Many system administrators change the port on which JBoss/Tomcat listens for HTTP requests from 8080 to 80. This makes LiveCycle URLs simpler because if the server listens on port 80, you don't have to specify that to the browser.
However, a manual change has to be made for Content Services ES. Otherwise, you will get the following error messages in the server log:
ERROR [WSClient] ALC-CSV-001-000-Checking Server status at http://10.20.50.40:8080/contentspace/faces/jsp/login.jsp
INFO [HttpMethodDirector] I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
INFO [HttpMethodDirector] Retrying request
1) Login to the LiveCycle AdminUI, and navigate to Services->Applications and Services->Service Management
2) Filter on the 'Content Services' category
3) Click on Document Management Service
4) In the Configuration tab, change HTTP Port to 80 (or whatever port JBoss/Tomcat is configured to listen on) and save.
5) Re-start JBoss
6) After re-start, login to the LiveCycle AdminUI and navigate to Services->LiveCycle ContentServices ES2 and make sure that the page loads. In the server log, you should see entries such as these:
ERROR [WSClient] ALC-CSV-001-000-Checking Server status at http://10.20.50.40:80/contentspace/faces/jsp/login.jsp
ERROR [WSClient] ALC-CSV-001-000-Query server at http://10.20.50.40:80/contentspace/faces/jsp/login.jsp is successful
Please ignore the 'ERROR' designation - it is a known problem which is being fixed.
The IBM "Garbage Collection and Memory Visualizer" is an excellent tool for analyzing the behavior of IBM J9 JVMs used by WebSphere. What is less known is the fact that it can be used for analyzing the behavior of Sun HotSpot JVMs used by JBoss and WebLogic also.
You can get the IBM "Garbage Collection and Memory Visualizer" by downloading the IBM Support Assistant Workbench" which is based on Eclipse. It is a collection of several diagnostic tools. It is free but you need a "universal IBM user ID". During the installation, make sure you choose "IBM Monitoring and Diagnostic Tools for Java - Garbage Collection and Memory Visualizer".
Once started, the tool can be pointed to the GC log of your J9 or HotSpot JVM. To make the Sun HotSpot JVM log garbage collection details, you need to add the following JVM arguments to the JBoss or WebLogic startup script (change it to fit your environment):
rem ----------------------------------
rem Enable garbage collection logging
rem ---------------------------------
set JAVA_OPTS=%JAVA_OPTS% -verbose:gc
set JAVA_OPTS=%JAVA_OPTS% -Xloggc:C:\Programs\jboss_4.2.1\server\lc_mysql\log\gc.log
set JAVA_OPTS=%JAVA_OPTS% -XX:+PrintGCDetails
set JAVA_OPTS=%JAVA_OPTS% -XX:+PrintGCTimeStamps
set JAVA_OPTS=%JAVA_OPTS% -XX:+PrintHeapAtGC
We recently published a technical guide regarding deploying LiveCycle ES on virtualized hardware environments with particular emphasis on VMware Virtual Infrastructure 3 (VI3) and vSphere 4. You can get it here.
VI3 and its newer version vSphere 4 are management/deployment technologies built on top of VMware ESX Server, VMware's hypervisor-based virtualization technology. For a general discussion about hardware virtualization in the x86 world, please see Anandtech's excellent article titled "Hardware Virtualization: The Nuts and Bolts".
We ran LiveCycle ES on advanced hardware at VMware's Independent Software Vendor (ISV) Lab in Palo Alto, California. Our goal was to ascertain whether and how LiveCycle ES would leverage such VI3/vSphere 4 technologies as vMotion, Distributed Resource Scheduler (DRS), High Availability (HA) and Fault Tolerance (FT). FT is new in vSphere 4.
Due to time constraints, we only tested ES short-lived orchestrations (ES2 was not tested because it was not GA at the time we conducted the tests). However, please note that Adobe supports short-lived as well as long-lived orchestrations on VMware ESX. ES2 is also supported on VMware ESX.
LiveCycle ES is supported on three J2EE application server platforms - IBM WebSphere, Red Hat JBoss, and Oracle WebLogic. IBM has its own JDK implementation called J9 which it uses for WebSphere on all supported operating system except Solaris and HP-UX.
On Solaris, IBM actually uses Sun's HotSpot JDK, not its own J9. This is a little-known fact that has caused problems for people who have tried to tune WebSphere's HotSpot JDK on Solaris with tuning arguments that only apply to the J9 JDK. You can verify this by running the command java -version. You will see no mention of J9 in the output - you will see HotSpot instead.
For WebLogic Server on Solaris, Oracle (previously BEA) also uses the Sun HotSpot JDK by default, instead of its own JRockit JDK.
In ES2, LiveCycle PDF Generator ES is capable of converting Microsoft Office 2007 XML formats such as .docx, .xlsx, and .pptx to the PDF format on Linux (Red Hat as well as Novell SUSE) using OpenOffice 3.1 However, an additional configuration step is required.
The default filetype setting for OpenOffice only has the following filetypes configured:
prj,odt,odp,ods,odg,odf,sxw,sxi,sxc,sxd,bmp,gif,jpeg,jpg,tif,tiff,png,jpf,jpx,jp2,j2k,j2c,jpc,xls,ppt,doc,rtf,txt,wpd,psd.
1) Login to the LiveCycle AdminUI (http://your_server:your_server_port/adminui)
2) Navigate to Services->LiveCycle PDF Generator->File Type Settings
3) Click 'New'
4) Expand the 'OpenOffice' node by clicking on it
5) In the 'Filename extensions' field, type in docx,xlsx,pptx
6) Click 'Save'. You'll be asked for a new name for this Filetype Setting.
7) Name it something like 'Custom OpenOffice'
To verify, try 'CreatePDF' in the AdminUI. Upload a .docx, .xlsx or pptx file. Choose the new FileType setting you just created.
Rights Management ES belongs to the "Information Assurance" category of LiveCycle modules. There are several extra steps involved in getting it to work in your environment.
CREATE USER WITH 'RIGHTS MANAGEMENT USER' ROLE
-------------------------------------------------------------------
Using the LiveCycle AdminUI, create a local user with the role "LiveCycle Rights Management User"
ENSURE HTTPS ACCESS TO THE RIGHTS MANAGEMENT WEBUI
------------------------------------------------------------------------------------
Please note that the 'Administrator' user cannot login to Rights Management by default.
If the server is using a self-signed certificate, import the certificate to the local Windows certificate store. If this is not done, Acrobat will throw this error:
"Unable to connect to the service. SSL protocol error. Certificate is either invalid or common name or authority are not recognized."
Launch your browser. Point it to the SSL over HTTP URL of the server such as follows:
https://lces2.adobe.com:9443/edc/Login.do
In IE8, you will get a message that says "There is a problem with this website's security certificate."
1) Click "Continue to this website (not recommended)."
2) At the top, to the right of the URL field, there shoul be a button that now says "Certificate Error".
3) Click it. Then click the link "View Certificates".
4) Click the button 'Install Certificate"
5) Let the wizard guide you through the install. Choose "Automatically select the certificate store based on the type of certificate".
6) If everything went fine, you should get a message that says "The import was successful".
7) Click OK
8) Load the same URL again (https://lces2.adobe.com:9443/edc/Login.do). This time you should not get a certificate error. Instead, the Rights Management login page should load.
In Windows Vista, instead of letting IE choose the certificate store based on the type of certificate, choose the radiobutton 'Place all certificates in the following store', click 'Browse' and then choose 'Trusted Root Certification Authorities'.
For Firefox, you choose the link "Add an exception". Click 'Get Certificate" and then "Confirm Security Exception".
CONFIGURE ADOBE READER OR ADOBE ACROBAT
--------------------------------------------------------------------
- Choose the menu option Advanced->Security Settings
- Highlight "Adobe LiveCycle Rights Management Servers" and click 'New'
- Put something useful in the name field such as "Test Adobe RM".
The Server Name should be the fully resolvable DNS name of your server, or that of the Reverse Proxy.
- Change port from 443 to the SSL port of the appserver instance that hosts LiveCycle. This can also be the port on which SSL is configured for the Reverse Proxy (usually 443). In our example, it is 9443.
- Click "Connect to this Server"
CONFIGURE BASE URL FOR POLICIES
--------------------------------------------------
Login to the LiveCycle AdminUI. Navigate to Services->LiveCycle Rights Management->Configuration->Server Configuration. Change the 'Base URL' to a valid URL such as https://lces2.adobe.com:9443. This URL is a CRITICAL part configuration. If this URL becomes invalid at a later time due to domain registration expiry, corporate acquisitions, server certificate expiry etc, all of the documents published up to that point with this URL will be become totally useless.
For more details on PDF security, follow the "Security Matters" blog and read the whitepaper titled "Digital Signatures and Rights Management in the Acrobat Family of Products"
In the ES2 release, it is possible to configure the Global Document Storage (GDS) to be persisted in the database rather than on a server or network-shared (for clusters) filesystem. Although there is a performance penalty, this option is worthy of serious consideration given the fact that backup and restore procedures will become much simpler.
If the GDS is persisted on a filesystem, backups of the filesystem as well as the database would have to be time-synchronized which is problematic in large organizations.
You get to choose your GDS option while running the LiveCycle Configuration Manager (LCM) following the install.
Please note that for LiveCycle Content Services ES, there is no option to persist the Content Storage Root in the database. It still has to be backed up time-synchronized with a DB backup.
Also note that you still need to define a folder for the GDS since it is still needed for persisting things like Workbench 'Record and Playback' sessions etc.
One of the common questions that routinely come up relate to what APIs are available to LiveCycle developers at companies who have only licensed a subset of all of the LiveCycle ES2 modules available.
Here's a document that provides a table that maps licensable modules to API sets.
To see which LiveCycle modules are included in which edition of LiveCycle ES2, see this entry in the 'Ask The Experts' blog. The editions are:
- Business Transformation Edition
- Enterprise Forms Edition
- Secure Content Services for Office Edition.
LiveCycle Production Print does not include LiveCycle Foundation. Even though Production Print can be orchestrated using LiveCycle Workbench, customers have to license at least one other core LiveCycle ES2 module in order to do so.
If you plan to use the Apache Portable Runtime for Tomcat/JBoss with SSL, you have to use the OpenSSL cryptographic library to create the server's private key, and if needed, a self-signed certificate.
1) Download OpenSSL for Windows. Choose the zip file for "Binaries". Unzip it to your Programs folder.
2) Create a configuration file (openssl.cnf) for OpenSSL and save it in the OpenSSL folder. You can use this sample.
3) Create a private key for the server. From a command prompt, change directory to the \bin folder of OpenSSL and run a command such as this:
openssl genrsa -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem 1024
The command will create a 1,024-bit RSA key and save it in the file rsa-private-key.pem
Verify the private key with the command:
openssl rsa -check -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem
4) Create a self-signed certificate valid for 10 years. Use a command such as this:
openssl req -config C:\Programs\openssl-0.9.8h-1-bin\openssl.cnf -new -x509 -nodes -sha1 -days 3650 -key C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem -out C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem
You will be prompted for several responses. The most important one is the full DNS name of the server (eg: server.company.com). The -nodes argument causes the key to be not encrypted.
Once complete, verify the self-signed certificate with a command such as this:
openssl x509 -noout -subject -issuer -enddate -in C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem
In the output:
- the "subject" field's value should be the full name of the server
- the "issuer" field's value should also be the full name of the server since this is a self-signed certificate
- the "notAfter" field's value will be the expiry date of the certificate (10 years from the date of its creation)
More OpenSSL commands available here.
5) Edit %JBOSS_HOME%\server\<jboss_configuration_name>\deploy\jboss-web.deployer\server.xml
6) Make sure that the APR Listener's SSLEngine attribute is set to "on"
7) Uncomment the SSL HTTP/1.1 Connector
8) Change the protocol to org.apache.coyote.http11.Http11AprProtocol
9) Add two additional attributes to the Connector, SSLCertificateKeyFile and SSLCertificateFile (these paths would be different for you).
SSLCertificateKeyFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\rsa-private-key.pem"
SSLCertificateFile="C:\Programs\jboss_4.2.1\server\lc_mysql\conf\self-signed-cert.pem"
10) Save server.xml and re-start JBoss
11) Make sure that you can now connect to the LiveCycle AdminUI https://server.company.com:8443/adminui
The browser will complain about the fact this is a self-signed certificate.
Test connecting to the server using SSL from a command line with this command:
openssl s_client -showcerts -connect server.company.com:8443
Ctrl-C will terminate the connection and return you to the command prompt.
Recent Comments