
Saturday, October 4, 2025

10 Years Later: The Hell and Glory of Installing FileNet Daeja Viewer


Back in 2015 I had to pull off one of those invisible masterpieces that leave a mark in your career: building IBM FileNet P8 + Content Navigator + Daeja Viewer from scratch, on top of Windows Server, WebSphere, DB2, and Active Directory.

It wasn’t plug-and-play. I went through 100+ virtual machines, breaking and rebuilding, until LDAP, JAAS, CE, ICN, and DB2 finally came together. While some colleagues said “this is too difficult,” I was neck deep in LDAPS, certificates, Kerberos SPNs, WebSphere JVM tuning, and those endless logs that only make sense at 3 a.m. After many sleepless nights, the system finally went live in Sydney, Darling Harbour.






The Number One Enemy: Daeja ViewOne

This viewer was both hated and necessary. Without it, PDFs and TIFFs would not render at all. A typical WebSphere log error looked like this:


[5/18/15 11:01:32:341 BDT] 000000cd LocalTranCoor E   
WLTC0017E: Resources rolled back due to setRollbackOnly()

FNRAC1008E: Unable to get data from server

[FNRPE0911843060E] Error executing the CA RPC call configEventExportStoreProperties
Root cause: java.lang.NullPointerException

Translation: the viewer was trying to fetch Content Engine configuration and died with a NullPointerException. If you didn’t know how to read between the lines, you could be stuck for days.


The Classic jiServerException Bug

Sometimes, when opening a TIFF in ICN, you’d hit this random error:


ji.net.jiServerException: Server did not respond with OK
Error: IO error: null

Open the same document a second time — and suddenly it worked. Root cause? HttpOnly cookies in WebSphere. IBM documented this years later, but back then it was all about trial and error.

Fix (WebSphere 8+):

  1. Go to Servers > Server Types > WebSphere Application Servers > Session Management.
  2. Uncheck Set session cookies to HTTPOnly.
  3. Go to Global Security > Web and SIP Security > Single Sign-On (SSO).
  4. Uncheck Set security cookies to HTTPOnly.
  5. Restart the node.

And finally, Daeja would behave.
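
What steps 2 and 4 change in the server's responses, as an added example (not from the original post or from IBM): with HTTPOnly cleared, the session and SSO cookies become readable by any script running in the page, so the Secure flag should stay on and the emitted headers are worth checking. The cookie names JSESSIONID and LtpaToken2 are assumed WebSphere defaults, and all header values are constructed samples.

```python
# Added example. JSESSIONID and LtpaToken2 are assumed WebSphere default cookie
# names; every header value below is a constructed sample, not captured traffic.
SENSITIVE = ("JSESSIONID", "LtpaToken2")
REQUIRED = ("httponly", "secure")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(set_cookie_values):
    """Map each sensitive cookie to the protective flags it is missing."""
    missing = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        gaps = [flag for flag in REQUIRED if flag not in attrs]
        if name in SENSITIVE and gaps:
            missing[name] = gaps
    return missing


# Both HTTPOnly boxes still checked (the state in which the viewer failed).
BEFORE_FIX = [
    "JSESSIONID=0000constructedA:-1; Path=/; Secure; HttpOnly",
    "LtpaToken2=Y29uc3RydWN0ZWQ=; Path=/; Secure; HttpOnly",
]
# After steps 2 and 4: HttpOnly is gone, Secure is the flag that must remain.
AFTER_FIX = [
    "JSESSIONID=0000constructedA:-1; Path=/; Secure",
    "LtpaToken2=Y29uc3RydWN0ZWQ=; Path=/; Secure",
    "lang=en; Path=/",  # non-sensitive cookie, ignored by the audit
]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(headers) or "no gaps")
```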


LDAP / Active Directory: The Real Challenge

Authentication was a nightmare if you didn’t master LDAP + Kerberos. These snippets saved my life back then:

SPN for the service account:


setspn -S HTTP/filenet-appsrv DOMAIN\svc-fn-was
setspn -S HTTP/filenet-appsrv.domain.local DOMAIN\svc-fn-was

Optimized LDAP filters:


(&(objectClass=user)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (|(memberOf=CN=FN_Users,OU=Groups,DC=domain,DC=local)
    (memberOf=CN=ICN_Users,OU=Groups,DC=domain,DC=local)))
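
The filter above rebuilt from a list of group DNs and applied locally to constructed entries, as an added example (not the author's code): it shows that the `:1.2.840.113556.1.4.803:=2` clause is a bitwise AND on the ACCOUNTDISABLE bit and that `memberOf` matches direct membership only. The helper names, the sample entries and the `Sydney_Staff` nested group are assumptions made for illustration.

```python
# Added example: entries and helper names are constructed for illustration.
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the filter
ACCOUNTDISABLE = 0x2                # userAccountControl flag the filter excludes
GROUPS = [
    "CN=FN_Users,OU=Groups,DC=domain,DC=local",
    "CN=ICN_Users,OU=Groups,DC=domain,DC=local",
]
USER = ["top", "person", "organizationalPerson", "user"]


def escape_value(text):
    """Escape a filter assertion value per RFC 4515 (backslash, *, parens, NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in text)


def build_filter(group_dns):
    """Produce the page's filter (whitespace removed) for any list of group DNs."""
    groups = "".join("(memberOf=%s)" % escape_value(dn) for dn in group_dns)
    return "(&(objectClass=user)(!(userAccountControl:%s:=%d))(|%s))" % (
        BIT_AND, ACCOUNTDISABLE, groups)


def matches(entry, group_dns):
    """Apply the same three clauses to one entry held as a dict."""
    wanted = {dn.lower() for dn in group_dns}  # DN comparison ignores case
    is_user = "user" in entry["objectClass"]
    disabled = entry["userAccountControl"] & ACCOUNTDISABLE != 0
    direct = any(dn.lower() in wanted for dn in entry["memberOf"])
    return is_user and not disabled and direct


ENTRIES = {  # constructed sample directory
    "alice": {"objectClass": USER, "userAccountControl": 512, "memberOf": [GROUPS[0]]},
    "bob": {"objectClass": USER, "userAccountControl": 514, "memberOf": [GROUPS[0]]},  # 512|2, disabled
    "carol": {"objectClass": USER, "userAccountControl": 66048, "memberOf": [GROUPS[1]]},  # 512|65536
    # dave reaches FN_Users only through a nested group, so memberOf lacks it
    "dave": {"objectClass": USER, "userAccountControl": 512,
             "memberOf": ["CN=Sydney_Staff,OU=Groups,DC=domain,DC=local"]},
}


def allowed(entries, group_dns):
    """Names of the entries the filter would return, sorted."""
    return sorted(name for name, e in entries.items() if matches(e, group_dns))


if __name__ == "__main__":
    print(build_filter(GROUPS))
    print(allowed(ENTRIES, GROUPS))
```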

Testing that the LDAPS port is reachable from PowerShell:


Test-NetConnection -ComputerName dc01.domain.local -Port 636

Lessons of a Mexican Engineer in Sydney 🇲🇽🌏

Looking back, I see that work as an invisible masterpiece. Nobody documented the fine-tuned configs I made, but that environment likely kept running 10 years later.

What I learned:

  • FileNet was never for “manual installers” — it was for engineers who understood the guts of the system.
  • Many of the fixes we discover at 3 a.m. never make it into IBM’s official manuals, yet they keep mission-critical systems alive.
  • And yes: Mexicans can leave a mark anywhere — even in Darling Harbour.



#FileNet #IBMFileNet #ContentNavigator #DaejaViewer #WebSphere #DB2 #ECM #EnterpriseContentManagement #LDAP #ActiveDirectory #Kerberos #JavaEE #WAS #IBMCloudPak #SystemIntegration


Sydney will always remain more than just a project site for me. While others enjoyed Darling Harbour’s sunsets and the lights of the Opera House, I was deep in WebSphere logs, LDAP filters, and NullPointerExceptions. Yet, in between sleepless nights and 100+ virtual machines rebuilt from scratch, I felt the same energy of the city itself — resilient, alive, and relentless.

Ten years later, I look back and realize that my work was not only lines of code or system configs, but a piece of me left in that harbor, quietly running inside servers that still power critical processes. Sydney gave me sleepless nights, but also the memory that Mexican engineers can leave a mark anywhere in the world.



Thursday, May 14, 2015

How to setup an LDAP server on windows server 2012

https://social.technet.microsoft.com/Forums/en-US/c2dc9abc-dfb6-48cf-87c2-421c9ceb3821/how-to-setup-an-ldap-server-on-windows-server-2012

https://technet.microsoft.com/en-us/library/cc770639(v=WS.10).aspx
  • Hello,
    We currently have an LDAP server on a linux box and are looking to migrate or re-configure an LDAP server to a windows server (preferably 2012).
    Can someone point me in the right direction or offer any suggestions on the best way to configure an LDAP server on a windows server 2012 Active Directory server?
    I've been looking around and I've only been able to find third party software alternatives. I would prefer to use something that windows already has built-in if possible. Otherwise, which is the best LDAP software I should use?
    Thanks!
    Friday, June 07, 2013 11:38 AM

AD LDS Getting Started Step-by-Step Guide

Updated: September 7, 2007
Applies To: Windows Server 2008
Active Directory® Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is a Lightweight Directory Access Protocol (LDAP) directory service that provides data storage and retrieval support for directory-enabled applications, without the dependencies that are required for the Active Directory Domain Services (AD DS). You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance.
For additional information about AD LDS, see Active Directory Lightweight Directory Services Overview (http://go.microsoft.com/fwlink/?LinkId=96084).
For more information about configuring ADAM, see Step-by-Step Guide to Deploying ADAM (http://go.microsoft.com/fwlink/?LinkId=96083).
Note
If you install security update 951746 on your Windows Server 2008 R2–based and Windows Server 2008–based computers, the Domain Name System (DNS) server’s method of port allocation changes, and this change might prevent AD LDS from obtaining the port that it requires to function correctly. For more information, see article 959215 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=157712).

About this guide

This guide describes the processes for setting up AD LDS and getting it running. You can use the procedures in this guide to install AD LDS on servers that are running the Windows Server® 2008 operating system in a small test lab environment.
As you complete the steps in this guide, you will be able to:
  • Install the AD LDS server role and practice working with AD LDS instances.
  • Practice using AD LDS administration tools.
  • Practice creating and managing organizational units (OUs), groups, and users in AD LDS.
  • Practice creating and deleting AD LDS application directory partitions.
  • View, grant, and deny AD LDS user permissions.
  • Practice binding to an AD LDS instance in several ways.
  • Practice managing AD LDS configuration sets.
Note
To maximize your chances of successfully completing the objectives of this guide, it is important that you follow the steps in this guide in the order in which they are presented.

Requirements

Before you start using the procedures in this guide, do the following regarding your system requirements:
  • Have available at least one test computer on which you can install AD LDS. For the purposes of following the exercises in this guide, install AD LDS on computers running Windows Server 2008.
  • Log on to Windows Server 2008 with an administrator account.
  • For the purposes of this guide, you can install replica AD LDS instances on your first test computer or you can install them on a second computer, if you have a second computer available.
