Technical Training
Preface
Formatting Conventions
The current training material is intended as an introduction to administering CQ 5.x in a working environment. The latest available release is 5.3. Training material will be adapted accordingly for further product releases. Except for Exercise 1, all exercises require a running CQ 5.x Author instance. Exercise 1 will lead you through the steps needed to install such an instance. Additional requirements are listed in the corresponding exercises.
The current exercise book contains some exercises which will be covered during training, reinforcing the topics discussed during class. In the Appendix, you may find additional exercises which can help you with different installation platforms.
Goal
The following instructions explain how to install and start an Author instance. This is important because you will use this Author instance throughout this training to perform typical development tasks. To successfully complete and understand these instructions, you will need:
A CQ5 quickstart JAR
A valid CQ5 license key
Approximately 1 GB of RAM
MS Windows users, please do not use spaces in your newly created folder structure (e.g. C:/this
is bad/cq5/author). This will cause CQ5 to error.
EXERCISE 1 - Install & Start an Author Instance
EXERCISE 2 - Edit a Page
Instances
EXERCISE 7 - Activate Tree
EXERCISE 16 - Automating Package Manager with cURL
EXERCISE 17 - Creating Custom Log Files
Copyright 2010, Day Software AG, Switzerland Day Company Confidential Rev1.220101005
First of all, you may want to know which parameters are available to the server prior to installation. To display the complete list of optional parameters, enter the following command:
You can now install/start CQ5 from the command line while increasing the Java heap size, which will improve performance. Please see image below for an example of the
command line.
In the Login screen that appears, enter the default administrator's credentials (admin/admin), then click OK.
The Welcome screen appears, showing the different ways to continue. For the next exercise, we'll access the Websites console.
Goal
The following instructions explain how to navigate to and edit a page. This is important because you will use the Websites Administrator Console to create and publish content throughout the course. In addition, you should understand the interfaces used by your author community.
Console
Websites
Description
Access all the pages in your website; create, edit, and delete pages; start
a workflow; activate and deactivate pages; restore pages; check external
Assets
US0l Adrr;in,:;tratiort
and
Manage pages that are
Workflow:;
an easy to use
graphical
Adrmnstration
To Edit a page:
After you open the page, you can start to add content. You do this by adding new or editing existing paragraphs (also called components).
To insert a new paragraph, double-click the area labeled Drag components or assets here... or drag a component from the floating toolbar (called sidekick) to insert a new paragraph.
This area appears wherever new content can be added, such as at the end of the list if
other paragraphs exist or at the end of a column.
4. Drag the Text & Image icon from the sidekick to the center of the dotted rectangle and drop it in. The green check mark will tell you that the drag-and-drop is allowed.
5. Double-click the thumbnail placeholder for the component to open the dialog box.
6. Click the Image tab to open the Image pane of the dialog box. Drag-and-drop an image from the Content Finder to the dialog box.
Goal
The following instructions explain how to browse the application/server interfaces
associated with a CQ5 installation. This will enable you to use their administrative/
configuration capabilities. To successfully complete and understand these instructions, you will need:
A running CQ5 Author instance
1. Enter the URL http://localhost:4502/admin in your favorite Web browser's address bar.
2. Enter the default administrator's credentials (admin/admin) in the dialog, then click OK. The CQSE main console appears.
Congratulations! You have successfully logged into the CRX application and have browsed
2. Enter the default administrator's credentials (admin/admin) in the dialog, then click OK. The Apache Felix Web Management Console appears, showing you the Bundles application.
3. Follow the link Recent requests, then click on the Clear link to remove recent requests
2. In the upper right corner, click on the drop-down box displaying your user name (admin), then select Login. Enter the default administrator's credentials (admin/admin) in the dialog that appears, while continuing to use the crx.default workspace, then select OK.
This will take you to CRXDE Lite with appropriate privileges and permissions.
Goal
As you may have already observed, all interfaces in CQ share the same credentials for the admin user. The following instructions explain how to change the default passwords of CQ. This is important because it is part of the security checklist that will ensure your
primary security concern you will focus on in this exercise is the simple changing of passwords, so that you may set up a team development environment as soon as the class is over.
When considering a standard CQ installation, there are three password changes and one
configuration you need to alter. If you consider a standard installation, and the elements involved, it actually becomes quite clear. Reflect on the image below:
[Figure: CQSE, Launchpad (Felix/Sling) config, CRX]
Change Password:
Old Password:
New Password:
Confirm:
Note: Your browser will ask you to re-authenticate after the change.
e.g. http://localhost:4502/crx
2. Follow the Log In link.
e.g. http://local
2. Enter the default administrator credentials - then select OK.
User Name:
Password:
3. Select Configuration.
Console
Launchpad configuration
4. From the Configurations drop-down box, select the entry named Apache Felix OSGi
1. Select CRX Sling Client Repository (second entry, with the long ID) from Configuration
2. Enter the new password in the field labeled Admin Password (training_crx), then click the Save button.
NOTE
It may take a minute or two for the changes to the CRX Sling Client Repository configuration to populate thoroughly.
Goal
OSGi is a fundamental element in the technology stack of CQ5. It is used to control the composite bundles of CQ and their configuration.
This allows easy management of bundles, as they can be stopped, installed, and started individually. The interdependencies are handled automatically. Each OSGi Component (see the OSGi Specification) is contained in one of the various bundles.
5. Fill in the dialog box:
Name: config
Type: sling:Folder
Now you must add properties to the com.day.cq.wcm.core.impl.VersionManagerImpl node. You add properties by
Type: Boolean
Value: checked (true)
Congratulations! You have successfully configured an OSGi bundle! Now go back to the CQ5 Author interface and use the sidekick to create more than 5 versions of any page. Notice what happens to the list of versions once you have more than 5 versions.
Return user input (for example, form input) from the publish environment to the author environment (under control of the author environment).
been preconfigured.
The replication agent "packages" the content and places it in the replication queue.
The colored status indicator is set for the individual pages in the SiteAdmin
console (Websites tab)
The content is lifted from the queue and transported to the publish environment
using the configured protocol
Normally, the configured protocol is HTTP.
A servlet in the publish environment receives the request and publishes the
received content.
Use for Reverse Replication: Indicates whether this agent will be used for reverse replication; returns user input from the publish to author environment
6. Choose the Transport tab
7. Make sure that the server and port specified in the URI are correct for the first Publish instance.
8. Verify that the specified User and Password are correct to access the first
Publish instance.
9. Click OK to save the settings.
name (or alias) and context path to the target instance here.
For example:
A Default Agent may replicate to http://localhost:4505/bin/receive?
method.
15. Select the Transport Tab and set the URI to the correct values for the second
Publish instance. Also make sure that the User and Password are correct for the
second Publish instance.
16. Click OK to save the settings.
The following settings are only needed if a proxy is configured in the network.
Proxy Host: Hostname of the proxy used for transport.
connection.
Socket Timeout: Timeout (in milliseconds) to be applied when waiting for traffic after a connection has been established.
Protocol Version: Version of the protocol; for example "1.0" for HTTP/1.0.
3. Double-click the link to agents for the appropriate environment (either the
left or the right pane); for example, Agents on author. The resulting window shows an overview of all your replication agents for the author environment, including
Goal
From the Websites tab you can activate the individual pages. When you have
entered, or updated, a considerable number of content pages - all of which are resident under the same root page - it can be easier to activate the entire tree in one action. You can also perform a Dry Run to emulate an activation and
Path. The Start Path specifies the path to the root of the section you want to
activate (publish). This page, and all pages underneath, will be considered for
Goal
The Dispatcher is Day's caching and/or load balancing tool. Using the Dispatcher also helps protect your application server from attack. Therefore,
you can increase protection of your CQ instance by using the Dispatcher in
documentation.
Install the Dispatcher module appropriate to the chosen web server and
temporary directory. The Dispatcher files are located on the memory stick under /distribution/dispatcher.
2. Add the Dispatcher to the list of available ISAPI filters (by adding the DLL to
Inside the Internet Service Manager, right click the root node of the appropriate
website, then open its Properties dialog.
To activate the changes you have to restart IIS. Either from the IIS control window or from a command window:
net stop w3svc - will stop the IIS web publishing service
Congratulations! You have successfully integrated the Dispatcher with the IIS web server.
LoadModule to load the module on start up. Dispatcher-specific configuration entries, including DispatcherConfig, DispatcherLog and DispatcherLogLevel.
#
# configure the minimal setting for the dispatcher
# if turned to 1, request to / are not handled by the dispatcher
# use the mod_alias then for the correct mapping
DispatcherDeclineRoot 0
# Defines whether to use pre-processed URLs:
# 0 - use the original URL passed to the web server.
# 1 - the dispatcher uses the URL already processed by the handlers
# that precede the dispatcher
# (i.e. mod_rewrite) instead of the original URL passed to the web server.
Goal
Now that we have integrated the CQ5 Dispatcher with the web server, we must
configure the Dispatcher so that it can find its associated Publish instances, knows which pages to cache and where to cache them.
In this exercise we will configure the Dispatcher with appropriate settings to
cache pages as desired, and define a Dispatcher Flush agent to invalidate the
cache in response to content update. To successfully complete and understand these instructions, you will need:
A running CQ5 Author instance
A running CQ5 Publish instance
can change the name and location of this file during installation. The dispatcher.any file is independent of web server and operating system, so the following instructions are appropriate to both IIS and Apache. The only difference between the two configurations is the usage of the property /homepage, which is used only by IIS.
To configure the Dispatcher:
1. Open the dispatcher.any file with the text editor of your choice.
2. Make sure the /farms section matches your infrastructure. The /farms section defines a list of farms or websites. Each /farms section defines:
A set of load-balanced renderers. The IP addresses and ports of the publish instances to serve and cache content
from.
3. Verify the list of client headers in the clientheaders section.
/farms
  {
  # first farm entry (label is not important, just for your convenience)
  /website
    {
    # client headers which should be passed through to the render instances
    /clientheaders
      {
      "user-agent"
      "authorization"
      "referer"
      "accept-encoding"
      "accept-language"
      "accept"
      "host"
      "if-match"
      "if-none-match"
      "if-range"
      "if-unmodified-since"
      "max-forwards"
      "from"
      "proxy-authorization"
      "proxy-connection"
      "cq-action"
      "cq-handle"
      "handle"
      "action"
      "range"
      "cookie"
      "cqstats"
      }
dispatcher configuration). You can define several renders within a farm for load balancing.
/farms
  {
  # first farm entry (label is not important, just for your convenience)
  /website
    {
    # the load will be balanced among these render instances
    /renders
      {
      /publish1
        {
        # hostname or IP of the render
        /hostname "127.0.0.1"
        # port of the render
        /port "4503"
        }
      /publish2
        {
        # hostname or IP of the render
        /hostname "127.0.0.1"
        # port of the render
        /port "4504"
        }
      }
Using filters, you can specify which requests are accepted by the Dispatcher
module. All other requests are sent back to the server, where they are offered to the other modules that run on the web server.
7. Adapt the filter properties to allow or deny access to certain paths.
NOTE
Day Software best practices suggest that you deny access to /libs, /etc, /crx, /admin, /var, /tmp, /home, /apps and any other URIs that should not be accessible from outside. Please see the Security Checklist for further considerations when restricting access using the Dispatcher.
/farms
  {
  /website
    {
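A small model of how such a deny list behaves, as an added example (not Day's code and not the course's dispatcher.any). It assumes Dispatcher's documented evaluation, where each /glob is applied to the whole request line and the last matching rule decides; the rule set and request lines are constructed from the prefixes in the note above.

```python
from fnmatch import fnmatchcase

# Prefixes the note above says must not be reachable from outside.
INTERNAL_PREFIXES = ["/libs", "/etc", "/crx", "/admin", "/var", "/tmp", "/home", "/apps"]

# Constructed request lines (method, URL, protocol); not taken from a real log.
SAMPLE_REQUESTS = [
    "GET /content/geometrixx/en.html HTTP/1.1",
    "GET /homepage.html HTTP/1.1",
    "GET /libs/cq/core/content/welcome.html HTTP/1.1",
    "GET /crx HTTP/1.1",
    "GET /admin HTTP/1.1",
    "POST /apps/training/components HTTP/1.1",
]


def build_rules(prefixes, loose=False):
    """Constructed rule list: allow everything, then deny each internal prefix.

    Each rule is (type, glob). loose=True uses a bare prefix glob, which also
    catches unrelated public paths that merely start with the same letters.
    """
    rules = [("allow", "*")]
    for prefix in prefixes:
        if loose:
            rules.append(("deny", f"* {prefix}*"))
        else:
            rules.append(("deny", f"* {prefix} *"))  # the node itself
            rules.append(("deny", f"* {prefix}/*"))  # everything below it
    return rules


def decide(rules, request_line):
    """Return 'allow' or 'deny'. The last matching rule wins; a request that
    matches no rule at all is denied (an assumption of this model)."""
    verdict = "deny"
    for rule_type, glob in rules:
        if fnmatchcase(request_line, glob):
            verdict = rule_type
    return verdict


def still_allowed(rules, request_lines):
    """Request lines that would pass the filter and reach a render instance."""
    return [line for line in request_lines if decide(rules, line) == "allow"]


if __name__ == "__main__":
    strict = build_rules(INTERNAL_PREFIXES)
    variants = {
        "strict deny list": strict,
        "loose globs (over-blocks /homepage.html)": build_rules(INTERNAL_PREFIXES, loose=True),
        "catch-all allow placed last (denies have no effect)": list(reversed(strict)),
    }
    for label, rules in variants.items():
        print(label)
        for line in still_allowed(rules, SAMPLE_REQUESTS):
            print("  allowed:", line)
```

Running the same sample through a reordered rule list is a quick way to confirm that a catch-all allow never ends up after the deny entries.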
/docroot: This link points to the document root of the web server.
/statfile and /statfileslevel define which parts of the website tree are
invalidated when pages are activated.
The docroot link points to the document root of the web server. This is where
the Dispatcher stores the cached documents, and this is where the web server
looks for them. If you use multiple render farms, you have to define a different
document root on the web server for each farm, and specify the corresponding
link here.
8. Define the location of the web server cache to the Dispatcher.
/farms
  {
  /website
    {
    /cache
      {
      # the cacheroot must be equal to the document root of the webserver
      # /docroot "C:/Inetpub/wwwroot"
      /docroot "<Apache_document_root>"
9. Configuration of the Dispatcher is not yet complete, but at this point we can test the configuration of the Dispatcher with the web server. Save your changes
to the dispatcher.any file.
authenticated documents.
/allowAuthorized "0"
The rules property defines which documents are cached, though the Dispatcher never caches a document in the following circumstances:
If the HTTP method is not GET.
Other common methods are POST for form data and HEAD for the HTTP header.
The web server needs the extension to determine the document type (the MIME type).
/statfileslevel "2"
/allowAuthorized "0"
/rules
  {
  /0000
    {
    /glob "*"
    /type "allow"
    }
  /0001
    {
    /glob "/en/news/*"
    /type "deny"
    }
  /0003
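The caching decision described above, sketched as an added example (a simplified model, not Dispatcher's own code). It covers only the conditions named on this page: the method, the file extension, /allowAuthorized, and the two complete /rules entries with the last matching rule deciding. Treating "authenticated" as "carries an Authorization header" and all sample requests are assumptions made for the example.

```python
import posixpath
from fnmatch import fnmatchcase

# The two complete /rules entries from the excerpt above, in file order.
CACHE_RULES = [("allow", "*"), ("deny", "/en/news/*")]


def cache_decision(method, path, headers, rules=CACHE_RULES, allow_authorized=False):
    """Return (cacheable, reason) for one request.

    allow_authorized=False corresponds to /allowAuthorized "0": a response
    produced for an authenticated request is never stored, so it cannot be
    served from the cache to a later, unauthenticated visitor.
    """
    if method.upper() != "GET":
        return False, "method is not GET"

    # Without an extension the web server cannot determine the MIME type.
    extension = posixpath.splitext(posixpath.basename(path))[1]
    if not extension:
        return False, "no file extension"

    # Model assumption: an Authorization header marks the request as authenticated.
    authenticated = any(name.lower() == "authorization" for name in headers)
    if authenticated and not allow_authorized:
        return False, "authenticated request and /allowAuthorized is 0"

    # Last matching rule wins; no matching rule means "do not cache" (model assumption).
    verdict = "deny"
    for rule_type, glob in rules:
        if fnmatchcase(path, glob):
            verdict = rule_type
    if verdict != "allow":
        return False, "denied by /rules"
    return True, "cacheable"


# Constructed requests: (method, path, headers).
SAMPLE_REQUESTS = [
    ("GET", "/en/about.html", {}),
    ("GET", "/en/news/today.html", {}),
    ("GET", "/en/about", {}),
    ("POST", "/en/contact.html", {}),
    ("GET", "/en/about.html", {"Authorization": "Basic <constructed>"}),
]

if __name__ == "__main__":
    for method, path, headers in SAMPLE_REQUESTS:
        cacheable, reason = cache_decision(method, path, headers)
        auth = "auth" if headers else "anon"
        print(f"{method:4} {path:22} {auth:4} -> {cacheable} ({reason})")
```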
5. Open the Triggers tab. Make sure only the On Modification parameter is checked.
Goal
As data is never overwritten in a tar file, the disk usage increases even when only updating existing data. When optimizing, the Tar Persistence Manager copies data that is still used from old tar files into new tar files and deletes the
old tar files that contain only old or redundant data.
This exercise will show you multiple ways to optimize the Tar PM. To successfully complete and understand these instructions, you will need:
A running CQ5 Author instance
Since our repository has only 1 tar file (we haven't made enough changes to the repository), the optimization will have no effect.
Goal
Online repository backup lets you create, download and remove backup files. It is a "hot" or "online" backup feature and therefore can be executed while the repository is being
used normally in the read-write mode. Backup files are saved in the ZIP compression format.
In this exercise, you will create a "hot" backup of your Author repository. To successfully
complete and understand these instructions, you will need:
A running CQ5 Author instance
This method works as a hot or online backup, so you can perform this backup while the
repository is running. The repository is usable while the backup is running, however
performance of the repository will decrease. This method works for the default, TarPM-based CRX instances.
Backup files are saved in the ZIP compression format. By default, they are saved in the
parent folder of the folder where the quickstart .jar is running. You can change the
location where CRX saves backup files.
To create a backup:
3. Go to the following URL: http://localhost:4502/crx. This will take you to the CRX Main Console.
4. Log in as the administrator.
5. Click Repository Configuration
The online documentation provides deeper information regarding this crucial topic, including different scenarios like backing up a clustered node, etc. Check it out under http://dev.day.com/content/docs/en/crx/2-0/administering/backup_and_restore.html.
Congratulations! You have successfully created a full backup of your Author repository without taking the instance down.
The first thing we need to do is decide on the central, network-accessible location where we will put the shared journal. In general you would have the
shared path pointing to a mounted network drive (via NFS/SAN), but for our purposes, any central location will do. For example, we can choose C:\cq\shared.
1. Make sure that the node that will become the Master, the node running on port 4502, is not running.
C:\cq.
3. We will tell the Master node where to find its shared journal. Navigate to <InstallDir>/repository.
4. Open repository.xml with a text editor.
5. Find the Cluster element and make the following changes:
5. Notice that this instance believes that it is the master of its own cluster. Notice the shared path points to its own repository.
6. Enter the shared path of our new cluster into the shared path input field.
[Screenshot: cluster Join form showing Host localhost:4504, Repository Home C:\cq\author2\crx-quickstart\repository, and the Shared path input field]
7. Click Join.
The join will take a few minutes as the Slave repository is being rewritten with
the information from the Shared Journal.
Goal
The following instructions explain how to create a CQ package that will combine all elements of the Training project, minus all jpegs. This is a good
example of packaging application content, which you could then distribute to team members for review. To successfully complete and understand these
instructions, you will need:
ions
in the package, such as a description, a visual image, or an icon. These properties are for the content package consumer for informational purposes
only.
Build packages
Upload packages
Install packages
Download packages from the package share library
Download packages from CQ to a local machine
Apply package filters
5. Enter the package "Group Name" (training) and "Package Name" (trainingproject).
7. Add the Component Filter Definition to the paragraph system Component then open (e.g. double-click).
8. Enter the "Root Path" (/apps/training) and a "Rule" that excludes all jpegs
A /apps/training/components/content/complex/.content.xml
A /apps/training/components/content/complex/complex.jsp
A /apps/training/components/content/complex/dialog.xml
A /apps/training/components/content/complex/design_dialog.xml
A /apps/training/components/content/complex/_cq_editConfig.xml
A /apps/training/components/content/search
A /apps/training/components/content/search/.content.xml
A /apps/training/components/content/search/search.jsp
. /apps/training/training-widgets J s
10. Download the package by entering the URL of the package's ZIP in your Web browser's address bar.
filter definition, built the package, and have downloaded the package, which you can now share with your CQ development team.
<response>
<data>
+-----------+----------------------------------------+
| Arguments | Comment                                |
+-----------+----------------------------------------+
| cmd=help  | print this help                        |
| cmd=rm    | remove a package                       |
| name      | package name                           |
| (group)   | group name (optional)                  |
+-----------+----------------------------------------+
| cmd=ins   | installs a package                     |
| name      | package name                           |
| (group)   | group name (optional)                  |
| cmd=unins | uninstalls a package                   |
| name      | package name                           |
| (group)   | group name (optional)                  |
+-----------+----------------------------------------+
| GET       | downloads a package.                   |
|           | (content-disposition header contains
</data>
<status code="200">ok</status>
</response>
</crx>
4. Install a package. Enter the following command to install the package you just
uploaded.
</request>
A /content/dam/photos/img4.jpg/jcr:content/renditions/cq5dam.thumbnail.48.48.png/jcr:content
A /content/dam/photos/img4.jpg/jcr:content/renditions/original
A /content/dam/photos/img4.jpg/jcr:content/renditions/original/jcr:content
</log>
</data>
<status code="200">ok</status>
</response>
</crx>
Goal
Various CQ5 log files provide detailed information about the current system state. In addition to the default system log files you can also create and customize your own log files. They can help you better track messages produced by your own applications and separate them from the default log entries.
In this example, we will generate a new log file and monitor only messages produced by a specific set of CQ5 modules. To successfully complete and
1. Open CRXDE Lite so that you can define a new configuration for the custom log file. You can also use CRXDE or CRX Content Explorer to achieve the same
results.
Create the Logging Logger
3. Under /apps/geometrixx/config, create a node for the new Apache Sling Logging Logger Configuration. Right-click on the new config node and Select
New... Node.
Name:
Type: sling:OsgiConfig
A logging writer is only necessary when you need a configuration that is different from the default. The default writer uses a default size of 10MB and 5 as the default number of files.
5. Under /apps/geometrixx/config, create a node for the new Apache Sling
Logging Writer Configuration. Right-click on the config node. Select New... Node.
Name:
Type: sling:OsgiConfig

Name:
Type: String
Value: ../logs/training.log

Name: org.apache.sling.commons.log.file.size
Type: String
Value: 1mb

Name: org.apache.sling.commons.log.file.number
Goal
This exercise describes how to configure and manage user authentication and
authorization within the CQ5 scope. To successfully complete and understand these
instructions, you will need:
Users: A user models either a human user or an external system connected to the system.
The user account holds the details needed for accessing CQ. A key purpose of an
account is to provide the information for the authentication and login processes -
allowing a user to log in. Each user account is unique and holds the basic account
details, together with the privileges assigned. Users are often members of Groups, which simplify the allocation of these permissions and/or privileges.
Groups: Groups are collections of users and/or other groups; these are all called Members
of a group. Their primary purpose is to simplify the maintenance process by reducing the number of entities to be updated, as a change made to a group is applied to all members of the group.
Both users and groups can be configured using the Security Console. You can manage all users, groups, and associated permissions using the Security Console. All the procedures described in this section are performed in this window.
First, we will create 2 user accounts. After that, we create a group and assign some
project specific restrictions to it. Finally, we add the new users to this group.
1. In the Security window tree list, click Edit > Create > Create User.
2. The Create User dialog box appears. Enter the required details and click Create:
7. Click the Page Permissions tab. You will notice that John has no access to any part of
8. Click the Replication Privilege tab. You will note the same. John has no rights to
replicate/activate pages.
9. Click the Privileges tab. You will note that he does not have privileges to modify the
hierarchy.
10. No users are specified as potential impersonators of John.
We now want to create a group with some access rights you could use in future projects, then put the created user(s) into this group. The requirement list for the members of this group looks like:
Provide access only to the consoles Websites and Digital Assets. That means access is denied to the other ones (Tools, Users, Workflow, Tagging).
Members of this group are allowed to modify content of already existing pages located under Geometrixx > English, add new paragraphs and delete them.
Pages located under Geometrixx > French (Français) should be accessed in read-only mode.
Page Geometrixx > German (Deutsch) is not accessible at all (not visible) to members of the group.
2. Click the Page Permissions tab. The tree map will open.
3. It's a good idea to provide read access to the entire repository. Project-specific restrictions can easily be added at a later point. Select the node CQ. By default, users have all access rights denied. To provide read access to the root node (CQ), double-click under the column Read and select "allow" from the drop-down box that appears. Since access rights are automatically inherited by child nodes, all members of the Legal group now have read access to all nodes in the CRX repository.
4. Click Save.
5. Navigate in the tree map to the page you want to add permissions. In our case: CQ/content/Geometrixx Demo Site/English.
6. Click the page in the tree. Notice the permissions specified on the right.
7. Double-click under the column Modify and select "allow" from the drop down list.
8. Do the same for the columns Create and Delete. The red corner indicates that the item listed has not yet been saved.
9. Save.
10. Navigate to CQ/content/Geometrixx Demo Site/Deutsch and select "deny" in the Read column.
11. Save.
12. Set Modify rights to "deny" on node CQ/etc/Designs to restrict general usage of all designs or select the appropriate design you want to constrain. Make sure Read access to designs is still granted; otherwise, page content cannot be correctly rendered.
13. Click Save to persist your modifications into the CRX repository.
6. Now let's modify the replication privileges for the French branch. Click Add and select the page CQ/content/Geometrixx Demo Site/Français. Deny replication privileges to it.
7. Repeating the previous step, Allow replication to CQ/content/Geometrixx Demo Site/Français/products.
8. Click Save.
As you can see, you can provide fine-grained replication privileges not only for an entire tree branch, but even on page level.
Users without replication privilege granted still have access to the Activate/Deactivate buttons. Clicking on them will not have the desired effect immediately. Instead, a workflow is started which puts the requested action in the inbox of a privileged user, requesting him to approve and finish the action.
Setting standard privileges:
Standard privileges included in the installation of CQ WCM are for modifying the
hierarchy; in other words, creating or deleting pages. The list of privileges available may be extended for your project.
1. Select the Legal group from the list, double-click to open, and click Privileges.
2. The Hierarchy Modification privileges will be shown. Make sure Deny is selected.
3. If necessary, click Save.
Deny access rights to consoles:
6. Follow the link New ACE. The section Local Access Control Policies changes its
appearance.
7. Click the Browse button. A new window labeled Principal Browser appears, displaying all available users and groups.
8. Select the Legal group and click the Select button. The window Principal Browser closes and the selected group Legal is shown in the column Principal.
12.Repeat steps 3 - 10 to modify the access rights to the other console buttons. The
console buttons are represented in CRX by following nodes:
/libs/wcm/core/content/siteadmin
Admin
/libs/wcm/core/content/damadmin
/libs/wcm/core/content/misc
/libs/cq/security/content/admin
Tools
Security (Users)
Workflow
/libs/cq/workflow/content/console
/libs/cq/tagging/content/tagadmin
Tagging
After you have browsed some pages, you can finish impersonation by clicking the impersonated user's name and selecting Revert to self.
1. In the Security window, select Jane Smith (jsmith). If you want to delete multiple
Goal
You can configure LDAP authentication as a JAAS (Java Authentication and Authorization Service) module. For this, you need to specify the JAAS configuration file to the virtual machine.
This exercise will show you how to integrate with an LDAP server and import users from the LDAP server to the CQ5 instance. To successfully complete and understand these instructions, you will need:
A running CQ5 author instance
An LDAP server
Extract the zip archive to the C:\ drive. As a result, you'll have the LDAP server installed in C:\openldap. Open a command shell (Start > Run..., type in cmd, hit Enter). In the command shell, change directory to the OpenLDAP folder by
2. Then enter the command slapd -d 1 which starts the LDAP server. The LDAP server has fully started when you see the following line at the end of the command shell window:
[Screenshot: LDAP connection settings with Anonymous bind, User Info (DN, Password), Host: localhost, Port: 389]
9. You will see the defined users and groups that will be imported into CQ5.
<UserManager class="com.day.crx.core.CRXUserManagerImpl">
    <param name="usersPath" value="/home/users"/>
    <param name="groupsPath" value="/home/groups"/>
</UserManager>
JAAS works on the basis of "LoginModules". In a JAAS configuration file you can
define a sequence of login modules.
An incoming request will be accepted by the first defined login module for
authentication. If the login module cannot authenticate, the request will be passed on to the next login module in the list of definitions.
com.day.crx.core.CRXLoginModule sufficient;
Only if the user of the request cannot be found among the local CRX users, the request will be handed over to the next login module, which is the LDAP login
module:
};
cache.maxsize="100";
NOTE
The ldap_login.conf configuration information used for this exercise is specific to the LDAP server provided for this exercise. Your configuration information will be different and specific to your directory server.
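The fall-through between login modules described above follows from the JAAS control flags. The following is an added example, not part of the training material: it parses a constructed configuration and applies the standard flag rules to show which modules are consulted for a local user, an LDAP-only user and an unknown user. The LDAP module class name, its required flag and its host/port options are hypothetical.

```python
import re

# Constructed sample. The first entry and cache.maxsize come from the exercise;
# the LDAP module class name, its "required" flag and host/port are hypothetical.
SAMPLE_CONF = '''
com.day.crx {
    com.day.crx.core.CRXLoginModule sufficient;
    example.ldap.HypotheticalLdapLoginModule required
        host="localhost"
        port="389"
        cache.maxsize="100";
};
'''

ENTRY = re.compile(r'([\w.$]+)\s+(required|requisite|sufficient|optional)'
                   r'((?:\s+[\w.]+\s*=\s*"[^"]*")*)\s*;')
OPTION = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Return {application: [(module_class, flag, options_dict), ...]}."""
    apps = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\}\s*;', text, re.S):
        apps[name] = [(m, f, dict(OPTION.findall(o)))
                      for m, f, o in ENTRY.findall(body)]
    return apps

def evaluate(chain, outcomes):
    """Apply the JAAS control-flag rules to one login attempt.
    outcomes maps module class -> True/False (did it authenticate the user).
    Returns (accepted, modules_consulted)."""
    consulted, mandatory_ok, any_ok, has_mandatory = [], True, False, False
    for module, flag, _ in chain:
        ok = outcomes[module]
        consulted.append(module)
        any_ok = any_ok or ok
        if flag in ("required", "requisite"):
            has_mandatory = True
            mandatory_ok = mandatory_ok and ok
            if flag == "requisite" and not ok:
                break                      # requisite failure stops the chain
        elif flag == "sufficient" and ok and mandatory_ok:
            return True, consulted         # success short-circuits the chain
    return (mandatory_ok if has_mandatory else any_ok), consulted

CHAIN = parse_jaas(SAMPLE_CONF)["com.day.crx"]
CRX, LDAP = CHAIN[0][0], CHAIN[1][0]
```

Because the local module is sufficient and listed first, a local account that authenticates successfully is accepted without the directory being consulted, so local accounts need to be reviewed separately from directory accounts.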
7. Restart CQ5 for the changes to take effect. From the command line start CQ5 with the following option:
java -Djava.security.auth.login.config=crx-quickstart/server/etc/ldap_login.conf -jar cq-author-4502.jar
CRX logs a message (default logging config) confirming which authentication configuration will be used:
default Repository Login-configuration
external JAAS login-configuration
Human Resources, Products and Management. All groups are members of the Authors group.
The users themselves are distributed over the department-specific groups;
none of them is explicitly in the Authors group, but implicitly, since their specific groups themselves are members of the Authors group.
5. Examine the ldap.log and error.log files from CRX to debug errors.
The online documentation provides you with comprehensive information regarding LDAP
urrent/admin ng/ldap....authentication.html .
Congratulations! You have successfully integrated CQ5 with an LDAP server and
relevant to project managers and system administrators to ensure that their projects will not face performance challenges when launch time comes.
experience of the development team. While your project may ultimately not
require all of the allocated time, it is good practice to always plan for
performance optimization in that suggested range.
Whenever possible, a project should first be soft-launched to a limited audience
in order to gather real-life experience and perform further optimizations,
Once you are "live", performance optimization is not over. This is the point in time when you experience the "real" load on your system. It is important to plan for additional adjustments after the launch.
Since your system load changes and the performance profile of your system
shifts over time, a performance "tune-up" or "health-check" should be
Simulate Reality
If you go live with a Web site and you find out after the launch that you run into
performance issues there is only one reason for that: Your load and
Simulating reality is difficult and how much effort you will reasonably want to invest into getting "real" depends on the nature of your project. "Real" means
not just "real code" and "real traffic", but also "real content", especially
regarding content size and structure. Keep in mind that your templates may
behave completely differently depending on the size and structure of the
repository.
Establish Solid Goals
There are a certain number of issues that frequently contribute to performance issues which mainly revolve around (a) dispatcher caching inefficiency and (b) the use of queries in normal display templates. JVM and OS level tuning usually
Your best friends during a usual performance optimization exercise are the
request.log, component based timing, and last but not least - a
Java profiler.
Components.
e.g. /content/training/en/company
3. Review the response times directly related to the previous step's request.
A Page request of /content/training/en/company
Components.
e.g. /content/training/en/company
<div class="toolbar"><script type="text/javascript">CQ.WCM.edit({"path":"/content/training/en/company/jcr:content/toolbar","type
</script>
</div>
<div class="disclaimer">disclaimer</div>
Web browser.
5. Investigate the visual output to identify any Component that may be causing
a slow response time.
1. Navigate to the helper tool rlog.jar located in <cq-install-dir>/crx-quickstart/opt/helpers using your command line.
2. Enter the command java -jar rlog.jar in your command line to get help concerning possible arguments.
Again, this is to aid you in reviewing the performance of specific Pages, so that you may meet your project's performance goals.
To investigate a system where some processes are really slow but not blocking:
A simple CPU profiling tool is included with CRX 2.0.x. To start it, open:
http://localhost:4502/crx/diagnostic/prof.jsp
1. Set the sample interval and stack depth (or use the default)
2. Click "Start Collecting" and wait to collect data while your slow process executes
3. Click "Stop" to stop data collection
Goal
If an application opens JCR sessions explicitly, it is the responsibility of the developer to ensure the proper closure of these sessions. If not, such sessions will not be subject to garbage collection and thus will stay in memory, causing the
above listed symptoms. Each JCR session (CRXSession) creates and maintains its
1. Discover the process id for the CQ5 process by issuing the following
2. Run the following command to determine the overall number of current CRXSessions held in memory:
This will generate a new file output.txt that contains the stack trace of unclosed
sessions, sorted by stack trace content. Each stack trace is one line, and 'compressed' a bit (repeated prefixes are removed). The session id is at the end of the line.
com.day.crx.j2ee.JCRExplorerServlet.login(JCRExplorerServlet.java:521)
ResourceServlet.spoolResource(ResourceServlet.java:148)
java.lang.Thread.run(Thread.java:595): session# 10023
This example means session #10023 was not closed, and the stack trace
included the given lines when the session was opened. Based on this output you should be able to find the defect code location and fix the problem.
Congratulations! You have successfully found and analyzed unclosed JCR
sessions.
a. Navigate to /apps/geometrixx.
b. Right-click on the geometrixx node.
c. Select Create and follow the arrow to Create Node.
[Screenshot: Create Node dialog with Name: config, Type: sling:Folder]
Goal
Sometimes it makes sense to analyze the network traffic between the client
(web browser) and the server (CQ5) to detect possible bottlenecks. For this purpose we use a tool provided out-of-the-box by CQ5: proxy.jar.
This tool redirects all HTTP requests to/from the server. This utility, which logs the complete HTTP conversation, is installed as a proxy between a client and a server.
Proxy.jar is not aware of the underlying application protocol. It simply dumps the complete communication stream including content and headers. This
means you can use the application to analyze traffic of any protocol, e.g., SMTP,
LDAP, HTTPS, etc. Proxy.jar can also be used as a simple port forwarding proxy
Check for cookies and their values
Check for HTTP request and response headers and their values
Check if "Keep-Alive" works
In this example, we will install proxy.jar between the browser client and CQ5.
To successfully complete and understand these instructions, you will need:
A running CQ5 Author instance
proxy.jar from <InstallDir>/crx-quickstart/opt/helpers
proxytext.zip content package containing a sample template for use with proxy.jar
http://localhost:4502/crx
2. Login as admin.
Description
Host of the running CQ5 instance, e.g. "localhost"
The port used by the CQ5 instance to which proxy.jar will forward all requests, e.g. "4502".
on which proxy.jar is listening.
e.g. "44",
Description
-q
Quiet Mode
Use it if you don't want proxy.jar to
outputting to the console slows down the connection), you can redirect the output to a log file with this option.
-b
Binary Mode
This option helps you look for specific byte combinations in the traffic. The output will contain hexadecimal and character output.
-t
log entries
option adds a timestamp to each log entry. The time resolution is in checking single requests. Use the Timestamps option if you run proxy.jar over a longer time period.
-logfile <filename>
Dumps the conversation into a log file, even if in "Quiet Mode -q".
-i <numIndentions>
Add Indention
For better readability, each active connection gets indented. If the default 16 levels do not suit you, you can change the amount by adding the <numIndentions> you want.
3. Open the log file proxytest.log and analyze a section of log entries. Keep in
mind that we used a simple script displaying some text and a .png image. So
we should see two connections for this related request. Any other connections
The start of the first connection (0) requesting the main HTML page. The HTTP header fields are listed:
C-0-#000000 -> (GET /proxytest.html HTTP/1.1 )
C-0-#000030 -> (Host: localhost:4444 )
C-0-#000052 -> (User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 )
The client requests a "Keep Alive" connection (wants to send multiple requests over the same connection):
C-0-#000355 -> (Keep-Alive: 300 )
C-0-#000372 -> (Connection: keep-alive )
This proxy tool is also useful to verify if cookies are properly set or not. Here
we see a generated cookie named JSESSIONID. This cookie is automatically
%253AI;
ys-cq-cf-tabpanel=o)
C-0-#000678 -> (%3AactiveTab%3Ds%253AcfTab-Images;
The above exercise is simple and the log entries should be easy to analyze,
since the two connections occur one after the other (first HTML request, then
the browser realizes that it has an image to request and opens a second connection). Generally, a normal page generates many parallel requests for
images, css, javascript files, etc., each of which are referenced within the HTML
stream. So the log entries will overlap on parallel open connections. In that case, it's recommended to start the proxy with option "-i", (add indentions) to
get better readability.
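When entries from parallel connections overlap as described above, they can also be separated after the fact by grouping on the connection number in each line prefix. The following is an added example, not part of the training material or of proxy.jar: it demultiplexes a constructed log and reports, per connection, the request line, whether both sides sent an explicit keep-alive, and cookies set without HttpOnly. The "S" prefix for server-side lines and the sample cookie value are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in the side-connection-#offset form shown in the exercise.
# Assumption: server-to-client lines carry an "S" prefix mirroring the "C" lines.
SAMPLE_LOG = """\
C-0-#000000 -> (GET /proxytest.html HTTP/1.1 )
C-0-#000030 -> (Host: localhost:4444 )
C-1-#000000 -> (GET /proxytest.png HTTP/1.1 )
C-0-#000052 -> (Connection: keep-alive )
C-1-#000029 -> (Host: localhost:4444 )
S-0-#000000 -> (HTTP/1.1 200 OK )
S-0-#000017 -> (Set-Cookie: JSESSIONID=abc123; Path=/ )
S-0-#000056 -> (Connection: Keep-Alive )
S-1-#000000 -> (HTTP/1.1 200 OK )
S-1-#000017 -> (Connection: close )
"""

# Accept either bracket style around the payload; the payload may contain ")".
LINE = re.compile(r'^\s*([CS])-(\d+)-#(\d+)\s*->\s*[\[(](.*?)\s*[\])]\s*$')

def demux(log_text):
    """Group payload lines by connection number and side, keeping their order."""
    conns = defaultdict(lambda: {"C": [], "S": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            side, conn, _offset, payload = m.groups()
            conns[int(conn)][side].append(payload)
    return conns

def header_values(lines, name):
    """Values of every header called `name` (case-insensitive) in one side's lines."""
    return [l.split(":", 1)[1].strip() for l in lines
            if l.lower().startswith(name.lower() + ":")]

def summarize(conns):
    """Per connection: request line, explicit keep-alive on both sides, weak cookies."""
    report = {}
    for cid, sides in sorted(conns.items()):
        keep = all("keep-alive" in [v.lower() for v in header_values(sides[s], "Connection")]
                   for s in "CS")
        weak = [c.split("=", 1)[0] for c in header_values(sides["S"], "Set-Cookie")
                if "httponly" not in c.lower()]
        report[cid] = {"request": sides["C"][0] if sides["C"] else None,
                       "keep_alive_both_sides": keep,
                       "cookies_without_httponly": weak}
    return report
```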
Congratulations! You have successfully analyzed a conversation between a CQ5
As with any upgrade, you should carefully consider value versus risk for your
deployment. This includes testing the planned upgrade to ensure it passes your acceptance tests.
development tools
CQ5 Platform: CRXDE support package for CRXDE Lite and CRXDE
The recommendation not to upgrade the Apache Sling and Felix frameworks, or any other application components, ensures that the stability of the CQ5
CRXDE Lite was a separate web application in CQ 5.3 (CRX 2.0). It is now
integrated into the main CRX web application.
/crx
referencing the following file from the unpacked CRX 2.1:
crx-quickstart/server/webapps/crx-explorer_crx.war
Console (http://<host>:<port>/system/console) and check if all the bundles have been
started. If a restart does not help, please start the bundles manually.
accessing:
CRX
for example, http://localhost:4502/crx/index.jsp The version details on the welcome screen will now show 2.1.
CRXDE Lite
CQ
use CQ to access your content, check everything is operating as expected.
CAUTION
You must test the operation of the upgraded instance; highly customized
After doing so you will be able to see in the finder the file
mod_dispatcher.so in the /usr/libexec/apache2/ folder
and copy the dispatcher.any file from the unpacked dispatcher archive to
this location.
Configuring httpd.conf
Tell Apache about the Dispatcher. In the folder /private/etc/apache2 you will
find the httpd.conf file (we are using the default apache server that comes with
MacOS X). You can also use the httpd.conf file attached that comes with the
Follow the instructions in Exercise - Add the Dispatcher to the Apache WebServer with the following exceptions:
The http server process has to have read/write access to that folder in order to write the cache files. You can of course choose another folder but then you have to be sure that the httpd server daemon has read and write access to it (chown,
chgrp).
1. You must create this folder using a terminal window. Enter the following
commands:
cd /Library/WebServer/
then this
mkdir cache
Restart Apache
1. Launch your system preferences
If you see Web Sharing already running, stop it and relaunch it so that your
Apache server can get the new configuration loaded
server so that we can test our CQ5 configuration. For that we will use the Apache Directory Studio.
We could probably use the LDAP Enabler application but then we would have to
enter everything by hand. The Apache Directory Studio lets us import ldif files.
NOTE
Actually, you can use any other application that allows you to import ldif files.
CAUTION
Don't close the LDAP Enabler application though, because then you'll be shutting down the
LDAP server.
correctly. If the test is successful, a message should appear saying that "the authentication was successful".
9. If the test was successful, click on Finish; all the other parameters used are defaults.
10. Our connection is verified and we can check the LDAP browser. The LDAP browser will be partially hidden by the LDAP connection window, so minimize the LDAP window or just click on the window that is underneath.
See figure below: