Post-Installation

This section contains post-installation steps.


3DCompass URL Registration in 3DPassport

If the 3DPassport service is up and running before installing 3DSpace, this step is not necessary since it is managed automatically by the 3DSpace installer.

If the 3DPassport service is not reachable at 3DSpace installation time, this step is mandatory.

Each time a user updates a 3DPassport account (for example, when changing the first name or last name attributes), the changes need to be registered in the 3DCompass app so they are updated throughout the entire 3DEXPERIENCE platform. Consequently, the 3DCompass URL needs to be registered in 3DPassport.

When you install 3DSpace using the dedicated 3DSpace installer, the 3DSpaceRegistrationIn3DPassport.bat or 3DSpaceRegistrationIn3DPassport.sh script is executed automatically, which registers the 3DCompass URL in 3DPassport. If the script fails, after the installation is completed, you must run the script manually.

Note: The 3DPassport service must be running before launching this command.

To do so on Windows, go to:

<3DSpaceInstallPath>/win_b64/code/command

and run the command:

3DSpaceRegistrationIn3DPassport.bat

and on Linux:

<3DSpaceInstallPath>/scripts or <3DSpaceInstallPath>/linux_a64/code/command

and run the shell 3DSpaceRegistrationIn3DPassport.sh.

The value for the 3DCompass URL is indicated by the MYAPPS_URL variable.

Note: The command does not require additional parameters, as all inputs are written inside the script.

Setting a security key for 3DCompass

You can secure the communication with 3DPassport using a generated secret key.

Note: To finalize the 3DEXPERIENCE platform installation, you have to run the script to set up the secret key for the given credential.

For more information about the secret key generation, see Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Administration: 3DPassport: Configuring Security Settings: Configuring 3DPassport APIs

After you generate the secret key, retrieve it:

  • For Windows: go to <3DSpaceInstallPath>/win_b64/code/command and run myapps_register_passport_secret.bat -u creator -p CreatorPassword -c {Client ID} -s {Secret Key}
  • For Linux: go to <3DSpaceInstallPath>/scripts and run myapps_register_passport_secret.sh -u CreatorPassword -c {Client ID} -s {Secret Key}

The configuration is stored (encrypted) inside the database, and is used for each interaction with the 3DPassport API.

Restart TomEE to take into account the new configuration.

If the Secret Key or Client ID is no longer valid or has been removed from 3DPassport, retrieving user information no longer works, and inviting or updating users no longer works inside 3DCompass.

Securing access to creator file

The following 3DSpace scripts need to connect to the server as creator through the mql utility:

3DSpaceRegistrationIn3DPassport.{sh|bat}

FullTextSearch_partial_indexation.{sh|bat}

FullTextSearch_PostInstall.{sh|bat}

To avoid having the creator password in plain text in these scripts, an encrypted password file is generated during the installation: <3DSpace install path>/credentials/creator

The script files then connect to the server using this pattern:

<3DSpace install path>/scripts/mql -t -c "set context user creator filename <3DSpace install path>/credentials/creator ; the mql command"

Using this file makes it possible to connect as creator in mql without knowing the password. Therefore, for security reasons, you must secure the access to this file: <3DSpace install path>/credentials/creator

If this does not fit your security policy, remove the creator file and modify the three script files mentioned above to use another method of authentication, for example "set context user creator password xxx".
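One way to audit the points above on Linux, as an added example that is not part of the 3DSpace installer or its documentation: it checks the mode of the credentials/creator file and of its directory, and reports which mql authentication form a script uses. The function names and the constructed temporary layout are assumptions, and the hardening step assumes the scripts run as the owner of the file; only the two "set context user creator ..." forms come from this page.

```python
import os
import re
import stat
import tempfile

# The two mql authentication forms quoted on this page.
PLAINTEXT_RE = re.compile(r"set\s+context\s+user\s+\S+\s+password\s+\S+", re.I)
FILENAME_RE = re.compile(r"set\s+context\s+user\s+\S+\s+filename\s+(\S+)", re.I)


def audit_credential_file(path):
    """Return findings for the encrypted creator password file at `path`."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("credential path is a symbolic link")
        st = os.stat(path)  # continue with the link target
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other (mode %04o)" % mode)
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH):
        # Anyone who can write the directory can swap the file.
        findings.append("directory is writable by group/other (mode %04o)" % pmode)
    return findings


def audit_script(path):
    """Report how one launcher script authenticates to mql."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "plaintext_password": bool(PLAINTEXT_RE.search(text)),
        "credential_files": sorted(set(FILENAME_RE.findall(text))),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def harden_credential_file(path):
    """Restrict the file to its owner and the directory to owner-only access."""
    os.chmod(path, 0o600)
    os.chmod(os.path.dirname(os.path.abspath(path)), 0o700)


if __name__ == "__main__":
    # Constructed layout standing in for <3DSpace install path>.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "credentials"))
    cred = os.path.join(root, "credentials", "creator")
    with open(cred, "w") as fh:
        fh.write("constructed-encrypted-blob")
    os.chmod(cred, 0o644)
    script = os.path.join(root, "3DSpaceRegistrationIn3DPassport.sh")
    with open(script, "w") as fh:
        fh.write('mql -t -c "set context user creator filename %s ; the mql command"\n' % cred)
    print(audit_credential_file(cred))
    harden_credential_file(cred)
    print(audit_credential_file(cred))
    print(audit_script(script))
```

A script that reports plaintext_password together with world_readable exposes the creator password to every local account, which is the situation the encrypted file is meant to avoid.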

Core Users

The following users are not counted as active/inactive users: creator, guest, Test Everything, User Agent, Corporate. Hence, login with these users to the 3DSpace default FCS URL is restricted.

Methodology for Creating Platform Users and Assigning Roles

The admin_platform user, by default, needs the following licenses:

  • IFW (provides access to the 3DEXPERIENCE platform)
  • CSV (for connection to web apps). It is required typically by end users connecting to native apps. It also provides access to the Collaboration and Approvals menu.

There are two methods of creating platform users and assigning roles:

  • By inviting them as a Platform Manager in the Platform Management Dashboard.

See Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Administration: Platform Management: Members and Roles: Managing Members: Inviting Members: Inviting Members one by one or Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Administration: Platform Management: Members and Roles: Managing Members: Inviting Members: Inviting Members Using a .csv File.

After the platform administrator has created the invitations and sent them, the platform users are created and assigned to the Common Space collaborative space. They are not yet activated but visible if you search for them, for example using the Collaboration and Approvals > Experience Configuration > Manage P&O and Content command and unchecking the Active option.

Inviting members assigns at least the licenses IFW and CSV by default. If, for example, MDG is assigned, CSV will also be assigned.

The users will have to register or log in (if they already exist in 3DPassport) using the links available in the invitation email.

In all cases, when the user logs in with the 3DPassport, the user is automatically synchronized with 3DDashboard, 3DSpace and 3DSwym.

When the user logs on to 3DDashboard, the IFW and CSV licenses are consumed. The user is then activated in 3DSpace.

You can also assign users to the appropriate collaborative space: users belong to the default Common Space collaborative space.

  • By creating the users in 3DPassport, then using legacy platform administration tools.

See Create Users in 3DPassport From Scratch.

You can also use Manage P&O and Content to create users manually, or use the VPLMPosImport.sh (.bat) script.

To migrate Db Upgrade as the users are already present in 3DSpace. See Synchronize Platform Users with All Platform Services.

Create Users in 3DPassport From Scratch

Platform users need to be created in 3DPassport. To do so, you can either create user accounts using the 3DPassport GUI tool, or import the users using the same file as the one you used with the VPLMPosImport command.

Then, the administrator creates the same users, this time using platform administration tools, for example a GUI tool such as Manage P&O and Content, or in batch mode by importing a file containing the P&O data generated using the 3DSpace VPLMPosExport utility as explained in the following section in the online documentation: Installation and Setup : Configure: People & Organizations and Content: Advanced Configuration: Importing and Exporting P&O and Security Data: Running the VPLMPosExport Batch Tool.

Note: If a platform user already exists, but does not exist in 3DPassport, anyone able to create a 3DPassport account can impersonate this user.

To import the users into 3DPassport:

  1. Move the file to the machine running the 3DPassport service.
  2. On the machine running the 3DPassport service, go to the following directory:

    3DPassport_install_directory/<OS>/code/command

    then run the following command:

    PassportUserImport.sh (.bat) -url passportUrl
                                 -admin_username
                                 -admin_password
                                 -file enoviaExportFile
                                 [-users commaSeparatedListOfUsersToImport]
                                 [-action register or update (register by default)]
                                 [-default_country country]
                                 [-default_password password]
                                 [-disable_email_notification true or false]

    where:

    • admin_username (mandatory) is the username of any user account with admin role in 3DPassport
    • admin_password (mandatory) is the password of any user account with admin role in 3DPassport
    • enoviaExportFile (mandatory) is the name of the imported file containing the existing users.

      The following list specifies the mandatory attributes required for 3DPassport import that must be present in the file:

      • First Name
      • Last Name
      • Email address
      • Country
      • Username

      You can optionally specify the following field:

      • Password

      For example:

      *PERSON wkr;Company Name
      +ATTRIBUTE First Name;Anoop
      +ATTRIBUTE Last Name;KR
      +ATTRIBUTE Email Address;wkr@3dplmsoftware.com
      +ATTRIBUTE Country;IND
      +PASSWORD Dassault1

    • passportUrl (mandatory) is the 3DPassport service endpoint
    • -users (mandatory): lists the users you want to import from the input file. If this option is specified, only the listed users will be imported. The list must contain the usernames separated by a comma, for example: -users alice,bob,eve.
    • -default_country: sets a default country for all your users or the user list you have set (where country field is empty). For example: -default_country FRA -users user1,user2
    • -default_password: sets a default password for all your users or the user list you have set (where password field is empty). For example: -default_password Password1_
    • -action (mandatory): specifies the action you want to perform with the imported file: register or update.

      For example: -action update updates user attributes if you have changed attributes in your imported file.

    • -disable_email_notification: specifies whether you want to enable or disable e-mail notifications sent to end-users if the send email notification feature is enabled in 3DPassport. Values are true or false.

Note the following syntax rules for imported data:

  • Firstname, Lastname: any characters except : < > ( ) { } [ ] & ;
  • for e-mail addresses, the format is as follows:

    [Local part]@[Domain name].[Domain extension]

    where:

    • Local part must contain at least one character, and only alphanumeric or the following special characters: . _ % + -
    • Domain name must contain at least one character, and only alphanumeric or the following special characters: . -
    • Domain extension must contain at least two characters and at most four, only alphanumeric.
  • Country: To specify the country, you must use ISO 3166-1 alpha-3 three-letter country codes, for example USA for the United States of America.
  • Usernames must contain a minimum of two characters and a maximum of 64 characters, and only alphanumeric or the following special characters: _ and .
  • Password: the password depends on your configured password policy, which is by default:

  • A user is created or updated by the utility if and only if:
    • a password is assigned: explicitly from the input file or, by default, through the -default_password directive of the utility if specified, providing a non-empty value.
    • a country is assigned: explicitly from the input file or, by default, through the -default_country directive of the utility if specified, providing a non-empty value.

Migrate Existing Users Created in an Earlier Release

This section explains how to import users created in an earlier release into 3DPassport.

If you installed an earlier release (for example, V6R2014x or earlier), you need to migrate your existing users and declare them in 3DPassport.

Since the authentication mode has changed, the previous user/password will not be recognized anymore. You must re-create existing platform users in 3DPassport. The user creation method depends on your 3DPassport implementation, in other words, whether or not you are using LDAP.

Note: If a platform user exists, but does not exist in 3DPassport, anyone able to create a 3DPassport account can impersonate this user.

If you are using LDAP, connect to your company's LDAP as explained in the section "Managing Repositories" in the 3DPassport Installation Guide, then synchronize as explained in Synchronize Platform Users with All Platform Services.

If you are NOT using LDAP, export your existing users using the VPLMPosExport tool provided with 3DSpace, then import them into 3DPassport using a special-purpose command as follows:

  1. Export your existing users as explained in the following section in the online documentation: Installation and Setup - Configure - People & Organizations and Content - Advanced Configuration- Importing and Exporting P&O and Security Data - Running the VPLMPosExport Batch Tool.

    The export tool creates a text file containing the P&O data from the repository.

  2. Move the file to the machine running the 3DPassport service.
  3. On the machine running the 3DPassport service, go to the following directory:

    3DPassport_install_directory/<OS>/code/command

    then run the following command:

    PassportUserImport.sh (.bat) -url passportUrl
                                 -admin_username
                                 -admin_password
                                 -file enoviaExportFile
                                 [-users commaSeparatedListOfUsersToImport]
                                 [-action register or update (register by default)]
                                 [-default_country country]
                                 [-default_password password]
                                 [-disable_email_notification true or false]

    where:

    • admin_username (mandatory) is the username of any user account with admin role in 3DPassport
    • admin_password (mandatory) is the password of any user account with admin role in 3DPassport
    • enoviaExportFile (mandatory) is the name of the imported file containing the existing users.

      The following list specifies the mandatory attributes required for 3DPassport import that must be present in the file:

      • First Name
      • Last Name
      • Email address
      • Country
      • Username

      You can optionally specify the following field:

      • Password

      For example:

      *PERSON wkr;Company Name
      +ATTRIBUTE First Name;Anoop
      +ATTRIBUTE Last Name;KR
      +ATTRIBUTE Email Address;wkr@3dplmsoftware.com
      +ATTRIBUTE Country;IND
      +PASSWORD Dassault1

    • passportUrl (mandatory) is the 3DPassport service endpoint
    • -users (mandatory): lists the users you want to import from the input file. If this option is specified, only the listed users will be imported. The list must contain the usernames separated by a comma, for example: -users alice,bob,eve.
    • -default_country: sets a default country for all your users or the user list you have set (where country field is empty). For example: -default_country FRA -users user1,user2
    • -default_password: sets a default password for all your users or the user list you have set (where password field is empty). For example: -default_password Password1_
    • -action (mandatory): specifies the action you want to perform with the imported file: register or update.

      For example: -action update updates user attributes if you have changed attributes in your imported file.

    • -disable_email_notification: specifies whether you want to enable or disable e-mail notifications sent to end-users if the send email notification feature is enabled in 3DPassport. Values are true or false.

Note the following syntax rules for imported data:

  • Firstname, Lastname: any characters except : < > ( ) { } [ ] & ;
  • for e-mail addresses, the format is as follows:

    [Local part]@[Domain name].[Domain extension]

    where:

    • Local part must contain at least one character, and only alphanumeric or the following special characters: . _ % + -
    • Domain name must contain at least one character, and only alphanumeric or the following special characters: . -
    • Domain extension must contain at least two characters and at most four, only alphanumeric.
  • Country: To specify the country, you must use ISO 3166-1 alpha-3 three-letter country codes, for example USA for the United States of America.
  • Usernames must contain a minimum of two characters and a maximum of 64 characters, and only alphanumeric or the following special characters: _ and .
  • Password: the password depends on your configured password policy, which is by default:

  • A user is created or updated by the utility if and only if:
    • a password is assigned: explicitly from the input file or, by default, through the -default_password directive of the utility if specified, providing a non-empty value.
    • a country is assigned: explicitly from the input file or, by default, through the -default_country directive of the utility if specified, providing a non-empty value.
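The syntax rules listed in this section and in Create Users in 3DPassport From Scratch can be checked before the file is handed to PassportUserImport. The following pre-flight validator is an added example, not part of the 3DPassport tooling: it assumes the file uses only the *PERSON / +ATTRIBUTE / +PASSWORD layout of the sample record, treats "alphanumeric" as ASCII, checks the country code's format only, and does not check the password policy.

```python
import re

# Rules from the page. "Alphanumeric" is taken as ASCII letters and digits,
# which is an assumption; the country check is format-only, not an ISO lookup.
NAME_FORBIDDEN = set(":<>(){}[]&;")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z0-9]{2,4}")
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{2,64}")
COUNTRY_RE = re.compile(r"[A-Z]{3}")

# First record is the page's sample; the other two are constructed.
SAMPLE = """\
*PERSON wkr;Company Name
+ATTRIBUTE First Name;Anoop
+ATTRIBUTE Last Name;KR
+ATTRIBUTE Email Address;wkr@3dplmsoftware.com
+ATTRIBUTE Country;IND
+PASSWORD Dassault1
*PERSON a;Company Name
+ATTRIBUTE First Name;Al<ice
+ATTRIBUTE Last Name;Example
+ATTRIBUTE Email Address;alice@example
+ATTRIBUTE Country;FR
*PERSON bob;Company Name
+ATTRIBUTE First Name;Bob
+ATTRIBUTE Last Name;Example
+ATTRIBUTE Email Address;bob@example.com
"""


def parse_export(text):
    """Parse *PERSON / +ATTRIBUTE / +PASSWORD records into dicts."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*PERSON "):
            current = {"Username": line[len("*PERSON "):].split(";", 1)[0].strip()}
            users.append(current)
        elif line.startswith("*"):
            current = None  # some other record type, not a person
        elif current is not None and line.startswith("+ATTRIBUTE "):
            key, _, value = line[len("+ATTRIBUTE "):].partition(";")
            current[key.strip().title()] = value.strip()
        elif current is not None and line.startswith("+PASSWORD"):
            current["Password"] = line[len("+PASSWORD"):].strip()
    return users


def validate_user(user, default_country=None, default_password=None):
    """Return the list of rule violations for one parsed record."""
    errors = []
    if not USERNAME_RE.fullmatch(user["Username"]):
        errors.append("Username: 2 to 64 characters, alphanumeric or _ .")
    for field in ("First Name", "Last Name"):
        value = user.get(field, "")
        if not value:
            errors.append(field + ": missing")
        elif NAME_FORBIDDEN & set(value):
            errors.append(field + ": forbidden character")
    if not EMAIL_RE.fullmatch(user.get("Email Address", "")):
        errors.append("Email Address: invalid format")
    country = user.get("Country") or default_country
    if not country:
        errors.append("Country: not assigned, user would not be created")
    elif not COUNTRY_RE.fullmatch(country):
        errors.append("Country: not a three-letter code")
    if not (user.get("Password") or default_password):
        errors.append("Password: not assigned, user would not be created")
    return errors


def validate_export(text, **defaults):
    """Map username -> violations for every record that would be rejected."""
    checked = ((u["Username"], validate_user(u, **defaults)) for u in parse_export(text))
    return {name: errs for name, errs in checked if errs}
```

Calling validate_export(SAMPLE) flags the two constructed records; passing default_country and default_password mirrors the -default_country and -default_password options and clears the record that only lacked those two values.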

Synchronize Platform Users with All Platform Services

When users are created using legacy platform administration tools after being created in , they will be ready for 3DSwym, 3DDashboard, and other platform services only if the services are correctly referenced in 3DSpace and were running when the users were created.

Under certain circumstances, this may not be the case. For example, if only the 3DDashboard service was running, you may not be able to log onto 3DSwym.

In this case, you must use the user synchronization batch tool, which synchronizes platform users with the other services, individually or for the whole database, in scenarios such as migration from V6R2014x and earlier to 3DEXPERIENCE R2022x and after.

The batch must be uploaded and run on the server that needs to be upgraded.

To launch this batch on Windows, go to:

<3DSpaceInstallPath>/win_b64/code/command

and launch the command:

OnPremisesSynchroUser.bat

and on Linux:

<3DSpaceInstallPath>/scripts or <3DSpaceInstallPath>/linux_a64/code/command

and run the shell OnPremisesSynchroUser.sh

as follows:

OnPremisesSynchroUser.bat (or .sh) -login <User> -pwd <UserPwd> -users User1,User2

where:

  • -login: the admin_platform user in 3DSpace
  • -pwd: the admin_platform user password (admin_platform by default)
  • -users: comma-separated list of users to synchronize; these users must be existing platform users

For example:

OnPremisesSynchroUser.bat -login admin_platform -pwd admin_platform -users alice,bob,eve

where alice,bob,eve are platform users.

The first two arguments are mandatory. If the final argument is missing, all users in the database will be synchronized.

The batch gives a status for each user:

  • 0: synchronization is successful
  • -1: synchronization failed
  • -2: user does not exist in database; code -2 only occurs if you specified a list of users as input, but one of the users does not exist in database.

Setting Up Web Application Timeout

Increase the session-timeout parameter as follows:

  1. Edit the file:

    <3DSpaceInstallPath>\$OS\resources\warutil\fragment\ENOLiveCollaborationServer.liveCollaborationServer.web.xml.part

  2. Change the session-timeout parameter from the default value of 30 to 120 (in minutes).
  3. Rebuild the J2EE archive using the war_setup utility.

Setting Up Reverse Proxy Support

The official solution is the FCS URL Solver.

Please refer to the chapter Configuring FCS Routing in the MQL Users Guide for further information.

Install the File Collaboration Server (FCS) in a Dedicated Web Server

The 3DSpace server uses CAS authentication. However, the File Collaboration Server does not support CAS. Consequently, you must install a File Collaboration Server in a dedicated web server where CAS authentication is not deployed. After the installation, you must specify a URL for the FCS and the store.

The FCS installation generates a .war file and the user has to use the same file. CAS changes are within the .war file and not with the application server (only TomEE is supported).

HTTPS/HTTP Converter for FCS (Multi-Site)

For the default FCS (managed by the 3DSpace Installer):

  • 3DSpace manages the default FCS URL (https://machinename:443/internal) in https mode only
  • Reverse proxy settings are the same as for the 3DSpace server and defined in: <3DSpaceInstallPath>/<OSDS>/templates/3DSpace_httpd_fragment.conf.
    Note: Logging in to this URL from web is restricted for all users.

If you use a separate FCS installation (see Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Installation: Installing 3DEXPERIENCE Platform Services for the First Time: Installing Services One-by-One: 3DSpace: File Collaboration Server: Installing File Collaboration Server):

You must install an HTTPS/HTTP converter in front of the Apache TomEE FCS. It can be placed either on each FCS, or before the load-balancing, or anywhere between the end-point and the TomEE.

Note: If you have set the 3DSpace endpoint with a non-standard HTTPS port, it is this port that should be set here.

Change installation Parameters

You may need to change parameters defined during the latest services installation.

Using the reconfiguration tool, you can modify these parameters without reinstalling the whole service.

For more information, see Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Installation: Reconfiguring the 3DEXPERIENCE Platform Installation

Configure the 3DEXPERIENCE platform with a single FQDN

To install the 3DEXPERIENCE platform with a single FQDN, you must have one cookie name per service to handle session affinity, and avoid getting some service cookies overridden by other cookies. In that case, you need to update the configuration after the 3DSpace service installation, to send the cookie name to the shared configuration.

For Linux, use one of these paths:

  • External TomEE+: <externalTomEEInstallPath>/webapps/3dspace/WEB-INF/web.xml
  • Embedded TomEE+: <3DSpaceInstallPath>/linux_a64/code/tomee/webapps/3dspace/WEB-INF/web.xml

For Windows, use one of these paths:

  • External TomEE+: <externalTomEEInstallPath>\webapps\3dspace\WEB-INF\web.xml
  • Embedded TomEE+: <3DSpaceInstallPath>\win_b64\code\tomee\webapps\3dspace\WEB-INF\web.xml

Add two context-param elements (the ids must be unique):

<context-param id="ContextParam_13">
    <param-name>serverIdCookieName</param-name>
    <param-value>3DSPACESERVERID</param-value>
</context-param>

<context-param id="ContextParam_14">
    <param-name>serverIdParamName</param-name>
    <param-value>3dspaceserverid</param-value>
</context-param>

Note: You can also make the change before executing the war util (BuildDeploy3DSpace_CAS.[sh/bat]) in:

Linux: <3DSpaceInstallPath>/linux_a64/resources/warutil/fragment/ENOLiveCollaborationServer.liveCollaborationServer.web.xml.part

Windows: <3DSpaceInstallPath>\win_b64\resources\warutil\fragment\ENOLiveCollaborationServer.liveCollaborationServer.web.xml.part

Restart the Apache TomEE+ CAS server.

Configure the header name used for the session affinity

x-dsp-client-node is the default header name and is hardcoded in the code of the filters.

If you want to change the name of this header, you need to proceed as explained below:

  1. In 3DSpace, add the following lines in both the CAS Authentication and CAS Validation filters section of your web.xml:

    For Linux, use one of these paths:

    • External TomEE+: <externalTomEEInstallPath>/webapps/3dspace/WEB-INF/web.xml
    • Embedded TomEE+: <3DSpaceInstallPath>/linux_a64/code/tomee/webapps/3dspace/WEB-INF/web.xml

    For Windows, use one of these paths:

    • External TomEE+: <externalTomEEInstallPath>\webapps\3dspace\WEB-INF\web.xml
    • Embedded TomEE+: <3DSpaceInstallPath>\win_b64\code\tomee\webapps\3dspace\WEB-INF\web.xml

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        …
        <init-param>
            <param-name>originalClientNodeHeaderName</param-name>
            <param-value>[YOUR_NEW_HEADER_NAME]</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        …
        <init-param>
            <param-name>originalClientNodeHeaderName</param-name>
            <param-value>[YOUR_NEW_HEADER_NAME]</param-value>
        </init-param>
    </filter>

    Note: You can also make the change before executing the war util (BuildDeploy3DSpace_CAS.[sh/bat]) in:

    Linux: <3DSpaceInstallPath>/linux_a64/resources/warutil/fragment/ENOLiveCollaborationServer.liveCollaborationServer.web.xml.part

    MS Windows: <3DSpaceInstallPath>\win_b64\resources\warutil\fragment\ENOLiveCollaborationServer.liveCollaborationServer.web.xml.part

  2. Restart the Apache TomEE+ CAS server.

Use the Diagnosing tool

Once the 3DEXPERIENCE platform has been installed, you can use the Diagnosis tool to check that the services have been correctly installed and configured.

For more information, see Installation and Setup: 3DEXPERIENCE Platform: 3DEXPERIENCE Platform Installation: Diagnosing the 3DEXPERIENCE Platform Installation