Opentext™ Appworks™ Gateway: Installation and Administration Guide
Opentext™ Appworks™ Gateway: Installation and Administration Guide
This guide does not replace the guides for OpenText products
that include AppWorks Gateway as part of their deployment,
such as eDOCS InfoCenter, Content Server Mobile and Tempo
Box. The installation guides for these products are available in
their respective product directories at OpenText My Support
(https://knowledge.opentext.com). These guides may include
additional or modified steps for installing the AppWorks
Gateway.
OTAG210300-IGD-EN-1
OpenText™ AppWorks™ Gateway
Installation and Administration Guide
OTAG210300-IGD-EN-1
Rev.: 2021-June-23
This documentation has been created for OpenText™ AppWorks™ Gateway CE 21.3.
It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product,
on an OpenText website, or by any other means.
Tel: +1-519-888-7111
Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440
Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com
One or more patents may cover this product. For more information, please visit https://www.opentext.com/patents.
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However,
Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the
accuracy of this publication.
               Table of Contents
               1       OpenText AppWorks Gateway Overview ................................ 7
               The OpenText AppWorks Gateway (OTAG) engine component is the single point of
               contact between all clients and your production server, for example, Content Server.
               It forwards all incoming operation requests, queues data requests to reduce server
               load, and handles notifications to all registered client applications.
               During the installation process, you connect the AppWorks Gateway to a database
               such as Microsoft SQL Server or Oracle, and to OpenText Directory Services (OTDS)
               to manage and authenticate your users. As a final step, you connect to your
               production server and install the applications, components, and services in the
               AppWorks Gateway.
Mobile Client
                                                               Apache Tomcat
                                                        (OpenText AppWorks Gateway)
                                                     OpenText Directory
                      Active Directory/LDAP
                                                         Services
               Active Directory/LDAP
                   The Active Directory or LDAP server that you may be using to manage your
                   users. This is optional.
               Apache Tomcat
                  The server hosting Apache Tomcat, with AppWorks Gateway deployed and
                  configured, and your apps installed and enabled.
               Mobile Client
                 An Apple® or Android™ device.
               Desktop Client
                  A computer running a Windows or macOS® operating system.
       2.1 Prerequisites
               Before you start, review theAppWorks Gateway Release Notes, available from My
               Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/58916144) The
               Release Notes contain important information about supported environments and the
               compatibility of AppWorks Gateway with OpenText products, such as Content
               Server.
                        Important
                        Install the AppWorks Gateway and Apache Tomcat on a dedicated server.
                        Do not install OTDS, or an OpenText product, such as Content Server on
                        the same server as the AppWorks Gateway.
               • A database to connect to. Create a schema and an associated schema admin user
                 in your Microsoft SQL Server, MySQL, Oracle, Oracle RAC, PostgreSQL, or SAP
                 HANA database.
               • An OTDS installation. OTDS centralizes user and group identity information and
                 manages single sign on (SSO) between OpenText components.
               1.   Ensure you have installed the required software. For details, see “Prerequisites”
                    on page 10.
               4.   Double-click the Tomcat executable file, for example, Tomcat9w.exe and do the
                    following:
               5.     Start the Apache Tomcat service to make sure your Tomcat installation starts
                      correctly with these new settings.
                         Important
                         The AppWorks Gateway installation package includes modified versions
                         of the server.xml and context.xml files. If you have customized the
                         server.xml or context.xml files, and you want to retain those changes,
                         you must add them to the versions of the files supplied by the AppWorks
                         Gateway.
               5.    Optional If you plan on running SSL, comment out or remove the following tag in
                    the server.xml file.
                    <Listener className="org.apache.catalina.core.AprLifeCycleListener" SSLEngine="on"/>
                      Important
                      After you have specified a database and completed the installation, you cannot
                      choose a different database for AppWorks Gateway. Therefore, ensure that you
                      are connecting to the database you intend to use for your environment.
To connect to a database:
               2.     From the Select Database Vendor drop down, choose from the following
                      database options:
                    • MySQL – In the MySQL Workbench, select the Options File from the
                      Navigator panel and choose the Networking tab. Locate the max_allowed_
                      packet_length variable and change to 1024 MB. You may need to install the
                      JDBC driver (Connector/J) and place it in your <Tomcat_Home>\lib folder.
                      After adding the driver, restart the Apache Tomcat service.
                    • Oracle – You may need to download a JDBC driver JAR file and place it in
                      your <Tomcat_Home>\lib folder. After adding the driver, restart the Apache
                      Tomcat service.
                    • Oracle RAC – You may need to download a JDBC driver JAR file and place
                      it in your <Tomcat_Home>\lib folder. After adding the driver, restart the
                      Apache Tomcat service.
                    • PostgreSQL – To connect the AppWorks Gateway to a PostgreSQL database,
                      you need to add the following line to the C:\Program Files\PostgreSQL\
                      11\data\pg_hba.conf file.
                       # TYPE   DATABASE   USER   ADDRESS   METHOD
                         host   all        all    0.0.0.0/0 md5
                    • SAP HANA
                    • Custom Connection String
                                 Caution
                                 The Custom Connection String option is intended for experienced
                                 database administrators only and must be used with caution.
               3.   In the Username and Password boxes, type the credentials for an admin user of
                    your database.
                    • In the Load Balance area, choose if you would like to enable client side load
                      balancing.
                    • In the Cluster Host box, type the virtual cluster name that you chose when
                      you created the RAC database.
                    • In the Port box, type the port. The default port for Oracle is 1521.
                    • In the Service Identifier box, type the virtual service name that you chose
                      when you created the RAC database.
               5.   Click Configure Database Connection and wait for a confirmation that the
                    connection is established.
Important
                      • Once you have defined the connection to OTDS, you cannot make changes
                        to it. This means that you cannot switch from one OTDS instance to
                        another.
                      • We recommend that you do not install OTDS on the same server as
                        AppWorks Gateway. Also, OTDS should be on a separate server to an
                        OpenText product such as Content Server or eDOCS DM.
                    • OTDS server url – The URL of the Tomcat server that is running OTDS. Do
                      not use http://localhost:8080.
                    • OTDS Administrative Account Username and Password – The credentials
                      for an OTDS Admin user.
                    • Resource Name and Gateway User Partition Name – Creates an AppWorks
                      Gateway Resource and User Partition in OTDS with the names provided.
                      The default values are OTAG and otag respectively.
               3.   Click Configure OTDS. The configuration is complete when you are prompted
                    to sign in to the AppWorks Gateway.
                    Before you sign in, open a second browser window and go to the Directory
                    Services web client at http://<Tomcat_Host>:<port>/otds-admin/.
               6.   For the otag partition, select View Members from the Actions menu. Next,
                    select the Groups tab.
               7.   Select the otagadmins group, then select Edit Membership, and click Add
                    Member.
               8.   Search for the otadmin@otds.admin member and from the search results box,
                    click Add Selected to add the member to the otagadmins group.
               If you deployed the AppWorks Gateway in a non-SSL environment, you will see the
               following error in the gateway.log file in the <Tomcat_Home>\logs folder:
               ** HTTP 403 encountered during resource authentication. This is
               likely to be because OTDS is not configured to permit
               authentication traffic across unsecured (non-SSL/TLS) transports.
               If this is a development environment, you may work around this
               security feature by ensuring OTDS has the System Attribute
               "directory.auth.EnforceSSL=false". **
3. Click Add.
4. Type directory.auth.EnforceSSL in the Name field, and false in the Value field.
5. Click Save.
               You can upgrade to AppWorks Gateway 21.3 from all previous 16.x and 21.x
               versions.
               If your AppWorks Gateway installation is prior to 16.0, for example, 1.2.1, there is no
               migration procedure to preserve your current environment. You must remove
               AppWorks Gateway 1.2.x, then install AppWorks Gateway 21.3. For further details,
               see “Upgrading from AppWorks Gateway 1.2.x” on page 22.
               After upgrading to 21.3 from AppWorks Gateway 1.2.x, you may want to ensure
               that users continue to access any configured services with the URL they used prior
               to the upgrade. For further details see “Adding a URL Rewrite to AppWorks
               Gateway 16.x” on page 23.
                      Note: When upgrading to AppWorks Gateway 21.3, from 16.x,or 21.x you
                      must decrypt then re-encrypt the opentext.properties file in the
                      <Tomcat_Home>\conf folder. The steps to do this are described in the following
                      procedures.
1. Stop the Apache Tomcat service that hosts the AppWorks Gateway installation.
                         • work\Catalina\localhost
                         • temp
                         • tmp
                         • logs
               6.   Open the webapps folder and remove any folders and .war files that belong to
                    AppWorks Gateway services. For example, if there is an AppWorks Gateway
                    service named gateway-service, delete the /webapps/gateway-service
                    folder, and the /webapps/gateway-service.war file if it exists.
                    After completing the upgrade, when you start the AppWorks Gateway, the
                    folders and .war files for the services will be recreated.
                    If you have made any custom modifications or if any custom configuration files
                    exist in the /webapps/<service>/ folders, these must be manually recreated
                    from the /webapps folder that you backed up in Step 3.
                    If you do not complete this step when upgrading, you will see a message
                    indicating that app migration has failed in the gateway-otag.log file. To
                    resolve this, you must undeploy then redeploy the service. To do this:
                    a.   In the AppWorks Gateway that is running the service, click the Services
                         section of the Admin Menu.
                    b.   Disable, then re-enable the service.
                         You can download the .zip service deployment file from the AppWorks
                         Gateway prior to disabling it.
               9.     If you have made custom changes to the server.xml file, use the server.bak
                      back up file to retain those changes in your upgraded installation.
               10. Encrypt the opentext.properties file in the <Tomcat_Home>\conf folder,
                   using the Database Encryption Tools available from My Support (https://
                   knowledge.opentext.com/knowledge/llisapi.dll/open/58916144). The opentext.
                   properties file in the <Tomcat_Home>\conf folder stores the details of the
                   database for the AppWorks Gateway Installation. Proceed as follows:
                           • If you are upgrading from AppWorks Gateway 16.x, use the Database
                             Decryption tool in the 16.7 software folder in My Support. If you are
                             upgrading from 21.1, use the Database Decryption Tool in the 21.1
                             folder in My Support.
                           • Use the Database Encryption Tool in the 21.3 software folder in My
                              Support.
                      c.   Decrypt the opentext.properties file using the decrypter.jar file in the
                           Database Decryption Tool, as follows:
                    Note: When you upgrade from AppWorks Gateway 1.2.x to 21.3, you cannot
                    reuse the existing values for Resource Name, Gateway User Partition Name,
                    Gateway Admin Username and OTDS Administrative Account Username.
                    Step 2: OTDS Configuration of the installation of AppWorks Gateway 21.3
                    will not complete and you will need to repeat the process, supplying new
                    values.
               •    Sign in to your database management tool, and create a new database schema
                    for AppWorks Gateway 21.3.
               2.   The safest way to uninstall the AppWorks Gateway 1.2.x is to reinstall Apache
                    Tomcat. If you reinstall Apache Tomcat, make sure you reconfigure Tomcat for
                    the AppWorks Gateway 21.3. For details, see “Configuring Apache Tomcat for
                      the AppWorks Gateway” on page 10. However, if you have other software
                      running Tomcat and you would prefer not to uninstall it, do the following:
               This is a change from AppWorks Gateway 1.2.x, where users were taken to /
               webaccess from https://[appworksurl]/, from where they could access the
               services that were configured there, for example, Tempo Box or Tempo Social.
               When upgrading to 16.xfrom AppWorks Gateway 1.2.x, you may want to ensure
               that users continue to access any configured services with the URL they used prior
               to the upgrade. To do this, you can use URL rewriting to perform a URL redirect to
               the /content folder. The following steps describe how to redirect your users
               from http://host.opentext.com to http://host.opentext.com/content by
               downloading and configuring a Java Web filter for the Apache Tomcat installation.
Note: The UrlRewriteFilter must be the first filter in the web.xml file.
               1.   Download the latest version of the Apache Tomcat 9.0.x Service Installer for
                    Windows from https://tomcat.apache.org/download-80.cgi.
2. Stop the Apache Tomcat service via the Windows Services Control Panel.
               3.   Run the downloaded Tomcat 9.0.x Windows Installer to install the updated
                    version of Tomcat as a Windows Service.
Notes
               4.     Set the required JAVA_OPTIONS for the new Tomcat service. See
                      “Configuring Apache Tomcat for the AppWorks Gateway” on page 10 for
                      details.
               6.     Copy the following folders and or files from the existing <Tomcat_Home> folder
                      to the new <Tomcat_Home> installation folder:
– awg-keystore
                         – awg-node.properties
                         – server.xml
                         – opentext.properties
                      • From the existing <Tomcat_Home> folder, copy the entire webapps\ folder to
                        the new <Tomcat_Home>. When asked, accept to merge the directories.
                      • From the existing <Tomcat_Home> copy the entire gateway\ folder to the
                        new <Tomcat_Home> location.
                             Note: If you have made any edits to your existing server.xml, for
                             example for SSL connectors, copy across your key store and update the
                             path in the server.xml in the new Tomcat install location.
7. Start the Apache Tomcat service and examine the logs for successful startup.
               9.     Once your regression testing has been successfully completed, uninstall the old
                      Tomcat service and delete the old <Tomcat_Home> folder structure along with
                      the backups taken during the above process.
               1.     Download the latest version of the Apache Tomcat 9.0.x Service Installer for
                      Linux from https://tomcat.apache.org/download-80.cgi.
– otag-tomcat-listener-16.<x>.jar
                    • docs/
                    • manager/
                    • ROOT/
                    • examples/ (if installed)
                    • host-manager/ (if installed)
               7.   Copy the following directories from the temporary directory of the new Tomcat
                    to the following directories:
                    • bin/
                    • lib/
                    • webapps/
               9.   Copy the saved files from the lib/ directory into the <Tomcat_Home>/lib/
                    directory.
11. Start the Apache Tomcat service and examine the logs for successful startup.
                      Important
                      The following description does not include any steps to back up the installation
                      you are removing. When you take these steps you are removing the AppWorks
                      Gateway, the otag partition in OTDS, and any AppWorks data in the database
                      that you created for use with the installation.
               4.     Navigate to the <Tomcat_Home>\temp folder and delete all of the files in the
                      folder.
               5.     Navigate to the <Tomcat_Home>\tmp folder and delete all of the files in the
                      folder.
               9.     Delete the otag partition. This is the default partition name. You may have
                      supplied a different name when you installed the AppWorks Gateway.
               10. Delete the database schema that you created for use with the AppWorks
                   Gateway.
               The AppWorks Gateway can be run in debug mode. Debug mode allows for more
               detailed error information to be returned to clients. The AppWorks Gateway should
               not be left running in debug mode during production use, to avoid the
               communication of detailed error messages.
               When troubleshooting the AppWorks Gateway, you can adjust the logging level to
               debug or trace. See “Frequently Asked Questions“ on page 87.
               Always terminate the AppWorks Gateway with SSL/TLS at the Apache Tomcat
               connector layer.
               Without SSL/TLS at the Tomcat layer, the Want Secure Cookies setting will not
               work correctly. If the Want Secure Cookies setting is enabled, cookies issued by the
               AppWorks Gateway will contain the “secure” flag if possible, providing SSL/TLS
               termination is performed on the Tomcat connection. The Want Secure Cookies is on
               the General Settings page (Settings > General Settings).
               Follow industry best practices for securing the Apache Tomcat server. Consider the
               following resources:
               • https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
               • https://www.owasp.org/index.php/Securing_tomcat
               • https://geekflare.com/apache-tomcat-hardening-and-security-guide
               Protection against malicious file upload must use a layered approach – the
               environment and the application must be protected. Protection should be enforced
               on the server side and – very importantly - on the client side of the application. At
               infrastructure level, ensure the following:
               • Client systems are using a supported browser with the latest updates. Older
                 browsers have fewer protections. To protect against issues with file locking
                 OpenText recommends that you use the following settings:
                      Important
                      In this procedure we are using Active Directory Certificate Services (ADCS).
                      ADCS allows you to build, in-house, a public key infrastructure, with public
                      key cryptography, digital certificates, and digital signature capabilities, using
                      Microsoft technology. There are many alternative services that you can use,
                      and which may be more appropriate for your organization. The use of ADCS
                      here is for the purpose of providing an “end-to-end” example to explain the
                      procedures for enabling the AppWorks Gateway for HTTPS. There is no
                      requirement to use ADCS. The implementation and maintenance of security
                      protocols at your organization can be complex and should only be attempted
                      by experienced personnel.
1. Start KeyStore Explorer, click File > New and select JKS for the keystore type.
2. Click OK.
3. Click Tools > Generate Key Pair, and select RSA for the encryption algorithm.
4. Click OK.
               5.   In the Generate Key Pair Certificate dialog box, select the required Validity
                    Period.
8. Click OK.
               9.     In the Subject Alternative Name Extension dialog box, click       and do the
                      following:
               10. Click the Edit Name button            and complete the Name dialog box with
                   details relevant to your Active Directory Certificate Server.
               11. Click OK until you are prompted for an alias name. You can leave the alias
                   name unchanged and click OK.
12. In the New Key Pair Entry Password dialog box, type a password.
               You now have a functioning keystore for your required host. Next, you need to
               generate a Certificate Signing Request (CSR) that you can submit to your Certificate
               Authority (CA) for signing.
               1.   Right-click on the generated key pair, and select Generate CSR to create a
                    certificate signing request file.
               2.   In the Generate CSR dialog box, select the Add certificate extensions to
                    request check box.
3. Click Browse and choose a name and location for the CSR file and click Save.
               The next step is to sign the CSR that you have created, and this guide describes how
               to do this using Active Directory Certificate Services. This process can be used if you
               are building an internal system and do not have access to an external CA, such as
               VeriSign. If you submit the CSR to an external CA, you should receive both the
               signed certificate for your server and also the root CA certificate from the Certificate
               Authority that was used to sign the new certificate. If the CA uses intermediate
               chain certificates, you will also need these.
                        Caution
                        It is crucial that you have the full chain of certificates used to sign your new
                        certificate. Without the complete chain, SSL communication will fail.
               1.     In a text editor, open the certreq.csr file that you created in the previous
                      section.
               3.     Copy and paste the contents of the CSR file from your text editor into the Saved
                      Request box for Base-64–encoded certificate request (CMC or PKCS #10 file or
                      PKCS #7).
4. Click Submit.
               5.     In the Certificate Issued page, click Download certificate chain and save the
                      file to your hard disk.
               6.     Return to KeyStore Explorer, right-click on the generated key pair and select
                      Import CA Reply > From File.
               3.     On the AppWorks Gateway server, navigate to the cacerts file in the <Java_
                      Home>\lib\security folder.
               4.     Open the cacerts file in KeyStore Explorer. The default password for the
                      cacerts file is “changeit”.
               8.   Copy the cacerts file back into the <Java_Home>\lib\security folder on the
                    AppWorks Gateway server.
               By following these steps, your Apache Tomcat server can still run in normal mode at
               the same time on port 8080 with HTTP.
               5.   Uncomment the property and add the name of the JKS keystore file, and the
                    password you provided when you created it. The following is the new section
                    with the additional line highlighted:
                    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
                    This connector uses the NIO implementation that requires the JSSE style
                    configuration. When using the APR/native implementation, the OpenSSL style
                    configuration is required as described in the APR/native documentation -->
6. Save and close the file, and then restart the Apache Tomcat server.
               Apps may rely on an associated service. Therefore, you need to make sure all of the
               services are installed and enabled in the AppWorks Gateway. If you want to prevent
               your users from accessing a particular app, you must disable the app in the
               AppWorks Gateway. If you disable a service and not the associated app, users will
               still be able to see the app on their mobile device or desktop computer. However,
               users will not be able to use the app.
               Components offer additional functionality for apps. For example, with ECM
               Everywhere, the Object Details Viewer component allows users the ability see the
               properties, categories, and audit information for objects in the Enterprise Workspace
               app.
               Each app, component, and service in the AppWorks Gateway shows summary,
               settings, statistics, and history details. Altering the settings might negatively impact
               performance. Only experienced administrators should modify these settings.
4. Click Browse and navigate to the app, component, service, or product bundle.
Tip: You can also drag and drop the file onto the indicated region.
                5.   Click Install Package and follow the on-screen instructions. By default, all apps,
                     services, and components are disabled. In order to give your users access to an
                     app, you need to enable the app as well as the associated service.
• In the AppWorks Gateway, select one of the following from the Admin Menu:
                     • Click Apps in the Installed section, and then click Enable for the apps you
                       want your users to have access to. When an app is disabled, users will not
                       see the app in the runtime client on their mobile devices.
                     • Click Desktop Apps in the Installed section, and then click Enable for the
                       apps you want your users to have access to. When an app is disabled, users
                       will not see the app in the runtime client on their desktop computers.
                     • Click Components in the Installed section, and then click Enable for all of
                       the components you installed.
                     • Click Services in the Installed section, and then click Enable for all of the
                       services that you installed. When a service is disabled, your users will not be
                       able to access their content. If the associated app is still enabled, users will
                       still see the app in the runtime client on their mobile devices. However, it
                       will be unusable.
                     • Click Connectors in the Installed section, and then click Enable for all of the
                       connectors that you installed.
                •    To enable all the apps, services, components and connectors that you have
                     installed, click All from the Installed section of the Admin Menu, and then
                     click Enable All at the top of the page.
               1.     In the Admin Menu, click the required type from the Installed section, for
                      example, Apps or Components.
               2.     Click the Show settings for this app icon        for the item.
               3.     Click the Summary, Settings or Audience tabs to display relevant information,
                      as follows:
                      • Summary – View the version number, installed date, and the date the
                        feature was last updated.
                         You can also download the feature by clicking the Download link. Some
                         apps have associated components and services that you also need to
                         download for the app to work in another AppWorks
                         Gateway. Click Components or Services in the Admin Menu and verify if a
                         service or component is present. Based on the name and description of the
                         component or service, it may not be obvious if they affect the downloaded
                         app.
                      • Settings – These are settings that are specific to the app or service. Use
                        caution when changing and always check the documentation for the app or
                        service.
                      • Audience – Filter the app based on runtime, user, or group. For details, see
                        “Filtering the Runtime and User Audience” on page 39.
               2.     Click the Show settings for this app icon        for the app that you want to filter.
               3.     Click the Audience tab and do one of the following:
                      • To display the app in all runtimes installed on the user’s client, select the
                        Available in all runtimes check box.
                     • To display the app in a certain runtime client only, clear the Available in all
                       runtimes check box and select the check box next to the appropriate
                       runtime.
                     • To display the app in a runtime that is not displayed, click Runtimes from
                       the Management section of the Admin Menu. Complete the displayed fields
                       and click Add. Repeat steps 2 – 3, only this time select the check box next to
                       the new runtime.
4. Click Save.
2. Click the Show settings for this app icon for the app that you want to filter.
                     • To display the app in the runtimes of all users, select the Available to all
                       users check box.
                      • To display the app in the runtimes of a specific user, group or partition, clear
                        the Available to all users check box. In the Search for Users/Groups/
                        Partitions box, type the first few letters of the name of the user, group or
                        partition. Select one or more check boxes for the users, groups or partitions
                        that you want to be able to access the app.
5. Click Save.
                     Note: AppWorks Gateway 21.3 requires the 16.6 versions of the iOS and
                     Android mobile clients. The 16.6 mobile clients are compatible with 16.x
                     versions of the AppWorks Gateway. However, push notifications, including
                     remote wipe, are only available when both the AppWorks Gateway and the
                     mobile clients are on release 16.5 or later. This is due to the replacement of
                     Google Cloud Messaging (GCM) with Firebase Cloud Messaging (FCM).
                     AppWorks Gateway 16.5 and later supports FCM only.
                2.   In the Admin Menu, click Mobile Client Distribution from the Management
                     section.
                3.   In the Send Distribution Email region, select a runtime that will be included in
                     the email.
                4.   In the same region, you can choose to send an email to one or more groups in
                     OTDS, to specific users by entering their email address, or to a list of users that
                     are in a CSV file.
                2.   Confirm that you have read the OpenText End User License Agreement, and
                     click Next to display the Custom Setup dialog.
               3.     Click Next to confirm that you want to install the Desktop Client and the
                      Desktop Client shortcuts in the default location, or click Browse to choose an
                      alternative location.
                5.   Click the OpenText AppWorks Gateway shortcut from the Windows Start menu
                     to display the Setup page, and define the following:
6. Click Save.
                You can run the Desktop Client Windows installer silently from a Command Prompt
                program, passing the filename in a Command Prompt line option. The Command
                Prompt must be run with administrator level privileges, also known as an elevated
                prompt.
                1.   From the Command Prompt, navigate to the location of the MSI installer that
                     you have downloaded.
                2.   The following command will silently install the AppWorks Gateway Desktop
                     Client for Windows, and set the Server Address to http://localhost:8080.
3. Drag the AppWorks Gateway Desktop App file to your Applications folder.
               4.     Launch the OpenText AppWorks Gateway Desktop Client to display the Setup
                      page. Define the Server Address, Enable SSO and Debug Mode fields, as
                      described above.
5. Click Save.
               If you receive an Unable to connect error message, when the desktop connects to the
               AppWorks Gateway Server URL, you can troubleshoot the issue by taking the
               following steps:
               1. On the machine where the desktop client is installed, or on a mobile device, open
                  a browser and navigate to http://<appworks-server-url:port>/v3/admin/
                  auth/loginurl.
               2. The response displays a value for loginUrl. This is the URL that the desktop
                  client must be able to resolve to, for the InfoCenter Desktop client to connect to
                  the AppWorks Gateway.
               3. Enter the loginUrl value in a browser on the desktop or mobile device and check
                  the response. You should get the OpenText login page proxied via the
                  AppWorks Gateway. If the OpenText login page is not displayed, check the
                  format of the AppWorks Gateway Server URL, and change to be a fully qualified
                  domain name.
The steps to enable the desktop client for HTTPS are as follows:
                     Note: The process for installing the desktop client for specific OpenText
                     products may differ from the steps shown here. Refer to the installation guide
                     for each product to check for additional or modified steps.
                1.   Open Firefox and navigate to the HTTPS address of the AppWorks Gateway
                     login page at https://<Tomcat_Host>:<port>/gateway. In “Securing the
                     AppWorks Gateway“ on page 29 you enabled the AppWorks Gateway server
                     for HTTPS.
3. Click the chevron icon to the right of the web site address.
4. Click More Information and in the Security tab, click View Certificates.
5. In the Details tab, examine the certificate chain in the Certificate Hierarchy box.
               1.     Open a command prompt window and navigate to the location of the root CA
                      CRT file that you exported in “Export the Root CA Certificate of the AppWorks
                      Gateway Server” on page 46.
               2.     Type the following OpenSSL command to convert the CRT file to a DER file.
                      Replace the CRT input and DER output values in the example below with your
                      file names.
                      openssl x509 -in appworks-AW-EXAMPLE-CA-2.crt -out appworks-AW-EXAMPLE-CA-2.der -
                      outform DER
               3.     Type the following OpenSSL command to convert the DER input file to a PEM
                      output file. Replace the DER input value with your file name.
                      openssl x509 -in appworks-AW-DEV-OTDS2-CA-2.der -inform DER -out ca.cert.pem -
                      outform pem
                           Important
                           The output file must be called ca.cert.pem.
               4.     Open the desktop client and ensure that the server address in the Settings page
                      is the HTTPS address of your AppWorks Gateway server.
5. Restart the client. The OpenText login page is now displayed over HTTPS.
Notes
                     • For Windows 8.1, navigate to Programs and Features, select the OpenText
                       AppWorks Desktop application and click Uninstall.
                     • For Windows 10, navigate to Apps & features, select the OpenText
                       AppWorks Desktop application and click Uninstall.
                2.   Open Windows Explorer, navigate to the following folder and delete the
                     contents:
                     C:\Users\<your user name>\AppData\Roaming\appworks-desktop\standard
                          Note: For the eDOCS InfoCenter desktop client, navigate to the following
                          folder and delete the contents:
                          C:\Users\<your user name>\AppData\Roaming\appworks-desktop\edocs-infocenter
1. Drag the Application from the Applications folder to the Trash folder.
                2.   Use the Finder or Terminal to navigate to the following folder and delete the
                     contents:
                     ~/Library/Application\ Support/appworks-desktop/standard
                          Note: For the eDOCS InfoCenter desktop client, navigate to the following
                          folder and delete the contents:
                          ~/Library/Application\ Support/appworks-desktop/edocs-infocenter
               Both the Renderer process and the Main process must make outgoing HTTP
               connections. The Renderer process uses HTTP connections provided by the
               Chromium framework, while the Main process uses HTTP connections provided
               under the NodeJS framework.
               To pick up HTTP forward proxy configuration, the Renderer process uses the built-
               in proxy configuration of the host operating system. The Main process picks up its
               HTTP configuration from HTTP_PROXY and HTTPS_PROXY environment
               variables. You must ensure that both configuration methods are employed at the
               same time to configure the AppWorks Desktop Client to use an HTTP proxy.
This chapter describes the settings that are available for the following categories:
               • General – Specify the URL of the AppWorks Gateway server and the OTDS
                 server, and choose from various authentication options.
               • MDM – Specify the settings for mobile device management, for example,
                 whether to enable or disable client tracking.
               • Mail – Specify the SMTP settings to use when sending emails from the Gateway.
               • Temp File – Specify where to store temporary data files, and how long to leave
                 files on the system.
               • Notifications – Determine the settings to use when sending messages to client
                 applications.
                      • AppWorks Gateway Server URL – The URL that clients and providers use
                        to reach this server. Use the fully qualified host name of the server. Do not
                        use http://localhost:8080. This URL is also needed for links in external
                        invitations and for auto-configuration of the OTSync Connector. The
                        OTSync Connector provides a connection, authentication handling, proxy
                        mappings and trusted provider key registration for OpenText Tempo Box.
                              Note: If you change the AppWorks Gateway Server URL, stop and
                              restart the Apache Tomcat service.
                      • Want Secure Cookies – When enabled, cookies issued by the AppWorks
                        Gateway will have their “secure” flag set. This setting has no effect for
                        responses on a non-secure transport, for example HTTP. The Want Secure
                        Cookies setting is selected by default.
                      • Session Token Cleanup Interval (s) – Timed out OTAG session tokens will
                        be cleared from memory periodically given this duration.
                      • Session Token Timeout (s) – Session tokens generated by the OTAG layer
                        will become invalid after this period of inactivity.
                   • Auto Sign-Out Inactivity Period (s) – Users will be automatically signed out
                     after this period of inactivity. Enter a value in seconds of at least 120. The
                     value must not have a decimal point, for example 900.5. The value must be
                     less than the period entered in the Session Token Timeout (s) field. A
                     period of inactivity is where the user makes no input into the
                     Administration User Interface by keyboard or mouse. One minute before the
                     user’s session is due to end, a dialog box is displayed enabling the user to
                     extend the session.
                   • OpenText Directory Services (OTDS) URL – The URL of the OTDS service
                     that is used by OTAG for authentication and identity information. When
                     you installed AppWorks Gateway, you connected to an OTDS service. You
                     cannot change to a different OTDS service after installation, and this field is
                     therefore read-only.
                   • Do Not Proxy OTDS – The proxy server will not be used by the client to
                     obtain an OTDS login URL. Instead, the client will use the URL specified in
                     the AppWorks Gateway.
                   • Cookie Domain for Generated OTDS Cookies – Enter a cookie domain for
                     generated OTDS cookies generated by OTAG to be used across subdomains.
                     For example, enter “.example.com” to allow subdomain app2.example.com
                     to use cookies generated for subdomain app1.example.com.
– AppWorks Suite
– Tempo Box
                      • Client Tracking Enabled – If enabled, you can track the clients that a user
                        has used and perform a remote wipe of any applications on the mobile
                        client.
                      • Remote Wipe Timeout (s) – An email is sent to the recipients in the Remote
                        Wipe Failure Email Recipients field if a remote wipe was not successful
                        before the timeout period expires.
                      • Remote Wipe Failure Email Recipients – The email addresses listed in this
                        field will be emailed if a remote wipe action did not occur before the Remote
                        Wipe Timeout (s) period expires. If you receive a remote wipe email failure
                        notification, the wipe did not take place and you must reset the user
                        password to prevent the user from signing into their account.
                    • Permit Storage of Password (On Device) – After a user signs in for the first
                      time, this setting allows your users to close and reopen the app without
                      typing their password. This functionality is only available when the mobile
                      clients are using the default oAuth 2.0 flow.
Notes
                             – If the user signs out of the app, they must re-enter their password to
                               sign back in.
                             – If you set a value in seconds in he Password on Device Expiry (s)
                               field, the user must sign back in to the app if the duration is
                               exceeded.
                    • Password on Device Expiry (s) – The duration in which a password is
                      stored on a device.
                    • Permit Offline Access on Device – When selected, users can access
                      information on a device when it is offline.
                    • Notify Devices of Offline Policy Change – When selected, users will be
                      notified if the value of the Permit Offline Access on Device field changes.
a. In the Send Test Email section, enter an email address in the To field.
                      • Notification Purge Interval (s) – The interval at which the notifications table
                        will be purged of notification records.
                      • Maximum Notifications Table Size – The maximum number of notification
                        records retained before a purge is triggered by the table monitor.
                      • Back-channel Stale Connection Cleanup Period (s) – The interval at which
                        back-channel connections will be checked for freshness and stale connections
                        discarded.
                      • Notification Refresh Interval (s) – The interval at which fresh notification
                        sequence data is published to clients. This affects how often a client will ask
                        for new notifications based on the last known sequence value.
                      • Back-channel Timeout (ms) – The time in which a client long poll
                        connection for notifications will remain open.
                      • Max Long-poll Connections per User – This is used to prevent DoS attacks.
                        When a user connects more than this number of clients simultaneously, the
                        oldest connection will be dropped.
                      • Back-channel Stale Connection Cleanup Age (s) – Back-channel
                        connections will be cleared from memory when they have been idle for at
                        least this long.
                             Note: Logging the push notification activity results in a large log file
                             that must be actively managed.
1. Select the Use Cutoff Date check box and enter a date.
               2.   Click Send Purge Request to remove notifications that were created before the
                    Use Cutoff Date.
                    If you have not entered a cutoff date, the current, completed notifications will
                    be purged. The number of notification is shown next to Current notifications
                    row count. This value is updated after the period specified in the Notification
                    Purge Interval (s).
               2.   Select the check boxes next to the settings you require. The settings are grouped
                    under a main heading, for example, Authentication, Runtimes and so on. You
                    can deselect the main heading to choose more specific settings. For example,
                    you might want to identify when a runtime is created or deleted, but not when
                    a runtime is updated, or when the list of runtimes is displayed in the
                    Administration User Interface.
               3.   Click Update Settings. Only the actions that you have specified will be reported
                    in the otagaudit table.
               In the Proxy Settings page, complete the details for any proxy rules that you want to
               create for AppWorks Gateway. OpenText supplies various template proxy rules for
               use with OpenText products such as eDOCS InfoCenter and Content Server.
               Creating a proxy rule for your OpenText product is part of the installation process
               for the product, and further details are available in the specific installation
               documentation.
                      Note: The proxy is intended as an API proxy for AppWorks services and apps,
                      and is not to be seen as a general purpose replacement for another proxy
                      service, such as mod_proxy for the Apache HTTP Server.
               3.     Click New Rule or New Rule From Template. The New Rule From Template
                      option provides some default settings for when you are installing the
                      AppWorks Gateway with other OpenText products. For example, the OpenText
                      eDOCS RestAPI template includes URL mappings and Whitelist details that
                      help you to install OpenText eDOCS with InfoCenter.
               4.     Select the Continue check box, next to the URL Mappings fields to execute the
                      URL rewrite in a top-to bottom order. For any matched URL rewrite rule, the
                      Continue option signifies whether to stop at this match, or continue applying
                      the rules below it.
5. In the Configure Rule page, complete the required fields and click Save Rule.
               The AppWorks Gateway uses the public Firebase Cloud Message (FCM) service to
               enable native push notifications. Push notifications are configured for each mobile
               runtime using the Google developer console. A Firebase Project model is used for
               working with Firebase projects in the AppWorks Gateway.
                      • Project Private Key File – A service account JSON file also used to call
                        Firebase APIs.
                      • Project ID – A globally unique identifier for the project
                      • Server Key – A key to authorize AppWorks Gateways calls against the
                        Firebase APIs
                      • Sender ID – The ID used by the AppWorks Gateway for itself as a sender of
                        push notifications, push clients ask to be sent notifications from a sender
                      • Web Push Certificate Public Key – A public key used by, the now
                        supported, in browser push clients.
                      • Web Push SDK Configuration – A JSON configuration String to allow in-
                        browser web clients to easily make use of the Firebase JavaScript client
                        library, see here (https://github.com/firebase/firebase-js-sdk).
               The following section assumes you have a valid Google developer account and can
               access the console at https://console.firebase.google.com. Select the cog wheel in the
               left-hand menu at the Project Overview level, and select Project settings to view the
               Firebase Project Settings.
               This tabbed view provides access to the general project's details and the cloud
               messaging configuration, which includes any number of apps and their access files
               (google-services.json, GoogleService-Info.plist), and service accounts.
               Project ID
                   The general project identifier found on the General tab under Settings.
               Server Key
                   A server key that authorizes our app server, the AppWorks Gateway, to access
                   Google services. It is available on the Cloud Messaging under Settings.
                     • Web Push Certificate Public Key – The public key of any Web Push
                       certificate generated in the Web Configuration found at the bottom of the
                       Cloud Messaging tab under Settings for the project.
                     • Web Push SDK Configuration – The public configuration code block for a
                       JavaScript app that will use the FCM client exposed by the AppWorks
                       Gateway. The value can be copied directly from the Firebase console as
                       described below. JavaScript applications may use the Firebase JavaScript
                       SDK to receive push notifications in the browser. From the Firebase projects
                       overview page, do the following:
                        1. Click + Add App below the project name.
                        2. Select the web application, depicted by angled brackets.
                        3. Copy the content of the config variable is JSON block out of the provided
                           <script> tags, for example:
                            {
                                  apiKey: "AIzaSyBgXYFblWR5_IE2zfYeARydmjVdTLXljGI",
                                  authDomain: "a-customer-project.firebaseapp.com",
                                  databaseURL: "https://a-customer-project.firebaseio.com",
                                  projectId: "a-customer-project",
                                 storageBucket: "a-customer-project.appspot.com",
                                 messagingSenderId: "944462086369"
                                }
                        4. Paste the JSON block into the Web Push Notifications field in the
                           AppWorks Gateway:
                6.   In the Username/First Name/Last Name field, search for the user to whom you
                     want to send this notification.
8. Click Send.
               3.     Click Add User and provide the user information. Passwords are based on the
                      Directory Services global password policy. The default policy requires at least 8
                      characters in length with at least one capital letter and one number. The title,
                      email, phone, and location fields are not required.
                      To add an AppWorks Gateway administrative user, click Administrative User.
               2.     Type the username, first name, last name or group name in the Search for users
                      and groups box and press ENTER.
               3.     Next to the user or group whom you want to edit, click the Edit icon           ,
                      edit the information, and then click Update user.
Notes
                           • You cannot update the OTDS Administrator user information from this
                             page. You need to update this user information in the Directory Services
                             web client at <http://Tomcat_Host>:<port>/otds-admin/.
                           • You cannot update any users that were added using OTDS. You need to
                             update these users in the Directory Services web client.
                           • You cannot delete users from this page. You also need to perform this
                             action in the Directory Services web client.
               2.     Locate the otag user. This is the default user name. You may have supplied a
                      different name when you installed the AppWorks Gateway.
               4.     Click General and update the information for User ID, First Name, Last Name,
                      and so on.
5. Click Save.
                2.   Locate the otag user. This is the default user name. You may have supplied a
                     different name when you installed the AppWorks Gateway.
                3.   Click Actions and then Reset Password for the otag user.
4. Type the new password in the fields provided and click Reset Password.
                2.   If you added users using the AppWorks Gateway, locate the otag partition. This
                     is the default partition name. You may have supplied a different name when
                     you installed the AppWorks Gateway.
                4.   Select the check box next to the user whom you want to delete and then click
                     Delete.
                           Important
                           Do not delete the otag or otdsadmin users.
               Using Client Management, you can see and wipe the runtimes from your user’s
               devices that your users have used to access their account. Wiping deletes all local
               copies of server data from the runtime and prevents the user from signing in. If the
               runtime was accidentally wiped, the user can re-enter the AppWorks Gateway URL,
               sign in and continue to access their account. The user will need to reinstall all of the
               apps and download their favorite files again. Assuming the wipe was intentional,
               you should change the user's password or delete their account altogether to prevent
               the user from signing in again.
2. In the Admin Menu, click Client Management from the Management section.
3. Type the username, first name, or last name of a user and then press ENTER.
                           Tip: If you are unable to search for a user, verify that Client Tracking
                           Enabled is selected on the MDM Settings page.
                      You will see the username, runtime, device information, and connection times
                      for every client the user has used to access their account.
1. In the Admin Menu, click Client Management from the Management section.
               2.   Type the username, first name, or last name of a user and then press ENTER. If
                    you are unable to search for a user, verify that Client Tracking Enabled is
                    selected on the MDM Settings page.
               3.   Click the Wipe link for the client that you want to wipe.
               4.   Click Ok to confirm the action. The next time the user attempts to access their
                    account using the client ID you wiped, the runtime wipe will take place.
               You can deploy and configure additional AppWorks Gateway servers to use an
               existing AppWorks Gateway database. Any applications, services, and components
               that are installed on one node in the cluster are automatically installed on all of the
               other nodes. All settings changes are also propagated to all of the nodes. You do not
               need to perform any manual steps on any other node or restart the Apache Tomcat
               service. However, you must restart the Apache Tomcat service if you change any of
               the following settings in the AppWorks Gateway:
               • On the General Settings page, changes to the Session Token Cleanup Interval
                 (s) and the Session Token Timeout (s) will only take effect once the current
                 interval elapses or when the Apache Tomcat servers are restarted.
               • On the Temp File Settings page, changes to the Temporary Directory Path
                 should be made when the servers are off-line, because some services may lose
                 temporary data. Changing the Temporary Directory Path may leave old
                 temporary files in the former location. The Temporary Directory Path location
                 must exist on disk before changing the path in the AppWorks Gateway. The
                 location on disk must be the same on all nodes in the cluster. The default location
                 is C:\Program Files\Apache Software Foundation\Tomcat 9.0\tmp.
               Clients that are connected to one node can also switch to another node and continue
               functioning.
               1.     Install Apache Tomcat on the new node. For details, see “Installing the
                      OpenText AppWorks Gateway“ on page 9.
                5.   Complete the database configuration steps to connect to the database you are
                     using for all nodes in the cluster.
                          Note: Repeat this procedure at any time to add nodes to the cluster. They
                          must also be added to the load-balancer.
               3.     In the List of Tenants field, type one or more tenants. Tenant names can include
                      the characters 'a' to 'z', and '0' to '9'. Upper case characters are not valid.
               4.     Click Update Settings. A URL is created for each tenant name. For example, if
                      you type "tenant001" in the List of Tenants field, the URL http://host:port/
                      awtenant/tenant001/ is created.
               5.     To complete the installation, enter the URL for the tenant into a browser address
                      bar. A configuration page appears with options to specify a database and an
                      OTDS instance. This is the same page that you use to complete the configuration
                      of any AppWorks Gateway installation.
               7.     For Step 2: OTDS Configuration, enter the OTDS server details that you used
                      for your primary AppWorks Gateway installation.
               8.     For each tenant, provide details for the Gateway Admin Username/Password,
                      and OTDS Administrative Account/Username. You can use the same
                      administrator as your primary installation, or you can create different
                      administrators for each tenant.
9. For each tenant, provide a Resource Name and Gateway User Partition Name.
               • Reduce the high operating costs to develop, manage and maintain on-premises
                 applications
               • Avoid end user adoption issues caused by slow performance and lengthy
                 deployment timelines
               • Gain access to extensive resources to support enterprise information
                 management applications
               • Deploy enterprise information management applications and grow as needed to
                 scale to your business needs
                      Note: Apache Tomcat and OpenJDK are installed as part of the AppWorks
                      Gateway container deployment. You do not have to install this software
                      separately. OTDS and PostgreSQL require separate installations.
               A PostgreSQL installation
                  The AppWorks Gateway container deployment process connects to the database
                  and creates a database instance.
               Helm
                  Helm is used to deploy the Docker images.
               Docker
                  You tag the Docker image files and push them to your registry.
               Kubernetes
                  You use Kubernetes to run various commands during the deployment of the
                  AppWorks Gateway containers. Normally, you should have a local installation
                  of Kubernetes, but it is also possible to run Kubernetes commands on certain
                  cloud platforms. For example, on the Google Cloud Platform, you can use the
                  Google Cloud Shell to run Kubernetes commands.
               1.   Go to My Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/
                    58916144) and download the docker-compose.zip file.
               5.     In the env folder, update the pg.env file with the details of the PostgreSQL
                      installation, for example, hostname, port and so on.
6. In the .env file, enter the details for the following sections:
               9.     Run docker container ls to list the docker containers, and check that the
                      container is available and running. The name of the container is docker-
                      compose_otawg_1.
               11. To view the logs run the command docker logs container <container name>
                   —f.
12. To remove the container deployment, run the command docker-compose down.
               • The appworks-gateway.zip file containing Helm charts. You download this from
                 My Support.
               • Access to the AppWorks Gateway container image: This installs the AppWorks
                 Gateway software. This image is available from the OpenText Container
                 Repository.
               • Access to the PostgreSQL container image: This creates a database with a name
                 you have supplied in your PostgreSQL installation.
               • An AppWorks init container image: This initializes the AppWorks Gateway
                 container. By default no mobile or desktop apps are installed with the container.
                 You can customize init container to include the mobile and desktop apps that
                 you want to include with the AppWorks Gateway deployment. This image is
                 available from the OpenText Container Repository.
               1.   Go to My Support (https://knowledge.opentext.com/knowledge/llisapi.dll/open/
                    58916144) and download the appworks-gateway.zip file.
               2.   Extract the appworks-gateway.zip file to a location, for example,
                    C:\OpenTextCE\appworks-gateway. The contents of the appworks-gateway
                    folder are as follows:
               1.     The image section of the values.yaml file contains the registry and
                      repository details of the AppWorks Gateway and PostgreSQL images in the
                      OpenText Container repository. See “Updating the Image Settings” on page 79.
               2.     Confirm that you can access the repository by entering the registry address in a
                      browser. You must supply credentials to view the contents of the repository.
                      Check with your Customer Support Representative for details.
                      Note: You can choose to deploy an AppWorks Gateway container without any
                      desktop or mobile apps. See “Deploying the AppWorks Gateway Container”
                      on page 78.
                      • apps: This is the folder in which you place the desktop and mobile apps that
                        you want to deploy with the AppWorks Gateway
                      • Dockerfile: You modify this file to include the names of the apps that you
                        want to deploy
                      • README: This text file provides an explanation of the environment variables
                        and exit codes used by the init container.
               3.     Edit the Dockerfile to add the names of the apps that you added to the apps
                      folder. For example, if your apps are called starterApp1_0.0.1.zip, and
                      starterApp2_0.0.2.zip, then the Dockerfile will be as follows, with a
                      separate Copy command for each file: Dockerfile:
                      FROM artifactory.otxlab.net/otag/awg:21.3.0-22122020010729
                      MAINTAINER OpenText Corp.
                      ENV AWG_UNATTENDED_SETUP="true"
                      ENV WG_EXIT_ON_SETUP_COMPLETE="true"
7. Run the docker image ls command to check that the container has been built:
               8.   Provide a tag number for the image, using the following command:
                    docker tag <imagename> <registryname>/<repositoryname>/awg-init-
                    container:<imagename>.<tagnumber>
                    where <registryname>/<repositoryname> are the details of your own
                    registry.
               9.   Run the docker image ls command to check that the tagging has been
                    successful.
               10. Run the following command to push the new image to your registry:
                    docker push <registryname>/<repositoryname>/awg-init-
                    container:<imagename>.<tagnumber>
               1.   Locate the values.yaml file that you extracted from the appworks-gateway.
                    zip file. See “Deploying AppWorks Gateway with Helm” on page 76 for details.
               3.   Open a PowerShell administrator session and navigate to the root directory, for
                    example, C:\OpenTextCE.
               6.     Open a browser and access the AppWorks Gateway using the URL specified in
                      the values.yaml file. If you have enabled ingress, use the value you entered in
                      the host setting.
               7.     Sign in to the AppWorks Gateway using the Username and Password details
                      that you supplied in the awg section of the values.yaml file.
               8.     Check the Installed section of the Admin Menu to confirm that the desktop and
                      mobile apps that you included in your deployment are present.
               pullpolicy, imagepullsecrets
                   OpenText recommends that you do not modify these settings. If the images are
                   not available locally they will be deployed from the OpenText registry according
                   to the settings for registry, repository and tag.
                The cloud deployment is available for the Amazon Relational Database Service
                (Amazon RDS). For the cloud deployment you must first create the database in
                Amazon RDS, as follows:
                server
                    Enter the server host and port details of an on premises PostgreSQL database
                    or a PostgreSQL database in Amazon RDS.
                admin
                   Enter the user, password and database details for the database that will be
                   created by pgInitContainer. You can keep the defaults or update with new
                   values.
                appworksdb
                   Enter a username, password, and database name. For an on premises
                   PostgreSQL database, deploying the container will create an instance with these
                   credentials in the PostgeSQL installation. Make sure that the username and
                   database details are in lower case characters.
                         • If useSSL is true and trustDbCerts is false, place the certificate inside the
                           appworks-gateway\trustCertificates folder to connect over SSL.
               partition, resource
                   Enter the names of the OTDS partition and resource to be used for the
                   AppWorks Gateway container deployment.
               admin
                  Enter values for the newadminuser and newadminpassword. You use these
                  values to sign in to the AppWorks Gateway Administration User Interface.
               externalurl
                   Enter the URL that will be used to access the AppWorks Gateway
                   Administration User Interface.
               logging
                   The default setting for logging is info. You can change to trace, debug, warn or
                   error.
               settings
                    This section enables you to determine the values for the General, MDM and Mail
                    settings that are available in the AppWorks Gateway Administration User
                    Interface. If the setting is not specified here. you can update it in the
                    Administration User Interface. If you choose to set a value for a setting here, you
                    cannot update it in the Administration User Interface of the deployed
                    AppWorks Gateway. To update a setting, after you have deployed AppWorks
                    Gateway as container, see “Upgrading a Deployed AppWorks Gateway
                    Container” on page 84.
                      The following table lists the settings. For an explanation of each setting, see
                      “AppWorks Gateway Settings“ on page 51.
                      Table 13-1: General, MDM and Mail Settings
               readiness probe
                   OpenText recommends that you leave the readiness probe settings
                   unchanged. They relate to the Kubernetes architecture and perform checks to
                   determine when a container is ready to start accepting traffic.
               liveness probe
                   OpenText recommends that you leave the liveness probe settings unchanged.
                   They relate to the Kubernetes architecture and perform checks to determine
                   when to restart a container.
               service
                   OpenText recommends that you leave the service settings unchanged.
               ingress
                   Ingress provides load balancing functionality where you have deployed
                   multiple pods by setting replicaCount to a number greater than 1. Update the
                   enabled setting for load balancing. Also, if you want to access multiple
                   AppWorks Gateway pods with a single URL, set enabled to true and enter a
                   URL in the host setting.
               tls
                      To use HTTPS, set enabled to true, then provide values for the secretName
                      settings.
               resources
                   OpenText recommends that you leave the default settings unchanged. However,
                   if you want to provide customer settings, uncomment the lines for limits and
                   requests, and enter your preferred values.
               1.   Update the settings in the values.yaml file, as required. A setting that you
                    specify in the values.yaml file cannot be altered in the AppWorks Gateway
                    Administration User Interface.
               3.   Run the following command to delete the pod. You must run the command for
                    all pods in the cluster. The pod is automatically recreated.
                    kubectl delete pod <pod name>
                         Tip: The command kubectl get pods -w displays the pod name and the
                         status of the pod.
               To check the status of a deployed AppWorks Gateway container, use the following
               commands.
               If the deployment fails to initialize pginit container, the status shows 1/2 Error.
               Run the following command to see the log files:
               If the deployment fails to initialize init container, the status shows Error or
               CrashloopBack. Run the following command to see the log files:
Run the following command to show the standard container log files:
               The following FAQs provide advice on additional setup options, and basic
               troubleshooting information.
To set the log level to a higher level, for example, debug, take the following steps:
                       Important
                       When debug-level or trace-level logging is enabled, sensitive configuration
                       data may be written to the log files. Debug-level and trace-level logs should be
                       securely disposed of when they are no longer required. Return the log level to
                       its lower level when you have completed any troubleshooting tasks.
               The AppWorks Gateway proxy also logs information in the gateway.log file when
               the log level is set to debug.
               For debugging, first check the Catalina log for errors, and if necessary check the
               localhost-access_logs.<date>.txt because they record each request. This
               allows you to confirm timing and response codes for each request when nothing
               appears in the logs.
               Beyond initial configuration of the AppWorks Gateway, there are very few error
               scenarios that would be indicated in the logs. The primary issue that can occur
               relates to authentication errors. If the user has entered a correct password, but
               cannot authenticate, these issues will not be captured in the log files. The following
               steps are recommended to troubleshoot authentication errors.
               1. Review the AppWorks Gateway node information to verify the database and
                  OTDS connections. Sign in to the AppWorks Gateway and click Overview from
                  the About section of the Admin Menu.
               2. Double check that the credentials and server URL were typed correctly. This is
                  often the problem.
               4. Try using the fully qualified name. For example. <username>@otag for internally
                  created users, <username>@<domain> for OTDS synced users.
               5. Sign in to the Directory Services web client and check that the user’s account has
                  not expired or been locked.
               6. Add a new user in the AppWorks Gateway. Then, sign in to the Directory
                  Services web client and verify that the new user was added to the otag partition.
               A good example of this is for the routing of Firebase Cloud Messaging (FCM)
               communications when the environment within which the Gateway is installed only
               permits outbound HTTP communication to the public Internet via an HTTP proxy.
               The example settings shown below are from a Linux installation of the AppWorks
               Gateway.
Where:
We must NOT proxy requests via the HTTP Forward Proxy to:
Tips
               If you do not set the environment variables, then the authentication request from the
               AppWorks Desktop Client to OTDS will fail.
                     Note: For further details of the AppWorks platform and technologies, see the
                     Technical White Paper, available from the AppWorks Quick Start page of the
                     AppWorks Developer web site (https://developer.opentext.com).
               The message “Can’t create a user. Consult OTDS logs” is displayed when creating
               users in the User Management section of the AppWorks Gateway.
                      Note: The issue is not present when you perform a clean install of AppWorks
                      Gateway 21.3 with any supported version of OTDS, including 16.4.3.
               1. In the OTDS Administration UI, search for the OTAG partition. This is
                  automatically created by the AppWorks Gateway installation process, when you
                  connect the AppWorks Gateway to an instance of OTDS.
               4. In Member Selection, search for the OTAG partition and add the resource
                  principle for the OTAG resource.
               By default, the AppWorks Gateway adds an OAuth client to OTDS, with the Grant
               refresh token (when protocol permits) check box selected. When you upgrade
               OTDS to 16.6, we recommend that you confirm that the Grant refresh token (when
               protocol permits) check box is still selected. If the check box is not selected a desktop
               or mobile client does not receive the refresh token on login and the user will
               therefore be asked to log in again, once they have logged out.
To check the Grant refresh token (when protocol permits) setting, do the following:
               3. Select the Grant refresh token (when protocol permits) check box and click
                  Save.
               For further information, see the chapter on OAuth Clients in the OpenText Directory
               Services - Installation and Administration Guide (OTDS-IWC).