Opentext™ Appworks™ Gateway: Installation and Administration Guide
Opentext™ Appworks™ Gateway: Installation and Administration Guide
This guide does not replace the guides for OpenText products
that include AppWorks Gateway as part of their deployment,
such as eDOCS InfoCenter, Content Server Mobile and Tempo
Box. The installation guides for these products are available in
their respective product directories at OpenText My Support
(https://knowledge.opentext.com). These guides may include
additional or modified steps for installing the AppWorks
Gateway.
OTAG210300-IGD-EN-1
OpenText™ AppWorks™ Gateway
Installation and Administration Guide
OTAG210300-IGD-EN-1
Rev.: 2021-June-23
This documentation has been created for OpenText™ AppWorks™ Gateway CE 21.3.
It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product,
on an OpenText website, or by any other means.
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com
One or more patents may cover this product. For more information, please visit https://www.opentext.com/patents.
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
Table of Contents
1 OpenText AppWorks Gateway Overview ................................ 7
The OpenText AppWorks Gateway (OTAG) engine component is the single point of
contact between all clients and your production server, for example, Content Server.
It forwards all incoming operation requests, queues data requests to reduce server
load, and handles notifications to all registered client applications.
During the installation process, you connect the AppWorks Gateway to a database
such as Microsoft SQL Server or Oracle, and to OpenText Directory Services (OTDS)
to manage and authenticate your users. As a final step, you connect to your
production server and install the applications, components, and services in the
AppWorks Gateway.
Mobile Client
Apache Tomcat
(OpenText AppWorks Gateway)
OpenText Directory
Active Directory/LDAP
Services
Active Directory/LDAP
The Active Directory or LDAP server that you may be using to manage your
users. This is optional.
Apache Tomcat
The server hosting Apache Tomcat, with AppWorks Gateway deployed and
configured, and your apps installed and enabled.
Mobile Client
An Apple® or Android™ device.
Desktop Client
A computer running a Windows or macOS® operating system.
2.1 Prerequisites
Before you start, review theAppWorks Gateway Release Notes, available from My
Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/58916144) The
Release Notes contain important information about supported environments and the
compatibility of AppWorks Gateway with OpenText products, such as Content
Server.
Important
Install the AppWorks Gateway and Apache Tomcat on a dedicated server.
Do not install OTDS, or an OpenText product, such as Content Server on
the same server as the AppWorks Gateway.
• A database to connect to. Create a schema and an associated schema admin user
in your Microsoft SQL Server, MySQL, Oracle, Oracle RAC, PostgreSQL, or SAP
HANA database.
• An OTDS installation. OTDS centralizes user and group identity information and
manages single sign on (SSO) between OpenText components.
1. Ensure you have installed the required software. For details, see “Prerequisites”
on page 10.
4. Double-click the Tomcat executable file, for example, Tomcat9w.exe and do the
following:
5. Start the Apache Tomcat service to make sure your Tomcat installation starts
correctly with these new settings.
Important
The AppWorks Gateway installation package includes modified versions
of the server.xml and context.xml files. If you have customized the
server.xml or context.xml files, and you want to retain those changes,
you must add them to the versions of the files supplied by the AppWorks
Gateway.
5. Optional If you plan on running SSL, comment out or remove the following tag in
the server.xml file.
<Listener className="org.apache.catalina.core.AprLifeCycleListener" SSLEngine="on"/>
Important
After you have specified a database and completed the installation, you cannot
choose a different database for AppWorks Gateway. Therefore, ensure that you
are connecting to the database you intend to use for your environment.
To connect to a database:
2. From the Select Database Vendor drop down, choose from the following
database options:
• MySQL – In the MySQL Workbench, select the Options File from the
Navigator panel and choose the Networking tab. Locate the max_allowed_
packet_length variable and change to 1024 MB. You may need to install the
JDBC driver (Connector/J) and place it in your <Tomcat_Home>\lib folder.
After adding the driver, restart the Apache Tomcat service.
• Oracle – You may need to download a JDBC driver JAR file and place it in
your <Tomcat_Home>\lib folder. After adding the driver, restart the Apache
Tomcat service.
• Oracle RAC – You may need to download a JDBC driver JAR file and place
it in your <Tomcat_Home>\lib folder. After adding the driver, restart the
Apache Tomcat service.
• PostgreSQL – To connect the AppWorks Gateway to a PostgreSQL database,
you need to add the following line to the C:\Program Files\PostgreSQL\
11\data\pg_hba.conf file.
# TYPE DATABASE USER ADDRESS METHOD
host all all 0.0.0.0/0 md5
• SAP HANA
• Custom Connection String
Caution
The Custom Connection String option is intended for experienced
database administrators only and must be used with caution.
3. In the Username and Password boxes, type the credentials for an admin user of
your database.
• In the Load Balance area, choose if you would like to enable client side load
balancing.
• In the Cluster Host box, type the virtual cluster name that you chose when
you created the RAC database.
• In the Port box, type the port. The default port for Oracle is 1521.
• In the Service Identifier box, type the virtual service name that you chose
when you created the RAC database.
5. Click Configure Database Connection and wait for a confirmation that the
connection is established.
Important
• Once you have defined the connection to OTDS, you cannot make changes
to it. This means that you cannot switch from one OTDS instance to
another.
• We recommend that you do not install OTDS on the same server as
AppWorks Gateway. Also, OTDS should be on a separate server to an
OpenText product such as Content Server or eDOCS DM.
• OTDS server url – The URL of the Tomcat server that is running OTDS. Do
not use http://localhost:8080.
• OTDS Administrative Account Username and Password – The credentials
for an OTDS Admin user.
• Resource Name and Gateway User Partition Name – Creates an AppWorks
Gateway Resource and User Partition in OTDS with the names provided.
The default values are OTAG and otag respectively.
3. Click Configure OTDS. The configuration is complete when you are prompted
to sign in to the AppWorks Gateway.
Before you sign in, open a second browser window and go to the Directory
Services web client at http://<Tomcat_Host>:<port>/otds-admin/.
6. For the otag partition, select View Members from the Actions menu. Next,
select the Groups tab.
7. Select the otagadmins group, then select Edit Membership, and click Add
Member.
8. Search for the [email protected] member and from the search results box,
click Add Selected to add the member to the otagadmins group.
If you deployed the AppWorks Gateway in a non-SSL environment, you will see the
following error in the gateway.log file in the <Tomcat_Home>\logs folder:
** HTTP 403 encountered during resource authentication. This is
likely to be because OTDS is not configured to permit
authentication traffic across unsecured (non-SSL/TLS) transports.
If this is a development environment, you may work around this
security feature by ensuring OTDS has the System Attribute
"directory.auth.EnforceSSL=false". **
3. Click Add.
4. Type directory.auth.EnforceSSL in the Name field, and false in the Value field.
5. Click Save.
You can upgrade to AppWorks Gateway 21.3 from all previous 16.x and 21.x
versions.
If your AppWorks Gateway installation is prior to 16.0, for example, 1.2.1, there is no
migration procedure to preserve your current environment. You must remove
AppWorks Gateway 1.2.x, then install AppWorks Gateway 21.3. For further details,
see “Upgrading from AppWorks Gateway 1.2.x” on page 22.
After upgrading to 21.3 from AppWorks Gateway 1.2.x, you may want to ensure
that users continue to access any configured services with the URL they used prior
to the upgrade. For further details see “Adding a URL Rewrite to AppWorks
Gateway 16.x” on page 23.
Note: When upgrading to AppWorks Gateway 21.3, from 16.x,or 21.x you
must decrypt then re-encrypt the opentext.properties file in the
<Tomcat_Home>\conf folder. The steps to do this are described in the following
procedures.
1. Stop the Apache Tomcat service that hosts the AppWorks Gateway installation.
• work\Catalina\localhost
• temp
• tmp
• logs
6. Open the webapps folder and remove any folders and .war files that belong to
AppWorks Gateway services. For example, if there is an AppWorks Gateway
service named gateway-service, delete the /webapps/gateway-service
folder, and the /webapps/gateway-service.war file if it exists.
After completing the upgrade, when you start the AppWorks Gateway, the
folders and .war files for the services will be recreated.
If you have made any custom modifications or if any custom configuration files
exist in the /webapps/<service>/ folders, these must be manually recreated
from the /webapps folder that you backed up in Step 3.
If you do not complete this step when upgrading, you will see a message
indicating that app migration has failed in the gateway-otag.log file. To
resolve this, you must undeploy then redeploy the service. To do this:
a. In the AppWorks Gateway that is running the service, click the Services
section of the Admin Menu.
b. Disable, then re-enable the service.
You can download the .zip service deployment file from the AppWorks
Gateway prior to disabling it.
9. If you have made custom changes to the server.xml file, use the server.bak
back up file to retain those changes in your upgraded installation.
10. Encrypt the opentext.properties file in the <Tomcat_Home>\conf folder,
using the Database Encryption Tools available from My Support (https://
knowledge.opentext.com/knowledge/llisapi.dll/open/58916144). The opentext.
properties file in the <Tomcat_Home>\conf folder stores the details of the
database for the AppWorks Gateway Installation. Proceed as follows:
• If you are upgrading from AppWorks Gateway 16.x, use the Database
Decryption tool in the 16.7 software folder in My Support. If you are
upgrading from 21.1, use the Database Decryption Tool in the 21.1
folder in My Support.
• Use the Database Encryption Tool in the 21.3 software folder in My
Support.
c. Decrypt the opentext.properties file using the decrypter.jar file in the
Database Decryption Tool, as follows:
Note: When you upgrade from AppWorks Gateway 1.2.x to 21.3, you cannot
reuse the existing values for Resource Name, Gateway User Partition Name,
Gateway Admin Username and OTDS Administrative Account Username.
Step 2: OTDS Configuration of the installation of AppWorks Gateway 21.3
will not complete and you will need to repeat the process, supplying new
values.
• Sign in to your database management tool, and create a new database schema
for AppWorks Gateway 21.3.
2. The safest way to uninstall the AppWorks Gateway 1.2.x is to reinstall Apache
Tomcat. If you reinstall Apache Tomcat, make sure you reconfigure Tomcat for
the AppWorks Gateway 21.3. For details, see “Configuring Apache Tomcat for
the AppWorks Gateway” on page 10. However, if you have other software
running Tomcat and you would prefer not to uninstall it, do the following:
This is a change from AppWorks Gateway 1.2.x, where users were taken to /
webaccess from https://[appworksurl]/, from where they could access the
services that were configured there, for example, Tempo Box or Tempo Social.
When upgrading to 16.xfrom AppWorks Gateway 1.2.x, you may want to ensure
that users continue to access any configured services with the URL they used prior
to the upgrade. To do this, you can use URL rewriting to perform a URL redirect to
the /content folder. The following steps describe how to redirect your users
from http://host.opentext.com to http://host.opentext.com/content by
downloading and configuring a Java Web filter for the Apache Tomcat installation.
Note: The UrlRewriteFilter must be the first filter in the web.xml file.
1. Download the latest version of the Apache Tomcat 9.0.x Service Installer for
Windows from https://tomcat.apache.org/download-80.cgi.
2. Stop the Apache Tomcat service via the Windows Services Control Panel.
3. Run the downloaded Tomcat 9.0.x Windows Installer to install the updated
version of Tomcat as a Windows Service.
Notes
4. Set the required JAVA_OPTIONS for the new Tomcat service. See
“Configuring Apache Tomcat for the AppWorks Gateway” on page 10 for
details.
6. Copy the following folders and or files from the existing <Tomcat_Home> folder
to the new <Tomcat_Home> installation folder:
– awg-keystore
– awg-node.properties
– server.xml
– opentext.properties
• From the existing <Tomcat_Home> folder, copy the entire webapps\ folder to
the new <Tomcat_Home>. When asked, accept to merge the directories.
• From the existing <Tomcat_Home> copy the entire gateway\ folder to the
new <Tomcat_Home> location.
Note: If you have made any edits to your existing server.xml, for
example for SSL connectors, copy across your key store and update the
path in the server.xml in the new Tomcat install location.
7. Start the Apache Tomcat service and examine the logs for successful startup.
9. Once your regression testing has been successfully completed, uninstall the old
Tomcat service and delete the old <Tomcat_Home> folder structure along with
the backups taken during the above process.
1. Download the latest version of the Apache Tomcat 9.0.x Service Installer for
Linux from https://tomcat.apache.org/download-80.cgi.
– otag-tomcat-listener-16.<x>.jar
• docs/
• manager/
• ROOT/
• examples/ (if installed)
• host-manager/ (if installed)
7. Copy the following directories from the temporary directory of the new Tomcat
to the following directories:
• bin/
• lib/
• webapps/
9. Copy the saved files from the lib/ directory into the <Tomcat_Home>/lib/
directory.
11. Start the Apache Tomcat service and examine the logs for successful startup.
Important
The following description does not include any steps to back up the installation
you are removing. When you take these steps you are removing the AppWorks
Gateway, the otag partition in OTDS, and any AppWorks data in the database
that you created for use with the installation.
4. Navigate to the <Tomcat_Home>\temp folder and delete all of the files in the
folder.
5. Navigate to the <Tomcat_Home>\tmp folder and delete all of the files in the
folder.
9. Delete the otag partition. This is the default partition name. You may have
supplied a different name when you installed the AppWorks Gateway.
10. Delete the database schema that you created for use with the AppWorks
Gateway.
The AppWorks Gateway can be run in debug mode. Debug mode allows for more
detailed error information to be returned to clients. The AppWorks Gateway should
not be left running in debug mode during production use, to avoid the
communication of detailed error messages.
When troubleshooting the AppWorks Gateway, you can adjust the logging level to
debug or trace. See “Frequently Asked Questions“ on page 87.
Always terminate the AppWorks Gateway with SSL/TLS at the Apache Tomcat
connector layer.
Without SSL/TLS at the Tomcat layer, the Want Secure Cookies setting will not
work correctly. If the Want Secure Cookies setting is enabled, cookies issued by the
AppWorks Gateway will contain the “secure” flag if possible, providing SSL/TLS
termination is performed on the Tomcat connection. The Want Secure Cookies is on
the General Settings page (Settings > General Settings).
Follow industry best practices for securing the Apache Tomcat server. Consider the
following resources:
• https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
• https://www.owasp.org/index.php/Securing_tomcat
• https://geekflare.com/apache-tomcat-hardening-and-security-guide
Protection against malicious file upload must use a layered approach – the
environment and the application must be protected. Protection should be enforced
on the server side and – very importantly - on the client side of the application. At
infrastructure level, ensure the following:
• Client systems are using a supported browser with the latest updates. Older
browsers have fewer protections. To protect against issues with file locking
OpenText recommends that you use the following settings:
Important
In this procedure we are using Active Directory Certificate Services (ADCS).
ADCS allows you to build, in-house, a public key infrastructure, with public
key cryptography, digital certificates, and digital signature capabilities, using
Microsoft technology. There are many alternative services that you can use,
and which may be more appropriate for your organization. The use of ADCS
here is for the purpose of providing an “end-to-end” example to explain the
procedures for enabling the AppWorks Gateway for HTTPS. There is no
requirement to use ADCS. The implementation and maintenance of security
protocols at your organization can be complex and should only be attempted
by experienced personnel.
1. Start KeyStore Explorer, click File > New and select JKS for the keystore type.
2. Click OK.
3. Click Tools > Generate Key Pair, and select RSA for the encryption algorithm.
4. Click OK.
5. In the Generate Key Pair Certificate dialog box, select the required Validity
Period.
8. Click OK.
9. In the Subject Alternative Name Extension dialog box, click and do the
following:
10. Click the Edit Name button and complete the Name dialog box with
details relevant to your Active Directory Certificate Server.
11. Click OK until you are prompted for an alias name. You can leave the alias
name unchanged and click OK.
12. In the New Key Pair Entry Password dialog box, type a password.
You now have a functioning keystore for your required host. Next, you need to
generate a Certificate Signing Request (CSR) that you can submit to your Certificate
Authority (CA) for signing.
1. Right-click on the generated key pair, and select Generate CSR to create a
certificate signing request file.
2. In the Generate CSR dialog box, select the Add certificate extensions to
request check box.
3. Click Browse and choose a name and location for the CSR file and click Save.
The next step is to sign the CSR that you have created, and this guide describes how
to do this using Active Directory Certificate Services. This process can be used if you
are building an internal system and do not have access to an external CA, such as
VeriSign. If you submit the CSR to an external CA, you should receive both the
signed certificate for your server and also the root CA certificate from the Certificate
Authority that was used to sign the new certificate. If the CA uses intermediate
chain certificates, you will also need these.
Caution
It is crucial that you have the full chain of certificates used to sign your new
certificate. Without the complete chain, SSL communication will fail.
1. In a text editor, open the certreq.csr file that you created in the previous
section.
3. Copy and paste the contents of the CSR file from your text editor into the Saved
Request box for Base-64–encoded certificate request (CMC or PKCS #10 file or
PKCS #7).
4. Click Submit.
5. In the Certificate Issued page, click Download certificate chain and save the
file to your hard disk.
6. Return to KeyStore Explorer, right-click on the generated key pair and select
Import CA Reply > From File.
3. On the AppWorks Gateway server, navigate to the cacerts file in the <Java_
Home>\lib\security folder.
4. Open the cacerts file in KeyStore Explorer. The default password for the
cacerts file is “changeit”.
8. Copy the cacerts file back into the <Java_Home>\lib\security folder on the
AppWorks Gateway server.
By following these steps, your Apache Tomcat server can still run in normal mode at
the same time on port 8080 with HTTP.
5. Uncomment the property and add the name of the JKS keystore file, and the
password you provided when you created it. The following is the new section
with the additional line highlighted:
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation that requires the JSSE style
configuration. When using the APR/native implementation, the OpenSSL style
configuration is required as described in the APR/native documentation -->
6. Save and close the file, and then restart the Apache Tomcat server.
Apps may rely on an associated service. Therefore, you need to make sure all of the
services are installed and enabled in the AppWorks Gateway. If you want to prevent
your users from accessing a particular app, you must disable the app in the
AppWorks Gateway. If you disable a service and not the associated app, users will
still be able to see the app on their mobile device or desktop computer. However,
users will not be able to use the app.
Components offer additional functionality for apps. For example, with ECM
Everywhere, the Object Details Viewer component allows users the ability see the
properties, categories, and audit information for objects in the Enterprise Workspace
app.
Each app, component, and service in the AppWorks Gateway shows summary,
settings, statistics, and history details. Altering the settings might negatively impact
performance. Only experienced administrators should modify these settings.
4. Click Browse and navigate to the app, component, service, or product bundle.
Tip: You can also drag and drop the file onto the indicated region.
5. Click Install Package and follow the on-screen instructions. By default, all apps,
services, and components are disabled. In order to give your users access to an
app, you need to enable the app as well as the associated service.
• In the AppWorks Gateway, select one of the following from the Admin Menu:
• Click Apps in the Installed section, and then click Enable for the apps you
want your users to have access to. When an app is disabled, users will not
see the app in the runtime client on their mobile devices.
• Click Desktop Apps in the Installed section, and then click Enable for the
apps you want your users to have access to. When an app is disabled, users
will not see the app in the runtime client on their desktop computers.
• Click Components in the Installed section, and then click Enable for all of
the components you installed.
• Click Services in the Installed section, and then click Enable for all of the
services that you installed. When a service is disabled, your users will not be
able to access their content. If the associated app is still enabled, users will
still see the app in the runtime client on their mobile devices. However, it
will be unusable.
• Click Connectors in the Installed section, and then click Enable for all of the
connectors that you installed.
• To enable all the apps, services, components and connectors that you have
installed, click All from the Installed section of the Admin Menu, and then
click Enable All at the top of the page.
1. In the Admin Menu, click the required type from the Installed section, for
example, Apps or Components.
2. Click the Show settings for this app icon for the item.
3. Click the Summary, Settings or Audience tabs to display relevant information,
as follows:
• Summary – View the version number, installed date, and the date the
feature was last updated.
You can also download the feature by clicking the Download link. Some
apps have associated components and services that you also need to
download for the app to work in another AppWorks
Gateway. Click Components or Services in the Admin Menu and verify if a
service or component is present. Based on the name and description of the
component or service, it may not be obvious if they affect the downloaded
app.
• Settings – These are settings that are specific to the app or service. Use
caution when changing and always check the documentation for the app or
service.
• Audience – Filter the app based on runtime, user, or group. For details, see
“Filtering the Runtime and User Audience” on page 39.
2. Click the Show settings for this app icon for the app that you want to filter.
3. Click the Audience tab and do one of the following:
• To display the app in all runtimes installed on the user’s client, select the
Available in all runtimes check box.
• To display the app in a certain runtime client only, clear the Available in all
runtimes check box and select the check box next to the appropriate
runtime.
• To display the app in a runtime that is not displayed, click Runtimes from
the Management section of the Admin Menu. Complete the displayed fields
and click Add. Repeat steps 2 – 3, only this time select the check box next to
the new runtime.
4. Click Save.
2. Click the Show settings for this app icon for the app that you want to filter.
• To display the app in the runtimes of all users, select the Available to all
users check box.
• To display the app in the runtimes of a specific user, group or partition, clear
the Available to all users check box. In the Search for Users/Groups/
Partitions box, type the first few letters of the name of the user, group or
partition. Select one or more check boxes for the users, groups or partitions
that you want to be able to access the app.
5. Click Save.
Note: AppWorks Gateway 21.3 requires the 16.6 versions of the iOS and
Android mobile clients. The 16.6 mobile clients are compatible with 16.x
versions of the AppWorks Gateway. However, push notifications, including
remote wipe, are only available when both the AppWorks Gateway and the
mobile clients are on release 16.5 or later. This is due to the replacement of
Google Cloud Messaging (GCM) with Firebase Cloud Messaging (FCM).
AppWorks Gateway 16.5 and later supports FCM only.
2. In the Admin Menu, click Mobile Client Distribution from the Management
section.
3. In the Send Distribution Email region, select a runtime that will be included in
the email.
4. In the same region, you can choose to send an email to one or more groups in
OTDS, to specific users by entering their email address, or to a list of users that
are in a CSV file.
2. Confirm that you have read the OpenText End User License Agreement, and
click Next to display the Custom Setup dialog.
3. Click Next to confirm that you want to install the Desktop Client and the
Desktop Client shortcuts in the default location, or click Browse to choose an
alternative location.
5. Click the OpenText AppWorks Gateway shortcut from the Windows Start menu
to display the Setup page, and define the following:
6. Click Save.
You can run the Desktop Client Windows installer silently from a Command Prompt
program, passing the filename in a Command Prompt line option. The Command
Prompt must be run with administrator level privileges, also known as an elevated
prompt.
1. From the Command Prompt, navigate to the location of the MSI installer that
you have downloaded.
2. The following command will silently install the AppWorks Gateway Desktop
Client for Windows, and set the Server Address to http://localhost:8080.
3. Drag the AppWorks Gateway Desktop App file to your Applications folder.
4. Launch the OpenText AppWorks Gateway Desktop Client to display the Setup
page. Define the Server Address, Enable SSO and Debug Mode fields, as
described above.
5. Click Save.
If you receive an Unable to connect error message, when the desktop connects to the
AppWorks Gateway Server URL, you can troubleshoot the issue by taking the
following steps:
1. On the machine where the desktop client is installed, or on a mobile device, open
a browser and navigate to http://<appworks-server-url:port>/v3/admin/
auth/loginurl.
2. The response displays a value for loginUrl. This is the URL that the desktop
client must be able to resolve to, for the InfoCenter Desktop client to connect to
the AppWorks Gateway.
3. Enter the loginUrl value in a browser on the desktop or mobile device and check
the response. You should get the OpenText login page proxied via the
AppWorks Gateway. If the OpenText login page is not displayed, check the
format of the AppWorks Gateway Server URL, and change to be a fully qualified
domain name.
The steps to enable the desktop client for HTTPS are as follows:
Note: The process for installing the desktop client for specific OpenText
products may differ from the steps shown here. Refer to the installation guide
for each product to check for additional or modified steps.
1. Open Firefox and navigate to the HTTPS address of the AppWorks Gateway
login page at https://<Tomcat_Host>:<port>/gateway. In “Securing the
AppWorks Gateway“ on page 29 you enabled the AppWorks Gateway server
for HTTPS.
3. Click the chevron icon to the right of the web site address.
4. Click More Information and in the Security tab, click View Certificates.
5. In the Details tab, examine the certificate chain in the Certificate Hierarchy box.
1. Open a command prompt window and navigate to the location of the root CA
CRT file that you exported in “Export the Root CA Certificate of the AppWorks
Gateway Server” on page 46.
2. Type the following OpenSSL command to convert the CRT file to a DER file.
Replace the CRT input and DER output values in the example below with your
file names.
openssl x509 -in appworks-AW-EXAMPLE-CA-2.crt -out appworks-AW-EXAMPLE-CA-2.der -
outform DER
3. Type the following OpenSSL command to convert the DER input file to a PEM
output file. Replace the DER input value with your file name.
openssl x509 -in appworks-AW-DEV-OTDS2-CA-2.der -inform DER -out ca.cert.pem -
outform pem
Important
The output file must be called ca.cert.pem.
4. Open the desktop client and ensure that the server address in the Settings page
is the HTTPS address of your AppWorks Gateway server.
5. Restart the client. The OpenText login page is now displayed over HTTPS.
Notes
• For Windows 8.1, navigate to Programs and Features, select the OpenText
AppWorks Desktop application and click Uninstall.
• For Windows 10, navigate to Apps & features, select the OpenText
AppWorks Desktop application and click Uninstall.
2. Open Windows Explorer, navigate to the following folder and delete the
contents:
C:\Users\<your user name>\AppData\Roaming\appworks-desktop\standard
Note: For the eDOCS InfoCenter desktop client, navigate to the following
folder and delete the contents:
C:\Users\<your user name>\AppData\Roaming\appworks-desktop\edocs-infocenter
1. Drag the Application from the Applications folder to the Trash folder.
2. Use the Finder or Terminal to navigate to the following folder and delete the
contents:
~/Library/Application\ Support/appworks-desktop/standard
Note: For the eDOCS InfoCenter desktop client, navigate to the following
folder and delete the contents:
~/Library/Application\ Support/appworks-desktop/edocs-infocenter
Both the Renderer process and the Main process must make outgoing HTTP
connections. The Renderer process uses HTTP connections provided by the
Chromium framework, while the Main process uses HTTP connections provided
under the NodeJS framework.
To pick up HTTP forward proxy configuration, the Renderer process uses the built-
in proxy configuration of the host operating system. The Main process picks up its
HTTP configuration from HTTP_PROXY and HTTPS_PROXY environment
variables. You must ensure that both configuration methods are employed at the
same time to configure the AppWorks Desktop Client to use an HTTP proxy.
This chapter describes the settings that are available for the following categories:
• General – Specify the URL of the AppWorks Gateway server and the OTDS
server, and choose from various authentication options.
• MDM – Specify the settings for mobile device management, for example,
whether to enable or disable client tracking.
• Mail – Specify the SMTP settings to use when sending emails from the Gateway.
• Temp File – Specify where to store temporary data files, and how long to leave
files on the system.
• Notifications – Determine the settings to use when sending messages to client
applications.
• AppWorks Gateway Server URL – The URL that clients and providers use
to reach this server. Use the fully qualified host name of the server. Do not
use http://localhost:8080. This URL is also needed for links in external
invitations and for auto-configuration of the OTSync Connector. The
OTSync Connector provides a connection, authentication handling, proxy
mappings and trusted provider key registration for OpenText Tempo Box.
Note: If you change the AppWorks Gateway Server URL, stop and
restart the Apache Tomcat service.
• Want Secure Cookies – When enabled, cookies issued by the AppWorks
Gateway will have their “secure” flag set. This setting has no effect for
responses on a non-secure transport, for example HTTP. The Want Secure
Cookies setting is selected by default.
• Session Token Cleanup Interval (s) – Timed out OTAG session tokens will
be cleared from memory periodically given this duration.
• Session Token Timeout (s) – Session tokens generated by the OTAG layer
will become invalid after this period of inactivity.
• Auto Sign-Out Inactivity Period (s) – Users will be automatically signed out
after this period of inactivity. Enter a value in seconds of at least 120. The
value must not have a decimal point, for example 900.5. The value must be
less than the period entered in the Session Token Timeout (s) field. A
period of inactivity is where the user makes no input into the
Administration User Interface by keyboard or mouse. One minute before the
user’s session is due to end, a dialog box is displayed enabling the user to
extend the session.
• OpenText Directory Services (OTDS) URL – The URL of the OTDS service
that is used by OTAG for authentication and identity information. When
you installed AppWorks Gateway, you connected to an OTDS service. You
cannot change to a different OTDS service after installation, and this field is
therefore read-only.
• Do Not Proxy OTDS – The proxy server will not be used by the client to
obtain an OTDS login URL. Instead, the client will use the URL specified in
the AppWorks Gateway.
• Cookie Domain for Generated OTDS Cookies – Enter a cookie domain for
generated OTDS cookies generated by OTAG to be used across subdomains.
For example, enter “.example.com” to allow subdomain app2.example.com
to use cookies generated for subdomain app1.example.com.
– AppWorks Suite
– Tempo Box
• Client Tracking Enabled – If enabled, you can track the clients that a user
has used and perform a remote wipe of any applications on the mobile
client.
• Remote Wipe Timeout (s) – An email is sent to the recipients in the Remote
Wipe Failure Email Recipients field if a remote wipe was not successful
before the timeout period expires.
• Remote Wipe Failure Email Recipients – The email addresses listed in this
field will be emailed if a remote wipe action did not occur before the Remote
Wipe Timeout (s) period expires. If you receive a remote wipe email failure
notification, the wipe did not take place and you must reset the user
password to prevent the user from signing into their account.
• Permit Storage of Password (On Device) – After a user signs in for the first
time, this setting allows your users to close and reopen the app without
typing their password. This functionality is only available when the mobile
clients are using the default oAuth 2.0 flow.
Notes
– If the user signs out of the app, they must re-enter their password to
sign back in.
– If you set a value in seconds in he Password on Device Expiry (s)
field, the user must sign back in to the app if the duration is
exceeded.
• Password on Device Expiry (s) – The duration in which a password is
stored on a device.
• Permit Offline Access on Device – When selected, users can access
information on a device when it is offline.
• Notify Devices of Offline Policy Change – When selected, users will be
notified if the value of the Permit Offline Access on Device field changes.
a. In the Send Test Email section, enter an email address in the To field.
• Notification Purge Interval (s) – The interval at which the notifications table
will be purged of notification records.
• Maximum Notifications Table Size – The maximum number of notification
records retained before a purge is triggered by the table monitor.
• Back-channel Stale Connection Cleanup Period (s) – The interval at which
back-channel connections will be checked for freshness and stale connections
discarded.
• Notification Refresh Interval (s) – The interval at which fresh notification
sequence data is published to clients. This affects how often a client will ask
for new notifications based on the last known sequence value.
• Back-channel Timeout (ms) – The time in which a client long poll
connection for notifications will remain open.
• Max Long-poll Connections per User – This is used to prevent DoS attacks.
When a user connects more than this number of clients simultaneously, the
oldest connection will be dropped.
• Back-channel Stale Connection Cleanup Age (s) – Back-channel
connections will be cleared from memory when they have been idle for at
least this long.
Note: Logging the push notification activity results in a large log file
that must be actively managed.
1. Select the Use Cutoff Date check box and enter a date.
2. Click Send Purge Request to remove notifications that were created before the
Use Cutoff Date.
If you have not entered a cutoff date, the current, completed notifications will
be purged. The number of notification is shown next to Current notifications
row count. This value is updated after the period specified in the Notification
Purge Interval (s).
2. Select the check boxes next to the settings you require. The settings are grouped
under a main heading, for example, Authentication, Runtimes and so on. You
can deselect the main heading to choose more specific settings. For example,
you might want to identify when a runtime is created or deleted, but not when
a runtime is updated, or when the list of runtimes is displayed in the
Administration User Interface.
3. Click Update Settings. Only the actions that you have specified will be reported
in the otagaudit table.
In the Proxy Settings page, complete the details for any proxy rules that you want to
create for AppWorks Gateway. OpenText supplies various template proxy rules for
use with OpenText products such as eDOCS InfoCenter and Content Server.
Creating a proxy rule for your OpenText product is part of the installation process
for the product, and further details are available in the specific installation
documentation.
Note: The proxy is intended as an API proxy for AppWorks services and apps,
and is not to be seen as a general purpose replacement for another proxy
service, such as mod_proxy for the Apache HTTP Server.
3. Click New Rule or New Rule From Template. The New Rule From Template
option provides some default settings for when you are installing the
AppWorks Gateway with other OpenText products. For example, the OpenText
eDOCS RestAPI template includes URL mappings and Whitelist details that
help you to install OpenText eDOCS with InfoCenter.
4. Select the Continue check box, next to the URL Mappings fields to execute the
URL rewrite in a top-to bottom order. For any matched URL rewrite rule, the
Continue option signifies whether to stop at this match, or continue applying
the rules below it.
5. In the Configure Rule page, complete the required fields and click Save Rule.
The AppWorks Gateway uses the public Firebase Cloud Message (FCM) service to
enable native push notifications. Push notifications are configured for each mobile
runtime using the Google developer console. A Firebase Project model is used for
working with Firebase projects in the AppWorks Gateway.
• Project Private Key File – A service account JSON file also used to call
Firebase APIs.
• Project ID – A globally unique identifier for the project
• Server Key – A key to authorize AppWorks Gateways calls against the
Firebase APIs
• Sender ID – The ID used by the AppWorks Gateway for itself as a sender of
push notifications, push clients ask to be sent notifications from a sender
• Web Push Certificate Public Key – A public key used by, the now
supported, in browser push clients.
• Web Push SDK Configuration – A JSON configuration String to allow in-
browser web clients to easily make use of the Firebase JavaScript client
library, see here (https://github.com/firebase/firebase-js-sdk).
The following section assumes you have a valid Google developer account and can
access the console at https://console.firebase.google.com. Select the cog wheel in the
left-hand menu at the Project Overview level, and select Project settings to view the
Firebase Project Settings.
This tabbed view provides access to the general project's details and the cloud
messaging configuration, which includes any number of apps and their access files
(google-services.json, GoogleService-Info.plist), and service accounts.
Project ID
The general project identifier found on the General tab under Settings.
Server Key
A server key that authorizes our app server, the AppWorks Gateway, to access
Google services. It is available on the Cloud Messaging under Settings.
• Web Push Certificate Public Key – The public key of any Web Push
certificate generated in the Web Configuration found at the bottom of the
Cloud Messaging tab under Settings for the project.
• Web Push SDK Configuration – The public configuration code block for a
JavaScript app that will use the FCM client exposed by the AppWorks
Gateway. The value can be copied directly from the Firebase console as
described below. JavaScript applications may use the Firebase JavaScript
SDK to receive push notifications in the browser. From the Firebase projects
overview page, do the following:
1. Click + Add App below the project name.
2. Select the web application, depicted by angled brackets.
3. Copy the content of the config variable is JSON block out of the provided
<script> tags, for example:
{
apiKey: "AIzaSyBgXYFblWR5_IE2zfYeARydmjVdTLXljGI",
authDomain: "a-customer-project.firebaseapp.com",
databaseURL: "https://a-customer-project.firebaseio.com",
projectId: "a-customer-project",
storageBucket: "a-customer-project.appspot.com",
messagingSenderId: "944462086369"
}
4. Paste the JSON block into the Web Push Notifications field in the
AppWorks Gateway:
6. In the Username/First Name/Last Name field, search for the user to whom you
want to send this notification.
8. Click Send.
3. Click Add User and provide the user information. Passwords are based on the
Directory Services global password policy. The default policy requires at least 8
characters in length with at least one capital letter and one number. The title,
email, phone, and location fields are not required.
To add an AppWorks Gateway administrative user, click Administrative User.
2. Type the username, first name, last name or group name in the Search for users
and groups box and press ENTER.
3. Next to the user or group whom you want to edit, click the Edit icon ,
edit the information, and then click Update user.
Notes
• You cannot update the OTDS Administrator user information from this
page. You need to update this user information in the Directory Services
web client at <http://Tomcat_Host>:<port>/otds-admin/.
• You cannot update any users that were added using OTDS. You need to
update these users in the Directory Services web client.
• You cannot delete users from this page. You also need to perform this
action in the Directory Services web client.
2. Locate the otag user. This is the default user name. You may have supplied a
different name when you installed the AppWorks Gateway.
4. Click General and update the information for User ID, First Name, Last Name,
and so on.
5. Click Save.
2. Locate the otag user. This is the default user name. You may have supplied a
different name when you installed the AppWorks Gateway.
3. Click Actions and then Reset Password for the otag user.
4. Type the new password in the fields provided and click Reset Password.
2. If you added users using the AppWorks Gateway, locate the otag partition. This
is the default partition name. You may have supplied a different name when
you installed the AppWorks Gateway.
4. Select the check box next to the user whom you want to delete and then click
Delete.
Important
Do not delete the otag or otdsadmin users.
Using Client Management, you can see and wipe the runtimes from your user’s
devices that your users have used to access their account. Wiping deletes all local
copies of server data from the runtime and prevents the user from signing in. If the
runtime was accidentally wiped, the user can re-enter the AppWorks Gateway URL,
sign in and continue to access their account. The user will need to reinstall all of the
apps and download their favorite files again. Assuming the wipe was intentional,
you should change the user's password or delete their account altogether to prevent
the user from signing in again.
2. In the Admin Menu, click Client Management from the Management section.
3. Type the username, first name, or last name of a user and then press ENTER.
Tip: If you are unable to search for a user, verify that Client Tracking
Enabled is selected on the MDM Settings page.
You will see the username, runtime, device information, and connection times
for every client the user has used to access their account.
1. In the Admin Menu, click Client Management from the Management section.
2. Type the username, first name, or last name of a user and then press ENTER. If
you are unable to search for a user, verify that Client Tracking Enabled is
selected on the MDM Settings page.
3. Click the Wipe link for the client that you want to wipe.
4. Click Ok to confirm the action. The next time the user attempts to access their
account using the client ID you wiped, the runtime wipe will take place.
You can deploy and configure additional AppWorks Gateway servers to use an
existing AppWorks Gateway database. Any applications, services, and components
that are installed on one node in the cluster are automatically installed on all of the
other nodes. All settings changes are also propagated to all of the nodes. You do not
need to perform any manual steps on any other node or restart the Apache Tomcat
service. However, you must restart the Apache Tomcat service if you change any of
the following settings in the AppWorks Gateway:
• On the General Settings page, changes to the Session Token Cleanup Interval
(s) and the Session Token Timeout (s) will only take effect once the current
interval elapses or when the Apache Tomcat servers are restarted.
• On the Temp File Settings page, changes to the Temporary Directory Path
should be made when the servers are off-line, because some services may lose
temporary data. Changing the Temporary Directory Path may leave old
temporary files in the former location. The Temporary Directory Path location
must exist on disk before changing the path in the AppWorks Gateway. The
location on disk must be the same on all nodes in the cluster. The default location
is C:\Program Files\Apache Software Foundation\Tomcat 9.0\tmp.
Clients that are connected to one node can also switch to another node and continue
functioning.
1. Install Apache Tomcat on the new node. For details, see “Installing the
OpenText AppWorks Gateway“ on page 9.
5. Complete the database configuration steps to connect to the database you are
using for all nodes in the cluster.
Note: Repeat this procedure at any time to add nodes to the cluster. They
must also be added to the load-balancer.
3. In the List of Tenants field, type one or more tenants. Tenant names can include
the characters 'a' to 'z', and '0' to '9'. Upper case characters are not valid.
4. Click Update Settings. A URL is created for each tenant name. For example, if
you type "tenant001" in the List of Tenants field, the URL http://host:port/
awtenant/tenant001/ is created.
5. To complete the installation, enter the URL for the tenant into a browser address
bar. A configuration page appears with options to specify a database and an
OTDS instance. This is the same page that you use to complete the configuration
of any AppWorks Gateway installation.
7. For Step 2: OTDS Configuration, enter the OTDS server details that you used
for your primary AppWorks Gateway installation.
8. For each tenant, provide details for the Gateway Admin Username/Password,
and OTDS Administrative Account/Username. You can use the same
administrator as your primary installation, or you can create different
administrators for each tenant.
9. For each tenant, provide a Resource Name and Gateway User Partition Name.
• Reduce the high operating costs to develop, manage and maintain on-premises
applications
• Avoid end user adoption issues caused by slow performance and lengthy
deployment timelines
• Gain access to extensive resources to support enterprise information
management applications
• Deploy enterprise information management applications and grow as needed to
scale to your business needs
Note: Apache Tomcat and OpenJDK are installed as part of the AppWorks
Gateway container deployment. You do not have to install this software
separately. OTDS and PostgreSQL require separate installations.
A PostgreSQL installation
The AppWorks Gateway container deployment process connects to the database
and creates a database instance.
Helm
Helm is used to deploy the Docker images.
Docker
You tag the Docker image files and push them to your registry.
Kubernetes
You use Kubernetes to run various commands during the deployment of the
AppWorks Gateway containers. Normally, you should have a local installation
of Kubernetes, but it is also possible to run Kubernetes commands on certain
cloud platforms. For example, on the Google Cloud Platform, you can use the
Google Cloud Shell to run Kubernetes commands.
1. Go to My Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/
58916144) and download the docker-compose.zip file.
5. In the env folder, update the pg.env file with the details of the PostgreSQL
installation, for example, hostname, port and so on.
6. In the .env file, enter the details for the following sections:
9. Run docker container ls to list the docker containers, and check that the
container is available and running. The name of the container is docker-
compose_otawg_1.
11. To view the logs run the command docker logs container <container name>
—f.
12. To remove the container deployment, run the command docker-compose down.
• The appworks-gateway.zip file containing Helm charts. You download this from
My Support.
• Access to the AppWorks Gateway container image: This installs the AppWorks
Gateway software. This image is available from the OpenText Container
Repository.
• Access to the PostgreSQL container image: This creates a database with a name
you have supplied in your PostgreSQL installation.
• An AppWorks init container image: This initializes the AppWorks Gateway
container. By default no mobile or desktop apps are installed with the container.
You can customize init container to include the mobile and desktop apps that
you want to include with the AppWorks Gateway deployment. This image is
available from the OpenText Container Repository.
1. Go to My Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/
58916144) and download the appworks-gateway.zip file.
2. Extract the appworks-gateway.zip file to a location, for example,
C:\OpenTextCE\appworks-gateway. The contents of the appworks-gateway
folder are as follows:
1. The image section of the values.yaml file contains the registry and
repository details of the AppWorks Gateway and PostgreSQL images in the
OpenText Container repository. See “Updating the Image Settings” on page 79.
2. Confirm that you can access the repository by entering the registry address in a
browser. You must supply credentials to view the contents of the repository.
Check with your Customer Support Representative for details.
Note: You can choose to deploy an AppWorks Gateway container without any
desktop or mobile apps. See “Deploying the AppWorks Gateway Container”
on page 78.
• apps: This is the folder in which you place the desktop and mobile apps that
you want to deploy with the AppWorks Gateway
• Dockerfile: You modify this file to include the names of the apps that you
want to deploy
• README: This text file provides an explanation of the environment variables
and exit codes used by the init container.
3. Edit the Dockerfile to add the names of the apps that you added to the apps
folder. For example, if your apps are called starterApp1_0.0.1.zip, and
starterApp2_0.0.2.zip, then the Dockerfile will be as follows, with a
separate Copy command for each file: Dockerfile:
FROM artifactory.otxlab.net/otag/awg:21.3.0-22122020010729
MAINTAINER OpenText Corp.
ENV AWG_UNATTENDED_SETUP="true"
ENV WG_EXIT_ON_SETUP_COMPLETE="true"
7. Run the docker image ls command to check that the container has been built:
8. Provide a tag number for the image, using the following command:
docker tag <imagename> <registryname>/<repositoryname>/awg-init-
container:<imagename>.<tagnumber>
where <registryname>/<repositoryname> are the details of your own
registry.
9. Run the docker image ls command to check that the tagging has been
successful.
10. Run the following command to push the new image to your registry:
docker push <registryname>/<repositoryname>/awg-init-
container:<imagename>.<tagnumber>
1. Locate the values.yaml file that you extracted from the appworks-gateway.
zip file. See “Deploying AppWorks Gateway with Helm” on page 76 for details.
3. Open a PowerShell administrator session and navigate to the root directory, for
example, C:\OpenTextCE.
6. Open a browser and access the AppWorks Gateway using the URL specified in
the values.yaml file. If you have enabled ingress, use the value you entered in
the host setting.
7. Sign in to the AppWorks Gateway using the Username and Password details
that you supplied in the awg section of the values.yaml file.
8. Check the Installed section of the Admin Menu to confirm that the desktop and
mobile apps that you included in your deployment are present.
pullpolicy, imagepullsecrets
OpenText recommends that you do not modify these settings. If the images are
not available locally they will be deployed from the OpenText registry according
to the settings for registry, repository and tag.
The cloud deployment is available for the Amazon Relational Database Service
(Amazon RDS). For the cloud deployment you must first create the database in
Amazon RDS, as follows:
server
Enter the server host and port details of an on premises PostgreSQL database
or a PostgreSQL database in Amazon RDS.
admin
Enter the user, password and database details for the database that will be
created by pgInitContainer. You can keep the defaults or update with new
values.
appworksdb
Enter a username, password, and database name. For an on premises
PostgreSQL database, deploying the container will create an instance with these
credentials in the PostgeSQL installation. Make sure that the username and
database details are in lower case characters.
• If useSSL is true and trustDbCerts is false, place the certificate inside the
appworks-gateway\trustCertificates folder to connect over SSL.
partition, resource
Enter the names of the OTDS partition and resource to be used for the
AppWorks Gateway container deployment.
admin
Enter values for the newadminuser and newadminpassword. You use these
values to sign in to the AppWorks Gateway Administration User Interface.
externalurl
Enter the URL that will be used to access the AppWorks Gateway
Administration User Interface.
logging
The default setting for logging is info. You can change to trace, debug, warn or
error.
settings
This section enables you to determine the values for the General, MDM and Mail
settings that are available in the AppWorks Gateway Administration User
Interface. If the setting is not specified here. you can update it in the
Administration User Interface. If you choose to set a value for a setting here, you
cannot update it in the Administration User Interface of the deployed
AppWorks Gateway. To update a setting, after you have deployed AppWorks
Gateway as container, see “Upgrading a Deployed AppWorks Gateway
Container” on page 84.
The following table lists the settings. For an explanation of each setting, see
“AppWorks Gateway Settings“ on page 51.
Table 13-1: General, MDM and Mail Settings
readiness probe
OpenText recommends that you leave the readiness probe settings
unchanged. They relate to the Kubernetes architecture and perform checks to
determine when a container is ready to start accepting traffic.
liveness probe
OpenText recommends that you leave the liveness probe settings unchanged.
They relate to the Kubernetes architecture and perform checks to determine
when to restart a container.
service
OpenText recommends that you leave the service settings unchanged.
ingress
Ingress provides load balancing functionality where you have deployed
multiple pods by setting replicaCount to a number greater than 1. Update the
enabled setting for load balancing. Also, if you want to access multiple
AppWorks Gateway pods with a single URL, set enabled to true and enter a
URL in the host setting.
tls
To use HTTPS, set enabled to true, then provide values for the secretName
settings.
resources
OpenText recommends that you leave the default settings unchanged. However,
if you want to provide customer settings, uncomment the lines for limits and
requests, and enter your preferred values.
1. Update the settings in the values.yaml file, as required. A setting that you
specify in the values.yaml file cannot be altered in the AppWorks Gateway
Administration User Interface.
3. Run the following command to delete the pod. You must run the command for
all pods in the cluster. The pod is automatically recreated.
kubectl delete pod <pod name>
Tip: The command kubectl get pods -w displays the pod name and the
status of the pod.
To check the status of a deployed AppWorks Gateway container, use the following
commands.
If the deployment fails to initialize pginit container, the status shows 1/2 Error.
Run the following command to see the log files:
If the deployment fails to initialize init container, the status shows Error or
CrashloopBack. Run the following command to see the log files:
Run the following command to show the standard container log files:
The following FAQs provide advice on additional setup options, and basic
troubleshooting information.
To set the log level to a higher level, for example, debug, take the following steps:
Important
When debug-level or trace-level logging is enabled, sensitive configuration
data may be written to the log files. Debug-level and trace-level logs should be
securely disposed of when they are no longer required. Return the log level to
its lower level when you have completed any troubleshooting tasks.
The AppWorks Gateway proxy also logs information in the gateway.log file when
the log level is set to debug.
For debugging, first check the Catalina log for errors, and if necessary check the
localhost-access_logs.<date>.txt because they record each request. This
allows you to confirm timing and response codes for each request when nothing
appears in the logs.
Beyond initial configuration of the AppWorks Gateway, there are very few error
scenarios that would be indicated in the logs. The primary issue that can occur
relates to authentication errors. If the user has entered a correct password, but
cannot authenticate, these issues will not be captured in the log files. The following
steps are recommended to troubleshoot authentication errors.
1. Review the AppWorks Gateway node information to verify the database and
OTDS connections. Sign in to the AppWorks Gateway and click Overview from
the About section of the Admin Menu.
2. Double check that the credentials and server URL were typed correctly. This is
often the problem.
4. Try using the fully qualified name. For example. <username>@otag for internally
created users, <username>@<domain> for OTDS synced users.
5. Sign in to the Directory Services web client and check that the user’s account has
not expired or been locked.
6. Add a new user in the AppWorks Gateway. Then, sign in to the Directory
Services web client and verify that the new user was added to the otag partition.
A good example of this is for the routing of Firebase Cloud Messaging (FCM)
communications when the environment within which the Gateway is installed only
permits outbound HTTP communication to the public Internet via an HTTP proxy.
The example settings shown below are from a Linux installation of the AppWorks
Gateway.
Where:
We must NOT proxy requests via the HTTP Forward Proxy to:
Tips
If you do not set the environment variables, then the authentication request from the
AppWorks Desktop Client to OTDS will fail.
Note: For further details of the AppWorks platform and technologies, see the
Technical White Paper, available from the AppWorks Quick Start page of the
AppWorks Developer web site (https://developer.opentext.com).
The message “Can’t create a user. Consult OTDS logs” is displayed when creating
users in the User Management section of the AppWorks Gateway.
Note: The issue is not present when you perform a clean install of AppWorks
Gateway 21.3 with any supported version of OTDS, including 16.4.3.
1. In the OTDS Administration UI, search for the OTAG partition. This is
automatically created by the AppWorks Gateway installation process, when you
connect the AppWorks Gateway to an instance of OTDS.
4. In Member Selection, search for the OTAG partition and add the resource
principle for the OTAG resource.
By default, the AppWorks Gateway adds an OAuth client to OTDS, with the Grant
refresh token (when protocol permits) check box selected. When you upgrade
OTDS to 16.6, we recommend that you confirm that the Grant refresh token (when
protocol permits) check box is still selected. If the check box is not selected a desktop
or mobile client does not receive the refresh token on login and the user will
therefore be asked to log in again, once they have logged out.
To check the Grant refresh token (when protocol permits) setting, do the following:
3. Select the Grant refresh token (when protocol permits) check box and click
Save.
For further information, see the chapter on OAuth Clients in the OpenText Directory
Services - Installation and Administration Guide (OTDS-IWC).