openCRX Admin Guide

Version 2.6.0+

www.opencrx.org

02-Aug-2010 @ 01:19:26 PM

1 About this Book

This book describes various configuration settings and tasks that make an openCRX administrator's life easier.

openCRX is the leading enterprise-class open source CRM suite. openCRX is based on openMDX, an open source MDA framework based on the OMG's model driven architecture (MDA) standards. This guarantees total openness, standards compliance, a state-of-the-art component-based architecture, and virtually unlimited scalability.

1.1 Who this book is for

The intended audience are openCRX administrators.

1.2 What do you need to understand this book

This book describes some of the settings and configurations an openCRX administrator can use to control the behavior of openCRX.

1.3 Tips, Warnings, etc.

We make use the following pictograms:

	Information provided as a “Tip” might be helpful for various reasons: time savings, risk reduction, etc. - it goes without saying that we advise to follow our guides meticulously meticulous \muh-TIK-yuh-luhs\, adjective: Extremely or excessively careful about details.
	You should carefully read information marked with “Important”. Ignoring such information is typically not a good idea.
	Warnings should not be ignored (risk of data loss, etc.)

2 Prerequisites

This guide assumes that you have access to a properly installed instance of openCRX 2.7.0 (for installation instructions, please refer to the guides available from http://www.opencrx.org/documents.htm).

You can either follow the openCRX Server Installer documentation (http://www.opencrx.org/server.htm) or you can do a manual installation of openCRX following the installation guide for Tomat 6.

3 Security

In this chapter we will present a high-level overview of openCRX security and discuss a few important issues.

We do not recommend learning about security with mission critical data. Backup your data before you make changes if you are not certain what the consequences are! The risk of you being locked out is real and the resources required to fix broken security settings can not be overestimated! The default settings should work for virtually all users; the probability of getting yourself into trouble by changing default settings should not be underestimated. Read and understand at least the basics of openCRX security BEFORE you make any changes.

3.1 Introduction

3.1.1 Basic Concepts and Conventions

• Each “real user” is represented by a Subject (e.g. “Guest”). Subjects are managed by the openCRX Root administrator (admin-Root).

• Each subject has an Application Login Principal (also called login id). Application login principals are managed by the openCRX Root administrator (admin-Root).

• Each application login principal is assigned to a subject (e.g. principal “guest” is assigned to subject “Guest”) and allows a “real user” to login.

• A “real user” can have one or more additional segment login principals. The Segment Login Principal has typically the same name as the application login principal (e.g. “guest”) and grants a “real user” login access to a segment. Segment login principals are managed by the openCRX segment administrators (e.g. admin-Standard for the Segment Standard).

• Each “real user” who has access to a segment (i.e. has a segment login principal) has (in addition to the segment login principal) a segment user principal, e.g. “guest.User”. The Segment User Principal is required to assign objects to an Owning User. Each “real user” also has a Principal Group, e.g. “guest.Group”.

• Each segment has a corresponding realm to manage Principals:

• The application login principals are stored in the realm Default.

• The segment login principals for segment <segment name> are stored in the realm <segment name> (e.g. principals for the segment Standard are stored in the realm Standard).

• Each segment has a segment administrator principal (admin-<segment name>) (e.g. admin-Standard for the segment Standard).

The following figure shows the situation after the initial setup of openCRX (assuming you installed openCRX Server or followed the installation guide for Tomat 6):

Figure 1: Security Realms, Principals and Subjects after Initial Setup

Summarizing the above:

• there is a realm for each segment (e.g. a realm Standard corresponding to the segment Standard)

• the realm Default acts as login realm; it contains all principals who are allowed to login to the openCRX application; PrincipalGroups in this realm are only used to configure Granted Roles by inheritance (in addition to configuring them directly in the appropriate grid).

• there is a subject for each “real user” and all principals of a user are assigned to the same subject; this allows openCRX to find all principals of a user (--> role selection drop down)

The segment administrator (e.g. admin-Standard) creates principals and User home pages with the operation createUser():

• Each segment login principal has a home page in the corresponding segment (qualifier of principal and home page must match!).

• Each segment login principal is correlated with a contact. This correlation is for example required to find all activities and contracts assigned to the logged in principal.

  

Figure 2: Segment Administration

While each “real user” (typically) has 1 application login principal only, “real users” may have multiple segment login principals (e.g. because a “real user” is allowed to access multiple segments or because a “real user” is allowed to access a particular segment in different roles like Head of Sales or CFO).

Available segment login principals are listed in the so-called Role Drop Down:

Figure 3: Role Drop Down with list of available Segment Login Principals

3.1.2 Permissions / Access Control

The openCRX security framework makes a clear distinction between Ownership Permissions (permissions granted on a particular object) and Model Permissions (permissions granted on a particular model element). As the latter are not implemented (yet) we only talk about Ownership Permissions in this guide.

Ownership permissions are used to control browse/delete/update access to openCRX objects by Users and UserGroups (i.e. Ownership access control). Every openCRX object is a SecureObject. The following figure shows an extract from the UML model (if you are interested in all the details and the formally correct and complete specifications you should refer to the latest openCRX UML models):

Figure 4: openCRX UML Model – Class Diagram SecureObject

	If you see N/P in a reference field instead of a more meaningful value you probably do not have browse access to the respective object (N/P stands for No Permission)
	If you see N/A in a reference field instead of a more meaningful value the object cannot be retrieved (N/A stands for Not Available); maybe the object was deleted or the respective provider is not accessible/available.

The most important security attributes of an object X are discussed below:

• Owning User: this user "owns" object X; the Owning User can always browse/delete/update object X (unless the access level is set to 0 [in which case nobody has access – probably not a desirable situation]).

• Owning Groups: these groups might enjoy privileged treatment for browsing/deleting/updating object X depending on the relevant access level settings.

• Access Granted by Parent: this attribute is set by configuration and refers to the parent object that grants access to object X.

• Browse Access Level: this setting determines which users/user groups are granted browse access to direct composite objects of object X [i.e. who can view/inspect direct composite objects of object X (including all their attributes)].

  It is a common misconception that browse access level of an object X controls browse access to this object X – please read the above definition carefully!

• Delete Access Level: this setting determines which users/user groups are granted delete access to object X and all its composite objects (recursively!) [i.e. who can delete object X and all its composite objects (recursively!)].

• Update Access Level: this setting determines which users/user groups are granted update access to object X [i.e. who can change object X; this includes adding composite objects to object X].

Figure 5: System attributes of an openCRX object as shown in the GUI

The following access levels are available to control which users/user groups are granted permission to browse/delete/update a particular object X:

Access Level	Meaning
0 – N/A	no access
1 – private	access is granted if the user is owning user of object X
2 – basic	access is granted if at least one of the following conditions is true: (a) the user is owning user of object X (b) the user is member of any of the owning groups of object X (c) any of the owning groups of object X is a subgroup** of any group the user is member of
3 – deep	access is granted if at least one of the following conditions is true: (a) the user is owning user of object X (b) the user is member of any of the owning groups of object X (c) any of the owning groups of object X is a subgroup** of any group the user is member of (d) any of the owning groups of object X is a subgroup** of any supergroup* of any group the user is member of
4 – global	all users are granted access
* Owning group Gsuper is a supergroup of an owning group G if every user who is member of G is also member of Gsuper
** Owning group Gsub is a subgroup of an owning group G if every user who is member of Gsub is also member of G

3.1.3 The SQL approach to understanding security

If you are familiar with SQL, the following approach to understanding security might be helpful. Let's put ourselves into the role of the AccessControl Plugin; accessing an object (read mode) results in a SELECT statement as follows:

SELECT * FROM T WHERE owner IN (p1, p2, ....)

• owner is a column that is present in all (multi-valued) tables xACCOUNT_, xADDRESS_, etc.) and it contains a list of principals who are permitted to access the respective object in read-mode

• the set P = {p1, p2, ...} is calculated by the AccessControl Plugin before accessing the object and it corresponds to the principals who are assigned to the current user based on the object's AccessLevel as shown in the following table:

Access Level	Set P = {p1, p2, ...}
0 – N/A	P = {}
1 – private	P = Pp where Pp = {all groups directly assigned to the principal p}
2 – basic	P = Pp + Pupper where Pp = {all groups directly assigned to the principal p} Pupper = {all groups that contain at least one group contained in Pp}
3 – deep	P = Pp + Pupper + Plower where Pp = {all groups directly assigned to the principal p} Pupper = {all groups that contain at least one group contained in Pp} Plower = {all groups contained in Pupper}
4 – global	the where-clause “WHERE owner IN (p1, p2, ....)” is not required, i.e. the SELECT statement reduces to SELECT * FROM T

You can mark PrincipalGroups as “Base group” to better control the inclusion of PrincipalGroups with Access Level 3.

3.2 Activating Security

Security (including Access Control) is not just a fancy add-on, rather it is an integral part of openCRX; openCRX Access Control is always activated.

The openCRX security provider manages all security data and provides access control services for all requests through the openCRX API. Hence, you can rely on openCRX access control even if you write you own clients or adapters for openCRX.

The only “hardening” you might want to do is the one described in the following chapter: set browse access level to 3 for non-Root segments.

3.3 Default Settings

Default access level settings for non-Root segments (e.g. segment Standard) after a clean install are as follows:

Browse Access Level:	4 – global
Update Access Level:	3 – deep
Delete Access Level:	1 – private

Figure 6: Table OOCKE1_SEGMENT after default installation

Due to the setting access_level_browse = 4 (global) any user with access to a particular segment is allowed to browse top level objects (i.e. any user can browse all accounts, all activities, all documents, etc.).

These default settings are suitable for test environments and deployments in smaller companies/teams with a generous access policy; for most real-world applications, however, it is more appropriate to set access_level_browse = 3 (deep) for non-Root segments. You can do this by changing the values in the column access_level_browse from 4 to 3 (table OOCKE1_SEGMENT). After this change, the table OOCKE1_SEGMENT will look as shown in the following figure:

Figure 7: Table OOCKE1_SEGMENT after modification

Segment security settings are loaded during the initialization of the openCRX servlet. Hence, if you change settings you must redeploy openCRX for the new settings to become active.

3.4 Security Settings of New Objects

New objects are by default created with the following security settings:

Browse Access Level:	3 – deep
Update Access Level:	2 – basic
Delete Access Level:	2 – basic
Access Granted by Parent	in general: Parent object as modeled exceptions: there are some select exceptions, but they are all pre-configured
Owning User:	User who is creating the object
Owning Groups:	Primary User Group of the user who is creating the object and (meaning as well as) Owning Group(s) of the parent object of the new object (except Users, see below).

Please note that the User Group Users (e.g. Standard\\Users) is not added to the list of Owning Groups of newly created objects unless the creating user's Primary User Group is equal to Users.

	By default, a user's primary user group is <user>.Group. This group is created automatically when the segment administrator runs the wizard User Settings from a user's homepage (see chapter 4.1 Creating Users).
	Please note that a User's Primary User Group can be set by the segment administrator with the operation Create User . To change an existing user's primary group, the segment administrator simply executes the operation Create User again with a new parameter for primary user group.

In the context of activity management there are various operations that set/change the Owning Groups of objects based on the settings of an assigned Activity Creator or assigned Activity Group and not based on the settings of the user who executes the operation.

3.5 Checking Permissions

You can check security permissions on any SecureObject with the operation Security > Check Permissions. Provide the principal name as a parameter. The following figure shows the result of the operation on a user's homeage:

Figure 8: Result of Check Permissions

The meaning of the above result is as follows:

Has read permission:	principal can browse this object principal cannot browse this object
Has update permission:	principal can modify/update this object principal cannot modify/update this object
Has delete permission:	principal can delete this object principal cannot delete this object
Membership for read:	principal has read permission if the intersection of the resulting list of groups and the list of owning groups of the respective SecureObject is not empty
Membership for update:	principal has modify/update permission if the intersection of the resulting list of groups and the list of owning groups of the respective SecureObject is not empty
Membership for delete:	principal has delete permission if the intersection of the resulting list of groups and the list of owning groups of the respective SecureObject is not empty

3.6 Login Procedure

The openCRX login procedure consists of 2 levels:

3.6.1 Apache Tomcat / Application Server Login

The Apache Tomcat / application server login procedure depends on various parameters:

• Servlet container (Apache Tomcat, JBoss, BEA WLS, IBM WAS, etc.)

• configuration of Apache Tomcat / application server

  • file-based realm (e.g. tomcat-users.xml for Tomcat)

  • DB-based realm (e.g. JDBCRealm Tomcat)

  • LDAP-based realm (e.g. JNDIRealm for Tomcat; see also chapter 16.3 Tomcat w/ openCRX and LDAP-based Authentication)

  • company-specific / custom-tailored realms

Please note that even though openCRX might be involved in managing some of the above-mentioned realms (e.g. DB-based realm) the login procedure is not really under control of openCRX. Many login problems are really related to incomplete/faulty configuration settings of the servlet container.

Detailed documentation about the many Realms supported by Apache Tomcat is available at http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

3.6.2 Segment Login

Access to segments is managed/controlled by the ObjectInspectorServlet. The included DefaultRoleMapper identifies all Segment Login Principals of a given Subject and grants access to the respective segments through the Role Drop Down:

Figure 9: Role Drop Down with list of available Segment Login Principals

It is possible to deploy user-specific implementations of the DefaultRoleMapper so that you can adapt the segment login procedure to your requirements.

3.6.3 Disabling Login

Please refer to the chapter “Disable/Deactivate Users”.

3.7 Resetting Security

If you get the setting of Update Access Level wrong you may not be able to change the respective object from the GUI anymore (and that includes the security settings of that object!). For example, the only way to recover from setting Update Access Level to 0 – N/A for a particular object is to edit the data directly in the database! It is simply not possible to disable openCRX Security.

If you (or one of your users) managed to screw up the security settings in a major way you might be forced to reset all security settings to a well-defined state. Not an easy task – and it typically involves a lot of manual work.

Educate your users about openCRX security. You might also consider disabling some of the more powerful operations and/or security attributes in the default GUI.

4 Managing Users

Read through the chapter Basic Concepts and Conventions (Security) before reading this chapter. It is quite helpful to have a good understanding of the terms Subject, Application Login Principal, Segment Login Principal, User, etc. before you start reading here.

4.1 Creating Users

Even though you can create users with a variety of methods, “behind the scenes” the following steps are always required to create a new openCRX user:

Who	Steps
Root administrator admin-Root	create a new Subject set the qualifier to the desired login id create a new Principal in the realm Default (--> Application Login Principal) set the qualifier to the desired login id link this Principal to the Subject created in the previous step make this Principal member of the appropriate Principal Group(s), e.g. Users
Segment administrator admin-<SegmentName>	create a new Contact create a new User link this new User to the Contact created in the previous step the Segment Login Principal is created automatically the userhome is created automatically run the wizard Edit > User Settings from the new user's homepage

Depending on how you create a new user, some of the above steps might be taken care of by a wizard. If you want to have full control over the user creation process, however, then you can certainly create new users following the above instructions step by step.

Have a look at Figure 1: Security Realms, Principals and Subjects after Initial Setup and Figure 2: Segment Administration to see how this all fits together.

4.1.1 Create Users as Segment Administrator

The Segment administrator can create new users with the following steps:

• login as Segment administrator (e.g. admin-Standard)

• create a contact for the new user

• Click on the (potentially hidden) tab [User Homepages]:

Figure 10: New user guest – step 1

• Next you select the operation Actions > Create User... which allows you to create and initialize a new user:

Figure 11: New user guest – step 2

• Type the new user's principal name (e.g. guest) into the field Principal name, use the Lookup Inspector or the auto-completer to fetch values for Contact and Primary user group (unless you have a good reason to provide a user group, leave Primary User Group empty and openCRX will automatically create a user group with name <principal name>.Group), and then type a password (e.g. opencrx) into the fields Initial password and Password again:

Figure 12: New user guest – step 3

• Status 0 indicates that the user guest was created without errors:

Figure 13: New user guest – step 4

• Next we navigate to the homepage of the newly created user guest by clicking on the icon as show below:

Figure 14: New user guest – step 4

• Please note that we are still logged in as admin-Standard (as shown in the header of the application), but we are looking at the homepage of the user guest. Execute the operation Edit > User Settings:

Figure 15: New user guest – step 5

• This will start the wizard User Settings. You can configure various settings with this wizard. At a minimum you should probably set the timezone and enter the new user's e-mail address. Once you're done you can click the button [Apply]. The wizard will then create a bunch of objects and finalize the initialization of the user guest:

Figure 16: New user guest – step 6

• Click [Cancel] to leave the wizard.

The wizard User Settings creates a user group <username>.Group, in the above case guest.Group. The primary user group of the user guest was automatically set to this new user group guest.Group. If you want to change the primary user group to anything else or if you ever must reset a user (lost password, etc.), you can re-execute the operation Create User as admin-Standard at any time. If you want to reset a user without changing the user's password, you can simply leave the password fields empty when recreating the user.

4.1.2 Import Subjects and Application Login Principals

Creating large numbers of subjects/principals by hand can be quite a tedious job. If you prepare a text file containing the appropriate information in the file format as outlined below, the Root administrator (admin-Root) can use the operation Actions > Import Login Principals to create Subjects and Application Login Principals automatically.

Figure 17: Operation Actions > Import Login Principals (admin-Root)

Listing 1: File Format Subjects and Application Login Principals

Subject;<subject name>;<subject description>

Principal;<principal name>;<principal description>;<subject name>;<groups>

Listing 2: Example File Subjects and Application Login Principals

Subject;joe;Doe, Joe
Subject;mark;Ferguson, Mark
Subject;peter;Lagerfeld, Peter
Principal;joe;Doe, Joe;joe;Users,Administrators
Principal;mark;Ferguson, Mark;mark;Users
Principal;peter;Lagerfeld, Peter;peter;Users

4.1.3 Import Users

Similarly to importing Subjects and Application Login Principals from a file you can also import Users from a file. If you prepare a text file containing the appropriate information in the file format as outlined below, the Segment administrator (admin-<SegmentName>) can use the operation Actions > Import Users to create Users automatically.

Figure 18: Operation Actions > Import Users (admin-Standard)

Listing 3: File Format Users

User;<principal>;<account alias>;<account full name>;<primary group>;<password>[;group [, group] ]

Parameter	Description
<principal>	required, name of principal
<account alias>	at least one value per user must be provided, i.e. either the alias name of the contact, or then the full name
<account full name>
<primary group>	optional, default is <principal>.Group
<password>	required, clear text value
group	optional, the user is made a member of each provided principal group

Please note that a “-” value (a dash without the quotes) means empty in the context of a user file. Example: if you don't want to explicitly define a primary group, you can just put a dash and the importer will create the default primary group <principal>.Group for the respective user.

Listing 4: Example File Users

User;joe;JD;Doe, Joe;Users;2%jOd.IT;MGMT,SALES
User;mark;Fergi;Ferguson, Mark;Users;maFe&.3-;MGMT
User;peter;-;Lagerfeld, Peter;-;PlF*;ReGaL;SALES

Contacts are not created automatically; existing Contacts are first searched by <account alias>. If no matching account alias is found, Contacts are search by <account full name>. If still no matching account is found, the UserHome is not created. Users are only imported/created if the referenced Principals exist.

4.2 Disable/Deactivate Users

There are various ways of disabling/deactivating users. To fully understand your options it is helpful if you are familiar with the openCRX Login Procedure.

4.2.1 Disable Users at the level Tomcat /Application Server

Depending on the configuration of your application server you can disable users at that level. For example, if you rely on file-based realms, you can simply remove users from the file tomcat-users.xml (with Apache Tomcat) or users.properties (with JBoss) to prevent access to openCRX. If you block access at the level Tomcat / application server such users are locked out from accessing any application and any openCRX segment. However, as the Tomcat/ application server Login procedure is not entirely controlled by openCRX you might have to consult the documentation of your respective application server or ask your application server administrator for details.

4.2.2 Disable Users at the level openCRX

The segment administrator (e.g. admin-Standard) can prevent a user from accessing a particular openCRX segment by either disabling the respective Segment Login Principal or by deleting it altogether. Disabling is the preferred option to prevent access temporarily. If a user has multiple Segment Login Principals you must disable all of them to prevent access to the openCRX application.

Figure 19: Disabling of Segment Login Principal guest by admin-Standard

You should not delete a particular Subject as long as it is referenced by any Principal. Otherwise you'll end up with “dangling” Subject references.

5 Deployment Scenarios

openCRX supports a multitude of deployment scenarios.

5.1 Typical Deployment Scenarios

The following table lists some of the pros and cons of the most common openCRX deployment scenarios. Please note that the list is by no means complete:

3-Tier with Tomcat/OpenEJB	Figure 20: 3-Tier with Apache Tomcat / OpenEJB
Tomcat engine extended by openEJB (lightweight EJB 3.0 implementation) so that EARs with EJBs and WARs can be deployed simple setup and manage­ment (Server Installer) limited scalability and availability (no clustering) highest performing 3-Tier deployment with full transaction service

4-Tier with Tomcat/OpenEJB	Figure 21: 4-Tier with multiple Tomcat / OpenEJB instances
Multiple Tomcat engines extended by OpenEJB and fronted by load balancer (subsequent session requests are sent to the same Tomcat instance) database cluster good scalability and avail­ability high performance 4-Tier deployment with full transaction service

3-Tier with AppServer	Figure 22: 3-Tier with J2EE-compliant Application Server
J2EE-compliant Application Server (JBoss is supported out of the box) simple setup and manage­ment (one application server) limited scalability and avail­ability (no clustering) Transaction Service

4-Tier with Clusters	Figure 23: 4-Tier with Clustered Application and DB Servers
demanding setup (four and more application servers) multiple security zones for highest security (Internet, DMZ, Intranet) maximum availability fully fault tolerant unlimited scalability Transaction Service

5.2 Multi Entity Deployment Scenarios

The open source MDA platform openMDX supports a multitude of deployment scenarios and persistency configurations. The most common multi entity deployment scenarios are discussed in the following sections.

5.2.1 Multiple Data Segments in a single DB

The setup “Multiple Data Segments in a single DB” provides adequate security for many use cases and is relatively easy to manage. As all the data is stored in a single database, however, security configuration mistakes (e.g. principals linked to the wrong subject, etc.) might lead to situations where a user is granted access to the data of a particular company/client that should not be accessible (please note that human error is the real root cause here, not a malfunction of openCRX). Furthermore, this setup is not recommended if users can get direct access to the database, e.g. with third party reporting tools as those tools typically bypass the openCRX API.

Figure 24: Multiple Data Segments in a single DB

Detailed instructions on how you can create and configure new segments are provided in the installation guide for Tomat 6.

5.2.2 Multiple DBs

The highest level of security is provided by setting up a dedicated database for each entity so that data sets of the various entities are physically separated:

Figure 25: Dedicated DB for each Entity

5.3 openCRX Custom Applications

Information about openCRX custom projects is available from the openCRX wiki, e.g. https://sourceforge.net/apps/trac/opencrx/wiki/Sdk24.CustomProject.

6 Workflow Controller

With the Workflow Controller the openCRX Root administrator (admin-Root) can enable/disable various servlets (configured in web.xml) included in the openCRX distribution. This chapter gives an overview over the currently available servlets and explains how to start/stop them.

You can access the Workflow Controller by navigating to the URL

http://127.0.0.1:8080/opencrx-core-CRX/WorkflowController

or starting the Workflow Controller Wizard as shown in the figure below:

Figure 26: Accessing the openCRX Workflow Controller

You should connect to the Workflow Controller with http. If you use SSL-secured connections to start/stop servlets you must ensure that your server's certificate is available in cacerts.

The following figure shows the Workflow Controller of openCRX 2.7.0:

Figure 27: openCRX 2.7.0 Workflow Controller

Please note that access is granted to the openCRX Root administrator (admin-Root) only. Hence, if you see the openCRX login screen instead of the Workflow Controller you must first login as Root administrator. Also, ensure that openCRX is properly initialized before you connect to the Workflow Controller.

The first time the Workflow Controller is started it will create a default configuration: Figure 28: Default Configuration of WorkflowController If you ever need to recreate this default configuration, you can do so with the following steps: stop the WorkflowController delete the Configuration with the name WorkflowController start the WorkflowController

You can manually start (stop) servlets that are managed by the Workflow Controller by clicking on “Turn On” (“Turn Off”). Please note that you can control servlets on a segment by segment basis. For example, if you created a segment “OtherSegment” in addition to the segment “Standard” you can start/stop servlets of the segment “OtherSegment” without interfering with the servlets of the segment “Standard”.

6.1 Workflow Controller Configuration

In addition to configuring the Startup option of the Workflow Controller you can also configure various options related to the servlets managed by the Workflow Controller. The configuration of the Workflow Controller is available to the openCRX Root administrator (admin-Root) by navigating to Administration and then clicking on the icon of the WorkflowController:

Figure 29: openCRX Administration – WorkflowController

6.1.1 Startup Configuration in web.xml

You can start the Workflow Controller manually by navigating to the URL

http://127.0.0.1:8080/opencrx-core-CRX/WorkflowController

or starting the Workflow Controller Wizard. However, it is also possible to start the Workflow Controller automatically by activating the corresponding option in the file web.xml:

Listing 5: web.xml – auto startup of the Workflow Controller

<!-- WorkflowController -->
<servlet id="WorkflowController">
<servlet-name>WorkflowController</servlet-name>
<servlet-class>org.opencrx.kernel.workflow.servlet.WorkflowControllerServlet</servlet-class>
...
<!-- activate if WorkflowController should be initialized at startup-->
<load-on-startup>10</load-on-startup>
</servlet>

With the value of load-on-startup (10 above) you can control the order of starting up servlets in case there is more than one servlet.

6.1.2 ServerURL

Adapt the value of serverURL to your environment (e.g. http://127.0.0.1:8080/opencrx-core-CRX):

Figure 30: Workflow Controller Configuration – serverURL

6.1.3 Handler pingrate and autostart

Use pingrate to define the interval (in minutes) between successive calls of the respective handler and autostart (true/false) to start the respective handler automatically:

Figure 31: Workflow Controller Configuration – pingrate and autostart

6.2 Servlet IndexerServlet

The openCRX IndexerServlet updates index entries (used for keyword/index based search introduced with openCRX v2) by indexing all objects which do not have an IndexEntry newer than the modification date of the object. The IndexerServlet creates an index by invoking the operation updateIndex() on the object to be indexed.

Please note that indexing can put some heavy load on your database server. Hence, you might consider turning off (or at least lowering the frequency of calling) the IndexerServlet during busy hours. If you are looking for a way to define advanced schedules for calling the openCRX indexer you might consider cURL in combination with a scheduler provided by your operating system (e.g. Scheduled Tasks on Windows, cron on Linux). With curl calling the indexer boils down to calling curl with the appropriate URL as a parameter. The following example shows how to call the indexer for the provider CRX and the segment Standard: curl "http://localhost:8080/opencrx-core-CRX/IndexerServlet/execute?provider=CRX&segment=Standard"

6.3 Servlet SubscriptionHandler

The openCRX SubscriptionHandler is the backbone of the openCRX Subscribe / Notify Services. The Subscription Handler does not require any configuration by the openCRX administrator other than setting the pingrate and autostart options, i.e. it is designed to work “out of the box”.

Turning on the SubscriptionHandler of a particular segment is required if you want that segment to provide Alerts and E-mail Notifications to its Users. The polling frequency can be set by the Root administrator (see Figure 31: Workflow Controller Configuration – pingrate and autostart).

The SubscriptionHandler checks openCRX audit entries on a regular basis and – if matching Subscriptions exist – executes the Workflow Process referenced by the Subscription using Userhome.executeWorkflow().

Userhome.executeWorkflow() – implemented by the openCRX plugin – creates an entry in Userhome.wfProcessInstance (accessible through the grid Workflow Process Instances). Synchronous workflows are executed immediately, asynchronous workflows are left alone (the Servlet WorkflowHandler is specialized in dealing with asynchronous workflows – see below for details).

6.4 Servlet WorkflowHandler

The openCRX WorkflowHandler is responsible for executing WfProcessInstances based on asynchronous WfProcesses like:

• org.opencrx.mail.workflow.ExportMailWorkflow

• org.opencrx.mail.workflow.SendMailNotificationWorkflow

• org.opencrx.mail.workflow.SendMailWorkflow

The execution frequency can be set by the Root administrator (see Figure 31: Workflow Controller Configuration – pingrate and autostart).

Please note that the WorkflowHandler is required for outbound E-Mail Services.

The WorkflowHandler executes Workflow Process Instances that have not been executed yet.

The first time the WorkflowHandler is started it will create various default Workflow Processes: Figure 32: Default Workflow Processes created by WorkflowHandler If you ever need to recreate these default Workflow Processes, you can do so with the following steps: stop the Servlet WorkflowHandler delete the Workflow Processes that were originally created by the WorkflowHandler (or at least the ones that still exist) start the Servlet WorkflowHandler

All WfProcesses with undefined/unknown runtime length should be defined as asynchronous. This is particularly true for WfProcesses that might block. The default setup ensures that blocking WfProcesses cannot block openCRX.

6.5 Trouble Shooting Servlets

All the openCRX servlets controlled by the Workflow Controller log their actions to the server log file (e.g. TOMCAT_HOME\log\catalina.<date>.log). The following log file extract shows, for example, that the three Servlets Indexer­Servlet, SubscriptionHandler, and WorkflowHandler seem to be working fine:

Listing 6: Servlets managed by Workflow Controller log to server.log

20:25:18,388 INFO [STDOUT] Tue Mar 04 20:25:18 CET 2008: Indexer CRX/Standard
20:27:18,400 INFO [STDOUT] Tue Mar 04 20:27:18 CET 2008: SubscriptionHandler CRX/Standard
20:27:18,400 INFO [STDOUT] Tue Mar 04 20:27:18 CET 2008: WorkflowHandler CRX/Standard

openCRX Exceptions (like NullPointers, etc.), however, are still logged to the application log file as configured during the installation.

It is always worth checking whether the Workflow Handlers actually are active; they must be started by the Root administrator. You can find out by connecting to the Workflow Controller (see Figure 27: openCRX 2.7.0 Workflow Controller).

After restarting the application server all servlets managed by the WorkflowController are inactive, i.e. the Root Administrator must explicitly turn them on again (if desired) unless the respective servlet's autostart option is set to true in the WorkflowController's configuration and the WorkflowController's Startup option is set to true in the file web.xml. The servlets do not automatically resume the state they were in before the application server was shut down.

7 Subscribe / Notify Services

openCRX features a powerful event subscription and notification service:

Figure 33: Event and Notification Service

Once a topic is created, openCRX users can subscribe to it. Users manage their subscriptions individually on their UserHomes (with the Wizard UserSettings or by editing their subscriptions manually). If a topic has subscribed users and a monitored event occurs then the predefined actions are performed. If the action is set to – for example – creating an alert for subscribed users, then each subscribed user will receive an alert on the UserHome.

	Please note that event and notification services depend on the Servlet SubscriptionHandler, i.e. you must turn on the openCRX Subscription Handler for the respective segment with the Workflow Controller, otherwise Topic Actions are not executed, i.e. no Alerts will be created and E mail Notifications will not be delivered.
	Furthermore, as outbound E-Mail Services depend on the WorkflowHandler, you must activate the Workflow Handler to receive E-Mail Notifications.

The openCRX distribution includes quite a few default topics (see Figure 34: Standard Topics included in the openCRX distribution) to get you started:

• Topic Account modification alert sends an alert to the UserHome of subscribed users whenever an account is modified.

• Topic Activity follow-up modification alert sends an alert to the UserHome of subscribed users whenever a Follow Up of an Activity is modified.

• Topic Mail notification for new alerts sends an e-mail notification to subscribed users – assuming outbound e-mail services are configured correctly – whenever an Alert is created/modified.

Please note that newly created Segments do neither contain Workflow Processes nor Topics (i.e. the respective grids are empty). Both Workflow Processes and Topics can be created by the segment administrator with the wizard Segment Setup.

Figure 34: Standard Topics included in the openCRX distribution

Users can easily custom-tailor their subscriptions with filters and by selecting event types like Object Creation, Object Replacement, and Object Removal.

7.1 Example Subscription – Account Modifications

In this example we will create a subscription to the standard Topic Account Modifications for the user “guest”.

• Login as guest, and execute the operation Edit > User Settings to start the respective wizard. Check both “Is Active” and “Creation” as shown below:

Figure 35: Create a new Subscription

• Click Apply to store your settings.

Please note that the Root administrator must start the Subscription Handler – otherwise you will not get any Alerts/Notifications.

7.2 Example Subscription – Activity Assignment Changes

With the following steps you can create a subscription to activity assignment changes:

• navigate to your Userhome and create a new Subscription

• populate the fields as follows:
  Name: Activities assigned to me
  Description: (any description you like)
  Active: checked
  Event type: (leave empty)
  Topic: select Activity Modifications
  Name of filter #0: assignedTo
  Value of filter #0: copy the Identity of the respective user's homepage

• save your subscription

To locate the identity of a user's homepage, you can navigate to the respective homepage and inspect the tab [System]. The pattern is as follows:

xri://@openmdx*org.opencrx.kernel.home1/provider/<providerName>/segment/<SegmentName>/userHome/<principal>
e.g. xri://@openmdx*org.opencrx.kernel.home1/provider/CRX/segment/Standard/userHome/guest

7.3 Example Subscription with Filtering

In combination with openCRX security the subscription filter feature enables you to provide highly specific subscriptions. Imagine the following situation: there are 2 Activity Trackers DivisionA:ProjectX and DivisionA:ProjectY and some of your users are interested in receiving notifications related to activities of ProjectX only, whereas some users want to receive notifications related to activities of ProjectY only. A third group of users wants to receive notifications from both projects. Such a situation could be handled as follows:

• create a PrincipalGroups DivisionA.ProjectX and DivisionA.ProjectY

• assign PrincipalGroup DivisionA.ProjectX to ActivityTracker DivisionA:ProjectX; like this new activities assigned to this Tracker will also be assigned the PrincipalGroup DivisionA.ProjectX

• assign PrincipalGroup DivisionA.ProjectY to ActivityTracker DivisionA:ProjectY; like this new activities assigned to this Tracker will also be assigned the PrincipalGroup DivisionA.ProjectY

• an Activity Modification subscription of a user wanting notifications related to ProjectX and ProjectY would look as follows:

Figure 36: Create a Subscription with Filters

Enter the name of the attribute (owner in our example) into the name field and then enter the value(s) to match into the value field (in our case Standard:DivisionA.ProjectX and Standard:DivisionA.ProjectY)

Multiple values of a named filter are combined with OR. Multiple named filters are combined with AND.

7.4 RSS Feeds

New alerts are also available as RSS feeds. Users can subscribe to their news feed directly from their homepage:

7.5 Trouble Shooting Notification Services

The following table lists some of the common issues and how to fix them:

Problem	Solution
The grids Workflow Processes and/or Topics are empty.	verify that the Segment Administrator created Workflow Processes and Topics with the wizard Segment Setup click the filter button to see all rows without filtering (maybe you defined a default filter in the past?)
I started the Subscription Handler but I never receive any Alerts / Notifications	verify that you started the correct Subscription Handler (each segment has its own Subscription Handler) in case you upgraded to a new version of openCRX and forgot to delete Workflows and Topics provided by openCRX, stop the Subscription Handler, delete Workflow Processes and Topics, recreate Workflow Processes and Topics with the wizard Segment Setup, and then start the Subscription Handler again check the openCRX log files to find out whether bad/corrupt data might be causing problems (e.g. NullPointer Exception during Workflow execution)
I receive Alerts triggered by my Subscriptions but no Notification E mails	verify that JavaMail is properly installed and the mail service properly configured (see chapter 8.1 Install and Configure Mail Resource and E-Mail Services for more information) verify your e-mail settings (see E-mail Services) verify that the Servlet WorkflowHandler of the respective segment is turned on

8 E-mail Services

Please note that we have no intention to duplicate mail server (MTA) or mail client functionality in openCRX as there are lots of excellent products available (Open Source and commercial). It is our goal, however, that openCRX integrates with all the major products that adhere to the major standards and support standard protocols like SMTP, POP3, IMAP, etc. This ensures that you can continue to use your favorite mail server (qmail, postfix, etc.) and your favorite mail client (Thunderbird, Outlook, etc.).

Installation of JavaMail is required if you want to make use of E-mail Services.

The following figure shows the flow of mail messages between openCRX, mail server, and mail client as it is supported with openCRX 2.7.0:

Figure 37: Flow of e-mail messages between openCRX, MTA and mail client

In this chapter we will first guide you through the required installation and configuration steps before we discuss various important use cases.

8.1 Install and Configure Mail Resource and E-Mail Services

The following chapters explain how to install JavaMail and how to configure the Java mail service and various in- and outbound E mail services.

Please note that outbound E-Mail Services depend on the Servlet WorkflowHandler of the respective segment being turned on.

8.1.1 Installation of JavaMail

Detailed installation instructions are provided at the JavaMail home:

http://java.sun.com/products/javamail/FAQ.html

And here is the short version:

• Download JavaMail (at least version 1.4.3) from http://java.sun.com/products/javamail/downloads/index.html

• Put the file mail.jar into the directory TOMCAT_HOME\lib

8.1.2 Mail Resource for openCRX on Apache Tomcat

8.1.2.1 Add resource definition(s) to openejb.xml

Open the file TOMCAT_HOME\conf\openejb.xml and add (or modify) the mail resource definition. Typically you would add one (smtp) mail resource definition per provider for outgoing mail and one mail resource definition for each segment that requires the MailImporterServlet. Below are some sample files which you can use as a starting point (adapt the highlighted strings to your own environment):

Listing 7: File openejb.xml – mail resource outgoing mail

...
<Resource id="mail/provider/CRX" type="javax.mail.Session">
mail.transport.protocol smtp
mail.smtp.user crx_mail_user
mail.smtp.password crx_mail_user_password
mail.smtp.starttls.enable true
mail.smtp.auth true
mail.smtp.host mail_server_name_or_ip_address
mail.smtp.port 25
mail.from noreply@opencrx.org
mail.debug true
</Resource>

...

Please note that the above mail resource definition for provider “CRX” will apply to all segments (including “Standard”) of that provider.

Make sure that you set mail.from to a reasonable value as this value might be used in outgoing mails (see also chapter 8.2.2 Outgoing E-mail's FROM value).

The following mail resource definitions apply to the segment “Standard” (of the provider “CRX”) and show default configurations for the various mail protocols supported by mail.jar (pop3, pop3s, imap and imaps):

Listing 8: File openejb.xml – mail resource incoming mail POP3

...
<Resource id="mail/CRX_Standard" type="javax.mail.Session">
mail.store.protocol pop3
mail.pop3s.host mail_server_name_or_ip_address
mail.pop3s.port 110
mail.pop3s.auth true
mail.pop3s.user crx_mail_user
mail.pop3s.password crx_mail_user_password
mail.debug true
</Resource>
...

Listing 9: File openejb.xml – mail resource incoming mail POP3S

...
<Resource id="mail/CRX_Standard" type="javax.mail.Session">
mail.store.protocol pop3s
mail.pop3s.host mail_server_name_or_ip_address
mail.pop3s.port 995
mail.pop3s.auth true
mail.pop3s.user crx_mail_user
mail.pop3s.password crx_mail_user_password
mail.debug true
</Resource>
...

Listing 10: File openejb.xml – mail resource incoming mail IMAP

...
<Resource id="mail/CRX_Standard" type="javax.mail.Session">
mail.store.protocol imap
mail.pop3s.host mail_server_name_or_ip_address
mail.pop3s.port 143
mail.pop3s.auth true
mail.pop3s.user crx_mail_user
mail.pop3s.password crx_mail_user_password
mail.debug true
</Resource>
...

Listing 11: File openejb.xml – mail resource incoming mail IMAPS

...
<Resource id="mail/CRX_Standard" type="javax.mail.Session">
mail.store.protocol imaps
mail.pop3s.host mail_server_name_or_ip_address
mail.pop3s.port 993
mail.pop3s.auth true
mail.pop3s.user crx_mail_user
mail.pop3s.password crx_mail_user_password
mail.debug true
</Resource>
...

Additional information about configuration options of JavaMail is available from the JavaMail home:

http://java.sun.com/products/javamail/FAQ.html

8.1.2.2 Mail Resource in web.xml

In the file web.xml in the directory <Tomcat Install Dir>\apps\opencrx-core-CRX\opencrx-core-CRX\WEB-INF you must uncomment the following section to activate outgoing mail:

Listing 12: Uncomment mail resource definition (outgoing mail) in web.xml

...
<!-- Wizards, Workflows (e.g. MailWorkflow), etc. can use mail resources.
Configure a mail resource for each used mail resource.

-->

<resource-ref id="mail_opencrx_CRX">

<res-ref-name>mail/provider/CRX</res-ref-name>

<res-type>javax.mail.Session</res-type>

<res-auth>Container</res-auth>

</resource-ref>

...

Please note that the res-ref-name must match the id of the respective mail resource definition in the file openejb.xml.

The following steps are only required if you want to activate incoming mail (i.e. MailImporterServlet) for a particular segment (e.g. “Standard”):

• add mail resource definition to web.xml:

Listing 13: add mail resource definition (incoming mail) in web.xml

...
<!-- incoming mail for provider CRX segment Standard -->

<resource-ref id="mail_opencrx_CRX_Standard">

<res-ref-name>mail/CRX_Standard</res-ref-name>

<res-type>javax.mail.Session</res-type>

<res-auth>Container</res-auth>

</resource-ref>

...

• add a path entry for the MailImporterServlet to the WorkflowController section in web.xml:

Listing 14: add path name of MailImporterServlet to web.xml

...
<!-- WorkflowController -->
<servlet id="WorkflowController">
<servlet-name>WorkflowController</servlet-name>
<servlet-class>org.opencrx.kernel.workflow.servlet.WorkflowControllerServlet</servlet-class>
...
<init-param>
<param-name>path[3]</param-name>
<param-value>/MailImporterServlet</param-value>
</init-param>
<!-- activate if WorkflowController should be initialized at startup -->
<load-on-startup>10</load-on-startup>
</servlet>
...

• add the class name of the MailImporterServlet to web.xml:

Listing 15: add class name of MailImporterServlet to web.xml

...
<!-- IndexerServlet -->
<servlet id="IndexerServlet">
<servlet-name>IndexerServlet</servlet-name>
<servlet-class>org.opencrx.kernel.workflow.servlet.IndexerServlet</servlet-class>
</servlet>
<!-- MailImporterServlet -->
<servlet id="MailImporterServlet">
<servlet-name>MailImporterServlet</servlet-name>
<servlet-class>org.opencrx.application.mail.importer.MailImporterServlet</servlet-class>
</servlet>
...

• add the servlet mapping of the MailImporterServlet to web.xml:

Listing 16: add servlet mapping of MailImporterServlet to web.xml

...
<servlet-mapping>
<servlet-name>IndexerServlet</servlet-name>
<url-pattern>/IndexerServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>MailImporterServlet</servlet-name>
<url-pattern>/MailImporterServlet/*</url-pattern>
</servlet-mapping>
...

Restart Tomcat for these changes to become active. Please note that additional steps are required to fully configure the MailImporterServlet (see chapter 8.3.1 Inbound E-mail with MailImporterServlet).

If you want to enable TLS/SSL connections to your mail server (smtp, pop3s, imaps) you must also import the mail server's public key into the file cacerts of your JRE: Listing 17: Importing certificate into keystore cacerts keytool -keystore cacerts -import -storepass changeit -file mailserver.cer

8.2 Outbound E-mail

8.2.1 Outbound E-mail Configuration

openCRX users can configure e-mail accounts on their homepage indicating where they would like to receive e-mail notifications (e.g. generated by subscriptions):

• Click on My Homepage and select the grid Tab E-Mail.

• Next you click on the creator menu New > E-Mail Account to create a new E-mail Account:

Figure 38: Create a new E-Mail Account – step 1

• Now you can configure your E-Mail Account for outbound e-mail service:

Figure 39: Create a new E-Mail Account – step 2

The various fields have the following meanings:

• E-mail address: enter your e-mail address (i.e. the address where you would like to receive e-mail notifications)

• Reply address: is also used for the From field (if you leave this empty, then the value the segment admin's E-Mail Account is used)

• Default: check if this is your default e-mail address (notifications will only be sent to your default e-mail address)

• Outgoing Mail Service: leave this empty (unless the default configuration does not suit you; the default name of the mail service is /mail/provider/<provider> )

• Incoming Mail Service: leave this empty (unless the default configuration does not suit you; the default name of the mail service is /mail/<provider>_<segment> )

If a user does not define the name of the mail service in his E-Mail Account settings the default name /mail/provider/<provider>/segment/<segment> is used; if there is no resource with this name the fallback name /mail/provider/<provider> is used (and if this name does not exist either, then an error is logged).

• Click the button to commit the new E-Mail Account. The grid E Mail should now contain an entry for the new E-Mail Account:

Figure 40: Create a new E-Mail Account – step 3

• On your Homepage you can provide additional information related to E Mail Notifications:

Figure 41: E-mail subject prefix and Web access URL

The meaning of the two fields is as follows:

• E-mail subject prefix: enter a string that might help you identify or filter e-mails from your openCRX server (optional, i.e. you can also leave this empty) – the entered string is prepended to the subject line of generated e-mails.

• Web access URL: enter the URL of the openCRX instance at hand; if entered correctly, generated e-mails will contain URLs that allow you to connect to your openCRX server with a single click.

You can easily test your e-mail settings if you create a subscription for Account Modifications (see Example Subscription – Account Modifications) and then work through the following steps:

• create a new account (e.g. a new contact)

• navigate to your Homepage and check whether you actually received an alert related to the newly created account

• next click on the Grid Tab Pending / Completed Workflows on your homepage (unhide it by clicking on [>] if it is not visible)

• there should be (at least) two entries (you might have to sort the column Started on to locate recent entries):

  • org.opencrx.kernel.workflow.SendAlert (which generated the Alert)

  • org.opencrx.mail.workflow.SendMailNotificationWorkflow (which was responsible for sending the E-mail Notification)

• click on the icon of the respective grid icon to inspect the corresponding Workflow Process object

• the grid Action Log Entries contains the message body of the e-mail that was sent or an error message if the workflow failed (please note that even if you see a "timeout" error message the e-mail might have been sent; timeouts are typically caused by e-mail servers with high latency – try sending out notifications through a mail server that is responsive).

8.2.2 Outgoing E-mail's FROM value

The openCRX Workflow Handler uses the mail.from value in the file openejb.xml (see chapter 8.1.2.1 Add resource definition(s) to openejb.xml).

If mail is sent as an openCRX user, the FROM value of outgoing e-mails is determined as follows:

• if the user has configured an E-Mail Account for outbound e-mail service and the value of Reply Address is set (see chapter 8.2.1 Outbound E-mail Configuration, Figure 39: Create a new E-Mail Account – step 2), then this value is used; otherwise

• if the segment administrator has configured an E-Mail Account for outbound e-mail service and the value of Reply Address is set, then this value is used; otherwise

• if the mail.from value in the file openejb.xml (see chapter 8.1.2.1 Add resource definition(s) to openejb.xml) is set, then this value is used; otherwise

• the value noreply@localhost is used

Please note that many mail servers reject incoming mails if the hostname contained in an e-mail's FROM value cannot be resolved. (and FROM: noreply@localhost is very likely to cause delivery issues). Hence, ensure that at least the value in openejb.xml makes sense.

8.2.3 Export E-mails

Please refer to chapter 9.4 Mailstore / IMAP.

8.2.4 Send E-mails directly from openCRX

Any openCRX E-Mail Activity can be sent as e-mail directly from openCRX:

Figure 42: Send E-Mail from openCRX – Overview

The idea behind this functionality is less that you will use openCRX as a mail client, rather the SendMailWorkflow is an important element of the openCRX campaign management functionality. E-Mail Activities of type “E-Mails” are controlled by the Activity Process E-mail Process. Send E-Mail Activities to all recipients by executing the operation Actions > Follow Up and then selecting the Transition Send as mail as shown below:

Figure 43: Send E-Mail from openCRX with Actions > Follow Up

	Please note that the transition “Send as mail” is only available after the Transition “Assign” has been executed.
	Media attached to E-Mail Activities are sent as e-mail attachments.

8.2.5 Send E-mails as Attachments to your Mail Client

Any openCRX E-Mail Activity can be sent to your mail client as an attachment. The idea behind this functionality is that you might want to put some finishing touches on an e-mail before you actually send it from your mail client:

Figure 44: Send E-Mail as Attachment from openCRX – Overview

E-Mail Activities of type “E-Mails” are managed by the standard Activity Process E mail Process, i.e. they can be exported to the user's default mail account by executing the operation Actions > Follow Up and then selecting the Transition Export as mail attachment:

Figure 45: Export E-Mail from openCRX with Actions > Follow Up

	Please note that the transition “Export as mail attachment” is only available after the Transition “Assign” has been executed. Exported messages are sent as attachments to the user's default mail address. See Outbound E-mail Configuration for details.
	Media attached to E-Mail Activities are sent as e-mail attachments.

8.2.6 Send E-mails to Fax-/SMS-Gateways

The SendMailWorkflow supports mail gateways if you set the attribute gateway of the respective e-mail activity. The gateway address is used for addresses which are not of type EmailAddress. For example, in the case of a phone number, the address is converted to an e-mail address as follows:

• take the address (e.g. phoneNumberFull in case of phone numbers)

• remove any characters other than digits and letters

• convert “+” (plus sign) to “_” (underscore)

• append domain part of gateway address

Example: if the domain address of an e-mail activity is set to the email address noreply@fax-gateway.opencrx.org, the the phone number +41 (44) 111-2233 is converted to the email address _41441112233@fax-gateway.opencrx.org.

This conversion feature allows you to mix e-mail addresses and phone numbers in member lists of address groups. Depending on the recipient's type of addresss the SendMailWorkflow will either send an e-mail to the listed e mail address as is (e-mail address) or first convert the recipient's phone number to an e-mail address so that the resulting e-mail can be handled by your fax-/sms-gateway.

If you are looking for reliable fax software, you might want to look into Hylafax+ http://hylafax.sourceforge.net/ (Linux only).

8.3 Inbound E-mail

Instead of offering platform specific plugins for a multitude of mail clients like MS Outlook, MS Outlook Express, Thunderbird, Eudora, Elm, etc. openCRX features a platform neutral e-mail importer. The advantages are obvious:

• works with any mail client (including your favorite one)

• no clumsy installation of plugins, i.e. you can get this to work on your company's laptop regardless of how “hardened” the system is

• supports single message import and bulk import

• imports headers, body, and attachments

• automatically creates links to sender and recipient(s) if the respective e mail addresses are present in openCRX

The following figure shows an overview of how you can import e-mails from your mail client into openCRX:

Figure 46: Import E-Mails from Mail Client

The whole setup is quite straightforward; in a first step you configure the MailImporterServlet (see chapter 8.3.1 Inbound E-mail with MailImporterServlet) so that it fetches e-mails from a mailbox, e.g. named “import”. Optionally, you can create a custom-tailored Activity Creator to handle imported E-mails exactly the way you like, but in most cases the provided Default E-mail Creator is sufficient. To import an e mail message from your mail client into openCRX, you create a new message to be sent to your importer mailbox, e.g. by entering import@company.com into the TO field of the new message. Optionally you can specify the name of the Activity Creator in the Subject of the new message. Next you attach the message(s) to be imported to that new message (yes, you can attach multiple e-mail messages and if those messages contain attachments themselves they will also be imported) and send it off. Once delivered to the appropriate mailbox (called “import” in our example) the MailImporterServlet will fetch it from there and then import the messages attached to that envelope message.

This process works for messages in any of your mail client's folders, e.g. Inbox, Outbox, Sent, Trash, etc.

8.3.1 Inbound E-mail with MailImporterServlet

See chapters 8.1.2.1 (Add resource definition(s) to openejb.xml) and 8.1.2.2 (Mail Resource in web.xml) for details on activating/configuring the MailImporterServlet the MailImporterServlet. The following steps complete the configuration of the MailImporterServlet:

• log in as openCRX Root administrator (admin-Root)

• start the wizard openCRX Workflow Controller:
  

• start the MailImporterServlet (click on the respective “Turn on”); alternatively you can also enter the following URL into your browser to trigger the MailImporterServlet:
  http://<server>:<port>/opencrx-core-CRX/MailImporterServlet/execute?provider=CRX&segment=Standard

• with the first invocation the MailImporterServlet will automatically create a new Component Configuration:
  

• navigate to this automatically created Component Configuration and create a new String Property with the name
  <provider>.<segment>.mailServiceName
  and the value
  mail/<provider>_segment
  
  For example, create a new String property (as shown below) with name CRX.Standard.mailServiceName and value mail/CRX_Standard:
  

There is no need to delete default entries as they are ignored as soon there exists an entry with the same name without the suffix “.Default”. Example: Once you created the property CRX.Standard.mailServiceName the property CRX.Standard.mailServiceName.Default will be ignored.

Test your settings by sending an e-mail to the account specified in the steps above (import@company.com). Attach the message to be imported to this “envelope” e-mail (please note that the attached e-mail only is imported by the MailImporterServlet):

Figure 47: Envelope E-Mail with attached E-Mail to be imported

Please note that neither Subject nor message body should be empty. Use the subject to pass the name of the Activity Tracker you want the imported e-mail to be assigned to (by default imported e-mails are assigned to the Activity Tracker E-Mails).

Once the Workflow Controller triggers the MailImporterServlet you will see the debug output of the servlet on the console (or Tomcat's catalina.log):

Listing 18: Debug Output of MailImporterServlet

18:42:57,810 INFO [STDOUT] DEBUG: setDebug: JavaMail version 1.3.3
18:42:57,826 INFO [STDOUT] DEBUG POP3: connecting to host "mail.company.com", port 995, isSSL true
18:42:58,654 INFO [STDOUT] S: +OK Dovecot ready.
18:42:58,654 INFO [STDOUT] C: USER xxxxxxxx
18:42:58,670 INFO [STDOUT] S: +OK
18:42:58,670 INFO [STDOUT] C: PASS xxxxxxxx
18:42:58,701 INFO [STDOUT] S: +OK Logged in.
18:42:58,717 INFO [STDOUT] C: STAT
18:42:58,748 INFO [STDOUT] S: +OK 1 3204
18:42:58,748 INFO [STDOUT] C: NOOP
18:42:58,779 INFO [STDOUT] S: +OK
18:42:58,842 INFO [STDOUT] C: TOP 1 0
18:42:58,889 INFO [STDOUT] S: +OK
...

• If the MailImporterServlet successfully imported your test mail it will be attached to the Activity Tracker E-Mails. Navigate to Activities > Activity Trackers and then click on the icon of E-Mails:
  

Figure 48: Activity Tracker E-Mail is created automatically

• By default, all imported e-mails are attached to the Activity Tracker E Mails – you should also see the successfully imported test mail in the grid Activities

• Navigate to the newly imported e-mail to load it into the Inspector.

• The mail importer will automatically link imported e-mails with corresponding objects (if they exist in openCRX) and create various additional useful objects:

• e-mail address of sender --> Sender

• e-mail addresses of recipients --> Recipients

• e-mail headers --> Notes

• e-mail attachments --> Media

openCRX includes an Activity Creator Default E-mail Creator and an Activity Tracker E-Mails. The latter is referenced in the grid Activity Groups of the former: Figure 49: Activity Creator Default E-mail Creator By default, the MailImporterServlet applies this Activity Creator to newly imported e-mails (which is the reason why they are shown in the grid Activities of the Activity Tracker E-Mails). You can easily change the contents of the grid Activity Groups so that newly imported e-mails will be attached to different Activity Tracker(s). It is also possible to create additional Activity Creators with different behavior (just make sure that these Activity Creators create Activities of type E-Mails). With the the subject line of your envelope e-mail you can indicate which Activity Creator should be used to import your e-mail. If you omit the subject line the Default E mail Creator is used.

Once the MailImporterServlet works as desired you can switch off the debugging output in the respective resource definition of the file openejb.xml (see chapter 8.1.2.1 Add resource definition(s) to openejb.xml).

8.3.2 Import E-mails

Please refer to chapter 8.3.1 Inbound E-mail with MailImporterServlet or chapter 9.4 Mailstore / IMAP.

8.4 Use openCRX as an E-mail Archive/Audit Tool

openCRX can easily keep track of all your e-mail traffic, inbound and/or out­bound (and given the increasingly more stringent rules on e-mail retention – Sarbanes-Oxley, etc. – it is probably worthwhile considering the advantages of importing all e-mail messages by default).

The following figure shows a configuration where the mail server puts a copy of each received message (inbound traffic) and all sent messages (outbound traffic) into the mailbox audit; configuring such audit accounts can easily be done with most Mail Transport Agents (MTAs) like qmail, postfix, etc. With the appropriate configuration (see Inbound E-mail), the MailImporterServlet can import all messages from that audit mailbox and attach it to an Activity Tracker of your choice:

Figure 50: E-Mail Audit – import all inbound/outbound e-mail messages

8.5 Trouble Shooting E-mail Services

The following table lists some of the common issues and how to fix them:

Problem	Solution
openCRX does not initiate TLS session with mail server	It seems that JavaMail sometimes does not (even try to) establish a TLS session when connecting to a mail server (smtp) if the certificate of the mail server has not been imported into the keystore. If the mail server requires TLS for authentication (e.g. SASL) and authentication is required to relay messages such failure to establish a TLS session will prevent openCRX from properly sending outbound mail. If you intend to use TLS/SSL to secure the connection to the outbound e-mail server (smtp) we recommend you import the mail server certificate into the keystore. Listing 19: Importing Certificate cd $JAVA_HOME/lib/security keytool -import -alias <dom> -file <name>.cer -keystore cacerts Replace <dom> with the domain of the mail server (e.g. mail.company.com) and <name> with the name of the certificate file.
I receive Alerts triggered by my Subscriptions but no Notification E mails	verify that JavaMail is properly installed and the mail service properly configured (see chapter 8.1 Install and Configure Mail Resource and E-Mail Services for more information) verify your e-mail settings (see E-mail Services for details) verify that the Servlet WorkflowHandler of the respective segment is turned on

9 Groupware Services

openCRX features the following groupware services:

Type of Service	Standard	Server Provider
vCard Server	VCF	openCRX/core (native provider)
Calendaring	FreeBusy	openCRX/core (native provider)
	iCalendar (ICS)	openCRX/core (native provider)
	CalDAV	openCRX/core (native provider)
Mailstore	IMAP	openCRX/core (native provider)

For information about over-the-air synchronization of PDAs, mobile phones, etc. with openCRX please refer to chapter 10 openCRX AirSync (ActiveSync compatible).

9.1 Directory Service / LDAP

openCRX provides LDAP Server functionality (get more information about LDAP or read what Wikipedia has to say about LDAP). In a nutshell this means that you can use any LDAP client to connect to openCRX and view openCRX accounts. Furthermore, openCRX LDAP service supports SSL. The following information is required to connect to openCRX with an LDAP client:

Host	IP address or host name of openCRX Server Examples: localhost, 127.0.0.1, myCrxServer.myCompany.com, etc.
Port	1389 (note that the LDAP standard port is 389)
BaseDN	ou=filter/[filter name],ou=Persons Example: ou=filter/All Accounts,ou=Persons
BindDN	<principal>@<segment name> Example: guest@Standard

The openCRX Directory Service / LDAP supports SSL. Hence, if your LDAP client supports SSL (Thunderbird does, MS Outlook does not), you can enable SSL for increased privacy/protection. If you enable SSL, you might want to change the port from 1389 to 1689.

9.1.1 Configuring the openCRX LDAP Port

The openCRX LDAP port is by default set to 1389 (to avoid conflicts with other LDAP daemons listening on the LDAP standard port 389). You can change this configuration in the file web.xml located in
opencrx-groupware-CRX.ear\opencrx-ldap-CRX.war\WEB-INF\

Look for the param-name port.

If you build your own EARs you can change the openCRX LDAP port in your project's file build.properties (ldap.listenPort) or directly in your build.xml.

9.1.2 Enabling SSL Support for LDAP

With the following steps you can enable SSL support for LDAP:

• Create cert and key with OpenSSL (e.g. server.key, server.crt)

• Convert cert and key to PEM format using OpenSSL:

• Key: openssl rsa -in server.key -out server-key.pem -outform PEM

• Cert: openssl x509 -in server.crt -out server-cert.pem -outform PEM

• Use a Java Keytool which allows you to a) create a keystore, b) import a certificate, c) import a private key. The following tools allow you to easily manage Java keystores:

  • Portecle: http://sourceforge.net/projects/portecle/

  • KeyTool IUI: http://yellowcat1.free.fr/keytool_iui.html

• Add the following init-param tags to the web.xml of the LDAPServlet (but don't forget to adapt the values according to your environment):

Listing 20: init-param tags required to enable LDAP SSL

...
<init-param>
<param-name>sslKeystoreFile</param-name>
<param-value>/var/ssl/keystore.jks</param-value>
</init-param>
<init-param>
<param-name>sslKeystoreType</param-name>
<param-value>JKS</param-value>
</init-param>
<init-param>
<param-name>sslKeystorePass</param-name>
<param-value>changeit</param-value>
</init-param>
<init-param>
<param-name>sslKeyPass</param-name>
<param-value>changeit</param-value>
</init-param>
...

• to avoid confusion, you might also want to change the port from 1389 (LDAP for openCRX) to 1689 (LDAPS for openCRX) – see chapter 9.1.1 Configuring the openCRX LDAP Port for information on how to do that.

9.1.3 LDAP Configuration of Thunderbird

The following steps are required to configure Thunderbird 3 for LDAP:

• start Thunderbird and select the menu Tools > Options

• select Composition and select the tab Addressing

• check Directory Server and click on the button Edit Directories
  

  Figure 51: Thunderbird LDAP Configuration

• in the dialog window LDAP Directory Servers click on the button Add

• populate the Directory Server Properties dialog as follows (the example entries are assuming the openCRX Server is at localhost, the provider is CRX and the Segment is Standard, connecting with Username guest):

Field	Entry	Example
Name	any name you like	local-CRX.Standard [All Accounts]
Hostname	host name or IP address	localhost
Base DN	ou=filter/[filter name],ou=Persons	ou=filter/All Accounts,ou=Persons
Port number	1389	1389
Bind DN	<principal>@<segment name>	guest@Standard

• click OK to accept

9.1.4 LDAP Configuration of MS Outlook

The following steps are required to configure MS Outlook 2007 for LDAP:

• start Outlook and select the menu Tools > Account Settings

• click on the tab Address Books

• populate the Add/Change E-mail Account dialog as follows (assuming the openCRX Server is at localhost, connecting with Username guest):

Server Name	localhost
This server...	check “This server requires me to log on”
User Name	<principal>@<segment name>, e.g. guest@Standard
Password	<enter your openCRX password for user guest>

• click on the button More Settings and select the tab Connection

• enter a display name (of your choice) and verify that port is set to 1389

• select the tab Search

• in the field group Search Base click on Custom and populate as follows:

Custom

ou=filter/All Accounts,ou=Persons

Figure 52: MS Outlook LDAP Configuration

• click OK, Next, Finish, and Close to conclude the configuration

9.2 openCRX vcard Servlet

The openCRX vcard servlet does for accounts what the openCRX ical servlet does for activities: it makes them available to third-party clients who access the openCRX server with the http protocol.

9.2.1 Account Selectors

openCRX can map sets of accounts to a vcard file (a sequence of vcards). The resulting vcard file can be imported and/or processed by vcard-enabled clients like Outlook, Thunderbird, etc. At this time, account filters are the only supported account selectors. Account filters support reading and updating, but not creating of accounts (R=read, U=update):

Set of Accounts	RUC	vCard Selector
Account Filter	RU	accounts?id=<provider>/<segment>/filter/<account filter name>&type=vcf

VCF Selector Examples:

accounts?id=CRX/Standard/filter/All+Accounts&type=vcf

accounts?id=CRX/Standard/filter/Accounts+with+missing+or+broken+vCard&type=vcf

Use the openCRX Wizard “Connection Helper” to generate valid VCF Selectors. You can start the wizard from your homepage: Choose the options “vCard” and “Account Filter” and then select the desired account filter:

9.2.1.1 Connecting MS Outlook to the openCRX vcard servlet

Detailed instructions on how to connect MS Outlook are available from http://www.opencrx.org/opencrx/2.4/Outlook_ICS_VCF_adapter.htm

9.2.1.2 Connecting Thunderbird to the openCRX vcard servlet

A Thunderbird add-on (supporting both TB2 and TB3) is available that enables you to map Thunderbird address books to openCRX account selectors:

http://opencrx.mozdev.org/

9.3 Calendaring

9.3.1 Calendar as a Set of Activities

openCRX supports a wide range of types of activities, including E-Mails, Tasks, Meetings, Phone Calls, etc. Even though all activities are kept in a flat structure (think of a box containing activities), openCRX offers a multitude of ways to structure, filter, and group activities:

• activities can be assigned to activity groups, which enables you to group them by Tracker, Category, and Milestone

• activities can be filtered with predefined filters (e.g. activities filtered to a user's homepage, activities filtered by resource) and user-defined ActivityFilters (either at a global level or at the level of an activity group)

To fully understand the power of this approach, consider a large project X (e.g. building a power plant) with millions and millions of activities. With openCRX, a project is typically mapped to an activity tracker (e.g. all activities of project X are assigned to the activity tracker Project X). As a large project is often times structured, i.e. broken down into subprojects, milestones, etc., let us assume that the respective subset of activities related to a milestone of Project X is assigned to an activity group Milestone 2. With openCRX, it's a single click and you can browse all the activities assigned to Milestone 2, or you can view all these activities in a calendar application like Sunbird or MS Outlook:

Figure 53: openCRX Activity Groups / openCRX Activity Filters

It goes without saying that different users have different needs. It is also quite natural that the needs change over time. With openCRX, it is easy to deliver as there are virtually unlimited possibilities to slice and dice the universe of activities. For example, instead of pulling a set of activities based on their assignment to activity groups, there are many use cases where one would like to define a filter to define a subset of activities. On the one hand, openCRX features lots of default filters, on the other hand, there are powerful tools to define custom filters virtually any way you like. For example: an auditor might be interested in all activities involving a particular subcontractor, another user could be interested in browsing through all the meetings related to Project X. Hence, in the context of calendaring it helps if you think of a calendar as a set of activities, nothing more and nothing less.

9.3.2 Calendar Selectors

openCRX can map each of the above-mentioned set of activities to a calendar. Depending on the mapping, the resulting calendar can be presented in various formats, e.g. ICS calendar, Free Busy calendar, XML file, Timeline, etc. Some typical ICS calendar selectors are listed below (R=read, U=update, C=create):

Set of Activities	RUC	ICS Calendar Selector
Tracker	RUC	activities?id=<provider>/<segment>/tracker/<name>&type=ics
... Filtered	RUC	activities?id=<provider>/<segment>/tracker/<name>/filter/<filter name>&type=ics
Category	RUC	activities?id=<provider>/<segment>/category/<name>&type=ics
... Filtered	RUC	activities?id=<provider>/<segment>/category/<name>/filter/<filter name>&type=ics
Milestone	RUC	activities?id=<provider>/<segment>/milestone/<name>&type=ics
... Filtered	RUC	activities?id=<provider>/<segment>/milestone/<name>/filter/<filter name>&type=ics
Global Filter	RU	activities?id=<provider>/<segment>/globalfilter/<activity filter name>&type=ics
Homepage	RU	activities?id=<provider>/<segment>/userhome/<home qualifier>&type=ics
Resource	RU	activities?id=<provider>/<segment>/resource/<resource name>&type=ics
Birthdays	R	bdays?id=<provider>/<segment>/filter/<account filter name>&type=ics

Use the openCRX Wizard “Connection Helper” from your Homepage to generate valid Calendar Selectors: Choose the option “Calendar” and then make your selections:

CalDAV calendar selectors look as follows (R=read, U=update, C=create):

Set of Activities	RUC	CalDAV Calendar Selector
Tracker	RUC	<provider>/<segment>/tracker/<name>
... Filtered	RUC	<provider>/<segment>/tracker/<name>/filter/<filter name>
Category	RUC	<provider>/<segment>/category/<name>
... Filtered	RUC	<provider>/<segment>/category/<name>/filter/<filter name>
Milestone	RUC	<provider>/<segment>/milestone/<name>
... Filtered	RUC	<provider>/<segment>/milestone/<name>/filter/<filter name>
Global Filter	RU	<provider>/<segment>/globalfilter/<activity filter name>
Homepage	RU	<provider>/<segment>/userhome/<home qualifier>
Resource	RU	<provider>/<segment>/resource/<resource name>

CalDAV calendar selectors return either only VEVENT items or only VTODO items – it is not possible for a CalDAV collection (by design) to contain both types at the same time. By default, openCRX returns VEVENT items, if you want to get VTODO items, you can append the suffix “/VTODO” to the above CalDAV calendar selectors. Example: <provider>/<segment>/tracker/<name> returns VEVENT items only <provider>/<segment>/tracker/<name>/VTODO returns VTODO items only Also note that this behavior of CalDAV calendar selectors is different from the behavior of ICS calendar selectors. The latter can return both types of items, i.e. VEVENT and VTODO, as a reply to the same request, whereas the CalDAV calendar selector can only return either VEVENT or VTODO (by design of the CalDAV protocol, i.e. this is not a choice made by the openCRX developers). One of the consequences is that if you work with CalDAV you need to define 2 calendars per selector with clients like Sunbird or Lightning (one calendar for VEVENT and one for VTODO), whereas you only need to define 1 calendar if you work with ICS (because it contains both VEVENT and VTODO items).

Use the openCRX Wizard “Connection Helper” from your Homepage to generate valid Calendar Selectors: Choose the option “Calendar” and then make your selections (set Type to CalDAV for CalDAV calendar selectors):

The wizard can also build URLs for CalDAV calendar collections (iPhone, etc.):

Set of Calendars	RUC	CalDAV Calendar Collection Selector
Collection	RUC	<provider>/<segment>/user/<principal name>/profile/<profile name>

Example: http://demo.opencrx.org/opencrx-caldav-CRX/CRX/Standard/user/guest/profile/MyCals

9.3.3 Mapping of Activities to Calendar Events and Tasks

Both the openCRX ical servlet and the openCRX caldav servlet map openCRX activities to calendar events (VEVENT) and tasks (VTODO) as follows based on the openCRX activity class and the iCal type at hand:

openCRX Activity Class	iCal Type	Mapped to
* (any)	VEVENT	VEVENT
* (any)	VTODO	VTODO
Incident	Automatic	VEVENT
Meeting	Automatic	VEVENT
Sales Visit	Automatic	VEVENT
Task	Automatic	VTODO
Phone Call	Automatic	VEVENT
E-Mail	Automatic	VEVENT
Mailing	Automatic	VEVENT
Absence	Automatic	VEVENT
External Activity	Automatic	VEVENT

The openCRX AirSync Adapter uses a different mapping (see chapter 10.2 Mapping of openCRX Objects to AirSync Objects for details).

Hence, all openCRX activities correspond to either calendar events (VEVENT) or tasks (VTODO). An openCRX activitiy's iCal representation is stored in the iCal attribute:

Figure 54: An openCRX activity's iCal representation

In the openCRX standard GUI the same activity is presented as follows:

Figure 55: An openCRX activity in the standard GUI

9.3.3.1 Conversions between VEVENT and VTODO

Many calendar applications differentiate between events (entries in a calendar with well-defined start and end date) and tasks or to-dos (entries in a task list with a well-defined due date). openCRX also supports this distinction and can even convert activities from VEVENT to VTODO and vice versa without loss of information. To convert an openCRX activity from one type to the other, edit the activity and change the value of the iCal type dropdown:

Figure 56: iCalendar conversion between VEVENT and VTODO

9.3.4 Calendaring / Free Busy

Free Busy is part of the iCalendar standard (RFC 2445) for calendar data exchange (see also Wikipedia). Many calendar clients rely on this information for group scheduling. openCRX can derive free busy information on-the-fly from the respective activities; as most clients do not support authentication the default configuration of the openCRX ical servlet does not require authentication to retrieve Free Busy information. However, the principal guest must exist (but you can disable the login):

Free Busy URL (without authentication, requires openCRX principal guest):

http://<crxServer>:<Port>/opencrx-ical-<Provider>/freebusy
?id=<Provider>/<Segment>/<Calendar Selector>

Example:
http://localhost:8080/opencrx-ical-CRX/freebusy?id=CRX/Standard/tracker/main

Please note that free busy information is provided by the openCRX server in a read-only fashion (i.e. free busy clients cannot update such information).

If you prefer authentication for Free Busy clients you can add the url-pattern /freebusy to the web-resource-collection (in the file web.xml of the ical servlet).

9.3.4.1 Free Busy Configuration of Thunderbird

Thunderbird 2.0 supports free busy if the following add-ons are installed:

• Lightning (at least v0.9)

• SOGo Connector Thunderbird Extension (at least v0.95)

Once the SOGo Connector is installed, Contact Cards of the Thunderbird Address Book will feature a tab CalDAV. This is where you can enter the URL:

9.3.4.2 Free Busy Configuration of MS Outlook

See http://support.microsoft.com/kb/291621. Please note that Outlook does not support SSL with free busy.

9.3.5 Calendaring / iCalendar (ICS)

iCalendar is implemented/supported by a large number of products (see RFC 2445 or Wikipedia for information about the iCalendar standard, sometimes referred to as “iCal”). openCRX can derive iCalendar information on-the-fly from the respective activities. iCal clients must authenticate to read and/or write iCalendar data.

ICS URL (with authentication):

http://<crxServer>:<Port>/opencrx-ical-<Provider>/activities
?id=<Provider>/<Segment>/<Calendar Selector>&type=ics

Example:
http://localhost:8080/opencrx-ical-CRX/activities?id=CRX/Standard/tracker/main&type=ics

	See chapter 9.3.2 Calendar Selectors for information on how to construct calendaring URLs.
	Please note that calendars without “C” (create) in the table provided in chapter 9.3.2 Calendar Selectors do not support creation of new events/tasks with external ICS clients. The reason being that without a well-defined ActivityCreator associated with the respective calendar selector it is not possible to create an activity and assign it to the appropriate activity groups.

While the mapping of most of openCRX's activity attributes to iCal attributes is obvious, the following hints might still be helpful:

VEVENT:

• Activity.disabled==true --> STATUS:CANCELLED

• Activity.percentComplete==0 --> STATUS:TENTATIVE

• percentComplete>0 --> STATUS:CONFIRMED

VTODO:

• Activity.disabled==true --> STATUS:CANCELLED

• Activity.percentComplete==0 --> STATUS:NEEDS-ACTION

• Activity.percentComplete>0 --> STATUS:IN-PROCESS

• Activity.percentComplete==100 --> STATUS:COMPLETED

Please note that Activity.percentComplete cannot be changed upon import of a vCard as openCRX activities are managed by activity processes. Hence, changing the status of an activity outside of openCRX does not change the status of this activity in openCRX (even if it is reimported).

9.3.5.1 ICS Configuration of Thunderbird/Lightning and Sunbird

Thunderbird 3.0 with the Lightning add-on (at least version 1.0) is a fully-fledged calendar client and offers virtually the same calendaring functionality as the stand-alone calendar client Sunbird (at least version 1.0). Creating a remote calendar (hosted on your openCRX server) is rather straightforward:

• start Thunderbird/Lightning or Sunbird

• select the menu File > New Calendar

• in the dialog window Create New Calendar you select On the Network

• then you select iCalendar (ICS)

• enter an ICS URL into the field Location;
  example: the user guest would connect to this openCRX homepage with the URL http://127.0.0.1:8080/opencrx-ical-CRX/activities?id=CRX/Standard/userhome/guest&type=ics
  See chapter 9.3.2 Calendar Selectors for information on ICS URLs

• give your calendar a name and pick a color of your choice

• That's it. You are connected to openCRX:
  

Version 1.0 of Thunderbird/Lightning and Sunbird requires a life connection to openCRX (i.e. no support for offline viewing/editing) unless you enable the experimental Cache of Ligthning/Sunbird.

9.3.5.2 ICS Configuration of MS Outlook

Out of the box Redmond's flagship MS Outlook 2007 does not offer you much choice with ICS calendars. You are stuck with one of the following 2 options:

• Published Calendars
  are local calendars published to a remote location, but there is no sync with that remote calendar (i.e. changes to the remote calendar will never automatically make it back into your Outlook)

• Internet Calendar Subscription
  These calendars are striclty read-only in Outlook, i.e. not very useful...

Not to leave you out in the rain, we put together a bunch of VBA scripts that teach your Outlook a few new tricks. The scripts and detailed instructions for both MS Outlook 2003 and MS Outlook 2007 are available from http://www.opencrx.org/opencrx/2.4/Outlook_ICS_VCF_adapter.htm

9.3.5.3 ICS Configuration of Zimbra

Zimbra (v5.0.14 GA Release) does not offer you much choice with remote ICS calendars. It is possible to subscribe to a remote calendar, but in read-only mode; furthermore, only a minimal set of iCal attributes is actually visible in the Zimbra calendar. Nevertheless, here is how to subscribe:

• connect to your Zimbra server and login

• click on the tab [Calendar]

• click the button [New Calendar] and then populate the dialog as follows:
  

Please note that the ICS URL in the field URL must also include your openCRX user name and password because Zimbra does not really manage your remote credentials.

9.3.5.4 ICS Configuration of iPhone

With iPhone OS3.0 you can connect to any remote ICS calendar (read-only) as follows:

• on your iPhone home screen, tap the icon Settings

• tap on Mail, Contacts, Calendars

• tap on Add Account...

• tap on Other

• tap on Add Subscribed Calendar

• enter or paste the ICS URL into the field Server

• tap [Next] to verify the account information

  If you get a message “Cannot Connect Using SSL” tap [No] to move on to the next screen where you can enter the connection details.

• verify/complete your subscription information as follows:

  Name	Value / Description
  Server	verify the ICS URL
  Description	any text you like (default is the ICS URL)
  Username	your openCRX user name
  Password	your openCRX password
  Use SSL	if you use SSL, set to [ON], otherwise [OFF]
  Remove Alarms	as you prefer

• tap [Next]

• if you use SSL in combination with a self-signed certificate, you will get a message Unable to Verify Certificate --> tap Accept

• if everything works out, you can tap Save to store the settings and your calendar will be available in the Calendar App from the iPhone's home screen

This ICS calendar feature is particularly useful to connect your iPhone to a birthday calendar generated by openCRX (use the wizard “Connection Helper” to calculate the URL (server name respectively) for any desired Account Filter:

9.3.5.5 Deleting Events

The openCRX ICS Adapter does not support deleting events (because deleting objects is typically not an acceptable operation in an enterprise environment). openCRX does support disabling of objects, however. If there is a need to disable events directly from your ICS Client, here is how to do it:

• Assuming you have a remote calendar CAL with the URL <U> defined in your ICS client, define a new remote calendar CAL-trash with the URL <U>&disabled=true (i.e. append the string “&disabled=true” to the URL); the name of the calendar is not important, we just call it “CAL-trash” to indicate that it contains disabled activities.

  example:
  existing calendar CAL (showing only events that are not disabled) with the URL
  http://127.0.0.1:8080/opencrx-ical-CRX/activities?id=CRX/Standard/userhome/guest&type=ics
  
  the URL of the calendar CAL-trash showing events that are disabled is
  http://127.0.0.1:8080/opencrx-ical-CRX/activities?id=CRX/Standard/userhome/guest&type=ics&disabled=true

• to delete an event of your calendar CAL, move the event from the calendar CAL to the calendar CAL-trash

9.3.5.6 iCalender Guard Event

If you retrieve an iCalender from the openCRX ICS Adapter, the very first event is a so-called Guard Event:

• the Guard Event is always the first event delivered by the ICS Adapter

• the attribute SUMMARY corresponds to the Calendar-ID

• the attribute DTSTART is set to 19000101T000000Z

The openCRX ICS Adapter supports the creation of new events/tasks as long as a calendar's Guard Event is posted to the adapter together with the new event/task. The openCRX ICS Adapter also verifies the UID of the Guard Event.

9.3.6 Calendaring / CalDAV

CalDAV is implemented/supported by a growing number of products (see http://caldav.calconnect.org/ or Wikipedia for information about the CalDAV standard). openCRX is a fully-fledged CalDAV server; the functionality is implemented by a native CalDAV servlet. CalDAV clients must authenticate to read and/or write CalDAV data.

CalDAV URL for individual calendar:

http://<crxServer>:<Port>/opencrx-caldav-<Provider>/<Provider>/<Segment>/<Calendar Selector>

Example:
http://localhost:8080/opencrx-caldav-CRX/CRX/Standard/tracker/main

CalDAV URL for CalDAV calendar collection:

http://<crxServer>:<Port>/opencrx-caldav-<Provider>/<Provider>/<Segment>/user/<principal name>/profile/<Calendar Profile>

Example:
http://localhost:8080/opencrx-caldav-CRX/CRX/Standard/user/guest/profile/MyCals

See chapter 9.3.2 Calendar Selectors for information on how to construct calendaring URLs. The easiest way to construct CalDAV URLs is to use the openCRX Wizard “Connection Helper” from your Homepage.

Please note that calendars without “C” (create) in the table provided in chapter 9.3.2 Calendar Selectors do not support creation of new events/tasks with external CalDAV clients. The reason being that without a well-defined ActivityCreator associated with the respective calendar selector it is not possible to create an activity and assign it to the appropriate activity groups. In the case of calendar collections/profiles, it depends on the feed whether the respective calendar supports activity creation or not. If openCRX can determine a well-defined ActivityCreator, activity creation is supported, otherwise not.

9.3.6.1 CalDAV Collections

Some CalDAV clients (e.g. Apple's iPhone) support CalDAV collections. With openCRX you can define CalDAV collections as follows:

• navigate to a user's homepage

• click on the tab [Sync Profiles] and select New > Calendar Profile:
  

• enter at least a name for your new collection, e.g. MyCals, and then click [Save]

• navigate to this new calendar profile and then add the desired feed(s), e.g. an Activity Tracker or an Activity Filter, as follows:

• select New > Activity Group Calendar Feed as shown below:
  

• select an activity group and enter at least a name for this feed and mark it as active (some CalDAV clients support coloring, i.e. you can optionally also enter color information):
  

• click [Save]

• optionally, add more feeds (you can also add additional feeds later)

9.3.6.2 CalDAV Configuration of Thunderbird/Lightning and Sunbird

Thunderbird 3.0 with the Lightning add-on (at least version 1.0) is a fully-fledged calendar client and offers virtually the same calendaring functionality as the stand-alone calendar client Sunbird (at least version 1.0). Creating a remote calendar (hosted on your openCRX server) is rather straightforward:

• start Thunderbird/Lightning or Sunbird

• select the menu File > New Calendar

• in the dialog window Create New Calendar you select On the Network

• then you select CalDAV

• enter a CalDAV URL into the field Location;
  example: the user guest would connect to this openCRX homepage with the URL http://127.0.0.1:8080/opencrx-caldav-CRX/CRX/Standard/userhome/guest
  See chapter 9.3.2 Calendar Selectors for information on CalDAV URLs

• give your calendar a name and pick a color of your choice

• that's it – you are connected to openCRX

9.3.6.3 CalDAV Configuration of MS Outlook

Outlook does not support CalDAV. There are third-party extensions you might want to try. Some of them are listed at http://wiki.davical.org/w/CalDAV_Clients/Outlook.

See also http://www.opencrx.org/opencrx/2.4/Outlook_ICS_VCF_adapter.htm

9.3.6.4 CalDAV Configuration of iPhone (OS3.0+)

Connect to any openCRX calendar collection as follows with your iPhone:

• connect to openCRX and navigate to the desired calendar collection

• start the wizard Connection Helper: AirSync / Calendar / vCard from your openCRX homepage:
  

• this wizard “calculates” the CalDAV URL required to connect:
  

• copy the above URL (you'll need to paste it later)

• on your iPhone home screen, tap the icon Settings

tap on Mail, Contacts, Calendars tap on Add Account... tap on Other tap on Add CalDAV Account and then enter or paste the CalDAV URL into the field Server and populate the fields User Name and Password as shown below: tap [Next] to verify the account information

If you get a message “Cannot Connect Using SSL” tap [No] to move on to the next screen where you can enter the connection details.

• verify/complete your subscription information as follows:

  Name	Value / Description
  Server	verify the server name
  User Name	your openCRX user name
  Password	your openCRX password
  Description	any text you like
  Use SSL	if you use SSL, set to [ON], otherwise [OFF]
  Port	port number (Tomcat)
  Account URL	the CalDAV URL

• if you use SSL in combination with a self-signed certificate, you will get a message Unable to Verify Certificate --> tap Accept

• if everything works out, you can tap Save to store the settings and your calendar will be available in the Calendar App from the iPhone's home screen

Unfortunately, neiter iPhone OS3.0+ nor iOS 4.0+ supports Tasks over CalDAV, i.e. you will only see openCRX Activities of type VEVENT in your iPhone calendar.

9.3.6.5 Deleting Events

The CalDAV protocol supports deletion of events/tasks. openCRX honors such requests, although the respective activity is disabled and not deleted. If you absolutely want to delete an activity you can do so with the standard GUI.

9.3.7 Calendaring / Timeline

Timeline is an extremely interesting DHTML-based AJAX widget for visualizing time-based events. It is like Google Maps for time-based information. A live example is available at http://www.simile-widgets.org/timeline/

Figure 57: Timeline visualizes time-based events

CrxObjects with sets of activities typically feature the wizard Timeline. Simply call that wizard to construct a timeline to visualize activities right in your browser:

9.4 Mailstore / IMAP

Instead of offering platform specific plugins for a multitude of mail clients like MS Outlook, MS Outlook Express, Thunderbird, Evolution, Eudora, Elm, etc. openCRX features a platform neutral IMAP adapter (get more information about IMAP or read what Wikipedia is saying about IMAP). The advantages of such a standardized IMAP adapter are:

• works with any IMAP client (including your favorite one)

• no clumsy installation of plugins, i.e. you can get this to work on your company's laptop regardless of how “hardened” and locked down the system is

• supports single message import and bulk import

• imports headers, body, and attachments

• automatically creates references to sender and recipient(s) if the respective e mail addresses are present in openCRX

In a nutshell this means that you can use any IMAP client to connect to openCRX and view openCRX EMailActivities. openCRX activity groups are mapped to IMAP folders. The folders contain openCRX EMailActivities.

Viewing/exporting of EmailActivities is always possible, creating/updating of EmailActivities requires that an E-Mail Activity Creator is defined for the respective Activity Group, and deleting of EmailActivities is not supported.

	If you move an e-mail message from a non-openCRX IMAP folder to an openCRX IMAP folder and the target folder does not have a valid E-Mail Activity Creator defined, openCRX will not be able to create an EMailActivitiy in that folder. Due to the move operation the message is deleted from the source folder and your e mail message is lost. Hence, it is good practice to copy (and not move) e-mails to openCRX IMAP folders. Only after verifying that the EMailActivitiy was actually created by openCRX in the target folder should you delete (if necessary) the message from the source folder.
	E-mail addresses should be unique! If you import e-mails into openCRX with the IMAP Adapter, openCRX tries to match sender and recipients based on e-mail addresses. For obvious reasons, this will produce unexpected (if not undesired) results if e-mail addresses in openCRX are not unique. You can test your openCRX database for duplicate e-mail addresses with the following query: SELECT email_address, count(*) FROM OOCKE1_ADDRESS GROUP BY email_address HAVING count(*) > 1
	E-mail address UNASSIGNED. If the openCRX IMAP Adapter is not able to link a sender/recipient address to an existing e-mail address in openCRX, the adapter can assign such senders/recipients to an account of your choice. Simply add an e-mail address UNASSIGNED to the desired account as shown below: Figure 58: E-Mail Address UNASSIGNED In order to detect missing e-mail addresses (and then enter them and reassign the respective e-mail activities) you can simply work through the activities assigned to the account with the above e-mail address.

The following information is required to connect an IMAP client to openCRX:

Host	IP address or host name of openCRX Server Examples: localhost, 127.0.0.1, myCrxServer.myCompany.com, etc.
Port	1143 (note that the IMAP standard port is 143)
User name	<login principal name>@<Segment> Example: guest@Standard
Password	principal's openCRX password

The openCRX IMAP adapter does support SSL starting with openCRX v2.6. With previous versions that do not support SSL you should use the IMAP adapter on secured networks only (Intranet, VPN, ...).

9.4.1 Configuring the openCRX IMAP Port

The openCRX IMAP port is by default set to 1143 (to avoid conflicts with other IMAP daemons listening on the IMAP standard port 143). You can change this configuration in the file web.xml located in the directory
opencrx-core-CRX\opencrx-imap-CRXWEB-INF\

Look for the the param-name port.

If you build your own EARs you can change the openCRX LDAP port in your project's file build.properties (imap.listenPort) or directly in your build.xml.

9.4.2 Configuring the IMAP Maildir Cache

For increased performance the openCRX IMAP Adapter works with a cache. The location of this cache, the so-called Maildir, can be set as a JAVA_OPTS.

You can reset the cache by deleting it. The openCRX IMAP Adapter will recreate the cache automatically. Hence, you might want to delete the cache when restarting Apache Tomcat.

9.4.2.1 Maildir Configuration with Apache Tomcat

Add the following line to your JAVA_OPTS in your Tomcat start batch file (e.g. tomcat.bat, run.bat, run.sh, etc.):

Listing 21: Set org.opencrx.maildir for Apache Tomcat

...
set JAVA_OPTS=%JAVA_OPTS% -Dorg.opencrx.maildir="%CATALINA_HOME%\maildir"
...

9.4.3 Enabling SSL Support for IMAP

With the following steps you can enable SSL support for IMAP:

• Create cert and key with OpenSSL (e.g. server.key, server.crt)

• Convert cert and key to PEM format using OpenSSL:

• Key: openssl rsa -in server.key -out server-key.pem -outform PEM

• Cert: openssl x509 -in server.crt -out server-cert.pem -outform PEM

• Use a Java Keytool which allows you to a) create a keystore, b) import a certificate, c) import a private key. The following tools allow you to easily manage Java keystores:

  • Portecle: http://sourceforge.net/projects/portecle/

  • KeyTool IUI: http://yellowcat1.free.fr/keytool_iui.html

• Add the following init-param tags to the web.xml of the IMAPServlet (but don't forget to adapt the values according to your environment):

Listing 22: init-param tags required to enable IMAP SSL

...
<init-param>
<param-name>sslKeystoreFile</param-name>
<param-value>/var/ssl/keystore.jks</param-value>
</init-param>
<init-param>
<param-name>sslKeystoreType</param-name>
<param-value>JKS</param-value>
</init-param>
<init-param>
<param-name>sslKeystorePass</param-name>
<param-value>changeit</param-value>
</init-param>
<init-param>
<param-name>sslKeyPass</param-name>
<param-value>changeit</param-value>
</init-param>
...

• to avoid confusion, you might also want to change the port from 1143 (IMAP for openCRX) to 1443 (IMAPS for openCRX) – see chapter 9.4.1 Configuring the openCRX IMAP Port for information on how to do that.

9.4.4 IMAP Configuration of Thunderbird

The following information is required to configure an IMAP account:

Email account	<login principal name>@<Segment> Example: guest@Standard
Password	openCRX password of the respective principal
Your name	<login principal name>@<Segment> Example: guest@Standard
Email Address	your e-mail address Example: guest@mycompany.com
Type of server	IMAP
Incoming Server Outgoing Server	name or IP address of your openCRX server Example: 127.0.0.1
Port	1143
Incoming User Name	<login principal name>@<Segment> Example: guest@Standard

Figure 59: Thunderbird IMAP Configuration

If you move an e-mail message from a non-openCRX IMAP folder to an openCRX IMAP folder and the target folder does not have a valid E-Mail Activity Creator defined, openCRX will not be able to create an EMailActivitiy in that folder. Due to the move operation the message is deleted from the source folder in your IMAP client and your e-mail message will be lost. Hence, it is good practice to copy (and not move) e-mails to openCRX IMAP folders. Only after verifying that the EMailActivitiy was actually created by openCRX in the target folder should you delete (if necessary) the message from the source folder.

9.4.5 IMAP Configuration of MS Outlook

The following steps are required to configure MS Outlook 2007 for LDAP:

Email account User Name	<login principal name>@<Segment> Example: guest@Standard
Password	openCRX password of the respective principal
Your Name	<login principal name>@<Segment> Example: guest@Standard
E-mail Address	your e-mail address Example: guest@mycompany.com
Account type	IMAP
Incoming mail server Outgoing mail server	name or IP address of your openCRX server Example: 127.0.0.1
Incoming Port	1143
Incoming User Name	<login principal name>@<Segment> Example: guest@Standard

Figure 60: MS Outlook IMAP Configuration

If you move an e-mail message from a non-openCRX IMAP folder to an openCRX IMAP folder and the target folder does not have a valid E-Mail Activity Creator defined, openCRX will not be able to create an EMailActivitiy in that folder. Due to the move operation the message is deleted from the source folder of your IMAP client and your e-mail message will be lost. Hence, it is good practice to copy (and not move) e-mails to openCRX IMAP folders. Only after verifying that the EMailActivitiy was actually created by openCRX in the target folder should you delete (if necessary) the message from the source folder.

10 openCRX AirSync (ActiveSync compatible)

openCRX AirSync allows you to connect your ActiveSync-enabled PDAs and mobile phones (e.g. Apple's iPhone, Android-based devices, RIM's BlackBerry, Windows Mobile devices, etc.) with openCRX to synchronize e-mails, contacts, events and tasks, including push functionality:

Figure 61: openCRX AirSync Server – Over The Air (OTA) Synchronization

Even though openCRX AirSync aims to be compatible with Microsoft's ActiveSync (see what Wikipedia has to say about ActiveSync), we are probably not quite there. openCRX v2.6 includes a first shot at an ActiveSync Server (developed from scratch based on the specs), so feel free to provide feedback, good or bad.

10.1 Configuring the AirSync Directory

The openCRX AirSync Adapter stores information about the “Folders to be monitored” in a directory on the server (one .ser file per ActiveSync client). The location of this AirSync directory can be set as a JAVA_OPTS (e.g. in a batch file like tomcat.bat, run.bat, run.sh, etc.):

Listing 23: Set org.opencrx.airsyncdir for Apache Tomcat

...
set JAVA_OPTS=%JAVA_OPTS% -Dorg.opencrx.airsyncdir="%CATALINA_HOME%\airsyncdir"
...

If the content of the AirSync directory gets lost, ActiveSync clients must renew the ping information (which recreates the respective .ser file). The iPhone, for example, does this if you enter/exit the respective Exchange Account settings.

10.2 Mapping of openCRX Objects to AirSync Objects

The openCRX AirSync servlet maps openCRX objects to ActiveSync objects (Contacts, Events, Tasks, Mails) as follows based on the openCRX object class and additional information at hand:

openCRX Object Class	Additional Requirement(s)	Mapped to	R=read U=update C=create
AccountGroup	referenced by ContactsFeed	Contact Folder	RUC
Account	referenced by member of AccountGroup that is mapped to Contact Folder	Contact	RUC
ActivityGroup	referenced by CalendarFeed and with assigned ActivityCreator for Meetings	Calendar Folder	RUC
Meeting (includes SalesVisit)	assigned to ActivityGroup that is mapped to Calendar Folder	Event	RUC
Incident	assigned to ActivityGroup that is mapped to Calendar Folder	Event	RU
ActivityGroup	referenced by CalendarFeed and with assigned ActivityCreator for Tasks	Task Folder	RUC
Task	assigned to ActivityGroup that is mapped to Task Folder	Task	RUC
ActivityGroup	referenced by CalendarFeed and with assigned ActivityCreator for E-Mails	E-Mail Folder	RUC
EMailActivity	assigned to ActivityGroup that is mapped to E-Mail Folder	E-Mail	RUC
ActivityFilter	referenced by CalendarFeed	Calendar Folder Task Folder E-Mail Folder	RU
Meeting (includes SalesVisit)	filtered by ActivityFilter that is mapped to Calendar Folder	Event	RU
Incident	filtered by ActivityFilter that is mapped to Calendar Folder	Event	RU
Task	filtered by ActivityFilter that is mapped to Task Folder	Task	RU
EMailActivity	filtered by ActivityFilter that is mapped to E-Mail Folder	E-Mail	RU

The openCRX ical and caldav Adapters use a different mapping for activities (see chapter 9.3.3 Mapping of Activities to Calendar Events and Tasks for details).

10.3 A User's AirSync Profile

10.3.1 Creation of a User's AirSync Profile

openCRX users can create a personal AirSync profile as follows:

• login and start the wizard Edit > User Settings from your homepage:
  

• click the button [Apply] – the wizard will create a SyncProfile named AirSync; you can verify this by clicking [Cancel] in the wizard and then navigating to the Grid [Sync Profiles] of your homepage:
  

• navigate to the AirSync profile – the wizard User Settings created two Sync Feeds, a Calendar Feed and a Contacts Feed (both named with your username, guest in the screen shot below):
  

10.3.2 Creating/Configuring an AirSync Calendar Feed

openCRX users have a private Activity Tracker called <username>~Private (e.g. guest~Private for the user named guest) and several private Activity Creators:

• <username>~Private (to create Incidents)

• <username>~Private E-Mails (to create E-Mail Activities)

• <username>~Private Meetings (to create Meetings)

• <username>~Private Tasks (to create Tasks)

Activities created with one of the above Activity Creators are automatically assignend to the respective user's Activity Tracker <username>~Private and the security is set such that only the respective user can access/update/delete such activities.

If you only need one private “calendar” to manage your activities, the wizard User Settings does all the work for you, i.e. there is nothing more to configure.

You can, however, add more calendar feeds (activity group calendar feeds or activity filter calendar feeds) to your AirSync profile just as you would add calendar feeds to a calendar profile (see chapter 9.3.6.1 CalDAV Collections).

10.3.3 Creating/Configuring an AirSync Contacts Feed

openCRX users have a private Account Group called <username>~Private (e.g. guest~Private for the user named guest). Any openCRX Account that is a referenced by a member of this Account Group is synchronized through your AirSync Contacts Feed. Think of a Contacts Feed as an Address Book.

The private Account Group created by the wizard “User Settings” is empty initially, i.e. there are no members defined. You can add members to your private Account Group as follows:

• navigate to your private Account Group, e.g. guest~Private (or any other Account Group referenced in the Contacts Feed you want to configure)

• start the wizard Wizard > Manage Members:
  

• the wizard Manage Members allows you to select Accounts to be added (or removed) as members from various predefined sets:

• all accounts (* Accounts)

• members of the respective Account Group (Member)

• filtered accounts of any Account Filter (Account Filter name)

  in addition, you can also restrict the choice to Contacts, Legal Entities, Groups, or Unspecified Accounts only:
  

• you can add individual accounts as members (click the respective checkbox) or all the accounts that are visible on the current page (click the button [+] followed by [OK]; similarly you can disable (or delete) members individually or all members that are visible on the current page

• the wizard can also detect duplicates based on the following criteria (check the respective option to enable duplicate detection): a particular e-mail address is shared by more than one account or more than one member references a particular account:
  

• once you're done with adding the desired accounts as members to your Account Group you can leave the wizard – in the grid [Members] you should see all the active members pointing to accounts that you will be able to synchronize with your AirSync Contacts Feed:
  

Seeing an account (and being able to retrieve it through AirSync) does not imply that you can also update such an account. Whether you have update access to a particular account depends on the security settings of the respective account. Please note that certain ActiveSync clients do not notify the user when an update fails (the iPhone, for example, does not tell you that an update request failed).

Deleting an account through AirSync does not really delete the account in openCRX, only the respective member of your Account Group (referenced in the respective Contacts Feed) is disabled. If required, you can reactive such a member, e.g. with the wizard Manage Members.

Please note that accounts in your private AirSync Contacts Feed are not necessarily private. Whether other openCRX users can see, update and delete such accounts depends on the security settings of the respective account.

10.3.4 Configuration of AirSync E-Mail

openCRX users have a private Activity Tracker called <username>~Private (e.g. guest~Private for the user named guest). E-Mail Activities assigned to this Activity Tracker will be synchronized with a corresponding E-Mail folder <username> – Mails (e.g. guest – Mails) in your ActiveSync client.

Furthermore, all the alerts on your homepage are mapped to E-Mails that are also synchronized with an E-Mail folder named <username> – Alerts (e.g. guest – Alerts).

No further configuration is required.

10.4 Connecting ActiveSync Clients to an AirSync Profile

In principle, any ActiveSync client should be able to connect to an openCRX AirSync Profile. The following clients have been tested and confirmed to work:

• iPhone (iOS 3.0+, iOS4.0+)

10.4.1 iPhone (iOS 3.0+, iOS4.0+)

Here are the steps to configure your iPhone to connect to an openCRX AirSync Profile:

Please note that with iOS3.0+ the number of Exchange Accounts is limited to 1, i.e. if you want to connect to more than 1 account you need to upgrade your iPhone to iOS4 (or Jail Break your iOS3).

10.4.1.1 Setting up an Exchange Account on the iPhone

• connect to openCRX and navigate to the desired calendar collection

• start the wizard Connection Helper: AirSync / Calendar / vCard from your openCRX homepage:
  

• let the wizard “calculate” server and domain of your AirSync profile:
  

• copy the server info (you'll need to paste it later)

• on your iPhone home screen, tap the icon Settings

tap on Mail, Contacts, Calendars tap on Add Account... tap on Microsoft Exchange and then enter your e-mail address (e.g. guest@opencrx.org) into the field Email and populate the fields Domain, Username and Password as shown to the right: tap [Next] to verify the account information

If you get a message “Cannot Connect Using SSL” tap [No] to move on to the next screen where you can enter the connection details.

• verify/complete your subscription information (enter or copy the server info as calculated by the wizard “Connection Helper”) as follows:

  Name	Value / Description
  Email	your (openCRX) e-mail
  Server	server info as calculated by the wizard “Connection Helper”, e.g. demo.opencrx.org:80/opencrx-airsync-CRX
  Domain	openCRX domain as calculated by the wizard “Connection Helper”, e.g. Standard
  User Name	your openCRX user name
  Password	your openCRX password
  Description	leave this empty (and let the iPhone calculate it)
  Use SSL	if you use SSL, set to [ON], otherwise [OFF]

• if you use SSL in combination with a self-signed certificate, you will get a message Unable to Verify Certificate --> tap Accept

• if everything works out, you can tap Save to store the settings

10.4.1.2 Setting up Synchronization for Contacts

tap on Mail, Contacts, Calendars tap on the Exchange Account, e.g. guest@opencrx.org enable synchronization of contacts by setting the ON/OFF button of Contacts to ON you are asked whether you want to keep your existing local contacts on your iPhone; that's probably a good idea, i.e. tap on Keep on My iPhone you are warned about duplicate entries, but just tap on Keep on My iPhone again

now your Exchange Account settings should look similar to the screen shot on the right:

leave the Exchange Account settings (e.g. by pressing your iPhone home button) and start your Contacts app; you should see the following contacts groups of your Exchange account, similar to the screen shot on the right: guest – Contacts Global Address List Search in the Global Address List is not implemented yet as of openCRX v2.6.0

tap on guest – Contacts to open your openCRX Contact group; you should see all the accounts referenced by members of your Account Group in openCRX tap on one of the Contacts to see the details as shown on the right

	You can synchronize multiple iPhone Contact Groups by defining multiple AirSync Contacts Feeds in openCRX (each of them will be mapped to an iPhone Contacts Group).
	openCRX address information supports multiple lines (separated by EOL or CR LF) – the iPhone maps this to two consecutive blanks (i.e. a blank immediately followed by another blank).
	If you don't have update rights in openCRX for a particular openCRX account, you will not be able to update this contact with the iPhone either. Unfortunately, the iPhone does not tell you about failed update requests (the update fails “silently”), i.e. make sure that your updates actually make it to openCRX before spend too much time correcting data...

10.4.1.3 Setting up Synchronization for Calendars

tap on Mail, Contacts, Calendars tap on the Exchange Account, e.g. guest@opencrx.org enable synchronization of calendars by setting the ON/OFF button of Calendars to ON you are asked whether you want to keep your existing local calendars on your iPhone; that's probably a good idea, i.e. tap on Keep on My iPhone you are warned about duplicate entries, but just tap on Keep on My iPhone again now your Exchange Account settings should look similar to the screen shot on the right:

leave the Exchange Account settings (e.g. by pressing your iPhone home button) and start your Calendar app; you should see an entry corresponding to your iPhone Exchange Account settings with subcalendars for each active calendar feed in your AirSync Profile (openCRX demo in the screen shot).

Neither iPhone OS 3.0+ nor iOS4.0+ synchronizes tasks through Exchange Account settings. Hence, you will only be able to see Events.

If your Calendar Feed references an Activity Group without a corresponding Activity Creator for the required activity type (you can verify this by navigating to the Activity Group and checking the grid [Activity Creators]) you will not see a calendar corresponding to your Calendar Feed. See also 10.2 Mapping of openCRX Objects to AirSync Objects).

10.4.1.4 Setting up Synchronization for Mail

tap on Mail, Contacts, Calendars tap on the Exchange Account, e.g. guest@opencrx.org enable synchronization of mail by setting the ON/OFF button of Mail to ON now your Exchange Account settings should look similar to the screen shot on the right:

to enable push mail you can tap on Mail Folders to Push and then select the desired folders by tapping; the screen shot on the right shows a push subscription for openCRX alerts sent to the user guest:

leave the Exchange Account settings (e.g. by pressing your iPhone home button) and start your Mail app; you should see an entry corresponding to your iPhone Exchange Account settings. If you open up the respective account you will see your mail folders provided by openCRX:

E-Mails sent through this account will be created in openCRX if an appropriate Activity Creator for E-Mails is available. By default, the user's private E-Mail Activity Creator <username>~E-Mails will be used.

11 openCRX is a REST Service (Web Service)

The openCRX REST servlet allows easy 3rd party integration with openCRX. The full functionality of the openCRX API can be accessed via REST requests, i.e. you can use openCRX as a REST Service.

See http://code.google.com/p/rest-client/ for a REST client.

Sample REST requests are available from
http://www.opencrx.org/opencrx/2.3/new.htm#REST

You might also want to look at the following Wiki page:
http://sourceforge.net/apps/trac/opencrx/wiki/Sdk26.Rest

12 Data Import/Export

There are many ways of importing data (from other systems into openCRX) and exporting data (from openCRX to other systems). Generally speaking, there is no best way of doing imports/exports because depending on how much weight you put on the pros and cons of the various methods you may come to a different conclusion. Some issues to consider are:

• one-time import/export vs. multiple imports/exports

• file-based/batched vs. connection-based/real-time

• allow manual process steps vs. fully automated

• ...

In this chapter we will cover some of the basic options you can choose from, but there are obviously other (and sometimes better) options to consider.

While it may be tempting to connect to the openCRX database for “quick and dirty” imports/exports, you should really consider using the openCRX API. On the one hand, importers/exporters accessing the database directly are bypassing openCRX security (this is actually more of a warning than a tip...). On the other hand, the openCRX database schema is subject to change (whereas the API is stable).

12.1 Importing Data into openCRX

The task of importing data is handled by importers. In principle, you can import almost anything into openCRX, it’s really only a matter of writing an appropriate importer.

You must ensure that (legal) values are assigned to all mandatory (i.e. non-optional) attributes of openCRX objects created/updated during the import; in particular, all code attributes are mandatory!

The Open Source distribution of openCRX includes importers for vCard (see Importing vCard Files)and iCalendar files (see Error: Reference source not found) in addition to the XML importer.

12.2 Importing XML Files

You can import virtually any data into openCRX as long as you provide it in the form of schema-compliant XML files. The openCRX schema files can be found in the file opencrx-kernel.jar (unzip and look for xmi subdirectories). Alternatively, you can export example objects as XML files and look at the produced XML files (although the generated XML file also contains all the derived and optional attributes; hence, you will have to prune the generated XML file before you can use it as a template).

Some of the configuration information and data provided with openCRX are also provided in the form of XML files and imported during system setup (e.g. units of measurement are loaded from opencrx-core-CRX\opencrx-core-CRX\WEB-INF\config\data\ Root\101_uoms.xml).

An XML import from a third party system might typically involve the following steps:

Figure 62: XML import from 3^rd party system – overview

You can import schema-compliant XML files with the following methods:

• Interactive / on-demand

  Navigate to your user home and execute the operation File > Import:

  

  Figure 63: Interactive import of XML Files

  Click on the button and navigate to XML file to be imported. Next you click OK to to start the import. Please note that this method is very suitable for small XML files and on-the-fly imports. If you are dealing with larger XML files, however, you should consider the bulk import described below.

• Bulk Import

  Use the bulk import for large XML files or if you need to import multiple XML files in an automated fashion. Put your XML file(s) into the following directory (you might have to expand the EAR file to do so):

  opencrx-core-CRX\opencrx-core-CRX\WEB-INF\config\data\<SegmentName>

  where <SegmentName> can be Root, Standard, or whatever your Segment is named.

  Next you login as openCRX Root administrator (admin-Root) and execute the operation View > Reload. Click Yes to start the operation.

  

  Figure 64: Interactive import of XML Files

	Once the import is started you can close the browser, i.e. there is no need to keep the session alive until the import is completed. Some information regarding the progress of the import is written to the console.
	In case you have data dependencies between/among your XML files (e.g. some files contain Contact data while others contain address data which is composite to Contact data) you should make sure that parent data are imported before child data gets imported. This should be relatively easy to achieve as XML files are imported in alphabetical order.

12.2.1 Importing Excel Files ( openCRX Accounts)

You can directly import Excel Sheets that contain field names in the first row and then data in the rows 2, 3, .... An example sheet is shown below:

Figure 65: Import Accounts from Excel Sheet – Sample Excel Sheet

The following field attributes are supported by the importer wizard:

Field Name	openCRX Attribute / Description
XRI	(optionally) provide XRI of openCRX account to be updated; if there is no match with an existing account, a new one will be created
DTYPE	(optionally) provide the type of openCRX account; acceptable values are: CONTACT, LEGALENTITY, GROUP, and UNSPECIFIEDACCOUNT
FIRSTNAME	Contact.firstName
MIDDLENAME	Contact.middleName
LASTNAME	Contact.lastName
ALIASNAME	Contact.aliasName
NICKNAME	Contact.nickName
SUFFIX	Contact.suffix
COMPANY	depending on the type of imported Account, the value is mapped to one of the following attributes: - Contact.organization - LegalEntity.name - Group.name - UnspecifiedAccount.name if the imported account is of type Contact and a matching account with name equal to COMPANY is found, then the imported Contact is made a member of the matching account; furthermore, COMPANYROLE is mapped to Member.memberRole and JOBTITLE is mapped to Member.description
JOBTITLE	Contact.jobTitle
DEPARTMENT	Contact.department
BIRTHDAY	Contact.birthdate the following formats are recognized: dd-MM-yyyy, dd-MM-yy, MM/dd/yyyy, MM/dd/yy
HOMEPHONE	Account.PhoneNumber.fullNumber (with usage = home)
HOMEPHONE2	Account.PhoneNumber.fullNumber (with usage = other)
HOMEFAX	Account.PhoneNumber.fullNumber (with usage = fax home)
HOMEADDRESSLINE	Account.PostalAddress.postalAddressLine (usage = home)
HOMESTREET	Account.PostalAddress.postalStreet (usage = home)
HOMECITY	Account.PostalAddress.postalCity (usage = home)
HOMEPOSTALCODE	Account.PostalAddress.postalCode (usage = home)
HOMESTATE	Account.PostalAddress.postalState (usage = home)
HOMECOUNTRY or HOMECOUNTRYREGION	Account.PostalAddress.postalCountry (usage = home)
BUSINESSPHONE	Account.PhoneNumber.fullNumber (with usage = business)
BUSINESSPHONE2	Account.PhoneNumber.fullNumber (with usage = other)
BUSINESSFAX	Account.PhoneNumber.fullNumber (with usage = fax business)
BUSINESSADDRESSLINE	Account.PostalAddress.postalAddressLine (usage = business)
BUSINESSSTREET	Account.PostalAddress.postalStreet (usage = business)
BUSINESSCITY	Account.PostalAddress.postalCity (usage = business)
BUSINESSPOSTALCODE	Account.PostalAddress.postalCode (usage = business)
BUSINESSSTATE	Account.PostalAddress.postalState (usage = business)
BUSINESSCOUNTRY or BUSINESSCOUNTRYREGION	Account.PostalAddress.postalCountry (usage = business)
MOBILEPHONE	Account.PhoneNumber.fullNumber (usage = mobile)
EMAILADDRESS	Account.EMailAddress.emailAddress (usage = business)
EMAIL2ADDRESS	Account.EMailAddress.emailAddress (usage = home)
EMAIL3ADDRESS	Account.EMailAddress.emailAddress (usage = other)
WEBPAGE	Account.WebAddress.webUrl (usage = business)
ASSISTANTSNAME	if a matching account with full name equal to ASSISTANTSNAME is found, then the matching account is made a member of the imported account; furthermore, ASSISTANTSNAMEROLE is mapped to Member.memberRole
MANAGERSNAME	if a matching account with full name equal to MANAGERSNAME is found, then the imported account is made a member of the matching account; furthermore, MANAGERSROLE is mapped to Member.memberRole
BUSINESSTYPE	Account.businessType you can provide a list of business types (each business type on a separate line) – see drop down / code table for valid values
NOTES	Account.description
MEMBEROF	if a matching account with full name equal to MEMBEROF is found, then the imported account is made a member of the matching account; furthermore, MEMBERROLE is mapped to Member.memberRole (you can provide a semicolon-separated list of member roles (e.g. founder;owner;Board of Directors) note: with this powerful feature you can establish relationships between accounts right at the time of importing accounts
CATEGORIES	Account.category you can provide a semicolon-separated list of categories (e.g. Business;Birthday;Xmas) and the importer will add all missing items to the list of categories contained in Account.category
NOTE_TITLE	creates or updates (if a note with the given title already exists) a note attached to the imported account; furthermore, NOTE_TEXT is mapped to the text attribute of the note
generic / model-driven String Boolean Short BigDecimal	the importer can also handle single-valued attributes of the types listed in the left-hand column in a generic / model-driven fashion; examples are: userString0 userBoolean3 userCode2 userNumber3 consult the openCRX UML Model for information on which attributes are available: http://www.opencrx.org/documents.htm#Doclatestuml

Those field names that are supported by MS Outlook match with the names produced if you export Contacts from MS Outlook to an Excel Sheet:

The Importer produces a detailed on-screen report with clickable links and a summary report stating the total number of created/updated accounts:

Figure 66: Import Accounts from Excel Sheet – Import Report

Before you launch an import of thousands of accounts, verify the structure of your Excel sheet with a few lines/accounts only.

12.2.2 Importing vCard Files ( openCRX Contacts)

vCard is file format standard for personal data interchange, specifically electronic business cards (additional information is for example available from http://en.wikipedia.org/wiki/VCard).

These are the steps to import a vCard file:

• click on the provider Accounts and navigate to an existing Contact (or create a new one)

• select the operation File > Import vCard to unhide the import dialog:

  

Figure 67: Operation vCard Import

• select the appropriate language

• click the Browse button and navigate to the vCard file you want to import

• click the OK button to start the import operation

12.2.3 Importing E-Mails

Please refer to the Chapter 8 E-mail Services, in particular chapter 8.3.2 Import E-mails.

12.2.4 Other Options

There are various other options to consider. You could for example develop a custom-tailored JSP Wizard to import data on demand or on a regular basis (e.g. controlled by the openCRX WorkflowController).

Sometimes it is more appropriate to develop a specific openCRX client to handle imports, and in a typical enterprise class environment you will probably consider developing adapters to connect/integrate openCRX with 3^rd party systems on a real-time basis.

12.3 Exporting Data from openCRX

The task of exporting data is handled by exporters. The Open Source distribution of openCRX includes exporters for vCard and iCalendar files in addition to the XML exporter.

This allows you to export contacts and meetings/sales visits or any other object from openCRX. vCard and iCalendar files can be imported by a large variety of other applications, including Microsoft Outlook. This chapter shows how to export data.

12.3.1 Exporting XML Files

Navigate to the object to be exported as XML file and execute the operation File > Export Advanced as shown below:

Figure 68: Exporting SalesOrder as XML File

In order to better control which additional objects (composites, referenced objects, ...) the XLM exporter should export together with the object loaded in the Inspector, you can (optionally) provide a reference filter (optionally with a navigation level). By default, only the current object will be exported. If you provide – for example when export­ing a sales order – customer;address as a reference filter, the customer and all referenced addresses will be exported together with the main object. If you export a contact and provide the reference filter member[1] you will get direct members of this contact.

If the export is successful the exporter will terminate with status OK and you will be provided with a link to the file Export.zip containing the raw data:

Figure 69: XML Exporter provides XML data file and code tables as ZIP file

The openCRX ICS Adapter can also export iCalendars in XML format:

ICS URL (to get XML file with authentication):

http://<crxServer>:<Port>/opencrx-ical-<Provider>/activities
?id=<Provider>/<Segment>/<Calendar Selector>&type=xml

Example:
http://localhost:8080/opencrx-ical-CRX/activities?id=CRX/Standard/tracker/main&type=xml

See chapter 9.3.2 Calendar Selectors for information on how to construct calendaring URLs.

12.3.2 Exporting Data to MS Excel / Open Office Calc Files

Navigate to the object to be exported as spreadsheet file and execute the operation File > Export Advanced as shown below:

Figure 70: Exporting SalesOrder as Spreadsheet File

In order to better control which additional objects (composites, referenced objects, ...) the XLM exporter should export together with the object loaded in the Inspector, you can (optionally) provide a reference filter. By default, only the current object will be exported. If you provide – for example – :*/:* as a reference filter, all composites up to 2 levels deep will be exported together with the main object (this should be sufficient for most use cases). You can also provide a reference filter to dereference and export referenced objects like the customer or the salesRep of a sales order.

If the export is successful the exporter will terminate with status OK and you will be provided with a link to the file Export.xls containing the raw data:

Figure 71: Exported Spreadsheet File

Based on such spreadsheet files end-users can easily create reports or do some ad-hoc data analysis without the need to know anything about Java or writing JSPs. The standard distribution of openCRX includes various example reports based on this technology.

12.3.3 Exporting openCRX Contacts ( vCard Files)

These are the steps to manually export a contact to a vCard file:

• navigate to the contact you want to export

• click on the tab Account

• select the contents of the field vCard and copy it to an empty text file

• save the text file with any name and extension “vcf”, e.g. contact.vcf:

Figure 72: Manually Export Contact as vCard

There is also a wizard vCard.jsp available which allows you to export individual accounts or batches of accounts as vCards.

Navigate to an Account and select File > Save as vCard to start the export:

Figure 73: Export individual Contact as vCard with Wizard

In order to export multiple accounts as vCards, create an Account Filter that selects the desired accounts and then navigate to this Account Filter. Select File > Save Filtered Accounts as vCard:

Figure 74: Export multiple Contacts as vCards with Wizard

12.3.4 Exporting openCRX Meetings ( iCalendar Files)

These are the steps to export an individual activity (e.g. a meeting or a sales visit) to an iCalendar file:

• navigate to the meeting (or sales visit) you want to export

• click on the tab Details

• select the contents of the field iCal and copy it to an empty text file

• save the text file with any name and extension “ics”, e.g. meeting.ics:

Figure 75: Exporting Meeting / Sales Visit as iCalendar File

There is also a wizard iCal.jsp available which allows you to export individual activities or batches of activities as iCals.

Navigate to an Activity and select File > Save as iCal to start the export:

Figure 76: Export individual Activity as iCal with Wizard

In order to export multiple activities as iCals, navigate to an Activity Group (Activity Tracker, Category, Milestone), to an Activity Filter (or to any other object that features a list of assigned activities like Userhome, Account) and then select File > Save Filtered Activities as iCal (Save Assigned Activities as iCal).

12.3.5 Exporting E-Mails

Please refer to the Chapter 8 E-mail Services, in particular chapter 8.2.3 Export E-mails.

12.3.6 Other Options

There are various other options to consider. You could for example develop a custom-tailored JSP Wizard to export data on demand or on a regular basis (e.g. controlled by the openCRX WorkflowController).

Sometimes it is more appropriate to develop a specific openCRX client to handle exports, and in a typical enterprise class environment you will probably consider developing adapters to connect/integrate openCRX with 3rd party systems on a real-time basis.

If you have a REST client available, then exporting via REST is also a very viable option.

13 Customizing openCRX

Please refer to the guides available at http://www.opencrx.org/documents.htm for detailed information regarding UI customization and localization.

13.1 Managing Locales

The default installation of openCRX activates all locales that are included in the Open Source distribution. The openCRX administrator may wish to deactivate certain locales from the locale list. This chapter shows how you can achieve this.

The locale list is contained in the file

opencrx-core-CRX\opencrx-core-CRX\WEB-INF\web.xml

Look for the section <!-- locales --> to find a list of available locales:

Listing 24: Locales in web.xml

<!-- locales -->
<init-param>
<param-name>locale[0]</param-name>
<param-value>en_US</param-value>
</init-param>
<init-param>
<param-name>locale[1]</param-name>
<param-value>de_CH</param-value>
</init-param>
<init-param>
<param-name>locale[2]</param-name>
<param-value>es_MX</param-value>
</init-param>
...

You can deactivate locales by simply commenting them out. The following example shows how to deactivate the locale de_CH.

Listing 25: Activating/Deactivating Locales in web.xml

<!-- locales -->
<init-param>
<param-name>locale[0]</param-name>
<param-value>en_US</param-value>
</init-param>
<!--
<init-param>
<param-name>locale[1]</param-name>
<param-value>de_CH</param-value>
</init-param>
-->
<init-param>
...

Please note that you must not deactivate the base locale (that is the locale with the id 0, typically en_US) as the base locale contains a lot of customizing information not present in other locales.

13.2 Managing Packages

The default installation of openCRX activates all packages that are included in the Open Source distribution. The openCRX administrator may wish to deactivate certain packages if they are not used. This chapter shows how you can achieve this.

The package list is contained in the file

opencrx-core-CRX\opencrx-core-CRX\WEB-INF\web.xml

Look for the section <!-- Admin --> to find a list of available packages:

Listing 26: Packages in web.xml

<!-- Admin -->
<init-param>
<param-name>rootObject[0]</param-name>
<param-value>xri:@openmdx:org.opencrx.kernel.admin1/provider/CRX/segment/${SEGMENT}</param-value>
</init-param>
<!-- Home -->
<init-param>
<param-name>rootObject[1]</param-name>
<param-value>xri:@openmdx:org.opencrx.kernel.home1/provider/CRX/segment/${SEGMENT}/userHome/${USER}</param-value>
</init-param>
<!-- Accounts -->
<init-param>
<param-name>rootObject[2]</param-name>
<param-value>xri:@openmdx:org.opencrx.kernel.account1/provider/CRX/segment/${SEGMENT}</param-value>
</init-param>
...

You can deactivate packages by simply commenting them out. The following example shows how to deactivate the package depot1:

Listing 27: Activating/Deactivating Packages in web.xml

...
</init-param>
<!-- Depots -->
<!--
<init-param>
<param-name>rootObject[6]</param-name>
<param-value>xri:@openmdx:org.opencrx.kernel.depot1/provider/CRX/segment/${SEGMENT}</param-value>
</init-param>
-->
<!-- Documents -->
<init-param>
<param-name>rootObject[6]</param-name>
<param-value>xri:@openmdx:org.opencrx.kernel.document1/provider/CRX/segment/${SEGMENT}</param-value>
</init-param>
<!-- Buildings -->
...

Please note that you must renumber all the packages listed after the package you deactivated so that the package numbering does not have any gaps (i.e. package numbering starts at 0 and it must be consecutive).

It is also possible to change the order of the active packages by renumbering them. However, you must still ensure both that the numbering starts at 0 and that the numbering is consecutive.

13.2.1 Enabling/Disabling Root Menu Entries

Individual user can enable/disable root menu entries with the wizard User Settings (available on a user's Homage):

Figure 77: Launch Wizard User Settings

Once the wizard has loaded, uncheck entries you don't need:

Figure 78: Wizard User Settings – enable/disable Root Menu Entries

Please note that entries corresponding to packages disabled by the openCRX administrator cannot be enabled with this wizard. Packages disabled in web.xml are not available at all!

Depending on the width of your screen you can adjust the number of items shown as tabs in the top-level navigation in the same wizard by changing the value of Show max items in top navigation (fewer items for narrow screens, more items for wider screens). If you uncheck Show top navigation sub-levels the top-level tabs will not contain menus for sub-levels.

13.3 Role-based UI

Requires Model Permissions (which are not implemented yet). The same goal can easily be achieved with multiple web applications, however.

13.3.1 Model Permissions

Model permissions are not implemented yet.

13.3.2 Custom Layout JSPs

openCRX is distributed with 2 default layout JSPs located in the directory opencrx-core-CRX\opencrx-core-CRX\WEB-INF\config\layout\en_US:

• show-Default.jsp

This layout JSP renders all pages that show information (typically an Inspector containing information about the current object and all the grids containing associated information). This layout JSP is generic (it is provided by openMDX/portal) and it can handle any object.

• edit-Default.jsp

Similarly, this layout JSP renders all pages that are used to edit objects.

If you have a need for specialized screens for a particular object in edit and/or show mode, you can write your own layout JSP and deploy it to the above-mentioned directory. The file name of your custom layout JSP determines which objects (or rather: objects of which class) will be handled by your custom layout JSP.

Example:

Let's assume you want to replace the default edit screen for openCRX Contacts (i.e. class org.opencrx.kernel.account1.Contact) with a custom layout JSP. Name your file

edit-org.opencrx.kernel.account1.Contact.jsp

and deploy it to the directory ...\WEB-INF\config\layout\en_US. After restarting Tomcat or your application server your new layout JSP will be active.

If you develop localized JSPs you can create new directories for the respective locales and then deploy your localized JSPs there. The fallback algorithms are comparable to those in ui customization.

14 Integration with Office Application

openCRX provides various technologies that enable you to easily integrate common office suites like Open Office or Microsoft Office.

14.1 MS Word, OpenOffice Writer, etc.

openCRX supports the JSP-wizard-based generation of RTF documents. You can generate RTF documents from scratch or merge data with existing RTF templates. The RTF documents are generated on the fly and can be opened with any RTF-compatible word processor including OpenOffice Writer and MS Word.

You can test this feature on our demo server (or on your own installation if you installed the openCRX Server) with the following steps:

• connect and login as user guest

• navigate to any contact and execute the operation
  Tools > Mail Merge --> RTF Document

• the wizard will provide a list of suitable templates and then generate the RTF document on the fly

Figure 79: RTF Document generated by merging live data with template

If you installed the openCRX SDK you will find the templates and the JSP wizard in the following locations:

• <SDK_Install_Dir>\opencrx-2.5.1\core\src\data\org.opencrx\documents

• <SDK_Install_Dir>\opencrx-2.5.1\core\src\data\org.opencrx\wizards\en_US\MailMerge.jsp

With this approach it is quite easy to generate all kinds of documents, including letters, invoices, purchase orders, etc.

14.2 MS Excel, Open Office Calc, etc.

openCRX supports both a raw spreadsheet export of data and the JSP-wizard-based generation of XLS documents. You can generate XLS documents from scratch or merge data with existing XLS templates. The XLS documents are generated on the fly and can be opened with any XLS-compatible spreadsheet program including OpenOffice Calc and MS Excel.

You can test this feature on our demo server (or on your own installation if you installed the openCRX Server) with the following steps:

• connect and login as user guest

• navigate to Accounts

• execute the operation Reports > Contacts Report as shown below
  

Figure 80: Contacts Export Dialog

• the Spreadsheet is generated on the fly and can be downloaded from the openCRX server by clicking on the link provided in the operation result

You might also want to look at the information provided in the chapters

• 12.3.2 Exporting Data to MS Excel / Open Office Calc Files

• 15.1 Standard Reports

14.3 MS Outlook, Thunderbird/Lightning, Sunbird, etc.

See chapters 9 Groupware Services and 10 openCRX AirSync (ActiveSync compatible) for more information.

15 Reporting

openCRX provides various technologies that enable you to create reports of a wide variety, anything from simple ad-hoc reports to large scale bulk reports.

15.1 Standard Reports

Included in the openCRX standard distribution are the following reports:

• Account List (available on Account Filters)

• Account Member List (available on Groups)

• Activity List (available on Activity Groups and Filters)

• Activity List with Follow-Ups (available on Activity Groups and Filters)

• Contract List (available on Contract Filters)

• Contract List with Positions (available on Contract Filters)

You can install these standard reports into any openCRX Segment with the wizard Segment Setup. The reports are based on spreadsheet templates. If you installed the openCRX SDK you will find the templates in the following location:

<SDK_Install_Dir>\opencrx-2.5.1\core\src\data\org.opencrx\documents\

The templates contain VBA macros to “beautify” the reports. These macros will probably not work in Open Office Calc...

You can test – for example – the Report Account List with the following steps:

• connect and login as user guest

• navigate to Accounts > Account Filters and select All Accounts

• select the Menu File > Export
  

• click the button [OK] to generate Export.xls

• open Export.xls with Excel (enable Macros) to get an alphabeticallly sorted list of accounts complete with e-mail address and phone numbers

15.2 Ad-hoc Reporting

See chapter 12.3.2 Exporting Data to MS Excel / Open Office Calc Files.

Standard office suite know how (and maybe a bit of macro programming) should get you a long way. Once you're ready to “institutionalize” a report you can prepare a template and an openCRX Export Profile. Consult the templates and the Export Profiles provided by the opeCRX distribution for examples.

15.3 Large Scale Reporting

If your task is to produce a large number of reports (e.g. monthly reporting for all your clients) or reports based on large amounts of data, spreadsheet-based reporting is probably not the way to go. Maybe you want to generate reports in a format other than XLS. On the one hand, openCRX already includes libraries to generate reports and documents in various formats, on the other hand you can easily add additional libraries to openCRX.

Format	Library / Additional Information
XLS	Apache POI / http://poi.apache.org/
PDF	iText / http://www.lowagie.com/iText/
RTF	Simple RTF Writer / http://www.it-s-easy.com/downloads.htm

Obviously, there are many more possibilities, like for example exporting data in XML format and then doing some kind of fancy transformation. One such example is available from http://www.koalix.org/

In terms of how to generate your reports, there are also various options available depending on your preferences:

• JSP-Based Reporting
  This approach is typically recommended if you need on-demand reporting and the generation of the report does not put an undue burden on the server. The following screen shot shows an example HTML-report:
  

• Java Program
  Large-scale batch reporting can be done with a Java Program (basically an openCRX client programmed in Java that prepares the desired reports).

• BI-Reporting Suite
  If you plan to use a BI-Reporting Suite (e.g. Crystal Reports, Pentaho, BIRT, etc.), you should keep in mind that directly accessing the openCRX database is not a very good idea. We strongly recommend you either retrieve data through the openCRX API (e.g. with REST) or set up a dedicated reporting DB (the process to populate such a reporting DB should retrieve data from the openCRX DB through the openCRX API). The reason for not accessing the openCRX database directly is the following one: while the openCRX API is stable, the OO-to-relational mapping is not and hence the schema of the openCRX DB is subject to change over time. Hence, if you access the openCRX DB directly you will have to adapt your reports if the DB schema changes, a potentially expensive proposition. Furthermore, whenever you access the openCRX DB directly there is no access control...

16 Miscellaneous Topics

16.1 Extended Service for openCRX/Tomcat Management

16.1.1 Multiple Instances of Tomcat

Extended Service is a Tomcat extension which allows to start multiple Tomcat instances with the same configuration and allows to stop / start the connectors of these instances individually.

The class org.openmdx.catalina.core.ExtendedService allows to handle the requested scenario. Adapt the server.xml as follows:

...
<Server port="${tomcat.server.port}" shutdown="SHUTDOWN">
...
<Service name="Catalina" port="${tomcat.service.port}" className="org.openmdx.catalina.core.ExtendedService">
...

The system properties are set per Tomcat instance, e.g.

Instance A:

• -Dtomcat.server.port=8005

• -Dtomcat.service.port=8006

Instance B:

• -Dtomcat.server.port=8105

• -Dtomcat.service.port=8106

If instance A and instance B have to run with different versions of EARs/WARs, create a Tomcat directory for each instance.

* Start instance A. The connectors are started.

* Start instance B. The connectors can not be started because of port conflicts.

Switch from instance A to B as follows:

* telnet localhost 8006 and enter command stopConnectors

* telnet localhost 8106 and enter command startConnectors

If the property org.openmdx.catalina.core.ExtendedService.autostartConnectors is unset or the property is set to true then the connectors will be started at startup of Tomcat. Otherwise the connectors are not started.

16.1.2 IMAPServer: pause / resume

The IMAPServlet (opencrx-imap-CRX/IMAPServlet) provides a GUI which allows to pause and resume the IMAPServer. The Wizard IMAPServer.jsp available as admin-Root redirects to the IMAPServlet. The IMAPServlet accepts the system property org.openmdx.catalina.core.ExtendedService.autostartConnectors. If unset or set to true, the IMAPServer is started at startup. If set to false, then the IMAPServer has to be started manually.

16.1.3 WorkflowController: pause / resume

The WorkflowControllerServlet accepts the new commands pause and resume. Pause stops pinging the controlled WorkflowServlets. The new commands are available via the GUI. The WorkflowControllerServlet accepts the system property org.openmdx.catalina.core.ExtendedService.autostartConnectors. If it is unset or set to true the WorkflowController is activated on startup. If set to false the WorkflowController has to be started/resumed manually.

16.2 SNMP Monitoring (with Sun JVM)

The SNMP agent for the Sun JVM can be enabled as described at http://java.sun.com/j2se/1.5.0/docs/guide/management/SNMP.html and http://www.ilikespam.com/blog/monitoring-the-jvm-with-snmp.

1. Put snmp.acl in TOMCAT_LWC_HOME/bin and give read access to the file for the owner only.

#The communities public and private are allowed access from the local host.
acl = {
{
communities = public, private
access = read-only
managers = localhost
}
}
# Traps are sent to localhost only
trap = {
{
trap-community = public
hosts = localhost
}
}

2. Add the following options to tomcat.sh -Dcom.sun.management.snmp.port=8161 -Dcom.sun.management.snmp.acl.file=TOMCAT_LWC_HOME/bin/snmp.acl

3. After startup the variables can be retrieved with
   snmpwalk -c public -v2c localhost:8161 .1.3.6.1.4.1.42.2.145.3.163.1.1.4.1.
   See http://support.ipmonitor.com/mibs/JVM-MANAGEMENT-MIB/oids.aspx for a list of all OIDs supported by the JVM.

A simple cron-based monitoring environment can invoke snmpwalk periodically and send mail if a monitored parameter violates a predefined constraint. Use gkrellm with the snmp extension (see http://triq.net/gkrellm_snmp.html) or OpenNMS (see http://www.opennms.org/) for more advanced monitoring.

This approach only works for the Sun JVM.

16.3 Tomcat w/ openCRX and LDAP-based Authentication

You can connect Tomcat w/ openCRX with OpenLDAP as follows:

• replace the JDBC Realm entry in the file opencrx-core-CRX\opencrx-core-CRX\META-INF\context.xml with the following entry:

<Realm
className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionName="cn=Manager,dc=opencrx,dc=org"
connectionPassword="secret"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userPattern="cn={0},ou=people,dc=opencrx,dc=org"
roleBase="ou=groups,dc=opencrx,dc=org"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>

• Users must be entered into your LDAP server as follows (userPattern):

# Users
dn: cn=guest,ou=people,dc=opencrx,dc=org
objectClass: organizationalPerson
sn: guest
cn: guest
userPassword: opencrx

dn: cn=admin-Root,ou=people,dc=opencrx,dc=org
objectClass: organizationalPerson
sn: admin-Root
cn: admin-Root
userPassword: opencrx

dn: cn=admin-Standard,ou=people,dc=opencrx,dc=org
objectClass: organizationalPerson
sn: admin-Standard
cn: admin-Standard
userPassword: opencrx

• Groups must be entered into your LDAP server as follows (roleBase, roleName, and roleSearch):

# Groups
dn: ou=groups,dc=opencrx,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=OpenCrxRoot,ou=groups,dc=opencrx,dc=org
objectClass: groupOfUniqueNames
cn: OpenCrxRoot
uniqueMember: cn=admin-Root,ou=people,dc=opencrx,dc=org

dn: cn=OpenCrxAdministrator,ou=groups,dc=opencrx,dc=org
objectClass: groupOfUniqueNames
cn: OpenCrxAdministrator
uniqueMember: cn=admin-Standard,ou=people,dc=opencrx,dc=org

dn: cn=OpenCrxUser,ou=groups,dc=opencrx,dc=org
objectClass: groupOfUniqueNames
cn: OpenCrxUser
uniqueMember: cn=guest,ou=people,dc=opencrx,dc=org

16.4 OpenEJB / Reestablishing dropped DB Connection

Add the 3 highlighted lines (TimeBetweenEvictionRunsMillis, ValidationQuery, TestWhileIdle) to the datasource definition in the file openejb.xml so that dropped database connections are reestablished automatically:

<?xml version="1.0" encoding="UTF-8"?>
<openejb>
...
<!-- openCRX with PostgreSQL, DB: CRX_CRX -->
<Resource id="jdbc_opencrx_CRX" type="DataSource">
...
ValidationQuery SELECT object_oid FROM prefs_preference WHERE object_oid = 'PERSISTENCE:type' AND object_idx = 0
TestWhileIdle true
TimeBetweenEvictionRunsMillis 1000
</Resource>
...
</openejb>

More information is available from http://openejb.apache.org/3.0/containers-and-resources.html.

16.5 Installing / Configuring OpenCms

OpenCms from Alkacon Software is a website content management system that allows you to create and maintain websites fast and efficiently. OpenCms nicely integrates with openCRX. The following instructions get you started (assuming you have a working installation of openCRX already):

• Follow instructions at http://www.opencms.org/ to install and setup OpenCms.

  The following hints might save you some time: Don't try to run the initial OpenCms setup with the Tomcat instance running openCRX; use a clean (unchanged) Tomcat instance. If you use PostgreSQL, the database name must be in small letters only (the OpenCms Setup Wizard doesn't handle capitalization correctly).

• Download opencms.war from http://www.opencms.org/ and copy the file opencms.war to TOMCAT_HOME\webapps\

• Start Tomcat (and make sure that the contents of the file TOMCAT_HOME\webapps\opencms.war get expanded into the directory TOMCAT_HOME\webapps\opencms)

• With your browser, connect to

http://localhost:8080/opencms/setup

• to be completed (we will probably provide a custom project to get you off the ground without much hassle in the future...)

17 Next Steps

You might want to have a look at some of the additional documentation published at http://www.opencrx.org/documents.htm.