Update Information
As usual, all components must be updated simultaneously – server, clients, services, and microservices.
Both functional and security-related errors may occur when accessing data if some components have not been updated.
The installation data can be obtained via the Service Portal. There, you can also request test licenses.
Database Adaptations before Updating
Before updating installations with a large workflow database, we recommend preparatory steps in the enaio® database for a quick update.
Indices should be added to the database to optimize the runtimes of the statements in the setup and the creation of new table columns should be anticipated.
The individual steps and the criteria from which we consider these steps to be relevant are listed below. We assume that all the statements listed below are executed before the update and that the indices generated are removed again after the update.
Statements to Be Executed
Execute the following statements before starting the setup of enaio® 11.10:
- create Nonclustered index tmp_oswfactivities_1 on oswfactivities (containerid) INCLUDE (activityid,ractivityid,processid, name)
- create Nonclustered index tmp_history on oswfhistory (processid,entrynr) INCLUDE (histid)
- create Nonclustered index tmp_history_2 on oswfhistory (histtype) INCLUDE (histid,processid,ractivityid)
- alter table oswfhdatafields add resourceflags int default(0) with values
- insert into osmaintenance (osmaintguid, description, osverguid) values('28A6F66903384EC7903FF96E9231526C','Update der Historientabellen für 11.10 Teil3', 'C78218D0FBE64CB18BFC817840D36A9D')
- create Nonclustered index tmp_mskflds on oswfmaskfields (id, org_id, workflowid) INCLUDE (maskid)
- alter table oswfactivities add resourceflags int default(0) with values
- insert into osmaintenance (osmaintguid, description, osverguid) values('27E69C5A8EA54B758CC0491FD59E7B37', 'Gescriptete Aktivitätsname in die ResourceStorage Tabelle kopieren Teil 1' ,'C78218D0FBE64CB18BFC817840D36A9D')
Deleting all Temporary Indexes After Installation
- drop index if exists tmp_history on oswfhistory
- drop index if exists tmp_history_2 on oswfhistory
- drop index if exists tmp_oswfactivities_1 on oswfactivities
- drop index if exists tmp_mskflds on oswfmaskfields
Explanations
The limit values listed below are estimates and may vary depending on the equipment of the database server. Furthermore, we assume that the existing database server is equipped in such a way that it will not reach its capacity limits during peak loads in regular operation to date. The statements apply to Microsoft SQL Server. For other database systems, the statements may have to be adapted accordingly.
- The following indices (see statements 1, 2, 3) generally increase the performance of the workflow table update. After executing the setup, these indices should be removed from the database again.
- If the installation to be updated contains many workflow processes that have already been completed but have not yet been deleted via the workflow history cleanup, the following statements (see statements 4, 5) should be called on the database before the setup is called.
The criterion for many workflow processes could be determined with the following statement: select count(*) from oswfhdatafields. We see around 20 million entries as the relevant figure here. - If the installation contains a large number of workflows or very large forms with many fields in these workflows, the following statement (see statement 6) should be executed before calling the setup on the database. After executing the setup, the index should be removed from the database again.
The criterion for many form fields could be determined with the following statement: select count(*) from oswfmaskfields. We see around 20,000 entries as the relevant figure here. - If the installation contains several activated languages, the following statements (see statements 7, 8) should be executed before calling the setup on the database.
The number of languages can be determined using the following statement: select count(*) from oslanguages where active <> 0.
Each language that occurs multiplies the number of language strings to be created for form fields and model parameters.
Ultimately, the performance saved again depends on the number and size of the models.
Rights Control for Server Jobs
In version 11.10, the default value of the Security/SecureJobs registry entry for enaio® server was changed from 0 to 1. We do this in order to guarantee a high standard of security in a new enaio® installation per default, without the need to carry out further configurations manually afterwards.
This registry entry controls the system role evaluation on security-relevant jobs in the server API. Affected jobs are administrative jobs for enaio® administrator-for-workflow and other administration tools. These jobs can now only be executed by users with the system role 'Server: Execute ado jobs', ID 88. Furthermore, the ado.ExecuteSQL job is now also secured by this system role check. This job is often used in scripts to implement project-side business logic.
The new default value of the Security/SecureJobs registry entry for enaio® server means that the higher security standard is automatically activated when a new enaio® server is installed.
Existing systems are only affected by this new behavior if a enaio® server is added within an installation or a enaio® server is moved to different hardware. Existing server installations are not affected by updates. There, the Security/SecureJobs registry entry for enaio® server must be set to active in enaio® enterprise-manager in order to achieve the higher security standard.
In addition, new users are no longer assigned the system role 'Server: Execute ado jobs' by default. The system role must also be assigned if required. This change affects both existing projects and new installations when creating new users via enaio® administrator.
Integrating Microsoft Teams
Before updating to version 11.10, the integrated H2 database must be updated for the Microsoft Teams integration.
Carry out the following steps:
-
Load the following archive files and save them in the <service-manager-installdir>\data\msteamsactions directory:
-
Load the following batch processing file:
-
Exit enaio® service-manager.
-
Execute the batch file with the following command line parameters:
V1-V2-migration.bat <service-manager-installdir>\jdk17_x64\bin <service-manager-installdir>\data\msteamsactions
The paths must be specified as absolute paths.
-
Check whether the actions_db_v2.mv.db file is present in the <service-manager-installdir>\data\msteamsactions directory and that the update has been successfully completed.
-
Delete the loaded archive files.
The update can then be carried out via enaio® service-manager using the 'msteams-client' and 'msteams-actions' services.
enaio®-App for Microsoft Teams - Permissions
The enaio® app for Microsoft Teams is provided via the Microsoft Teams Admin Center. Files.Read.All must be added when configuring the permissions.
enaio® coLab
The following adjustments are necessary for enaio® coLab due to the component updates:
-
enaioProjectRoomCreator.exe.config
http://<gateway>/colab/#/create-project-room/{objectid}/{sessionguid}: The hash must be removed from the path: http://<gateway-IP>/colab/create-project-room/{objectid}/{sessionguid}
-
"path": "http://<gateway>/colab/#/create-project-room/$osid$/$username$: The hash must be removed from the path: "path": "http://<gateway>/colab/create-project-room/$osid$/$username$
Users must clear the browser cache after the update.
enaio® coLab requires the 'users' service since release 11.0.200.
enaio® gateway
To increase security, it is necessary to install all customer-specific and external services, i.e., all services that are not installed via enaio® service-manager, via the application-prod.yml configuration file of enaio® gateway.
enaio® webclient
Updating enaio® webclient
To update version 10.0 or previous versions, follow the instructions in the version 10.10 TRNs. The 'osweb' service introduced with version 10.10 can be installed directly in version 11.10.
Updates to version 10.10 and version 11.0 are possible without adjustments.
Discontinuation of the MSI Package for the Installation of enaio® webclient als Desktop-Anwendung
The MSI package for installing enaio® webclient als Desktop-Anwendung has already been discontinued with previous service releases.
With version 11.10, only the NSIS installer enaio-webclient-app.exe is available for installation.
Profile distribution is also possible for user-specific installations with the NSIS Installer.
HTTPS for enaio® webclient als Desktop-Anwendung
With previous service releases for enaio® webclient, the Electron framework used in enaio® webclient als Desktop-Anwendung was also updated. The Chromium browser used by the Electron framework has also been updated. This Chromium update has also implemented the enhanced security measures adopted by all browser manufacturers, which are intended to prevent CORS attacks and the transmission of login information via non-encrypted channels in production environments. For this reason, NTLM logins in enaio® webclient als Desktop-Anwendung are now only supported on encrypted HTTPS connections. For an NTLM login, enaio® gateway must therefore be configured for HTTPS. Logging in with Basic-Auth on unencrypted HTTP connections is still possible for test purposes.
User Administration in enaio® webclient
Users are assigned the system roles specified in the osrest.web.systemroles.properties configuration file from the <AppConnectorInstallDir>\configuration directory via user management in enaio® webclient. This configuration file is not updated when enaio® appconnector is updated.
You can download the current version of the configuration file for versions 11.0 and 11.10.
Authentication via OpenResty/Keycloak
The previous connection of Keycloak as an identity provider via OpenResty for authentication using OpenID Connect/OAuth2 to is no longer supported and will be replaced by the new 'gateway-ng' service.
'applet' Service
The new service for HTML/JS/CSS frontend components is necessary and is not configured via a YML file. After the update, adjustments must be made to the addresses of display components.
-
-
'Home-URL' of enaio® contentviewer in enaio® enterprise-manager:
http://<service-manager>/applet/contentviewer/index.html?osid={OBJECTIDENT}
The details preview is displayed per default. The content preview is displayed if you add the following: &focusIndexData=false
-
'Service endpoint for direct access' must be checked in the project.
-
-
-
'Home-URL' of enaio® detailsviewer in enaio® enterprise-manager:
http://<service-manager>/applet/detailsviewer/index.html?osid={OBJECTIDENT}&sessionguid={sessionguid}
-
'Service endpoint' and 'Service endpoint for direct access' must be checked in the project.
-
-
-
'Home URL' for the content preview with PDF.js
http://<service-manager>/applet/pdfview/viewer.html?osid={OBJECTIDENT}&pagecount={pagecount}&sessionguid={sessionguid}&servername={servername}&serverport={serverport}&objecttype={objecttype}&q={searchterm}
-
-
The configuration file AxPreview.exe.config for the preview display of .os files must be adapted depending on the configuration.
Example:
<add key="PdfViewerUrl" value=http://<service-manager>/applet/pdfview/viewer.html?osid={OBJECTIDENT}/>
If several servers are integrated, these adjustments must be made for each server.
If one of the components is integrated in projects, the integration must be checked.
A redirect to the new URLs is automatically set up for enaio® gateway. The previously used URLs will continue to work. Users are redirected to the correct pages. In contrast to the previous behavior, enaio® contentviewer displays the details preview by default and not the content preview.
enaio® repository-manager
enaio® repository-manager has been updated and must be reinstalled and reconfigured.
With the new version, KGS components are no longer used and the ArchiveLink and ILM connections are split into two separate services.
enaio® directory-sync
The application to be integrated was renamed for enaio® directory-sync. Configurations must be adapted accordingly. Include enaio-directory-sync.exe instead of enaio-aad-sync.exe.
enaio® directory-sync has been extended and can also synchronize data with LDAP systems in addition to Entra ID.
enaio® directory-sync will replace the automatic action 'XSLT directory synchronization' in a future version.
enaio® capture and enaio® classify
The enaio® capture subprogram, which provides data for further processing in enaio® classify, has been renamed: enaio® capture-transfer-module. Configurations must be adapted accordingly. Include capture-transfer-module.exe instead of capture-to-classify.exe.
enaio® capture-transfer-module has been extended by integrating Kairos AI cloud services via the new 'ai-connector' service. This allows invoice-specific index data to be extracted from PDF files and an invoice conformity check to be carried out.
Automatic Actions/Maximum Number of Hits
The automatic actions 'Media dearchiving', 'Hash check' and 'Signing' are no longer limited by the setting 'Maximum number of hits' - default: 50000.
Configurations of these automatic actions should be checked with regard to runtime and system load.
ABBYY FineReader 12.5
ABBYY FineReader must be updated to version 12.5.
Before updating, the license must be backed up and existing installations must be uninstalled.
Configurations do not need to be adjusted. You do not need a new SMUA license compared to the previous version 12.4.
Elasticsearch
Elasticsearch is still used in version 7.17.8 and is not updated.