

Click to access the Choose an event page and select the events you want
to register.
Select one or more events to audit and click > to move the events to the
Selected Items column. To remove any events, select them in the Selected
Items column and click <. Click OK when you are finished.
To unregister any events, select them in the Event Name list and click
Remove.

286

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Adding, modifying, or removing audits


Register Audit page lists object instances or an object type that you selected for auditing, as well as
the audited criteria and events. On this page, you can add, edit, or remove audits.
To add an audit, select the object name, then click Add Audit.
To modify an audit, select the object, then click Edit.
To remove an audit, select the object, then click Remove.

Verifying or purging audit trails


Audit trails are displayed on the Audit Trails page after a search query has been issued, as described
in Search audit, page 282.
On the Audit Trails page, you can
View audit trail properties by selecting an audit trail, then selecting View > Info > Properties.
Verify an audit record by right-clicking an audit trail and selecting Tools > Verify Audit Record.
Only signed audit trails can be verified.
Purge an audit record by right-clicking an audit trail and selecting Tools > Purge Audit Record(s).
To purge more than one audit record, select the audit trails, then Tools > Purge Audit Record(s).
You must have Purge Audit privileges to purge audit records. If the audit record is protected
by an audit policy, you can only purge the record, if the purge policy is assigned to you or a
group of which you are a member.
To navigate back to the Audit Management list page, click Audit Management at the top of the page.

Interpreting audit trails of DFC method,


workflow, and lifecycle events
Audit trail entries for DFC method, workflow, and lifecycle events are stored in the repository as
audit trail objects. Each audit trail object records one occurrence of a particular event. The audit trail
object properties describe the event.
The properties that have a common purpose for entries generated by Content Server include all the
properties other than the string_x and id_x properties. An audit trail object also has five ID-datatyped
properties and five string properties. These properties are named generically, id_1 to id_5 and
string_1 to string_5. In audit trail entries for workflows and lifecycle events, Content Server uses
these properties to store information specific to the particular kinds of events. Some of the events
generated by methods other than workflow or lifecycle-related methods use these generic properties
and some do not. A user-defined event can use these properties to store any information wanted.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

287

Audit Management

Audit trails for events generated by non-workflow or


lifecycle methods
The following table describes how Content Server uses the generic string and id properties in audit
trails generated by methods other than workflow or lifecycle methods. Only those events that use the
generic properties are listed. If an event is not listed in this table, Content Server does not use the
generic properties in audit trails generated by that event.
Table 84. Usage of generic properties by API events

Event

Generic property use

Adddigsignature

string_1, User name provided as an argument to the method


or the name of the connected user if the user argument was
not specified
string_2, Reason for the signing

Addesignature (success)

string_1, User who signed the object


string_2, Justification text
string_3, The number of the signature, the name of the
method used to generate the signature, and the pre-signature
hash argument. For example: 2/PDFSign/pre-signature
hash_argument
string_4, Hash of the primary content (page number 0)
string_5, Hash of the signed content. Note that if the signed
content is the primary content (rather than a rendition), this
value is the same as the hash in string_4.

Addesignature (failure)

string_1, User who signed the object


string_2, Error message indicating why the failure occurred
string_3, The number of the signature, text
indicating the reason for the audit entry, and
the pre-signature hash argument. For example:
2/ENTRY_F0R_FAILED_ESIGN_OPERATION/pre-signature
hash_argument

Addnote

id_1, Object ID of document to which the note is attached


id_2, Object ID of the note

Addrendition

id_1, Object ID of the content object


string_1, Format of the rendition
string_2, Either "Replace Old Rendition" or "Save New
Rendition", depending on whether the added rendition
replaces an existing rendition or is a new rendition.

288

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Event

Generic property use

Addretention

id_1, Object ID of the retainer object

Appendcontent

See Setfile

Appendfile

See Setfile

Appendpart

id_1, Object ID of the virtual document to which you are


appending the component
id_2, Object ID of the component
id_3, Object ID of the containment object that links the
virtual document and the component
string_1, The version label of the component
string_2, The use_node_ver_label setting
string_3, The follow_assembly setting
string_4, The copy_child setting

Assume

string_1, The success or failure of the user authentication

Audit

string_1, The audited operation

Authenticate

string_1, The success or failure of the user authentication

Bindfile

See Setfile

Checkin

id_1, Object ID of the version from which the new version


created by the checkin was derived

Connect

string_1, Identifies the authentication mechanism used to


authenticate the user. Values are:
ticket, for ticketed login
trusted, for trusted login
unified, for Windows unified login
OS password, for OS password authentication
plugin password, for plugin authentication
LDAP password, for LDAP authentication
OS external, for authentication with OS password by an
external password checking program
LDAP external, for authentication by an external password
checking program that uses LDAP
string_4, Host name of the client machine from which the
user connected
string_5, IP address of the client machine from which the
user connected

Destroy

Destroy uses the generic properties only when the object


to be destroyed is a dm_audittrail object or a subtype of
dm_audittrail. For details, see the Purge Audit entry in
this table.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

289

Audit Management

Event

Generic property use

Getcontent

See Getfile

Getfile

id_1, Object ID of the content object for the content file

Getlogin

id_1, Object ID of the user object representing the user


identified in string_1.
string_1, Name of the user for whom the ticket was
requested

Getpath

See Getfile

Insertcontent

See Setfile

Insertfile

See Setfile

Insertpart

id_1, Object ID of the virtual document to which you are


inserting the component
id_2, Object ID of the component
id_3, Object ID of the containment object that links the
virtual document and the component
string_1, The version label of the component
string_2, The use_node_ver_label setting
string_3, The follow_assembly setting
string_4, The copy_child setting

Kill

id_1, Session ID of the terminated session

Link

id_1, Object ID of the folder to which the object is linked.


id_2, Object ID of the linked object
string_1, Name of the folder to which the object is linked
string_2, Name of the linked object

Logon Failure

string_1, User_name value


string_2, User name as entered by the user
Note: string_1 is empty if the user enters an invalid user
name. If the user enters a valid user name, string_1 and
string_2 are the same value.

Mark

string_1, Name of the version label


Note: One audit trail entry is created for each label assigned
in the Mark method.

290

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Event

Generic property use

Move Content

string_1, Name of the storage area from which the content


was moved
string_2, Name of the storage area to which the content
was moved.
id_1, Object ID of the SysObject containing the moved
content file.

Purge Audit

string_1, the time_stamp value of the first deleted audit trail


entry in the transaction
string_2, the time_stamp value of the last deleted audit trail
entry in the transaction
string_3, the actual number of audit trail entries deleted
in the transaction
string_5, the list of arguments defined in the method
command line
id_1, the object ID of the first audit trail entry deleted by
the transaction
id_2, the object ID of the last audit trail entry deleted by
the transaction

Removecontent

id_1, Object ID of the content object representing the content


file removed from the SysObject.
string_1, The page that was removed.

Removenote

id_1, Object ID of the object to which the note was attached


id_2, Object ID of the note

Removepart

id_1, Object ID of the virtual document from which you


are removing the component
id_2, Object ID of the component
id_3, Object ID of the containment object that links the
virtual document and the component
string_1, If specified, the order_no that identifies the
component to be removed

Removerendition

id_1, Object ID of the content object representing the


renditions content file
string_1, Rendition format

Removeretention

id_1, Object ID of the retainer object

Setcontent

See Setfile

EMC Documentum Content Server Administration and Configuration 6.7 Guide

291

Audit Management

Event

Generic property use

Setfile

id_1, Object ID of the content object for the content file


string_1, Name of the API
string_2, Name of the file (unused for Appendcontent,
Bindfile, Inserttcontent, Setcontent)
string_3, Page number of the content file
string_4, Format of the content file

Setpath

See Setfile

Setoutput

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_5, Output port name

Setretentionstatus

string_1, Original status of the retainer


string_2, New status of the retainer

Unaudit

string_1, Name of the operation from which auditing was


removed

Unlink

id_1, Object ID of the folder to which the object is linked.


id_2, Object ID of the linked object
string_1, Name of the folder to which the object is linked
string_2, Name of the linked object

Unmark

string_1, Name of the version label.

Updatepart

id_1, Object ID of the virtual document into which you are


inserting the component
id_2, Object ID of the component
id_3, Object ID of the containment object that links the
virtual document and the component
string_1, The version label of the component
string_2, The use_node_ver_label setting
string_3, The follow_assembly setting
string_4, The copy_child setting, if specified
string_5, The order_no if specified

292

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Lifecycle audit trails


The following table describes how Content Server uses the generic string and id properties in audit
trails generated by lifecycle events.
Table 85. Usage of generic properties by lifecycle events

Event

Generic property use

Attach

id_1, Object ID of the business policy


string_1, State to which object is being attached

Demote

id_1, Object ID of the business policy


string_1, State from which object was demoted
string_2, State to which the object was demoted

Install

Does not use the generic properties.

Promote

id_1, Object ID of the business policy


string_1, State from which object was promoted
string_2, State to which object was promoted

Resume

id_1, Object ID of the business policy


string_1, State to which the object is returned

Suspend

id_1, Object ID of the business policy


string_1, The objects business policy state at the time
of suspension

Uninstall

Does not use the generic properties.

Validate

string_1, Number of states in the business policy.

Workflow audit trails


The following table describes how Content Server uses the generic string and id properties in audit
trails generated by workflow events.
Table 86. Usage of generic properties by workflow events

Event

Generic property use

Abort workflow (dm_abortworkflow)

id_1, Object ID of the workflow

EMC Documentum Content Server Administration and Configuration 6.7 Guide

293

Audit Management

Event

Generic property use

Add attachment (dm_addattachment)

id_1, Object ID of the workflow


id_5, Object ID of the attached object
string_5, Name of the attached object

Add note (dm_addnote)

id_1, Object ID of the workflow


id_5, Object ID of the note object
string_1, Activity sequence number
string_2, Activity name
string_5, Value of the notes keep_permanent flag

Add package (dm_addpackage)

id_1, Object ID of the workflow


id_2, Object ID of the work item (used only if
addPackage is called with the work item referenced
in the arguments)
id_5, Object ID of the document in the package.
If there are multiple documents, there are a
corresponding number of audit trail entries, each
with a different value in id_5.
string_1, Activity sequence number
string_2, Activity name
string_3, Names of the components identified in the
componentIds argument. This is only set if package
control is not enabled.
string_5, Package name

Auto Delegation of Activity Failed


(dm_wf_autodelegate_ failure)

id_1, Object ID of the workflow


string_1, Activity sequence number
string_2, Activity name

Auto Transition of Activity (autotransactivity)

id_1, Object ID of the workflow


string_1, Activity sequence number
string_2, Activity name
string_5, Index position of the TRUE condition in the
dm_cond_expr object examined for the transition.

294

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Event

Generic property use


(This event is supported for backwards compatibility.
The Portselect event provides additional or more
current information about an automatic transition.)

Change activity instance state


(dm_changedactivity instancestate)

id_1, Object ID of the workflow


id_2, Object ID of the work item
id_5, Value in the r_exec_results property of the
work item
string_1, Activity sequence number
string_2, Activity name
string_5, Value of the return_value property of the
work item

Change process state (dm_changestateprocess)

string_3, Previous state

Change supervisor (dm_changeworkflow


supervisor)

id_1, Object ID of the workflow

string_4, New state

string_4, New supervisor name


string_5, Old supervisor name

Change workflow state (dm_


changestateworkflow)

id_1, Object ID of the workflow


string_3, Previous state
string_4, New state

Change work item priority (dm_


changepriorityworkitem)

id_1, Object ID of the workflow that contains the


work item
id_2, Object ID of the work item
string_1, Sequence number of the activity that
generated the work item
string_2, Name of the activity
string_3, Old priority value
string_5, New priority value

EMC Documentum Content Server Administration and Configuration 6.7 Guide

295

Audit Management

Event

Generic property use

Completed work item (dm_


completedworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
id_5, For automatic work items: Object ID of the
document containing the results of the execution.
(This is the value in the r_exec_results property.)
string_1, Activity sequence number
string_2, Activity name
string_3, Comma-separated list of work item
properties and their values. The properties are:
user_time, user_cost, a_wq_name, a_wq_flag,
and a_wq_doc_profile. (a_wq_name and
a_wq_doc_profile are enclosed in double quotes)
string_5,Value in the return_value property of work
item

Create workflow (dm_createworkflow)

id_1, Object ID of the workflow


string_4, Supervisor name
string_5, Name of the workflow

Delegated work item (dm_delegatedworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_3, Activity type (Manual or Automatic)
string_4, Name of the workqueue, if any, to which
the task is assigned
string_5, Name of the user to which the task is
delegated

Finish workflow (dm_finishworkflow)

id_1, Object ID of the workflow

Install workflow or activity definition


(dm_install)

Does not use the generic properties.

Invalidate workflow or activity definition


(dm_invalidate)

Does not use the generic properties.

296

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Event

Generic property use

Pause work item (dm_pauseworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name

Port select (dm_portselect)

id_1, Object ID of the workflow


string_1, Activity sequence number
string_2, Activity name
string_5, Selected output port. If multiple ports
are selected, a corresponding number of audit trail
entries are created, each with a different value in
string_5.

Pseudo-completed work item


(dm_pseudocompletedworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Sequence number of the activity
string_2, Name of the activity
string_3, State of the work item prior to
pseudo-completion
string_5, Name of the task owner

Remove attachment (dm_removeattachment)

id_1, Object ID of the workflow


id_5, Object ID of the attached object that was
removed
string_5, Name of the attached object that was
removed

Remove note (dm_removenote)

id_1, Object ID of the workflow


id_5, Object ID of the note object. If the remove note
event is triggered by a remove package event that
removes a package with multiple notes attached to
its components, there are multiple remove note audit
trail entries, each with a different id_5 value.
string_1, Activity sequence number
string_2, Activity name

EMC Documentum Content Server Administration and Configuration 6.7 Guide

297

Audit Management

Event

Generic property use

Remove package (dm_removepackage)

id_1, Object ID of the workflow


id_5, Object ID of the document in the package.
If there are multiple documents, there are a
corresponding number of audit trail entries, each
with a different value in id_5.
string_1, Activity sequence number
string_2, Activity name
string_5, Package name

Repeat work item (dm_repeatworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name

Resume work item (dm_resumeworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name

Save a workqueue (dm_save_workqueue)

id_1, Object ID of the workqueue


id_2, Value of the wq_policy_id property of the
workqueue object
string_1, Name of the workqueue
string_2, Number of users in the workqueue

Save a workqueue policy (dm_save_


workqueuepolicy)

id_1, Object ID of the workqueue policy object


string_1, Name of the workqueue policy
string_2, Maximum threshold of the policy

Selected work item (dm_selectedworkitem,


a work item has been acquired)

id_1, Object ID of the workflow


id_2, Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_4, Name of the workqueue, if any, to which
the task is assigned

298

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

Event

Generic property use

Sign off work item (dm_signoff)

id_1, Object ID of the workflow


id_2, Object ID of the work item
id_5, Object ID of the document in the package.
If there are multiple documents, there are a
corresponding number of audit trail entries, each
with a different value in id_5.
string_1, For Windows, the users domain and user
name (used to validate signature)
string_5, Text provided by reason argument in
Signoff method.

Started work item (dm_startedworkitem)

id_1, Object ID of the workflow


id_2, Object ID of the work item
id_5, For automatic activities, the object ID of the
dm_method object for the method executed by the
activity. For manual activities, this is null.
string_1, Activity sequence number
string_2, Activity name
string_3, Comma-separated list of work item
properties and their values. The properties are:
r_priority, a_wq_name, and a_wq_doc_profile.
a_wq_name and a_wq_doc_profile are enclosed in
double quotes.
string_4, Name of the performer of the work item
string_5, Value in the dependency_type property of
the corresponding queue item object.

Start workflow (dm_startworkflow)

id_1, Object ID of the workflow

Suspend workqueue task (dm_


suspendedworkqueuetask)

id_1, Object ID of the workflow


id_2 Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_4, Workqueue name

Uninstall workflow or activity definition


(dm_uninstall)

Does not use the generic properties.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

299

Audit Management

Event

Generic property use

Unsuspend workqueue task


(dm_unsuspendedworkqueuetask)

id_1, Object ID of the workflow


id_2 Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_4, Workqueue name

Validate workflow or activity definition


(dm_validate)

Does not use the generic properties.

Generate report on an activity if at least


one package has been defined accordingly
(dm_wf_business_data)

id_1, Object ID of the workflow


id_2 Object ID of the work item
string_1, Activity sequence number
string_2, Activity name
string_3, Process name
string_4, User name
There is always a dmi_audittrail_attrs
object associated with the audit trail of
the dm_wf_business_data event. The
dmi_audittrail_attrs object has the following
entries:
audit_obj_id: Object ID of corresponding audit trail
object.
attribute_list: An XML string containing data from
all packages.

Interpreting ACL and group audit trails


Audit trail entries generated when ACLs are created, changed, or destroyed are recorded in
dm_audittrail_acl objects. Entries generated when groups are created, changed, or destroyed are
recorded in dm_audittrail_group objects. The dm_audittrail_acl and dm_audittrail_group object
types are subtypes of the dm_audittrail type.
The properties defined for the dm_audittrail_acl object type store information about an audited ACL.
The properties identify the event (dm_save, dm_saveasnew, or dm_destroy), the target ACL, the
ACL entries or changes to the entries. For example, suppose you create an ACL with the following
property values:
r_object_id:451e9a8b0001900
r_accessor_name
[0]:dm_world
[1]:dm_owner

300

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Audit Management

[2]:John Doe
[0]:6
[1]:7
[2]:3
r_accessor_xpermit [0]:0
[1]:0
[2]:196608
r_is_group
[0]:F
[1]:F
[2]:F
r_accessor_permit

The audit trail acl object created in response has the following property values:
r_object_id:<audit trail acl obj ID>
audited_obj_id
:451e9a8b0001900
event_name
:dm_save
string_1
:Create
accessor_operation[0] :I
[1] :I
[2] :I
accessor_name
[0] :dm_world
[1] :dm_owner
[2] :John Doe
accessor_permit
[0] :6
[1] :7
[2] :3
accessor_xpermit [0] :0
[1] :0
[2] :196608
application_permit [0]:
[1]:
[2]:
permit_type
[0]:0
[1]:0
[2]:0
is_group
[0] :F
[1] :F
[2] :F

The event_name records the repository event, a save method, that caused the creation of the audit
trail entry. The string_1 property records the event desciption, in this case, Create, indicating the
creation of an ACL. The accessor_operation property describes what operation was performed on
each accessor identified at the corresponding index position in accessor_name. The accessor_permit
and accessor_xpermit properties record the permissions assigned to the user (or group) identified in
the corresponding positions in accessor_name. Finally, the is_group property identifies whether the
value in accessor_name at the corresponding position represents an individual user or a group.
Now suppose you change the ACL. The changes you make are:
Add the Sales group
Remove John Doe
Change the worlds access to None
The resulting audit trail acl object has the following properties:
r_object_id
audited_obj_id
event_name
string_1
accessor_operation

accessor_name

[0]
[1]
[2]
[0]

:<audit trail acl obj ID>


:451e9a8b0001900
:dm_save
:Save
:U
:I
:D
:dm_world

EMC Documentum Content Server Administration and Configuration 6.7 Guide

301

Audit Management

accessor_permit

accessor_xpermit

application_permit

permit_type

is_group

[1] :Sales
[2] :JohnDoe
[0] :0
[1] :2
[2] :3
[0] :0
[1] :0
[2] :196608
[0]:
[1]:
[2]:
[0]:0
[1]:0
[2]:0
[0] :F
[1] :T
[2] :F

dm_world is found in accessor_name[0]. Consequently, the values in the corresponding position in


the accessor_operation, accessor_permit, and accessor_xpermit properties identify the changes made
to dm_world. In this case, the operation is U, meaning update. The values in accessor_permit and
accessor_xpermit show the updated permissions for dm_world.
Sales is found in accessor_name[1]. The value in accessor_operation[1], I, shows that an entry for
Sales was added (inserted) into the ACL. The values in accessor_permit and accessor_xpermit show
the permissions assigned to Sales.
JohnDoe is found in accessor_name[2]. The value in accessor_operation[2], D, indicates that the
entry for JohnDoe was removed from the ACL. The values in the corresponding positions in
accessor_permit and accessor_xpermit identify the permissions previously assigned to JohnDoe.
Audit trail group objects are interpreted similarly. The values in the corresponding index
positions in users_names and users_names_operations represent one individual user who is a
member of the audited group. The values in the corresponding positions in groups_names and
groups_names_operation represent one group that is a member of the audited group. The operations
property defines what operation was performed on the member at the corresponding names property.

302

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Chapter 13
Methods and Jobs

This chapter contains the following topics:


Methods, page 303
Method execution agents, page 311
Administration methods, page 311
Jobs, page 341

Methods
Methods are executable programs that are represented by method objects in the repository. The
program can be a Docbasic script, a Java method, or a program written in another programming
language such as C++. The associated method object has properties that identify the executable and
define command line arguments, and the execution parameters.
Methods are executed by issuing a DO_METHOD administration method from the command line
or using a job. Using a DO_METHOD allows you to execute the method on demand. Using a job
allows you to schedule the method for regular, automatic execution. For information about creating
jobs, refer to Jobs, page 341.
The executable invoked by the method can be stored in the file system or as content of the
method object. If the method is executed by the Java method server, the entire custom or xml
app jar must be stored in the $DOCUMENTUM_SHARED\jboss4.2.0\server\DctmServer_
MethodServer\deploy\ServerApps.ear\DmMethods.war\WEB-INF\lib directory. For workflow
methods, the .jar files must be placed under the Process Engine deployment in the $DOCUMENTUM_
SHARED/jboss4.2.0/server/DctmServer_MethodServer/deploy/bpm.ear/bpm.war/WEB-INF/lib
directory.
By default, all repositories contain methods used by Content Server. All methods with object names
that begin with dm_ are default methods.

Creating or modifying methods


The executable invoked by the method can be stored in an external file or as content of the method
object. All other programs, except Java programs, are stored on the Content Server file system or in
the repository as the content of the method object.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

303

Methods and Jobs

If the program is a Java method and you want to execute it using the Java method server, install the
method on host file system of the application server. Only the application server instance installed
during Content Server installation can execute Java methods. Do not store the program in the
repository as the content of the method object.
Creating methods requires superuser privileges.

To create or modify a method:


1.

Connect to the repository where you want to create the method and navigate to Administration >
Job Management > Methods.
The Methods list page displays.

2.

Do one of the following:


To create a new method, select File > New > Method.
The Info tab on the New Method page displays. You must have superuser privileges to create
a method.
To modify a method, select the method and then select View > Properties > Info.
The Info tab on the Method Properties page displays.
To edit the method content, refer to Editing method content, page 309.

3.

Enter or modify the method information as described in Table 87, page 304 and the optional
Table 88, page 306.

4.

Click OK to save your changes.

If you want to store the program as the content of the method object, you must import the content
after the method is created, as described in Importing method content, page 307.
Table 87. Method Info tab properties

Field label

Description

Name

The method name.


Do not use the format dm_methodname to name the method. This
naming convention is reserved for default Documentum objects.

Verb

The method verb, including arguments.


The method verb is the command-line name of the procedure or
the name of the interpretive language that executes the program
file.
You can specify a full path, a relative path, or no path for the
method verb. If you do not specify a path, the server searches the
directories in the search path of the user.
To store the program as the content of the method object, you must
import the content after you created the method, as described in
Importing method content, page 307.

304

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Field label

Description

Method Type

Specifies the programming language of the method. Valid values


are:
dmbasic: The method is written in Docbasic.
dmawk: The method is written in dmawk.
java: The method is written is Java and executed on the Java
Method Server.
program: The method is writing in a programming language,
such as C or C++.
If the method is executed using Content Server or the dmbasic
method server, and the executable is stored as content for the
method, setting the method type to dmawk or dmbasic, directs
the server to add -f in front of the filename. The server passs
all arguments specified on the DO_METHOD command line to
the program.

Arguments

Specifies method arguments. Click Edit to add arguments.

Method Success Codes

Specifies method success codes. Click Edit to add success codes.

Method Success Status

Specifies the valid value for current status in the completed job. If
this option is selected, the current status property value of the job
must match the success status value after the job completes. The
property is ignored if the option is not selected.

Timeout Minimum

The minimum timeout that can be specified on the command line


for this procedure. The minimum timeout value cannot be greater
than the default value specified in the timeout default field.

Timeout Default

The default timeout value for the procedure. The system uses
the default timeout value if no other time-out is specified on the
command line.
The default timeout value is 60 seconds and cannot be greater
than the value specified in the timeout maximum field.

Timeout Maximum

The maximum timeout that can be specified on the command line


for this procedure. The default is 300 seconds.

Launch Direct

Specifies whether the program is executed by the system call


or exec API call. When the launch direct option is selected, the
server uses the exec call to execute the procedure. In this case, the
method verb must be a fully qualified path name.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

305

Methods and Jobs

Field label

Description

Launch Asynchronously

Specifies whether the server runs the method asynchronously


or not.
If this option is selected and the method is launched on the
application server, setting SAVE_RESPONSE on to TRUE on the
command line is ignored.
If this option is select and the method is launched on the method
server or Content Server and SAVE_RESULTS is set to TRUE on
the command line, the method is always launched synchronously.

Run As Owner

Specifies whether to run method to run as the installation owner


account, with the privileges of the installation owner. If this
option is not selected, the method runs with the privileges of the
method user.
This option must be selected to execute a method on the method
server or application server.

Trace Launch

Specifies whether to save internal trace messages generated by


the method to the session log.

Use Method Server

Specifies whether to use the dmbasic method server or Java


method server to execute a dmbasic or Java method.

Restartable

Specifies whether the method can be restarted, if the Java Method


Server (JMS) crashes or fails to respond.
This option is only available for non-system Java methods.

Failover Awareness

Specifies whether the method is enabled for failover, if the server


is associated with more than one Java Method Server.
This option can only be configure for non-system Java methods.

Table 88. SysObject Info tab properties

Field label

Description

Title

A descriptive title for the method.

Subject

A subject associated with the method.

Keywords

One or more keywords that describe the method. Click Edit to


add keywords.

Authors

One or more method authors. Click Edit to add authors.

Owner Name

The name of the method owner. Click Edit to select a different


owner.

Version Label

The current version label of the method. Click Edit to change the
version label.

Checkout Date

The date when the method was checked out last.

Checked Out by

The name of the user who checked out the method.

306

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Field label

Description

Created

The date and time when the method was created.

Creator Name

The name of the user who created the method.

Modified

The date and time when the method was last modified.

Modified By

The name of the user who last modified the method.

Accessed

The time and date when the method was last accessed.

Importing method content


If the program that a method is running is a script that requires an interpretive language to run it,
store the program as the content of the associated method object. Use the instructions in this section
to import the content into the method object after you create the method itself. Use the instructions in
Creating or modifying methods, page 303 to create the method.

To import method content:


1.

Navigate to Administration > Job Management > Methods.


The system displays the Methods list page.

2.

Select the method for which you are importing content and then select File > Import Method
Content.

3.

Type the full path of the script or click Browse, locate the script, and click Open in the dialog box.
The path of the script appears in the Content File Name field.

4.

Click OK.
The content is imported.

Running methods
Use the instructions in this section to manually run a method.
To run the method periodically, create a job to execute the method on a schedule.
If you run a default Documentum method from the Run Method page, select Run as server unless
you are logged in as the installation owner.

To run a method:
1.

Navigate to Administration > Job Management > Methods.


The system displays the Methods list page.

2.

Locate the method and then select Tools > Run Method.
The system displays the Run Method page.

3.

Enter information on the Run Method page:


a.

Arguments: Type any arguments required by the method.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

307

Methods and Jobs

b. Timeout: Type a time-out interval.


c.

Save Results: Select to save the results.

d. Launch Direct: Select to launch the method directly.


This controls whether the program is executed by the operating systems system or exec API
call. If checked, the server uses the exec call to execute the procedure. In such cases, the
method_verb must be a fully qualified pathname. If unchecked, the server uses the system
call to execute the procedure.
e.

Launch Async: Select to launch the method asynchronously.

f.

Run as Server: Select to run the method as the application owner.


If selected, it indicates that you want the method to run as the installation owner account. If
you run a default Documentum method from this page, select the checkbox unless you are
logged in as the installation owner. The checkbox is cleared by default.
Run as Server must be selected to execute a method on the method server or application
server.

g. Trace Launch: Select to save method execution messages to the server log.
4.

Click OK.
If you did not select Launch Asynchronously, the following method results appear:
The result returned, if any
Any document IDs that result
The process ID
Whether the method launched successfully
The return value, if any
Whether there were errors on the operating system from running the method
Whether the method timed out
The method time-out length

5.

Click OK.
The system displays the Methods list page.

Viewing the results of a method


The results of a method are displayed only after you run a method from Documentum Administrator.
After you run the method, the following method results appear:
The result returned, if any
Any document IDs that result
The process ID
Whether the method launched successfully
The return value, if any

308

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Whether there were errors on the operating system from running the method
Whether the method timed out
The method timeout length
Click OK to exit the results page and return to the Methods list page.

Exporting method content


Use the instructions in this section to view a script imported into a method object.

To export method content:


1.

Locate the correct method.


The method must have a script stored in the method object. The methods name is a clickable link.

2.

Click the method name.


The content is exported and displayed in a text editor.

Editing method content


Use these instructions to edit the content of a method.

To edit method content:


1.

Navigate to Administration > Job Management > Methods.


The system displays the Methods list page.

2.

Select the appropriate method and then select File > Edit.
The method must have a script stored in the method object. For such methods, the method name
is a clickable link. The script is checked out and displayed in a text editor.

3.

Edit the script, save, and close it.

4.

Select File > Check In.

5.

Optionally modify the properties:


Version Label
This is a symbolic label for the version.
Description
Format
Whether to full-text index the script
The method content must be checked in as the same version.

6.

To display other editable properties, click More Options and make appropriate changes.
To keep the file checked out, select Retain Lock.
To keep a local copy on the file system after check in, select Keep a local copy after check in.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

309

Methods and Jobs

To subscribe to the file, select Subscribe to this file.


To substitute a different file for the one being checked in, select Check in from file, browse the
file system, and select a different file.
The version checked in is always the CURRENT version. You cannot clear the Make this the
current version checkbox.
7.

Click OK.
The file is checked in.

Checking in method content


You see this page only when you check in a checked-out script that is method content.

To check in method content:


1.

Optionally modify the properties:


To check in the file as the same version, click Save as (same version).
Version Label
This is a symbolic label for the version.
Description
Format
Whether to full-text index the script

2.

To display other editable properties, click More Options and make any desired changes.
Select Retain Lock to keep the file checked out
Clear the Make this the current version checkbox if you do not want the checked-in
document to be current.
To keep a local copy on the file system after check in, select Keep a local copy after check in.
To subscribe to the file, select Subscribe to this file.
To substitute a different file for the one being checked in, select Check in from file, browse the
file system, and select a different file.

3.

Click OK.
The file is checked in.

Deleting methods
Use these instructions to delete a method.
1.

Navigate to Administration > Job Management > Methods.


The system displays the Methods list page.

310

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

2.

Locate the appropriate method.

3.

Select the method name and then select File > Delete.
The most recent version of the method is deleted.

4.

To delete the method completely, repeat step 3 until the method disappears from the list page.

Method execution agents


The execution agents are the server processes that execute methods. There are three execution agents:
The dmbasic method server
The dmbasic method server is a separate process that is installed with Documentum Content
Server and resides on the same host. It is enabled by default. After it is started, it runs
continuously. The method server uses connection pooling, regardless of whether connection
pooling is enabled for the Content Server.
The dmbasic method server uses a method execution queue to manage methods submitted for
execution. When you direct a method to the method server, Content Server places a method
execution request on the bottom of the method execution queue. The method server reads the
queue and executes the request at the top of the queue. The method server has a configurable
number of worker threads to execute requests. The maximum number of requests the queue can
contain is the number of threads times 100. For example, if the method server is configured to use
5 threads, then the method execution queue can contain 250 requests.
Java method server
The Java method server is a third-party application server, installed as a component of Content
Server installation. For more information about the Java method server, refer to Java Method
Servers, page 135.
Documentum Content Server
The Content Server is the default execution agent for a method if the method is not configured to
execute on the method server or Java method server.

Administration methods
Administration methods are methods that perform a variety of administrative and monitoring
tasks, in categories such as process management, content storage management, full-text indexing,
and database methods. Use Documentum Administrator to execute the administration methods
interactively.
Click the links below for information and instructions on:
Viewing administration methods, page 312
Running administration methods, page 312
There are links to instructions for running all administrations methods in Running administration
methods, page 312. The Help topic for each method lists the permissions you must have to run the
method, the results returns, and any arguments you must supply to run the method.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

311

Methods and Jobs

Viewing administration methods


To view a list of administration methods, Navigate to Administration > Job Management >
Administration Methods. The system displays the Administration Methods list page.

Running administration methods


The following instructions provide a general procedure for running administration methods. The
instructions are followed by a list of all administration methods. Click the method name for more
information about the method, including the permissions you must have to run it, the method
arguments, and the results it returns.

To run an administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click the method you want to run.

3.

Provide any parameters required by the method.

4.

Click Run.

For information on each administration method, click the method name.


The following sections provide more information about content methods:
CAN_FETCH, page 313
CLEAN_LINKS, page 314
DELETE_REPLICA, page 314
DESTROY_CONTENT, page 315
EXPORT_TICKET_KEY, page 316
GET_PATH, page 316
IMPORT_REPLICA, page 317
IMPORT_TICKET_KEY, page 318
MIGRATE_CONTENT, page 318
PURGE_CONTENT, page 323
REPLICATE, page 324
RESTORE_CONTENT, page 325
SET_STORAGE_STATE, page 326
The following sections provide more information about database methods:
DB_STATS, page 327
DROP_INDEX, page 327
EXEC_SQL, page 328

312

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

FINISH_INDEX_MOVES, page 328


GENERATE_PARTITION_SCHEME_SQL, page 329
MAKE_INDEX, page 331
MOVE_INDEX, page 332
The following sections provide more information about full-text indexing methods.
ESTIMATE_SEARCH, page 333
MARK_FOR_RETRY, page 333
MODIFY_TRACE, page 334
The following sections provide more information about trace methods:
GET_LAST_SQL, page 335
MODIFY_TRACE, page 334
LIST_RESOURCES, page 335
LIST_TARGETS, page 336
SET_OPTIONS, page 337
The following section provides more information about the workflow method:
RECOVER_AUTO_TASKS, page 338
WORKFLOW_AGENT_MANAGEMENT, page 339

CAN_FETCH
Any user can run the CAN_FETCH administration method to determine whether the server can
fetch a specified content file.
CAN_FETCH returns TRUE if the fetch is possible or FALSE if it is not.

To run the CAN_FETCH administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click CAN_FETCH.
The system displays the Parameters page.

3.

Type a comma-delimited list of the content object IDs of the content files to be fetched.

4.

If you do not know the content object ID of the content file to be fetched, click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.


c.

To display all versions, select Use all versions.

d. Click Go.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

313

Methods and Jobs

e.

Select the checkboxes next to the objects whose content object IDs you want and click Add.

f.

To remove an object from the list, select the checkbox next to its name and click Remove.

g. Click OK to return to the Parameters page.


The content object IDs are displayed in the Content Id field.
h. Click Run.
The results are displayed.
5.

Click Close.
The system displays the Administration Methods list page.

CLEAN_LINKS
The CLEAN_LINKS administration method removes linked_store links not associated with sessions,
unnecessary dmi_linkrecord objects, and auxiliary directories.
CLEAN_LINKS returns TRUE if the operation succeeds or FALSE if it fails.
You must have superuser privileges to run CLEAN_LINKS.

To run the CLEAN_LINKS administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click CLEAN_LINKS.

3.

To clean both active and inactive sessions, select the Clean All (active and inactive) Sessions
checkbox.
The default is to clean only inactive sessions.

4.

Click Run.
The results are displayed.

5.

Click Close.
The Administration Methods page is displayed.

DELETE_REPLICA
The DELETE_REPLICA administration method removes a content file from a component area of
a distributed storage area.
DELETE_REPLICA returns TRUE if the operation succeeds or FALSE if it fails.
You must have superuser privileges to run DELETE_REPLICA.

To run the DELETE_REPLICA administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

314

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

2.

Click DELETE_REPLICA.
The system displays the Parameters page.

3.

Type a comma-delimited list of the content object IDs of the content files whose replicas are to
be deleted.

4.

If you do not know the content object ID of the content file whose replicas are to be deleted,
click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.


c.

To display all versions, select Use all versions.

d. Click Go.
e.

Select the checkboxes next to the objects whose content object IDs you want and click Add.

f.

To remove an object from the list, select the checkbox next to its name and click Remove.

g. Click OK to return to the Parameters page.


The content object IDs are displayed in the Content ID field.
5.

Select a file store from the Store Name drop-down list.

6.

Click Run.
The results are displayed.

7.

Click Close.
The system displays the Administration Methods list page.

DESTROY_CONTENT
The DESTROY_CONTENT method removes content objects from the repository and their associated
content files from storage areas.
DESTROY_CONTENT returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to run DESTROY_CONTENT.

To run the DESTROY_CONTENT administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click DESTROY_CONTENT.
The system displays the Parameters page.

3.

Type in a comma-delimited list of the content object IDs of the content files to be destroyed.

4.

Click Run.
The results are displayed.

5.

Click Close.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

315

Methods and Jobs

The system displays the Administration Methods page.

EXPORT_TICKET_KEY
The EXPORT_TICKET_KEY administration method encrypts and exports a login ticket from the
repository to a client machine.

To run the EXPORT_TICKET_KEY administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The Administration Methods list page displays.

2.

Click EXPORT_TICKET_KEY.
The Parameters page displays.

3.

Depending on the type of encryption software you are using, type an encryption key or password
in the Encrypt key field.
The server uses the encryption key or password to encrypt the login ticket before exporting it.
The same encryption key is required for decrypting when the login ticket is imported.

4.

Click Run.
A dialog displays, prompting you to save the login ticket file.

5.

Save the login ticket file to any desired location.


The system runs the method and displays the Results page informing you that the login ticket
was exported successfully.

GET_PATH
The GET_PATH administration method returns the directory location of a content file stored in
a distributed storage area.
Any user can run GET_PATH.

To run the GET_PATH administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click GET_PATH.
The system displays the Parameters page.

3.

Type in a comma-delimited list of the content object IDs of the content files whose paths you want.

4.

If you do not know the content object IDs, click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.

316

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

c.

To display all versions, select Use all versions.

d. Click Go.
e.

Select the checkboxes next to the objects whose content object IDs you want and click Add.

f.

To remove an object from the list, select the checkbox next to its name and click Remove.

g. Click OK to return to the Parameters page.


The content object IDs are displayed in the Content ID field.
5.

Optionally, select a store name from the drop-down list.


If you do not select a store name, the method looks in the local component of the distributed
storage area. If the file is not found in the local component, the method tries to create a replica of
the file in the local area and returns the path of the local replica.

6.

Click Run.
The results are displayed.

7.

Click Close.
The system displays the Administration Methods page.

IMPORT_REPLICA
The IMPORT_REPLICA administration method imports files from one distributed storage area
into another distributed storage area.
The IMPORT_REPLICA method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to use the IMPORT_REPLICA method.

To run the IMPORT_REPLICA administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click IMPORT_REPLICA.
The system displays the Parameters page.

3.

Type a comma-delimited list of the content object IDs of the content files whose replicas you
are importing.

4.

If you do not know the content object IDs, click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.


c.

To display all versions, select Use all versions.

d. Click Go.
e.

Select the checkboxes next to the objects whose content object IDs you want and click Add.

f.

To remove an object from the list, select the checkbox next to its name and click Remove.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

317

Methods and Jobs

g. Click OK to return to the Parameters page.


The content object IDs are displayed in the Content ID field.
5.
6.

Select a store name from the drop-down list.


Click Select File.
The system displays the Choose a file on the server filesystem page.

7.

Select a server-side file for import and click OK to return to the Parameters page.

8.

Click Run.
The results are displayed.

9.

Click Close.
The system displays the Administration Methods page.

IMPORT_TICKET_KEY
The IMPORT_TICKET_KEY administration method decrypts a login ticket from a client machine and
imports the ticket into the repository.

To run the IMPORT_TICKET_KEY administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The Administration Methods list page displays.

2.

Click IMPORT_TICKET_KEY.
The Parameters page displays.

3.

Type the decryption key in the Decrypt key field.


The decryption key is used to decrypt the login ticket before it is imported into the repository.
You must provide the same key that was used to encrypt the login ticket.

4.

Type the path to the login ticket in the Ticket location field or browse for the ticket location.

5.

Click Run.
The system runs the method and displays the Result page. The Results page displays an error
message if the login ticket is corrupted, the decryption key is invalid, the login ticket is invalid,
the login ticket file does not exist, or if the login ticket times out.

6.

Restart the Content Server after successfully importing the login ticket to make your changes
take effect.

MIGRATE_CONTENT
The MIGRATE_CONTENT administration method migrates content files from one storage area
to another.

318

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

The MIGRATE_CONTENT method requires superuser privileges to migrate:


Single content objects.
Single sysobjects.
Sets of content objects qualified by a DQL predicate against dmr_content.
Set of content objects qualified by a DQL predicate against dm_sysobject or its subtypes.
All content in a file store.
Use the MIGRATE_CONTENT administration method to move content from file stores, retention
type stores, blob stores, and distributed stores to file stores, retention type stores, and distributed
stores. Documentum Administrator 6.5 SP2 and later supports migration from external stores. You
cannot move files to a blob store. The storage areas can be online, offline, or read-only.
Before running MIGRATE_CONTENT:
Ensure that all objects to be migrated are checked in to the repository. If you migrate any
checked-out objects, check-in fails because of mismatched versions.
Ensure that the file store to which you migrate objects has sufficient disk space for the migration.
Before you migrate a file store, use the SET_STORAGE_STATE administration method to mark it
READ-ONLY. If the source file store has associated full-text indexes, the target file store must
also have full-text indexes. Documentum Administrator does not allow you to select a target
file store without full-text indexes.
The MIGRATE_CONTENT method returns an integer indicating the number of objects migrated
successfully.
Regardless of the mode in which MIGRATE_CONTENT is run, the original content file can be
removed or left in the source file store. If you do not have the file removed, you must specify the
path to a log file that logs the path of the source content file. Those files can be removed at another
time using Dmfilescan.

To migrate a single object:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MIGRATE_CONTENT.
The system displays the Parameters page.

3.

Specify the parameters for moving the single object, as described in Table 89, page 319.

4.

Click Run.

Table 89. Parameters for moving a single object

Field

Description

Migrate

Select A single object from the drop-down list.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

319

Methods and Jobs

Field

Description

Content

Click Select Object, then select an object type from the Select From
drop-down list.
Specify a limiting Where clause, or leave the Where field blank to
select from all objects in the repository. To display all object versions,
select the Use all versions checkbox and then click Go.
Select the objects to migrate and click Add.
Select Remove the original source to remove the original content
file. The Remove the original source option cannot be edited, if the
selected object belongs to an external store.

Path

Click Select Path and select a location on the server file system for
the log file path.

Target

Select a target file store from the drop-down list.

Source Direct Access

Specifies whether the content files in the source store can be directly
accessed through a full file path.
This option is only available if the Source is an external store and the
Target is either a file store or a ca store.

Migrate With

Specifies whether the source content is copied or moved to the target


store during migration. Direct Move is applicable to file stores only.
This option is only available if the Source is an external store and the
Target is either a file store or a ca store.

Update Only

This option is used only in conjunction with the Direct Copy or Direct
Move option. When selected, move or copy commands are written to
the log file specified in the Command File Name field.
This option is only available if the Source is an external store and the
Target is either a file store or a ca store.

Command File Name

A string that specifies a file path to a log file.


This option is only available if the Source is an external store and
the Target is either a file store or a ca store and if the Update Only
option is selected.

To migrate all content files in a file store:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MIGRATE_CONTENT.
The system displays the Parameters page.

3.

Specify the parameters for moving the content, as described in Table 90, page 321.

4.

Click Run.

320

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Table 90. Parameters for moving all content in a store

Field

Description

Migrate

Select All content in a filestore from the drop-down list.

Source

Select a source file store from the Source drop-down list.


Select Remove the original source to remove the original content
file. The Remove the original source option cannot be edited, if
the selected object belongs to an external store.

Path

Click Select Path and select a location on the server file system
for the log file path

Target

Select a target file store from the drop-down list.

Maximum

Specifies the maximum number of objects to migrate.


The default is to migrate all objects.

Batch Size

Specifies the number of objects migrated in a single transaction.


The default value is 500. Multiple transactions are run until the
maximum number of objects to migrate is reached.

Content Migration Threads

Specifies the number of internal sessions used to execute the


method.
The default value is 0, indicating that the migration executes
sequentially. The value cannot exceed the Maximum Content
Migration Threads value in the server configuration object.
This option is only available if a Content Storage Services license
is enabled on the Content Server.

Source Direct Access

Specifies whether the content files in the source store can be


directly accessed through a full file path.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

Migrate With

Specifies whether the source content is copied or moved to the


target store during migration. Direct Move is applicable to file
stores only.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

321

Methods and Jobs

Field

Description

Update Only

This option is used only in conjunction with the Direct Copy or


Direct Move option. When selected, move or copy commands are
written to the log file specified in the Command File Name field.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

Command File Name

A string that specifies a file path to a log file.


This option is only available if the Source is an external store and
the Target is either a file store or a ca store and if the Update
Only option is selected.

To migrate objects selected by a query:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MIGRATE_CONTENT.
The system displays the Parameters page.

3.

Specify the parameters for moving the content, as described in Table 91, page 322.

4.

Click Run.

Table 91. Parameters for moving content selected by a query

Field

Description

Migrate

Select All content satisfying a query from the drop-down list.

Select Object Type to Migrate

Specify the object type to migrate.


If you select dm_sysobject or its subtype, click Select to access
the Choose a type page to select a subtype of dm_sysobject.

Select r_object_id from


dmr_content where

Specify the DQL query.

Path

Click Select Path and select a location on the server file system
for the log file path

Target

Select a target file store from the drop-down list.

Maximum

Specifies the maximum number of objects to migrate.

Select Remove the original source to remove the original content


file. The Remove the original source option cannot be edited, if
the selected object belongs to an external store.

The default is to migrate all objects.


Batch Size

Specifies the number of objects migrated in a single transaction.


The default value is 500. Multiple transactions are run until the
maximum number of objects to migrate is reached.

322

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Field

Description

Content Migration Threads

Specifies the number of internal sessions used to execute the


method.
The default value is 0, indicating that the migration executes
sequentially. The value cannot exceed the Maximum Content
Migration Threads value in the server configuration object.
This option is only available if a Content Storage Services license
is enabled on the Content Server.

Source Direct Access

Specifies whether the content files in the source store can be


directly accessed through a full file path.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

Migrate With

Specifies whether the source content is copied or moved to the


target store during migration. Direct Move is applicable to file
stores only.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

Update Only

This option is used only in conjunction with the Direct Copy or


Direct Move option. When selected, move or copy commands are
written to the log file specified in the Command File Name field.
This option is only available if the Source is an external store and
the Target is either a file store or a ca store.

Command File Name

A string that specifies a file path to a log file.


This option is only available if the Source is an external store and
the Target is either a file store or a ca store and if the Update
Only option is selected.

If the MIGRATE_CONTENT method fails with an error, the entire batch transaction is rolled back. If
the destination has content files that were created from the successful migrations within the batch,
you can clean up those files running the Dmfilescan job, as described in Dmfilescan (dm_DMfilescan),
page 347.

PURGE_CONTENT
The PURGE_CONTENT administration method marks a content file as offline and deletes the file
from its storage area. The method does not back up the file before deleting it; ensure that you have
archived the file before running PURGE_CONTENT on it.
The PURGE_CONTENT method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to use the PURGE_CONTENT method.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

323

Methods and Jobs

To run the PURGE_CONTENT administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click PURGE_CONTENT.

3.

Type a comma-delimited list of the content object IDs of the content files you want to purge.

4.

If you do not know the content object IDs, click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.


c.

To display all versions, select Use all versions and click Go.

d. Select the checkboxes next to the objects whose content object IDs you want and click Add.
e.

To remove an object from the list, select the checkbox next to its name and click Remove.

f.

Click OK to return to the Parameters page.


The content object IDs are displayed in the Content ID field.

5.

Click Run.
The results are displayed.

6.

Click Close.
The Administration Methods list page is displayed.

REPLICATE
The REPLICATE administration method copies content files from one component of a distributed
storage area to another. This task is normally performed by the Content Replication tool or by the
Surrogate Get feature. Use the REPLICATE administration method as a manual backup to Content
Replication and Surrogate Get.
The REPLICATE method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to use the REPLICATE method.

To run the REPLICATE administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click REPLICATE.
The system displays the Parameters page.

3.

Select a file store that is a component of a distributed store.


This is the store to which the copies are replicated.

4.

324

Optionally, select the type of the documents you want replicated from the Type Name drop-down
list.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

5.

Type an expression that would be a valid DQL WHERE clause in the DQL Query Predicate field.

6.

Click Run.

7.

Click Close.
The system displays the Administration Methods list page.

RESTORE_CONTENT
The RESTORE_CONTENT administration method restores an offline content file to its original
storage area. It operates on one file at a time. If you need to restore more than one file at a time,
use the API Restore method.
You can use RESTORE_CONTENT only when one server handles both data and content requests. If
your configuration uses separate servers for data requests and content file requests, you must issue a
Connect method that bypasses the Content Server to use RESTORE_CONTENT in the session.
The RESTORE_CONTENT method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to use the RESTORE_CONTENT
method.

To run the RESTORE_CONTENT administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click RESTORE_CONTENT.
The system displays the Parameters page.

3.

Type the content object ID of the content file you want to restore.

4.

If you do not know the content object ID, click Select Object(s).
The system displays the Select Object(s) page.
a.

Select an object type from the Select From drop-down list.

b. To further restrict the search, provide a Where clause.


c.

To display all versions, select Use all versions and then click Go.

d. Select the checkbox next to the object whose content object IDs you want and click Add.
e.

To remove an object from the list, select the checkbox next to its name and click Remove.

f.

Click OK to return to the Parameters page.


The content object ID is displayed in the Content ID field.

5.

Click Select Path to access the Choose a file on the server filesystem page.
a.

Navigate to the correct location on the file system.

b. Select the checkbox next to the correct location.


c.

Click OK to return to the Parameters page.


The selected path appears in the Server-Side File for Restore field.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

325

Methods and Jobs

6.

Click Run.
The results are displayed.

7.

Click Close.
The system displays the Administration Methods list page.

SET_STORAGE_STATE
The SET_STORAGE_STATE administration method changes the state of a storage area. A storage
area is in one of three states:
On line
An on-line storage area can be read and written to.
Off line
An off-line storage area cannot be read or written to.
Read only
A read-only storage area can be read, but not written to.
You can use SET_STORAGE_STATE only when one server handles both data and content requests. If
your configuration uses separate servers for data requests and content file requests, you must issue a
Connect method that bypasses the content file server to use SET_STORAGE_STATE in the session.
The SET_STORAGE_STATE method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to use the SET_STORAGE_STATE
method.

To run the SET_STORAGE_STATE administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click SET_STORAGE_STATE.
The system displays the Parameters page.

3.

Select a storage area from the Store drop-down list.


The current state of the storage area and the states to which it can be moved are displayed.

4.

To change the storage areas state, click the radio button for the correct state.
Which radio buttons appear depends on whether the storage area is online, offline, or read-only.

5.

Click Run.
The method runs and the results are displayed.

6.

Click Close.
The system displays the Administration Methods page.

326

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

DB_STATS
The DB_STATS administration method displays statistics about database operations for the current
session. The statistics are counts of the numbers of:
Inserts, updates, deletes, and selects executed
Data definition statements executed
RPC calls to the database
Maximum number of cursors opened concurrently during the session
Any user can run the DB_STATS method.

To run the DB_STATS method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click DB_STATS.
The system displays the Parameters page.

3.

To clear the statistical counters, select Clear the counters.

4.

Click Run.
The method runs and the results are displayed.

5.

Click Close.
The system displays the Administration Methods list page.

DROP_INDEX
The DROP_INDEX administration method destroys a user-defined index on an object type.
The DROP_INDEX method returns TRUE if the operation succeeds or FALSE if it fails.
You must have superuser privileges to run the DROP_INDEX administration method.

To run the DROP_INDEX administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click DROP_INDEX.
The system displays the Parameters page.

3.

Select an index from the Index drop-down list.

4.

Click Run.
The method runs and the results are displayed.

5.

Click Close.
The system displays the Administration Methods list page.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

327

Methods and Jobs

EXEC_SQL
The EXEC_SQL administration method executes SQL statements, with the exception of SQL Select
statements.
The EXEC_SQL method returns TRUE if the operation succeeds or FALSE if it fails.
You must have superuser privileges to run the EXEC_SQL method.
Note the following restrictions on how the method works:
If you use the Apply method to execute the method and the query contains commas, you must
enclose the entire query in single quotes.
In an EXECUTE statement, character-string literals must always be single-quoted.

To run the EXEC_SQL administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click EXEC_SQL.
The system displays the Parameters page.

3.

Type a SQL statement.


The statement must not include a Select clause.

4.

Click Run.
The method runs and the results are displayed.

5.

Click Close.
The system displays the Administration Methods list page.

FINISH_INDEX_MOVES
The FINISH_INDEX_MOVES administration method completes unfinished object type index moves.
The FINISH_INDEX_MOVES method returns TRUE if the operation succeeds or FALSE if it fails.
You must have superuser privileges to run the FINISH_INDEX_MOVES administration method.

To run the FINISH_INDEX_MOVES administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click FINISH_INDEX_MOVES.
The system displays the Parameters page.

3.

Click Run.
The method runs and the results are displayed.

4.

Click Close.
The system displays the Administration Methods list page.

328

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

GENERATE_PARTITION_SCHEME_SQL
The GENERATE_PARTITION_SCHEME_SQL administration method is available to administrators
and superusers. These additional restrictions apply:
The method is available only on version 6.5 repositories.
The method is not available for DB2 or Sybase repositories.
Running the method generates a script, which can then be run to partition the repository. The
GENERATE_PARTITION_SCHEME_SQL administration method has three options:
DB_PARTITION (Database Partition)
Generate a script to upgrade or convert a non-partitioned repository to a Documentum 6.5
partitioned repository.
ADD_PARTITION (Add Partition)
Add a partition to a partitioned type.
EXCHANGE_PARTITION (Exchange Partition)
Generate a script for bulk ingestion by loading data from an intermediate table into a new
partition of a partitioned table.

To run the GENERATE_PARTITION_SCHEME_SQL administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click GENERATE_PARTITION_SCHEME_SQL.
The system displays the Parameters page.

3.

Enter parameters for the method, as described in Table 92, page 329.

4.

Click Run to execute the method.


The GENERATE_PARTITION_SCHEME_SQL method creates a script object in the /Temp
folder in the repository when the method successfully completes. The partition script is not
automatically executed; you must execute it separately.

5.

Click Close to return to the Administration Methods list page.

Table 92. GENERATE_PARTITION_SCHEME_SQL parameters

Parameter

Description

Operation

Select an operation from the dropdown list box to define the


subcommand. The options are:
DB_PARTITION: Generates a script to upgrade or convert a
repository to a 6.5 partitioned repository. If selected:
Select Partition Type or Table Name.
If Table Name is defined, optionally define the Owner Name.
Include object type is optional. Select to apply the partition
operation to the dmi_object_type table.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

329

Methods and Jobs

Parameter

Description
Last Partition and Last Tablespace are optional.
In the Partitions section, Partition Name, Range, and Tablespace
are required.
ADD_PARTITION: Generates a script to add a partition to a
partitioned type. If selected:
Select Partition Type or Table Name.
If Table Name is defined, optionally define the Owner Name.
Include object type is optional. Select to apply the partition
operation to the dmi_object_type table.
In the Partitions section, Partition Name, Range, and Tablespace
are required.
EXCHANGE_PARTITION: Generates a script for bulk ingestion by
loading data from an intermediate table into a new partition of a
partitioned table. If selected:
Partition Type and Table Name are mutually exclusive.
If Table Name is defined, optionally define the Owner Name.
Include object type is optional. Select to apply the partition
operation to the dmi_object_type table.
Partition Name, Range, and Tablespace are required.
Temp Table Suffix is optional.

Partition Type

Select a partition type from the dropdown list box, which displays a
list of the partition types available for the repository. Allis the default
for DB_PARTITION and ADD_PARTITION, but is not available for
EXCHANGE_PARTITION. If you select Partition Type, then you
cannot select Table Name.

Table Name

Type a table name. If you select Table Name, then you cannot select
Partition Type.

Include object type

Optionally, select to apply the partition operation to the


dmi_object_type table.

Owner Name

Type an owner name. This field is enabled only if Table Name is


selected.

Last Partition

Optionally, type a name for the last partition. This field appears only
when DB_PARTITION is selected as the operation.

Last Tablespace

Optionally, type a tablespace name for the last partition. This field
appears only when DB_PARTITION is selected as the operation.

330

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

Parameter

Description

Partition Name

Type a name for the partition. For DB_PARTITION and


ADD_PARTITION operations, you must first click Add in the
Partitions section to add information for each partition.

Range

Type the upper limit for the partition key range. For DB_PARTITION
and ADD_PARTITION operations, you must first click Add in the
Partitions section to add information for each partition.

Tablespace

Type the partition tablespace name. If not specified, the default


tablespace is used. For DB_PARTITION and ADD_PARTITION
operations, you must first click Add in the Partitions section to add
information for each partition.

Temp Table Suffix

Type a temporary table suffix. This field is enabled and optional only if
EXCHANGE_PARTITION is selected as the operation.

MAKE_INDEX
The MAKE_INDEX administration method creates an index for any persistent object type. You can
specify one or more properties on which to build the index. If you specify multiple properties, you
must specify all single-valued properties or all repeating properties. Also, if you specify multiple
properties, the sort order within the index corresponds to the order in which the properties are
specified in the statement. You can also set an option to create a global index.
If the MAKE_INDEX method succeeds, it returns the object ID of the dmi_index object for the new
index. If the method fails, MAKE_INDEX returns F. If the specified index already exists, the method
returns 0000000000000000.
You must have superuser privileges to run the MAKE_INDEX administration method. To run an
index space query, you must have sufficient privileges in the database.

To run the MAKE_INDEX administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MAKE_INDEX.
The system displays the Parameters page.

3.

Enter information on the Parameters page:


a.

Type Name: Select a name type from the drop-down list box.

b. Attribute Name: Select a property name from the drop-down list box.
c.

Unique: Select if the values in the index must be unique.

d. Index Space: Select a specific tablespace or segment in which to place the new index.
e.

Global Index: Select to create a global index.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

331

Methods and Jobs

The Global Index option:


Is available only on version 6.5 repositories.
Is available only for partitioned types.
Is not available for DB2 or Sybase repositories.
If selected, the global index is applied to all partitions.
4.

To identify a specific tablespace or segment in which to place the new index, select the tablespace
or segment from the Index Space drop-down list.
You must have sufficient privileges in the database to do this.

5.

Global Index:

6.

Click Run.
The method runs and the results are displayed.

7.

Click Close.
The system displays the Administration Methods list page.

MOVE_INDEX
The MOVE_INDEX administration method moves an existing object type index from one tablespace
or segment to another. The method is not supported for servers running against DB2.
The MOVE_INDEX method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to run the MOVE_INDEX administration
method.

To run the MOVE_INDEX administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MOVE_INDEX.
The system displays the Parameters page.

3.

Select an index from the Index Name drop-down list.

4.

Select the index space to which you want to move the index.

5.

Click Run.
The method runs and the results are displayed.

6.

Click Close.
The system displays the Administration Methods list page.

332

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

ESTIMATE_SEARCH
The ESTIMATE_SEARCH administration method returns the number of results matching a particular
full-text search condition.
ESTIMATE_SEARCH returns one of the following:
The exact number of matches that satisfy the SEARCH condition, if the user running the method
is a superuser or there are more than 25 matches.
The number 25 if there are 0-25 matches and the user running the method is not a superuser.
The number -1 if there is an error during execution of the method.
Errors are logged in the session log file.
Any user can execute this method. However, the users permission level affects the return value.
The ESTIMATE_SEARCH administration method is not available, if the connected repository is
configured with the xPlore search engine.

To run the ESTIMATE_SEARCH administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click ESTIMATE_SEARCH.
The system displays the Parameters page.

3.

Select an index from the Index Name drop-down list.

4.

Select a name type from the Type Name drop-down list.

5.

Type in the string for which you want to search.

6.

Click Run.
The method runs and the results are displayed.

7.

Click Close.
The system displays the Administration Methods list page.

MARK_FOR_RETRY
The MARK_FOR_RETRY administration method finds content that has a particular negative
update_count property value and marks such content as awaiting indexing. Use MARK_FOR_RETRY
at any time to mark content that failed indexing for retry. Note that MARK_FOR_RETRY does
not take the update_count argument.
When the UPDATE_FTINDEX method fails, it changes the update_count property for the content
object associated with the bad content to the negative complement of the update_count value in
the fulltext index object. For example, if the update_count of the full-text index object is 5, the
update_count property of the bad content object is set to -5 (negative 5). For more information, refer
to the section in the DQL Reference Manual on MARK_FOR_RETRY.
The MARK_FOR_RETRY method returns TRUE if the operation succeeds or FALSE if it fails.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

333

Methods and Jobs

You must have system administrator or superuser privileges to run the MARK_FOR_RETRY
administration method.

To run the MARK_FOR_RETRY administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MARK_FOR_RETRY.
The system displays the Parameters page.

3.

Select an index from the Index Name drop-down list.

4.

Type a value in the Update Count Value field.


This can be any negative number.

5.

Click Run.
The method runs and the results are displayed.

6.

Click Close.
The system displays the Administration Methods list page.

MODIFY_TRACE
The MODIFY_TRACE administration method turns tracing on and off for full-text indexing
operations.
The MODIFY_TRACE method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to run the MODIFY_TRACE
administration method.

To run the MODIFY_TRACE administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click MODIFY_TRACE.
The system displays the Parameters page.

3.

Select a tracing level from the drop-down list.


Options are:
None: Select to turn tracing off.
All: Select to log both Content Server and Verity messages.

4.

Click Run.
The method runs and the results are displayed.

5.

Click Close.
The system displays the Administration Methods list page.

334

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

GET_LAST_SQL
The GET_LAST_SQL administration method retrieves the SQL translation of the last DQL statement
issued.
Any user can run GET_LAST_SQL.

To run the GET_LAST_SQL administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click GET_LAST_SQL.
The system displays the Parameters page.

3.

Click Run.
The method runs and the last SQL statement is displayed.

4.

Click Close.
The system displays the Administration Methods list page.

LIST_RESOURCES
The LIST_RESOURCES administration method lists information about the server and the servers
operating system environment.
You must have system administrator or superuser privileges to run the LIST_RESOURCES
administration method.

To run the LIST_RESOURCES administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click LIST_RESOURCES.
The system displays the Parameters page.

3.

Select Reset to reinitialize the file handle and heap size counters.

4.

Click Run.
The method runs and the results are displayed:
file_handles_in_use

The number of file handles in use by the


current child process.

file_handles_max

The configured limit at the operating-system


level on the number of file handles the process
can open.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

335

Methods and Jobs

file_handles_new

A counter that indicates how many file


handles have been created or destroyed since
the last LIST_RESOURCES with RESET =
T. If the number is negative, it means that
there are fewer handles open than there were
at the last LIST_RESOURCES call. (Issuing
LIST_RESOURCES with RESET=T reinitializes
file_handles_new to zero.)

session_heap_size_max

How much, in bytes, of the currently allocated


heap (virtual memory) is in use by the session.

current_heap_size_max

Maximum size of the threads session


heap. This reflects the value that was in
session_heap_size_max when the session was
started, and is the size of the heap available
to the session.

session_heap_size_in_use

The size, in bytes, of the session heap.

session_heap_size_new

A count of the bytes that the heap has grown


or shrunk since the last LIST_RESOURCES
call.
Issuing LIST_RESOURCES with RESET=T
reinitializes heap_size_new to zero.

5.

root_heap_size_in_use

How much, in bytes, of the main server


threads heap is in use.

root_heap_size_new

A count of the bytes that the heap has grown


or shrunk since the last LIST_RESOURCES
call.

max_processes

The maximum number of processes that can


be created by the account under which the
server is running.

server_init_file

The full path to the servers server.ini file.

initial_working _directory

The full path to the directory containing the


server executable.

Click Close.
The system displays the Administration Methods list page.

LIST_TARGETS
The LIST_TARGETS administration method lists the connection brokers to which the server is
currently projecting. Additionally, it displays the projection port, proximity value, and connection
broker status for each connection broker, as well as whether the connection broker is set (in server.ini
or the server config object).
Any user can run LIST_TARGETS.

336

EMC Documentum Content Server Administration and Configuration 6.7 Guide

Methods and Jobs

To run the LIST_TARGETS administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click LIST_TARGETS.
The system displays the Parameters page.

3.

Click Run.
The method runs and the projection targets and other information are displayed.

4.

Click Close.
The system displays the Administration Methods list page.

SET_OPTIONS
The SET_OPTIONS administration method turns tracing options on or off. You can set the following
options:
Option

Action

clean

Removes the files from the server common area.

debug

Traces session shutdown, change check, launch


and fork information.

docbroker_trace

Traces connection broker information.

i18n_trace

Traces client session locale and codepage. An


entry is logged identifying the session locale and
client code page whenever a session is started.
An entry is also logged if the locale or code page
is changed during the session.

last_sql_trace

Traces the SQL translation of the last DQL


statement issued before access violation and
exception errors.
If an error occurs, the last_sql_trace option
causes the server to log the last SQL statement
that was issued prior to the error. This tracing
option is enabled by default.
It is strongly recommended that you do not turn
off this option. It provides valuable information
to Technical Support if it ever necessary to
contact them.

lock_trace

Traces Windows locking information.

net_ip_addr

Traces the IP addresses of client and server for


authentication.

EMC Documentum Content Server Administration and Configuration 6.7 Guide

337

Methods and Jobs

Option

Action

nettrace

Turns on RPC tracing. Traces Netwise calls,


connection ID, client host address, and client
hostname.

sql_trace

Turns on RPC tracing. Traces Netwise calls,


connection ID, client host address, and client
hostname.

trace_authentication

Traces detailed authentication information.

trace_complete_launch

Traces Unix process launch information.

trace_method_server

Traces the operations of the method server.

The SET_OPTIONS method returns TRUE if the operation succeeds or FALSE if it fails.
You must have system administrator or superuser privileges to run the SET_OPTIONS administration
method.

To run the SET_OPTIONS administration method:


1.

Navigate to Administration > Job Management > Administration Methods.


The system displays the Administration Methods list page.

2.

Click SET_OPTIONS.
The system displays the Parameters page.

3.

Type the name of an option.

4.

To turn the option on, select On; to turn the option off, clear the checkbox.

5.

Click Run.
The method runs and the results are displayed.

6.

Click Close.
The system displays the Administration Methods list page.

RECOVER_AUTO_TASKS
Run the RECOVER_AUTO_TASKS administration method to recover workflow tasks that have been
claimed, but not yet processed by a workf