Oct 12th, 10
Time again for another adventure in upgrading ApplicationXtender… this time to the much awaited 6.x release family. Although not a revolutionary release, it is much welcome owing to the following architecture changes:
- Support for Server 2008 and Server 2008 R2 OS platforms (and thus, support for 64-bit operating systems).
- Integrated Adobe PDF 9.x libraries, solving compatibility problems with Adobe Reader.
- Web Access component now compiled in ASP.NET 2.0 (instead of the retired ASP.NET v1).
- Web Access Thumbnail viewer is now a Silverlight control instead of a Java applet (a dubious improvement).
- The DiskXtender image repository now implements (and AX now supports) the use of Authenticated RPC calls, instead of the unforgivable unauthenticated and unencrypted RPCs used in previous versions of the software. However, this “improvement” not withstanding, we will be discontinuing the use of DiskXtender with this upgrade. When you look at actual implementation details, use of CIFS/SMB2 offers us equivalent security (or more security, if implemented in conjunction with IPsec) at a lower cost, and with more configuration options.
- Oracle 11g databases are now supported, for what that is worth (we will be using 10g R2 for a bit longer).
I am not going to go though a step-by-step here, but I will note the most significant configuration quirks that either were not documented in the deployment guides, or that were inadequately documented. These settings are necessary if running AX in the “least privilege” mode, instead of the moronic “make all of your service accounts domain admins” mode:
- All AX components (except licensing) are all still 32-bit applications. As a result, they require the availability of 32-bit libraries for interacting with external (third party components). As a result, we cannot expect 64-bit Oracle database clients to be of any use. We have developed 32-bit only Oracle InstantClient v18.104.22.168 installers for use with this product.
- If installing the license service on a 64-bit host, be aware that EMC has released a new version of the license server specifically for 64-bit computers. You should not use the version that ships with the initial 6.5 release.
- The license service has been rewritten since AX 5.4… it now requires client access to TCP port 9251 only. Fortunately, we no longer need to muck with DCOM component security settings to get licensing to work.
- After installing the WebAccess.NET components into IIS, be sure to grant the Service Account rights to .NET framework temp files directory (In “%windir%\.NET Framework\v2.xxxxx\.NET Framework Temporary Files” (I think that is the correct path)).
- After installing the AX Rendering service, you need to make the following additional changes:
- In the properties of the Rendering service (services.msc control panel), you must clear the “Allow Service to Interact with Desktop” option.
- You must grant the service account read/write access to the Rendering service installation directory in “%ProgramFiles%\XtenderSolutions”.
- After installing the Indexing Server (if you are using it), and before configuration, you must ensure that your Indexing service account has a password that is fewer than 24 characters in length. The configuration utility will not complain that your password is too long, but it will truncate your password before encrypting it for storage, and the service will then fail to start (silently, and without generating any useful log information… aargh!).
Jun 30th, 09
Previously I documented a rough outline of the AX 5.30 Infrastructure installation process:
With support for 5.30 expiring today, I think it high time we got our infrastructure up to date up to the most current version that is supported for use with SunGard Banner.
- Uninstall all previously existing AX components. Purge any residual files from the IIS publishing directories, “Program Files”, “Application Data”, and the registry.
- Set security for the global impersonation account according to the table on page 210 of the “concepts and planning guide”.
- Note that the account does not have to be a local administrator!
- However, the security accounts will have to have privileges to the resources accessed by the services (i.e. NTFS filesystems rights, shared folder access).
- Rendering Service -
- When granting rights to the DX data store, plan ahead. Permissions could take a long time to apply.
- Requires Local Security Policy “Replace a Process Level Token” and “Adjust memory quotas for a process” rights. Also, the “Allow service to interact with the desktop” box must be deselected in the “Log On” tab of the Rendering service properties.
- WebAccess.NET Services -
- Global Account needs only “Log on as a service” Local Security Policy assignment. You can clear out all “legacy” security permissions as they are not needed for WebAccess!
- Install AX Desktop, installing all administration tools:
- msiexec /i “ApplicationXtender Desktop.msi” /qb ADDLOCAL=DocumentManager,AppGen,ConfigurationTools,ManagementTools
- Install the new License Server and install license file:
- Install the “ApplicationXtender License Server.msi” (FlexNet License Manager)
- Drop the .LIC license file into C:\Program Files\XtenderSolutions\Content Management\License Server
- Configure the Login identity of the “ApplicationXtender License Client Components” COM+ application to use the global impersonation account. This component must be shut down to be reconfigured. Details in EMC PowerLink solution esg92864.
- Restart the “ApplicationXtender License Service” Service.
- Install the “EMC License Server” (Proprietary License Server, to support DiskXtender)
- Install all current patches to the service
- Run the “License Server Administrator” GUI.
- Go to “Tools”, then “New License Wizard” to install the DiskXtender License.
- Install DiskXtender
- Install DiskXtender patches, in sequence
- When prompted for the DX service account, you must provide an account that has local “administrator” rights, and the ability to “log on as a service”.
- Verify and/or re-establish RPC partition maps – See the “Core Components” guide for instructions.
- Consider switching to DCOM security model, which will require modifying the “AE_PATHS” table in each data source db. See page 160 of the “Desktop Install Guide” for details.
- This is not actually practical to do since it will break AX Desktop on any system that is not joined to the CAMPUS domain (and why would they not be joined, I wonder?)
- Launch AX Admin
- See “ApplicationXtender Desktop Installation Guide” for details
- Log in as SYSOP and perform the database upgrade, if prompted.
- Verify global settings:
- Add license server configuration: see “Core Components” guide for details.
- Web Access .NET must use Global credentials since we are using and Oracle database with Oracle security.
- Save the configuration and exit
- Launch AppGen, and verify functionality.
- Connect to each defined data source, one at a time.
- Perform database upgrades if prompted (this should be safe, but can take several minutes to complete).
- Set IIS web site root to use ASP.NET 2.0.
- Install AX Web Services, making sure to install the required “Utility Services” component. “AX Web Services” and “Workflow” components are optional.
- See “AppXtender Core Components Admin Guide” for installation and config details.
- Choose IIS installation option, and install into “Default Web Site” (which should be the only site present)
- Ensure that “Default.aspx” is listed as an accepted default page for the “AppXtender” IIS web application.
- Install AX Web Access .NET
- Install AX Rending Server
- Run the Component Setup Wizard for all installed components
- Outside of my control:
- BannerXtender updates need to be applied to production Banner systems.
- DocSend and ECopy stations need to be upgraded to 5.40 AX Desktop releases
- DocAccel server needs 5.40 AX Desktop upgrade
- All AX desktop clients need updates, too.
- Anyone using WX WebAccess.NET ActiveX controls will need to upgrade these components.
- Test Test Test!