Installation Guide 2.0

Technical Documentation
Installation Guide
SE Suite 2.0 - Windows

DC TE .E N 00020
Rev 20
SoftExpert Excellence Suite (SE Suite) is the most comprehensive corporate solution for integrated management
of excellence and business compliance.
SoftExpert Excellence Suite (SE Suite) offers a set of multilingual modules that are natively integrated and fully
Web-based to automate the processes required to improve and optimize the different business areas at
organizations. This boosts the quality of management, cuts operating costs and facilitates compliance with the
main market norms and regulations.
The solution also supplements and enhances the use of corporate management systems and is integrated with
main market ERPs through connectors that may be developed based on the company’s specific needs.
The information contained herein is subject to change without notice. If you find inconsistent information, please
report it in writing to our support.
The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted in examples herein are fictitious. No association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
C omplying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of SoftExpert.
SoftExpert may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
SoftExpert, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
This software and documentation may provide access to or information on content, products, and services from
third parties. SoftExpert is not responsible for and expressly disclaim all warranties of any kind with respect to
third-party content, products, and services. SoftExpert will not be responsible for any loss, costs, or damages
incurred due to your access to or use of third-party content, products, or services.
C opyright © 2018 SoftExpert Software SA. All rights reserved.

Table of Contents
.......................................................................................................................................... 5
1 - Introduction
..........................................................................................................................................
2 - Installation overview 6
2.1 - Installation plan
.......................................................................................................................................... 7
..........................................................................................................................................
3 - Pre-required activities 8
3.1 - SE Suite..........................................................................................................................................
update 9
3.2 - Network configuration
.......................................................................................................................................... 10
3.3 - E-mail ..........................................................................................................................................
server configuration 11
3.4 - Windows configuration
.......................................................................................................................................... 12
3.4.1 - User creation on Windows Server
.......................................................................................................................................... 13
3.4.2 - Java JRE installation
.......................................................................................................................................... 16
3.4.3 - IIS installation
.......................................................................................................................................... 18
3.4.4 - Apache Tomcat installation
.......................................................................................................................................... 19
3.5 - Database configuration
.......................................................................................................................................... 22
3.5.1 - Microsoft SQL Server
.......................................................................................................................................... 23
3.5.2 - Oracle
.......................................................................................................................................... 26
3.5.3 - PostgreSQL
.......................................................................................................................................... 32
..........................................................................................................................................
4 - Installation activities 42
4.1 - Installation packages preparation
.......................................................................................................................................... 43
4.2 - SE Suite installation
.......................................................................................................................................... 44
4.3 - System..........................................................................................................................................
configuration 47
4.3.1 - SSL configuration
.......................................................................................................................................... 48
4.3.2 - Java Security Extension package
.......................................................................................................................................... 49
4.3.3 - Database configuration
.......................................................................................................................................... 50
4.3.4 - Starting the services
.......................................................................................................................................... 55
5 - Deletion..........................................................................................................................................
activity 56
..........................................................................................................................................
6 - Additional procedures 57
6.1 - Post-installation activities
.......................................................................................................................................... 58
6.1.1 - SE Risk conversion
.......................................................................................................................................... 61
6.2 - Single ..........................................................................................................................................
Sign-On with AD 65
6.2.1 - Kerberos authentication
.......................................................................................................................................... 66
6.2.2 - SAML authentication
.......................................................................................................................................... 74
6.2.3 - SE-Identity - Integration of Microsoft AD users with SE Suite
.......................................................................................................................................... 92
6.3 - File Manager server
.......................................................................................................................................... 101
6.4 - Scale..........................................................................................................................................
service (SE Asset) 108
6.5 - PDF ..........................................................................................................................................
conversion 109
6.5.1 -..........................................................................................................................................
OpenOffice PDF conversion service 110
6.5.2 -..........................................................................................................................................
Conversion to PDF with Microsoft Office 112
6.6 - Workstations configuration
.......................................................................................................................................... 114
6.6.1 -..........................................................................................................................................
Internet Explorer configuration 115
6.6.2 -..........................................................................................................................................
Firefox configuration 117
6.6.3 -..........................................................................................................................................
OpenOffice automation 118
6.6.4 -..........................................................................................................................................
MSI installation 119
6.7 - Remote access configuration
.......................................................................................................................................... 120
6.8 - External access configuration
.......................................................................................................................................... 121
6.9 - Troubleshooting
.......................................................................................................................................... 123
6.9.1 -..........................................................................................................................................
Requirements check 124
6.9.2 -..........................................................................................................................................
Index server 129
6.9.3 -..........................................................................................................................................
System version 133
6.9.4 -..........................................................................................................................................
Single Sign-On 134
6.10 - Database - Good practices
.......................................................................................................................................... 136
..........................................................................................................................................
7 - Document history 137
Introduction 5
Chapter I
Introduction
The installation should be performed by IT professionals knowledgeable about Windows Server, network
infrastructure, and database. In addition to that, it should be in accordance with the requirements defined in
the SE Suite - System Requirements document.
All efforts were made to offer complete installation instructions. New versions of this guide will be distributed
periodically. Check for new available versions.
About this document
This document applies to SE Suite Installer TOOL-2.0 and to SE Suite 2.0 or superior. It describes all the
procedures required for installing SE Suite on a Windows environment.
Who should read this document
Any IT professional who needs to know the process of installing SE Suite on a Windows environment, for the
planning of either implementation or support activities.
ATTENTION
Although providing support for recent versions of third-party software packages and patches, SoftExpert has no control
over those software updates and, thus, cannot ensure compatibility with their products. In any case, contact the
supplier for product specifications and further details about compatibility.
Installation Guide — SE Suite 2.0 - Windows

Installation overview 6
Chapter II
Installation overview
This topic covers the installation process overview. See below the diagram that exemplifies the steps that will
be covered in this documentation:
SE Suite installation steps diagram
§ Pre-requisite activities: This step covers the activities that must be executed and finished before the SE
Suite installation, because among them are activities to prepare the environment where SE Suite will be
installed, in addition to the installation of third-party software required by SE Suite.
§ Installation activities: This step covers the installation packages preparation activities and the installation
itself. In the package preparation step, the installer package, which must be decompressed, and the
installation package, which must be saved in an uncompressed folder of the installer, are involved. After
preparing the packages, it will be possible to execute the SE Suite installation. When executing the installer,
it will allow installing, updating, and removing SE Suite. When selecting the installation option, the
installation tool will check whether the environment meets the installation predefined requirements. If an
error occurs, it is possible to view the error screen by double-clicking the step presenting the error. After
that, the installer will ask for the necessary information to configure IIS. The installer will extract the files and
install the complementary tools. During the installation, the system will ask for the data to add the
database(s). At the end of the installation, the services will be restarted and it will be necessary to configure
SE Suite.
§ Additional procedures: This step contains the activities that are executed after the SE Suite installation.
Among them, find the post-installation activities that include the SE Suite initial configuration and activation.
Find also in this step the configurations of some SE Suite functions, such as the directory service
configuration on an external server. The workstation configuration activities must be performed in the
browsers that will access SE Suite, such as unblocking SE Suite domain pop-ups and the configurations in
the browsers to use single sign-on.

Installation overview 7
2.1 - Installation plan
1. Refer to the SE Suite - System Architecture Overview document to define the architecture to be used by
SE Suite in your environment.
2. View the SE Suite - System requirements document to define the installation environment, in addition to
determining which third-party software is compatible and which are required for the installation and the
correct execution of the SE Suite. All information contained in this document assumes you have met all
requirements.
3. Review and perform all prerequisite activities: Network Configuration, Windows Configuration, and
Database Configuration, so that the environment can be prepared for the SE Suite installation to run.
4. Familiarize yourself with the tasks to be executed when configuring SE Suite by reading the following
topics:
§ Installation activities
§ Post-installation activities
§ Workstation configuration
5. For better planning of the SE Suite installation in your environment, see below whom the activities are
usually assigned to:
§ Activities to be executed by the network and operating system manager:
o Network configuration
o Windows configuration
§ Activities to be executed by the database manager:
o Database configuration
§ Activities to be executed by the e-mail manager:
o E-mail server configuration
The documentation mentioned above may be found at the customer center: www.softexpert.com/sac

Pre-required activities 8
Chapter III
Pre-required activities
The activities in this section describe how to prepare the environment for the SE Suite installation. Do not start
the installation step until all relevant prerequisites have been met and all activities in this section have been
executed.
This section covers the following topics:
§ SE Suite update
§ Network configuration
§ E-mail server configuration
§ Windows configuration
§ Database configuration

3.1 - SE Suite update
Considering the major requirement changes incorporated into SE Suite version 2.0, compared to version 1.3,
we suggest installing version 2.0 on a new server, where version 1.3 was never installed. Such procedure will
allow the use of new Tomcat and Java versions, and other requirements automatically installed by the
installation process.
Nevertheless, if the organization wishes to use the same server, version 1.3 must be previously removed
using the 1.3 version removal tool. Additionally, the following steps must be executed manually:
1. Open the ISS administration console. For that, click on the Start menu and type "inetmgr", or access the
Administrative tools, in the Control panel, and double-click on "Internet Information Services".
2. Select the server where version 1.3 was installed and, on the right page, open the FastCGI settings
option.
3. Select the PHP used by SE Suite 1.3 from the list and remove it through the actions panel, located on the
right side.
4. Go back to the home page and select again the server where version 1.3 was installed. And, on the
page on the right, open the ISAPI and CGI Restriction option.
5. Select the "seredirect" item and remove it by using the action panel located on the right side.
6. Select the server where version 1.3 was installed, select the site created, and remove it. If you wish to
use the same site, check, in the SE Suite installation section, the "Web Site" configuration, in item 7.
Note that the HTTPS port must be set for the SSL configuration.
7. Uninstall Tomcat version 6, because, in SE Suite version 2.0, Tomcat version 6 is no longer supported.
For further details, Refer to the SE Suite - System requirements document.

3.2 - Network configuration
The requirements of this activity refer to the network where SE Suite will be installed.
Configure the network
Synchronize the time and date on all servers. The system users may have trouble if one or more servers are
not synchronized with the rest of the system.
In version 2.0, the use of HTTPS is mandatory to increase the security while using the solution. We suggest
the use of a valid digital certificate, issued by certifying authorities. If the organization has no available valid
digital certificate, a certificate self-signed by IIS may be generated; however, security warnings may be issued
to the users while using SE Suite.
SE Suite supports multiple databases. To configure this functionality, create a different DNS for each
connection with the database, pointing to the same webserver. There should be a DNS pointing to the same
webserver for each connection with the database.

3.3 - E-mail server configuration
Create an e-mail account to be used to configure the sending of to-do task e-mails for SE Suite to be able to
send such e-mails to the final user. The necessary information includes:
§ E-mail account name;
§ E-mail account password;
§ E-mail server name;
§ Port to the e-mail server (if the SMTP protocol is being used).
These configurations must be executed by the e-mail manager.

3.4 - Windows configuration
This section covers the necessary configurations for the environment to be prepared for the SE Suite
installation execution. See, in the topics below, how to proceed to create a user and install and configure the
main SE Suite dependencies:
§ User creation on Windows Server
§ Java JRE installation
§ IIS installation
§ Apache Tomcat installation
In this Installation Guide are only covered the requirements for the installation of the SE Suite, view the SE Suite -
System Requirements document to verify the other requirements that should be on the SE Suite server for the system
to work correctly.

3.4.1 - User creation on Windows Server
SE Suite needs a local user. To create it on Windows Server 2008 or 2012, execute the following steps:
1. Click on the Windows Start menu;
2. Right-click on My computer and click on the Manage option;
3. On the left side, in the hierarchical tree, find Local Users and Groups;
§ On the Windows Server 2008, go to Server Manager Configuration Local Users and Groups;
§ On Windows Server 2012, go to Server Manager Tool Computer Management Local Users and Groups;
4. Expand Local Users and Groups and right-click on the Users folder;
5. Click on the New user... option. Fill in the following fields on the screen that will be displayed:
§ User name: Fill this field in with the name of the user being created;
§ Full name: Fill this field in with the full name of the user being created;

§ Description: Enter, in this field, the description of the user being created;
§ Password: Enter a password for the user;
§ Confirm password: Retype the password to confirm it;
§ User must change password at next logon: Uncheck this option if checked;
§ User cannot change password: Check this option;
§ Password never expires: Check this option.
§ The maximum size for the user name (User name field) is 20 characters (upper or lower case), except for the
following characters: \ / " [ ] : | < > + = ; , ? * @. The name may not contain periods (.) or blank spaces
either.
§ It is not allowed to use | and & characters in the user password.
6. After filling in the required fields, click on Create and then on Close;
7. Right-click the newly created user and select Properties;
8. On the user properties screen, select the Mem ber Of tab;
9. Click on Add;
10. On the Select Groups screen, click on Advanced;
11. Click on Find Now. At this point, you will see a list of groups in the search results section, search for
and select the Guests and IIS_IUSRS groups and click on OK;
12. The group selection screen will look like the image below. Click on OK on this screen


3.4.2 - Java JRE installation
To install Java JRE, execute the following steps:
1. Download Java on the site: http://www.java.com;
See the SE Suite - System Requirements document to verify the version of Java.
2. Execute the Java installation file and proceed with the installation;
JAVA_HOME environment variable configuration
3. After installing Java, click on the Windows Start menu;
4. Right-click on My Computer and select Properties;
5. Select the Adv anced tab and click on Environment;
6. In System Variables, click on New;
7. On the New System Variable screen, fill in the following fields:
§ Variable name: Enter JAVA_HOME;
§ Variable value: Enter the JAVA directory, for example: C:\Program Files\Java\jre8
8. Click OK;

9. In the System Variables list, select Path and click on Edit;
10 In the Variable v alue field, type: %JAVA_HOME%\bin before the first instruction, as shown in the image
below:
11. Click OK;
12. Click on OK to close the Env ironm ent v ariables window.

3.4.3 - IIS installation
To install IIS, execute the following steps:
1. Open the Server Manager e add the features to IIS:
§ On Windows Server 2008: Right-click on Roles (panel on the left side) and select the "Add Roles"
option. Go to the "Installation type" screen. Select the "Role based or feature..." option and advance.
Select the server.
§ On Windows Server 2012: Click on Manage (at the top right of the screen) and select the "Add Roles
and Features" option.
2. Check the "Web server (IIS)" option with the following items enabled:
Web Server (IIS)
Web Server
C ommon HTTP Features
Static C ontent
Default Document
HTTP Errors
HTTP Redirection
Security
Basic Authentication
Application Development
ISAPI Extensions
ISAPI Filters
C GI
Performance
Static C ontent C ompression
Dynamic C ontent C ompression
Management Tools
IIS Management C onsole
IIS Management Scripts and Tools
3. Click on Next in the other installer screens and wait for the installation to complete.

3.4.4 - Apache Tomcat installation
To install Apache Tomcat, execute the following steps:
1. Download Apache Tomcat from the site: http://tomcat.apache.org;
Refer to the "System Requirements" document to verify the Apache Tomcat version.
Make sure Java is installed before starting the Tomcat installation because Java JRE is a pre-requirement for the
Tomcat operation.
2. Execute the Tomcat installation file;
3. Select Norm al type for installation;
4. Choose a directory for the installation or keep the default path;
5. Enter a password or leave this field empty;
6. Select the path in which Java was installed in your system, for example: C:\Program
Files\Java\jre1.X_XX;
7. Uncheck the Run Apache Tom cat option and click on Finish;
Apache Tomcat service configuration
8. Access the Windows Start Run menu;
9. Type services.msc and click on OK;
10. Right-click the Apache Tomcat service;
11. Select Properties;

12. In Startup type, select Automatic and click on OK.
Verifying the memory available for Apache Tomcat
13. Access Tomcat Monitor.
14. At this point the Tomcat Setup screen is displayed, go to the Java tab and configure the values of the
following fields:
Java Options: At the end of this field add the following parameters, in case they do not exist:
-XX:MaxPermSize=512m
-Duser.language=en
-Duser.country=US
Initial memory pool: 512 MB
Maximum memory pool: 2048 MB
The values entered above are the minimum necessary for SE Suite to work correctly. If needed, assign values
greater than 1024m to these variables.

15. Click on [OK].

3.5 - Database configuration
See in this section how to configure the database server. This section covers the database creation and
configuration, necessary for SE Suite to work in the following DBMSs:
These configurations must be executed by the Database manager.
§ Microsoft SQL Server
§ Oracle
§ PostgreSQL
ATTENTION
SoftExpert is not responsible for the database management.

3.5.1 - Microsoft SQL Server
This section covers the procedure to create and configure the database in the SQL Server. See the steps
below:
This procedure assumes that SQL Server is properly installed.
1. Open SQL Server Management Studio;
2. Connect to the server;
3. Right-click on Databases and then in the New Database option;
4. On the left side, on the General page, enter a name in Database name;
Example: sesuite
5. On the left side, on the Options page, choose the 'collation' to be used and click OK;
The collations that may be used in western languages for the SE Suite database on the SQL Server are:
§ SQL_Latin1_General_CP1_CI_AS
§ SQL_Latin1_General_CP1_CI_AI
§ Latin1_General_CI_AS
§ Latin1_General_CI_AI
The CI (Case Insensitive) parameter of the collation must always be used. We recommend the use of the
AI (Accent Insensitive) parameter for new databases starting in 2.0. For eastern languages, contact SoftExpert's
Support.
6. In the hierarchical tree, expand the Security item;
7. Right-click on the Logins button;
8. Click on New Login;

9. On the left side, on the General, page in the Login name enter a name for the login;
Example: sesuite
10. Check the SQL Server authentication option;
11. In Password enter a password and confirm it in Confirm password;
12. Uncheck the Enforce password policy option;
13. In Default database select the database created in steps 3 to 5;
14. In Default language select the English language;
15. Click on the User Mapping page and in Users mapped to this login, select a database created in steps 3
to 5;
16. In the Database Role membership box, check the following options:
§ Public;
§ db_owner.
17. Click OK;
Network configuration
It is necessary to enable the TCP/IP connections in SQL Server Configuration Manager. See the steps below:
18. Open SQL Server Configuration Manager;
19. In the hierarchical tree, expand the SQL Server <v ersion> Network Configuration item;
20. Click on Protocols for MSSQLSERVER;
21. In the box on the right side, right-click on TCP/IP;

22. Click on "Properties";
23. In the Protocol tab, in Enable select the Yes value;
24. Access the IP Addresses tab;
25. In each existing IP, in Enable select the Yes value;
26. In each existing IP, check whether the port defined in TCP Port is 1433.
27. Click on OK and then restart the SQL Server.
If you do not need to configure another database, continue with the SE Suite installation from the Installation
activity section.

3.5.2 - Oracle
This section will cover the Oracle configuration. It will also cover the Oracle client configuration. This section
contains the following topics:
Oracle configuration
Oracle Client configuration

3.5.2.1 - Oracle configuration
This section covers the procedure to create and configure databases in Oracle. See the steps below:
This procedure assumes that Oracle is installed, with created instances, and that TNSNames is duly configured on the
server where SE Suite will be installed.
This procedure requires the Oracle Provider and OJDBC components to be installed on the server where SE Suite will be
installed.
1. Start the SQLPlus;
2. Connect to the server by using a DBA user;
Creating the tablespaces
3. Create a tablespace called SOFTEXPERT_DATA:
CREATE TABLESPACE SOFTEXPERT_DATA LOGGING DATAFILE

'<tablespaces_directory>\SOFTEXPERT_DATA.DBF' SIZE 2000M AUTOEXTEND ON NEXT
200M MAXSIZE UNLIMITED;
Substitute the <tablespaces_directory> for the path where the tablespace must be created on the
Oracle server.
2000M is the initial size recommended for the data tablespace.
4. Create a tablespace called SOFTEXPERT_INDEXES:
CREATE TABLESPACE SOFTEXPERT_INDEXES LOGGING DATAFILE

'<tablespaces_directory>\SOFTEXPERT_INDEXES.DBF' SIZE 200M AUTOEXTEND ON NEXT
50M MAXSIZE UNLIMITED;
Substitute the <tablespaces_directory> for the path where the tablespace must be created on the
Oracle server.
200M is the initial size recommended for the indexes tablespace.

Creating a user for SE Suite
5. To create a user for SE Suite and define the necessary permissions, execute the following steps:
6. Create a user for SE Suite:
CREATE USER <SESUITE> PROFILE DEFAULT IDENTIFIED BY <PASSWORD> DEFAULT

TABLESPACE SOFTEXPERT_DATA ACCOUNT UNLOCK;
Substitute <SESUITE> and <PASSWORD> for the user's name and password respectively.
7. Define the necessary Grants for the user created in step 5:
ALTER USER <user> QUOTA UNLIMITED ON SOFTEXPERT_DATA;

ALTER USER <user> QUOTA UNLIMITED ON SOFTEXPERT_INDEXES;
GRANT CREATE SESSION TO <user>;
GRANT CREATE TABLE TO <user>;
GRANT CREATE VIEW TO <user>;
GRANT CREATE SEQUENCE TO <user>;
GRANT CREATE PROCEDURE TO <user>;
GRANT CREATE TRIGGER TO <user>;
8. Exit the SQLPlus;
10. Right-click on My Computer and select Properties;
11. Select the Advanced tab and click on Environment;
12. In System Variables, click on New;
13. Fill in the Variable Name field with NLS_LANG.

14. Open the SQLPlus;
15. Type in the following commands to return the NLS parameters:
§ VALUE1:
SELECT VALUE FROM NLS_SESSION_PARAMETERS WHERE PARAMETER = 'NLS_LANGUAGE';
§ VALUE2:
SELECT VALUE FROM NLS_SESSION_PARAMETERS WHERE PARAMETER = 'NLS_TERRITORY';
§ VALUE3:
SELECT VALUE FROM NLS_DATABASE_PARAMETERS WHERE PARAMETER = 'NLS_CHARACTERSET';
16. Fill in the Variable Value field with the information returned by the SQLPlus in the order of the previous
step: VALUE1_VALUE2.VALUE3
Example:AMERICAN_AMERICA.WE8MSWIN1252
17. Click OK;
18. Click on OK to close the System properties screen;
19. Exit the SQLPlus.

3.5.2.2 - Oracle Client configuration
ATTENTION
§ For the proper operation of the application, 2 Oracle clients must be installed on the SE Suite server. A 64-bit version
for Java operation and a 32-bit version for PHP operation.
§ If the 32-bit Oracle Client is installed first and the 64-bit Oracle Client is installed after it, the environment variables must
be properly configured. Otherwise, it will be necessary to configure them again. Note that, after the installation of the
32-bit Oracle Client, there will probably be a service in execution and that will make it impossible to install the 64-bit
Client. For that, it is necessary to stop the OracleRemExecServiceV2 service.
§ In the PATH variable on Windows, the 64-bit Client must be first, then the 32-bit Client.
Run the following configuration to make sure that the Path variable is configured correctly:
2. Right-click on My Computer and select Properties.
3. Select the Advanced tab and click on Environment;
4. In the System Variables, locate the variable of the Path environment and click on Edit;
5. In the Variable value field, add the Oracle Client 64-bits and the Oracle 32-bits path. In that case, the
64-bit Oracle Client path must be the first parameter and the 32-bit Oracle Client must be the second
parameter, as shown in the image below:
6. Click OK and then click on OK to close the System properties screen;

7. Now it is necessary to configure the 64-bit Oracle Client and 32-bit Oracle installations. For this, click on
the Windows Start menu, type regedit.exe and press ENTER;
8. Locate and edit the following registry key:
§ Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE\KEY_OraClient11g_home1
§ Record: ORACLE_HOME_KEY
§ Original Value: SOFTWARE\ORACLE\KEY_OraClient11g_home1
§ Correct Value: SOFTWARE\Wow6432Node\ORACLE\KEY_OraClient11g_home1
Only the path should be adjusted, by inserting Wow6432Node, leaving the rest as it is.
9. Click on OK to save the change.
If it is not necessary to configure another database, continue with SE Suite installation from the section Installation
activity on.

3.5.3 - PostgreSQL
This section covers the procedures for creating and configuring the database for PostgreSQL DBMS. First, it will
present the PostgreSQL and pgAdmin III installation procedures.
To use the SE Capture index service, after installing PostgreSQL, it will be necessary to install PostgreSQL Native OLEDB
Provider (pgoledb.msi) on the SE Suite server. After the installation, update the PATH environment variable with the
PostgreSQL Native OLEDB Provider installation directory.
Installing PostgreSQL
To install PostgreSQL, follow the steps below:
1. Download PostgreSQL on the site: http://www.postgresql.org;
2. Execute the PostgreSQL installation file;
3. On the Welcome to the PostgreSQL Setup Wizard screen, click Next;
4. In Installation Directory, choose a directory for the installation or keep the default path;
5. In Data Directory, enter the directory where the data will be stored. Click on Next;
6. Enter the password for the superuser of the database and the service account (postgre). Click on Next;
7. Enter the port where the service is listening on. Click on Next;
8. Use the default locale. Click on Next;
9. On the Read to install screen, click Next;
10 Uncheck the Launch Stack Builder at exit option;
11. Click on Finish;

Installing pgAdmin III
To install pgAdmin III, execute the following steps:
This procedure must be performed on the server where SE Suite will be installed.
12. Download pgAdmin III on the site: http://www.pgadmin.org/download;
13. Execute the installation file and follow the software instructions;
14. Open the pgAdmin III;
15. Click on the Add a connection to a server button to add a connection to the database server;
16. Connection name: Enter a connection name.
17. Enter the name of the database server host;
18. Port enter the PostgreSQL port. The default port is 5432;
19. Select the database for connection;
View all the databases only after the first connection.
20. Enter the user name and password;
21. Click OK;

Configuring the PostgreSQL network
This section covers the procedure to create and configure the database in PostgreSQL. To configure the
PostgreSQL Network, execute the following steps:
22. Access the PostgreSQL directory that contains the configuration files;
Example: C:\Program Files\PostgreSQL\8.x\data
23. Open the pg_hba.conf configuration file for editing;
24. Locate the 'IPv4 local connections' configuration block and add a new line with the network data of the
server where SE Suite is being installed:
# IPv4 local connections:

host all all 127.0.0.1/32 md5
host all all 192.168.200.55 255.255.255.0 md5
25. This configuration file can also be performed by pgAdmin III (menu File open pg_hba.conf), as
shown in the following image:

26. Save and close the configuration file;
27. Open the postgresql.conf configuration file for editing:
28. Locate the listen_addresses parameter and change its value as shown below:
listen_addresses = '*' # what IP address(es) to listen on;
29. This configuration file can also be performed by pgAdmin III (menu File open pg_hba.conf), as
shown in the following image:
30. Save and close the configuration file.
31. Restart the PostgreSQL service.

Creating the Tablespace folders
To create the Tablespace folders, execute the following steps:
32. Access the PostgreSQL directory where the folders will be created or use the PostgreSQL default Data
folder.
33. In the selected directory, create a new folder named SOFTEXPERT_DATA;
34. In the selected directory, create a new folder named SOFTEXPERT_INDEXES;
35. Right-click on the upper-level folder;
36. Select Properties;
37. Select the Security tab;
38. Select the PostgreSQL service user;
39. Set Full Control permission of the Allow column for this user;
40. Click OK;
Creating a user for SE Suite
To create a user, execute the following steps:

41. Open the pgAdmin III assistant;
42. On the left side, in the Object Browser menu, select the default server and connect to it;
43. Right-click on Login Roles and select the New Login Role;
44. On the New Login Role screen, on the screen that will be displayed, fill in the following fields:
§ Role name: Enter a name for the new user;
§ Password: Enter the password for the new user;
§ Password (again): Retype the password to confirm it;
§ Account expires: If needed, enter an expiration date for the account being created.

45. Still, on the user creation screen, access the Role privileges tab and select the Superuser;
46. Click OK;
Creating Tablespaces
To create a Tablespace, execute the following steps:
47. Right-click on Tablespaces;
48. Select New Tablespace and fill in the following fields on the screen that will be displayed:
§ Name: Type SOFTEXPERT_DATA for the tablespace name.
§ Location: Enter the directory for the SOFTEXPERT_DATA tablespace folder. Example: C:\Program
Files\PostgreSQL\8.x\data\SOFTEXPERT_DATA.
§ Owner: Select the user created for SE Suite. Example: sesuite.
49. Still, on the tablespace creation screen, access the Privileges tab;

50. Select the CREATE option and click on Add/Change;
51. Click OK;
Repeat this process to create the SOFTEXPERT_INDEXES tablespace.
Creating databases
To create a database, execute the following steps:
52. Right-click on Databases;

53. Select New Database, on the screen that will open up, fill in the following fields:
§ Name: Enter a name for the database.
§ Owner: Select the user created previously for the SE Suite.
§ Encoding: Select UTF8.
§ Tablespace: Select SOFTEXPERT_DATA to be the default tablespace.
The recommended database encoding is UTF-8 because it supports all languages.
54. Still, on the database creation screen, access the Privileges tab and select ALL;
55. Click on Add/Change;

56. Click OK;
57. Close pgAdmin III.

Installation activities 42
Chapter IV
Installation activities
This section will cover the obtainment and preparation of the packages required to install SE Suite and the
system. This section contains the following topics:
§ Installation packages preparation
§ SE Suite installation
§ System configuration

4.1 - Installation packages preparation
This section covers the obtainment and preparation of the packages required for the SE Suite installation.
1. To obtain the installation packages, access SoftExpert's website: http://www.softexpert.com;
2. Click on Customer Center and on the customer center page, click on Click here to access the Portal;
3. Enter your User and Password and click on Login;
4. Access the Distribution Center section at the top of the navigation bar.
5. Select the desired version (2.0) and download the installation tool for Windows.
6. After downloading the installation tool, download the "Install Files" package of the desired version.
7. After saving the packages, execute the SE Suite installation according to the procedure described in the
following topic.

4.2 - SE Suite installation
This section covers the steps to install SE Suite. At the end of the installation, the services will be restarted
and the process is finished with the installation activation. See the steps of the installation process below:
First, the SE Suite installer will check whether the environment meets the installation requirements. Because of that,
make sure to execute all the Pre-required activities.
1. Access the installation tool directory as described in the Preparing the installation packages topic and
execute the installation tool downloaded before.
§ During the installation process, we recommend disabling your Antivirus software.
§ The installation tool must be executed with administration permission. For that, right-click it and select the "Run
as administrator" option.
2. On the SE Suite installer welcome screen, click on Next.
3. On the "Operation Type" screen, click on the Install button to install SE Suite. If another instance was
started before the installation but was not closed, a message will be displayed when clicking install. If
you choose to continue the installation, it will continue from the step it was canceled in;
4. On the "Licence Terms" screen, check "I accept the terms of this agreement" and click Next.
5. On the "Environment Check" screen, the environment verification step is performed, i.e., the installation
tool will verify whether the environment meets the predefined installation requirements. If an error
occurs, it is possible to view the error screen by double clicking the pre-requirement presenting the error.
If no error occurs or if errors are corrected, click on Next.
If you need to stop the installation to correct an error on this screen, click on Cancel. After correcting the error,
execute the previous steps again.
6. On the "Select Package" screen, select the "Install Files" package downloaded during the Preparing
the installation packages step. For that, click on the Browse button and select the package. Wait for the
installer to validate the selected package; check the status on the progress bar on the screen.

When the validation ends, verify whether the installation directory will be the default directory "C:
\sesuite" selected automatically. In case, it is another directory, use the Browse button to choose
another. Click on Next.
The "Install Files" installation package must be entered.
7. On the "Setup Web Server" screen, fill in the following fields:
§ Username: Enter the name of the Windows user created for the SE Suite. We recommended the IIS
user to be a Guest group member.
§ Password: Enter the user password.
§ User Domain: Enter the domain, hostname or IP address. We recommend entering the domain in this
field because, if the IP is entered, it may not be changed (Static IP).
§ Web app name: It is the directory of IIS. By default, this field is filled in with "se". Update the field
according to your need.
§ Web Site: It is possible to use an existing website. For that, check the "Existing" option and select
the website in the field next to it. If you wish to create a new one, check the "Use new site" option
and fill in the Name and Port.
8. After filling in the fields above, click Next.
If the entered user does not belong to the Guests group, the installer will display the "The specified user is not a
member of the Guests group. It is recommended that the IIS User be a member of this group. Continue anyway?"
message. Click Yes to continue with the installation or No to wait on the previous screen for the user to be added
to the group.
9. On the "Setup Java Services" screen, verify, in the Tomcat Home Dir field, the Apache Tomcat
installation directory path. If you need to change it, click Search.
10. On the "Perform Installation" screen, several steps will be executed automatically, such as package
extraction, permission definition in files, service installation, among others. Wait for these steps to be
executed. If an error occurs, it is possible to view the error screen by double clicking the step presenting
the error. If no error occurs or if errors are corrected, click on Next.
If you need to stop the installation to correct an error on this screen, click on Cancel. After correcting the error,
when executing the installer again and selecting the option to continue the installation, it will return to the step
the installation was canceled in.

11. On the "Perform Final Task" screen, the last steps of the installation are executed automatically, such
as: synchronize, load and save services, and save the SE Suite application configurations. When this
step finishes, click Next.
12. On the SE Suite installation closing screen, two documents that must be viewed will be available. The
first document is an SSL configuration tutorial; follow all the steps in it carefully. The second document
contains the steps to configure the database; execute the configuration steps of your database
according to it. After setting the necessary configurations, click Finish.
The SE Suite activation process occurs after the license key is entered in the SE Configuration component. Refer
to Post-install activities to obtain more details.

4.3 - System configuration
See how to configure the database to be used by SE Suite and how to configure the SSL on the SE Suite
Server:
§ SSL configuration
§ Java Security Extension package
§ Database configuration
§ Starting the services

4.3.1 - SSL configuration
The use of a digital certificate on the web server allows all information traffic between the server and the client
to be encrypted. In version 2.0, the use of certificates is mandatory, since non-encrypted traffic may be easily
captured by hackers, causing the client information to be accessed.
We suggest the use of valid certificates, issued by certification entities (Verisign, Certisign, Thawte, among
others). If the organization chooses to use self-signed certificates, the system will work; however, during the
access, security messages may be issued by the navigator - without being controlled by SoftExpert.
For further details about how to configure certificates in IIS, we suggest reading and executing the procedures
released by Microsoft (https://technet.microsoft.com/en-us/library/cc732230(v=ws.10).aspx).

4.3.2 - Java Security Extension package
Due to an export rule in the USA, the Java JDK default installation has a restriction regarding encryption
capacity. Some system features that use encryption requires the extended Java encryption package.
The package is available in the "\tools\thirdparties\oracle\java\UnlimitedJCEPolicyJDK7.zip" folder of the

product installation directory. To install it, just follow the steps described below:
1. Unzip the UnlimitedJCEPolicyJDK7.zip file in the folder?

<sesuite_dir>\tools\thirdparties\oracle\java\
2. Copy the files with .jar extension.
3. Paste the files with .jar extension into the directory "<JAVA_HOME>\lib\security".

4.3.3 - Database configuration
The SE Configurator is a tool responsible for configuring connections to the database and associating it with a
domain (to be used by multiple databases). To configure the system, access the SE
Configurator(<sesuite_dir>/tools/configurator) folder and execute the run.bat file, at this moment the SE
Configurator screen will be displayed.
New database configuration
See how to configure a new database for SE Suite:
During the base configuration process, the system will request to configure the user's e-mail and password, which must
follow the following password strength rules:
§ Must have numbers;
§ Must have alphabetic character;
§ Must have uppercase and lowercase characters;
§ At least 6 characters;
The administrator's e-mail configuration is not mandatory, but it is highly recommended.
1. On the SE Configurator screen, access the Databases tab. Through this tab it is possible to add, update,
delete, and verify whether the databases were updated correctly:

2. To include a database, click on the button and fill out the following fields of the screen that will be
displayed:
§ Connection name: Enter a connection name.
§ Domain: Enter the domain that will be used to access the system. It must point to the domain where
SE Suite is installed.
§ JDBC Driver: By clicking the combobox will be shown all the database options that the SE Configurator
supports: Oracle, PostgreSQL and SQL Server. When you select one of the options, the screen is
updated according to the selected database and the Port field is filled in with the default value of the
database. Fill in the other fields with the data of the selected database.
3. After filling them out, click on the button. At this point, the SE Configurator will run a test with the
values entered in an attempt to create a connection to the database. If any of the tests fail, the
Previous button will be enabled to return to the connection screen and so make the correction:

4. If no error occurs at the end of the test of the SE Configurator, the Next button will be enabled, allowing
the user to finish creating the connection with the database.
5. At this point, the system will create, parameterize, and equalize the base. The SE Configurator will display
a message when this process is finished, click on OK. After that, click on Next.
6. SE Configurator will display the data of the configured database. Click on Finish. After the process
finishes, the created database will be displayed.

7. Click on and then on OK.
Base equalization/parameterization
See below how to configure an existing database. This procedure should be performed in a previously
configured base.
1. On the SE Configurator, access the Databases tab and select a base which will be equalized and activate
the "Check database" button:
2. At this point, the equalization process will start. In the message window, click OK.
3. When the equalization process is complete, click Next and then, click on OK.
4. To finish, click on and then, on OK.

Database deletion
See below the procedures to delete the database configuration:
1. On the SE Configurator screen, access the Databases tab. Select the database you wish to delete and
then click the "Delete" button:
2. Click on Yes to confirm the removal of the base.
3. At this point, the deletion process will start. When it finishes, click on Next.
4. To finish, click on and then, on OK.

4.3.4 - Starting the services
After installing SE Suite and configuring the database, start the services used by SE Suite:
§ During the SE Suite service start up, the system will perform a requirement check. If a requirement does not meet the
system use, the checker will display a message to indicate the configuration that needs to be solved. See the
Requirements check section for details on how to solve major configuration issues.
§ It is important to remember that, when restarting the database, it will be necessary to restart the SE Suite service as
well.
IIS service
1. Access the Start Run menu;
2. Type iisreset /start
3. Press Enter;
Tomcat service
4. Access the Start Run menu;
5. Type services.msc and press Enter;
6. Search for the Apache Tomcat service;
7. Right-click that service and click Start;
PDF Converter service
8. Go back to the services manager (services.msc) and search for the PDF Converter service;

Deletion activity 56
Chapter V
Deletion activity
If it is necessary to delete SE Suite version 2.0, check for customizations in the system.
For that, it is necessary to access the following folders and perform their backups.
<install_dir>/wwwroot/Custom_SRV
<install_dir>/include/Custom_SRV
Check your customization documentation for any doubts regarding the required specific files.

Additional procedures 57
Chapter VI
Additional procedures
This section contains the activities that will be executed after the SE Suite installation. Among them, find the
system configuration activities and the pop-up unblocking for the SE Suite domain in the browser of the
workstations that will access SE Suite.
This section covers the following topics:
§ Post-installation activities
§ Single Sign-On with AD
§ File Manager server
§ Scale service (SE Asset)
§ PDF conversion
§ Workstation configuration
§ Remote access configuration
§ External access configuration
§ Troubleshooting
§ Database - Good practices

6.1 - Post-installation activities

After installing SE Suite, some configuration activities will be required for SE Suite to be suitable for use, such
as the system configuration, access license, system activation, and e-mail configurations. Some of these
activities are described in the User's manual of the SE Configuration component. See below how to execute
these activities:
1. Access SE Suite. Once the page loads, a configuration screen will be displayed. Use it to configure, at
least, the name of the organization that acquired the system and the access password of the admin user.
For further information about how to proceed on this screen, refer to the SE Configuration component
documentation, in the Configuration System section.
2. Once the user admin is configured, enter the activation key. For more information about how to proceed
with this configuration, access the SE Configuration component documentation, in the Configuration
License key section.
After any changes in the license key, whether when switching the key or adding a new one, it will be necessary to
activate SE Suite.
If in the SE Configuration component (in the Configuration System menu) is selected the Enable automatic
activation option, it will not be required to perform the activation procedure described below.
SE Suite activation
3. If the automatic activation is not enabled, whenever there is any change in the system configurations, it
will be necessary to activate SE Suite manually. When that happens, the following screen will be
displayed:

4. To activate the system, click on the System activation button. The system will display a screen with a
brief description of the changes made:
5. Carefully follow the instructions on the system activation screen. Download the file (activation.hbl) and
access the Customer center. Enter your login and password. At this point, you will be redirected to the
activation page.
Note that the Customer center will be opened in a new tab in your browser. The tab displaying the SE Suite page
must not be closed, because, after generating the activation code, it will be necessary to return to it.
6. On the customer center activation page, Upload the file. After selecting the activation.hbl file in the
respective field, click on the UPLOAD button.
7. At this point, the system will display the screen with the activation code. Copy the generated code, return
to the SE Suite screen, and enter the activation code.

8. After that, click on the Activate button. The SE Suite page will be reloaded and now any already created
user may access the system.
Configure the e-mail server
For information on how to configure the e-mail server, refer to SE Configuration document, in the
Configuration E-mail server section.
Enable e-mail sending
For information on how to proceed with the email sending configuration, refer to the SE Configuration
document, in the Configuration Notification section.
Enable thumbnails
To enable the viewing of thumbnails, it will be necessary to install SE Preview on the SE Suite server.
SoftExpert makes available an MSI for the installation of SE Preview on the workstation. This MSI
(sepreview.msi) can be found, compressed, within the SE Suite server directory, in
<dir_installation_SE_Suite>\web\wwwroot\generic\app\viewer\ or can be downloaded via the
URL https://<domínio_SE_Suite>/se/generic/app/viewer/sepreview.zipof the SE Suite.
Decompress and perform the installation. Remember that, before executing the MSI, it is necessary to
uninstall SE Viewer.

6.1.1 - SE Risk conversion
The purpose of this section is to guide the SE Suite user on how to convert the data of SE Risk version 1.3 to SE Suite
version 2.0.
About the data conversion
This section will describe the main changes expected once the conversion process is finished. The SE Risk
component went through several changes to SE Suite version 2.0. From the structural point of view of the
system, we can highlight the new relational tables used in version 2.0, that have the "RI” suffix, instead of
"HA” in the old version, and the new ISOSYSTEM code of the component, which changed from 163 to 215. Only
the Object, Process and Project contexts of the SE Suite 1.3 will be converted, that is, the plans that are from
other contexts will not be considered. The control plans from SE Suite 1.3 will not be converted either since
they have been disabled from version 1.3 on. See below the changes between the versions.
Tokens
There will no longer be token customization by context, as in version 1.3. It is possible to customize a term in
SE Suite 2.0 through the Administration Configuration Customize Token (AD031) menu, which is valid for
the entire system.
Plan revision
In SE Suite 2.0, the plan revision is generic, that is, the same revision method is used for a Scorecard, Process,
etc., and, for a plan to go through revision, its type must be properly configured.
By default, after data conversion, plan types will not be configured to have a revision control. Therefore, the
user will have to do it by accessing the plan type data screen and, in the Revision tab, check the option to
control the revision as well as to fill in the fields.
All plans will be converted as being "not-default”, that is as if they were created from the Management Plan
planning (RI301) menu. Therefore, do not follow the associated object revision (Ex.: Process, Project,
Scorecard).
The SE Suite 1.3 plans that have a revision in execution, and another one in the analysis, will be converted as
follows:
§ The revision that was in execution will be finished (released revision).
§ The revision that was under analysis will be converted to planning (revision in the draft step).

Security
The revision permission in the plan type security of SE Suite 1.3 will no longer exist in SE Suite 2.0. The plan
security in SE Suite 2.0 works as a hierarchy of screens, that is, in the "plan security" tab, on the plan type
screen, the user configures the permissions of all the plans created in that type and, in the security tab, on the
plan data screen, the user configures the structure permissions of that plan. The plan type also has the type
security, where the permissions of that type are configured.
Executing the data converter
For the system to enable the conversion option, it is necessary to insert, in the database, a record in the
ADPARAMS table. The SQL ANSI command to insert the record into the database is:
INSERT INTO ADPARAMS (CDISOSYSTEM, CDPARAM, VLPARAM) VALUES(215, 99, 1);
After entering the record in the database, the user should access the General parameters screen of the
component through the Configuration General parameters (RI110) menu, as in the following image.
The data conversion process is performed in two steps, which must, necessarily, be executed in the following
order:
1. Records: Convert all records that understand the configuration and file menus of the system, that is,
attributes, checklist, teams, identification masks, dynamic navigator, all the types (plan type, risk type,
control type, etc.) and all the records (risk, control, treatment, etc.).

2. Plans: Convert all the records that encompass the management and execution menus of the system,
that is, risk plans, revisions, risk analysis and their evaluations, and control analysis and their evaluations.
When clicking the 1. Records button, a new screen will be displayed. On that screen, the system will execute a
conversion script, which may take a few seconds to finish. The "Processing" message will be displayed while
the screen remains open and, when the process finishes, a message will be displayed according to the image
below.
After executing the first conversion step (records), the user must go to the last part of the conversion through
the 2. Plans button. The process is similar to what was described in step 1.
After executing the two steps, the user may verify whether there are differences between the data of the two
versions of the system, by clicking on the Conversion status button.
The conversion status will show a list with all the tables that were converted. A success icon will be displayed
if all records of each table were converted. A failure icon will be displayed if at least one record was not
converted or if the number of records is different.
It is important to point out that there may be some differences between the number of converted records of a
table, caused by inconsistency in the information coming from the SE Risk component. The image below shows
the conversion status screen.

Finally, the purpose of the Remove all records is to erase all data from the SE Risks component of Suite 2.0
and should only be triggered if there is a problem in the conversion of the records. Records added from version
2.0 will also be deleted.
After the execution of the data converter
The risk and control analyses were converted having the user logged in SE Suite during conversion as the
party responsible for them. To receive the analysis tasks, the users must edit the responsible user.
The Dashboards of Suite 1.3, now called Portals, were not converted to SE Suite 2.0 because the widgets
change. To use them, the users must create them manually through the system Portals menu.
Since in SE Suite 2.0 there is a unification of the contexts of version 1.3, there may be situations in which the
ID # of type records (plan type, risk type, control type, etc.) and of other records (plan, risk, control, risk
source, etc.) are repeated. To overcome this situation, the converter adds a unique code at the end of each
record ID # to differentiate them.

6.2 - Single Sign-On with AD
SE Suite allows authenticating users through the LDAP, NTLM, Kerberos, and SAML protocols. See below how
to set the configuration for each one of these authentication modes.
AD integration
Active Directory is an implementation of the directory service in the LDAP protocol. It is a Microsoft software
used on Windows environments. To use AD integration, follow the following procedure:
1. Set the configuration of the LDAP server. For that, refer to the SE Configuration component manual, in the
Configuration Authentication Configuring an authentication section.
2. Select one of the options of single sign-on: Kerberos or SAML SSO.
3. See further details in the section that corresponds to the selected configuration:
§ Kerberos authentication
§ SAML authentication
§ SE-Identity - Integration of Microsoft AD users with SE Suite

6.2.1 - Kerberos authentication
Overview
The architecture used by the Kerberos protocol consists of three agents: SE Suite, as the service server, the
client's Active Directory, as the authentication server, and the client. The protocol works with the exchange of
signed messages between the agents to ensure connection security. If there is a difference between the
signature of the messages, the access to the desired resource is denied.
Architecture
The Kerberos protocol uses three different agents to implement security, and they must be in the same
network domain:
[1] When logging into the network, the users sign onto the authentication server by entering
their login and encrypted password. That is the only time the user password will be
transmitted through the network.
[2] After authenticating the user, the server returns an authentication key. In the Kerberos
traditional model, that key is called Ticket Granting Ticket (TGT). It will be used to identify the
user in the next accesses to the network resources.
Comment: These two steps occur whenever a user logs in to a domain controlled by the
authentication server, regardless of future access to a resource using the Kerberos protocol.

[3] When accessing the SE Suite ( https://<domain>/softexpert ) using secure environment, it is

sent the TGT obtained by the login process for Active Directory to verify if the user has
access.
[4] The authentication server is responsible for analyzing whether the user may access the
requested resource. At this point, is sent the TGT obtained by the login process and the ID #
of the resource to be accessed.
[5] If the client (user) may access the resource, the authentication server returns a new key to
the client, the Ticket Granting Service (TGS). This key will inform the services server the client
may be trusted.
[6] The TGS, just obtained, is sent to the service server, which will validate the key to avoid
accesses with expired keys.
[7] If the TGS sent contains a valid request, the desired resource is released to the client.
Kerberos authentication configuration
Three steps are necessary for the authentication using the Kerberos protocol to be configured in SE Suite. We
recommend obeying the following sequence for possible errors in the process to be avoided:
1. Configure the authentication server to answer the requests using the Kerberos protocol;
2. Configure SE Suite to use the Kerberos authentication method;
3. Configure the user browser.
Authentication server
The authentication server supported by SE Suite is Microsoft Active Directory. Below are the steps to prepare
the server to answer the authentication requests by using the Kerberos model:
1. Create a new user. The account type must be “User” and no other type may be used;
Example: User: Kerberos
Password: test!123
2. Select the This account supports Kerberos AES 128-bit encryption, This account supports Kerberos Kerberos
AES 256-bit encryption and Do not require Kerberos preauthentication options.
3. In the AD server, add the Service Principal Name (SPN) to the user created. For the following
configurations, 3 nomenclatures will be used:
§ URL_access: URL used to access SE Suite. Ex: sesuite.softexpert.com
§ hostname: Name of the computer. Ex: sesuiteserver

§ domain: Network domain. Ex: softexpert.local
setspn -S HTTP/<url_acess> <domain>\<account-name>
Example:
setspn -S HTTP/sesuite.softexpert.com softexpert.local\Kerberos
4. Add the ktpass command to define the Service Principal Name (SPN):
ktpass -princ HTTP/<hostname>.<domain>@<DOMAIN> -mapuser <account-

name>@<domain> -pass password -kvno 0 -crypto RC4-HMAC-NT -ptype
KRB5_NT_PRINCIPAL -out <keytab-file-name>
Example:
ktpass -princ HTTP/sesuiteserver.softexpert.local@SOFTEXPERT.LOCAL -mapuser

Kerberos@softexpert.local -pass test!123 -kvno 0 -crypto RC4-HMAC-NT -ptype
KRB5_NT_MAIN -out c:\kerberos.keytab
Important!
The SPN name must be defined in the format shown above, otherwise, Kerberos will not work.
5. Copy the 'kerberos.keytab' file to the SE Suite server.
6. After running the ktpass command, it is possible to observe that in the User Logon Name field, the
Kerberos user details changed to: HTTP/sesuiteserver.softexpert.local@SOFTEXPERT.LOCAL
SE Suite
Prerequisites
The SE Suite server must be on a machine other than the authentication server and the client workstations.
Otherwise, authentication with the Kerberos protocol will not work.
The authentication using the Kerberos protocol requires that the Java extended encryption package is installed. For more
details on how to perform the installation of this package, refer to the Java Security Extension package section.

1. Access the authentication configuration screen, SE Configuration Configuration Authentication. The

system offers three types of Single Sign On (SSO) authentication, they are: Kerberos SSO and SAML
SSO. Only one of them may be selected. Therefore, select the Kerberos SSO option:
2. In the configuration section of Kerberos authentication, enter in the Domain ID field the name of the
SPN (Service Principal Name) set in the configuration of the authentication server.
Example: HTTP/sesuiteserver.softexpert.local@softexpert.local.
3. Then, upload the certificate generated by the ktpass command executed on the configuration of the
authentication server. This file must be accessible to the SE Suite server.
4. Save the configuration.

Client workstations
The Kerberos SSO is supported in Internet Explorer, Google Chrome, and Mozilla Firefox, but the browser must
be enabled to answer to negotiation requests. If the browser does not return the header in the correct
format, an NTLM token will be generated, which will result in an authentication error. See further details for
each browser:
Internet Explorer and Google Chrome
1. In Control panel, access the Internet options menu. On the screen that will be displayed, access the
Security tab;
2. Select "Local Intranet" and then click the Sites button.
3. On the screen that will be displayed, select the options:
§ Include all local sites (intranet) not listed in other zones;
§ Include all sites that bypass the proxy server.
4. Click on Advanced. On the screen that will be displayed, add all related domains.
5. Click on Close.
Mozilla Firefox
1. On Firefox, enter about:config in the address bar and press Enter.
2. Click on "I'll be careful, I promise" when warned about the change in the advanced configurations.
3. Enter negotiate in the search box.
4. Click twice on network.negotiate-auth.delegation-uris and enter the values:
http://,https://

5. Click twice on network.negotiate-auth.delegation-uris and enter the values:
http://,https://
Intranet authentication
1. In Control panel, access the Internet options menu. On the screen that will be displayed, access the
Security tab;
2. Select "Local intranet" and, then, click on Custom level.
3. On the screen that will be displayed, select the Automatic logon with current user name and password
option.
4. Click OK. Save and close the configuration screen.
Testing the Single Sign-On (SSO)
The single sign-on test must be performed on a client workstation. Nor the SE Suite server or the
authentication server may be used.
To use Kerberos Single Sign-On (SSO) on the client stations, the following must be true:
§ Kerberos must be enabled in SE Suite;
§ The user must have permission to access SE Suite (he/she must log in by using a user name and password);
§ The user must be authenticated for Active Directory (AD) via Kerberos on the client computer.
1. Make sure the selected authentication mode is Kerberos. Perform the synchronization of the (SE
Configuration Configuration Authentication) users
2. After synchronizing the users, access the system. On the login screen, select the desired domain and
click on the Single Sign-On button.

3. If this is the user's first login, the system will display a screen requiring his/her credentials; otherwise,
the login will be concluded.
Note: § The credentials refer to the user saved on the authentication server, and it will be necessary
to enter the authentication server domain in the user login field. Ex: domain\login;
§ If the Kerberos SSO fails, the user may still log into SE Suite with his/her user name and
password.
FAQ
§ Authentication error: If after doing/redoing the user's configuration and it does not authenticate, the
following command (at the command prompt) can be executed in the customer workstation (which is
accessing SE Suite):
klist purge
This command clears the Kerberos authentications cache, forcing it to take over the new configuration.
§ Error "GSSException: Failure unspecified at GSS-API level (xxxxxxxxx)" at the time of authenticating the user.
There are several causes for this error, so we present a checklist to be validated:
1) Authentication server
i. Was the user created as User type in AD?
ii. After the execution of the commands described in 'Authentication server', was the user
information updated in AD?
iii. Is the user password used in the ktpass command correct?
2) Service server
i. Was the Java JCE package updated with the USA encryption rules?
iii. Is the Keytab generated by the ktpass command during the configuration of the authentication
server accessible to the service server?
iii. Are the server and client times the same?
3) SE Suite
i. Was the 'Kerberos' option selected in the authentication configuration program (CM008)?

ii. Was the 'SPN' entered in the Principal field?
iii. Was the keytab file path generated by the ktpass command informed in the Keytab field?
4) Internet Explorer and Google Chrome browsers
i. Check the advanced configurations, in the security, if the Enable integrated Windows authentication
option is selected.
ii. Check, in the security, configurations, in Custom level, whether the Automatic logon with current
username and password option is selected.
iii. If, after synchronization, the user is unable to log into the system, access the user creation menu
(AD004) and check whether the user is inactive or blocked and/or whether there is a department
or access group configured to him/her.
§ Authentication Kerberos Problem: GSSException: Defective token detected (Mechanism level: GSSHeader did
not find the right tag)
Problem in the definition of the user credentials, which ended up generating an invalid token. Check
whether the correct credentials were entered in the first login
of the user during authentication.
Note: In the login field, it will be necessary to enter the authentication server domain. Ex:
contoso.local\kerberos
§ Authentication Kerberos Problem: GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock
skew too great (37))
Problem in synchronizing server clocks and client stations: Set the clocks for the same time.

6.2.2 - SAML authentication
Overview
SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange
user authentication and authorization data. The architecture consists of three agents: SESUITE, as the service
server app (SP), Client Active Directory with ADFS configured, as Authentication Server (IdP) and Client. The
fact that the agents are in different domains enables the client to use their own authentication server to
validate the access to a third-party service. Digital signatures ensure that all message exchanged between
agents are secure.
Architecture
There are several ways to build the architecture of the agents by using SAML. We will only cover the structure
in which the Authentication Server and the Client are in the same domain and SESUITE is in an external
domain.
The picture below represents the steps for the authentication of a user by using SAML:

[1] Access SE Suite ( https://<domínio>/softexpert ) by using a safe environment. If the user

is not logged in the system, the request is redirected to the ADFS (Active Directory
Federation Service) to start the authentication process;
[2] The ADFS generates the authentication request that is sent, through the user browser, to
the Active Directory;
[3][4] Message exchanges between the agents to perform the authentication;
[5] If the user is not authenticated, the system generates an authentication request for
him/her;
[6] If needed, some additional information is obtained from Active Directory;
[7][8] After the user is authenticated, there are some exchanges of requests between the
[9] agents to validate security issues and generate the final artifact of the negotiation. This
artifact will contain, among other things, the definition of the user and respective domain.
It is necessary to establish a secure link between the agents to ensure the reliability of the information. In
addition to the requirement of using SSL for transactions using SAML, it is necessary to exchange the keys
between the authentication server and SE Suite by using configuration files (metadata). Both SE Suite and the
authentication server generate and exchange the respective metadata files between them. In this way, each
agent has information that can be used to validate the received message.
SAML Authentication configuration
Prerequisites
Due to an export rule in the USA, the Java JDK default installation has a restriction regarding encryption
capacity. For authentication using the SAML protocol, this limitation must be removed. For that, the JCE (Java
Cryptography Extension) extension pack must be installed, according to the respective version of the JDK on
the server where SE Suite is installed. The package is available for download at the Oracle website. To install
it, just follow the steps described in the README.txt file available with the package.
The authentication using the SAML protocol requires that the Java extended encryption package is installed. For more
details on how to perform the installation of this package, refer to the Java Security Extension package section.
Configuration
Three steps are necessary for the authentication using the SAML protocol to be configured in SE Suite. We
recommend obeying the following sequence for possible errors in the process to be avoided:

1. Add information about the security certificate to the SAML authentication configuration in SE Suite;
2. Configure the federation service on the authentication server;
3. Add the authentication server metadata to the SAML authentication configuration in SE Suite
Configure the Certificate in the Federated Authentication in SE SUITE
To configure the federated authentication, it is necessary to follow the steps below:
1. Access the authentication configuration screen, SE Configuration Configuration Authentication. The

system offers three types of Single Sign On (SSO) authentication, which are: Kerberos SSO and
Federation service. Only one of them may be selected. Therefore, select the SAML 2.0 (ADFS) option:
2. Download the ADFS Metadata: https://adfsserver/Federationmetadata/2007-
06/Federationmetadata.xml

3. In the federation service configuration section, click on the button to add and create the connection with
the federation service:
i. On the screen that opens up, enter in the ID # field one identifier for the connection with the
federation server. This information will be used further on to identify which federation server will
be used;
ii. Click on the Upload of Identify Provider configurations button and import the metadata file
retrieved from the federation server;
iii. In the Validity (years) field enter the number of years that the certificate will have until it
expires;
iv. Click on the Revoke Certificate button to generate the Service Provider metadata file;
v. Click on the Download of Service Provider configurations button to obtain the Service Provider
metadata file.
This file must be imported further on into the ADFS of the authentication server.

4. Click OK.
Configure Federation on the Authentication Server
The Authentication Server uses ADFS (Active Directory Federation Service) to provide Federation services. It
provides SSO technologies to authenticate a user in various Web applications. ADFS does that safely by
sharing the digital identity and the authorizations or "statements" through the company and security limits.
Configurations
1. Execute the Wizard ADFS in ADFS Management Console and select Add Relying Party Trust to start the
Wizard configuration of the ADFS:

2. Select the Import data about the relying party from a file option and e select the metadata that
represents the SE Suite information. This file can be obtained from the authentication configuration
screen (SE Configuration Configuration Authentication).
3. Specify the name that will identify the ADFS configuration. A suggestion is to use Sesuite.

4. Select the I do not want to configure multi-facto authentication settings for this relying party trust
at this time option.

5. Select the Permit all users to access this relying party option.

6. Check if in the Endpoints tab the configuration to SAML Assertion Consumer Endpoints and SAML
Logout Endpoints are filled out.

7. Select the Open the Edit Claim Rules dialog option and click on Close.

8. The system will display the Edit Claim Rules screen. On the screen, select the Issuance Transform
Rules tab and click on Add Rules.

9. Select the Send LDAP Attributes as Claims option.
10. Define a name to identify the configuration in the Claim rule name field.
11. Select the Active Directory option in the Attribute store field.

12. In the map of attributes, select the following options:
LDAP Attribute Outgoing Claim Type
User-Principal-Name Windows account name
13. Click on Finish to finish the configuration.

14. To re-edit the newly finished configuration, access the Advanced tab and change the "Secure hash
algorithm" field to "SHA-1".
Configuring the browser
Internet Explorer
1. Access, in Control Panel Internet Options, the Security tab.
2. In Trusted sites, add the URL of the ADFS server as a safe Intranet site:

Chrome
1. It is necessary to add Chrome to the list of navigators with authentication protection on the
authentication server. For that, access the ADFS server.
2. Now, it will be necessary to disable the protection for it to be possible to add Chrome to the list of
browsers. For that, access the prompt and execute the following command:
Set-ADFSProperties –ExtendedProtectionTokenCheck None
3. Execute the following command to display the list of browsers that currently support the authentication
protection:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
4. Select all the listed browsers and add "Mozilla/5.0". Execute the command below:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE

8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights
Management Client", "Mozilla/5.0")
5. Restart the ADFS service. At this moment, the authentication protection will be enabled again.
Reconfiguring
In some situations, such as of an expired certificate and database update, among others, it will be necessary
to reconfigure the SAML authentication process.
To reconfigure the SAML authentication environment, it is necessary to regenerate the system configuration
file and reimport it into ADFS. Below are the steps to be followed:
1. Access the SAML authentication configuration (SE Configuration Configuration Authentication)

screen. In the Navigation side panel, access the SAML menu.
2. Check and if necessary, update the User domain and Domain used in key fields for the same domain
used to access the system.
3. In the Validity section, click on the Revoke certificate button.
4. After the certificate is generated, click on the Download of Service Provider configurations button
located in the Configuration files section.
5. Access ADFS and delete the respective record from the federation used by the system.
6. Recover the generated XML file and redo the ADFS configuration steps described in step 4 of the
Configure Federation in the Authentication Server subtopic.

Testing the Single Sign-On (SSO)
The single sign-on test must be performed on a client workstation. Nor the SE Suite server or the
authentication server may be used.
1. Make sure the selected authentication mode is SAML. Perform the synchronization of the (SE
Configuration Configuration Authentication) users.
2. After synchronizing the users, access the system. On the login screen, select the desired domain and
click on the Single Sign-On button.
3. If this is the user's first login, the system will display a screen requiring his/her credentials; otherwise,
the login will be concluded.
Note: If the SAML single sign-on fails, the user may still log into SE Suite with his/her user name and
password.
FAQ
§ "Failed to decrypt EncryptedData" error when authenticating the user
This error occurs when the Java JDK encryption key restriction rules are limited to 1024 bits. Check the
prerequisite in the "SAML Authentication Configuration" section for further details.
§ "PKIX path building failed" error when validating the certificate.
This error refers to problems when validating the certificates between the agents. Below are the
possible causes of this error:
1. The certificate used to sign the requests is not valid:
i. Generate a new certificate and execute the procedure to install the SESUITE new metadata on
the Authentication Server.
2. The SSL certificate used in the SESUITE server is not recognized by the authentication server:
i. Import the SSL certificate as a trusted certificate into the authentication server.

3. The authentication server certificates are not recognized by SESUITE:
First: ADFS certificate
i. Access ADFS, select the 'Certificate' folder, and double-click 'Token-signing';
ii. Access the 'Details' tab and click the 'Copy to File' button;
iii. Export the certificate as Base-64 Encoded X.509;
Second: IIS Certificate authentication server
iv. Export the certificate as Base-64 Encoded X.509;
v. Import the certificate onto the SE Suite server:
keytool -import -trustcacerts -file <path/certificate.cer> -alias

<alias> -keystore <path/certificate>.jks
vi. Add the attribute in the Tomcat JAVA_OPTIONS: -

Djavax.net.ssl.trustStore=<path/certificate>.jks
§ "Time Synchronization" error when authenticating the user
The processing of the SAML messages is limited to a short interval. That is done to prevent request
repetition attacks. That way, both the server running SE Suite and the authentication server must have
their clocks synchronized. Otherwise, the Time Synchronization error will be displayed in the product log
and the login will be aborted.
§ After synchronization, the user is unable to log into the system
Access the user, (SE Administration File Organization structure User), record and verify that the
user is not inactive or blocked and still has the same Access Area and Group configured.
§ Authentication negotiation is unable to access the ADFS server
Test the link below to validate whether the user and password acknowledged by the browser are
correct. The link should display the ADFS configuration list for connection.
https://adfsserver/adfs/ls/IdpInitiatedSignOn.aspx

6.2.3 - SE-Identity - Integration of Microsoft AD users with

SE Suite
Overview
SE Identity is an application that synchronizes the SE Suite users with Microsoft AD when the SE Suite server
does not have direct access to the Microsoft Active Directory server. This type of situation may occur when the
organization has several independent and isolated domains.
The application must be installed on a station within the network with access to Microsoft AD and SE Suite.
When being executed, the application will access the user data in Microsoft Active Directory to generate the
integration files and send them to SE Suite for the integration to be performed.
Requirements
§ Java Runtime 8 or later;
Installation
1. To install SE Identity, in the SE Configuration component, access the Configuration
2. Click on the button to download the application file se-identity.zip.
3. Decompress the file.
Configuration
4. To configure SE Identity, access the conf folder, inside the folder that was decompressed:
se-identity/conf/
5. Open the se-identity.xml file. Make sure to have permission to edit the file.
The information examples will follow the standard below:
§ The values between <...> are required and must be modified with real values of the environment where it will
be executed.
§ The values between [...] are optional values; if not necessary to enter them, they must be removed from the
configuration.

Configuration attributes
Connection with Microsoft AD
§ url: URL to access Microsoft AD using the LDAP protocol (LDAP://<host>[:port]). For example:
<url>ldap://softexpert.local:389</url>
§ userLdap: User name (displayName, not the login) with permission to view the data in Microsoft AD;
§ passwordLdap: Password of the user with permission to view the data in Microsoft AD.
§ loginUserLdap: User login for authentication on the LDAP server.
General data
§ enable: When creating the domain in SE Suite, defines the status as active.
§ released: When creating the domain in SE Suite, defines the status as released.
§ ssoPort: Domain address port.
§ fgSyncLanguage: Sets the synchronized user language (0 - English, 1 - Portuguese, 2 - Spanish).
Domain identification
§ domain: Name of the domain.
§ domainIdentifier: Domain ID #.
User selection
§ importDN: Path in the directory structure where the users are.
§ userAuthorizationPattern: Filter to select the users who will be integrated with SE Suite.
§ defaultSynchronyzerFilter: Identifier that will be used as a key in the first integration with users already
existent in the SE Suite database.
§ onLoginImport: If enabled, imports the user into SE just as he/she authenticates in the system.
User data
§ nmSyncFieldNmDomainUID: User creation field in Microsoft AD that will be used as unique identifier when
creating the user in SE Suite
§ nmSyncFieldIdLogin: User creation field in Microsoft AD that will be used as login when creating the user
in SE Suite
§ nmSyncFieldIdUser: User creation field in Microsoft AD that will be used as User ID when creating the
user in SE Suite

§ nmSyncFieldNmUser: User creation field in Microsoft AD that will be used as name when creating the user
in SE Suite
§ nmSyncFieldDsUserEmail: User creation field in Microsoft AD that will be used as email when creating the
user in SE Suite
§ fgSyncNotice: Indicates to the system whether the user will receive training notifications, improvements,
and system news.
§ fgSyncLeader: Indicates to the system whether the Microsoft AD "manager" attribute should be
synchronized into SE Suite.
Position data
§ fgSyncPos: Indicates to SE Suite whether the user position synchronization is active.
§ nmSyncFieldIdPosition: User creation field in Microsoft AD that will be used as identifier when creating
the position in SE Suite
§ nmSyncFieldNmPosition: User creation field in Microsoft AD that will be used as name when creating the
position in SE Suite
§ fgSyncPosEnabled: Indicates to the system whether the user will be created as active or inactive.
Department data
§ fgSyncDept: Indicates to SE Suite that the user department synchronization is active;
§ nmSyncFieldNmDepartment: User creation field in Microsoft AD that will be used as identifier when
creating the department in SE Suite
§ nmSyncFieldIdDepartment: User creation field in Microsoft AD that will be used as name when creating
the department in SE Suite
§ fgSyncDeptEnabled: Indicates to the system whether the department will be created as active or inactive.
§ idDefaultAccessGroup: Access group code (if set, this will be the default access group when performing
the user synchronization).
Connection with SE Suite
§ nmAddress: Access address to SE Suite (https://domain/).
§ nmSEUser: User login that will be used to authenticate in SE Suite with permission to perform the
integration.
§ nmSEPassword: User password that will be used to authenticate in SE Suite with permission to perform
the integration.
Data for Notification Synchronization
§ qtNotifierPeriod: Time limit for synchronization inactivity; The system administrator will be notified by e-
mail when the synchronization inactivity period is reached.

§ fgNotifierPeriodType: Time limit for synchronization inactivity type. Types available: Minutes, Hours, DAYS
e WEEKS.
§ mergeDepartmentFunction: If enabled, when synchronizing the user, the AD user department will be
replaced by the current department associated in SE Suite; if it is disabled, the AD user department will be
incremented in the departments associated with the user in SE Suite.
Execution
6. After configuring the se-identity.xml file, double-click the se-identity.jar file, located in the se-identity
folder. The application will display the following screen:
7. Click on the Simulate synchronization button to execute a synchronization simulation, without affecting
the changes of the SE Suite. The system will notify when the data sending finishes. To verify the
simulation, in the SE Configuration component access, the menu Configuration Authentication (CM008)
and click on the (View synchronization simulation) button.
8. Click on the Synchronize button to perform the synchronization of Microsoft Active Directory user data
with SE Suite. The system will notify when the data sending finishes. To verify the synchronization, access
the SE Configuration component, Configuration Authentication (CM008) menu and, on the Browse panel,
access the synchronization section.
Scheduling
It is possible to schedule the execution of the application on Windows. For this, access the Task Scheduler in
Control Panel Administrative Tools Task Scheduler and schedule as you need. Below is an example of how
to create a basic task on Windows, executed daily:

9. In the Task Scheduler tool, click the "Create Basic Task..." option, located on the right-side panel.
10. On the screen that will be displayed, enter a name and a description for the task. After, click on the Next
button to proceed with the scheduling record:

11. In the Trigger step, enter the frequency of the scheduling being created. Click on the Next button and
enter the details about the selected frequency. Click on Next to proceed with the scheduling:

12. In the Action step check the "Start a program" option and click on Next to configure the startup
parameters of the SE Identity application:

13. Now, enter the information referring to the SE Identity start up and, after that, click Next:
§ Program/script: javaw
Command to execute se-identity.jar. Remember that the java installation folder must be in the
system path (environment variables) for the file to be executed from any folder in the system or
enter the specific path for the desired version;
§ Add arguments (optional): -jar se-identity.jar run
Command used as the javaw argument for the execution of the se-identity.jar file.
§ Start in: Enter the path where the application can be found. Ex: C:\sesuite\se-identity\

14. In the Finish step, check the summary of the scheduling and click on Finish to create the scheduling. At
this point, the SE Identity application will always be executed according to the frequency set in the
scheduling.

6.3 - File Manager server
This section contains the steps for the installation and configuration of the File Manager server to be used to
redirect the PDF conversion and File Manager update.
All the procedures below must be executed on a Windows server, on which File Manager will be installed, not on the SE
Suite server.
1. Access the server where SE Suite is installed;
2. Edit the database_config.xml.
3. In the <domain> field change to the domain used by the users;
Note: If there is more than one domain used for the same database, update it to the most common one.
Example: If the URL to access the system is https://client.softexpert.com/softexpert, enter the

'client.softexpert.com' only.
4. In the <connectionName> enter the same information that is in the <domain> field;
Note: If it is a multi-database, repeat steps 3 and 4 for all the databases.
5. Copy the following files to the server where FileManager will be installed:
§ SESUITE_HOME\conf\database_config.xml
§ SESUITE_HOME\usr\local\se\plugins\FileManagerInstaller.zip
6. Access the server where FileManager will be installed;
7. Install the 32-bit version of Java JRE 8;
8. Add Java to the Windows PATH:
a) Start Menu > type "This PC";
b) Right-click "This PC";

c) Click "Properties";
d) Click "Advanced System Settings";
e) Click "Environment Variables...";
f) In "System Variables", identify the "Path";
g) Double-click on "Path";
h) At the beginning of the line, paste the Java installation path:
C:\Program Files (x86)\Java\jre8\bin;
Note: Do not forget the “;” after bin.
i) Click on "OK" to finish.
9. Decompress the "FileManagerInstaller.zip" file copied in step 5;
10. Open the cmd as administrator:
a) Start Menu > type "cmd";
b) Right-click on "Command Prompt" and, after that, click "Run as administrator"
c) On the title bar of cmd should appear "Administrator:"
11. Access to the folder where you decompressed "FileManagerInstaller.zip" in step 9:
cd C:\Users\Administrator\Desktop\FileManagerInstaller
12. Execute the installer:
java -jar FilemanagerInstaller.jar
13. Enter the path where FileManager will be installed:
C:\SEFILEMANAGER
14. Enter the ports that FileManager will install.
HTTP Port = 5020

AJP Port = 5009
Note: There should not be an active installation of Tomcat on the same server.
15. Press Next, Next, Finish to finish.
16. Create a local user on Windows, member of the "Administrators" group;
17. Open the Windows service manager:
a) Start Menu > type services.msc, then, press ENTER;
18. Locate the "File Manager Server" service;
19. Right-click on > "Properties";
20. Click on the "Log On" tab and then "This account";
21. Enter the user and password created in step 16;
22. Click OK and confirm the alerts that are displayed;
23. Install and activate 32-bit Microsoft Office;
Note: The version should be equivalent to the one used by the users. This installation should not be logged with
a Microsoft or corporate account. The older version should have the PDF conversion add-in installed.
24. With the cmd opened in step 10, type "mmc comexp.msc /32";
25. Expand "Component Services > Computers > My Computer > DCOM Config";
26. Locate the "Microsoft Excel Application" item;
27. Right-click "Properties";

28. In the "Identity" tab, check "This user" and fill it in with the user created in step 16;
29. Click on OK to confirm;
30. Copy the database_config.xml file copied in step 5 into the conf folder of FileManager:
C:\SEFILEMANAGER\conf
31. If Oracle, skip to step 35;
32. Edit the C:\SEFILEMANAGER\conf\ database_config.xml file;
33. Confirm if the <server> field is pointing to the correct bank server;
When in doubt, follow the procedure below:
a) Access the server where sesuite is installed;
b) Execute this command:
ping <server field value>
c) Access the server where FileManager is being installed;
d) Execute this command:
ping <server field value>
If the value is different or if it does not respond. Change the <server> field in database_config.xml
of FileManager for IP result of item b);
34. If use SQL Server or PostgreSQL, skip to step 46;
35. Install the 32-bit Oracle client.
Note: During the Oracle client installation, select the "Administrator" mode (complete).
36. Copy the Oracle lib to the FileManager folder:
§ Oracle Client 10: C:\oracle\product\10.2.0\client_1\jdbc\lib\ojdbc14.jar

To the C:\SEFILEMANAGER\lib folder
37. Access the server where SE Suite is installed;
38. Copy the content of the /usr/local/se/apps/oracle-client/tnsnames.now file
39. Access the server where FileManager is being installed;
40. >Paste the content copied in step 38 into the file:

C:\oracle\product\11.2.0\client_1\network\admin\tnsnames.ora
41. Still, in the tnsnames.ora file on the server where FileManager is being installed, confirm the HOST field;
When in doubt, follow the procedure below:
a) Access the server where sesuite is installed;
b) Execute this command:
ping <HOST>
c) Access the server where FileManager is being installed;
d) Execute this command:
ping <HOST>
If the value is different or if it does not respond. Change the HOST in the tnsnames.ora field of
FileManager for IP result of item b);
42. Edit the C:\SEFILEMANAGER\conf\ database_config.xml file;
43. Confirm if the <port> field is correct;
44. In the <db> field enter the bank's SID;

Note: The SID may be the same as the SERVICE_NAME, but that is not a rule. When in doubt, ask the DBA for
the correct SID.
45. In the <server> filed, fill in with the same value as the HOST field configured on tnsnames.ora (C:
\oracle\product\11.2.0\client_1\network\admin\tnsnames.ora);
46. Verify if the server time FileManager is less than 5 minutes apart with the SE Suite server;
47. Restart the FileManager service:
a) Start Menu > type "services.msc" and Enter;
b) Locate the "File Manager Server" service;
c) Right-click on > "Restart";
48. Restart the SE Suite services.
49. Verify if the port 5020 is released in the firewall of the SE Suite output server, in the incoming firewall of
the server where FileManager is being installed, and whether it is also released in some firewall server
between the two servers.
50. Open a browser and access SE Suite through the URL defined in step 3;
51. Access the Document > Configuration > General parameters (DC035) screen.
52. In the Services tab, check the "Enable service redirection" option;
53. In "Server", enter http://<ip_servidor_filemanager>
54. In "Port", enter 5020;
55. Click the checkbox next to the "Port" field to test the connection;

56. Click on Save and exit to Finish.
Test
§ Create a category and enable PDF conversion;
§ Create a document and associate an electronic file;
§ Verify whether the electronic file was converted to PDF.
If a problem occurs in the conversion to PDF, refer to the following link:
http://stackoverflow.com/questions/4408538/exportasfixedformat-with-excel-fails

6.4 - Scale service (SE Asset)
For the gage to connect with SE Suite, it is necessary to install ScaleService on the client machine(s). See how
to install that service in the steps below:
1. First of all, access the web/wwwroot/asset/app/ directory of the SE Suite server and copy the
ScaleService.rar file to the C:/ client's machine. Then, decompress the ScaleService.rar file in the C:/
directory.
2. With admin privileges in cmd, execute the following command:
cd c:/ScaleService
3. After that, execute the following command:
SEScaleService.exe install
4. After installing the service, it should be started. For that, click on the Start Windows menu and type
"services.msc". Click the option and wait for the service manager screen to open;
5. In the service manager, search for SESuite Scale Connection Service and start the service.
For the correct connection with the equipment, the service must always be in execution. With that, configure the
service with an automatic start for it to be started with Windows.

6.5 - PDF conversion
This section will describe some procedures regarding the conversion to PDF, such as the addition of the PDF
conversion service with the Windows services, or the use of Microsoft Office as a PDF converter. See further
details in the following sections:
§ Addition of the PDF service
§ Conversion to PDF with Microsoft Office

6.5.1 - OpenOffice PDF conversion service
The OpenOffice PDF conversion service is required to convert documents in the OpenDocument Text (.odt)
format. To insert the PDF conversion service to the Windows services, execute the following steps:
1. Download and install OpenOffice;
2. Download and install Windows Server 2003 Resource Kit Tools;
3. Create the C:\sesuite\pdfconverter directory;
4. Copy thesrvany.exe file installed by the Windows server 2003 Resource Kit tools C:\Program Files
(x86)\Windows Resource Kits\Tools in the directory to C:\sesuite\pdfconverter;
5. Click on the Start Windows menu, type "cmd", click on the wait option for the screen to open;
6. On the MS-DOS screen, type in the following command:
sc create "PDF Converter" binPath= "c:\sesuite\pdfconverter\srvany.exe"
7. Click on the Start Windows menu, type "regedit", click on the wait option for the screen to open;
8. In the registry editor, browse to the following service key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PDF Converter
9. Create a new key named "Parameters";
10. Create a new character chain value (String) named "Application";
11. Edit the just created value and enter the value:
"<openoffice_installation_dir>\program\soffice.exe" -headless -
accept="socket,host=0,port=5011;urp;" -nofirststartwizard
12. The registry key must look as shown in the image below:

13. Click on the Start Windows menu and type "services.msc". Click on the option and wait for the service
manager screen to open;
14. Search for the PDF Converter service;

6.5.2 - Conversion to PDF with Microsoft Office
It is possible to use Microsoft Office to convert documents to PDF. For that, it will be necessary to configure the
SE Suite server and, on that server, install Microsoft Office Professional 2007 or later.
This is an optional procedure and, if it was not executed, the system may use OpenOffice for conversion.
Directories
After installing Microsoft Office on the SE Suite server, it will be necessary to create a directory. See below the
location where the folder must be created for each architecture type Windows may have, that is, 32-bits or 64-
bits:
Windows Server x86
§ If the system is installed on a 32-bit Windows Server environment, the following directory must be created:
C:\Windows\System32\config\systemprofile\Desktop
Windows Server x64
§ If the system is installed on a 64-bit Windows Server environment, the following directory must be created:
C:\Windows\SysWOW64\config\systemprofile\Desktop
§ If the Windows Server environment architecture version is 64-bits and Microsoft Office Professional version is
32-bits, the following directory must also be created:
C:\Windows\System32\config\systemprofile\Desktop
Conversion service configuration
The following configuration must be set on the SE Suite server after installing Microsoft Office.
If you wish to use File Manager, set the following configuration on the File Manager server.
1. Access the Windows registry (regedit.exe).

2. For the conversion service to work correctly, it will be necessary to insert the "Devices", "PrinterPorts",
and "Windows" key registries into [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows
NT\CurrentVersion]:
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Devices
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
3. For that, import the following code into the registry key:
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Send To OneNote 2010"="winspool,nul:"
"Microsoft XPS Document Writer"="winspool,Ne00:"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Send To OneNote 2010"="winspool,nul:,15,45"
"Microsoft XPS Document Writer"="winspool,Ne00:,15,45"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"UserSelectedDefault"=dword:00000000
"Device"="Send To OneNote 2010,winspool,nul:"
4. After importing the records, restart the Tomcat service.

6.6 - Workstations configuration
This section will cover the necessary configurations on the workstations. This configuration section contains
the main following topics:
§ Internet Explorer configuration
§ Firefox configuration
§ OpenOffice automation
§ MSI installation
The activities in this section must be executed on all the workstations that will access SE Suite.

6.6.1 - Internet Explorer configuration
If the workstation environment is Windows and the browser to be used is Internet Explorer, check whether
the Internet Explorer security configurations meet the minimum requirements for SE Suite to work on the
workstations:
1. Access the Start Control Panel menu;
2. In the control panel, access the Internet Options (category Network and Internet) menu;
3. Access the Security tab and in Select a zone to v iew or change security settings, click Local intranet;
4. In the Security levels for this zone, click on Custom level... and in Settings;
Make sure to add your SE Suite link to the Allowed sites section.
5. Verify whether the following items are configured as described:
§ ActiveX controls and plug-ins > Binary and script behaviors: enable
§ ActiveX controls and plug-ins > Run activeX controls and plugins: enable
§ ActiveX controls and plug-ins > Script ActiveX controls marked safe for scripting: enable
§ Downloads > Automatic prompting for file downloads: enable
§ Downloads > File download: enable
§ Scripting > Active scripting: enable
6. Click OK;
7. Access the Privacy tab and in Pop-up Blocker, click on Settings;
8. On the window that opens up, in the Blocking level select Low: Allow pop-ups from secure sites
option. See further details in the following image:

Make sure to add your SE Suite link to the Allowed sites section.
9. Click on Close to close this window and then on OK to close the Internet Options window;
10 Restart Internet Explorer.

6.6.2 - Firefox configuration
Check whether the Firefox configurations meet the minimum requirements for SE Suite to work on the
workstations:
1. Open Firefox and access Tools Options on the menu bar;
2. In the Content tab, in Block pop-up windows, click on the Exceptions button;
3. Enter the SE Suite domain and click on the Allow button;
4. Click on Close to close this screen and then click on OK to close the Options screen;
5. On the Firefox menu bar, click on Tools Add-ons;
6. Access the Plugins tab and check if the installed and enabled Java plugin exists;

6.6.3 - OpenOffice automation
The OpenOffice automation allows disabling the save, print options, among others. To use the OpenOffice
automation, the client machine must have access to the following directories (on the client machine itself):
C:\Windows\Temp
C:\Program Files\Java\jre8\lib\ext

6.6.4 - MSI installation
PDF, DWG, and DXF files are viewed, in SE Suite, through SE Viewer. When opening one of these files for the
first time, the system requests the installation of the viewer. If the logged user has no permission to install the
viewer, the administrator will have to execute the following procedure:
Locate thesepreview.zip file, in the SE Suite installation directory (server): C:

\Inetpub\SE\web\wwwroot\generic\app\viewer\sepreview.zip.
Manual procedure
Uncompress the sepreview.zip file and execute the MSI file on the client workstations that need to install
the viewer.
The execution should be performed by a user with administrator permission on the machine.
Automatic procedure
Decompress the sepreview.zip file and add the MSI file in the network login script so that it is replicated
to all stations automatically.
It must be parameterized to be executed with administrator permission whenever a new user logs on to the
machine.

6.7 - Remote access configuration
If the system is accessed through a remote access environment (Citrix, Terminal Services, etc.), the following
configuration must be set in the Citrix or Terminal Services servers:
1. In the Windows registry (regedit.exe), access:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust
Providers\Software Publishing
2. In the "State" item change the 23c00 value to 23e00, this will disable the CRL verification to the system
user account.

6.8 - External access configuration
A reverse proxy is a network server that receives all the external connections and forwards them to the Web
server. See below how to configure the system external access:
For the external access to work correctly, the URL to access the system must be interpreted both on the stations and
on the application server. For this, the domain used in the external access must be recorded in the file hosts operating
system, application server pointing to the local IP (or 127.0.0.1).
1. Open to edit the hosts file of the SE Suite server:
C:\Windows\System32\drivers\etc\hosts
2 And add the access domain line according to the following example:
127.0.0.1 externalaccess.softexpert.com
There may be not port change in the NAT configuration. If, in the IIS, port 80 is being used, the firewall must direct to
port 80 as well. For instance, it cannot be directed from 81 to 80, only to the same port.
Reverse proxy
Considering that the DNS to be used externally is sesuite.softexpert.com, this very DNS must respond internally
on the proxy server, pointing to the application server where SE Suite is installed, as well as in the internal
network resolve the internal IP of the same server.
To ensure this procedure, we may use the proxy server HOSTS file and force the DNS redirecting to the desired
IP (internal). The same must be performed on the application server.

Follow the mod_proxy configuration example using the DNS sesuite.softexpert.com:
<Proxy *>
Order deny, allow
Allow from all
</Proxy>
ProxyRequests On
ProxyVia On
ProxyPass /se http://sesuite.softexpert.com/se
ProxyPassReverse /se http://sesuite.softexpert.com/se
ProxyPass /softexpert http://sesuite.softexpert.com/softexpert
ProxyPassReverse /softexpert http://sesuite.softexpert.com/softexpert
ProxyPass /bi http://sesuite.softexpert.com/bi
ProxyPassReverse /bi http://sesuite.softexpert.com/bi
Below is the diagram this system:

6.9 - Troubleshooting
The topics in this section contain the steps to solve problems identified in SE Suite.
§ Requirements check
§ Index server
§ System version
§ Single Sign-On

6.9.1 - Requirements check
Starting in version 2.0.5, SE Suite contains a requirements checker. This resource is a functionality, executed
during the SE Suite initialization, which aims to make sure the server meets all the requirements for system
use. If a requirement for system use is not met, the checker will display a message to indicate the
configuration that needs to be solved.
See below some configurations that may be required to start the SE Suite service:
Configuring the time zone in Java
By default, the time zone used in Java is the same of that configured in the operating system. To start the
application with a time zone different from the one used by the operating system, it is necessary to
indicate that to Java in the system start up, through the user.timezone attribute, according to the
following examples:
SE Suite in Windows:
§ Execute the "Tomcat monitor" application (TOMCAT_HOME\bin\tomcat7w.exe)
§ Access the Java tab
§ Add a new line in the "Java options" with the value: -Duser.timezone=America/Los_Angeles
The time zone used in the example is the official USA time zone, the ID # for other time zones can be found at:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones (Accessed on Sep/08/2016).
Adjusting the day light saving time
If the system displays a divergence in the daylight-saving time configuration between Java and PHP, the
problem may be in the version of the Java time zone database. To update the database, execute the
following steps:
§ Download the "Time zone Updater Tool" application
§ Run the application with the same Java virtual machine used by SE Suite with the command line " java -
jar tzupdater.jar -f"
§ If the current directory is not the same as the tzupdater.jar is, use the full path up to the tzupdater.jar file
§ To compare the time zone database versions of Java and of the application, execute the "java -jar
tzupdater.jar -V" command.

Configuring the time zone in PHP
To set the time zone that will be used by PHP it is necessary to edit the file php.ini (usually located in
SESUITE_HOME\web\php\lib\php.ini). Locate and edit the following line according to your time zone:
date.timezone = America/Los_Angeles
The time zone used in the example is the official USA time zone, the ID # for other time zones can be found at:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones (Accessed on Sep/08/2016).
Solving JAVA issues
System Parameter Description
GENERAL HD "HD free space is {SPAC E AVAILABLE IN DISK}, when it should be at

least 5GB."
Solution: Release physical space in the machine.
GENERAL JavaVersion "The installed Java version is {JAVA VERSION}, when it should be 1.7."
Solution: Remove the java version and install the correct one.
GENERAL TomcatMemory "The Apache Tomcat server is configured to use up to

{C ONFIGURED_MEMORY} MB of memory. At least 1024 MB are required.
See how to perform this operation in the Installation guide."
Solution: For Windows environments, see the memory configuration procedure, described in the Apache Tomcat
installation section.

Solving php.ini issues
GENERAL output_buffering "Output_buffering variable value is {VALUE}, when it should be 1. C heck

configuration in php.ini."
GENERAL max_input_time "Max_input_time variable value is {VALUE}, when it should be at least

300. C heck configuration in php.ini."
GENERAL memory_limit "Memory_limit variable value is {VALUE}, when it should be -1. C heck
GENERAL post_max_size "Post_max_size varaible value is {VALUE}, when it should be at least

500M. C heck configuration in php.ini."
GENERAL upload_max_filesize "Upload_max_filesize variable value is {VALUE}, when it should be at

least 500M. C heck configuration in php.ini."
GENERAL session.name "Session.name variable value is {VALUE}, when it should be se-

authentication-token. C heck configuration in php.ini."
GENERAL session.gc_probability "Session.gc_probability variable value is {VALUE}, when it should be 0.

C heck configuration in php.ini."
GENERAL session.gc_maxlifetime "Session.gc_maxlifetime variable value is {VALUE}, when it should be

GENERAL session.cache_expire "Session.cache_expire variable value is {VALUE}, when it should be

GENERAL opcache.enable "Opcache.enable variable value is {VALUE}, when it should be 1. C heck

GENERAL opcache.memory_consu "Opcache.memory_consumption variable value is {VALUE}, when it

mption should be 256. C heck configuration in php.ini."
GENERAL opcache.interned_strings "Opcache.interned_strings_buffer variable value is {VALUE}, when it

_buffer should be 128. C heck configuration in php.ini."
GENERAL opcache.max_accelerate "Opcache.max_accelerated_files variable value is {VALUE}, when it

d_files should be 70000. C heck configuration in php.ini."
GENERAL opcache.save_comments "Opcache.save_comments variable value is {VALUE}, when it should be

GENERAL opcache.load_comments "Opcache.load_comments variable value is {VALUE}, when it should be


GENERAL opcache.enable_cli "Opcache.enable_cli variable value is {VALUE}, when it should be 0.

GENERAL max_execution_time "Max_execution_time variable value is {VALUE}, when it should be at

least 200. C heck configuration in php.ini."
GENERAL session.save_path "Session.save_path variable was not configured. C heck configuration in

php.ini."
GENERAL date.timezone Date.timezone Java variable (JAVA_TIMEZONE) must be the same as the
PHP variable (PHP_TIMEZONE). Java uses the time zone defined by the
operating system, while PHP uses the value defined in the php.ini file."
Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the message variable.
2. C heck for other similar variables (repeated).
3. If there are repeated variables, add a “;” (semi-colon) at the beginning of the line for it to be commented, thus
the variable will not be validated. Example of a commented variable:
;cgi.force_redirect = 1
Example of valid variable (uncommented):
cgi.force_redirect = 1
4. After locating the variable, define the correct value, as described in the message.
5. Save the file and restart SE Suite.
WINDOWS realpath_cache_size "Realpath_cache_size varaible value is {VALUE}, when it should be at

least 1024k. C heck configuration in php.ini."
WINDOWS cgi.force_redirect "C gi.force_redirect variable value is {VALUE}, when it should be 0.

WINDOWS fastcgi.impersonate "Fastcgi.impersonate variable value is {VALUE}, when it should be 1.

Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the message variable.
2. C heck for other similar variables (repeated).
3. If there are repeated variables, add a “;” (semi-colon) at the beginning of the line for it to be commented, thus
the variable will not be validated. Example of a commented variable:
;cgi.force_redirect = 1
Example of valid variable (uncommented):
cgi.force_redirect = 1
4. After locating the variable, define the correct value, as described in the message.

WINDOWS Zend OPcache "zend_extension=ZendLoader.dll extension is not enabled. C heck

WINDOWS memcache "extension=php_memcache.dll extension is not enabled. C heck

WINDOWS zip "extension=zip.dll extension is not enabled. C heck configuration in

php.ini."
WINDOWS soap "extension=soap.dll extension is not enabled. C heck configuration in

php.ini."
WINDOWS gd "extension=gd.dll extension is not enabled. C heck configuration in

php.ini."
Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the extension described in the message.
2. C heck for other similar extensions (repeated).
3. If there are repeated extensions, add a “;” (semi-colon) at the beginning of the line for it to be commented,
thus the extension will not be validated. Example of a commented extension:
;zend_extension=php_opcache.dll
Example of a valid extension (uncommented):
zend_extension=php_opcache.dll
4. After locating the extension, define the correct value, as described in the message.
Solving template issues
GENERAL ...web\include\template The {NAME_OF_FILE} template is not a template in the JSON format.
Solution: C ontact SoftExpert.

6.9.2 - Index server
The objective of the index server is to extract data from records and files in SE Suite to index them. These
indexes are used in some system search screens, in addition to the general search. This service works in
parallel with the system; when starting SE Suite, the index service is also started. See below the steps to
verify whether the service is being executed:
1. Open the Task manager (taskmgr.exe), access the tab that shows the services that are running and
enable the display of a column called Command Line:
The procedure to make this column be displayed may vary according to the version of the Operating System:
§ Right-click the title of the columns and select the "Select columns" option; or
§ Access the "View > Select columns" menu.

2. Locate the Java service with the following command line (column Command Line):
"SESUITE_HOME\tools\se-fts-indexer-server\se-fts-indexer-server.jar".
In some situations, this service may not work adequately. See below a list of possible causes and their
solutions:
Port blocked in the FIREWALL
1. Open for editing the SESUITE_HOME\tools\se-fts-indexer-server\conf\config.properties file and

verify the indexer.server.port parameter port. Example:
#Port used by the index server

indexer.server.port=31712
2. Check whether there is a firewall configuration blocking the port of the 'indexer.server.port'
parameter. After unblocking the port, it will be necessary to restart the system and check whether the
index service is being executed.
Port being used in another service
1. Open for editing the SESUITE_HOME\tools\se-fts-indexer-server\conf\config.properties file and

verify the indexer.server.port parameter port. Example:
#Port used by the index server

indexer.server.port=31712

2. Check whether there is another service using the port of the indexer.server.port parameter. If
affirmative, select an available port.
Problem with the Oracle database
Check for the following error in the SE Suite logs:
'java.lang.UnsatisfiedLinkError'
If existent, it will be necessary to perform the following procedure:
1. Execute SE Configurator, which may be found at SESUITE_HOME\tools\configurator. On the screen

that will be displayed, edit the connection:
2. At this point, the connection data will be displayed. Click the 'Save and exit' button:

3. Wait for the connection tests to finish:
4. After that, click 'Cancel' and the procedure will be finished.
5. Restart the SE Suite services.

6.9.3 - System version
The system verifies the versioning of the packages, aiming to maintain SE Suite stability. Incompatibilities
between the versions of the installed/updated packages may be found. See below the solution to stabilize SE
Suite:
1. First, stop all the services used by SE Suite:
2. Execute SE Configurator, which may be found in SESUITE_HOME\tools\configurator. On the screen

that will be displayed, click the button to equalize the base:
3. After equalization, restart the system.

6.9.4 - Single Sign-On
To advance possible problems in the process of synchronizing and authenticating users in a domain, you can
test the configuration of the domain in the system authentication configuration (CM008), in the "Directory
integration Domains" section, when creating or editing a record. This procedure will test the communication
from the SE Suite server with the authentication and directory servers that are informed in the configuration.
The protocols tested are LDAP, using the Connection string, user and password provided, and communication
with the domain address and port NTLMV2, for authentication via the NTLMV2 protocol.
Generally, the failure, in the connection test, occurs if there are errors in the domain configuration or problems
in the network connections between the SE Suite server and the servers that host the directory services and
authentication. Therefore, it is indicated the use of tools to perform connection diagnostics or the assistance of
the network administrator for any verification of addresses and ports used in the communication.
Possible connection test returns:
§ Message of error to connect to domain controller: The SE Suite server was unable to open a connection via
the LDAP protocol using the URL that was informed in the "Connection string" field. Verify if the field is filled
in correctly and if a port has not been specified in the URL itself, verify if the server is accepting
connections on the default LDAP port 389, or for ports 636 and/or 3269, defaults for LDAPS, or contact the
directory service administrator to check the availability of the service.

§ Alert message informing that the connection via NTMV2 failed: The SE Suite server was unable to open a
connection for the domain address and port reported in the configuration. Verify if the respective fields
("domain address" and "Port NTLMv2") are correct and if the destination server is accepting connections
on the informed port. If it is not, check the firewall rules or contact your network administrator. Comments:
If there is no intention to use the NTLMV2 authentication protocol, this alert can be ignored.
§ Error message informing you that the user was not found or the password is incorrect: communication
with the directory service has occurred smoothly, but the user and password that are informed in the
"User" and/or "Password" fields are incorrect. This user refers to a created user in the directory service, so
it must be verified if the name and password conform to the information logged in the service. Remember
that in the "User" field should be typed the name, not the login.
§ Alert message informing that authentication via NTMLV2 failed: In this case, the "User Login" (example:
user.test@domain.local) and/or the "Password" entered are incorrect. The user in question is also a
created user in the directory service, it is just needed to check if the information is correct. Comments: If
there is no intention to use the NTLMV2 authentication protocol, this alert can be ignored.

6.10 - Database - Good practices
This section addresses the topics related to best practices regarding database management and maintenance.
Make sure to verify each one of these items.
§ Check the possibility to create a routine to update the statistics and defragment the database objects.
§ Keep a database backup routine; the frequency must be set to meet the technical and business
requirements.
§ Whenever possible, try to simulate the need of backup restoration; this action aims to identify possible
failures in their media and routine.
§ Periodically monitor the free space in the disk where the database files are stored. With that, it will be
possible to avoid any type of failure due to the lack of disk space.

Document history 137
Chapter VII
Document history
The table below describes the main changes made to this document.
Revision Version Change description
20 2.0.11 Apr/27/2018
ð Addition of the single sign-on troubleshooting section, in the Single Sign-On topic.
19 2.0.11 Mar/07/2018
ð Breakdown of Oracle and Oracle client configuration topics in the Oracle section.
ð Update of the following topics:
18 2.0.10 Dec/07/2017
ð Addition of notes on the user's e-mail and password configuration, in the Base
configuration section.
ð Removal of the NTLM Authentication section.
ð Update of the following sections:
§ Kerberos authentication.
§ SAML authentication.
17 2.0.9 Sep/15/2017
ð Update of the following sections:
§ Kerberos authentication.
16 2.0.8 Jul/31/2017
ð Addition of Java Security Extension package section.
ð Update of theSAML Authentication section.
15 2.0.8 Jun/23/2017
§ Java JRE installation
14 2.0.7 May/06/2017
ð Update of the topic.
13 2.0.7 Mar/27/2017
§ User creation on Windows Server
§ Starting the services
ð Addition of the Scale service (SE Asset) topic
12 2.0.6 Mar/01/2017
§ NTLM authentication
11 2.0.5 Nov/24/2016
§ File Manager update
§ Requirements check

Document history 138
10 2.0.5 Oct/17/2016
ð Update of the Requirements check topic.
ð Addition of Troubleshooting and System version topic.
ð The Requirements check and Indexing servers were moved into the Troubleshooting
topic.
09 2.0.5 Oct/03/2016
ð Addition of the Index server topic.
08 2.0.5 Sep/26/2016
ð Addition of theStarting the services and Requirements check topics.
ð Update of the Apache Tomcat installation topic.
07 2.0.4 Aug/03/2016
06 2.0.4 Jun/23/2016
05 2.0.3 May/06/2016
ð Update of the SAML authentication topic.
04 2.0.2 Mar/22/2016
ð Update of the following topics
§ Oracle configuration
§ PostgreSQL configuration
ð Addition of the configuration for the indexing services in the File Manager
configuration and PDF C onversion with Microsoft Office topics.
ð Addition of the SE-Identity - Integration of Microsoft AD users with SE Suite topic.
03 2.0.1 Dec/14/2015
§ Oracle configuration
§ OpenOffice PDF conversion service
§ File Manager server installation(prerequisite).
02 2.0.1 Nov/24/2015
§ SE Suite update
§ IIS installation
01 2.0.0 Sep/14/2015
ð Addition of the SE Suite update topic.
§ Installation packages preparation
§ Network configuration
§ SSL configuration
ð C orrection in the Windows versions mentioned in the User creation on Windows
Server topic.
ð C orrection in the order of the subtopics in the System configuration topic.
ð C orrection in the order of the subtopics in the Single Sign-On with AD topic.
00 2.0.0 Sep/01/2015
ð C reation of the document from the "SE Suite 1.3 - Installation Guide - Windows"
document.
ð Update of the Pre-required activities topic.
ð Update of the Installation activity topic.
ð Update of the Additional procedures topic.
Document update history

Company
SoftExpert is a Market leader in software and services for enterprise-wide business process
improvement and compliance management, providing the most comprehensive application suite
to empower organizations to increase business performance at all levels and to maximize
industry-mandated compliance and corporate governance programs
Founded in 1995 and with more than 2,000 customers and 300,000 users worldwide, SoftExpert
solutions are used by leading corporations in all kinds of industries, including manufacturing,
government and public sector, pharmaceutical sector, hospitals and laboratories, financial
services, high tech and IT, education, energy and utilities, logistics, retail, services, among
others.
Along with its extensive network of resellers spread across all continents, SoftExpert also
provides hosting, implementation, post-sales support, and validation services for its solutions to
ensure that customers realize the maximum value from their investments.
Copyright © SoftExpert Software - Software for Performance Excellence

All rights reserved.

Installation Guide 2.0

Uploaded by

Copyright:

Available Formats

You might also like

Installation Guide 2.0

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Installation Guide 2.0

Uploaded by

Copyright:

Available Formats

Technical Documentation

SE Suite 2.0 - Windows

C opyright © 2018 SoftExpert Software SA. All rights reserved.

About this document

Who should read this document

Installation Guide — SE Suite 2.0 - Windows

SE Suite installation steps diagram

Installation Guide — SE Suite 2.0 - Windows

2.1 - Installation plan

§ Activities to be executed by the network and operating system manager:

§ Activities to be executed by the database manager:

§ Activities to be executed by the e-mail manager:

o E-mail server configuration

Installation Guide — SE Suite 2.0 - Windows

This section covers the following topics:

§ E-mail server configuration

Installation Guide — SE Suite 2.0 - Windows

3.1 - SE Suite update

Installation Guide — SE Suite 2.0 - Windows

3.2 - Network configuration

Configure the network

Installation Guide — SE Suite 2.0 - Windows

3.3 - E-mail server configuration

§ E-mail account name;

§ E-mail account password;

§ E-mail server name;

These configurations must be executed by the e-mail manager.

Installation Guide — SE Suite 2.0 - Windows

3.4 - Windows configuration

§ User creation on Windows Server

§ Java JRE installation

§ Apache Tomcat installation

Installation Guide — SE Suite 2.0 - Windows

3.4.1 - User creation on Windows Server

1. Click on the Windows Start menu;

2. Right-click on My computer and click on the Manage option;

Installation Guide — SE Suite 2.0 - Windows

§ Password: Enter a password for the user;

§ Confirm password: Retype the password to confirm it;

§ User cannot change password: Check this option;

§ Password never expires: Check this option.

§ It is not allowed to use | and & characters in the user password.

7. Right-click the newly created user and select Properties;

8. On the user properties screen, select the Mem ber Of tab;

10. On the Select Groups screen, click on Advanced;

Installation Guide — SE Suite 2.0 - Windows

Installation Guide — SE Suite 2.0 - Windows

3.4.2 - Java JRE installation

To install Java JRE, execute the following steps:

1. Download Java on the site: http://www.java.com;

JAVA_HOME environment variable configuration

3. After installing Java, click on the Windows Start menu;

4. Right-click on My Computer and select Properties;

5. Select the Adv anced tab and click on Environment;

6. In System Variables, click on New;

7. On the New System Variable screen, fill in the following fields:

§ Variable name: Enter JAVA_HOME;

Installation Guide — SE Suite 2.0 - Windows

9. In the System Variables list, select Path and click on Edit;