PanfilovAB

Re: Ask the Expert: What's New in EMC Documentum 7.1?

In that case it's not clear why such a setup is strongly recommended (see Alvaro's initial question); why not restrict docbase registration on the docbroker side? Actually such a setup would be more useful, especially for DEV/TEST environments.

Another question about the SSL implementation: CS now has four(?) certificate stores: netscape for LDAP, dm_public_key_certificate, dm_private_key_certificate and pkcs for SSL connections. In my opinion this is absolutely inconsistent: every new feature has its own cryptostore implementation (and D2's lockbox also needs to be added to the list). Why not remove all the redundant stuff and store all cryptography settings inside the docbase?

fainemr

Re: Ask the Expert: What's New in EMC Documentum 7.1?

I noticed that also; it seems to just be getting worse all the time. How many different store types is too many for EMC? I was thinking about suggesting they use a single type of store, but I like your suggestion better.

pwalsh1

Re: Ask the Expert: What's New in EMC Documentum 7.1?

With Documentum, we try to balance the addition of new features against the impact on current solutions. We're discussing areas that have reached a point where the complexity demands careful reduction. We're looking to approach stores from two angles: consolidate as much as possible within Documentum for standalone deployments, or push as much as possible to a remote protection system that can secure the stores in one location across the enterprise.

fainemr

Re: Ask the Expert: What's New in EMC Documentum 7.1?

@Patrick Walsh That sounds like a reasonable response, though I don't know what it is you're responding to. Perhaps you meant to reply to someone else? I don't think I asked any questions about stores, or did I?

pwalsh1

Re: Ask the Expert: What's New in EMC Documentum 7.1?

I agree that "strongly recommended" does need more context.

And a good suggestion for the docbroker. The docbroker was originally built to direct traffic, but it has the potential to evolve into something greater.

PanfilovAB

Re: Ask the Expert: What's New in EMC Documentum 7.1?

Patrick Walsh wrote:

Anonymous SSL mode secures the communication between the DFC client and the Content Server. The new SSL mode also establishes the identity of the Content Server. As you pointed out earlier, this secures the system from malicious internal masquerade attacks that try to spoof the identity of the Content Server.

Patrick Walsh

Yesterday we discussed the incompatibilities introduced with certificate-based SSL:

[screenshot attached]

And that is a real issue; for example, how can we copy some data between an old CS and a 7.1 CS with certificate-based SSL without switching it to anonymous SSL? And I can't understand what the problem was with implementing the new SSL feature in a clearer way. For example:

  1. add support for new options in DFC like:
    dfc.security.trusted_docbase[0]=docbase1
    dfc.security.trusted_cert_alias[0]=cert_alias1
    that will cause DFC to require server authentication for a specific docbase
  2. when the server sends its response to a NEW_SESSION_BY_ADDR request, it sets a flag indicating whether it supports certificate-based SSL or not (the same behaviour is implemented for the serialization protocol and the time format convention)
  3. if DFC expects the connection to be secure but CS didn't set that flag, DFC disconnects
  4. otherwise DFC upgrades the cipher suite (removes DH_anon_*), initiates renegotiation and checks the received server certificate
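The negotiation proposed in the post above, modelled as an added example (this is not DFC or Content Server code, and the dfc.security.trusted_docbase / trusted_cert_alias keys and the capability flag in the NEW_SESSION_BY_ADDR reply are the post's proposal, not an existing DFC feature). The dfc.properties fragment and the server replies are constructed for the example; the cipher suite names are standard IANA names.

```python
"""Model of the per-docbase trust negotiation proposed in the thread.

Assumptions (not real DFC/Content Server behaviour):
  - dfc.security.trusted_docbase[N] / trusted_cert_alias[N] are indexed keys
    in dfc.properties that pair a docbase with the expected server cert alias;
  - the NEW_SESSION_BY_ADDR reply carries a boolean "supports certificate SSL"
    capability flag, and the alias of the certificate the server presents on
    renegotiation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed dfc.properties fragment in the indexed-key style the post proposes.
DFC_PROPERTIES = """
# trusted docbases: DFC must authenticate these servers before talking to them
dfc.security.trusted_docbase[0]=docbase1
dfc.security.trusted_cert_alias[0]=cert_alias1
dfc.security.trusted_docbase[1]=docbase2
dfc.security.trusted_cert_alias[1]=cert_alias2
"""

INDEXED_KEY = re.compile(
    r"^dfc\.security\.(trusted_docbase|trusted_cert_alias)\[(\d+)\]=(.*)$")


def parse_trusted_docbases(text: str) -> Dict[str, str]:
    """Return {docbase: expected_cert_alias} from indexed dfc.properties lines.

    A trusted_docbase[N] without a matching trusted_cert_alias[N] is a
    configuration error, because there would be nothing to check the server
    certificate against.
    """
    docbases: Dict[int, str] = {}
    aliases: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INDEXED_KEY.match(line)
        if not m:
            continue  # other dfc.* keys are irrelevant here
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        (docbases if kind == "trusted_docbase" else aliases)[idx] = value
    trusted: Dict[str, str] = {}
    for idx, name in docbases.items():
        if idx not in aliases:
            raise ValueError(f"trusted_docbase[{idx}] has no trusted_cert_alias[{idx}]")
        trusted[name] = aliases[idx]
    return trusted


@dataclass
class NewSessionReply:
    """Constructed model of a server's NEW_SESSION_BY_ADDR response."""
    docbase: str
    supports_cert_ssl: bool                 # proposed capability flag (step 2)
    offered_suites: Tuple[str, ...]         # suites usable on this connection
    cert_alias: Optional[str] = None        # alias of cert shown on renegotiation


def negotiate(trusted: Dict[str, str], reply: NewSessionReply) -> Tuple[str, object]:
    """Apply steps 2-4 of the proposal on the client (DFC) side.

    Returns (action, detail) where action is one of
    "connect_as_is", "disconnect", "renegotiated".
    """
    expected_alias = trusted.get(reply.docbase)
    if expected_alias is None:
        # Docbase not marked trusted: keep today's behaviour (native/anonymous).
        return "connect_as_is", list(reply.offered_suites)
    if not reply.supports_cert_ssl:
        # Step 3: client demands authentication, server cannot provide it.
        return "disconnect", "server did not advertise certificate-based SSL"
    # Step 4: drop anonymous Diffie-Hellman suites before renegotiating.
    suites = [s for s in reply.offered_suites if not s.startswith("TLS_DH_anon_")]
    if not suites:
        return "disconnect", "no authenticated cipher suite left after removing DH_anon_*"
    if reply.cert_alias != expected_alias:
        # Identity check: the presented certificate must be the configured one.
        return "disconnect", f"server cert {reply.cert_alias!r} != expected {expected_alias!r}"
    return "renegotiated", suites


ANON = "TLS_DH_anon_WITH_AES_128_CBC_SHA"
RSA = "TLS_RSA_WITH_AES_128_CBC_SHA"


def run_scenarios() -> Dict[str, Tuple[str, object]]:
    """Four constructed connections: a 7.1 CS with the right cert, an old CS
    without the flag, an untrusted docbase, and a 7.1 CS with the wrong cert."""
    trusted = parse_trusted_docbases(DFC_PROPERTIES)
    return {
        "cs71_ok": negotiate(trusted, NewSessionReply("docbase1", True, (ANON, RSA), "cert_alias1")),
        "cs67_old": negotiate(trusted, NewSessionReply("docbase1", False, (ANON,))),
        "untrusted": negotiate(trusted, NewSessionReply("docbase3", False, (ANON,))),
        "wrong_cert": negotiate(trusted, NewSessionReply("docbase2", True, (ANON, RSA), "cert_alias9")),
    }


if __name__ == "__main__":
    for name, (action, detail) in run_scenarios().items():
        print(f"{name:10s} -> {action}: {detail}")
```

The point of the model is that trust is decided per docbase on the client, so a single DFC instance can keep talking to an old Content Server in its existing mode while refusing anything but an authenticated, non-anonymous connection to the docbases it has been told to trust.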
PanfilovAB

Re: Ask the Expert: What's New in EMC Documentum 7.1?

Is it worth waiting for the answer to the "compatibility question"?

pwalsh1

Re: Ask the Expert: What's New in EMC Documentum 7.1?

On connection compatibility:

It's true that the Content Server, DocBroker, and DFC need to be set to use either native, anonymous SSL, or certificate SSL mode. When the DFC app is configured for certificate SSL mode, it needs an extra trust store defined in the dfc.properties file, and it will not connect to servers configured for anonymous SSL; the mixed SSL mode is not supported. However, it is still possible to run 6.7 SP2 content servers in native connection mode, run 7.1 content servers in certificate SSL mode, and have the same DFC app talk to both.

You may consider that solution restrictive. As mentioned in other posts, we need to balance the impact of adding new capabilities against the impact of changing what works for existing solutions. I like your suggestions that clean up the complexities while maintaining the flexibility to move forward and be backwards compatible. The team will be considering them in the future. Thanks.

aldago-zF7Lc

Re: Ask the Expert: What's New in EMC Documentum 7.1?

Thanks for the answers Patrick, some more questions:

Server Certificate Authentication was not available as an Out-of-the-Box configuration before 7.1. This mode provides enhanced trust when identifying Documentum servers using the DFC client.

Was it something available with previous TCS versions, or is it something new developed for 7.1?

We're interested in your feedback and experiences with this new release, including supporting material like the documentation. Let me know if you have additional suggestions that would make the process more straightforward.

(Happening in both Windows and Linux 7.1 setups): If you configure the docbroker to work in secure mode only, it will use port 1489 even though the log indicates it is using 1490. Launching the docbroker with -port 1490 will make the docbroker listen on 1490 while the log indicates it is using 1491. Either fix this behaviour or note it in the installation guide, because as it is now it is... confusing.

Besides, the whitepaper @PanfilovAB linked before should be included as a full section in the documentation. Even though the installer allows you to configure the certificate-based secure mode, the troubleshooting section of that WP is quite useful.

In the future, we may adopt a new EBS interpreter or add support for other scripting languages as core components evolve.

At least an update is being considered...

aldago-zF7Lc

Re: Ask the Expert: What's New in EMC Documentum 7.1?

I'm answering myself:

(Happening in both Windows and Linux 7.1 setups): If you configure the docbroker to work in secure mode only, it will use port 1489 even though the log indicates it is using 1490. Launching the docbroker with -port 1490 will make the docbroker listen on 1490 while the log indicates it is using 1491. Either fix this behaviour or note it in the installation guide, because as it is now it is... confusing.

I've been playing again with one of the two machines I used to set up the SSL configuration, and I must say that what I said is completely wrong. Setting the docbroker to secure mode only uses port 1490 by default. I messed with a lot of files/database entries, so I probably broke something while I was testing it...
