hp records manager · hp records manager software version: 8.0 sharepoint 2013 integration...

HP Records Manager

Software Version: 8.0

SharePoint 2013 Integration

Installation Guide

Document Release Date: September 2013

Software Release Date: 8.0: September 2013

2

Legal Notices

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notices

© Copyright 2008-2013 Hewlett-Packard Development Company, L.P.

Trademark Notices

Microsoft®, Windows®, Windows® XP and Windows Vista® are U.S. registered trademarks of Microsoft Corporation.

Documentation Updates

The title page of this document contains the following identifying information:

Software Version number, which indicates the software version.

Document Release Date, which changes each time the document is updated.

Document Version, which changes each time the document is released.

Software Release Date, which indicates the release date of this version of the software.

To check for recent updates or to verify that you are using the most recent edition of this document, go to: http://support.openview.hp.com/selfsolve/document/KM00463094/binary/HPRM8.0SharePoint2013IntegrationInstall.pdf

This site requires that you register for a HP Passport and sign-in. To register for a HP Passport ID, either:

Go to: http://h20229.www2.hp.com/passport-registration.html, or

Click the New users - please register link on the HP Passport login page.

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Support

Visit the HP Software Support web site at: http://www.hp.com/go/hpsoftwaresupport.

This web site provides contact information and details about the products, services, and support that HP Software offers.

HP Software online support provides customer self-solve capabilities. It provides a fast and efficient way to access interactive technical support tools needed to manage your business. As a valued support customer, you can benefit by using the support web site to:

Search for knowledge documents of interest

Submit and track support cases and enhancement requests

Download software patches

http://support.openview.hp.com/selfsolve/document/KM00463094/binary/HPRM8.0SharePoint2013IntegrationInstall.pdf

http://support.openview.hp.com/selfsolve/document/KM00463094/binary/HPRM8.0SharePoint2013IntegrationInstall.pdf

http://h20229.www2.hp.com/passport-registration.html

http://www.hp.com/go/hpsoftwaresupport

3

Manage support contracts

Look up HP support contacts

Review information about available services

Enter into discussions with other software customers

Research and register for software training

Most of the support areas require that you register as an HP Passport user and sign in. Many also require a support contract. To register for an HP Passport ID, go to http://h20229.www2.hp.com/passport-registration.html.

To find more information about access levels go to http://h20230.www2.hp.com/new_access_levels.jsp.

http://h20229.www2.hp.com/passport-registration.html

http://h20230.www2.hp.com/new_access_levels.jsp

4

Table of Contents

Legal Notices .................................................................................................................................. 2

1 Introduction ............................................................................................................................ 6

1.1 HP Records Manager Integration for SharePoint .................................................................................... 6

1.2 Installation Guide ..................................................................................................................................... 6

1.2.1 Scope ............................................................................................................................................................................... 6

1.2.2 Target Audience .............................................................................................................................................................. 6

1.2.3 Versioning ........................................................................................................................................................................ 6

2 Preparing for Installation ...................................................................................................... 8

2.1 Introduction ............................................................................................................................................. 8

2.2 System Prerequisites ............................................................................................................................... 8

2.2.1 Server Prerequisites ........................................................................................................................................................ 8

2.2.2 SharePoint Configuration Prerequisites ....................................................................................................................... 10

2.2.3 HP Records Manager Configuration Prerequisites ........................................................................................................ 12

2.2.4 Establishing a “Remote” HP Records Manager Workgroup Server .............................................................................. 16

2.3 Additional System Considerations ........................................................................................................ 21

2.3.1 Client Support ................................................................................................................................................................ 21

2.3.2 Code Access Security Considerations ............................................................................................................................ 22

2.4 Account Prerequisites and Considerations ........................................................................................... 22

2.4.1 User Account Definitions ............................................................................................................................................... 22

2.4.2 Privileged Account Definitions ...................................................................................................................................... 25

2.4.3 Service Account Definitions ........................................................................................................................................... 27

2.4.4 Additional Account Configuration Considerations ........................................................................................................ 31

2.4.5 Summary of Accounts and required Permissions (CHECKLIST) .................................................................................... 32

3 Installing and Enabling the HP Records Manager Integration for SharePoint ................... 33

3.1 Introduction ........................................................................................................................................... 33

3.2 Important Considerations ...................................................................................................................... 33

3.2.1 Using a previous HP Records Manager version ............................................................................................................. 33

3.2.2 Prerequisites Met .......................................................................................................................................................... 33

3.2.3 HP Records Manager and SharePoint Unavailability .................................................................................................... 33

3.3 Installation Procedure ........................................................................................................................... 33

3.3.1 Installing the HP Records Manager Integration for SharePoint ................................................................................... 33

5

3.3.2 Installing the HP Records Manager Remote Workgroup Integration on each HP Records Manager Workgroup Server (Local or Remote) ......................................................................................................................................................................... 35

3.3.3 Deploying the Integration Solution ............................................................................................................................... 35

3.3.4 Deployment where the application server is not a web front end ............................................................................... 39

3.4 Enabling the Integration ........................................................................................................................ 39

3.4.1 Activating the HP SharePoint Integration Administration feature ............................................................................... 40

3.4.2 Configuring the Web Application Integration Settings ................................................................................................. 41

4 Additional Installation Considerations ................................................................................ 48

4.1 Accommodating Alternate Windows Authentication Methods ............................................................. 48

4.1.1 HP Records Manager Event Processing......................................................................................................................... 48

4.2 Secure Sockets Layer (SSL) Web Application Support .......................................................................... 48

4.2.1 Required SSL Configuration Considerations ................................................................................................................. 49

4.2.2 Modify the event processing configuration .................................................................................................................. 49

5 Upgrading the HP Records Manager Integration for SharePoint ....................................... 50

5.1 Introduction ........................................................................................................................................... 50

5.2 Important Upgrade Considerations ....................................................................................................... 50

5.2.1 Supported Upgrade Path ............................................................................................................................................... 50

6 Troubleshooting................................................................................................................... 51

6.1 Troubleshooting Tools ........................................................................................................................... 51

6.1.1 Additional Information .................................................................................................................................................. 51

6.1.2 Integration Event Logging ............................................................................................................................................. 52

6.1.3 Known Issues ................................................................................................................................................................. 53

I. Quick reference “how to” guide ........................................................................................... 56

Farm Server Permissions ............................................................................................................................................................. 56

Database permissions .................................................................................................................................................................. 59

HP Records Manager permissions ................................................................................................................................................ 61

SharePoint 2013 permissions ...................................................................................................................................................... 63

II. What is an AAM? ................................................................................................................... 68

III. Code Access Security Considerations .................................................................................. 69

6

1 Introduction

1.1 HP Records Manager Integration for SharePoint HP Records Manager Integration for SharePoint allows your organization to manage SharePoint content using HP Records Manager.

Users can continue to use all SharePoint functionality on managed content in SharePoint. Your organization can also expose HP Records Manager records as items in SharePoint, allowing users to leverage the functionality of SharePoint.

Users can continue to use standard SharePoint search, and can use an additional search capability which allows them to search records in HP Records Manager that your organization does not want to expose through SharePoint.

With the integration, you can use a manual or automated process to manage SharePoint list and library based content.

The integration is highly configurable as HP Records Manager and SharePoint themselves are highly configurable.

1.2 Installation Guide

1.2.1 Scope

This document details the installation, enablement, and upgrade procedures for all versions in the 8.0.x stream of HP Records Manager Integration for SharePoint releases. For guidance on the administrative features and functions of the integration software, please refer to the HP Records Manager Integration for SharePoint Configuration Guide:

http://support.openview.hp.com/selfsolve/document/KM1463068/binary/TRIM7.30IntegrationConfiguration.pdf

Consult the appropriate HP or Microsoft documentation for detail on HP Records Manager or Microsoft SharePoint Server 2013.

1.2.2 Target Audience

This document is for IT professionals responsible for installing, enabling, and upgrading the HP Records Manager Integration for SharePoint. You should be knowledgeable about:

HP Records Manager administration

Microsoft SharePoint Server 2013 farm administration

To perform the installation or upgrade of the integration software, you do not need to be knowledgeable about records or information management principles or about working with HP Records Manager or SharePoint user content.

The person configuring the integration will need to understand your organization’s information management requirements.

1.2.3 Versioning

This document is subject to update. To ensure you have the latest version, please check this link in the Software Support Online database:

http://support.openview.hp.com/selfsolve/document/KM1463067/binary/TRIM7.30IntegrationInstall.pdf


http://support.openview.hp.com/selfsolve/document/KM1463067/binary/TRIM7.30IntegrationInstall.pdf

7

Access will require a registered username and password. If you do not have this access, navigate to the URL above and select “New users – please register.”

8

2 Preparing for Installation

2.1 Introduction Prior to installing the HP Records Manager Integration for SharePoint software, you must perform the prerequisite steps and configuration considerations detailed in this chapter.

IMPORTANT: Retrospectively applying prerequisites may not resolve issues that you may encounter.

2.2 System Prerequisites

2.2.1 Server Prerequisites

SharePoint farm servers must meet the following prerequisites in order to support the HP Records Manager Integration for SharePoint.

Operating System

All farm servers must run Windows Server 2012 (64-bit).

SharePoint Installation

Version

The HP Records Manager Integration for SharePoint 2013 is only supported with Microsoft SharePoint 2013, installed in accordance with Microsoft guidelines.

Licensing

The integration is supported for both the “Standard” and “Enterprise” SharePoint Server 2013 Client Access License (CAL) models.

SharePoint Database

The SharePoint database must be run on SQL Server 2012.

There is no product support for SQL Server Express.

.Net framework

The following versions of the .Net framework are required

3.5 4.5

HP Records Manager Installation

For Version 8.0.0 of the HP Records Manager Integration for SharePoint

If installing version 8.0 of the HP Records Manager Integration for SharePoint, the same version of HP Records Manager must be installed in accordance with the directions in the HP Records Manager install document and the specifications and requirements detailed in the HP Records Manager specifications document. It is not necessary to install the same build however if using a different build, consult the section Using a previous HP Records Manager version

9

HP Records Manager Installation Requirements for Local vs Remote Workgroup Server configurations

Independent of which version of HP Records Manager is to be used (subject to the above), HP Records Manager must be installed on all application servers (AS) and web front end (WFE) servers in the farm:

If using a Local HP Records Manager workgroup server configuration:

Install and configure every SharePoint AS and WFE server as an HP Records Manager workgroup server.

If using a Remote workgroup server configuration:

Install the HP Records Manager Client on every SharePoint AS and WFE server.

The Remote server(s) must be installed as HP Records Manager workgroup server(s).

User Account Control

To enable the operating accounts of the HP Records Manager Integration for SharePoint to perform necessary automated actions without interference, User Account Control (UAC) must be set to Never notify on all application, web front end and HP Records Manager Workgroup servers in the environment.

Scratch Directory

The integration requires a dedicated directory for use as a temporary location for extracting documents and assembling zip files during the storage of managed attachments. This location, known as the Scratch Directory, must be created on each WFE server in the farm so it can later be designated during configuration of the HP Records Manager Web Application Integration Settings page.

Being a temporary location, the content of the scratch directory is purged at regular intervals and will not consume excessive disk space. The space required at any point should be based on the maximum document size that is likely to be managed multiplied by the maximum number of times this is likely to occur simultaneously.

For example, if in your organization you expect the maximum document size to be 500 MB and no more than ten simultaneous management actions at any time, then you would require a minimum of 5 GB of space to be available at any time in the scratch directory.

It is recommended that you provide double the amount calculated here as a safeguard.

HP Records Manager Web Server Work Path

HP Records Manager requires a dedicated location on each SharePoint WFE server to maintain a number of temporary files.

Known as the Web Server Work Path, this location can be set to any desired directory during configuration of the HP Records Manager Web Application Integration Settings page, with the default path being:

C:\HP Records Manager\WebServerWorkPath

The desired location must exist on each SharePoint web front end server in the farm in order for the integration to function correctly. The directory itself must therefore be created on each SharePoint WFE server individually so you can later designate it on the web application integration settings page.

The space requirements for this path vary based on your implementation of HP Records Manager. It is recommended that at least 1 GB be available to accommodate these temporary files.

The SharePoint Hive directory

For most SharePoint implementations, the SharePoint 2013 hive directory is located at:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15

As this path is referenced at various points throughout this document, it will be denoted as [hive].

10

2.2.2 SharePoint Configuration Prerequisites

Web Application Configurations

This document considers the “standard” web application configuration to be

Claims authenticated,

NTLM,

Disallowing anonymous access, and

HTTP (i.e. NOT using secure sockets layer).

However, the HP Records Manager Integration for SharePoint is supported for web applications of various configurations. These alternate configurations are discussed below:

Claims Based Authentication

The HP Records Manager Integration for SharePoint is supported for use with Claims Based Authenticated web applications.

Kerberos

Web applications using a Kerberos security authentication configuration are supported for use with the SharePoint Integration, assuming the farm has already been correctly configured for this purpose.

Allow Anonymous Access

When a web application has anonymous access enabled, during the first deployment of the solution, errors may occur including:

Server was unable to process request. ---> Failed to set the HP Records Manager

path to the environment variable, PATH ---> Requested registry access is not

allowed.

Additionally, if you then try to manually activate the SharePoint Integration Administration web application feature (as this is where the error above is occurring), you may get an error saying that it could not access the HPConfig.pdot file.

To prevent these errors from occurring, configure AAMs that allow accessing the web application via machine name and port. You must have AAMs for each WFE in the farm. For further information on this, see the Alternate

Access Mapping (AAM) requirements.

When anonymous access is enabled, the zone to which the machine name based URLs are added must allow anonymous access. It is only this zone that you need to enable anonymous access for to resolve this error.

Secure Sockets Layer (SSL)

The most likely scenario for using SSL would be across a reverse proxy such as Microsoft Forefront Server. In such a configuration, it isn’t necessary to configure the web application itself to use SSL. However, if the farm is configured to use SSL, the integration is still supported with some additional, post-deployment configuration steps detailed later in this document at section 4.2.

Alternate Access Mapping (AAM) requirements

If you are unfamiliar with Alternate Access Mapping (AAM), a quick introduction is available at appendix II of this document.

Machine specific URLs

Regardless of any existing AAM configurations, it is essential that all site collections using this product can be accessed via the machine specific URL of each WFE server in the farm. This is because that the integration uses a number of web services, and these must be accessible using a machine specific URL.

For example, consider the scenario whereby the farm includes two web front end servers, those machines being named:

11

WFE1

WFE2

These servers have a web application hosted on port 200 with a single site collection at the root path. End users are accessing this site collection via the following URL:

http://sharepoint

This being the case, the existing AAM configuration must therefore already include an AAM for this URL. However, in order to use the HP Records Manager Integration for SharePoint with this site collection, the following two AAMs must also be added (if not already present):

http://WFE1:200

http://WFE2:200

It is not important to what zone these AAMs are added; however, be sure not to enable machine specific browsing in an undesirable zone.

Support for localhost URL

SharePoint Integration is supported for use in SharePoint farms that employ a reverse proxy. However in such scenarios, further consideration must be given to the AAM architecture if intending to use the HP Records Manager Search capabilities of the product.

The search features of the integration use a federated search location. This location is configured by default to use “localhost” in place of the machine name or host header. Without an AAM entry for localhost, this federated location will not be accessible and the HP Records Manager Search web parts will fail.

You can browse to the RSS feed that is used to provide search results at:

[site collection root URL]/_layouts/DataStoreSearchProvider.aspx

Consider the scenario where the internal URL for the SharePoint web application hosting the RSS feed is:

http://sharepoint

The federated location will be configured to point to the URL:

http://localhost/_layouts/DataStoreSearchProvider.aspx

The following AAM is required to ensure that you can use this location:

Internal URL Zone Public URL for zone

http://localhost Intranet http://sharepoint

An alternative to adding this AAM is to modify the URL of the federated location to:

http://sharepoint/_layouts/DataStoreSearchProvider.aspx

If we consider the following reverse proxy scenario:

Client SharePointReverse Proxy

http://ourintranet http://sharepoint

In order for the RSS to be accessible externally, the AAM required would be:


12

http://localhost Intranet http://ourintranet

Outgoing E-mail Settings

If intending to use email functionality associated with the SharePoint Integration’s Lifetime Management Policies, ensure that outgoing e-mail settings are correctly configured for the SharePoint farm.

Facilitating Timer Job Execution

During the activation of the Records Management or Site Management feature, a timer job called HP Integration Currency Checker is created. This timer job performs a range of maintenance tasks via a scheduled web service call. It executes by default at 2:00 a.m. daily.

Since the default SharePoint web service call timeout period of two minutes is insufficient to support successful execution of the HP Integration Currency Checker timer job, you must extend this timeout period.

To extend the timeout period of the web service call, on each WFE server in the farm:

1 Open the following web.config file for editing:

[hive]\ISAPI\web.config

2 Insert the text <httpRuntime ExecutionTimeout="x"/> as below (where x is equal to the time in seconds that the Timer Job will require to execute).

<system.web>

<webServices>

<protocols>

<remove name="HttpGet" />

<remove name="HttpPost" />

<remove name="HttpPostLocalhost" />

<add name="Documentation" />

</protocols>

</webServices>

<httpRuntime executionTimeout="x" />

<customErrors mode="On"/>

</system.web>

We recommend that the web service call period is no less than 4 hours (14,400 seconds).

2.2.3 HP Records Manager Configuration Prerequisites

To prepare HP Records Manager datasets and workgroup servers for the integration, you must configure, save, and deploy the following settings in the HP Records Manager Enterprise Studio. The steps assume that the HP Records Manager installation is licensed for one or both of the SharePoint Integration modules.

Allocating an HP Records Manager Workgroup server to the SharePoint Farm

After installing HP Records Manager Workgroup servers either

locally (i.e. directly on each AS and WFE server in the SharePoint farm),

remotely (i.e. on a separate server), or

any combination thereof,

you must allocate each workgroup server that is assigned for use by a specific SharePoint AS and/or WFE server in the farm to that farm to perform its role.

To allocate a HP Records Manager Workgroup server to a specific farm:

13

1 Logged into the HP Records Manager Enterprise Studio as an administrator, expand the Workgroup Servers menu to locate the appropriate workgroup server. Right-click on the workgroup server, and from the menu options, select Properties.

2 On the General tab of the Properties dialog, select the applicable farm for this workgroup server from the SharePoint server farm drop-down list. Click OK to confirm the selection and close the Properties dialog.

The farms available for selection in this list are titled generically and accommodate configuration across up to 100 SharePoint farms. It is not important which farm number you select from this list; however, for all HP Records Manager Workgroup servers that are to be used by a specific farm, the selected farm number must be the same.

3 Save and Deploy the amended settings in the HP Records Manager Enterprise Studio.

Configuring the HP Records Manager database to support Unicode

To support the capture of SharePoint content with HP Records Manager, you must configure the HP Records Manager database to support Unicode characters.

Unicode support is NOT enabled by default, so you need to confirm for each HP Records Manager database that is to manage SharePoint content, whether its schema is configured to provide this support. If it is not (or if you are unsure), you will need to repair the database schema to correct it.

To review and if need be repair the HP Records Manager database schema:

14

1 Logged into the HP Records Manager Enterprise Studio as a system administrator, expand the Datasets menu to locate the appropriate dataset. Right-click on the dataset, and from the menu options, select Schema > Repair.

2 In the Schema Repair dialog, locate the option String columns should support Unicode characters.

3 If the option is already checked (and hence is “greyed out”), this means that the database has already been configured to support Unicode and there is no need to progress any further with these steps. If the option is not checked though, a schema repair is required.

As schema repair of the HP Records Manager database is a significant action, we strongly advise that the following steps be performed during a period of scheduled environment downtime.

4 Tick the String columns should support Unicode characters box and select Run to initiate the schema repair, confirming the action on the subsequent prompts to proceed.

5 The Dataset Work in Progress dialog is displayed, allowing you to configure how the repair process is to progress. Select the Pause after options you desire, then click Start.

The repair process can take some time to complete. Depending on the settings you have made on the “Dataset Work in Progress” dialog, it may pause in between steps for you to review progress prior to manually resuming the process.

15

Configuring “SharePoint Integration” Event Processing on the Dataset

During general management and administration of SharePoint content with a HP Records Manager dataset, events will be raised to maintain both currency and synchronicity of content across sources. HP Records Manager will act as the data authority. The HP Records Manager Workgroup server(s) that have been allocated to the farm (and configured to process events) must therefore be enabled to queue and process these events as they are generated for the specific dataset.

To configure SharePoint Integration event processing on a specific dataset:

1 Logged into the HP Records Manager Enterprise Studio as a system administrator, expand the Datasets menu to locate the appropriate dataset. Right-click on the dataset, and from the menu options, select Event Processing > Configure.

2 On the Configure Processes tab of the resultant dialog, locate the SharePoint Integration event processor type, and set the Configuration status to Enabled. Click OK to confirm and close the dialog.

The Run on Workgroup option is intentionally unavailable for selection because issuance of events of this type is automatically load balanced across all HP Records Manager Workgroup servers that are allocated to the farm and configured to process events.

3 Save and Deploy the amended settings in the HP Records Manager Enterprise Studio.

Preparing to use HP Records Manager Search Web Parts

The SharePoint Integration includes a suite of HP Records Manager Search web parts, provisioned for a site collection by the activation of the HP Records Manager Search site collection feature.

16

For more information on the HP Records Manager Search feature, refer to the SharePoint Integration Configuration Guide.

If you intend to use these web parts in any SharePoint site collection, then consider the following:

Word Indexing

The HP Records Manager Search Results web part provides Title based search of HP Records Manager records. To use this web part it is therefore necessary to enable Word Indexing on each applicable HP Records Manager dataset.

For steps to enable Word Indexing on a HP Records Manager dataset, refer to the HP Records Manager Help File.

Document Content Indexing

If you intend to extend the HP Records Manager Search Results web part to also return results based on document content of records in HP Records Manager, it is necessary to ensure Document Content Indexing is configured for each applicable dataset in HP Records Manager.

For steps to configure document content indexing for an HP Records Manager dataset, refer to the HP Records Manager Help File.

2.2.4 Establishing a “Remote” HP Records Manager Workgroup Server

The HP Records Manager Integration for SharePoint includes the ability to locate the HP Records Manager workgroup server on a machine other than a SharePoint web front end. Known as a remote workgroup server, this overcomes the potential constraint of early versions of the integration (pre-7.2.0), whereby each and every web front end server in the SharePoint farm was required to also be configured as a HP Records Manager Workgroup server (i.e. a local workgroup server).

Since version 7.2.1 of the SharePoint Integration, the remote workgroup server components are also required to support processing of integration specific events, through the HP Records Manager event processor. Therefore, each and every HP Records Manager workgroup server, regardless of whether local or remote MUST have these components installed.

The “remote” workgroup server concept provides the flexibility when architecting an environment to either:

Use existing HP Records Manager Workgroup servers with the integration without having to also establish them as SharePoint web front ends, or

Create new dedicated HP Records Manager Workgroup servers for use by the integration, without extending the roles (and resources) of existing web front end servers in the SharePoint farm.

Planning the use of Workgroup Servers

With the introduction of the remote workgroup server capability, remote and local workgroup servers may be used either exclusively or in combination to establish the most practical environment configuration for your installation.

Although not strictly a prerequisite task, it is therefore wise to consider your workgroup server topology while planning your installation. The following are some of the primary options that are available.

The first option involves using a local workgroup server on each server in the farm. In this scenario, each server must be configured to run as an HP Records Manager workgroup server.


17

The second option is to utilize a single remote workgroup server for all servers in the farm.

The third option involves utilizing a separate workgroup server for each SharePoint server in the farm.

18

The fourth common option is to utilize load balancing to distribute the load across multiple workgroup servers.

Although illustrated as a separate machine in the following diagram, this is not designed to indicate that the load balancer must be a dedicated machine.

Combinations of these options can of course be utilized. These options are illustrated only as the most common scenarios.

Regardless of which workgroup server combination is used, if employing remote workgroup servers in your implementation it is essential that the HP Records Manager Client is still installed on any SharePoint server that is NOT also an HP Records Manager Workgroup server.

Installing and Configuring a Remote Workgroup Server

In order to enable a HP Records Manager Workgroup server to be used in a “remote” capacity, and to support event processing specific to the SharePoint Integration, there are some components of the SharePoint Integration that need to be installed on the machine. These components allow the workgroup server to communicate with SharePoint upon the event of HP Records Manager records being modified.

19

To perform this installation:

1 Logged on to the HP Records Manager Workgroup server (that is NOT also a SharePoint web front end) as a system administrator, launch the HP Records Manager 8.0 CD-ROM, or manually open the contents.html file.

2 Navigate to 64 bit installs, and then select Install HP Records Manager SharePoint Remote Workgroup Integration.

3 The HP Records Manager SharePoint Remote Workgroup x64 Installation Wizard is launched.

20

4 Read the disclaimer and select Next.

5 Review the End User License Agreement, and if you accept it, toggle the radio button to indicate as such, and then click Next.

6 Note the Destination Folder for installed files and click Next.

7 In the SharePoint URL field, enter the URL of any SharePoint web application to which the integration will be deployed (or in the case of an existing integration, already has been deployed). Regardless of which web application is selected, the remote workgroup server will then be provisioned.

If there is no site collection at the root address of the web application, you must instead specify the full URL of a site collection within the nominated web application.

It is not essential to specify this URL during the actual installation of the remote workgroup server, however if a valid URL is not specified at this time, you will have to configure this directly in the TRIMEvent.exe.config file prior to being able to use the remote workgroup server to process SharePoint Integration events. Refer to the following section for this procedure.

Note that the SharePoint URL should NOT include a trailing “/”, as this will cause an incorrect entry in the TRIMEvent.exe.config file:

Valid URL – http://sharepoint/sites/sitecollection

Invalid URL – http://sharepoint/sites/sitecollection/

8 Click Next to begin the installation.

9 The Remote HP Records Manager Workgroup server has now been successfully installed. Click Finish to close the Wizard.

The HP Records Manager SharePoint Remote Workgroup installation package must be run on all workgroup servers that will be accessed remotely by SharePoint.

Configuring the SharePoint URL in the TRIMEvent.exe.config File

If you opted not to specify a SharePoint URL during installation of the remote workgroup server, or if the URL that was initially specified is no longer valid, the URL can be amended by editing the TRIMEvent.exe.config file on the server.

This configuration file can be found on the remote workgroup server machine in the HP Records Manager install directory, which by default is:

[Program Files]\Hewlett-Packard\HP Records Manager

http://sharepoint/sites/sitecollection

http://sharepoint/sites/sitecollection

21

To modify or set the value of the SharePoint URL, open this file. The contents of this file will be similar to the following: <?xml version="1.0" encoding="utf-8" ?>

<configuration>

<system.serviceModel>

<bindings>

<basicHttpBinding>

<binding name="HPTrimServiceSoap" closeTimeout="00:01:00" openTimeout="00:01:00"

receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"

bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"

maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"

messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"

useDefaultWebProxy="true">

<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"

maxBytesPerRead="4096" maxNameTableCharCount="16384" />

<security mode="TransportCredentialOnly">

<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm"

realm="" />

</security>

</binding>

</basicHttpBinding>

</bindings>

<client>

<endpoint address="http://sharepoint/_layouts/HPTrimService.asmx"

binding="basicHttpBinding" bindingConfiguration="HPTrimServiceSoap"

contract="HP.HPTRIM.Integration.SharePoint.HPTrimServiceSoap"

name="HPTrimServiceSoap" />

</client>

</system.serviceModel>

</configuration>

The highlighted line above is the line that must be modified. The address to enter will be the full URL of the site collection to be used, with “/_layouts/HPTrimService.asmx” appended to the end.

Once you have set this value, save the file and restart the HP Records Manager workgroup service to apply.

2.3 Additional System Considerations

2.3.1 Client Support

The following client operating systems and applications are supported for use with the HP Records Manager Integration for SharePoint:

Operating Systems

The HP Records Manager for SharePoint Integration supports the following client operating systems:

Windows 7 32-bit

Windows 7 64-bit

Windows 8 32-bit

Windows 8 64-bit

Web Browsers

The HP Records Manager for SharePoint Integration supports the following web browsers:

Internet Explorer 9

Internet Explorer 10

22

Whilst other SharePoint supported web browser applications not listed here should also operate effectively with the HP Records Manager integration, due to testing limitations these are not supported.

Microsoft Office Applications

The HP Records Manager Integration for SharePoint supports the following Microsoft Office applications:

Microsoft Office 2010 suite (Up to and including SP1)

Microsoft Office 2013 suite

HP Records Manager Client Access

To utilize HP Records Manager integration with SharePoint, there is no requirement for HP Records Manager to be installed on end user machines.

The only users in your organization that will require access to a HP Records Manager client are those that will be responsible for configuring and maintaining HP Records Manager itself.

2.3.2 Code Access Security Considerations

Use of the Global Assembly Cache (GAC)

During HP Records Manager Integration for SharePoint Solution Deployment via the Farm Solutions Gallery, you will encounter warning messages regarding the requirement of the integration solution to place assemblies in the Global Assembly Cache (GAC), and to modify the effective trust policy. For detailed information on these two requirements, refer to appendix III of this document.

In order to deploy the integration, both of these tasks must be undertaken. If you are unwilling to accept these requirements then you will not be able to deploy the SharePoint Integration.

2.4 Account Prerequisites and Considerations The SharePoint Integration uses a number of accounts throughout installation, configuration, and ongoing administration. The various types of accounts used can be categorized as:

User accounts. Accounts to be physically logged on to and run by a user during the course of installation, upgrade and configuration of the HP Records Manager Integration for SharePoint.

Privileged accounts. Accounts that have been granted elevated permission levels in both HP Records Manager and SharePoint so as to perform certain controlled functions on behalf of users of the integration as required.

Service accounts. Existing service accounts of either HP Records Manager or SharePoint that are leveraged by the integration.

To perform the necessary functions, these accounts require specific permissions. This section explains the prerequisite accounts of the HP Records Manager Integration for SharePoint in terms of initial installation and enablement.

While it isn’t essential to use a dedicated account for each individual role detailed in this section, its intended that this account structure will facilitate “least privilege” security configurations.

2.4.1 User Account Definitions

In addition to end users of the integration, there are two specific user accounts that must be considered in the installation and configuration of the HP Records Manager Integration for SharePoint. In this document, these accounts are referred to as the Installing User and the Configuring User.

23

Installing User

The Installing User is defined as the account that is used to install the HP Records Manager Integration for SharePoint, deploy the integration solution to applicable web applications, and activate the HP SharePoint Integration Administration feature for those web applications. The Installing User must have the following permissions:

Local Administrator

The account requires membership of the local “Administrators” group of each server in the SharePoint farm:

Required to run the MSI (although this can be achieved with “run as administrator”)

Required access to deploy the solution (although Microsoft indicates that the user only needs to be a farm administrator, in practice this has not been found to be sufficient)

For steps to configure this permission, refer to Adding an account as a local administrator.

SharePoint Farm Administrator

The Installing User must be a SharePoint farm administrator for each SharePoint farm for which the integration is to be installed. This permission enables the account to perform such administrative actions as:

Adding the hprecordsmanager.15.wsp solution file to the farm solutions gallery as part of the installation process

Initiating deployment of the solution to selected web applications

Activating the HP SharePoint Integration Administration feature on selected web applications

Configuring the HP Records Manager Web Application Integration Settings (WAIS)

Assuming that SharePoint has been installed in accordance with best practice guidelines, the BUILTIN\Administrators group of the application server will be included in the SharePoint farm administrators group. Since the Installing User account must also be a local administrator on each SharePoint farm server, it should therefore already be a SharePoint farm administrator.

For steps to configure this permission, refer to Adding an account as a SharePoint Farm Administrator.

Member of the db_owner role of the SharePoint Configuration Database

In some scenarios we have found that db_owner permission is required in the SharePoint configuration database in order to add the solution to the solution store. We recommend that the installing user is granted these permissions.

Full Control access to all applicable Site Collections

This permission enables the account to perform the administrative function of Configuring the Web Application

Integration Settings; upon save, those settings are propagated to the child site collections of the web application.

In addition, if upgrading the integration, as part of manual reactivation of the HP SharePoint Integration Administration feature, certain site collection features must also be automatically reactivated. The Installing User, as the account performing the upgrade, is used to run this site collection level task.

To address these requirements the Installing User must either be:

A Site Collection Administrator of each site collection within a web application to which the integration solution has been deployed, or

Given “Full Control” access under the user policy for each web application where the integration solution has been deployed.

The recommended approach is to apply permissions at the web application user policy level. Defining it at this level means the account does not need to be added to every site collection. For web applications hosting hundreds or thousands of site collections, this approach significantly reduces the administrative overhead.

For steps to configure the Site Collection Administrator permission, refer to Adding an account as a SharePoint Site

Collection Administrator.

24

For steps to configure the web application user policy, refer to Adding an account to the user policy for a web application.

Inquiry user in HP Records Manager database used

The Installing User is responsible for initially saving the web application integration settings (WAIS). During the save of this page, the specified HP Records Manager database is validated to confirm that it exists and is accessible. This action is performed as the interactive user therefore the user saving these settings must be a valid location in the HP Records Manager database with at least inquiry user permissions.

Configuring User

Once the HP Records Manager Integration for SharePoint solution has been installed, deployed and enabled by the Installing User, the Configuring User is responsible for administering the integration functionality. The key functions of this account include:

Activating the HP Records Manager Integration for SharePoint features located in the site collection features gallery

Configuring the HP Records Manager Integration Settings of the site collection

General administration of the integration within the site collection

In order to perform these key functions, the Configuring User requires the following permissions:


This is necessary to allow the account to administer the HP Records Manager site collection level features and HP Records Manager Site Collection Integration Settings.

To address these requirements the Configuring User must either be



The recommended approach is to apply permissions at the web application user policy level, defining it at this level means the account does not need to be added to every site collection. For web applications hosting hundreds or thousands of site collections, this approach significantly reduces the administrative overhead.

For steps to configure the Site Collection Administrator permission, refer to Adding an account as a SharePoint Site

Collection Administrator.


Information Manager in the HP Records Manager Dataset being used by the web application

While activating features in the integration, information manager permissions are required in HP Records Manager for the database being used by the web application.

For steps to configure this permission, refer to Configuring the profile of a HP Records Manager Location.

All Interactive Users of the Integration

“Full Control” access to the Web Server Work Path

Independent of what level of access a user may have to either SharePoint 2013 or HP Records Manager individually, all users of the integration must have “full control” access to the path specified as the HP Records

Manager Web Server Work Path for the web application on each web front end server in the SharePoint farm.

This is so that any interactive user will have the capacity to add any temporary files (if and as necessary) to the path as part of general interaction between SharePoint 2013 and HP Records Manager via the integration.

Although providing this level of access to a directory on the web front end server may be perceived as a security risk, as long as the directory is NOT “shared,” then users will have no physical means of accessing this path and so will be unable to perform any direct actions, malicious or otherwise, on the server itself.

25

For steps to configure this permission, refer to Providing an account with Full Control access to a specific file path.

2.4.2 Privileged Account Definitions

There are a number of scenarios during the course of standard user interaction with the integration whereby privileged operations need to be carried out in either HP Records Manager or SharePoint in order to complete certain actions. For example, consider the scenario where a user manages the first list item in a list. As part of this operation, the “Management Status” column needs to be added to that list. The user may have permission to manage items but may not have sufficient permission to modify the columns in the list.

Rather than require users to have inappropriate, elevated privileges; an account with these permissions is impersonated to carry out these privileged operations in a controlled manner.

The accounts that perform such privileged operations in HP Records Manager and SharePoint are known as the HP Records Manager Privileged Account and the SharePoint Privileged Account respectively.

SharePoint Privileged Account

The SharePoint privileged account (SPA) requires the following permissions in order to perform privileged actions in SharePoint:


The SPA is used to add the “Management Status” column to a list the first time a list item is managed in that list. Making the SPA a site collection administrator ensures that this account will have permission to all lists in your site collection to perform this action.

In addition, as application configuration data (such as RMOs) is stored in site property bags, the SPA being a site collection administrator ensures that during background processes such as propagation of RMOs that these settings can always be accessed.

To address these requirements the SPA must either be



The recommended approach is to apply permissions at the web application user policy level, defining it at this level means the account does not need to be added to every site collection. For web applications hosting hundreds or thousands of site collections, this approach significantly reduces the administrative overhead.

For steps to configure the Site Collection Administrator permission, refer to Adding an account as a SharePoint Site Collection Administrator.


Full Control access to the Scratch directory

The scratch directory is used as a temporary location for extracting documents and assembling zip files during the storage of managed attachments. The SPA requires permission to:

Write to the scratch directory during extraction

Read from the scratch directory in order to use documents that have been extracted to the directory

Delete temporary documents from the directory once they are no longer required

Giving the SPA “full control” access to this directory facilitates these requirements.


HP Records Manager Privileged Account

The HP Records Manager Privileged Account (TPA) requires the following permissions in order to perform privileged actions in HP Records Manager:

26


During lifetime management, workflow activities impersonate the TPA to carry out management processes. To ensure that the lifetime management processes can access all list items, the TPA must be a site collection administrator.

To address these requirements the TPA must either be:

A Site Collection Administrator of each site collection within a web application to which the integration solution has been deployed or;

Given Full Control access under the user policy for each web application where the integration solution has been deployed.

The recommended approach is to apply permissions at the web application user policy level, defining it at this level means the account does not need to be added to every site collection. For web applications hosting 100s or 1000s of site collections, this approach significantly reduces the administrative overhead.

For steps to configure the Site Collection Administrator permission, refer to Adding an account as a SharePoint Site Collection Administrator.

For steps to configure the web application user policy, refer to Adding an account to the user policy for a web application

Administrator in the HP Records Manager Dataset being used by the web application

The TPA is used to examine the configuration of the HP Records Manager installation. This includes for example returning the collection of fields that are supported or the collection of record types that are available.

Additionally, during the activation of the records management or site management feature, a number of items are created in HP Records Manager:

the “Site Record” record type

the “List Record” record type

the “SharePoint Properties” user defined field

the “SharePoint Audit” user defined field

Also, the first time a record type is used to create a List Item Record, “record type preparation” is conducted, which involves adding the “SharePoint Properties” and “SharePoint Audit” user defined fields to the record type.

Making the TPA an Administrator in the HP Records Manager dataset in use ensures that these tasks can be successfully completed.


<Highest> security in HP Records Manager

When exposing records from HP Records Manager into SharePoint, typically one or more containers are specified to be exposed. A search of these containers is conducted as the TPA. In order to access these containers the TPA location in HP Records Manager needs to have <Highest> security to allow it access in cases where records or containers have security levels and / or caveats applied.


Accept logins in HP Records Manager

Whilst there is no requirement for the account to be physically logged on to by any user, in order to facilitate impersonation the TPA location in HP Records Manager must accept logins.

Although the HP Records Manager Privileged Account is not a user account, this configuration will consume a HP Records Manager license seat.


Trusted account of the HP Records Manager workgroup server

To be entrusted with supplying valid user credentials to the HP Records Manager workgroup service, the TPA must be made a “trusted account” in the HP Records Manager Enterprise Studio.

27

For steps to configure this permission, refer to Adding an account as a trusted user in HP Records Manager.


When moving documents from SharePoint to HP Records Manager, the document is initially extracted to the Scratch directory before being checked in to the List Item Record in HP Records Manager. Once checked in, this temporary file is deleted from the Scratch directory.

As this action is performed as the TPA, this account requires permission to:




Giving the TPA “full control” access to this directory facilitates these requirements.


Full Control access to the Web Server Work Path

In addition to all interactive users of the integration, the HP Records Manager Privileged Account must have “full control” access to the HP Records Manager Web Server Work Path on each web front end server in the farm.


2.4.3 Service Account Definitions

HP Records Manager Workgroup Service Account

When a change is made to a List Item Record, the change is propagated to the respective Managed List Items (MLI) in SharePoint. It is the HP Records Manager event processor that conducts this process (known as MLI maintenance).

The event processor runs as the HP Records Manager Workgroup Service Account.

HP Records Manager prerequisite permissions configured

As the HP Records Manager Workgroup Service Account is required by the HP Records Manager installation independent of any integration with SharePoint; in this capacity alone it already has a number of prerequisite permissions that must be configured. For information on these specific prerequisite permissions, refer to the HP Records Manager documentation.

HP Records Manager Location type of “Person”

The Location of the HP Records Manager Workgroup Service Account must be of type “Person” in order to be able to accept logins.


Accept logins in HP Records Manager

Whilst there is no requirement for the account to be physically logged on to by any user, in order to facilitate retrieval of record details during the MLI maintenance process, the HP Records Manager Workgroup Service Account’s location in HP Records Manager must accept logins.

Although the HP Records Manager Workgroup Service Account is not a user account, this configuration will consume a HP Records Manager license seat.


Valid user in SharePoint

For HP Records Manager Integration for SharePoint events to process successfully, the HP Records Manager Workgroup Service Account requires a minimum of “Read” permissions in each SharePoint site collection within each web application to which the solution has been deployed.

28

However in the event of a breakage in permissions inheritance within a site collection, the account must then be provided with “Read” access to the content that has been isolated from the permissions of the site collection.

As such, the configuration decision must be made to either:

Give the account ‘Full Read’ access under the user policy for each web application where the integration solution has been deployed; OR

Make the account a valid user in the site collection and subsequently add it as a valid user of each site and or list that doesn’t inherit permissions from its parent; OR

Make the account a site collection administrator so as to bypass any breakages in permissions inheritance

The recommended approach is to define read access via web application user policy. Whilst the alternatives are viable options, they will require much more administrative overhead to maintain. Setting read access at the web application means that the account will automatically be given the correct access to all site collections within that web application.


In some scenarios, temporary documents are created in the scratch directory by the workgroup service account. These are deleted as soon as they are no longer used.

As this action is performed as the application pool account, this account requires permission to:




Giving the workgroup service account “full control” access to this directory facilitates these requirements.


Application Pool Account

In terms of this document, the application pool account (APA) is defined as the SharePoint managed account that is designated as the security account of the application pool for a web application to which the integration solution has been deployed. Depending on the number of web applications that the HP Records Manager Integration for SharePoint solution is to be deployed to, it may be the case that there are multiple APAs.

SharePoint prerequisite permissions configured

As the APA is an account native to the SharePoint 2013 installation that the HP Records Manager integration solution is simply leveraging; it’s assumed that, prior to any specific configuration prerequisites of the integration being considered, it has already been:

Registered as a Managed Account in SharePoint 2013 (and hence provisioned accordingly); and

Designated as the security account of the application pool of the applicable web application(s).

“System” Location in HP Records Manager

Any Application Pool Account (at the time of creation/extension of a web application) is subsequently identified as the SharePoint “System Account” (SharePoint\System) by the farm.

In order to facilitate communication with HP Records Manager for some functionality in SharePoint, a generic Location must therefore be created to represent the Application Pool Account in this capacity.

The Location must have the following properties:

Location type of Person;

Accept logons;

Username = System; (do not put a domain prefix, use exactly this format for the name)

User type = Information Worker.

29

Configured in this way, this Location represents all Application Pool Accounts for all web applications using the HP Records Manager Integration for SharePoint. This configuration will consume a HP Records Manager license seat.

For steps to configure these permissions, refer to Configuring the profile of a HP Records Manager Location.

Member of the db_owner role for the SharePoint configuration database

As part of the activation process for the “Records Management” or “Site Management” feature, one or more timer jobs are created. To create a timer job via this method (i.e. feature activation) requires the APA to have “execute” permissions to the dbo.proc_putObject stored procedure in the SharePoint configuration database. Without this permission, the activation of these features via the SharePoint UI will fail.

To ensure the APA has sufficient permissions to execute the abovementioned procedure, it must be made a member of the db_owner role for the SharePoint configuration database (you can remove this permission once the features have been activated).

If you use stsadm to activate these features instead, then the identity of the interactive user will be used to install the timer job. You can use this technique to avoid having to give this permission to the APA at all.

Once feature activation has been completed, you may remove this permission.

For steps to configure this permission, refer to Adding an account to a SQL database role.

Member of the db_owner role for the administration database of each search service application

In order to activate the search feature, a federated location needs to be added to the collection of federated locations of the search service application. This requires that the APA has permission to the relevant database.

The name of the relevant database can be found by administering the search service:

Note that you must give this permission for all search services in your farm. This permission can be removed after you have activated the Search feature.

For steps to configure this permission, refer to Adding an account to a SQL database role.

“Full Control” access to the SharePoint “Config” directory

As part of the activation process for the “Records Management” or “Site Management” feature, one or more timer jobs are created. To create a timer job requires the APA to have “full control” access to the following directory:

[ProgramData]\Microsoft\SharePoint\Config

30

This directory is a hidden directory. You will not see it unless you modify the folder “View” options in windows explorer to “Show hidden files, folders and drives.”



In some scenarios, temporary documents are created in the scratch directory by the application pool account. These are deleted as soon as they are no longer used.

As this action is performed as the application pool account, this account requires permission to:




Giving the application pool account “full control” access to this directory facilitates these requirements.


SharePoint Server Farm Account

The Server Farm Account (SFA) is a prerequisite account of SharePoint 2013 independent of any integration with HP Records Manager. In its core capacity, the SFA fulfils the following roles in SharePoint:

Security account of the application pool for the SharePoint 2013 Central Administration web application;

Process identity of the SharePoint Timer Service

In these roles, this account is also leveraged by the HP Records Manager Integration for SharePoint, and hence requires the following permissions.

SharePoint prerequisite permissions configured

During the installation and configuration of SharePoint 2013 (in accordance with Microsoft best practice guidelines), the SFA is granted a host of prerequisite permissions. It is essential for the HP Records Manager integration, not to mention SharePoint itself, that these permissions are maintained on the account.

Local Administrator

During activation of the HP SharePoint Integration Administration feature (which also occurs automatically as part of the first deployment of the integration solution file), the SharePoint Server Farm Account is used to set the environment variable PATH. In order to perform this task, the account should be made a Local Administrator on all application and web front end servers in the farm.

Once the feature has been successfully activated on applicable web applications, this permission can be removed from the account; however will need to be added again if the integration is to be subsequently extended to another web application.

For steps to configure this permission, refer to Adding an account as a local administrator.

This local administrator requirement is only to allow the environment variable to be read and set. If elevating the privileges of this account is of concern to you, you can circumvent this requirement by granting read and write access to the section of the registry on each machine where environment variables are stored.

Valid user in SharePoint

The SFA needs to have read permissions on all sites that the integration is used on. This is required by a timer job that runs periodically.

To address these requirements the SFA must either be:

A member of ‘Site Collection Visitors’ or equivalent, for each site collection within a web application to which the integration solution has been deployed or;

Given ‘Full Read’ access under the user policy for each web application where the integration solution has been deployed.

31

The recommended approach is to apply permissions at the web application user policy level, defining it at this level means the account does not need to be added to every site collection. For web applications hosting 100s or 1000s of site collections, this approach significantly reduces the administrative overhead.

For steps to configure the web application user policy, refer to Adding an account to the user policy for a web application

2.4.4 Additional Account Configuration Considerations

Supporting use of Remote HP Records Manager Workgroup Servers

HP Records Manager Workgroup Service Account permissions

In Establishing a “Remote” HP Records Manager Workgroup Server for use in the HP Records Manager / SharePoint integrated environment; any SharePoint farm server (of any role within the SharePoint farm) that is not also configured as a remote HP Records Manager workgroup server does not require any specific local permissions to be provided for the HP Records Manager Workgroup Service Account.

In accordance with HP Records Manager Workgroup server installation guidance, the HP Records Manager Workgroup Service account only needs to be provided with the local permissions “Local Administrator” and “Log on as a Service” on servers that are specifically installed as HP Records Manager Workgroup servers, regardless of any SharePoint farm roles that the server may also fulfill.

32

2.4.5 Summary of Accounts and required Permissions (CHECKLIST)

The below table summarizes the prerequisite permissions configurations for each of the accounts detailed previously in this section, NOT including the “Additional Account Configuration Considerations.” This can be used as a checklist in configuring the accounts for your environment.

Inst

alli

ng U

ser

Configuri

ng U

ser

HP

Rec

ord

s M

anager

Pri

vile

ged

Acc

ount

Share

Poin

t Pr

ivile

ged

Acc

ount

HP

Rec

ord

s M

anager

Work

gro

up S

ervi

ce

Acc

ount

Applic

atio

n P

ool A

ccount

Share

Poin

t Ser

ver

Farm

Acc

ount

Local Machine Administrator (all Application and Web Front End servers)

“Full Control” access to the

Web Server Work Path (all Application and Web Front End servers)


Scratch Directory (all Application and Web Front End servers)


SharePoint\Config Directory (all Application and Web Front End servers)

SharePoint

Farm Administrator

Full Control access to all

applicable Site Collections (all site collections in all web applications to

which the integration solution is deployed)

Valid SharePoint User (at least “Read” access to all content in the

site collection)

HP Records Manager Enterprise

Studio

“Trusted Account”

HP Records Manager Location (Type = ‘Person’; Accepts Logons) Inquiry User Information

Manager Administrator

(Security =

<Highest>) Administrator

Information

Worker

(Username =

“System”)

db_owner:

SharePoint_Config database

db_owner:

Search Service Application

database(s)

In addition to the HP Records Manager Privileged Account having this permission, all interactive users of the integration must also have this same level of access (full control).

The permissions requirements detailed in this table are in addition to the required permissions for any of these accounts in HP Records Manager or SharePoint independently.

33

3 Installing and Enabling the HP Records Manager Integration for SharePoint

3.1 Introduction Having successfully prepared the environment for the HP Records Manager Integration for SharePoint, installation and enablement can now be performed in accordance with the following procedures.

3.2 Important Considerations

3.2.1 Using a previous HP Records Manager version

Version 8.0 of the HP Records Manager Integration for SharePoint does not support the use of earlier versions of HP Records Manager or HP TRIM.

3.2.2 Prerequisites Met

Ensure that you have completed all prerequisites detailed earlier in this document prior to proceeding with the installation.

3.2.3 HP Records Manager and SharePoint Unavailability

During the installation process, the entire farm should be considered unavailable for use.

You should schedule this installation for a time where the system is not required by end users.

3.3 Installation Procedure To install the HP Records Manager Integration for SharePoint, follow the steps in the sections below precisely.

3.3.1 Installing the HP Records Manager Integration for SharePoint

The installer file can now be run on the SharePoint 2013 application server to install the HP Records Manager Integration for SharePoint.

The HP Records Manager Integration for SharePoint MSI does not support ‘Administrative Installation’ (Using the /a command line option).

To run the installer file:

1 Log on to the SharePoint 2013 farm server that hosts Central Administration as the Installing User.

2 Launch the HP Records Manager 8.0 CD-ROM, or manually open the contents.html file

3 Navigate to the 64 bit Installs, then select Install HP Records Manager 2013 SharePoint Integration.

34

4 The SharePoint 2013 Integration x64 Installation Wizard is launched.

5 Read the disclaimer and select Next.

6 Review the End User License Agreement, and if you accept it, toggle the radio button to indicate as such, then click Next.

If you do not accept the license agreement, you will not be able to proceed with installing the HP Records Manager Integration for SharePoint.

35

7 Note the Destination Folder for installed files and click Next.

8 Click Next to begin the installation.

As the installation executes, a command prompt will be made visible for a period of time. Upon successful completion of the installation the prompt will be closed, and a confirmation dialog will be displayed in the Installation Wizard.

9 The HP Records Manager Integration for SharePoint has now been successfully installed. Click Finish to close the Wizard.

3.3.2 Installing the HP Records Manager Remote Workgroup Integration on each HP Records Manager Workgroup Server (Local or Remote)

For an HP Records Manager workgroup server to process SharePoint Integration events, it is necessary to install and configure the event handling components directly onto that machine, regardless of its disposition as either a local or remote workgroup server.

The HP Records Manager SharePoint Remote Workgroup Integration MSI is used to install these components and must be run on all workgroup servers that will be used to process HP Records Manager events relating to SharePoint content. (As you can see, the name of this MSI no longer accurately reflects its purpose. We plan to correct this in a future version.)

For installation steps, refer to Installing and Configuring a Remote Workgroup Server.

3.3.3 Deploying the Integration Solution

Following successful installation of the integration to the farm server that hosts Central Administration, a solution file named hprecordsmanager.15.wsp is now present in the SharePoint farm solutions gallery. Essentially, this solution packages the features of the HP Records Manager Integration for SharePoint for deployment to designated web applications in the SharePoint farm.

Using the farm solution deployment capability of SharePoint Central Administration, the solution can be deployed to one or multiple web applications individually; or to all content applications at once.

Alternatively, the solution can also be deployed using the SharePoint Team Services Administration (STSADM) command via the SharePoint 2013 Management Shell.

Prior to deploying the solution though, there are some considerations and preparatory steps to undertake.

Preparing Services for Solution Deployment

Regardless of the farm topology and any resultant deployment considerations; before deploying the solution, steps must be undertaken to prepare certain services to allow the deployment itself to proceed unhindered.

Confirming the status of necessary SharePoint services

In order for deployment of the HP Records Manager Integration for SharePoint to succeed, you must confirm that the following services are started on each application and web front end server in the farm:

the SharePoint Administration service; and

the SharePoint Timer service

These services should already be started as part of a standard SharePoint deployment.

Stopping and Disabling the HP Records Manager Workgroup service

To ensure that none of the key HP Records Manager assemblies used by the integration are being or could possibly become held (and effectively locked) during the deployment and activation processes; the HP Records Manager Workgroup service must be stopped and disabled for all HP Records Manager Workgroup servers in the environment.

To stop and disable this service:

36

1 Logged on to the server as a local administrator, via the Server Manager, navigate to Configuration > Services.

2 In the list of services, locate the HP Records Manager Workgroup Service. Right-click on it and select Properties.

3 On the General tab of the Properties dialog, Stop the service.

4 Set the Startup type to Disabled.

37

5 Apply the changes then click OK to close the Properties dialog.

Solution Deployment via the Farm Solutions Gallery

To deploy the HP Records Manager Integration for SharePoint solution file via the farm solutions gallery in Central Administration:

1 Logged on to the farm server that hosts Central Administration (i.e. the server upon which the integration was installed) as the Installing User; launch SharePoint 2013 Central Administration and navigate to System Settings.

2 From the Farm Management group in the System Settings, select Manage farm solutions.

3 In the Solution Management gallery, locate and select the solution hprecordsmanager.15.wsp.

38

4 On the Solution Properties page for the integration solution, select Deploy Solution.

5 On the Deploy Solution page, configure the Deploy When? settings as appropriate; and in the Deploy To? section, select the web application to which the integration solution is to be deployed (or “All content Web Applications” if so desired).

Information on the Global Assembly Cache warning displayed on the Deploy Solution page is provided at appendix III of this document. If you do not accept this concession then you will not be able to deploy the HP Records Manager Integration for SharePoint.

6 Click OK to initiate the deployment and return to the Solution Management gallery. Noting the Status of the deployment process for the solution, refresh the page periodically until it is updated to Deployed.

39

Having followed these steps, the HP Records Manager Integration for SharePoint is now successfully deployed to the selected web application.

As part of the initial deployment of the solution to the first web application, the HP SharePoint Integration Administration feature is also successfully activated for that web application. As such, it is not a requirement to perform the activation steps for this feature (as detailed in the following section of this chapter) on the first web application.

Subsequent Solution Deployments

Following the first successful deployment of the integration solution file to a web application, subsequent solution deployments can be performed following the same steps as detailed above.

IMPORTANT

It is important to be aware though that for any subsequent deployments, the HP SharePoint Integration Administration feature will NOT be automatically activated as part of solution deployment, despite what the status of the feature may be displayed as in the Manage Web Application Features gallery of the subsequent web application(s):

Pre-existing Web Applications

In scenarios where the solution is deployed to a subsequent web application that itself existed in the farm PRIOR to the solution being deployed to a first web application, the feature will appear as Deactivated. After deployment, this feature must be manually activated in accordance with the steps provided in section 3.4.1 of this document.

New Web Applications

It is a known issue that in scenarios where the solution is deployed to a subsequent web application that itself was created in the farm AFTER the solution was deployed to a first web application, that the feature will appear as Activated, when in fact it is NOT.

As such, the feature must be manually deactivated prior to reactivating in accordance with the steps provided in section 3.4.1 of this document.

3.3.4 Deployment where the application server is not a web front end

If the application server (AS) in the SharePoint farm is not a web front end (WFE), you must perform the following steps to ensure that deployment is successful.

Once the HP Records Manager Integration for SharePoint solution has been deployed to your content web application(s) you must:

Deploy the solution to the Central Administration web application Activate the “HP SharePoint Integration Administration” feature for the Central Administration web

application Ensure that the alternate access mappings do not include URLs that point to the AS

Failure to follow these steps will result in errors occurring when saving the web application integration settings for your content web application(s).

3.4 Enabling the Integration This section describes the a set of actions that must be carried out in order to provide the minimum configuration information required to prepare for the activation of site collection specific features.

40

3.4.1 Activating the HP SharePoint Integration Administration feature

The HP SharePoint Integration Administration Feature

The core capabilities required to administer the HP Records Manager Integration for SharePoint are provided by the HP SharePoint Integration Administration feature.

Made available via the Manage Features gallery of a web application, activating this feature is the first step in enabling the integration for use, and is a prerequisite to Configuring the Web Application Integration Settings.

Feature activation prerequisites

Prior to activating the HP SharePoint Integration Administration feature, in order to ensure accessibility of the necessary integration assemblies, you must:

Ensure that the HP Records Manager Workgroup service is Stopped and Disabled on all HP Records Manager Workgroup servers;

Restart the SharePoint Timer service on all SharePoint servers; and

Perform and IISreset on all SharePoint servers.

In addition, refer to the section Subsequent Solution Deployments section of this document to ensure that the feature is in the correct state for activation prior to proceeding.

These prerequisites are in addition to the prerequisites detailed in previous sections of this document.

Steps for activating the Feature

Other than for the first web application to which the solution file has been deployed, the HP SharePoint Integration Administration feature must be manually activated on each web application to which the solution has been deployed.

For the first web application to which the solution file has been deployed, this feature will be automatically activated as part of the deployment process.

To activate the HP SharePoint Integration Administration feature:

1 Logged on to the application server (the same server that the integration was installed on) as the Installing

User, launch SharePoint 2013 Central Administration and under the Application Management group, navigate to Manage web applications.

41

2 From the list of web applications on the Web Application Management page, select the applicable web application (to which the integration solution has already been deployed). Having highlighted the web application in the list, select Manage Features from the Manage section of the Web Applications ribbon.

3 In the resultant Manage Web Application Features dialog, locate and Activate the HP SharePoint Integration Administration feature.

3.4.2 Configuring the Web Application Integration Settings

Once the HP SharePoint Integration Administration feature has been successfully activated, a series of baseline settings must now be configured to finalize enablement of the integration for use with the web application.

Being configured at web application level, these settings are hence applicable to all site collections residing within that web application.

The HP Records Manager Web Application Integration Settings page

Configuration of the baseline integration settings is performed on the HP Records Manager Web Application Integration Settings (WAIS) page, which is made accessible via the ribbon menu on the Web Applications Management page in SharePoint 2013 Central Administration.

The WAIS page includes the following fields for configuration and reference:

SharePoint Farm ID

The SharePoint Farm ID field displays the unique identifier of the SharePoint farm that the web application resides within. While this value cannot be changed on the WAIS page, it is provided for as a means of reference to facilitate possible troubleshooting, in particular for multi-farm deployments using a single HP Records Manager database.

42

HP Records Manager Database

This field records the ID of the HP Records Manager database that is to be integrated with this specific web application. A single web application may only be integrated with one HP Records Manager database however one HP Records Manager database may be integrated with multiple web applications, potentially across multiple farms.

Once established (i.e. the database ID has been entered and successfully saved on the WAIS page previously), although it is possible to change the HP Records Manager database, it is strongly advised against doing so except in only the most well considered scenarios.

This is because, with the change of databases, it cannot be assumed that the unique identifiers of any of the HP Records Manager database content (i.e. records, record types, classifications, fields etc) will be consistent between the old and new values. As such, existing HP Records Manager configuration data will be largely lost, and synchronicity between ‘managed’ SharePoint content and corresponding records registered in the initial HP Records Manager database will not be able to be maintained.

The HP Records Manager Database field is mandatory, and must contain a valid HP Records Manager database ID in order for the WAIS page to be saved successfully.

HP Records Manager Temporary Files

This field allows for specifying the HP Records Manager Web Server Work Path. Any saved changes to this file path on the WAIS page must be followed by an IISreset on each web front end server in the farm.

Upon save, the format of the value entered in this field will be validated in terms of being a local file path, however as the path must be present on each HP Records Manager workgroup server used in the farm (as specified in the Configuration Caching

The “Use Configuration Caching” check box in the controls section allows for specifying whether memory caching is on or off. By default the value is checked or “on.”

Caching of configuration data improves application performance and therefore is recommended. It requires that alternate access mappings (AAMs) be configured for machine specific URLs as noted at Alternate Access Mapping

(AAM) requirements.

If it is not possible to configure AAMs, then turn configuration caching off. When memory caching is not checked or “off,” the configuration manager will bypass the in memory cache and will retrieve the value from SharePoint.

An IIS reset on all machines is required should you change the setting.

Managed Metadata

A number of term sets are created to represent values in HP Records Manager. This section allows specification of the managed metadata service to use to host these term sets. If a managed metadata service is not specified here, synchronized term sets used by the integration will not be able to be created.

HP Records Manager Workgroup Servers section), the value itself cannot be immediately validated across all farm servers. It is for this reason that the establishment of this path has been highlighted as one of the Server

Prerequisites for installing the integration.

The Web Server Work Path field is mandatory, however upon initial configuration of the WAIS, includes the default file path for this directory.

Delete Behaviour

When an item of any content type that is managed by HP Records Manager is chosen to be deleted from SharePoint, the value specified in the Delete Behaviour field of the WAIS determines how the corresponding HP Records Manager record for that item is to be handled.

If the option is unchecked, users will be able to delete items from SharePoint, subject of course to having sufficient permissions in SharePoint to do so but also to having the Modify Records permission in HP Records Manager. In meeting these permissions criteria, upon deletion the item will be sent to the site Recycle Bin in SharePoint, while the corresponding HP Records Manager record is maintained in the database.

If the option is checked, then in addition to removing the item from SharePoint, the corresponding HP Records Manager record will attempt to be deleted from HP Records Manager as well. However, due to the

43

records integrity implications of this behaviour, the user performing the delete action in SharePoint must also have the Delete Records permission in HP Records Manager for the deletion to succeed.

It must be noted though that for items managed by HP Records Manager, in order for deletion from SharePoint to succeed in either of the above scenarios, the item must have originated from the list that it is attempting to be deleted from.

If the item is present in the list/library as a result of it being exposed from HP Records Manager, then it cannot be deleted.

While this effectively means that no HP Records Manager records exposed as list items can be ‘deleted’ from a list, they can instead be removed from the list by using the ‘Relocate’ function of the integration.

Management Parameters

If during the management of a site or list, an error occurs during while processing a list item, the process continues for the next list item. In some cases though, it is possible that many errors could occur. Often, these errors may be for exactly the same reason.

The value specified in this field indicates the number of errors that when reached, should cause the management process to abort.

In order for the WAIS page to save successfully, this field must contain a value between 0 (zero) and 10000. A value of zero means that the management process will not be aborted, regardless of the number of processing errors that may be encountered.

HP Records Manager Administrator Contact Details

If users are experiencing HP Records Manager specific issues, in some cases they are provided the ability to email the HP Records Manager administrator notifying them of the issue. The email address specified here is the address these messages will go to.

This field is not mandatory, however if you do not specify a value here the option to send an email will not be provided to the user.

Privileged Accounts

This section holds the credentials of the SharePoint Privileged Account and HP Records Manager Privileged Account.

All username and password fields in this section are mandatory and entries are validated in terms of the account’s suitability to perform the specified role.

Scratch Directory Settings

This field allows for specifying the Scratch Directory.

The Scratch Directory field is mandatory.

Configuration Caching

The “Use Configuration Caching” check box in the controls section allows for specifying whether memory caching is on or off. By default the value is checked or “on.”


(AAM) requirements.



Managed Metadata

A number of term sets are created to represent values in HP Records Manager. This section allows specification of the managed metadata service to use to host these term sets. If a managed metadata service is not specified here, synchronized term sets used by the integration will not be able to be created.

44

HP Records Manager Workgroup Servers

Depending on what HP Records Manager Workgroup server configuration has been chosen to support the integration, associations between applicable SharePoint farm servers and workgroup servers can be established in this section.

If every application and web front end server in the SharePoint farm has also been installed as a HP Records Manager Workgroup server then the option to “Use local workgroup servers” can be used.

If remote HP Records Manager Workgroup servers have been installed in accordance with section 2.2.4 of this document, then the option to “Use remote workgroup servers” can be selected. In selecting this option, a Default workgroup server must be specified, with the additional option to assign workgroup servers to web front end servers directly, if so desired.

When assigning workgroup servers to web front end servers directly, if no server is specified then the default workgroup server will be used for those web front ends.

WAIS configuration prerequisites

Prior to configuring the WAIS, to ensure the integration settings can be successfully propagated, you must:

Ensure that the HP Records Manager Workgroup service is Enabled and Started on all HP Records Manager Workgroup servers;

Restart the SharePoint Timer service on all SharePoint servers; and

Perform an IISreset on all SharePoint servers.

These prerequisites are in addition to the prerequisites detailed in previous sections of this document.

Steps for configuring the WAIS

To configure the web application level integration settings on the WAIS page:

1 Logged on to the application server (the same server that the integration was installed on) as the Installing

User, launch SharePoint 2013 Central Administration and under the Application Management group, navigate to Manage web applications.

2 From the list of web applications on the Web Application Management page, select the applicable web application (to which the integration solution has already been deployed and administration feature activated). Having highlighted the web application in the list, select the HP Records Manager menu item from the Manage section of the Web Applications ribbon.

45

3 In the resultant HP Records Manager Web Application Integration Settings page:

a. In the HP Records Manager Database section, enter the ID of the HP Records Manager Database that is to be integrated with this web application.

b. In the HP Records Manager Temporary Files section, enter the Web Server Work Path.

c. In the Delete Behaviour section, select the desired option.

d. In the Management Parameters section, enter the maximum number of errors to be encountered before integration processing is aborted.

46

e. In the HP Records Manager Administrator Contact Details section, enter a contact email address for users to report any errors that may be encountered via.

f. In the Privileged Accounts section, enter the credentials (including domain prefix) of the SharePoint Privileged Account and HP Records Manager Privileged Account respectively.

g. In the Scratch Directory Settings section, enter the file path to the Scratch Directory.

47

h. In the Configuration Caching

i. The “Use Configuration Caching” check box in the controls section allows for specifying whether memory caching is on or off. By default the value is checked or “on.”


(AAM) requirements.



j. Managed Metadata

k. A number of term sets are created to represent values in HP Records Manager. This section allows specification of the managed metadata service to use to host these term sets. If a managed metadata service is not specified here, synchronized term sets used by the integration will not be able to be created.

l. HP Records Manager Workgroup Servers section, specify the desired configuration for either local or remote HP Records Manager Workgroup servers.

4 Click OK to save the HP Records Manager Web Application Integration Settings.

48

4 Additional Installation Considerations

4.1 Accommodating Alternate Windows Authentication Methods Should the HP Records Manager Integration for SharePoint be employed by web applications that use a Windows authentication method other than NTLM, additional configuration is required to ensure that the integration functions correctly.

4.1.1 HP Records Manager Event Processing

The processing of HP Records Manager events raised via the integration may also be hindered by the use of an alternate windows authentication method. It is therefore necessary to modify the HPTRIMServiceSoap binding in the TrimEvent.exe.config file of each HP Records Manager Workgroup server used by the integrated environment.

Modifying the HPTRIMServiceSoap Entry of the TrimEvent.exe.config File

To apply the appropriate modification to the HPTRIMServiceSoap entry of the TrimEvent.exe.config file of a HP Records Manager Workgroup server:

1 In the installation directory of the HP Records Manager Workgroup Server, locate and open the TrimEvent.exe.config file.

2 From within the <bindings> element of this TrimEvent.exe.config file, locate the HPTRIMServiceSoap entry:

<binding name="HPTrimServiceSoap" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00"

sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"

maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"

textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">

<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096"

maxNameTableCharCount="16384" />


<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" realm="" />

</security>

</binding>

3 Within this entry, change:

<transport clientCredentialType="Ntlm" ...

to:

<transport clientCredentialType="Windows" ...

4 Save the TrimEvent.exe.config file.

5 Restart the HP Records Manager Workgroup Service.

These steps must be performed on every HP Records Manager Workgroup server that is processing SharePoint Integration events.

4.2 Secure Sockets Layer (SSL) Web Application Support When utilising the HP Records Manager Integration for SharePoint in a farm configured to use Secure Sockets Layer (SSL), there are a series of additional steps that must be carried out manually to allow the integration to work. This section describes these steps.

These steps are only required if your web application URL itself uses SSL. If you are using a reverse proxy (such as Microsoft TMG) to expose an external URL using the https protocol, but translates this URL to an internal http URL, you do not need to consider these steps; however,,depending on the windows

49

authentication method of web applications, it may still be necessary to make the changes necessary for Accommodating Alternate Windows Authentication Methods.

4.2.1 Required SSL Configuration Considerations

Ensure only HTTPS is used

It is currently not possible to have a server host multiple web applications that use a combination of HTTP and HTTPS. For the integration to function correctly, all web applications hosted by the farm must use the same protocol.

It must also be ensured that all machines in the farm hosting the web applications use the same protocol. You cannot for example have server 1 using HTTPS and server 2 using HTTP.

4.2.2 Modify the event processing configuration

1 Go to the directory that HP Records Manager was installed. By default this will be

C:\Program Files\Hewlett-Packard\HP Records Manager

2 Locate and open the file TrimEvent.exe.config

3 Locate the element:


and replace it with:

<security mode="Transport">

4 Delete the following line if found:

<message clientCredentialType="UserName" algorithmSuite="Default" />

5 Save the file.

6 Restart the HP Records Manager Workgroup service.

These steps must be performed on every HP Records Manager Workgroup server that is processing SharePoint Integration events.

50

5 Upgrading the HP Records Manager Integration for SharePoint

5.1 Introduction Whether performing a ‘full’ upgrade of both HP Records Manager and the HP Records Manager Integration for SharePoint, or only upgrading the HP Records Manager Integration for SharePoint itself, the steps detailed in this chapter must be followed precisely in order to ensure success.

5.2 Important Upgrade Considerations There are a number of important considerations in preparing for the upgrades, and critical steps in executing them.

5.2.1 Supported Upgrade Path

The upgrade path to any version in the 8.0.x stream of the HP Records Manager Integration for SharePoint is supported only from earlier 8.0x versions.

Upgrading from SharePoint 2010 to SharePoint 2013 is currently not supported. This process will be documented in future.

51

6 Troubleshooting

6.1 Troubleshooting Tools The HP Records Manager Integration for SharePoint provides a number of tools to assist in troubleshooting issues that may be encountered during installation, administration or general use.

6.1.1 Additional Information

When an exception is experienced by a user during operation with the integration, by default only limited information is provided in the SharePoint error dialog, along with an ID for that exception.

Additional information is however generally available in such instances, but although this will be appended to resultant log entries, it is by default suppressed from the error displayed to the interactive user. This suppression is considered a security measure as some details contained in certain ‘additional information’ could conceivably be exploited by malicious users.

It is however possible to display the additional information along with the original exception message and ID, however it is advised that this only be enabled for the purposes of fault finding.

Logging is provided through use of the Microsoft Enterprise Library Tool Version 5. The SharePoint Integration is shipped with a command line tool for configuring additional logging options.

Enabling Additional Information

To enable the display of Additional Information in the SharePoint error dialog:

1 Logged on to the server upon which the HP Records Manager Integration for SharePoint was installed, open a CMD prompt and navigate to the install location of the SharePoint integration

By default, the installation directory of the HP Records Manager Integration for SharePoint is

C:\Program Files\Hewlett-Packard\HP Records Manager\SharePoint Integration

2 Export the current logging configuration by executing the following command from the CMD prompt:

Elconfigurationtool –x [Web application name]

Where [Web application name] is the display name of the web application where the integration is deployed

For example, a SharePoint farm has been configured with the following web applications:

To export the “SharePoint – 200” web application logging configuration file run the following command:

Elconfigurationtool –x “SharePoint – 200”

52

3 An XML configuration file is exported into the same folder location as a text file, ELConfigurationExport.txt. Open this file in a suitable XML editor.

4 Locate the two showAdditionalInformation parameters (Search/Find is the easiest method) and change the corresponding values from false to true

Both sections will look like this:

<TupleOfStringString>

<Item1>name</Item1>

<Item2>Display Handler</Item2>

</TupleOfStringString>


<Item1>showAdditionalInformation</Item1>

<Item2>true</Item2>



<Item1>type</Item1>

<Item2>HP.Integration.SharePoint.ExceptionHandling.DisplayOnlyHandler,

HP.Integration.SharePoint, Version=1.0.0.0, Culture=neutral,

PublicKeyToken=c0e8a57fc919aedb</Item2>


5 Save and close the file.

6 Reimport the configuration file by executing the following command from the CMD prompt:

Elconfigurationtool –i [Web application name] [File name]

Where [Web application name] is the display name of the web application where the integration is deployed and [File Name] is the name of the exported configuration file.

For example, to reimport the changed configuration to the “SharePoint – 200” web application, execute the following command

Elconfigurationtool –i “SharePoint – 200” ELConfigurationExport.txt

7 Perform an IISreset.

For multiple web applications, repeat steps 2-6 and then perform an IISreset at the end.

Note that if you extend a web application, to support external access or another authentication method, then you will need to repeat steps 2-6 for the extended web application. Otherwise, only access via the internal URLs will have additional information logged.

6.1.2 Integration Event Logging

The integration includes the ability to log messages to help troubleshoot issues with the product. Log messages can include:

Exception messages

Information messages

General integration messages can be logged to:

The SharePoint ULS log

In addition, specific functionality in the integration also utilizes dedicated lists for logging information.

The configuration document describes how to configure these particular options however, a default logging configuration is provided following installation.

This section describes how these log messages can be used to help troubleshoot issues.

53

Exception logging to the SharePoint ULS

The HP Records Manager Integration for SharePoint includes the capability for logging to the SharePoint Unified Logging Service (ULS) logs.

Upon installation the integration logs exceptions to the ULS log by default, though can also be configured to log other event outcome categories to the ULS.

Logging integration exceptions to the ULS improves user capacity to investigate and resolve any possible issues encountered by merging trace entries of the integration with broader SharePoint event logging.

Locating and viewing a ULS log

SharePoint ULS logs are by default maintained in the \LOGS directory of the [hive]. A new log is by default created every 30 minutes, and is titled in the format

[NAME]-YYYYMMDD-HHMM

where

[NAME] is the machine name, and

YYYYMMDD-HHMM is the date and time that the file was created (i.e. the file will contain log entries commencing from this time).

Although ULS logs, as .log files, can be opened for viewing with a variety of applications, Microsoft also provides a ULS Viewer tool at:

http://archive.msdn.microsoft.com/ULSViewer

Please be aware that, as stated on this site, The ULS Viewer application is not supported by Microsoft and is to be used at your own risk.

Identifying HP Records Manager entries in the log

In integrating with SharePoint’s ULS logging capability, entries relating specifically to HP Records Manager are merged with those of SharePoint. While this provides context to entries in terms of the system en masse, it doesn’t necessarily make them easily identifiable in the log.

HP Records Manager entries can be located or isolated in the log by performing a search or filter of the Area field (or if using the ULS Viewer, the Product field) by the value:

HP Records Manager

6.1.3 Known Issues

Site column mapping may throw an error when attempting to save changes

When attempting to update column mappings via the ‘Map site columns to HP Records Manager fields’ page, a generic SharePoint error is displayed to the user.

Tracking the cause in the ULS log, shows the following error details: System.InvalidOperationException: Operation is not valid due to the current state of the object.

http://archive.msdn.microsoft.com/ULSViewer

54

at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()

at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)

at System.Web.HttpRequest.FillInFormCollection() The error 'ThrowIfMaxHttpCollectionKeysExceeded' is caused by a Microsoft security update - MS11-100, released on 29 December 2011. This update has been released to fix ASP.NET DoS vulnerability and limits the amount of parameters for a single HTTP POST to 1000.

This limit can potentially prevent the saving of the Site column mapping page.

The way to fix this is to add an entry to the web.config file, for each content web application where the HP Records Manager Integration for SharePoint is deployed, providing the ability to increase the parameter limit: <appSettings>

<add key="aspnet:MaxHttpCollectionKeys" value="5000"/>

</appSettings>

The suggested value is 5000, but it is recommended to test this value and ensure the ceiling is set high enough to accommodate your specific configuration.

Asynchronous processing of items with multiple large attachments (totaling over 10 MB) fails

When managing list items with multiple attachments, the HP Records Manager Integration for SharePoint automatically packages the attachments into a single zip file, which is then stored with the corresponding record in HP Records Manager.

However, if list items are being captured as part of an asynchronous job, any list items with multiple attachments that exceed 10 MB will not get captured correctly. The creation of the associated zip file will fail and the asynchronous job will eventually fail.

Reviewing the asynchronous job in the HP Records Manager Job Queue will show the following error message for the relevant list items:

[List Item Name]: Attempted to package the attachments but failed.

There are a number of ways to resolve the issue; however, the recommended approach is:

1 Locate the offending List Item(s). To do this, you can use the URL in the job to locate the list, and the list item name from the error text.

2 Manually perform the appropriate HP Records Manager action for the job on each offending list item in turn: Manage, Finalize, Relocate, and Archive

It is important to perform the action on each offending item individually; selecting multiple items will just create another asynchronous job.

3 Once all offending items have been dealt with, navigate to the HP Records Manager job queue, change the job status from Failed to Pending, and save the job.

This will add the failed job back into the queue; the job will re-run and will automatically skip the items that have been dealt with manually.

Mapping SharePoint Number column with “Show as percentage enabled”

When a SharePoint Number column with "Show as percentage enabled" is mapped to a HP Records Manager Decimal Additional field, the value in the SharePoint Number column looks different than the value in the HP Records Manager Decimal field once the list item is managed. This is expected behavior. For example, the value 50 in the SharePoint column represents 50%. This same value is stored in the list item and HP Records Manager Additional field as .50.

Mapping SharePoint Number column that uses decimal

When a SharePoint Number column using decimal places is mapped to a HP Records Manager number field, the value the value in HP Records Manager will not contain the decimal places. This can then cause the value in SharePoint to be updated to have no decimal places.

55

Error accessing some pages “The HTTP request is unauthorized with client authentication scheme ‘Ntlm’…”

When accessing the web application integration settings page (or other pages), if the user sees an error message similar to the following:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The

authentication header received from the server was 'Negotiate,NTLM'."

This may be an indication that the security settings in IE are not configured correctly.

In IE, navigate to Tools > Internet Options > Security tab > Custom Level, Locate the 'User Authentication' set of values (usually at the bottom of the list Ensure that either 'Automatic log-on in Intranet zone' or 'Automatic log-on with current username and

password' is selected

This issue has been seen when this value was set to 'Prompt for username and password'.

56

I. Quick reference “how to” guide Sections of this document referred to performing particular actions in SharePoint and HP Records Manager. Although it is not the intention of this document to describe how to use these two products, how to perform a number of these tasks have been included in this appendix as a quick reference only.

The content in this section is not intended to supersede the official HP Records Manager and SharePoint documentation. This information is for quick reference only. Where a discrepancy exists, you should consider the official product documentation as being correct.

Farm Server Permissions

Adding an account as a local administrator

Applicable accounts

This permission is a prerequisite for the Installing User.

Configuration steps

1 Logged on to the machine with an existing administrator account, launch Computer Management, then navigate to ‘Configuration > Local Users and Groups > Groups’.

2 From the available groups, double left-click on Administrators to launch the group Properties, and then under the listed Members, select the Add button.

57

3 In the resultant object selection dialog, enter and validate the applicable account and select OK.

4 In the Properties, verify that the account has been added to the Members of the group, Apply the changes and click OK.

5 Perform an IISreset.

Providing an account with Full Control access to a specific file path

Applicable accounts

These steps are applicable to the following integration accounts / prerequisites:

Account Prerequisite(s)

All Interactive Users of the Integration - Full Control access to the Web Server Work Path

HP Records Manager Privileged Account - Full Control access to the Web Server Work Path - Full Control access to the Scratch directory

SharePoint Privileged Account - Full Control access to the Scratch directory

Application Pool Account - Full Control access to the SharePoint “Config” directory

Configuration steps

Although the following example screenshots depict configuration for the Scratch Directory, which has been created at the root of C drive; the steps are applicable for configuring ‘Full Control’ access to any directory.

1 Logged on to the machine with an existing administrator account, navigate to the appropriate directory using the Windows Explorer navigation pane. Right-click on the directory in the navigation pane and select Properties.

58

2 From the Security tab of the directory’s Properties dialog, under the Group or user names field, select Edit.

3 In the resultant Permissions dialog, under the Group or user names field, select the Add.

59

4 In the resultant object selection dialog, enter and validate the applicable account and select OK.

5 Now returned to the Permissions dialog, noting that the newly added account is highlighted in the Group or user names field; in the below Permissions field, select the Allow option for the Full control permission level.

6 Apply your changes and select OK for the Permissions dialog, and then for the Properties dialog.

Database permissions

Adding an account to a SQL database role

Applicable accounts



Installing User - db_owner of the SharePoint Config database

Application Pool Account - db_owner of the SharePoint Config database - db_owner of Search Service Application databases

Configuration steps

Although the following example screenshots depict configuration for db_owner of the SharePoint_Config database; the steps are applicable for adding an account to any database role for any SQL server database.

60

1 Logged into the SQL Server Management Studio as an existing system administrator, in the Object Explorer of the database engine, navigate to Security > Logins.

2 Select the appropriate user account from the list of available Logins and double left-click on it to launch the Login Properties, then select User Mapping from the Select a page pane on the left.

If the account has not yet been added as a Login for the database engine, first add it by right-clicking on the Logins folder and selecting New Login...

3 From Users mapped to this login list, select the Database for which this account is to be assigned to a role, and check the box in the Map column.

4 Once mapped, options in the Database role membership list will be enabled. Check the box for the appropriate database role to be assigned to this account.

61

5 Click OK to save the configuration.

HP Records Manager permissions

Configuring the profile of a HP Records Manager Location

Applicable accounts



Configuring User - Accept logins - User Type of (at least) Information Manager

HP Records Manager Privileged Account

- Accept logins - Security level of <Highest> - User Type of Administrator

HP Records Manager Workgroup Service Account

- Accept logins

Application Pool Account

- Accept logins - User name (logon name) of “System” - User Type of Information Worker

Configuration steps

The following steps assume that a HP Records Manager Location of type “Person” has already been created for the applicable account.

Although the following example screenshots depict configuration for the HP Records Manager Privileged account; the steps are applicable for configuring the profile of any HP Records Manager “Person” Location.

1 Logged into the HP Records Manager client as an existing Administrator, locate the applicable Location using the Find Locations tool from the Search menu. Right-click on the Location in the search results and select Properties.

62

2 In the Profile tab of the Location’s Properties:

a. To enable a Location to accept logins, check the option to Accept logins for this user, using login name.

b. To provide a security level of <Highest> to a Location, select the Security button, and in the resulting dialog, select the Highest button. Click OK to return to the Properties dialog.

c. To set the User Type of the Location, select the applicable option from the User Type drop-down menu.

3 Click OK on the properties dialog to save settings.

Adding an account as a trusted user in HP Records Manager

Applicable accounts

This permission is a prerequisite for the HP Records Manager Privileged Account.

Configuration steps

1 Logged into the HP Records Manager Enterprise Studio as a system administrator, navigate to General > Miscellaneous. Right-click on the Miscellaneous folder and select Properties.

63

2 In the resultant Properties dialog, in the field captioned Enter user account name and press Add, enter the name of the HP Records Manager Privileged Account in the format domain\username and select Add.

3 With the HP Records Manager Privileged Account added to the trusted server accounts list and click OK to close the dialog.

4 Save and deploy your changes in the Enterprise Studio.

SharePoint 2013 permissions

Adding an account as a SharePoint Farm Administrator

Applicable accounts

This permission is a prerequisite for the Installing User.

64

Configuration steps

1 Logged into SharePoint 2013 Central Administration as an existing Farm Administrator, from the Security section on the home page, select Manage the farm administrators group.

2 In the Farm Administrators group list, select New > Add Users.

3 In the resultant Grant Permissions dialog, enter and validate the applicable account and select OK.

Adding an account as a SharePoint Site Collection Administrator

Applicable accounts

This permission is a prerequisite for the following integration accounts:


Installing User - Site Collection Administrator of each site collection within a web

application to which the integration solution has been deployed.

Configuring User - Site Collection Administrator of each site collection within a web


65

HP Records Manager Privileged Account - Site Collection Administrator of each site collection within a web


SharePoint Privileged Account - Site Collection Administrator of each site collection within a web


Configuration steps

1 Logged into the SharePoint 2013 site collection as an existing Site Collection Administrator, from the Site Actions menu on the home page, select Site Settings.

2 Under the Users and Permissions section on the Site Settings page, select Site collection administrators.

3 Enter the applicable account into the Site Collection Administrators peoplepicker control, and select OK.

Adding an account to the user policy for a web application

Applicable accounts

This permission is a prerequisite for the following integration accounts:


Installing User - Full Control under the user policy for the web application to which the

integration solution has been deployed.

Configuring User - Full Control under the user policy for the web application to which the


HP Records Manager Privileged Account - Full Control under the user policy for the web application to which the


SharePoint Privileged Account - Full Control under the user policy for the web application to which the


66

Configuration steps

1 Log on to SharePoint 2013 Central Administration with an account that can administer web applications

2 Under the Application Management group, navigate to Manage web applications.

3 From the list of web applications, select the application where the SharePoint Integration is to be deployed and click on User Policy in the ribbon

4 Click on Add Users, choose the appropriate zone/s and click Next

67

5 Add the required accounts and permission levels and then click Finish

68

II. What is an AAM? A SharePoint page typically includes many links and images. The URL of these links and images assumes that these locations are accessible using the host header or machine name. For example, if the URL of the page was:

http://sharepoint/SitePages/Home.aspx

Images on this page might have a URL of:

http://sharepoint/images/Image.jpg

In the case though where a user accesses a site through a reverse proxy where the externally accessible URL is different to the internal one, this can cause issues. Consider the previous scenario with a reverse proxy. In this example the organization has configured an externally accessible URL of:

http://ourintranet

Therefore to access the previous page, the URL is:

http://ourintranet/SitePages/Home.aspx

However, the URL of the example image on the page will be determined as:

http://sharepoint/images/Image.jpg

As this URL is not accessible from the external side of the reverse proxy, the image will fail to load.

Alternate access mappings allow you to “tell” SharePoint that when being accessed through a particular URL, that all links and images should use another URL in when constructing the path to links and images. This URL is known as the “Public URL for the zone”.

Continuing the previous example, the following AAM entries for the web application would resolve the issue:


http://ourintranet Intranet http://ourintranet

http://sharepoint Intranet http://ourintranet

This second entry notifies SharePoint that any requests that are routed to http://sharepoint should have all relative URLs constructed to use http://ourintranet

Typical symptoms that AAMs have not been configured correctly in SharePoint are:

Missing images

Links that fail when clicked

When browsing to the root of a site collection, the user is not redirected to the home page of the site collection however, if they type in the full URL to the home page, it displays correctly

69

III. Code Access Security Considerations

Use of the Global Assembly Cache (GAC)

The Global Assembly Cache (GAC) is a system location for the deployment of assemblies. Usually when an assembly is simply deployed to an application directory, the assembly can only be used by other assemblies in that directory. Deploying assemblies to the GAC allows assemblies to be used by others from any location on the machine.

In effect, the GAC is a mechanism to allow sharing and maintenance of a set of assemblies from a common, central location.

From a SharePoint perspective, assemblies that are deployed to the GAC are considered fully trusted. This means that no code access security is applied to these assemblies. During deployment of the HP Records Manager Integration for SharePoint solution, this will cause a warning to be displayed to the user:

“Warning: Deploying this solution will place assemblies in the global assembly cache. This will grant the solution assemblies full trust. Do not proceed unless you trust the solution provider.”

This warning is not stating that the assemblies are likely to perform malicious actions, it is only there to make you aware that these assemblies will potentially have higher privileges than you had intended when designing your SharePoint security policy file.

The key line in this warning is:

“Do not proceed unless you trust the solution provider.”

The assemblies deployed to the GAC by this solution have been authored by two reputable software development companies, HP Software (in the case of all assemblies beginning with HP.*) and Microsoft (in the case of all assemblies beginning with Microsoft.Practices.EnterpriseLibrary.*).

If you are unwilling to deploy these assemblies to the GAC, then you will be unable to utilise the HP Records Manager Integration for SharePoint.

See for yourself

It is not practical to detail exactly what every assembly in our solution does. We can guarantee that the solution assemblies written by HP do not carry out any malicious activity. However, if you are concerned, the following sections describe methods for you to verify this for yourself.

The Microsoft Enterprise Library assemblies are based on version 5.0 of the enterprise library. You can download the source code for these assemblies at:

http://msdn.microsoft.com/en-US/library/ff632023.aspx

As these assemblies were compiled and signed by Microsoft, you can be certain that they are using the code that is available in the download rather than a modified version.

It is possible to view the permissions required for each assembly using the PermCalc tool that ships with Visual Studio.

http://msdn.microsoft.com/en-us/library/ms165077(VS.80).aspx

This will produce a report outlining exactly what permissions are utilised by a particular assembly. Included in the output report produced by PermCalc (XML format) you will find “Demand” nodes describing the permission set that a particular method exercises. The following is an example of a “Demand” node: <Demand>

<PermissionSet class="System.Security.PermissionSet" version="1">

<IPermission Read="COMPUTERNAME" class="System.Security.Permissions.EnvironmentPermission, mscorlib,

Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" />

<IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0,

Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" />

<IPermission Flags="MemberAccess" class="System.Security.Permissions.ReflectionPermission, mscorlib,

Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" />

<IPermission class="System.Security.Permissions.KeyContainerPermission, mscorlib, Version=2.0.0.0,

Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" />

</PermissionSet>

</Demand>

http://msdn.microsoft.com/en-US/library/ff632023.aspx

http://msdn.microsoft.com/en-us/library/ms165077(VS.80).aspx

hp records manager · hp records manager software version: 8.0 sharepoint 2013 integration...

Documents