Installation Guide 2.0
Installation Guide
SoftExpert Excellence Suite (SE Suite) offers a set of multilingual modules that are natively integrated and fully
Web-based to automate the processes required to improve and optimize the different business areas at
organizations. This boosts the quality of management, cuts operating costs and facilitates compliance with the
main market norms and regulations.
The solution also supplements and enhances the use of corporate management systems and is integrated with
main market ERPs through connectors that may be developed based on the company’s specific needs.
The information contained herein is subject to change without notice. If you find inconsistent information, please
report it in writing to our support.
The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise
noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted in examples herein are fictitious. No association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of SoftExpert.
SoftExpert may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
SoftExpert, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
This software and documentation may provide access to or information on content, products, and services from
third parties. SoftExpert is not responsible for and expressly disclaims all warranties of any kind with respect to
third-party content, products, and services. SoftExpert will not be responsible for any loss, costs, or damages
incurred due to your access to or use of third-party content, products, or services.
Chapter I
Introduction
The installation should be performed by IT professionals knowledgeable about Windows Server, network
infrastructure, and database. In addition to that, it should be in accordance with the requirements defined in
the SE Suite - System Requirements document.
All efforts were made to offer complete installation instructions. New versions of this guide will be distributed
periodically. Check for new available versions.
This document applies to SE Suite Installer TOOL-2.0 and to SE Suite 2.0 or superior. It describes all the
procedures required for installing SE Suite on a Windows environment.
Any IT professional who needs to know the process of installing SE Suite on a Windows environment, for the
planning of either implementation or support activities.
ATTENTION
Although providing support for recent versions of third-party software packages and patches, SoftExpert has no control
over those software updates and, thus, cannot ensure compatibility with their products. In any case, contact the
supplier for product specifications and further details about compatibility.
Chapter II
Installation overview
This topic covers the installation process overview. See below the diagram that exemplifies the steps that will
be covered in this documentation:
§ Pre-requisite activities: This step covers the activities that must be executed and finished before the SE
Suite installation, because among them are activities to prepare the environment where SE Suite will be
installed, in addition to the installation of third-party software required by SE Suite.
§ Installation activities: This step covers the installation packages preparation activities and the installation
itself. In the package preparation step, the installer package, which must be decompressed, and the
installation package, which must be saved in an uncompressed folder of the installer, are involved. After
preparing the packages, it will be possible to execute the SE Suite installation. When executing the installer,
it will allow installing, updating, and removing SE Suite. When selecting the installation option, the
installation tool will check whether the environment meets the installation predefined requirements. If an
error occurs, it is possible to view the error screen by double-clicking the step presenting the error. After
that, the installer will ask for the necessary information to configure IIS. The installer will extract the files and
install the complementary tools. During the installation, the system will ask for the data to add the
database(s). At the end of the installation, the services will be restarted and it will be necessary to configure
SE Suite.
§ Additional procedures: This step contains the activities that are executed after the SE Suite installation.
Among them, find the post-installation activities that include the SE Suite initial configuration and activation.
Find also in this step the configurations of some SE Suite functions, such as the directory service
configuration on an external server. The workstation configuration activities must be performed in the
browsers that will access SE Suite, such as unblocking SE Suite domain pop-ups and the configurations in
the browsers to use single sign-on.
1. Refer to the SE Suite - System Architecture Overview document to define the architecture to be used by
SE Suite in your environment.
2. View the SE Suite - System requirements document to define the installation environment, in addition to
determining which third-party software is compatible and which are required for the installation and the
correct execution of the SE Suite. All information contained in this document assumes you have met all
requirements.
3. Review and perform all prerequisite activities: Network Configuration, Windows Configuration, and
Database Configuration, so that the environment can be prepared for the SE Suite installation to run.
4. Familiarize yourself with the tasks to be executed when configuring SE Suite by reading the following
topics:
§ Installation activities
§ Post-installation activities
§ Workstation configuration
5. For better planning of the SE Suite installation in your environment, see below whom the activities are
usually assigned to:
o Network configuration
o Windows configuration
o Database configuration
The documentation mentioned above may be found at the customer center: www.softexpert.com/sac
Chapter III
Pre-required activities
The activities in this section describe how to prepare the environment for the SE Suite installation. Do not start
the installation step until all relevant prerequisites have been met and all activities in this section have been
executed.
§ SE Suite update
§ Network configuration
§ Windows configuration
§ Database configuration
Considering the major requirement changes incorporated into SE Suite version 2.0, compared to version 1.3,
we suggest installing version 2.0 on a new server, where version 1.3 was never installed. This approach
allows the use of the new Tomcat and Java versions, and of the other requirements that are installed
automatically by the installation process.
Nevertheless, if the organization wishes to use the same server, version 1.3 must be previously removed
using the 1.3 version removal tool. Additionally, the following steps must be executed manually:
1. Open the IIS administration console. For that, click on the Start menu and type "inetmgr", or access the
Administrative tools, in the Control panel, and double-click on "Internet Information Services".
2. Select the server where version 1.3 was installed and, on the right page, open the FastCGI settings
option.
3. Select the PHP used by SE Suite 1.3 from the list and remove it through the actions panel, located on the
right side.
4. Go back to the home page and select again the server where version 1.3 was installed. Then, on the
page on the right, open the ISAPI and CGI Restriction option.
5. Select the "seredirect" item and remove it by using the action panel located on the right side.
6. Select the server where version 1.3 was installed, select the site created, and remove it. If you wish to
use the same site, check, in the SE Suite installation section, the "Web Site" configuration, in item 7.
Note that the HTTPS port must be set for the SSL configuration.
7. Uninstall Tomcat version 6, because, in SE Suite version 2.0, Tomcat version 6 is no longer supported.
For further details, refer to the SE Suite - System requirements document.
The requirements of this activity refer to the network where SE Suite will be installed.
Synchronize the time and date on all servers. The system users may have trouble if one or more servers are
not synchronized with the rest of the system.
In version 2.0, the use of HTTPS is mandatory to increase the security while using the solution. We suggest
the use of a valid digital certificate, issued by certifying authorities. If the organization has no available valid
digital certificate, a certificate self-signed by IIS may be generated; however, security warnings may be issued
to the users while using SE Suite.
SE Suite supports multiple databases. To configure this functionality, create a different DNS entry for each
connection with the database. Every one of these DNS entries must point to the same webserver.
Create an e-mail account to be used to configure the sending of to-do task e-mails for SE Suite to be able to
send such e-mails to the final user. The necessary information includes:
§ Port to the e-mail server (if the SMTP protocol is being used).
This section covers the necessary configurations for the environment to be prepared for the SE Suite
installation execution. See, in the topics below, how to proceed to create a user and install and configure the
main SE Suite dependencies:
§ IIS installation
This Installation Guide covers only the requirements for the installation of SE Suite. View the SE Suite -
System Requirements document to verify the other requirements that must be met on the SE Suite server for the system
to work correctly.
SE Suite needs a local user. To create it on Windows Server 2008 or 2012, execute the following steps:
3. On the left side, in the hierarchical tree, find Local Users and Groups;
§ On Windows Server 2008, go to Server Manager > Configuration > Local Users and Groups;
§ On Windows Server 2012, go to Server Manager > Tool > Computer Management > Local Users and Groups;
4. Expand Local Users and Groups and right-click on the Users folder;
5. Click on the New user... option. Fill in the following fields on the screen that will be displayed:
§ User name: Fill this field in with the name of the user being created;
§ Full name: Fill this field in with the full name of the user being created;
§ Description: Enter, in this field, the description of the user being created;
§ User must change password at next logon: Uncheck this option if checked;
§ The maximum size for the user name (User name field) is 20 characters (upper or lower case), except for the
following characters: \ / " [ ] : | < > + = ; , ? * @. The name may not contain periods (.) or blank spaces
either.
6. After filling in the required fields, click on Create and then on Close;
9. Click on Add;
11. Click on Find Now. A list of groups will be shown in the search results section; search for
and select the Guests and IIS_IUSRS groups and click on OK;
12. The group selection screen will look like the image below. Click on OK on this screen.
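The account created through the steps above can also be scripted. The following is an added example, not part of the SoftExpert guide: it enforces the user-name rules listed in step 5 before creating the local account and adding it to the Guests and IIS_IUSRS groups. The function names and the sample user names are assumptions made for illustration.

```powershell
# Added example (not SoftExpert code). Function names and sample names are hypothetical.

function Test-SeSuiteUserName {
    # Returns the list of rule violations for a candidate user name:
    # at most 20 characters, none of \ / " [ ] : | < > + = ; , ? * @,
    # and no periods or blank spaces.
    param([Parameter(Mandatory = $true)][string]$Name)

    $problems = @()
    if ($Name.Length -gt 20) {
        $problems += "length is $($Name.Length), maximum is 20"
    }
    $bad = [regex]::Matches($Name, '[\\/"\[\]:|<>+=;,?*@.\s]') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($bad) {
        $problems += "disallowed characters: '$($bad -join "' '")'"
    }
    return ,$problems
}

function New-SeSuiteLocalUser {
    # Creates the local account through the WinNT ADSI provider, which is
    # available on Windows Server 2008 and 2012, then adds it to both groups.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [string]$FullName = '',
        [string]$Description = ''
    )

    $problems = Test-SeSuiteUserName -Name $Name
    if ($problems.Count -gt 0) {
        throw "Invalid user name '$Name': $($problems -join '; ')"
    }

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Create('User', $Name)

    # The password is only held as plain text for the duration of SetPassword.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $user.SetInfo()

    if ($FullName)    { $user.Put('FullName', $FullName) }
    if ($Description) { $user.Put('Description', $Description) }
    # Equivalent of unchecking "User must change password at next logon".
    $user.Put('PasswordExpired', 0)
    $user.SetInfo()

    foreach ($group in 'Guests', 'IIS_IUSRS') {
        $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$group,group"
        $entry.Add("WinNT://$env:COMPUTERNAME/$Name,user")
    }
}

# Name check on constructed sample values; this part changes nothing on the system.
foreach ($candidate in 'sesuite_iis', 'se.suite', 'se suite@corp', 'sesuite_service_account') {
    $problems = Test-SeSuiteUserName -Name $candidate
    if ($problems.Count -eq 0) {
        Write-Output "$candidate : accepted"
    } else {
        Write-Output "$candidate : rejected ($($problems -join '; '))"
    }
}

# Creating the account requires an elevated session, so it is an explicit call:
#   $pw = Read-Host -Prompt 'Password for sesuite_iis' -AsSecureString
#   New-SeSuiteLocalUser -Name 'sesuite_iis' -Password $pw -FullName 'SE Suite IIS user'
```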
See the SE Suite - System Requirements document to verify the version of Java.
2. Execute the Java installation file and proceed with the installation;
§ Variable value: Enter the JAVA directory, for example: C:\Program Files\Java\jre8
8. Click OK;
10. In the Variable value field, type: %JAVA_HOME%\bin before the first instruction, as shown in the image
below:
§ On Windows Server 2008: Right-click on Roles (panel on the left side) and select the "Add Roles"
option. Go to the "Installation type" screen. Select the "Role based or feature..." option and advance.
Select the server.
§ On Windows Server 2012: Click on Manage (at the top right of the screen) and select the "Add Roles
2. Check the "Web server (IIS)" option with the following items enabled:
Web Server
Static Content
Default Document
HTTP Errors
HTTP Redirection
Security
Basic Authentication
Application Development
ISAPI Extensions
ISAPI Filters
CGI
Performance
Management Tools
3. Click on Next in the other installer screens and wait for the installation to complete.
Refer to the "System Requirements" document to verify the Apache Tomcat version.
Make sure Java is installed before starting the Tomcat installation because Java JRE is a pre-requirement for the
Tomcat operation.
6. Select the path in which Java was installed in your system, for example: C:\Program
Files\Java\jre1.X_XX;
7. Uncheck the Run Apache Tomcat option and click on Finish;
14. At this point the Tomcat Setup screen is displayed, go to the Java tab and configure the values of the
following fields:
Java Options: At the end of this field add the following parameters, in case they do not exist:
-XX:MaxPermSize=512m
-Duser.language=en
-Duser.country=US
Initial memory pool: 512 MB
The values entered above are the minimum necessary for SE Suite to work correctly. If needed, assign values
greater than 1024m to these variables.
See in this section how to configure the database server. This section covers the database creation and
configuration, necessary for SE Suite to work in the following DBMSs:
§ Oracle
§ PostgreSQL
ATTENTION
This section covers the procedure to create and configure the database in the SQL Server. See the steps
below:
4. On the left side, on the General page, enter a name in Database name;
Example: sesuite
5. On the left side, on the Options page, choose the 'collation' to be used and click OK;
The collations that may be used in western languages for the SE Suite database on the SQL Server are:
§ SQL_Latin1_General_CP1_CI_AS
§ SQL_Latin1_General_CP1_CI_AI
§ Latin1_General_CI_AS
§ Latin1_General_CI_AI
The CI (Case Insensitive) parameter of the collation must always be used. We recommend the use of the
AI (Accent Insensitive) parameter for new databases starting in 2.0. For eastern languages, contact SoftExpert's
Support.
9. On the left side, on the General page, in Login name, enter a name for the login;
Example: sesuite
15. Click on the User Mapping page and in Users mapped to this login, select a database created in steps 3
to 5;
16. In the Database Role membership box, check the following options:
§ Public;
§ db_owner.
Network configuration
It is necessary to enable the TCP/IP connections in SQL Server Configuration Manager. See the steps below:
19. In the hierarchical tree, expand the SQL Server <version> Network Configuration item;
26. In each existing IP, check whether the port defined in TCP Port is 1433.
If you do not need to configure another database, continue with the SE Suite installation from the Installation
activity section.
3.5.2 - Oracle
This section will cover the Oracle configuration. It will also cover the Oracle client configuration. This section
contains the following topics:
Oracle configuration
This section covers the procedure to create and configure databases in Oracle. See the steps below:
This procedure assumes that Oracle is installed, with created instances, and that TNSNames is duly configured on the
server where SE Suite will be installed.
This procedure requires the Oracle Provider and OJDBC components to be installed on the server where SE Suite will be
installed.
Replace <tablespaces_directory> with the path where the tablespace must be created on the
Oracle server.
5. To create a user for SE Suite and define the necessary permissions, execute the following steps:
Replace <SESUITE> and <PASSWORD> with the user's name and password respectively.
§ VALUE1:
§ VALUE2:
§ VALUE3:
16. Fill in the Variable Value field with the information returned by the SQLPlus in the order of the previous
step: VALUE1_VALUE2.VALUE3
Example: AMERICAN_AMERICA.WE8MSWIN1252
ATTENTION
§ For the proper operation of the application, 2 Oracle clients must be installed on the SE Suite server. A 64-bit version
§ If the 32-bit Oracle Client is installed first and the 64-bit Oracle Client is installed after it, the environment variables must
be properly configured. Otherwise, it will be necessary to configure them again. Note that, after the installation of the
32-bit Oracle Client, there will probably be a service in execution and that will make it impossible to install the 64-bit
Client. For that, it is necessary to stop the OracleRemExecServiceV2 service.
§ In the PATH variable on Windows, the 64-bit Client must be first, then the 32-bit Client.
Run the following configuration to make sure that the Path variable is configured correctly:
4. In the System Variables, locate the variable of the Path environment and click on Edit;
5. In the Variable value field, add the Oracle Client 64-bits and the Oracle 32-bits path. In that case, the
64-bit Oracle Client path must be the first parameter and the 32-bit Oracle Client must be the second
parameter, as shown in the image below:
7. Now it is necessary to configure the 64-bit Oracle Client and 32-bit Oracle installations. For this, click on
the Windows Start menu, type regedit.exe and press ENTER;
§ Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE\KEY_OraClient11g_home1
§ Record: ORACLE_HOME_KEY
Only the path should be adjusted, by inserting Wow6432Node, leaving the rest as it is.
If it is not necessary to configure another database, continue with the SE Suite installation from the Installation
activity section.
3.5.3 - PostgreSQL
This section covers the procedures for creating and configuring the database for PostgreSQL DBMS. First, it will
present the PostgreSQL and pgAdmin III installation procedures.
To use the SE Capture index service, after installing PostgreSQL, it will be necessary to install PostgreSQL Native OLEDB
Provider (pgoledb.msi) on the SE Suite server. After the installation, update the PATH environment variable with the
PostgreSQL Native OLEDB Provider installation directory.
Installing PostgreSQL
4. In Installation Directory, choose a directory for the installation or keep the default path;
5. In Data Directory, enter the directory where the data will be stored. Click on Next;
6. Enter the password for the superuser of the database and the service account (postgre). Click on Next;
7. Enter the port where the service is listening on. Click on Next;
This procedure must be performed on the server where SE Suite will be installed.
13. Execute the installation file and follow the software instructions;
15. Click on the Add a connection to a server button to add a connection to the database server;
18. Port: enter the PostgreSQL port. The default port is 5432;
This section covers the procedure to create and configure the database in PostgreSQL. To configure the
PostgreSQL Network, execute the following steps:
22. Access the PostgreSQL directory that contains the configuration files;
24. Locate the 'IPv4 local connections' configuration block and add a new line with the network data of the
server where SE Suite is being installed:
25. This change can also be made in pgAdmin III (menu File > Open pg_hba.conf), as
shown in the following image:
28. Locate the listen_addresses parameter and change its value as shown below:
29. This change can also be made in pgAdmin III (menu File > Open pg_hba.conf), as
shown in the following image:
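A way to review the pg_hba.conf edit from step 24 before restarting PostgreSQL, given here as an added example that is not part of the SoftExpert guide: it flags host records that skip password checks or accept connections from any address, and confirms that an entry for the SE Suite server exists. The function name, the sample file content and the address 192.0.2.10 are constructed for illustration.

```powershell
# Added example (not SoftExpert code). The sample content below is constructed;
# 192.0.2.10 stands in for the SE Suite server address.
$samplePgHba = @'
# TYPE  DATABASE  USER     ADDRESS                 METHOD
# IPv4 local connections:
host    all       all      127.0.0.1/32            md5
host    sesuite   sesuite  192.0.2.10/32           md5
host    all       all      0.0.0.0/0               md5
host    all       all      192.0.2.0 255.255.255.0 trust
'@ -split "`r?`n"

function Test-PgHbaRules {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Lines,
        [Parameter(Mandatory = $true)][string]$AppServerIp
    )

    $lineNo  = 0
    $results = @()
    foreach ($raw in $Lines) {
        $lineNo++
        # Drop comments and blank lines (quoted values containing '#' are not handled).
        $text = ($raw -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }

        $f = @($text -split '\s+')
        # Only network records are reviewed: host, hostssl, hostnossl.
        if ($f[0] -notmatch '^host(ssl|nossl)?$' -or $f.Count -lt 5) { continue }

        # A record is "address method" (CIDR) or "address netmask method".
        if ($f[4] -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $address = "$($f[3]) $($f[4])"
            $method  = $f[5]
        } else {
            $address = $f[3]
            $method  = $f[4]
        }

        $isApp  = ($address -eq "$AppServerIp/32") -or
                  ($address -eq "$AppServerIp 255.255.255.255")
        $isLoop = $address -match '^(127\.0\.0\.1/32|::1/128)$'

        $issues = @()
        if ($method -eq 'trust') {
            $issues += 'trust method: no password is checked'
        }
        if ($address -match '^(0\.0\.0\.0/0|::/0|all)$' -or $address -match ' 0\.0\.0\.0$') {
            $issues += 'any host may connect'
        } elseif (-not $isApp -and -not $isLoop) {
            $issues += 'source is not the SE Suite server; confirm it is needed'
        }

        $status = 'OK'
        if ($issues.Count -gt 0) { $status = 'REVIEW' }

        $results += New-Object PSObject -Property @{
            Line           = $lineNo
            Rule           = $text
            AppServerEntry = $isApp
            Status         = $status
            Detail         = ($issues -join '; ')
        }
    }
    return $results
}

$report = Test-PgHbaRules -Lines $samplePgHba -AppServerIp '192.0.2.10'
$report | Format-Table Line, Status, Detail, Rule -AutoSize

if (-not ($report | Where-Object { $_.AppServerEntry })) {
    Write-Warning 'No entry for the SE Suite server address was found.'
}
```

To review a real file, pass the output of Get-Content for that pg_hba.conf as -Lines in place of the sample.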
32. Access the PostgreSQL directory where the folders will be created or use the PostgreSQL default Data
folder.
39. Set Full Control permission of the Allow column for this user;
42. On the left side, in the Object Browser menu, select the default server and connect to it;
43. Right-click on Login Roles and select the New Login Role;
44. On the New Login Role screen that will be displayed, fill in the following fields:
§ Account expires: If needed, enter an expiration date for the account being created.
45. Still, on the user creation screen, access the Role privileges tab and select the Superuser;
Creating Tablespaces
48. Select New Tablespace and fill in the following fields on the screen that will be displayed:
§ Location: Enter the directory for the SOFTEXPERT_DATA tablespace folder. Example: C:\Program
Files\PostgreSQL\8.x\data\SOFTEXPERT_DATA.
49. Still, on the tablespace creation screen, access the Privileges tab;
Creating databases
53. Select New Database, on the screen that will open up, fill in the following fields:
54. Still, on the database creation screen, access the Privileges tab and select ALL;
Chapter IV
Installation activities
This section will cover the obtainment and preparation of the packages required to install SE Suite and the
system. This section contains the following topics:
§ SE Suite installation
§ System configuration
This section covers the obtainment and preparation of the packages required for the SE Suite installation.
2. Click on Customer Center and on the customer center page, click on Click here to access the Portal;
4. Access the Distribution Center section at the top of the navigation bar.
5. Select the desired version (2.0) and download the installation tool for Windows.
6. After downloading the installation tool, download the "Install Files" package of the desired version.
7. After saving the packages, execute the SE Suite installation according to the procedure described in the
following topic.
This section covers the steps to install SE Suite. At the end of the installation, the services will be restarted
and the process is finished with the installation activation. See the steps of the installation process below:
First, the SE Suite installer will check whether the environment meets the installation requirements. Because of that,
make sure to execute all the Pre-required activities.
1. Access the installation tool directory as described in the Preparing the installation packages topic and
execute the installation tool downloaded before.
§ The installation tool must be executed with administration permission. For that, right-click it and select the "Run
as administrator" option.
3. On the "Operation Type" screen, click on the Install button to install SE Suite. If another instance was
started before the installation but was not closed, a message will be displayed when clicking install. If
you choose to continue the installation, it will continue from the step it was canceled in;
4. On the "Licence Terms" screen, check "I accept the terms of this agreement" and click Next.
5. On the "Environment Check" screen, the environment verification step is performed, i.e., the installation
tool will verify whether the environment meets the predefined installation requirements. If an error
occurs, it is possible to view the error screen by double clicking the pre-requirement presenting the error.
If no error occurs or if errors are corrected, click on Next.
If you need to stop the installation to correct an error on this screen, click on Cancel. After correcting the error,
execute the previous steps again.
6. On the "Select Package" screen, select the "Install Files" package downloaded during the Preparing
the installation packages step. For that, click on the Browse button and select the package. Wait for the
installer to validate the selected package; check the status on the progress bar on the screen.
When the validation ends, verify whether the installation directory is the default directory
"C:\sesuite", which is selected automatically. To use another directory, click the Browse button and
choose it. Click on Next.
§ Username: Enter the name of the Windows user created for the SE Suite. We recommended the IIS
§ User Domain: Enter the domain, hostname or IP address. We recommend entering the domain in this
§ Web app name: It is the directory of IIS. By default, this field is filled in with "se". Update the field
§ Web Site: It is possible to use an existing website. For that, check the "Existing" option and select
the website in the field next to it. If you wish to create a new one, check the "Use new site" option
and fill in the Name and Port.
If the entered user does not belong to the Guests group, the installer will display the "The specified user is not a
member of the Guests group. It is recommended that the IIS User be a member of this group. Continue anyway?"
message. Click Yes to continue with the installation or No to wait on the previous screen for the user to be added
to the group.
9. On the "Setup Java Services" screen, verify, in the Tomcat Home Dir field, the Apache Tomcat
installation directory path. If you need to change it, click Search.
10. On the "Perform Installation" screen, several steps will be executed automatically, such as package
extraction, permission definition in files, service installation, among others. Wait for these steps to be
executed. If an error occurs, it is possible to view the error screen by double clicking the step presenting
the error. If no error occurs or if errors are corrected, click on Next.
If you need to stop the installation to correct an error on this screen, click on Cancel. After correcting the error,
when executing the installer again and selecting the option to continue the installation, it will return to the step
the installation was canceled in.
11. On the "Perform Final Task" screen, the last steps of the installation are executed automatically, such
as: synchronize, load and save services, and save the SE Suite application configurations. When this
step finishes, click Next.
12. On the SE Suite installation closing screen, two documents that must be viewed will be available. The
first document is an SSL configuration tutorial; follow all the steps in it carefully. The second document
contains the steps to configure the database; execute the configuration steps of your database
according to it. After setting the necessary configurations, click Finish.
The SE Suite activation process occurs after the license key is entered in the SE Configuration component. Refer
to Post-install activities to obtain more details.
See how to configure the database to be used by SE Suite and how to configure the SSL on the SE Suite
Server:
§ SSL configuration
§ Database configuration
The use of a digital certificate on the web server allows all information traffic between the server and the client
to be encrypted. In version 2.0, the use of certificates is mandatory, since non-encrypted traffic may be easily
captured by hackers, causing the client information to be accessed.
We suggest the use of valid certificates, issued by certification entities (Verisign, Certisign, Thawte, among
others). If the organization chooses to use self-signed certificates, the system will work; however, during the
access, security messages may be issued by the navigator - without being controlled by SoftExpert.
For further details about how to configure certificates in IIS, we suggest reading and executing the procedures
released by Microsoft (https://technet.microsoft.com/en-us/library/cc732230(v=ws.10).aspx).
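Once the certificate is bound in IIS, the effect described above and in the network prerequisites (a self-signed certificate works but produces warnings) can be checked from any machine that reaches the server. The following is an added example, not SoftExpert or Microsoft code: it completes a TLS handshake and reports how the presented certificate validates for each DNS name, which matters when several names point to the same web server for multiple databases, because the certificate must cover every one of them. The function name and the host names are assumptions made for illustration.

```powershell
# Added example (not SoftExpert code). Host names below are hypothetical placeholders.

function Get-TlsCertificateStatus {
    param(
        [Parameter(Mandatory = $true)][string[]]$HostName,
        [int]$Port = 443
    )

    foreach ($name in $HostName) {
        $seen = @{ Errors = $null; Cert = $null }

        # The callback records the validation result and accepts the certificate
        # so the handshake completes. This is for reporting only; no application
        # data is sent, and real clients must not accept certificates this way.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $policyErrors)
            $seen.Errors = $policyErrors
            $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
            $true
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($name, $Port)
            $stream = $client.GetStream()
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($stream, $false, $callback)
            try {
                $ssl.AuthenticateAsClient($name)
            } finally {
                $ssl.Dispose()
            }

            $cert = $seen.Cert
            New-Object PSObject -Property @{
                HostName   = $name
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
                PolicyErrors = "$($seen.Errors)"
                # Judged against this machine's trust store; workstations may differ.
                TrustedFromThisMachine = ($seen.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
            }
        } catch {
            New-Object PSObject -Property @{
                HostName     = $name
                PolicyErrors = "connection failed: $($_.Exception.Message)"
                TrustedFromThisMachine = $false
            }
        } finally {
            $client.Close()
        }
    }
}

# One DNS name per database connection, all resolving to the same web server.
Get-TlsCertificateStatus -HostName 'sesuite.example.com', 'sesuite-db2.example.com' |
    Format-List HostName, Subject, Issuer, NotAfter, SelfSigned, PolicyErrors, TrustedFromThisMachine
```

A self-signed certificate shows up as SelfSigned with RemoteCertificateChainErrors, and a name missing from the certificate shows up as RemoteCertificateNameMismatch.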
Due to an export rule in the USA, the Java JDK default installation has a restriction regarding encryption
capacity. Some system features that use encryption require the extended Java encryption package.
3. Paste the files with .jar extension into the directory "<JAVA_HOME>\lib\security".
The SE Configurator is a tool responsible for configuring connections to the database and associating it with a
domain (to be used by multiple databases). To configure the system, access the SE Configurator folder
(<sesuite_dir>/tools/configurator) and execute the run.bat file. The SE Configurator screen will then be
displayed.
During the base configuration process, the system will request to configure the user's e-mail and password, which must
meet the following password strength rules:
§ At least 6 characters;
1. On the SE Configurator screen, access the Databases tab. Through this tab it is possible to add, update,
delete, and verify whether the databases were updated correctly:
2. To include a database, click on the button and fill out the following fields of the screen that will be
displayed:
§ Domain: Enter the domain that will be used to access the system. It must point to the domain where
SE Suite is installed.
§ JDBC Driver: Clicking the combobox shows all the database options that the SE Configurator
supports: Oracle, PostgreSQL and SQL Server. When you select one of the options, the screen is
updated according to the selected database and the Port field is filled in with the default value of the
database. Fill in the other fields with the data of the selected database.
3. After filling them out, click on the button. At this point, the SE Configurator will run a test with the
values entered in an attempt to create a connection to the database. If any of the tests fail, the
Previous button will be enabled to return to the connection screen and so make the correction:
4. If no error occurs at the end of the test of the SE Configurator, the Next button will be enabled, allowing
the user to finish creating the connection with the database.
5. At this point, the system will create, parameterize, and equalize the base. The SE Configurator will display
a message when this process is finished, click on OK. After that, click on Next.
6. SE Configurator will display the data of the configured database. Click on Finish. After the process
finishes, the created database will be displayed.
Base equalization/parameterization
See below how to configure an existing database. This procedure should be performed in a previously
configured base.
1. On the SE Configurator, access the Databases tab and select a base which will be equalized and activate
the "Check database" button:
2. At this point, the equalization process will start. In the message window, click OK.
3. When the equalization process is complete, click Next and then, click on OK.
Database deletion
1. On the SE Configurator screen, access the Databases tab. Select the database you wish to delete and
then click the "Delete" button:
3. At this point, the deletion process will start. When it finishes, click on Next.
After installing SE Suite and configuring the database, start the services used by SE Suite:
§ During the SE Suite service start up, the system will perform a requirement check. If a requirement does not meet the
system use, the checker will display a message to indicate the configuration that needs to be solved. See the
Requirements check section for details on how to solve major configuration issues.
§ It is important to remember that, when restarting the database, it will be necessary to restart the SE Suite service as
well.
IIS service
3. Press Enter;
Tomcat service
8. Go back to the services manager (services.msc) and search for the PDF Converter service;
Chapter V
Deletion activity
If it is necessary to delete SE Suite version 2.0, check for customizations in the system.
For that, it is necessary to access the following folders and perform their backups.
<install_dir>/wwwroot/Custom_SRV
<install_dir>/include/Custom_SRV
Check your customization documentation for any doubts regarding the required specific files.
Chapter VI
Additional procedures
This section contains the activities that will be executed after the SE Suite installation. Among them, find the
system configuration activities and the pop-up unblocking for the SE Suite domain in the browser of the
workstations that will access SE Suite.
§ Post-installation activities
§ PDF conversion
§ Workstation configuration
§ Troubleshooting
1. Access SE Suite. Once the page loads, a configuration screen will be displayed. Use it to configure, at
least, the name of the organization that acquired the system and the access password of the admin user.
For further information about how to proceed on this screen, refer to the SE Configuration component
documentation, in the Configuration System section.
2. Once the user admin is configured, enter the activation key. For more information about how to proceed
with this configuration, access the SE Configuration component documentation, in the Configuration
License key section.
After any changes in the license key, whether when switching the key or adding a new one, it will be necessary to
activate SE Suite.
If the Enable automatic activation option is selected in the SE Configuration component (in the Configuration
System menu), it will not be necessary to perform the activation procedure described below.
SE Suite activation
3. If the automatic activation is not enabled, whenever there is any change in the system configurations, it
will be necessary to activate SE Suite manually. When that happens, the following screen will be
displayed:
4. To activate the system, click on the System activation button. The system will display a screen with a
brief description of the changes made:
5. Carefully follow the instructions on the system activation screen. Download the file (activation.hbl) and
access the Customer center. Enter your login and password. At this point, you will be redirected to the
activation page.
Note that the Customer center will be opened in a new tab in your browser. The tab displaying the SE Suite page
must not be closed, because, after generating the activation code, it will be necessary to return to it.
6. On the customer center activation page, upload the file. After selecting the activation.hbl file in the
respective field, click on the UPLOAD button.
7. At this point, the system will display the screen with the activation code. Copy the generated code, return
to the SE Suite screen, and enter the activation code.
8. After that, click on the Activate button. The SE Suite page will be reloaded and now any already created
user may access the system.
For information on how to configure the e-mail server, refer to SE Configuration document, in the
Configuration E-mail server section.
For information on how to proceed with the email sending configuration, refer to the SE Configuration
document, in the Configuration Notification section.
Enable thumbnails
To enable the viewing of thumbnails, it will be necessary to install SE Preview on the SE Suite server.
SoftExpert makes available an MSI for the installation of SE Preview on the workstation. This MSI
(sepreview.msi) can be found, compressed, within the SE Suite server directory, in
<dir_installation_SE_Suite>\web\wwwroot\generic\app\viewer\ or can be downloaded via the
URL https://<domínio_SE_Suite>/se/generic/app/viewer/sepreview.zip of the SE Suite.
Decompress and perform the installation. Remember that, before executing the MSI, it is necessary to
uninstall SE Viewer.
The purpose of this section is to guide the SE Suite user on how to convert the data of SE Risk version 1.3 to SE Suite
version 2.0.
This section will describe the main changes expected once the conversion process is finished. The SE Risk
component went through several changes to SE Suite version 2.0. From the structural point of view of the
system, we can highlight the new relational tables used in version 2.0, that have the "RI" suffix, instead of
"HA" in the old version, and the new ISOSYSTEM code of the component, which changed from 163 to 215. Only
the Object, Process and Project contexts of the SE Suite 1.3 will be converted, that is, the plans that are from
other contexts will not be considered. The control plans from SE Suite 1.3 will not be converted either since
they have been disabled from version 1.3 on. See below the changes between the versions.
Tokens
There will no longer be token customization by context, as in version 1.3. It is possible to customize a term in
SE Suite 2.0 through the Administration Configuration Customize Token (AD031) menu, which is valid for
the entire system.
Plan revision
In SE Suite 2.0, the plan revision is generic, that is, the same revision method is used for a Scorecard, Process,
etc., and, for a plan to go through revision, its type must be properly configured.
By default, after data conversion, plan types will not be configured to have a revision control. Therefore, the
user will have to do it by accessing the plan type data screen and, in the Revision tab, check the option to
control the revision as well as to fill in the fields.
All plans will be converted as being "not-default", that is, as if they were created from the Management Plan
planning (RI301) menu. Therefore, they will not follow the associated object revision (e.g., Process, Project,
Scorecard).
The SE Suite 1.3 plans that have a revision in execution, and another one in the analysis, will be converted as
follows:
§ The revision that was under analysis will be converted to planning (revision in the draft step).
Security
The revision permission in the plan type security of SE Suite 1.3 will no longer exist in SE Suite 2.0. The plan
security in SE Suite 2.0 works as a hierarchy of screens, that is, in the "plan security" tab, on the plan type
screen, the user configures the permissions of all the plans created in that type and, in the security tab, on the
plan data screen, the user configures the structure permissions of that plan. The plan type also has the type
security, where the permissions of that type are configured.
For the system to enable the conversion option, it is necessary to insert, in the database, a record in the
ADPARAMS table. The SQL ANSI command to insert the record into the database is:
After entering the record in the database, the user should access the General parameters screen of the
component through the Configuration General parameters (RI110) menu, as in the following image.
The data conversion process is performed in two steps, which must, necessarily, be executed in the following
order:
1. Records: Convert all records that encompass the configuration and file menus of the system, that is,
attributes, checklist, teams, identification masks, dynamic navigator, all the types (plan type, risk type,
control type, etc.) and all the records (risk, control, treatment, etc.).
2. Plans: Convert all the records that encompass the management and execution menus of the system,
that is, risk plans, revisions, risk analysis and their evaluations, and control analysis and their evaluations.
When clicking the 1. Records button, a new screen will be displayed. On that screen, the system will execute a
conversion script, which may take a few seconds to finish. The "Processing" message will be displayed while
the screen remains open and, when the process finishes, a message will be displayed according to the image
below.
After executing the first conversion step (records), the user must go to the last part of the conversion through
the 2. Plans button. The process is similar to what was described in step 1.
After executing the two steps, the user may verify whether there are differences between the data of the two
versions of the system, by clicking on the Conversion status button.
The conversion status will show a list with all the tables that were converted. A success icon will be displayed
if all records of each table were converted. A failure icon will be displayed if at least one record was not
converted or if the number of records is different.
It is important to point out that there may be some differences between the number of converted records of a
table, caused by inconsistency in the information coming from the SE Risk component. The image below shows
the conversion status screen.
Finally, the purpose of the Remove all records option is to erase all data from the SE Risks component of Suite 2.0
and should only be triggered if there is a problem in the conversion of the records. Records added from version
2.0 will also be deleted.
The risk and control analyses were converted having the user logged in SE Suite during conversion as the
party responsible for them. To receive the analysis tasks, the users must edit the responsible user.
The Dashboards of Suite 1.3, now called Portals, were not converted to SE Suite 2.0 because the widgets
change. To use them, the users must create them manually through the system Portals menu.
Since in SE Suite 2.0 there is a unification of the contexts of version 1.3, there may be situations in which the
ID # of type records (plan type, risk type, control type, etc.) and of other records (plan, risk, control, risk
source, etc.) are repeated. To overcome this situation, the converter adds a unique code at the end of each
record ID # to differentiate them.
SE Suite allows authenticating users through the LDAP, NTLM, Kerberos, and SAML protocols. See below how
to set the configuration for each one of these authentication modes.
AD integration
Active Directory is an implementation of the directory service in the LDAP protocol. It is Microsoft software
used in Windows environments. To use AD integration, use the following procedure:
1. Set the configuration of the LDAP server. For that, refer to the SE Configuration component manual, in the
Configuration Authentication Configuring an authentication section.
3. See further details in the section that corresponds to the selected configuration:
§ Kerberos authentication
§ SAML authentication
Overview
The architecture used by the Kerberos protocol consists of three agents: SE Suite, as the service server, the
client's Active Directory, as the authentication server, and the client. The protocol works with the exchange of
signed messages between the agents to ensure connection security. If there is a difference between the
signature of the messages, the access to the desired resource is denied.
Architecture
The Kerberos protocol uses three different agents to implement security, and they must be in the same
network domain:
[1] When logging into the network, the users sign onto the authentication server by entering
their login and encrypted password. That is the only time the user password will be
transmitted through the network.
[2] After authenticating the user, the server returns an authentication key. In the Kerberos
traditional model, that key is called Ticket Granting Ticket (TGT). It will be used to identify the
user in the next accesses to the network resources.
Comment: These two steps occur whenever a user logs in to a domain controlled by the
authentication server, regardless of future access to a resource using the Kerberos protocol.
[4] The authentication server is responsible for analyzing whether the user may access the
requested resource. At this point, the TGT obtained by the login process and the ID #
of the resource to be accessed are sent to it.
[5] If the client (user) may access the resource, the authentication server returns a new key to
the client, the Ticket Granting Service (TGS). This key will inform the service server that the client
may be trusted.
[6] The TGS, just obtained, is sent to the service server, which will validate the key to avoid
accesses with expired keys.
[7] If the TGS sent contains a valid request, the desired resource is released to the client.
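The exchange in steps [1] to [7], as an added example (not SoftExpert code and not the real Kerberos wire format): a simplified Python model in which HMAC signatures stand in for Kerberos ticket encryption, showing why a tampered, expired or clock-skewed ticket is refused by the service server. The keys, ticket fields, lifetimes and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed keys for the model. In the real setup the service key is the
# secret that ktpass exports to the keytab; the KDC key never leaves AD.
KDC_KEY = b"constructed-kdc-key"
SERVICE_KEY = b"constructed-service-key"
SPN = "HTTP/sesuiteserver.softexpert.local"  # SPN format used on this page
MAX_SKEW = 300  # assumed tolerance, in seconds, between the agents' clocks


def _seal(key, body):
    """Attach an HMAC-SHA256 signature computed over the canonical JSON body."""
    blob = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, blob, hashlib.sha256).hexdigest()}


def _open(key, ticket):
    """Return the ticket body if its signature verifies under key, else None."""
    blob = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return ticket["body"] if hmac.compare_digest(expected, ticket["sig"]) else None


def issue_tgt(user, now, lifetime=36000):
    """Steps [1]-[2]: after logon the authentication server returns a TGT.
    Password verification is left out of this model."""
    return _seal(KDC_KEY, {"user": user, "expires": now + lifetime})


def issue_service_ticket(tgt, spn, now, lifetime=600):
    """Steps [4]-[5]: the authentication server checks the TGT and returns the
    ticket for one resource (the key this page calls TGS), or None."""
    body = _open(KDC_KEY, tgt)
    if body is None or body["expires"] < now:
        return None
    return _seal(SERVICE_KEY, {"user": body["user"], "spn": spn,
                               "issued": now, "expires": now + lifetime})


def service_accepts(ticket, service_clock):
    """Steps [6]-[7]: the service server validates the ticket.
    Returns (True, user) or (False, reason)."""
    body = _open(SERVICE_KEY, ticket)
    if body is None:
        return False, "signature mismatch"
    if body["spn"] != SPN:
        return False, "wrong service"
    if body["issued"] - service_clock > MAX_SKEW:
        # Ticket appears to come from the future: the clocks disagree.
        return False, "clock skew"
    if service_clock > body["expires"]:
        return False, "expired"
    return True, body["user"]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed epoch time
    tgt = issue_tgt("alice", t0)
    ticket = issue_service_ticket(tgt, SPN, t0)
    print("valid ticket:   ", service_accepts(ticket, t0))
    forged = {"body": dict(ticket["body"], user="admin"), "sig": ticket["sig"]}
    print("edited ticket:  ", service_accepts(forged, t0))
    print("server 301s off:", service_accepts(ticket, t0 - 301))
    print("after lifetime: ", service_accepts(ticket, t0 + 601))
```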
Three steps are necessary to configure authentication using the Kerberos protocol in SE Suite. We
recommend following this sequence to avoid errors in the process:
1. Configure the authentication server to answer the requests using the Kerberos protocol;
Authentication server
The authentication server supported by SE Suite is Microsoft Active Directory. Below are the steps to prepare
the server to answer the authentication requests by using the Kerberos model:
1. Create a new user. The account type must be “User” and no other type may be used;
Password: test!123
2. Select the This account supports Kerberos AES 128-bit encryption, This account supports Kerberos
AES 256-bit encryption and Do not require Kerberos preauthentication options.
3. In the AD server, add the Service Principal Name (SPN) to the user created. For the following
configurations, 3 nomenclatures will be used:
Example:
4. Run the ktpass command to define the Service Principal Name (SPN):
Example:
Important!
The SPN name must be defined in the format shown above; otherwise, Kerberos will not work.
6. After running the ktpass command, it is possible to observe that in the User Logon Name field, the
Kerberos user details changed to: HTTP/sesuiteserver.softexpert.local@SOFTEXPERT.LOCAL
SE Suite
Prerequisites
The SE Suite server must be on a machine other than the authentication server and the client workstations.
Otherwise, authentication with the Kerberos protocol will not work.
The authentication using the Kerberos protocol requires that the Java extended encryption package is installed. For more
details on how to perform the installation of this package, refer to the Java Security Extension package section.
2. In the configuration section of Kerberos authentication, enter in the Domain ID field the name of the
SPN (Service Principal Name) set in the configuration of the authentication server.
Example: HTTP/sesuiteserver.softexpert.local@softexpert.local.
3. Then, upload the certificate generated by the ktpass command executed on the configuration of the
authentication server. This file must be accessible to the SE Suite server.
Client workstations
The Kerberos SSO is supported in Internet Explorer, Google Chrome, and Mozilla Firefox, but the browser must
be configured to answer negotiation requests. If the browser does not return the header in the correct
format, an NTLM token will be generated, which will result in an authentication error. See further details for
each browser:
1. In Control panel, access the Internet options menu. On the screen that will be displayed, access the
Security tab;
4. Click on Advanced. On the screen that will be displayed, add all related domains.
5. Click on Close.
Mozilla Firefox
2. Click on "I'll be careful, I promise" when warned about the change in the advanced configurations.
http://,https://
http://,https://
Intranet authentication
1. In Control panel, access the Internet options menu. On the screen that will be displayed, access the
Security tab;
3. On the screen that will be displayed, select the Automatic logon with current user name and password
option.
The single sign-on test must be performed on a client workstation. Neither the SE Suite server nor the
authentication server may be used.
To use Kerberos Single Sign-On (SSO) on the client stations, the following must be true:
§ The user must have permission to access SE Suite (he/she must log in by using a user name and password);
§ The user must be authenticated for Active Directory (AD) via Kerberos on the client computer.
1. Make sure the selected authentication mode is Kerberos. Perform the synchronization of the users (SE
Configuration Configuration Authentication).
2. After synchronizing the users, access the system. On the login screen, select the desired domain and
click on the Single Sign-On button.
3. If this is the user's first login, the system will display a screen requiring his/her credentials; otherwise,
the login will be concluded.
Note: § The credentials refer to the user saved on the authentication server, and it will be necessary
to enter the authentication server domain in the user login field. Ex: domain\login;
§ If the Kerberos SSO fails, the user may still log into SE Suite with his/her user name and
password.
FAQ
§ Authentication error: If, after doing or redoing the user's configuration, the user still does not authenticate, the
following command can be executed at the command prompt on the client workstation (the one
accessing SE Suite):
klist purge
This command clears the Kerberos authentication cache so that the new configuration takes effect.
§ Error "GSSException: Failure unspecified at GSS-API level (xxxxxxxxx)" at the time of authenticating the user.
There are several causes for this error, so we present a checklist to be validated:
1) Authentication server
ii. After the execution of the commands described in 'Authentication server', was the user
information updated in AD?
2) Service server
i. Was the Java JCE package updated with the USA encryption rules?
iii. Is the Keytab generated by the ktpass command during the configuration of the authentication
server accessible to the service server?
3) SE Suite
i. Was the 'Kerberos' option selected in the authentication configuration program (CM008)?
iii. Was the path of the keytab file generated by the ktpass command entered in the Keytab field?
i. In the advanced configurations, under security, check whether the Enable integrated Windows
authentication option is selected.
ii. In the security configurations, under Custom level, check whether the Automatic logon with current
username and password option is selected.
iii. If, after synchronization, the user is unable to log into the system, access the user creation menu
(AD004) and check whether the user is inactive or blocked and/or whether there is a department
or access group configured to him/her.
§ Authentication Kerberos Problem: GSSException: Defective token detected (Mechanism level: GSSHeader did
Problem in the definition of the user credentials, which ended up generating an invalid token. Check
whether the correct credentials were entered in the first login.
Note: In the login field, it will be necessary to enter the authentication server domain. Ex:
contoso.local\kerberos
§ Authentication Kerberos Problem: GSSException: Failure unspecified at GSS-API level (Mechanism level: Clock
Problem synchronizing the clocks of the server and the client stations: set the clocks to the same time.
Overview
SAML (Security Assertion Markup Language) is an XML standard that allows secure web domains to exchange
user authentication and authorization data. The architecture consists of three agents: SESUITE, as the service
server app (SP), Client Active Directory with ADFS configured, as Authentication Server (IdP) and Client. The
fact that the agents are in different domains enables the client to use their own authentication server to
validate the access to a third-party service. Digital signatures ensure that all messages exchanged between
agents are secure.
Architecture
There are several ways to build the architecture of the agents by using SAML. We will only cover the structure
in which the Authentication Server and the Client are in the same domain and SESUITE is in an external
domain.
The picture below represents the steps for the authentication of a user by using SAML:
[2] The ADFS generates the authentication request that is sent, through the user browser, to
the Active Directory;
[5] If the user is not authenticated, the system generates an authentication request for
him/her;
[7][8][9] After the user is authenticated, there are some exchanges of requests between the
agents to validate security issues and generate the final artifact of the negotiation. This
artifact will contain, among other things, the definition of the user and respective domain.
It is necessary to establish a secure link between the agents to ensure the reliability of the information. In
addition to the requirement of using SSL for transactions using SAML, it is necessary to exchange the keys
between the authentication server and SE Suite by using configuration files (metadata). Both SE Suite and the
authentication server generate and exchange the respective metadata files between them. In this way, each
agent has information that can be used to validate the received message.
Prerequisites
Due to an export rule in the USA, the Java JDK default installation has a restriction regarding encryption
capacity. For authentication using the SAML protocol, this limitation must be removed. For that, the JCE (Java
Cryptography Extension) extension pack must be installed, according to the respective version of the JDK on
the server where SE Suite is installed. The package is available for download at the Oracle website. To install
it, just follow the steps described in the README.txt file available with the package.
The authentication using the SAML protocol requires that the Java extended encryption package is installed. For more
details on how to perform the installation of this package, refer to the Java Security Extension package section.
Configuration
Three steps are necessary to configure authentication using the SAML protocol in SE Suite. We
recommend following this sequence to avoid errors in the process:
1. Add information about the security certificate to the SAML authentication configuration in SE Suite;
3. Add the authentication server metadata to the SAML authentication configuration in SE Suite.
06/Federationmetadata.xml
3. In the federation service configuration section, click on the button to add and create the connection with
the federation service:
i. On the screen that opens up, enter in the ID # field one identifier for the connection with the
federation server. This information will be used further on to identify which federation server will
be used;
ii. Click on the Upload of Identify Provider configurations button and import the metadata file
retrieved from the federation server;
iii. In the Validity (years) field enter the number of years that the certificate will have until it
expires;
iv. Click on the Revoke Certificate button to generate the Service Provider metadata file;
v. Click on the Download of Service Provider configurations button to obtain the Service Provider
metadata file.
This file must be imported further on into the ADFS of the authentication server.
4. Click OK.
The Authentication Server uses ADFS (Active Directory Federation Service) to provide Federation services. It
provides SSO technologies to authenticate a user in various Web applications. ADFS does that safely by
sharing the digital identity and the authorizations, or "claims", across company and security boundaries.
Configurations
1. Execute the Wizard ADFS in ADFS Management Console and select Add Relying Party Trust to start the
Wizard configuration of the ADFS:
2. Select the Import data about the relying party from a file option and select the metadata that
represents the SE Suite information. This file can be obtained from the authentication configuration
screen (SE Configuration Configuration Authentication).
3. Specify the name that will identify the ADFS configuration. A suggestion is to use Sesuite.
4. Select the I do not want to configure multi-factor authentication settings for this relying party trust
at this time option.
5. Select the Permit all users to access this relying party option.
6. In the Endpoints tab, check that the SAML Assertion Consumer Endpoints and SAML
Logout Endpoints configurations are filled out.
7. Select the Open the Edit Claim Rules dialog option and click on Close.
8. The system will display the Edit Claim Rules screen. On the screen, select the Issuance Transform
Rules tab and click on Add Rules.
10. Define a name to identify the configuration in the Claim rule name field.
11. Select the Active Directory option in the Attribute store field.
14. To re-edit the newly finished configuration, access the Advanced tab and change the "Secure hash
algorithm" field to "SHA-1".
Internet Explorer
2. In Trusted sites, add the URL of the ADFS server as a safe Intranet site:
Chrome
1. It is necessary to add Chrome to the list of browsers with authentication protection on the
authentication server. For that, access the ADFS server.
2. Now, it will be necessary to disable the protection for it to be possible to add Chrome to the list of
browsers. For that, access the prompt and execute the following command:
3. Execute the following command to display the list of browsers that currently support the authentication
protection:
4. Select all the listed browsers and add "Mozilla/5.0". Execute the command below:
5. Restart the ADFS service. At this moment, the authentication protection will be enabled again.
Reconfiguring
In some situations, such as an expired certificate or a database update, among others, it will be necessary
to reconfigure the SAML authentication process.
To reconfigure the SAML authentication environment, it is necessary to regenerate the system configuration
file and reimport it into ADFS. Below are the steps to be followed:
2. Check and, if necessary, update the User domain and Domain used in key fields to the same domain
used to access the system.
4. After the certificate is generated, click on the Download of Service Provider configurations button
located in the Configuration files section.
5. Access ADFS and delete the respective record from the federation used by the system.
6. Recover the generated XML file and redo the ADFS configuration steps described in step 4 of the
Configure Federation in the Authentication Server subtopic.
The single sign-on test must be performed on a client workstation. Neither the SE Suite server nor the
authentication server may be used.
1. Make sure the selected authentication mode is SAML. Perform the synchronization of the users (SE
Configuration Configuration Authentication).
2. After synchronizing the users, access the system. On the login screen, select the desired domain and
click on the Single Sign-On button.
3. If this is the user's first login, the system will display a screen requiring his/her credentials; otherwise,
the login will be concluded.
Note: If the SAML single sign-on fails, the user may still log into SE Suite with his/her user name and
password.
FAQ
This error occurs when the Java JDK encryption key restriction rules are limited to 1024 bits. Check the
prerequisite in the "SAML Authentication Configuration" section for further details.
This error refers to problems when validating the certificates between the agents. Below are the
possible causes of this error:
i. Generate a new certificate and execute the procedure to install the SESUITE new metadata on
the Authentication Server.
2. The SSL certificate used in the SESUITE server is not recognized by the authentication server:
i. Import the SSL certificate as a trusted certificate into the authentication server.
ii. Access the 'Details' tab and click the 'Copy to File' button;
The processing of the SAML messages is limited to a short interval. That is done to prevent request
repetition attacks. That way, both the server running SE Suite and the authentication server must have
their clocks synchronized. Otherwise, the Time Synchronization error will be displayed in the product log
and the login will be aborted.
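One way a service provider can enforce the short processing interval described above, as an added example (not SE Suite code): it reads the validity window from a constructed SAML assertion fragment, applies an assumed clock-skew allowance, and refuses an assertion ID it has already accepted. The names ALLOWED_SKEW, ReplayCache and check_assertion are hypothetical, and signature validation is assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_SKEW = timedelta(seconds=60)  # assumed tolerance for clock drift

# Constructed assertion fragment; a real one is signed and carries a Subject.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-0001" Version="2.0"
                IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2024-01-01T12:00:00Z or ...:00.123Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers accepted assertion IDs until their validity window has closed."""

    def __init__(self):
        self._expiry_by_id = {}

    def seen(self, assertion_id, now):
        # Drop IDs that could no longer pass the time check, then look up.
        self._expiry_by_id = {k: v for k, v in self._expiry_by_id.items()
                              if now < v + ALLOWED_SKEW}
        return assertion_id in self._expiry_by_id

    def remember(self, assertion_id, not_on_or_after):
        self._expiry_by_id[assertion_id] = not_on_or_after


def check_assertion(xml_text, now, cache):
    """Return (accepted, reason) for an assertion whose signature already verified."""
    # The stdlib parser keeps the example offline; use a hardened XML parser
    # (for example defusedxml) for input that arrives from the network.
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    conditions = root.find("saml:Conditions", NS)
    if not assertion_id or conditions is None or not conditions.get("NotOnOrAfter"):
        return False, "missing ID or validity window"
    not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
    not_before = conditions.get("NotBefore")
    if not_before and now < parse_instant(not_before) - ALLOWED_SKEW:
        return False, "not yet valid: check clock synchronization"
    if now >= not_on_or_after + ALLOWED_SKEW:
        return False, "expired: check clock synchronization"
    if cache.seen(assertion_id, now):
        return False, "replayed assertion ID"
    cache.remember(assertion_id, not_on_or_after)
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    for label, now in [
        ("first use", datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)),
        ("same ID again", datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)),
        ("server clock 8 min fast", datetime(2024, 1, 1, 12, 9, tzinfo=timezone.utc)),
        ("server clock 3 min slow", datetime(2024, 1, 1, 11, 57, tzinfo=timezone.utc)),
    ]:
        print(label, "->", check_assertion(SAMPLE_ASSERTION, now, cache))
```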
Access the user record (SE Administration File Organization structure User) and verify that the
user is not inactive or blocked and still has the same Access Area and Group configured.
Test the link below to validate whether the user and password acknowledged by the browser are
correct. The link should display the ADFS configuration list for connection.
https://adfsserver/adfs/ls/IdpInitiatedSignOn.aspx
Overview
SE Identity is an application that synchronizes the SE Suite users with Microsoft AD when the SE Suite server
does not have direct access to the Microsoft Active Directory server. This type of situation may occur when the
organization has several independent and isolated domains.
The application must be installed on a station within the network with access to Microsoft AD and SE Suite.
When being executed, the application will access the user data in Microsoft Active Directory to generate the
integration files and send them to SE Suite for the integration to be performed.
Requirements
Installation
Configuration
4. To configure SE Identity, access the conf folder, inside the folder that was decompressed:
se-identity/conf/
5. Open the se-identity.xml file. Make sure to have permission to edit the file.
§ The values between <...> are required and must be modified with real values of the environment where it will
be executed.
§ The values between [...] are optional values; if not necessary to enter them, they must be removed from the
configuration.
Configuration attributes
§ url: URL to access Microsoft AD using the LDAP protocol (LDAP://<host>[:port]). For example:
<url>ldap://softexpert.local:389</url>
§ userLdap: User name (displayName, not the login) with permission to view the data in Microsoft AD;
§ passwordLdap: Password of the user with permission to view the data in Microsoft AD.
General data
§ enable: When creating the domain in SE Suite, defines the status as active.
§ released: When creating the domain in SE Suite, defines the status as released.
Domain identification
§ domainIdentifier: Domain ID #.
User selection
§ userAuthorizationPattern: Filter to select the users who will be integrated with SE Suite.
§ defaultSynchronyzerFilter: Identifier that will be used as a key in the first integration with users already
§ onLoginImport: If enabled, imports the user into SE just as he/she authenticates in the system.
User data
§ nmSyncFieldNmDomainUID: User creation field in Microsoft AD that will be used as unique identifier when
§ nmSyncFieldIdLogin: User creation field in Microsoft AD that will be used as login when creating the user
in SE Suite
§ nmSyncFieldIdUser: User creation field in Microsoft AD that will be used as User ID when creating the
user in SE Suite
§ nmSyncFieldNmUser: User creation field in Microsoft AD that will be used as name when creating the user
in SE Suite
§ nmSyncFieldDsUserEmail: User creation field in Microsoft AD that will be used as email when creating the
user in SE Suite
§ fgSyncNotice: Indicates to the system whether the user will receive training notifications, improvements,
§ fgSyncLeader: Indicates to the system whether the Microsoft AD "manager" attribute should be
Position data
§ nmSyncFieldIdPosition: User creation field in Microsoft AD that will be used as identifier when creating
§ nmSyncFieldNmPosition: User creation field in Microsoft AD that will be used as name when creating the
position in SE Suite
§ fgSyncPosEnabled: Indicates to the system whether the user will be created as active or inactive.
Department data
§ nmSyncFieldNmDepartment: User creation field in Microsoft AD that will be used as identifier when
§ nmSyncFieldIdDepartment: User creation field in Microsoft AD that will be used as name when creating
§ fgSyncDeptEnabled: Indicates to the system whether the department will be created as active or inactive.
§ idDefaultAccessGroup: Access group code (if set, this will be the default access group when performing
§ nmSEUser: User login that will be used to authenticate in SE Suite with permission to perform the
integration.
§ nmSEPassword: User password that will be used to authenticate in SE Suite with permission to perform
the integration.
§ qtNotifierPeriod: Time limit for synchronization inactivity; The system administrator will be notified by e-
§ fgNotifierPeriodType: Time limit for synchronization inactivity type. Types available: Minutes, Hours, DAYS
and WEEKS.
§ mergeDepartmentFunction: If enabled, when synchronizing the user, the AD user department will be
replaced by the current department associated in SE Suite; if it is disabled, the AD user department will be
added to the departments associated with the user in SE Suite.
Execution
6. After configuring the se-identity.xml file, double-click the se-identity.jar file, located in the se-identity
folder. The application will display the following screen:
7. Click on the Simulate synchronization button to execute a synchronization simulation, without applying
changes to SE Suite. The system will notify when the data sending finishes. To verify the
simulation, access the SE Configuration component, Configuration > Authentication (CM008) menu,
and click on the (View synchronization simulation) button.
8. Click on the Synchronize button to perform the synchronization of Microsoft Active Directory user data
with SE Suite. The system will notify when the data sending finishes. To verify the synchronization, access
the SE Configuration component, Configuration > Authentication (CM008) menu and, on the Browse panel,
access the synchronization section.
Scheduling
It is possible to schedule the execution of the application on Windows. For this, access the Task Scheduler in
Control Panel > Administrative Tools > Task Scheduler and schedule as you need. Below is an example of how
to create a basic task on Windows, executed daily:
9. In the Task Scheduler tool, click the "Create Basic Task..." option, located on the right-side panel.
10. On the screen that will be displayed, enter a name and a description for the task. Then, click on the Next
button to proceed with the scheduling record:
11. In the Trigger step, enter the frequency of the scheduling being created. Click on the Next button and
enter the details about the selected frequency. Click on Next to proceed with the scheduling:
12. In the Action step check the "Start a program" option and click on Next to configure the startup
parameters of the SE Identity application:
13. Now, enter the information referring to the SE Identity start up and, after that, click Next:
§ Program/script: javaw
Command to execute se-identity.jar. Remember that the java installation folder must be in the
system path (environment variables) for the file to be executed from any folder in the system or
enter the specific path for the desired version;
Command used as the javaw argument for the execution of the se-identity.jar file.
§ Start in: Enter the path where the application can be found. Ex: C:\sesuite\se-identity\
14. In the Finish step, check the summary of the scheduling and click on Finish to create the scheduling. At
this point, the SE Identity application will always be executed according to the frequency set in the
scheduling.
This section contains the steps for the installation and configuration of the File Manager server to be used to
redirect the PDF conversion and File Manager update.
All the procedures below must be executed on a Windows server, on which File Manager will be installed, not on the SE
Suite server.
Note: If there is more than one domain used for the same database, update it to the most common one.
4. In the <connectionName> field, enter the same information that is in the <domain> field;
5. Copy the following files to the server where FileManager will be installed:
§ SESUITE_HOME\conf\database_config.xml
§ SESUITE_HOME\usr\local\se\plugins\FileManagerInstaller.zip
c) Click "Properties";
g) Double-click on "Path";
cd C:\Users\Administrator\Desktop\FileManagerInstaller
C:\SEFILEMANAGER
Note: There should not be an active installation of Tomcat on the same server.
20. Click on the "Log On" tab and then "This account";
Note: The version should be equivalent to the one used by the users. This installation should not be logged with
a Microsoft or corporate account. The older version should have the PDF conversion add-in installed.
24. With the cmd opened in step 10, type "mmc comexp.msc /32";
25. Expand "Component Services > Computers > My Computer > DCOM Config";
28. In the "Identity" tab, check "This user" and fill it in with the user created in step 16;
30. Copy the database_config.xml file copied in step 5 into the conf folder of FileManager:
C:\SEFILEMANAGER\conf
33. Confirm that the <server> field is pointing to the correct database server;
If the value is different or if it does not respond, change the <server> field in the database_config.xml
of FileManager to the IP resulting from item b);
Note: During the Oracle client installation, select the "Administrator" mode (complete).
41. Still, in the tnsnames.ora file on the server where FileManager is being installed, confirm the HOST field;
ping <HOST>
ping <HOST>
If the value is different or if it does not respond, change the HOST field in the tnsnames.ora of
FileManager to the IP resulting from item b);
Note: The SID may be the same as the SERVICE_NAME, but that is not a rule. When in doubt, ask the DBA for
the correct SID.
45. In the <server> field, fill in the same value as the HOST field configured in tnsnames.ora
(C:\oracle\product\11.2.0\client_1\network\admin\tnsnames.ora);
46. Verify that the FileManager server time is less than 5 minutes apart from the SE Suite server time;
49. Verify that port 5020 is released in the outgoing firewall of the SE Suite server, in the incoming firewall of
the server where FileManager is being installed, and in any firewall server
between the two servers.
50. Open a browser and access SE Suite through the URL defined in step 3;
51. Access the Document > Configuration > General parameters (DC035) screen.
52. In the Services tab, check the "Enable service redirection" option;
55. Click the checkbox next to the "Port" field to test the connection;
Test
http://stackoverflow.com/questions/4408538/exportasfixedformat-with-excel-fails
For the gage to connect with SE Suite, it is necessary to install ScaleService on the client machine(s). See how
to install that service in the steps below:
1. First of all, access the web/wwwroot/asset/app/ directory of the SE Suite server and copy the
ScaleService.rar file to the C:/ directory of the client's machine. Then, decompress the ScaleService.rar file
in the C:/ directory.
cd c:/ScaleService
SEScaleService.exe install
4. After installing the service, it should be started. For that, click on the Start Windows menu and type
"services.msc". Click the option and wait for the service manager screen to open;
5. In the service manager, search for SESuite Scale Connection Service and start the service.
For the correct connection with the equipment, the service must always be running. Therefore, configure the
service with an automatic start so that it is started with Windows.
This section will describe some procedures regarding the conversion to PDF, such as the addition of the PDF
conversion service with the Windows services, or the use of Microsoft Office as a PDF converter. See further
details in the following sections:
The OpenOffice PDF conversion service is required to convert documents in the OpenDocument Text (.odt)
format. To insert the PDF conversion service to the Windows services, execute the following steps:
4. Copy the srvany.exe file, installed by the Windows Server 2003 Resource Kit Tools in the C:\Program Files
(x86)\Windows Resource Kits\Tools directory, to C:\sesuite\pdfconverter;
5. Click on the Start Windows menu, type "cmd", click on the option and wait for the screen to open;
7. Click on the Start Windows menu, type "regedit", click on the option and wait for the screen to open;
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PDF Converter
11. Edit the newly created value and enter the following value (on a single line):
"<openoffice_installation_dir>\program\soffice.exe" -headless -accept="socket,host=0,port=5011;urp;" -nofirststartwizard
12. The registry key must look as shown in the image below:
13. Click on the Start Windows menu and type "services.msc". Click on the option and wait for the service
manager screen to open;
It is possible to use Microsoft Office to convert documents to PDF. For that, it will be necessary to configure the
SE Suite server and, on that server, install Microsoft Office Professional 2007 or later.
This is an optional procedure and, if it is not executed, the system may use OpenOffice for conversion.
Directories
After installing Microsoft Office on the SE Suite server, it will be necessary to create a directory. See below the
location where the folder must be created for each Windows architecture type, that is, 32-bit or 64-bit:
§ If the system is installed on a 32-bit Windows Server environment, the following directory must be created:
C:\Windows\System32\config\systemprofile\Desktop
§ If the system is installed on a 64-bit Windows Server environment, the following directory must be created:
C:\Windows\SysWOW64\config\systemprofile\Desktop
§ If the Windows Server environment architecture version is 64-bits and Microsoft Office Professional version is
C:\Windows\System32\config\systemprofile\Desktop
The following configuration must be set on the SE Suite server after installing Microsoft Office.
If you wish to use File Manager, set the following configuration on the File Manager server.
2. For the conversion service to work correctly, it will be necessary to insert the "Devices", "PrinterPorts",
and "Windows" registry keys into [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion]:
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Devices
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
§ HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows
3. For that, import the following code into the registry:
Windows Registry Editor Version 5.00

; The header line above is required for regedit to import the file.
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Send To OneNote 2010"="winspool,nul:"
"Microsoft XPS Document Writer"="winspool,Ne00:"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Send To OneNote 2010"="winspool,nul:,15,45"
"Microsoft XPS Document Writer"="winspool,Ne00:,15,45"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"UserSelectedDefault"=dword:00000000
"Device"="Send To OneNote 2010,winspool,nul:"
This section will cover the necessary configurations on the workstations. This configuration section contains
the following main topics:
§ Firefox configuration
§ OpenOffice automation
§ MSI installation
The activities in this section must be executed on all the workstations that will access SE Suite.
If the workstation environment is Windows and the browser to be used is Internet Explorer, check whether
the Internet Explorer security configurations meet the minimum requirements for SE Suite to work on the
workstations:
2. In the control panel, access the Internet Options (category Network and Internet) menu;
3. Access the Security tab and in Select a zone to view or change security settings, click Local intranet;
4. In the Security levels for this zone, click on Custom level... and in Settings;
Make sure to add your SE Suite link to the Allowed sites section.
§ ActiveX controls and plug-ins > Binary and script behaviors: enable
§ ActiveX controls and plug-ins > Run ActiveX controls and plug-ins: enable
§ ActiveX controls and plug-ins > Script ActiveX controls marked safe for scripting: enable
6. Click OK;
8. On the window that opens up, in Blocking level, select the Low: Allow pop-ups from secure sites
option. See further details in the following image:
Make sure to add your SE Suite link to the Allowed sites section.
9. Click on Close to close this window and then on OK to close the Internet Options window;
Check whether the Firefox configurations meet the minimum requirements for SE Suite to work on the
workstations:
2. In the Content tab, in Block pop-up windows, click on the Exceptions button;
4. Click on Close to close this screen and then click on OK to close the Options screen;
6. Access the Plugins tab and check whether the Java plugin is installed and enabled;
The OpenOffice automation allows disabling the save and print options, among others. To use the OpenOffice
automation, the client machine must have access to the following directories (on the client machine itself):
C:\Windows\Temp
C:\Program Files\Java\jre8\lib\ext
PDF, DWG, and DXF files are viewed, in SE Suite, through SE Viewer. When opening one of these files for the
first time, the system requests the installation of the viewer. If the logged user has no permission to install the
viewer, the administrator will have to execute the following procedure:
Manual procedure
Uncompress the sepreview.zip file and execute the MSI file on the client workstations that need to install
the viewer.
The execution should be performed by a user with administrator permission on the machine.
Automatic procedure
Decompress the sepreview.zip file and add the MSI file in the network login script so that it is replicated
to all stations automatically.
It must be parameterized to be executed with administrator permission whenever a new user logs on to the
machine.
If the system is accessed through a remote access environment (Citrix, Terminal Services, etc.), the following
configuration must be set in the Citrix or Terminal Services servers:
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
2. In the "State" item, change the value from 23c00 to 23e00; this will disable the CRL (certificate revocation
list) verification for the system user account.
A reverse proxy is a network server that receives all the external connections and forwards them to the Web
server. See below how to configure the system external access:
For the external access to work correctly, the URL to access the system must be interpreted both on the stations and
on the application server. For this, the domain used in the external access must be recorded in the hosts file of the
application server's operating system, pointing to the local IP (or 127.0.0.1).
C:\Windows\System32\drivers\etc\hosts
2. Add the access domain line according to the following example:
127.0.0.1 externalaccess.softexpert.com
There must be no port change in the NAT configuration. If, in the IIS, port 80 is being used, the firewall must direct to
port 80 as well. For instance, it cannot be directed from 81 to 80, only to the same port.
Reverse proxy
Considering that the DNS name to be used externally is sesuite.softexpert.com, this same name must resolve internally
on the proxy server, pointing to the application server where SE Suite is installed, and must also resolve to the
internal IP of that same server in the internal network.
To ensure this, we may use the HOSTS file of the proxy server and force the DNS name to resolve to the desired
(internal) IP. The same must be performed on the application server.
<Proxy *>
# No whitespace is allowed after the comma in the Order directive
Order deny,allow
Allow from all
</Proxy>
# Reverse proxying through ProxyPass does not need forward proxying.
# ProxyRequests On combined with "Allow from all" would expose an open forward proxy.
ProxyRequests Off
ProxyVia On
ProxyPass /se http://sesuite.softexpert.com/se
ProxyPassReverse /se http://sesuite.softexpert.com/se
ProxyPass /softexpert http://sesuite.softexpert.com/softexpert
ProxyPassReverse /softexpert http://sesuite.softexpert.com/softexpert
ProxyPass /bi http://sesuite.softexpert.com/bi
ProxyPassReverse /bi http://sesuite.softexpert.com/bi
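ProxyPass mappings alone make Apache a reverse proxy; ProxyRequests set to On additionally enables forward proxying, and together with a <Proxy *> block that admits every client the server relays requests for anyone. The check below is an added example, not SoftExpert's code; the two sample configurations and the finding names are constructed for illustration.

```python
import re

# Constructed sample: a reverse-proxy mapping plus forward proxying open to everyone.
WEAK_CONF = """\
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests On
ProxyPass /se http://sesuite.softexpert.com/se
ProxyPassReverse /se http://sesuite.softexpert.com/se
"""

# Constructed sample: the same mapping with forward proxying switched off.
HARDENED_CONF = """\
ProxyRequests Off
ProxyPass /se http://sesuite.softexpert.com/se
ProxyPassReverse /se http://sesuite.softexpert.com/se
"""

SECTION_OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"</\s*(\w+)\s*>")


def parse_directives(text):
    """Return (line_no, enclosing_sections, name, args) for every directive."""
    stack, directives = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.fullmatch(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.fullmatch(line)
        if opened:
            stack.append((opened.group(1).lower(),
                          opened.group(2).strip().strip('"')))
            continue
        name, *args = line.split()
        directives.append((line_no, tuple(stack), name.lower(), args))
    return directives


def audit(text):
    """Return a list of (line_no, finding) tuples; an empty list means no finding."""
    directives = parse_directives(text)
    findings = []

    forward = [no for no, _, name, args in directives
               if name == "proxyrequests" and args and args[0].lower() == "on"]
    findings += [(no, "forward-proxy-enabled") for no in forward]

    # Access rules inside <Proxy *> that admit every client (2.2 and 2.4 syntax).
    for no, sections, name, args in directives:
        wildcard = any(kind == "proxy" and arg == "*" for kind, arg in sections)
        rule = " ".join(args).lower()
        admits_all = ((name == "allow" and rule == "from all")
                      or (name == "require" and rule == "all granted"))
        if forward and wildcard and admits_all:
            findings.append((no, "open-forward-proxy"))

    # Each ProxyPass path should have a ProxyPassReverse so that redirect
    # headers sent by the backend are rewritten to the public URL.
    passed = {args[0]: no for no, _, name, args in directives
              if name == "proxypass" and args}
    reversed_paths = {args[0] for _, _, name, args in directives
                      if name == "proxypassreverse" and args}
    for path, no in sorted(passed.items()):
        if path not in reversed_paths:
            findings.append((no, "missing-proxypassreverse " + path))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```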
6.9 - Troubleshooting
The topics in this section contain the steps to solve problems identified in SE Suite.
§ Requirements check
§ Index server
§ System version
§ Single Sign-On
Starting in version 2.0.5, SE Suite contains a requirements checker. This resource is a functionality, executed
during the SE Suite initialization, which aims to make sure the server meets all the requirements for system
use. If a requirement for system use is not met, the checker will display a message to indicate the
configuration that needs to be solved.
See below some configurations that may be required to start the SE Suite service:
By default, the time zone used in Java is the same as the one configured in the operating system. To start the
application with a time zone different from the one used by the operating system, it is necessary to
indicate that to Java in the system startup, through the user.timezone attribute, according to the
following examples:
SE Suite in Windows:
§ Add a new line in the "Java options" with the value: -Duser.timezone=America/Los_Angeles
The time zone used in the example is the official USA time zone, the ID # for other time zones can be found at:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones (Accessed on Sep/08/2016).
If the system displays a divergence in the daylight-saving time configuration between Java and PHP, the
problem may be in the version of the Java time zone database. To update the database, execute the
following steps:
§ Run the application with the same Java virtual machine used by SE Suite with the command line
"java -jar tzupdater.jar -f"
§ If the current directory is not the one where tzupdater.jar is located, use the full path to the tzupdater.jar file
§ To compare the time zone database versions of Java and of the application, execute the "java -jar
tzupdater.jar -V" command.
To set the time zone that will be used by PHP it is necessary to edit the file php.ini (usually located in
SESUITE_HOME\web\php\lib\php.ini). Locate and edit the following line according to your time zone:
date.timezone = America/Los_Angeles
The time zone used in the example is the official USA time zone, the ID # for other time zones can be found at:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones (Accessed on Sep/08/2016).
GENERAL JavaVersion "The installed Java version is {JAVA VERSION}, when it should be 1.7."
Solution: Remove the installed Java version and install the correct one.
Solution: For Windows environments, see the memory configuration procedure, described in the Apache Tomcat
installation section.
GENERAL memory_limit "Memory_limit variable value is {VALUE}, when it should be -1. Check
configuration in php.ini."
GENERAL date.timezone "Date.timezone Java variable (JAVA_TIMEZONE) must be the same as the
PHP variable (PHP_TIMEZONE). Java uses the time zone defined by the
operating system, while PHP uses the value defined in the php.ini file."
Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the message variable.
3. If there are repeated variables, add a “;” (semi-colon) at the beginning of the line for it to be commented, thus
the variable will not be validated. Example of a commented variable:
;cgi.force_redirect = 1
Example of valid variable (uncommented):
cgi.force_redirect = 1
4. After locating the variable, define the correct value, as described in the message.
Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the message variable.
3. If there are repeated variables, add a “;” (semi-colon) at the beginning of the line for it to be commented, thus
the variable will not be validated. Example of a commented variable:
;cgi.force_redirect = 1
Example of valid variable (uncommented):
cgi.force_redirect = 1
4. After locating the variable, define the correct value, as described in the message.
Solution:
1. Open the SUITE_HOME\web\php\php.ini file and search for the extension described in the message.
3. If there are repeated extensions, add a “;” (semi-colon) at the beginning of the line for it to be commented,
thus the extension will not be validated. Example of a commented extension:
;zend_extension=php_opcache.dll
zend_extension=php_opcache.dll
4. After locating the extension, define the correct value, as described in the message.
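The Solution steps above (locate the variable, comment out repeated entries, set the value from the message) can be verified with a short script. This is an added example, not SoftExpert's requirements checker; the sample php.ini text and the function names are constructed, and the script assumes that the last active occurrence of a repeated directive is the effective one.

```python
import re

# Constructed php.ini fragment: memory_limit is active twice, one line is commented out.
SAMPLE_INI = """\
[PHP]
memory_limit = 128M
;cgi.force_redirect = 1
cgi.force_redirect = 1
date.timezone = America/Los_Angeles
memory_limit = -1
zend_extension=php_opcache.dll
"""

ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w.\-]*)\s*=(.*)$")


def _clean(value):
    """Strip quotes, or cut an inline ';' comment from an unquoted value."""
    value = value.strip()
    if value[:1] in ('"', "'"):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(";", 1)[0].strip()


def active_settings(text):
    """Map each uncommented directive to its [(line_no, value), ...] occurrences."""
    settings = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith((";", "[")):
            continue  # commented-out line or section header
        match = ASSIGNMENT.match(raw)
        if match:
            settings.setdefault(match.group(1), []).append(
                (line_no, _clean(match.group(2))))
    return settings


def check(text, expected):
    """Report repeated active directives and values that differ from `expected`.

    `expected` maps a directive to the value named in the checker message,
    for example memory_limit -> "-1" or date.timezone -> the Java time zone.
    """
    settings = active_settings(text)
    problems = []
    for name, hits in settings.items():
        if len(hits) > 1:
            problems.append(("duplicate", name, [no for no, _ in hits]))
    for name, wanted in expected.items():
        hits = settings.get(name)
        if not hits:
            problems.append(("missing", name, wanted))
        elif hits[-1][1] != wanted:  # assumption: the last active line is effective
            problems.append(("mismatch", name, hits[-1][1], wanted))
    return problems


if __name__ == "__main__":
    wanted = {"memory_limit": "-1", "date.timezone": "America/Los_Angeles"}
    for problem in check(SAMPLE_INI, wanted):
        print(problem)
```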
GENERAL ...web\include\template The {NAME_OF_FILE} template is not a template in the JSON format.
The objective of the index server is to extract data from records and files in SE Suite to index them. These
indexes are used in some system search screens, in addition to the general search. This service works in
parallel with the system; when starting SE Suite, the index service is also started. See below the steps to
verify whether the service is being executed:
1. Open the Task manager (taskmgr.exe), access the tab that shows the services that are running and
enable the display of a column called Command Line:
The procedure to make this column be displayed may vary according to the version of the Operating System:
§ Right-click the title of the columns and select the "Select columns" option; or
2. Locate the Java service with the following command line (column Command Line):
"SESUITE_HOME\tools\se-fts-indexer-server\se-fts-indexer-server.jar".
In some situations, this service may not work adequately. See below a list of possible causes and their
solutions:
2. Check whether there is a firewall configuration blocking the port of the 'indexer.server.port'
parameter. After unblocking the port, it will be necessary to restart the system and check whether the
index service is being executed.
2. Check whether there is another service using the port of the indexer.server.port parameter. If
affirmative, select an available port.
'java.lang.UnsatisfiedLinkError'
2. At this point, the connection data will be displayed. Click the 'Save and exit' button:
The system verifies the versioning of the packages, aiming to maintain SE Suite stability. Incompatibilities
between the versions of the installed/updated packages may be found. See below the solution to stabilize SE
Suite:
To anticipate possible problems in the process of synchronizing and authenticating users in a domain, you can
test the configuration of the domain in the system authentication configuration (CM008), in the "Directory
integration Domains" section, when creating or editing a record. This procedure will test the communication
from the SE Suite server with the authentication and directory servers that are provided in the configuration.
The protocols tested are LDAP, using the connection string, user and password provided, and communication
with the domain address and NTLMv2 port, for authentication via the NTLMv2 protocol.
Generally, a failure in the connection test occurs if there are errors in the domain configuration or problems
in the network connections between the SE Suite server and the servers that host the directory and
authentication services. Therefore, it is recommended to use connection diagnostic tools or to ask the
network administrator to verify the addresses and ports used in the communication.
§ Error message when connecting to the domain controller: The SE Suite server was unable to open a connection via
the LDAP protocol using the URL provided in the "Connection string" field. Verify that the field is filled
in correctly. If a port has not been specified in the URL itself, verify that the server is accepting
connections on the default LDAP port 389, or on ports 636 and/or 3269, the defaults for LDAPS, or contact the
directory service administrator to check the availability of the service.
§ Alert message informing that the connection via NTLMv2 failed: The SE Suite server was unable to open a
connection to the domain address and port provided in the configuration. Verify that the respective fields
("domain address" and "Port NTLMv2") are correct and that the destination server is accepting connections
on the provided port. If it is not, check the firewall rules or contact your network administrator. Note:
If there is no intention to use the NTLMv2 authentication protocol, this alert can be ignored.
§ Error message informing that the user was not found or the password is incorrect: communication
with the directory service succeeded, but the user and/or password provided in the
"User" and/or "Password" fields are incorrect. This user is a user created in the directory service, so
verify that the name and password match the information recorded in the service. Remember
that the name, not the login, must be entered in the "User" field.
§ Alert message informing that authentication via NTLMv2 failed: In this case, the "User Login" (example:
user.test@domain.local) and/or the "Password" entered are incorrect. This user is also a
user created in the directory service; just check that the information is correct. Note: If
there is no intention to use the NTLMv2 authentication protocol, this alert can be ignored.
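A connection diagnostic of the kind recommended above, as an added example that is not part of SE Suite: it derives the ports to test from the connection string (389 for LDAP, 636 and 3269 for LDAPS when the URL has no port) and tells an unresolved name, a closed port and a filtered port apart. Host names, the NTLMv2 port value and the function names are constructed.

```python
import socket
from urllib.parse import urlsplit

# Ports named in the troubleshooting text, tried when the URL carries no port.
PAGE_DEFAULT_PORTS = {"ldap": [389], "ldaps": [636, 3269]}

ADVICE = {
    "open": "port reachable; if the test still fails, review user and password",
    "dns-failure": "name does not resolve; check the address typed in the field",
    "refused": "host answers but nothing listens there; check port and service",
    "timeout": "no answer; check firewall rules between the servers",
    "unreachable": "network error; check routing with the network administrator",
}


def ldap_endpoint(connection_string):
    """Split an LDAP URL into (scheme, host, [ports to test])."""
    parts = urlsplit(connection_string.strip())
    scheme = parts.scheme.lower()
    if scheme not in PAGE_DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected ldap://host[:port] or ldaps://host[:port]")
    ports = [parts.port] if parts.port else PAGE_DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, list(ports)


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(connection_string, domain_address=None, ntlm_port=None,
             probe_fn=probe):
    """Probe the LDAP endpoint and, when configured, the NTLMv2 address and port."""
    _, host, ports = ldap_endpoint(connection_string)
    targets = [("LDAP connection string", host, port) for port in ports]
    if domain_address and ntlm_port:
        targets.append(("NTLMv2 domain address", domain_address, int(ntlm_port)))
    report = []
    for check, target_host, port in targets:
        result = probe_fn(target_host, port)
        report.append({"check": check, "host": target_host, "port": port,
                       "result": result, "advice": ADVICE[result]})
    return report


if __name__ == "__main__":
    # Constructed values; replace them with the ones entered in CM008.
    for row in diagnose("ldaps://dc01.example.local", "example.local", 445):
        print("{check}: {host}:{port} -> {result} ({advice})".format(**row))
```

Run it on the SE Suite server itself, since the test in CM008 checks connectivity from that server.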
This section addresses the topics related to best practices regarding database management and maintenance.
Make sure to verify each one of these items.
§ Check the possibility to create a routine to update the statistics and defragment the database objects.
§ Keep a database backup routine; the frequency must be set to meet the technical and business
requirements.
§ Whenever possible, try to simulate the need of backup restoration; this action aims to identify possible
§ Periodically monitor the free space in the disk where the database files are stored. With that, it will be
possible to avoid any type of failure due to the lack of disk space.
Chapter VII
Document history
The table below describes the main changes made to this document.
20 2.0.11 Apr/27/2018
→ Addition of the single sign-on troubleshooting section, in the Single Sign-On topic.
19 2.0.11 Mar/07/2018
→ Breakdown of Oracle and Oracle client configuration topics in the Oracle section.
→ Update of the following topics:
§ Java Security Extension package
§ SAML authentication
§ Kerberos authentication
18 2.0.10 Dec/07/2017
→ Addition of notes on the user's e-mail and password configuration, in the Base
configuration section.
→ Removal of the NTLM Authentication section.
→ Update of the following sections:
§ Kerberos authentication.
§ SAML authentication.
17 2.0.9 Sep/15/2017
→ Update of the following sections:
§ Kerberos authentication.
§ SAML authentication.
§ Java Security Extension package
16 2.0.8 Jul/31/2017
→ Addition of Java Security Extension package section.
→ Update of the SAML Authentication section.
15 2.0.8 Jun/23/2017
→ Update of the following topics:
§ SE Suite installation
§ SE-Identity - Integration of Microsoft AD users with SE Suite
§ Java JRE installation
§ Apache Tomcat installation
14 2.0.7 May/06/2017
→ Update of the topic.
13 2.0.7 Mar/27/2017
→ Update of the following topics:
§ User creation on Windows Server
§ Starting the services
→ Addition of the Scale service (SE Asset) topic
12 2.0.6 Mar/01/2017
→ Update of the following topics:
§ NTLM authentication
§ Kerberos authentication
§ SE-Identity - Integration of Microsoft AD users with SE Suite
11 2.0.5 Nov/24/2016
→ Update of the following topics:
§ File Manager update
§ Requirements check
10 2.0.5 Oct/17/2016
→ Update of the Requirements check topic.
→ Addition of Troubleshooting and System version topic.
→ The Requirements check and Indexing servers were moved into the Troubleshooting
topic.
09 2.0.5 Oct/03/2016
→ Addition of the Index server topic.
08 2.0.5 Sep/26/2016
→ Addition of the Starting the services and Requirements check topics.
→ Update of the Apache Tomcat installation topic.
07 2.0.4 Aug/03/2016
→ Update of the following topics:
§ Kerberos authentication
§ Apache Tomcat installation
06 2.0.4 Jun/23/2016
→ Update of the following topics:
§ Kerberos authentication
§ SAML authentication
05 2.0.3 May/06/2016
→ Update of the SAML authentication topic.
04 2.0.2 Mar/22/2016
→ Update of the following topics:
§ Oracle configuration
§ PostgreSQL configuration
§ SAML authentication.
→ Addition of the configuration for the indexing services in the File Manager
configuration and PDF Conversion with Microsoft Office topics.
→ Addition of the SE-Identity - Integration of Microsoft AD users with SE Suite topic.
03 2.0.1 Dec/14/2015
→ Update of the following topics:
§ Oracle configuration
§ OpenOffice PDF conversion service
§ File Manager server installation (prerequisite).
02 2.0.1 Nov/24/2015
→ Update of the following topics:
§ SE Suite update
§ IIS installation
§ SE Suite installation
01 2.0.0 Sep/14/2015
→ Addition of the SE Suite update topic.
→ Update of the following topics:
§ Installation packages preparation
§ Network configuration
§ SE Suite installation
§ SSL configuration
→ Correction in the Windows versions mentioned in the User creation on Windows
Server topic.
→ Correction in the order of the subtopics in the System configuration topic.
→ Correction in the order of the subtopics in the Single Sign-On with AD topic.
00 2.0.0 Sep/01/2015
→ Creation of the document from the "SE Suite 1.3 - Installation Guide - Windows"
document.
→ Update of the Pre-required activities topic.
→ Update of the Installation activity topic.
→ Update of the Additional procedures topic.
SoftExpert is a market leader in software and services for enterprise-wide business process
improvement and compliance management, providing the most comprehensive application suite
to empower organizations to increase business performance at all levels and to maximize
industry-mandated compliance and corporate governance programs.
Founded in 1995 and with more than 2,000 customers and 300,000 users worldwide, SoftExpert
solutions are used by leading corporations in all kinds of industries, including manufacturing,
government and public sector, pharmaceutical sector, hospitals and laboratories, financial
services, high tech and IT, education, energy and utilities, logistics, retail, services, among
others.
Along with its extensive network of resellers spread across all continents, SoftExpert also
provides hosting, implementation, post-sales support, and validation services for its solutions to
ensure that customers realize the maximum value from their investments.