Symantec EV GUide

Symantec Enterprise Vault

Content Management Connector for EMC Documentum Retention Policy Services

Installation, Configuration, and Administration

1.0

2

2

3

Symantec Enterprise Vault Integration to Documentum Installation, Configuration, and Administration

Copyright 2006 Symantec Corporation. All rights reserved. Symantec Enterprise Vault Integration to Documentum Symantec, the Symantec logo, and Enterprise Vault are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THIS DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID, SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software and commercial computer software documentation as defined in FAR Sections 12.212 and DFARS Section 227.7202. Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 www.symantec.com

4

Third-party legal notices

Third-party software may be recommended, distributed, embedded, or bundled with this Symantec product. Such third-party software is licensed separately by its copyright holder. All third-party copyrights associated with this product are listed in the accompanying release notes.

Documentum, Documentum Content Server, and Documentum Retention Policy Services are registered trademarks of EMC Corporation.

Technical support For technical assistance, visit http://www.symantec.com/enterprise/support

and select phone or email support. Use the Knowledge Base search feature to access resources such as TechNotes, product alerts, software downloads, hardware compatibility lists, and our customer email notification service.

5

Preface........................................................................................................................... 7

Formats available.................................................................................................. 7 Accessing the Support Web site ....................................................................... 7

Introduction................................................................................................................. 11 Logical components ........................................................................................ 11 Physical components....................................................................................... 12

Section I. Installation .................................................................................................. 14 Before installing 1................................................................................................ 15

Enterprise Vault requirements ............................................................................ 15 Documentum requirements................................................................................. 15 Microsoft Exchange requirements ...................................................................... 16

Installing the Documentum extensions 2............................................................. 17 Store plug-in installation..................................................................................... 17

Creating the plug-in and store......................................................................... 18 Setting up authentication for AuthHttpPlugin ................................................ 22

DocApp installation ............................................................................................ 23 WDK overlay installation ................................................................................... 23 Documentum web services installation .............................................................. 24 Post-installation tasks.......................................................................................... 25

Installing Enterprise Vault extensions 3 .............................................................. 27 The Vault extension wizard ................................................................................ 27

Silent install .................................................................................................... 31 Installing Microsoft Exchange extensions 4 ........................................................ 33

File installation ................................................................................................... 33 Creating the COM+ application.......................................................................... 34 Installing the Exchange event sink into COM+.................................................. 37

Section II. Configuration ............................................................................................ 40 Configuring the Documentum extensions 5 ........................................................ 41

AppConfig.xml ................................................................................................... 41 Required configuration ................................................................................... 41 Optional configuration.................................................................................... 42

Configuring the Enterprise Vault extensions 6.................................................... 44 Modifying configuration settings........................................................................ 44

6

Specifying the folder synchronization email message........................................ 45 Toggling logging from the Message Sync Filter ................................................ 45

Configuring the Microsoft Exchange extensions 7.............................................. 47 Common configuration tasks 8 ............................................................................ 48

Updating the Vault service account credentials.................................................. 48 Updating the Documentum integration admin credentials ................................. 49 Changing the active Documentum application server ........................................ 49 Changing the active Enterprise Vault server ...................................................... 49 Changing the managed message retention category ........................................... 49

Section III. Administration ......................................................................................... 51 User administration 9........................................................................................... 52

User mapping ...................................................................................................... 52 Folder administration 10 ...................................................................................... 53

Creating retained message folders in Documentum ........................................... 53 Synchronizing retained message folders to Exchange........................................ 54 Folder security settings ....................................................................................... 58

Folder permissions and selective folder synchronization ............................... 58 Folder permissions and user access to retained messages .............................. 59

7

Preface This book discusses the procedures required to install, configure, and administer the Symantec Enterprise Vault Content Management Connector for EMC Documentum Retention Policy Services. The first two sections of this book, Installation and Configuration, are targeted towards system administrators. These sections assume an administrative knowledge of Enterprise Vault, Microsoft Exchange Server, and EMC Documentum. The third section of this book, Administration, is targeted towards Documentum administrative users and assumes working knowledge of Documentum Content Server, Documentum Administrator, and Documentum Retention Policy Services.

Formats available

This book is available as an Adobe Acrobat (PDF) file on the Enterprise Vault CD-ROM. If you have yet to install the free Adobe Reader, you can download it from the Adobe Web site at http://www.adobe.com.

Getting help

Symantec offers you a variety of support options: Accessing the Support Web site Subscribing to Symantec Email Notification Service Accessing Symantec telephone and fax support

Accessing the Support Web site

The Symantec Support Web site enables you to: Contact the Symantec Support staff and post questions to them. Download the latest patches, upgrades, and utilities. View the Enterprise Vault Frequently Asked Questions (FAQ) page. Search the Knowledge Base for answers to technical support questions. Subscribe to automatic email notice of product updates. Find out about Enterprise Vault training. Read current Enterprise Vault white papers, tech notes, and selected documentation. The address of the Support Web site is:

8

http://www.symantec.com/techsupp/enterprise/

Subscribing to Symantec Email Notification Service

Subscribe to the Symantec Email Notification Service to be informed of software alerts, newly published documentation, Beta programs, and other services. Go to http://www.symantec.com/techsupp/enterprise/, select a product, and then click Email Notifications on the right side of the page. Your customer profile ensures you receive the latest Symantec technical information pertaining to your specific interests.

Accessing Symantec telephone and fax support

Telephone support for Enterprise Vault is only available with a valid support contract. To contact Symantec for technical support, dial the appropriate phone number listed on the Support Guide included in the product box and have your product license information ready for quick navigation to the proper support group. The Symantec telephone support directory is available at the Support site. Go to http://www.symantec.com/techsupp/enterprise/ and enter your product.

Related documentation

The following guides, along with the online help, comprise the Enterprise Vault

documentation set: Table 1-1 Enterprise Vault documentation set

Guide title File name

Release Notes ReadMeFirst.htm on the CD-ROM and in

the Enterprise Vault installation folder

Introduction and Planning Introduction_and_Planning.pdf Introduction_and_Planning.chm

9

Installing and Configuring Installing_and_Configuring.pdf Installing_and_Configuring.chm

Administrator's Guide Administrators_Guide.pdf Administrators_Guide.chm

Registry Values Registry_Values.chm

Enterprise Vault Help EV_Help.chm

Administration Console Help Admin_Console_Help.chm

Utilities Utilities.pdf Utilities.chm

In addition to this Enterprise Vault documentation, the following EMC Documentum documentation may be helpful:

Table 1-2 EMC Documentum documentation set

Guide title File name

Content Server Installation Guide Content_Server_53_SP3_Installation_Guide.pdf

Content Server Administrators Guide Content_Server_53_admin.pdf

Application Builder User Guide Application_Builder_53_SP1_user.pdf

Retention Policy Services Release Notes RPS_5.3_SP3_Release_Notes.pdf

Retention Policy Services User Guide RPS_53_SP3_User_Guide.pdf

10

Web Development Kit and Applications Install Guide

WDK_Applications_53_SP3_installation.pdf

Related resources

There is an Enterprise Vault Web page at: http://www.symantec.com/enterprisevault There is an EMC Documentum Web page at: http://software.emc.com/solutions/business_need/content_management/index.htm

11

Introduction The Enterprise Vault integration to Documentum enables Documentum users to perform in-place retention management of Exchange Server email messages stored in Enterprise Vault Essentially, Documentum-based retention policies are applied to content that lives solely in Enterprise Vault:

As with standalone Enterprise Vault, the primary user interface for the integrated system is Microsoft Outlook. Once messages are in the integrated system, users of native Documentum and Enterprise Vault clients can browse and search for messages managed by the system.

The integration simulates external management of retention policies by creating objects in Documentum that reference archived messages in Enterprise Vault. These Documentum objects are then controlled by standard Documentum Retention Policy Services policies, which age objects through configured retention lifecycles and ultimately delete objects as they reach expiration. When a retained message is deleted within Documentum, the integration ensures that the corresponding archived message is removed from Enterprise Vault.

An important feature of the integration is that it selectively chooses which messages to synchronize to Documentum. It selects only those messages that reside in retained message folders within each users Microsoft Exchange mailbox. Retained message folders are created by the integration when an administrator performs folder administration. Folder administration is the process of creating a folder hierarchy in Documentum to manage Enterprise Vault messages and synchronizing that hierarchy to users Exchange mailboxes. For more information about folder administration, please see Chapter 10, Folder Administration.

This integration currently only supports Exchange Server user mailbox archiving.

Logical components The Enterprise Vault integration to Documentum comprises three logical components that are each responsible for a key activity in the system. These components are:

1. Folder Synchronization This component is used by administrators to synchronize retained message folders from Documentum to Microsoft

12

Exchange. Retained message are those folders that contain message objects that reference archived messages in Enterprise Vault.

2. Message Synchronization This component is responsible for creating message objects in Documentum each time a message is archived from a managed folder and each time an Enterprise Vault shortcut is filed into a managed folder. A managed folder is a folder within a users mailbox that was initially created by the integration during folder synchronization. Each managed folder maps back to a specific retained message folder in Documentum.

3. Retained Message Disposition This component notifies Enterprise Vault that a message should be expired when the corresponding object in Documentum reaches the terminal retention phase

These logical components communicate with multiple physical components of the integrated system. These communication paths are summarized by the following diagram:

Physical components Because some logical components need to interact with multiple physical systems, there are more physical components than logical components. These physical components are deployed across four physical systems:

Documentum Content Server o DocApp This component encapsulates the schema, bootstrap

data, and business logic that needs to be installed into Documentum.

o Store Plug-in DLL This component enables Documentum to stream content from Enterprise Vault.

Documentum Application Server o WDK Overlay This component includes customizations and

extensions to the standard Documentum Retention Policy Services (RPS) web application.

13

o Web Services This component includes the web services that allow Enterprise Vault to communicate with Documentum.

Enterprise Vault o ECM API Web Services This component makes the Enterprise

Vault Enterprise Conent Management API available to Documentum by wrapping it with web services.

o Folder Administration Web Services This component publishes services that allow Documentum to create managed folders within users mailboxes.

o Custom Filter The custom filter examines messages being archived by Enterprise Vault and initiates processing in Documentum when messages are archived from managed folders.

Microsoft Exchange o Event Listener This component notifies Documentum when an

already-archived message has been moved into a managed folder.

The following diagram summarizes where the physical components are deployed:

14

Section I. Installation This section contains the following chapters:

Chapter 1, Before installing Chapter 2, Installing the Documentum extensions Chapter 3, Installing the Enterprise Vault extensions Chapter 4. Installing the Microsoft Exchange extensions

15

Before installing 1 Read this chapter to find out about the prerequisites needed before you can install the Documentum integration:

Enterprise Vault requirements Documentum requirements Microsoft Exchange requirements

Enterprise Vault requirements The Enterprise Vault components of the Enterprise Vault integration to Documentum must be installed on a system hosting Enterprise Vault 7.0. This Enterprise Vault installation ,must be configured for Exchange Server archiving. Please refer to the Enterprise Vault document Installing and Configuring Guide for instructions on setting up Enterprise Vault for Exchange Server archiving.

Documentum requirements The documentum environment must be properly set up and configured and must include at least the following components:

Documentum Content Server 5.3 sp3, Windows platforms only Documentum Retention Policy Services 5.3 sp3 Documentum Administrator 5.3 sp3 Documentum Application Installer 5.3 sp3 Documentum Web Services Framework 5.3 sp3

These components may be installed on a single machine or across multiple systems in accordance with Documentum installation guidelines. For information about setting up these Documentum components, please refer to the EMC documentation about these products.

Note: Documentum Application Installer has a dependency on the Microsoft ActiveX Control Pad control, which is often missing from Documentum installations. Follow these steps to determine if your machine has the control installed:

1. Open an Explorer window and navigate to %WINDIR%\System32, where %WINDIR% is your Windows installation directory.

2. Look for the file named mscomctl.ocx in this folder. 3. If the file exists, the control is installed.

If the control is not present on the machine, it can be downloaded directly from Microsoft from

16

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/cpad.asp.

Microsoft Exchange requirements The Microsoft Exchange Server must be Microsoft Exchange 2003 with service pack 2 or later.

17

Installing the Documentum extensions 2 Read this chapter to find out:

How to use the EvdmSecurityUtil.exe utility to create authentication tokens How to install the Documentum extensions.

Creating the Integration Administrator account Before installing the Documentum extensions, it is important to create a Documentum account that the extension services will use. This Integration Administrator account will be used by the integration to access, create, modify, and delete objects in Documentum.

Follow these steps to create this user account:

1. Login to Documentum Administrator as a user with permissions to create other users (e.g., an administrative or superuser account).

2. Navigate to Administration User Management Users in the left-hand navigation control.

3. Create a new user by selecting File New User from the menubar. 4. Select Superuser when prompted for the users privileges. 5. Fill out the other fields as appropriate, and click OK to create the user.

After creating the user, you must also add it to the dm_retention_manager role. Follow these steps to add your Integration Administrator to this role:

1. Login to Documentum Administrator as a user with permissions to edit groups (e.g., an administrative or superuser account).

2. Navigate to Administration User Management Roles in the left-hand navigation control.

3. Click on the role named dm_retention_manager. 4. Select File Add Member(s) from the menubar. 5. Select the user you created in the previous step.

Your Integration Administrator is now properly setup.

Store plug-in installation The store plug-in enables Documentum Content Server to stream content directly from Enterprise Vault. Installing the plug-in consists of two steps: 1) Creating the plug-in and store objects within Documentum using Documentum Administrator, 2) Creating an authentication token and storing it in the Windows registry.

18

Creating the plug-in and store Follow these steps to create the required plug-in and store objects within Documentum:

1. Log in to Documentum Administrator using an account with Superuser privileges.

2. Navigate to Administration Storage in the navigation tree. 3. In the right-hand pane, select the menu item File New Plug-in.

4. Name the plug-in AuthHttpPlugin and select DLL (Windows) as the plug-in

type.

5. Click OK to create the plug-in object. 6. In the right-hand pane, find the plug-in object you just created. If your

plug-in is not visible on the page, you may need to navigate to another set of objects using the Page controls at the top of the pane. You may also search for your plug-in using the Starts with filter at the top of the pane.

19

7. Select the plug-in object by clicking its checkbox.

8. From the File menu, select Import Content.

9. Click Browse and navigate to

\DocumentumIntegration\Documentum\Plugin from the Enterprise Vault

20

install CD. Select the file named EvdmHttpReader.dll.

10. Click OK. The Documentum content transfer applet will initialize to upload

the file to the Documentum Content Server. If you are prompted to accept a certificate from Documentum, select Yes.

11. Once the DLL has been uploaded, you can confirm that the upload was successful by verifying the size of the objects content is larger than 1 KB.

12. Unselect the plug-in by clicking its checkbox. This is necessary to enable

the correct menu items for the next step.

21

13. In the right-hand pane, select the menu item File New External URL Store.

14. Name the external URL store AuthHttpStore, select the option to execute

the plug-in On Server, and next to the Windows label, select the name of the plug-in you just created (AuthHttpPlugin).

15. Click OK to create the store object.

22

Setting up authentication for AuthHttpPlugin Note: The authentication key generation utility requires that the Microsoft .NET v1.1 framework be installed on the computer upon which the utility is run. If the Documentum machine does not have the .NET framework installed, you may run the utility (steps 1-3 below) on a different machine to generate the authentication token. Simply copy this text string onto the Documentum system to complete the setup process (steps 4-7 below).

Follow these steps to register the authentication token for the plug-in:

1. Log on to the system hosting Documentum using an account that can modify system registry settings.

2. Open a command prompt. 3. Change the working directory to \DocumentumIntegration\Tools on the

Enterprise Vault CD.

4. Execute the EvdmSecurityUtil.exe utility using the following command line:

EvdmSecurityUtil.exe --reader --user= --pass=

where domain is the domain of the vault service account, username is the vault service account name, and password is the password for the vault service account. You will need to capture the output from this utility. You can do this either by copying directly from your shell window, or by directing the output of this utility to a file that you can later open in a text editor:

EvdmSecurityUtil.exe --reader --user=domain\vaultadmin --pass=foo > c:\auth.out

5. Copy the file register-plugin.reg from \DocumentumIntegration\Documentum\Plugin on the Enterprise Vault CD to a local directory on your install machine. This can be a temporary directory.

6. Open the file in a text editor. 7. Replace the text ENTER_AUTHORIZATION_TOKEN_HERE with the string

created by EvdmSecurityUtil.exe in step 3.

8. Save the file. 9. Open a Windows Explorer window and navigate to the copy of

register-plugin.reg you edited.

10. Double click on the file, and select Yes when you are prompted to add the information from the file to the registry.

These steps create the key HKEY_LOCAL_MACHINE \SOFTWARE

23

\KVS \EnterpriseVault \EVDM Adapter

if it does not already exist, and add a single string value, AuthorizationToken, to the key.

If more than one Documentum Content Server is being used (for example, in a federated deployment), this registry entry will need to be added to each Content Server system.

DocApp installation The DocApp contains the default schemas and data, and contains the business logic and services (TBOs and SBOs) that the integration requires. To install the DocApp, follow these steps:

1. Log on to the system hosting Documentum using an account that can modify system registry settings.

2. Navigate to DocumentumIntegration\Documentum\DocApp on the Enterprise Vault CD.

3. Extract the contents of SymantecEnterpriseVault.zip into a directory on the Documentum Content Server machine.

4. Install the DocApp using Documentum Application Installer. Please refer to the Documentum documentation on Documentum Application Installer if you need assistance running this program.

WDK overlay installation The WDK overlay contains extensions and customization to the default Documentum Retention Policy Services web application. The WDK overlay enables Documentum Retention Policy Services to create and manage managed folders.

To install the WDK overlay, follow these steps:

1. Log on to the system hosting Documentum using an account that can write to the RPS web application directory (e.g., C:\tomcat5\webapps\rpsa).

2. Navigate to DocumentumIntegration\Documentum\WDK on the Enterprise Vault CD.

3. Extract the contents of the zip archive wdk-distributionsp3.zip into the RPS web application directory. For example, if RPS is installed in C:\tomcat5\webapps\rpsa, you would extract the contents of the archive into this directory.

4. Restart the application server hosting RPS.

24

You can verify the successful installation of the WDK overlay by logging into RPS and selecting the Cabinets node in the navigation hierarchy. You should see a cabinet named Enterprise Vault Folders and a new menu named Enterprise Vault.

Documentum web services installation The Documentum web services expose service methods to Enterprise Vault and Microsoft Exchange so that those applications can notify Documentum when a new managed email message object must be created.

To install the Documentum web services, follow these steps:

1. Log on to the system hosting Documentum using an account that can write to the Documentum Web Services web application directory (e.g., C:\tomcat5\webapps\ws).

2. Login to Documentum Administrator or Documentum Retention Policy Services as a superuser.

3. In the navigation tree, navigate to Cabinets System Applications SymantecEnterpriseVault.

25

4. Select ws.war by checking its checkbox.

5. From the menu bar in the right-hand pane, select File Export. 6. Choose a location on the system and export the file. 7. Navigate to the exported file and check the file name. If the file name is

ws.war.war, rename it to ws.war.

8. Deploy this file to the Documentum application server. For most application servers, you can simply copy this file to the root of the web applications directory. Some application servers may require a restart.

You can verify successful installation of the web services by:

1. Open a new browser window. 2. Navigate to the ws application on the Documentum application server

(e.g., http://dctm_appserver:8080/ws).

3. Click the View link. 4. Verify that MessageSynchronizationService is listed and verify that

you can access its WSDL by clicking on the link.

Post-installation tasks After installing the Documentum components, you still need to configure the application by editing the AppConfig.xml file checked into the docbase. Please see

26

Chapter 5 Configuring the Documentum extensions for instruction on how to configure the Documentum components.

27

Installing Enterprise Vault extensions 3 Read this chapter to find out:

How to install the Enterprise Vault extensions. Before installing the Enterprise Vault extensions, do the following:

Using the Enterprise Vault Administration Console, create a new retention category that will be applied to messages being managed by Documentum. Set the retention period for 1 day, and select the checkbox to lock the retention category. Remember the name you give this category, as you will need the name to configure the extensions.

Stop the Mailbox Archiving Task on the target machine. This can be done

through the Vault Administration Console.

The Vault extension wizard The Enterprise Vault extensions comprise two web services and an Enterprise Vault custom filter. All three components can be installed and configured using the provided Windows installer.

Follow these steps to install the Enterprise Vault extensions:

1. Navigate to \DocumentumIntegration\Vault on the Enterprise Vault CD.

28

2. Double-click the file named EvdmVaultExtensions.msi. If you are prompted with a dialog asking whether you want to run this file, select Open. You should see the first screen of the installation wizard:

3. Click Next. You will be presented with the license agreement. Read the

agreement, accept it, and click Next again.

4. You will be presented with a screen prompting for settings about your Exchange Server. Fill in these fields as follows:

Exchange Server Name The name of the Microsoft Exchange server the integration should use to administer user mailboxes.

Exchange Server Domain The domain of the Exchange server. Vault Mailbox The mailbox created for use by the Exchange

Server archiving tasks. This mailbox must have permissions to open all other users mailboxes.

29

Click Next after entering values in all the fields.

5. You will be presented with a screen prompting for settings about your Enterprise vault installation. Fill in these fields as follows:

Encoded Authorization String This is the token used to authenticate communication between Documentum and Enterprise Vault. The token can be generated using the EvdmSecurityUtil.exe tool found in the \DocumentumIntegration\Tools folder on the Enterprise Vault CD. To generate the token, run the tool from a command prompt using the --server and --pass parameters. You can provide any password you like at this point. Be sure to remember the password, as you will need this password to later configure the Documentum extensions (see Chapter 5.

Vault Retention Category This is the name of the retention category you set up for the integration prior to running the wizard.

Vault Fully Qualified Domain Name The full name of the Enterprise Vault machine. For example, vault1.demodomain.com.

Vault Service Account Name The name of the Vault service account. It is used to populate the identity of the IIS application pool created to host the integration web services.

Vault Service Account Password The password for the Vault service account.

30

Click Next after entering values for all the fields.

6. You will be presented with a screen prompting for settings about your Documentum installation. Fill in these fields as follows:

Documentum Credentials Service URL This is the URL to the Documentum Credentials web service. This is typically http:///ws/services/DocbaseCredentials for a standard Documentum installation.

Documentum Message Service URL This is the URL to the Message Synchronization web service on the Documentum server. With a standard installation of the EVDM Documentum extensions, this URL is typically http:///ws/services/MessageSynchronizationService.

Documentum Docbase Name The name of the docbase into which the Documentum extensions were installed.

Documentum Administrator Name The name of the integration administrator created before installing the Documentum extensions.

Documentum Administrator Password The password for the integration administrator.

31

Click Next after entering values for all the fields.

7. You will be presented with a screen notifying you that the wizard has collected all of its input and is ready to install the extensions. Click Next to proceed.

8. Once the installation is finished, use the Vault Administration Console to re-start the Mailbox Archiving Task.

You can verify that the Enterprise Vault extensions have been installed correctly by performing the following tasks:

1. Open a browser to http://vault_machine/EvAdminService/ContentManagementService.asmx. You should receive an IIS web service description page.

2. Open a browser to http://vault_machine/ExchangeAdminService/FolderService.asmx. You should receive an IIS web service description page.

3. Verify that the log file EvdmMessageSyncProxy.log exists in the root directory of the drive upon which Enterprise Vault is installed.

4. Examine the Enterprise Vault log using the system Event Viewer. Verify that there are no errors related to the EvdmMessageSyncFilter.

Silent install You can launch the Vault extensions installer in a silent mode using the following command line:

msiexec /i EvdmVaultExtensions.msi /q PROP1=prop 1 value PROPN=prop n value

32

where PROP1PROPN are the property names and values that you need to provide to the installer. These properties correspond to each of the fields you would otherwise complete when installing with the user interface. These properties are:

IIS_USER_NAME The domain and user name (in domain\username format) of the Vault service account.

IIS_USER_PASS The password for the Vault service account. AUTH_STRING This is the encoded authentication string for

authenticating between Enterprise Vault and Documentum. See step 5 above for instruction on generating this string.

RETENTION_CATEGORY This is the name of the retention category you set up for the integration prior to running the wizard.

EXCHANGE_SERVER The name of the Exchange server machine used for administering user mailboxes.

EXCHANGE_DOMAIN The domain of the Exchange server. EXCHANGE_ADMIN_MAILBOX The mailbox created for use by the

Exchange Server archiving tasks. This mailbox must have permissions to open all other users mailboxes.

VAULT_FQDN The fully qualified domain name of the Enterprise Vault server.

DCTM_WS_CREDENTIALS_URL The URL to the Documentum credentials web service.

DCTM_WS_MESSAGE_SYNC_URL The URL to the message synchronization service hosted on the Documentum application server.

DCTM_DOCBASE The name of the Documentum docbase in which the extensions are installed.

DCTM_ADMIN_USER The name of the integration administrator created before installing the Documentum extensions.

DCTM_ADMIN_PASS The password for the integration administrator. Please note that all of these properties must be specified on the command line for a successful installation.

33

Installing Microsoft Exchange extensions 4 Read this chapter to find out:

How to install the Microsoft Exchange extensions. Installing the Microsoft Exchange extensions consists of three activities:

1. Installing files on the Exchange server. 2. Creating a new COM+ application. 3. Installing an Exchange event sink in the new COM+ application.

This chapter will walk you through these steps.

File installation The first step in installing the Microsoft Exchange extensions is to copy the Exchange extensions files onto the Exchange server and register them as appropriate in the Windows and .NET registries.

Follow these steps to install the files onto the Exchange server:

1. Log on to the system hosting Microsoft Exchange using an account with full Administrator privileges.

2. Navigate to \DocumentumIntegration\Exchange on the Enterprise Vault CD. 3. Copy the EVDM folder to the %WINDIR%\System32 directory,

where %WINDIR% is your Windows installation directory.

4. Open a command prompt, and navigate to the %WINDIR%\System32\EVDM directory.

5. Edit the file eventHook.config, setting the properties as follows: EVDM_MESSAGE_SYNC_SOURCE Do not change from the default.

This should always be set to exchange.

EXCHANGE_DOMAIN_NAME The domain of the Exchange server. DCTM_DOCBASE_CREDENTIALS_SERVICE_URL The URL to the

Documentum credentials service hosted on the Documentum application server.

DCTM_MESSAGE_SYNC_SERVICE_URL The URL to the message synchronization service hosted on the Documentum application server.

DCTM_DOCBASE_NAME The name of the Documentum docbase in which the extensions are installed.

DCTM_DOCBASE_USERNAME The name of the integration administrator created before installing the Documentum extensions.

34

DCTM_DOCBASE_PASSWORD The password for the integration administrator.

Ensure there is a element for each MAPI message class the event sink should listen to. For example:

6. Run the install.bat batch script to register the DLLs. You can verify the correct registration of these files by monitoring the output of the batch script. You should observe a dialog box notifying you of the successful registration of NVDMArchiveWatcher.dll, and you should see the messages Assembly successfully added to cache and Types registered successfully output to your command window.

Creating the COM+ application The COM+ application acts as a container for the Exchange event sink that enables Exchange to communicate with the event handler logic.

Follow these steps to create the COM+ application:

1. Log on to the system hosting Microsoft Exchange using an account with full Administrator privileges.

2. From the Windows Start menu, select Programs Administrative Tools Component Services. This will launch the Component Services Administration Console.

3. In the left-hand tree control, navigate to Component Services Computers My Computer.

35

4. Right click on the folder named COM+ Applications and select New Application.

5. The COM+ Application Install Wizard will open. Click Next, and then select

Create an empty application.

36

6. Enter a name for the application (EvdmMessageHandler is a good choice), ensure Server application is selected, and click Next.

7. For application identity, select This user and enter the credentials for the

Vault service account. Click Next.

8. You will now see the Add Application Roles screen. You do not need to add

any additional application roles, so just click Next.

9. You will now see the Add Users to Roles screen. You do not need to add any users to any roles, but you should verify that the Vault service account has

37

been given the CreatorOwner role. Click Next to continue.

10. Click Finish to complete the wizard.

You can verify that the COM+ application was successfully created by navigating to the new application in the tree control.

Installing the Exchange event sink into COM+ Now that you have created the container COM+ application, you need to install the Exchange event sink.

Follow these steps to install the event sink:

38

1. In the Component Services Administration Console, navigate to the COM+ application you created.

2. Right click on the Components folder and select New Component. This will launch the COM+ Component Install Wizard.

3. Select Install new components.

39

4. Select Add and then browse to the directory where you installed the files (%WINDIR%\System32\EVDM). Select NVDMArchiveWatcher.dll.

5. Click Next and then click Finish to complete the wizard.

The Microsoft Exchange extensions are now installed.

40

Section II. Configuration This section contains the following chapters:

Chapter 5, Configuring the Documentum extensions Chapter 6, Configuring the Enterprise Vault extensions Chapter 7, Configuring the Microsoft Exchange extensions Chapter 8, Common configuration tasks

41

Configuring the Documentum extensions 5 Read this chapter to find out:

How to configure the Documentum extensions.

AppConfig.xml The Documentum extensions retrieve configuration data from a document checked into the docbase in which the extensions are installed. By default, the DocApp installs AppConfig.xml into Cabinets System Applications SymantecEnterpriseVault AppConfig.xml. Modifying the configuration consists of the following four steps:

1. Login to Documentum Administrator as a user that has access to write inside the System cabinet.

2. Check out AppConfig.xml. 3. Edit the file in a text editor or XML editor. 4. Check AppConfig.xml back in. 5. Restart the application server(s) hosting RPS and the Documentum web

services.

Required configuration After installing the Documentum extensions, some required configuration must be performed before the system is operational. The following elements in AppConfig.xml need to be updated with the appropriate values:

This element identifies the integration administration user to Documentum. The value for the name attribute must be the name of the integration administrator created prior to installation of the Documentum extensions (see Chapter 2).

This element stores the encrypted authentication token Documentum uses to authenticate with the Enterprise Vault web services. The value for authToken is generated using the EvdmSecurityUtil utility. (Note: Do not use the token created during Documentum setup in Chapter 2. You must create a new token using the steps below.)

1. Navigate to the \DocumentumIntegration\Tools folder on the Enterprise Vault CD.

2. Run EvdmSecurityUtil with the following command line:

EvdmSecurityUtil.exe --client --pass=

42

where is the same password used to set up the Vault extensions (Chapter 3).

3. Copy the encrypted credential string into AppConfig.xml.

This element contains the connection information that enables Documentum to connect to the Folder Administration Web Services on the Enterprise Vault machine. The value for wsdlUrl should be a full URL to the service WSDL (e.g., http://enterpriseVault/ExchangeAdminService/FolderService.asmx?wsdl.). Please note that URL is different than the URLs setup during configuration of the Enterprise Vault . extensions

The wsdlUrl attribute must be updated to point to the WSDL for FolderService. The name attribute should not be changed.

This element contains the connection information that enables Documentum to connect to the ContentManagementService web service on the Enterprise Vault machine. The value for wsdlUrl should be a full URL to the service WSDL (e.g., http://enterpriseVault/EvAdminService/ContentManagementService.asmx.asmx?wsdl.). Please note that URL is different than the URLs setup during configuration of the Enterprise Vault extensions.

The wsdlUrl attribute must be updated to point to the WSDL for ContentManagementService. The name attribute should not be . changed

java_date_format_string This element configures the Java date format used to interpret dates coming into the system from Outlook clients. It is important that the format string specified here matches the format used by the Outlook clients. Otherwise, dates may be interpreted incorrectly. Some examples of common date format strings include:

MM/dd/yyyy HH:mm:ss (US) dd/MM/yyyy HH:mm:ss (EU/UK) yyyy/MM/dd HH:mm:ss (Japan) For more information about date format strings, please see the Java API documentation regarding the java.text.DateFormat class.

Optional configuration In addition to the required configuration items, there are also three optional configuration elements:

43

This element specifies the path to the root of the managed message hierarchy in Documentum. If you modify this value, you must ensure that the path points to a valid location and that the Documentum type of the target object is either an EV Message Folder (sym_ev_message_folder) or an EV Message Cabinet (sym_ev_message_cabinet). The default value for this parameter is /Enterprise Vault Folders.

This element specifies the path to the root of the managed message hierarchy within Outlook. This path is relative to the root of each users mailbox (i.e., the parent of Inbox). When folders are synchronized from Documentum to Microsoft Exchange, the Documentum folder specified in the element maps to the Outlook/Exchange folder specified in . The default value for this parameter is /Retained Messages.

44

Configuring the Enterprise Vault extensions 6 Read this chapter to find out:

How to change the configuration settings specified at install time. How to specify an email message to be sent to users during folder

synchronization.

Toggling logging from Message Synchronization Filter.

Modifying configuration settings You can modify most of the configuration settings collected during installation by directly editing the configuration files. These configuration files reside in three places:

1. %EVDIR%\Documentum\EvAdminService\Web.config 2. %EVDIR%\Documentum\ExchangeAdminService\Web.config 3. %EVDIR%\Documentum\MessageSyncFilter\evdm-message-sync-config.xml

These configuration files contain documentation inside them to guide you in making modifications. For more information on performing common configuration tasks, please see Chapter 8 Common configuration tasks.

The only configuration activity that cannot be modified by editing one of these configuration files is updating the credentials for the Vault service account in IIS. If you need to update the Vault Service account credentials, follow these steps:

1. Open up IIS Manager by clicking on the Windows Start menu and navigating to Programs Administrative Tools Internet Information Services (IIS) Manager.

2. Expand the Application Pools folder in the tree control. 3. Right-click on the application pool named EvdmAppPool and select

Properties from the context menu.

45

4. Select the Identity tab and enter the updated credential information.

5. Click OK to close the dialog.

Specifying the folder synchronization email message

The system can send an email message out to users each time their mailboxes are synchronized with the retained folder hierarchy in Documentum. By sending out the message each time folder synchronization occurs, the system can alert users when new managed folders are available.

By default, the system sends out the message located at %EVDIR%\Documentum\ExchangeAdminService\EnableMailboxForDocumentumRetention.msg. You may edit this message to suit your needs, or you may specify a different message to send upon folder synchronization.

To specify a different message, you only need to set the INTRO_EMAIL_PATH property in %EVDIR%\Documentum\ExchangeAdminService\Web.config to point to the message you would like sent out.

Toggling logging from the Message Sync Filter By default, the message synchronization filter logs its activity to a file named EvdmMessageSyncProxy.log in the root directory of the drive upon which Enterprise Vault is installed. You can toggle this logging on and off by following these steps:

1. Open %EVDIR%\Documentum\MessageSyncFilter\evdm-message-sync-config.xml in a text editor or XML editor.

2. Find the property named TRACE_ENABLED.

46

3. Set the value of the property to true if you want to enable tracing and false if you want to disable tracing.

4. Save the file and exit the editor. 5. Using Enterprise Vault Administration Console, restart all Mailbox

Archiving tasks.

47

Configuring the Microsoft Exchange extensions 7 All configuration for the Microsoft Exchange extensions can be performed by editing the file %\System32\EVDM\eventHook.config.

Please see Chapter 4, Installing the Microsoft Exchange extensions for details on editing this file.

48

Common configuration tasks 8 Read this chapter to find out how to perform common configuration tasks such as:

Update the credentials for the Vault service account Update the credentials for the Documentum integration administrator

account

Changing which Documentum server is active in the integration Changing which Enterprise Vault server is active in the integration Changing the retention category assigned to managed messages in

Enterprise Vault

This chapter makes multiple references to various configuration files. For later reference, here is the complete list of the configuration files with their locations:

EvAdminService: Vault machine. %EVDIR%\Documentum\EvAdminService\Web.config

ExchangeAdminService: Vault machine. %EVDIR%\Documentum\ExchangeAdminService\Web.config

MessageSyncFilter: Vault machine. %EVDIR%\Documentum\MessageSyncFilter\evdm-message-sync-config.xml

ExchangeEventSink: Exchange machine. %WINDIR%\System32\EVDM\eventHook.config

AppConfig: Documentum machine. /System/Applications/SymantecEnterpriseVault/AppConfig.xml

Updating the Vault service account credentials You will need to update the integration configuration if you change the Vault service account credentials or if you want to use a different Vault service account.

These are the items in the integrated system that you need to modify to update the Vault service account credentials:

1. You will need to update the authentication token for the Documentum plug-in. Please see the section Setting up authentication for AuthHttpPlugin in Chapter 2 for instructions detailing how to set the authentication token.

2. You will need to update the identity credentials for the EvdmAppPool application pool in IIS on the Enterprise Vault machine. Please see the section Modifying configuration settings in Chapter 6 for instructions on modifying these application pool settings.

49

Updating the Documentum integration admin credentials

You will need to update the integration configuration if you change the Documentum integration administrator credentials or if you want to use a different account.

These are the items in the integrated system that you will need to modify to update the Documentum integration administrator:

1. You will need to update the Documentum credentials in the MessageSyncFilters configuration. You will need to update DCTM_DOCBASE_USERNAME and/or DCTM_DOCBASE_PASSWORD.

2. You will need to update the Documentum credentials in the Exchange event sink configuration. Please see the section File installation in Chapter 4 for instructions on updating this configuration.

3. If you change the name of the integration administrator, you will also need to update the element in the AppConfig.xml configuration file in the docbase (see Chapter 5).

Changing the active Documentum application server

To change which Documentum application server is responding to web services requests, you will need to update the web services URLs in the MessageSyncFilter and ExchangeEventSink configurations.

Changing the active Enterprise Vault server To change which Enterprise Vault server is responding to web services requests, you will need to update the web services URLs in AppConfig.xml.

Note: It is not possible to change which Enterprise Vault server responds to content streaming requests from Documentum.

Changing the managed message retention category If you change the name of the retention category configured in the system or if you want to use a different retention category, you will need to update the references to the retention category name in the MessageSyncFilter and ExchangeAdminService configurations.

50

Tuning the Message Synchronization Filter The rate at which the Message Synchronization Filter sends requests to Documentum can be tuned by modifying parameters in the Message Synchronization Filter configuration file (%EVDIR%\Documentum\MessageSyncFilter\evdm-message-sync-config.xml). Adjusting these parameters is recommended in order to get the best possible performance out of the integrated system. The two parameters that impact filter performance are:

100 This parameter controls how many messages are synchronized to Documentum per transaction. Increasing this value may improve performance.

30000 This parameter controls the interval between message synchronization transactions initiated by the queue timer thread. Decreasing this value may improve performance.

Performance Caveats If the Message Synchronization Filter is tuned to send messages to the Documentum server at too high a rate (i.e., the SYNC_QUEUE_MAX_MESSAGES_PER_TRANSACTION is too high and/or the SYNC_QUEUE_TIMER_INTERVAL is too low), the Documentum server may be unable to keep up with the transaction load. If this happens, some messages may not successfully synchronize to Documentum. This can be checked by examining the Documentum logs (typically found in %Documentum%\logs) for errors. If errors are found, the filter should be throttled back by reducing the value for SYNC_QUEUE_MAX_MESSAGES_PER_TRANSACTION and/or increasing the value for SYNC_QUEUE_TIMER_INTERVAL. A good measure to take note of is the average CPU load on the Documentum server during heavy message synchronization. A good target for achieving optimum performance and reliability is 75% to 80% CPU utilization.

51

Section III. Administration This section contains the following chapters:

Chapter 9, User administration Chapter 10, Folder administration

52

User administration 9 Read this chapter to find out how to associate Documentum users with Enterprise Vault and Microsoft Exchange users.

User mapping The integration uses the user_os_name and user_os_domain attributes of dm_user to map Documentum users to Microsoft Exchange users.

No special steps are required when performing user administration within either system to associate these user entities with one-another.

53

Folder administration 10 Read this chapter to find out how to:

Create retained message folders in Documentum Synchronize retained message folders to users Exchange mailboxes

Creating retained message folders in Documentum When the integration is first installed, there are no retained message folders in the system. In order to enable Documentum retention policies to apply to Vault-based messages, a hierarchy of retained message folders must be created. This hierarchy must reside under the path specified in the element of AppConfig.xml. This path defaults to /Enterprise Vault Folders.

To create a retained message folder, follow these steps:

1. Log into RPS using an account that has permissions to create folders under the retained message root.

2. Navigate to a location under the retained message root.

3. On the File menu in the right-hand pane, select File New Folder.

54

4. On the first screen of the New Folder wizard enter a name, and select Retained Message Folder (sym_ev_message_folder) as the folder type.

5. You may now click on another tab to set properties on the folder or modify

the permissions for the folder, or you may now click Finish to create the folder with default properties and access permissions. Please see the section below about folder security for information about how folder permissions affect the behavior of retained message folders.

6. After creating the folder, you may associate one or more retention policies with it. Please refer to the Documentum documentation for creating and applying retention policies.

Synchronizing retained message folders to Exchange

Once you have created retained message folders, you can synchronize the retained message folder hierarchy with users mailboxes in Microsoft Exchange.

The hierarchy is always synchronized in its entirety. This ensures that there are no discrepancies caused in users mailboxes due to incorrect selection of folders to synchronize.

Note that this does not necessarily mean that every folder in the hierarchy is created in each users mailbox. Rather, folders are selectively created in users mailboxes according to the permissions set on the each folder in Documentum. For

55

more information about how permissions affect folder synchronization, see the section below about security and folders.

To synchronize folders, follow these steps:

1. Navigate to the retained message root in the right-hand pane and select the root folder. This will enable the Synchronize Folders action on the Enterprise Vault menu.

2. You will now be presented with the Folder Synchronization screen. This

gives you the opportunity to select specific users to synchronize or

56

synchronize folders for all users.

3. If you click the link select individual users, you will be redirected to a

user-picker dialog to select the users whose mailboxes you want to synchronize with the retained message folder hierarchy.

57

4. Upon selecting users and clicking OK, you will be returned to the Folder Synchronization screen. This time note that the names of the users you selected in the user picker are displayed on the bottom section of the screen.

At this point you may click the user selection link again to change your user selection, you may click OK to synchronize folders with the selected users, or you can re-check the Synchronize folders for all users checkbox and then click OK to synchronize folders for all users in the system.

5. After clicking OK, you will be presented with a summary of your synchronization request. If there were any errors during synchronization,

58

they will be displayed at this time.

6. Click OK to dismiss the dialog. Synchronization is complete. Once synchronization is complete, each user whose mailbox was synchronized could log into Outlook and begin filing messages into the managed folders. These messages ultimately get synchronized back into Documentum so that retention policies can be applied to them.

Folder security settings In addition to providing standard Documentum access controls, security settings in retained message folders serve two other purposes:

1. They drive which folders are synchronized to each users mailbox. 2. They define the permissions settings for the message objects that get

created inside each folder.

Folder permissions and selective folder synchronization The general rule for Documentum folder permissions and the synchronization service is:

If a user can browse to a folder in Documentum, that user will be able to access the synchronized folder from Outlook.

59

This means that Documentum administrators can easily define how folders are synchronized simply by manipulating standard Documentum permissions.

As with other Documentum applications, it is recommended to use groups over individual users whenever possible when specifying permissions. This keeps the ACL count low and helps improve performance.

Note: This folder synchronization policy does not mean that every retained message folder a user can access in Documentum gets synchronized to the users mailbox. In Documentum, it is possible for a user to be able to access a given folder but not be able to access the folders parent. In this system, the user needs to be able to directly browse from the root of the retained message hierarchy down to a folder in order for the folder to be synchronized. Enabling synchronization for sub-folders for which the user may have access would create orphaned folders and would complicate the user experience in Outlook.

Folder permissions and user access to retained messages Folder permissions also dictate access for retained messages contained within retained message folders. Typically, the only users that can access a retained message are the message owner (the recipient of the message), and the integration administrator. Therefore, when browsing through the retained message hierarchy, a user sees only his/her messages.

An administrator can provide users with access to all messages in a given folder by granting write access on the folder to those users. This enables an administrator to create semi-public folders of retained messages within Documentum.

There are two important details about this behavior:

1. The access grants only pertain to messages directly contained within the folder. (They do not recurse to sub-folders.)

2. When folder permissions are modified, the permissions of all of the messages directly contained in the folder are also updated. Note that this has the effect of overwriting any individual permission modification that may have occurred on a given message.