EMC Documentum ContentManagement Documentum® ContentManagement InteroperabilityServices Version7.3 ReferenceGuide EMC Corporation Corporate Headquarters:

EMC ®®® Documentum ®®®

Content ManagementInteroperability Services

Version 7.3

Reference Guide

EMC CorporationCorporate Headquarters:

Hopkinton, MA 01748–91031–508–435–1000www.EMC.com

Legal NoticeCopyright © 2011-2016 EMC Corporation. All rights reserved.EMC believes the information in this publication is accurate as of its publication date.The information is subject to change withoutnotice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NOREPRESENTATIONS ORWARRANTIES OF ANY KINDWITH RESPECT TO THE INFORMATION IN THIS PUBLICATION,AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULARPURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. Adobe and Adobe PDFLibrary are trademarks or registered trademarks of Adobe Systems Inc. in the U.S. and other countries. All other trademarks usedherein are the property of their respective owners.

Documentation FeedbackYour opinion matters. We want to hear from you regarding our product documentation. If you have feedback about how we canmake our documentation better or easier to use, please send us your feedback directly at [email protected].

Table of Contents

Chapter 1 Overview ........................................................................................................ 7About CMIS ..................................................................................................... 7

Chapter 2 Capabilities .................................................................................................... 9Repository Capabilities ..................................................................................... 9

Chapter 3 Bindings.........................................................................................................13Restful AtomPub Binding ..................................................................................13Web Services Binding.......................................................................................15Browser Binding ...............................................................................................15Authentication in the EMC CMIS Implementation................................................17WS-Security UsernameToken Profile 1.1 Authentication in the Web ServicesBinding.........................................................................................................18HTTP Basic Authentication ............................................................................19HTTP Basic Authentication with Tokens in Browser Binding for BrowserClients..........................................................................................................20CMIS Kerberos Overview ..............................................................................20WS-Security Kerberos Token Profile 1.1 in the Web Services Binding ...........21SPNEGO-based Kerberos Authentication....................................................21SPNEGO-based Kerberos Authentication with Tokens for BrowserClients ......................................................................................................22

Chapter 4 CMIS-to-Documentum Mapping......................................................................25Repository Mapping..........................................................................................25Folder Mapping ................................................................................................26Type Mapping ..................................................................................................27Property Type Mapping.....................................................................................28Property Mapping.............................................................................................28Query Mapping ................................................................................................31Format Mapping ...............................................................................................32Allowable Actions Mapping ...............................................................................33ACL Mapping ...................................................................................................34

EMC Documentum Content Management Interoperability Services Version 7.3 Reference Guide 3

Preface

This document is a reference to the EMC Documentum implementation of CMIS (ContentManagement Interoperability Services); specifically its capabilities, its bindings, authentication,and the way in which elements of the CMIS data model map to constructs in the Documentumrepository. This document is not intended to serve as a reference to CMIS itself, nor is it intended toserve as a guide to CMIS development.

Revision historyThe following changes have been made to this document.

Revision date Description

November 2016 Initial publication.

Intended audienceThis reference is for application developers, architects, and other technical professionals who requirespecific information about how the CMIS standard is implemented for the EMC Documentumplatform.

EMC Documentum Content Management Interoperability Services Version 7.3 Reference Guide 5

Chapter 1

Overview

This chapter contains the following topics:

• About CMIS

About CMISEMC Documentum CMIS is an implementation of CMIS that works with Documentum repositories.Content Management Interoperability Services (CMIS) is an OASIS specification that defines adomain model and bindings that enable interoperability among enterprise content management (ECM)systems and applications.

The need for CMIS arose from a recognition that many enterprises have production Enterprise ContentManagement (ECM) systems from multiple vendors, and that the complexity of making these systemswork together is a burden on IT departments and an impediment to developing enterprise-wideapplications. The principal goal of CMIS is to reduce this burden by providing a standard domainmodel for ECM systems, and expose this model through industry-standard web service (SOAP),RESTful AtomPub bindings, and Browser bindings. CMIS enables enterprises to develop applicationsthat are work together with various ECM systems and access the content in those system in a uniformmanner. CMIS also provides a way for independent software vendors to develop applications thatcan be marketed for use with any CMIS-enabled ECM system.

The CMIS domain model is generic to ECM systems provided by different vendors. Therefore, it isnot a goal of CMIS to provide access to all the features of any one ECM system. The CMIS API is notappropriate for all types of ECM applications.

For detailed information on CMIS, refer to the CMIS 1.1 specification and the CMIS 1.1 Errata01 specification.

EMC Documentum Content Management Interoperability Services Version 7.3Reference Guide 7

http://www.oasis-open.org/home/index.php

https://www.oasis-open.org/standards#cmisv1.1

http://docs.oasis-open.org/cmis/CMIS/v1.1/errata01/csprd01/CMIS-v1.1-errata01-csprd01-complete.html


Chapter 2

Capabilities


• Repository Capabilities

Repository CapabilitiesThis section specifies what optional CMIS capabilities are supported for a Documentum repository.These are exposed to consumers by the getRepositoryInfo service or resource. The capabilities maydepend on the enabled features of a particular Documentum repository (such as full-text search).

CMIS capability Description Value for Documentumrepository

capabilityGetDescendants Ability for an application toenumerate the descendants of afolder via the getDescendantsservice.

true

capabilityGetFolderTree Ability for an application toretrieve the folder tree via thegetFolderTree service.

true

capabilityContentStreamUpdatabil-ity

Indicates the support a repositoryhas for updating a document’scontent stream.

enumCapabilityCon-tentStreamUpdates.anytime

A content stream cannot beupdated if the document ischecked out.

If document content is appendedby using append content streamcall, then get content streamoperation returns only thecontent corresponding to thefirst append or set contentoperation performed. To retrieveconsolidated content of all theappend operations of a documentthen streamId has to be passedfor the get content operationwith value ALL. For example,to retrieve the full content of theobject with id 0901e5a280022c60and format crtext:


Capabilities


• In AtomPub binding:<EMC_CMIS_APP>/browser/repo71/root?objectId=0901e5a280022c60&cmisselector=content&streamId=ALL;format=crtext

• In Browser binding:<EMC_CMIS_APP>/browser/repo71/root?objectId=0901e5a280022c60&cmisselector=content&streamId=ALL;format=crtext

capabilityChanges Indicates what level of changes(if any) the repository exposes viathe change log service.

enumCapabilityChanges.none

Documentum does not supportthe change log service.

capabilityRenditions Indicates whether or not therepository exposes renditions ofdocument objects.

enumCapabilityRendition.read

Note that folder renditions are notimplemented.

capabilityMultifiling Ability for an application to file adocument or other file-able objectin more than one folder.

true

capabilityUnfiling Ability for an application to leavea document or other file-ableobject not filed in any folder.

false

Documentum does not supportthis feature.

capabilityVersionSpecificFiling Ability for an application to fileindividual versions (that is, notall versions) of a document in afolder.

false

When moving a document,Documentum will move theCURRENT version.When getting descendants,Documentum will get the latestversion.

capabilityPWCUpdatable Ability for an application to updatethe Private Working Copy (PWC)of a checked-out document.

false

This capability cannotbe implemented becauseDocumentum does not havea PWC feature.

10 EMCDocumentum Content Management Interoperability Services Version 7.3 Reference Guide

Capabilities


capabilityPWCSearchable Ability of the repository to includethe Private Working Copy (PWC)of checked-out documents inquery search scope; otherwisePWCs are not searchable.

false

This capability cannotbe implemented becauseDocumentum does not havea PWC feature.

capabilityAllVersionsSearchable Ability of the repository to includethe non-latest versions of adocument in query search scope;otherwise, only the latest versionof each document is searchable.

true

capabilityQuery Indicates the types of queries thatthe repository has the ability tofulfill.

With Fulltext: enumCapability-Query.bothcombined

Without Fulltext: enumCapabili-tyQuery.metadataonly

capabilityJoin Indicates the types of JOINkeywords that the repository canfulfill in queries.

enumCapabilityJoin.inneronly

capabilityACL Indicates the level of support forACLs by the repository.

enumCapabilityACL.manage

principalAnonymous A preconfigured anonymous user. If set, this field holds the principalwho is used for anonymousrepository access. This principalcan then be passed to the ACLservices to access the servicesas an anonymous user. See theEMC Documentum Platform andPlatform Extensions InstallationGuide.

principalAnyone A preconfigured user thathas defined default privilegescommon to all users.

The dm_world alias. This aliasrepresents all of the users in arepository. Unless more specificpermissions exist for users, theyuse this alias’s default permissionsto access an object.


Chapter 3

Bindings


• Restful AtomPub Binding• Web Services Binding• Browser Binding• Authentication in the EMC CMIS Implementation

Restful AtomPub Binding

AuthenticationThe Restful AtomPub binding as implemented by EMC Documentum CMIS supports the followingauthentications:

• HTTP Basic Authentication, page 19• SPNEGO-based Kerberos Authentication, page 21

HTTPEMC Documentum CMIS implements optimistic locking using the ETag HTTP header, the value ofwhich maps to the Documentum i_vstamp property.

Cache control is implemented using the HTTP ETag header for the Object services.

For non-content stream resources, HTTP PATCH is supported instead of HTTP PUT.

Content RangesThe Restful AtomPub binding implements content ranges as specified in section 14.16 (Content-Range)of RFC 2616.

URI TemplatesEMC Documentum CMIS supports all of the URI templates defined by the CMIS 1.0 specification.


http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

Bindings

Atom Feed LinksEMC Documentum CMIS serves the first, last, next and previous links of an atom feed whenappropriate.

Updated Time of FeedsThe updated time on a feed will be computed based on the current time to prevent excessiveperformance cost in attempting to calculate the latest update time in all pages of a feed.

Feed TitlesFeeds will use the following titles (where <TypeName> is the display name of a type definition):

• Type Children Collection• Type Descendants Feed• <TypeName> Type Descendants Feed• <TypeName> Type Children Collection• Query Collection• Checked Out Collection• Folder Children Collection• Object Parents Collection• Relationships Collection• Folder Descendants• Folder Tree• All Versions Feed

Overlapping Elements and PropertiesCertain AtomPub elements duplicate object properties (for example, atom:title and cmis:objectName).When this is the case in a request, the following rules apply:

Atom element Object property Resolution

not specified specified Use property

specified not specified Use element

specified specified Use element

EnclosuresAtomPub enclosures are populated for a contentful document entry.


Bindings

Invalid Boolean Resource ParametersWhen an invalid value is specified in a Boolean parameter (such as includeAllowableActions orincludeACL), the value is treated as false.

Web Services Binding

AuthenticationThe EMC Documentum CMIS Web Services binding supports the following authentications:

• WS-Security UsernameToken Profile 1.1, page 18• WS-Security Kerberos Token Profile 1.1, page 21

Optimistic LockingEMC Documentum CMIS uses the changeToken input and output to implement optimistic lockingusing the Documentum i_vstamp property.

Content RangesEMC Documentum CMIS supports content ranges as described in section 4.3.2 (Content Ranges)of the CMIS specification.

Browser BindingCMIS Browser Binding is based upon JSON (Java Script Object Notation in RFC4627) and patternsused in Web applications. This binding is specifically designed to support applications running in aweb browser but is not restricted to them.

AuthenticationThe Browser binding as implemented by EMC Documentum CMIS supports the followingauthentications:

• Non-browser Clients:HTTP Basic Authentication, page 19SPNEGO-based Kerberos Authentication, page 21

• Browser Clients:HTTP Basic Authentication with Tokens for Browser Clients, page 20SPNEGO-based Kerberos Authentication with Tokens for Browser Clients, page 22


http://docs.oasis-open.org/cmis/CMIS/v1.0/os/cmis-spec-v1.0.html#_Toc243905615

Bindings

Protocol

HTTP is used as the protocol for service requests. HTTP GET is used for reading content and HTTPPOST is used for creating, updating and deleting content. Using just these two HTTP verbs makesit possible to develop applications that rely on built-in browser capabilities such as HTML Formsand typical server configurations. The use of HTTPS is recommended for repositories that containnon-public data.

Data Representation

Browser applications are typically written in JavaScript. A lightweight data representation format isJavaScript Object Notation (JSON). JSON is used to represent the various CMIS objects described bythe data model.

URL Patterns

The URLs used by the Browser Binding must be predictable to simplify client development. The URLpatterns allow objects to be referenced by either object ID or path.

Multipart Forms

Browser applications typically use HTTP multipart forms as described in RFC2388 to create andupdate content. This is useful to update file content with the addition of the FILE attribute. In thisbinding, HTTP POST of multipart/form-data is used to update content streams.

Callback

Modern browsers restrict a JavaScript function from making HTTP calls to servers other than theone on which the function originated. This set of restrictions is called the "same-origin policy". ACMIS client web application and the CMIS repositories it uses may often be deployed to differentservers. This specification allows JavaScript clients to access repositories on other servers, withinthe constraints of the same-origin policy, by using the "JSON with Padding" (JSONP) pattern. Thisbinding introduces a parameter called callback to allow CMIS clients to use this pattern.

A CMIS client web application and the CMIS repositories it uses may often be deployed to differentservers. This specification allows JavaScript clients to access repositories on other servers, within theconstraints of the same-origin policy, by using the "JSON with Padding" (JSONP) pattern. This bindingintroduces a parameter called callback to allow CMIS clients to use this pattern. The callback may beincluded by clients on read operations defined by this protocol that answer a JSON object. The servermust respond to valid read requests containing this token by answering the token, followed by an openparenthesis, followed by the JSON object returned, followed by a close parenthesis. If the parameter isincluded in a request, the server must validate that its value is not empty but the server must not do anyadditional validation of the token, such as, for example, assuring it conforms to JavaScript functionnaming conventions. If the parameter value is empty, or if the parameter is used on a service for whichit is not allowed, then the invalidArgument exception must be used to signal the error.


Bindings

JSONP and Form Requests

Cross-domain requests should use JSONP and callbacks for GET requests and should use HTMLforms for POST requests. A token should be added to each request to prevent cross-site requestforgery (CSRF) attacks. For this purpose, a parameter token must be added to the parameters of aGET request and a control token must be added to the controls of a HTML form. The repositoryshould return a permissionDenied error if the client sends an invalid token. If the client sends anyother form of authentication, such as, Basic Authentication, OAuth, and so on, then the token may beomitted. It is recommended for web applications to always provide a token, even when another formof authentication is in place.

Authentication in the EMC CMIS ImplementationAll CMIS services as implemented in a Documentum repository require authentication. Authenticationis also required to list available repositories that are advertised on a connection broker (historicallycalled docbroker). If the user cannot authenticate across all the repositories, only the authenticatedrepositories are returned in the repository list. Credentials may be in the form of a token. Inaddition, both bindings support Kerberos single sign-on (SSO). However, you cannot use Kerberosauthentication together with the default authentication.

The following are the support authentication for the various bindings:

Binding Authentication

SOAP Binding • WS-Security UsernameToken profile 1.1, page18. This is the default authentication.

• WS-Security Kerberos token profile 1.1 in theWeb Services binding, page 21

AtomPub binding • HTTP basic authentication, page 19. This isthe default authentication.

• SPNEGO-based Kerberos authentication,page 21

Browser Binding • HTTP basic authentication for non-browserclients, page 19. This is the defaultauthentication.

• SPNEGO-based Kerberos authentication fornon-browser clients, page 21

• HTTP basic authentication with tokens forbrowser clients, page 20

• SPNEGO-based Kerberos authentication withtokens for browser clients, page 22


Bindings

WS-Security UsernameToken Profile 1.1Authentication in the Web Services BindingThe WS-Securtiy UsernameToken Profile 1.1 authentication protocol is supported for the webservice binding. For a detailed description of the WS-Security UsernameToken profile, seehttp://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf.

Client SOAP messages should be secured using a WS-Security UsernameToken Profile header. If theauthentication fails, the CMIS implementation will respond with a WS-Security SOAP fault. Thefollowing examples show a WS authenticated request and response.Note: By default, <wsu:Timestamp> is returned in response. You can disable <wsu:Timestamp>from being returned by configuring cmis-security.xml in cmis-ws-binding.jar. For more information,see the comments in cmis-security.xml.

WS Authenticated RequestContent-type: text/xml;charset="utf-8"Soapaction: ""Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *;

q=.2, */*; q=.2<?xml version=’1.0’ encoding=’UTF-8’?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/

oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/

oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema"><S:Header><wsse:Security S:mustUnderstand="1"><wsse:UsernameTokenxmlns:ns15="http://schemas.xmlsoap.org/ws/2006/02/

addressingidentity"xmlns:ns14="http://docs.oasis-open.org/ws-sx/

ws-secureconversation/200512"xmlns:ns13="http://www.w3.org/2003/05/soap-envelope"

wsu:Id="XWSSGID-129644497810287092214"><wsse:Username>my-user</wsse:Username><wsse:PasswordType="http://docs.oasis-open.org/wss/2004/01/

oasis-200401-wss-username-token-profile-1.0#PasswordText">my-password</wsse:Password>

</wsse:UsernameToken></wsse:Security></S:Header><S:Body><getRepositoryInfoxmlns="http://docs.oasis-open.org/ns/cmis/messaging/200908/"xmlns:ns2="http://docs.oasis-open.org/ns/cmis/core/200908/"><repositoryId>my-repository</repositoryId></getRepositoryInfo></S:Body></S:Envelope>

WS Authenticated ResponseTransfer-encoding: chunkednull: HTTP/1.1 200 OK


http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf

Bindings

Content-type: text/xml;charset=utf-8Server: Apache-Coyote/1.1Date: Mon, 31 Jan 2011 03:36:17 GMT<?xml version=’1.0’ encoding=’UTF-8’?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/

oasis-200401-wss-wssecurity-secext-1.0.xsd"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/

oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema"><S:Header><wsse:Security S:mustUnderstand="1"><wsu:Timestampxmlns:ns15="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"xmlns:ns14="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"xmlns:ns13="http://www.w3.org/2003/05/soap-envelope"

wsu:Id="XWSSGID-1296444877084-1727713687"><wsu:Created>2011-01-31T03:36:18Z</wsu:Created><wsu:Expires>2011-01-31T03:41:18Z</wsu:Expires></wsu:Timestamp></wsse:Security></S:Header><S:Body><getRepositoryInfoResponsexmlns="http://docs.oasis-open.org/ns/cmis/messaging/200908/"xmlns:ns2="http://docs.oasis-open.org/ns/cmis/core/200908/"><repositoryInfo><ns2:repositoryId>my-repository</ns2:repositoryId><ns2:repositoryName>my-repository</ns2:repositoryName><ns2:repositoryDescription>my-repository</ns2:repositoryDescription><ns2:vendorName>EMC</ns2:vendorName><ns2:productName>Documentum</ns2:productName><ns2:productVersion>6.6.0.030</ns2:productVersion><ns2:rootFolderId>root</ns2:rootFolderId>.....<ns2:cmisVersionSupported>1.0</ns2:cmisVersionSupported></repositoryInfo></getRepositoryInfoResponse></S:Body></S:Envelope>

HTTP Basic AuthenticationHTTP basic authentication is supported for the Restful AtomPub binding and Browser bindingfor non-browser clients in Documentum CMIS. For a detailed description of the HTTP basicauthentication protocol, refer to http://www.ietf.org/rfc/rfc2617.txt.

As credentials passed in clear text in HTTP can be captured and misused, HTTP basic authenticationshould be used with HTTPS to provide encrypted communication. EMC Documentum CMIS supportsthis option.


http://www.ietf.org/rfc/rfc2617.txt

Bindings

HTTP Basic Authentication with Tokens in BrowserBinding for Browser ClientsThe authentication mechanism described in this section addresses the following scenario: A webapplication is hosted on one domain; the CMIS browser binding interface is served from anotherdomain. There is no proxy process on the server that hosts the web application. That is, allcommunication between the application and the repository has to happen in the web browser viaJavaScript. The "sameoriginpolicy" enforced by the web browser prohibits a direct and securetwo-way communication between the application and the repository. To access the repository, a userhas to authenticate and has to authorize the application (and only this application, not all scripts in theweb browser) to make CMIS calls.

JSONP and Form Requests

Cross-domain requests should use JSONP and callbacks for GET requests and should use HTMLforms for POST requests. Browser Binding, page 15 provides more details.

CMIS Kerberos OverviewKerberos SSO is a network authentication protocol designed to provide strong authentication forclient/server applications by using secret-key cryptography.

EMC Documentum supports Kerberos secure Single-Sign-On (SSO) using Microsoft Active ServerDomain Services for Kerberos Key Distribution Center (KDC) services in the following ways:

• In a single domain.• In two-way trusts between multiple domains in the same forest only; that is, cross-forest trustsare not supported.

Note: The CMIS client and server must be in the same domain, whereas Content Server can bein a different domain.

The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (andvice versa) across an insecure network connection. After a client and the server have used Kerberos toprove their identities, they can also encrypt all of their communications to ensure privacy and dataintegrity. Documentum supports the Kerberos SSO authentication feature using Microsoft ActiveServer Domain Services for Kerberos Key Distribution Center (KDC) services.

To support Kerberos authentication, Documentum CMIS provides the server-side JAX-WS handler forSOAP binding and the Servlet filter for AtomPub binding.

Documentum CMIS’s Kerberos SSO differs from Documentum ’s certified Kerberos SSO in thefollowing ways:

• The Kerberos token is used for authentication, but not for message encryption.• Only BASE64 decoding is supported. The full name of EncodingType is:http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#BASE64Binary.

For more information about Documentum support for Kerberos SSO, see the EMC DocumentumContent Server Administration and Configuration Guide.

To enable Kerberos SSO on Documentum CMIS, see the EMC Documentum Platform and PlatformExtensions Installation Guide.


http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#BASE64Binary

Bindings

For general information on Kerberos, refer to the following websites:

• http://web.mit.edu/Kerberos/

• http://technet.microsoft.com/en-us/library/bb742516.aspx

WS-Security Kerberos Token Profile 1.1 in the Web ServicesBinding

WS-Security Kerberos Token Profile 1.1 is supported for the web services binding in DocumentumCMIS.

Your Documentum CMIS client must send a SOAP message with a Kerberos token to the DocumentumCMIS server. The token must also be “forwardable” because this Kerberos integration is implementedon a delegated authentication model. In the following example, the Kerberos token is encoded inBASE64 and placed inside of the <wsse:BinarySecurityToken> element of the WS-SecuritySOAP Header:

Each Documentum CMIS request must re-initialize a new service ticket because of the Kerberos V5anti-replay mechanism. That is, the token cannot be reused.<S11:Envelope xmlns:S11="..." xmlns:wsu="...">

<S11:Header><wsse:Security xmlns:wsse="..."><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/

2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ"wsu:Id="MyToken">

boIBxDCCAcCgAwIBBaEDAgEOogcD...</wsse:BinarySecurityToken>...

</wsse:Security></S11:Header><S11:Body>

...</S11:Body>

</S11:Envelope>

SPNEGO-based Kerberos Authentication

The Documentum CMIS server supports HTTP Negotiate Authentication and consumes the SPNEGOtoken as the Kerberos token. Each Documentum CMIS request must re-initialize a new SPNEGOtoken because of the Kerberos V5 anti-replay mechanism. That is, the token cannot be reused. Thetoken must also be “forwardable” because this Kerberos integration is implemented on a delegatedauthentication model.

The Documentum CMIS client must obtain the SPNEGO token for the CMIS service with GSS-APImechanism and generate a request message that includes the following Authorization header:C: GET dir/resourceC: Authorization: Negotiate YIIJJAYGKwYBBQUCoIIJGDCCCRSgDTA

Note: The SPNEGO token must be encoded in BASE64.


http://web.mit.edu/Kerberos/

http://technet.microsoft.com/en-us/library/bb742516.aspx

Bindings

If the Negotiate Authorization header is not provided or the SPNEGO token is incorrect, theDocumentum CMIS server returns a response with following headers:S: HTTP/1.1 401 UnauthorizedS: WWW-Authenticate: Negotiate

SPNEGO-based Kerberos Authentication with Tokens forBrowser Clients

Token based authentication

JSONP and Form RequestsCross-domain requests should use JSONP and callbacks for GET requests and should use HTMLforms for POST requests. Browser Binding, page 15 provides more details.

Login and TokensTokens are obtained from the repository by using a JavaScript script. The repository provides aJavaScript script that the web application includes into its HTML page using the HTML <script> tag.This script provides four functions:

• cmisServiceURL(): This function returns the Service URL.• cmisLogin(callback): This function triggers the login process. The web application must call thisfunction before it calls any other functions. The login process is repository specific. A repositorymay replace the application page in the web browser with a login page and later return back to theapplication page. The function takes a callback function. It is called when the login process iscompleted. The callback function must accept a boolean parameter. The repository must provideTRUE if the login process was successful and FALSE if it was not successful.

• cmisLogout(callback): This function triggers the logout process. The logout process is repositoryspecific. After a successful logout, cmisNextToken() must not return a valid token. The applicationmay call cmisLogin() again to trigger a new login. The function takes a callback function. Itis called when the logout process is completed. The callback function must accept a booleanparameter. The repository must provide TRUE if the logout process was successful and FALSE ifit was not successful.

• cmisNextToken(callback): This function calls the provided callback function with a new token. Theprocess of generating and obtaining the token is repository specific. Whether the repository returnsunique tokens or the same token for a user or for all users is repository specific. The repository shouldsignal an invalid state, such as, no logged in user with an empty token or string. The flow in a webapplication could looks like this: <script src="http://cmis.example.com/cmis.js"/><script>cmisLogin(function(success) {if (success) {displayRootFolder();} else {showLoginErrorMessage();}


Bindings

});function displayRootFolder() {cmisNextToken(function(token) {loadChildren(’/’, ..., token);});...</script>

Authentication with Tokens for Browser Clients in the CMIS specification document for moreinformation.



Chapter 4

CMIS-to-Documentum Mapping


• Repository Mapping• Folder Mapping• Type Mapping• Property Type Mapping• Property Mapping• Query Mapping• Format Mapping• Allowable Actions Mapping• ACL Mapping

Repository MappingRepository Elements Mapping

CMIS Documentum Description

repositoryId Unique repository name as

obtained from connection broker

repositoryName Identical to repositoryId

repositoryDescription Description of repository in

connection broker

vendorName "EMC"

productName "Documentum"

productVersion dm_server_config.r_server_ver-

sion

rootFolderId "root" A fictitious root folder for the

repository.

latestChangeLogToken Not set Change log not supported



CMIS Documentum Description

cmisVersionSupported 1.0

thinClientURI Not set An optional repository-specific

URI pointing to the repository’s

web interface.

capabilities The collection of CMIS capabilities

supported by the repository. See

Repository Capabilities, page 9 .

aclCapability The collection of ACL-related

capabilities supported by the

repository. See ACL Mapping,

page 34.

changesIncomplete Not set Change log not supported

changesOnType Not set Change log not supported

Folder Mapping

Root Folder

CMIS has a single root folder per repository and Documentum has multiple root folders (cabinets) perrepository. To address this difference, the implementation exposes a fictitious root folder that containsall root cabinets. The cmis:objectId of this root folder is root.

Because the root folder is a fictitious object, it is not queryable, and no ACL can be applied to it.Beneath the root folder, only objects of type dm_cabinet can be created.

To create a dm_cabinet (or subtype) object as a child of the root folder, simply create a cmis:folderobject under the root folder, Documentum CMIS automatically translates the cmis:folder object toa dm_cabinet object. Specifying a cmis:folder subtype object other than dm_cabinet under the rootfolder does not create a dm_cabinet (or subtype) and causes an error.Note: A consumer can determine the object types that can exist under the root folder by examiningits cmis:allowedChildObjectTypeIds property.

Folder Multi-filing

CMIS specifies that folders only have one parent. Documentum allows folders to be multi-filed inmultiple folders, creating multiple possible paths to a folder. In cases where the parent or path to afolder is in a response, the implementation returns only the “primary” parent folder or path (that is, thefirst of all the possible paths as determined by Content Server). When accessing an object by path theimplementation locates the object using any folder path.



In determining the parent of an object the parent may be reassigned if the folder’s primary parent isnot accessible (that is, if permission = none).

If a folder has multiple parents and the client navigates from root to leaf, the parent link in the childentry will be directed to the parent that traverses to the child entry. Thus, if a folder has multipleparents, its parent link (cmis:parentId) may be different in different branches. This behavior applies tothe navigation service’s getChildren, getDescendants, and getFolderTree operations with AtomPubbinding only.

Similarly, if a folder has multiple parents and the client navigates from root to leaf, the path for thefolder (the cmis:path property) will be the traversal path from its dynamic parent. Thus, if a folder hasmultiple parents, its path may be different in different branches.

Path SegmentsCMIS allows documents to be addressed by path. In some ECM systems the path to a document isunique, but in Documentum a document cannot be uniquely identified by what would normally beconsidered a path, because identically named objects can reside in the same folder.

The Documentum CMIS implementation therefore exposes unique document path segments whenrequested using a combination of the object_name and r_object_id. This is done for every document,not just those that cannot be addressed by path. The path segments take this form:

with name: 0900000b80001234_docnamewithout name: 0900000b80001234_

getFolderTree Default DepthThe default depth of the getFolderTree resource or service is 2.

Type MappingBase TypesCMIS includes a standardization of base types. The CMIS base types are mapped to the localDocumentum types as shown below:

CMIS Type Documentum (local) type Notes

cmis:document dm_document (and subtypes)

cmis:folder dm_folder (and subtypes)

cmis:relationship dm_relation (and subtypes) An instance of dm_relation, or of a

subtype of dm_relation, where its

definition (that is, its relation name)

is an instance of dm_relation_type.

cmis:policy Not supported.



Only these Documentum types and their corresponding subtypes are supported.

When a base type is used in a service input, the CMIS type must be specified. The equivalent localtypes (dm_document, dm_folder, dm_relation) must not be used as service inputs.

Object types are cached. You can configure object type caching characteristics. EMC DocumentumPlatform and Platform Extensions Installation Guide provides more information.

Property Type MappingCMIS property type Documentum property type Notes

CmisPropertyBoolean DM_BOOLEAN

CmisPropertyDateTime DM_TIME Documentum literals, such as NOW,YESTERDAY and TOMORROW, thatare default values in datetimeproperties are set to NULL.

CmisPropertyDecimal DM_DOUBLE

CmisPropertyHtml DM_STRING

CmisPropertyId DM_ID

CmisPropertyInteger DM_INTEGER

CmisPropertyString DM_STRING

CmisPropertyUri DM_STRING

Property Mapping

General InformationAll property names and query names are case-insensitive in service requests. CMIS services respondwith lowercase local (or custom) properties, and lower camel case CMIS properties.

Document Properties

CMIS property Documentum property Description

cmis:name object_name

cmis:objectId r_object_id

cmis:baseTypeId cmis:document See Type Mapping, page 27.

cmis:objectTypeId r_object_type

cmis:createdBy r_creator_name

cmis:creationDate r_creation_date




cmis:lastModifiedBy r_modifier

cmis:lastModificationDate r_modification_date

cmis:changeToken i_vstamp See Change Tokens, page 30

cmis:isImmutable r_immutable_flag

cmis:isLatestVersion i_has_folder

cmis:isMajorVersion none Determined from r_version_label

cmis:isLatestMajorVersion none Computed

cmis:versionLabel r_version_label Numeric label

cmis:versionSeriesId i_chronicle_id

cmis:isVersionSeriesCheckedOut none Determined from r_lock_owner

cmis:versionSeriesCheckedOutBy r_lock_owner

cmis:versionSeriesCheckedOutId none Always Not set

cmis:checkinComment log_entry

cmis:contentStreamLength r_full_content_size

cmis:contentStreamMimeType a_content_type

cmis:contentStreamFileName object_name Read-only

cmis:contentStreamId i_contents_id

Behavior when Property Filter is not Set

When the property filter is Not set in a request, CMIS will return all CMIS properties (thatis, all properties in the CMIS namespace), with the exception of cmis:isLatestMajorVersion.This property is excluded for performance reasons (that is, it is a computed value that isexpensive to calculate). To get the cmis:isLatestMajorVersion property, the consumer can setfilter=cmis:isLatestMajorVersion or filter=*.

Folder Properties




cmis:baseTypeId cmis:folder See Type Mapping, page 27.




cmis:objectTypeId r_object_type

cmis:createdBy r_creator_name

cmis:creationDate r_creation_date

cmis:lastModifiedBy r_modifier

cmis:lastModificationDate r_modification_date

cmis:changeToken i_vstamp See Change Tokens, page 30.

cmis:parentId i_folder_id

cmis:path r_folder_path

cmis:allowedChildObjectTypeIds See Type Mapping, page 27.

Relationship Properties




cmis:baseTypeId cmis:relationship See Type Mapping, page 27.

cmis:objectTypeId none

cmis:createdBy none

cmis:creationDate none

cmis:lastModifiedBy none

cmis:lastModificationDate none

cmis:changeToken i_vstamp See Change Tokens, page 30.

cmis:sourceId parent_id

cmis:targetId child_id

Change TokensThe changeToken property is used for optimistic locking and/or concurrency checking to ensure thatuser updates do not conflict.

For an invocation of any update method on an object (updateProperties, setContentStream,deleteContentStream), we suggest that the client application provide the value of the changeToken



property as an input parameter. If the client application sets the changeToken property, the value mustmatch the value that the repository provides for the changeToken property of that object. Otherwise,the repository throws an updateConflictException.

Note that setting the changeToken property is not mandatory. If the client application does not set thisproperty for an update method, the repository does not reject the request.

Query MappingQueryable TypesThe types cmis:document and cmis:folder are queryable; the type cmis:relationship is not queryable.

Type Queryable

cmis:document true

cmis:folder true

cmis:relationship false

Note: All properties of an object of type cmis:relationship are non-queryable because cmis:relationshipis a non-queryable type.

Type Names in QueriesOnly type query names can be used in CMIS SQL queries. For the base types, the query name isequivalent to the CMIS name. Local base type names (such as dm_document, dm_folder, dm_relation)cannot be used in queries. (For information on Documentum types, refer to the EMC DocumentumSystem Object Reference.)

All type names and query names are case-insensitive for service inputs (as are (column names, tablenames and reserved keywords). When responding, the CMIS services responds with lowercase typenames.

Properties not Allowed in WHERE ClauseSome CMIS properties are computed, rather than mapped to a single persistent Documentum property.In some cases, the Documentum CMIS implementation may not support including these computedproperties in the WHERE clause of a query. For example, because cmis:isMajorVersion is computedfrom multiple Documentum properties, the following query is not supported:SELECT * FROM cmis:document WHERE cmis:isMajorVersion=true

These cmis:folder and cmis:document properties cannot be used in the WHERE clause:

• cmis:baseTypeId• cmis:objectTypeId• cmis:isMajorVersion• cmis:isLatestMajorVersion



• cmis:isVersionSeriesCheckedOut• cmis:versionSeriesCheckedOutId• cmis:contentStreamMimeType• cmis:contentStreamFileName• cmis:allowedChildObjectTypeIds

Search QueriesQuery of both metadata and full-text content of documents are supported and can be combined in asingle query. The following is an example of a simple search query:SELECT * FROM cmis:document WHERE CONTAINS(’documentum’)

LimitationsNote the following limitations on EMC Documentum CMIS queries:

• Duplicate column aliases are not supported in CMIS queries, because during the SQL to DQLtranslation and conversion process, ambiguity that limits alias use is introduced. For example,the following query would not be supported because two different columns use the same alias(“id_or_name”):

SELECT cmis:objectId AS id_or_name, cmis:name AS id_or_name FROM cmis:document

• Due to a limitation of the DQL interpreter in Documentum, a table alias cannot be used incombination with an asterisk when querying versions of Content Server prior to 6.5 SP3. Forexample, this query is not supported when executed against Content Server 6.5:

SELECT doc.* FROM cmis:document AS doc

Note: However, provided that specific properties are listed in the query, a table alias can be usedwith any Content Server version.

• International characters in table names or column names are not supported.

Format MappingFormat and MIME TypeCMIS content is categorized by MIME type, whereas Documentum content is mapped to a formatconfigured in repository metadata. In Documentum, the dm_format table stores the mapping betweenformats and the corresponding MIME types. Typically, when an object is accessed through CMIS,its MIME type is retrieved from the dm_format table according to the object’s format. Similarly,when an object is stored into Content Server through CMIS, its format is retrieved from the tableaccording to the MIME type.

Multiple formats can be mapped to a single MIME type. For example, the excel8book andexcelformats are mapped to the same MIME type application/vnd.ms-excel in the dm_formattable when you use the default configuration. When an object is read from Content Server through



CMIS, the process is straightforward. The format’s corresponding MIME type will be used. Whenan object is stored into Content Server through CMIS, and client provides a MIME type that can bemapped to multiple formats, the CMIS server must determine which format to use. In this case,the CMIS server uses the MIME type/format mapping table in the mapping.xml file (located atWEB-INF/classes, or under APP-INF in EAR file deployments) to determine the format. For example,if an entry maps the MIME type application/vnd.ms-excelto the excel8book format inmapping.xml, and the client provides application/vnd.ms-excel as an object’s MIME type, itsformat will be excel8book.

If the MIME type of the object is not specified in mapping.xml, the mapping in the dm_format tablewill be used to determine the format. One of the formats matching the MIME type will be selected asthe format of the object. The result may vary depending on the environment, such as the databasewhere the dm_format resides, and the collation. To get a consistent result, it is highly recommendedthat you specify the MIME type and the corresponding format in mapping.xml.

When you access an object from Content Server through CMIS, if the format of the object doesnot have a MIME type specified in the dm_format table, the cmis:contentStreamMIMETypeproperty of the CMIS object will be populated with the “value not set” state. When you store anobject into Content Server through CMIS, if the MIME type of the object does not have a formatspecified in the dm_format table, the object is treated as binary. The MIME type for binaries isapplication/octet-stream.Note:

• The format/MIME type mapping in mapping.xml takes precedence over the mapping in thedm_format table.

• MIME types are cached. You can configure MIME type caching characteristics. EMCDocumentum Platform and Platform Extensions Installation Guide provides more information.

Allowable Actions Mapping

Mapping CMIS Allowable Actions to PermissionsCMIS allowable actions enable an application to determine which service operations can be performedon a specified object. The following table shows mappings between CMIS allowable actions andpermissions. Other factors may affect the ability to apply a service operation to an object.

For more information on CMIS and Documentum permissions, see ACL Mapping, page 34.

CMIS Allowable Action Required permission(s)

canGetDescendents.Folder browse

canGetChildren.Folder browse

canGetParents.Folder browse

canGetFolderParent.Object browse

canCreateDocument.Folder cmis:write

canCreateFolder.Folder cmis:write



CMIS Allowable Action Required permission(s)

canCreateRelationship.Source relate

canCreateRelationship.Target relate

canGetProperties.Object browse

canViewContent.Object cmis:read

canUpdateProperties.Object cmis:write

canMove.Object cmis:write, change_location

canMove.Target cmis:write

canMove.Source cmis:write

canDelete.Object delete

canSetContent.Document cmis:write

canDeleteContent.Document cmis:write

canAddToFolder.Object cmis:write, change_location

canRemoveFromFolder.Folder cmis:write

canCheckout.Document version

canCancelCheckout.Document version

canCheckin.Document version

canGetAllVersions.VersionSeries cmis:read

canGetObjectRelationships.Object browse

canGetACL.Object browse

canApplyACL.Object change_permit

ACL Mapping

About ACLs

The CMIS 1.0 specification states that an implementation can support a set of CMIS basic permissionsand/or a set of repository-specific permissions. The Documentum implementation supports the CMISbasic permissions and extends the CMIS permissions with a set of repository-specific permissionsthat map directly to Documentum permissions.

In the Documentum repository, when an object is created an ACL is either explicitly assigned to it bythe user or a default ACL (which is configurable) is assigned to it by Documentum. This repositorybehavior is not changed in by the CMIS implementation.



The (fictitious) root folder of a Documentum repository has no ACL.

CMIS Basic and Documentum Permissions

A CMIS client has the option of getting the ACL of an object with just the CMIS-defined basicpermissions, or with the Documentum permission set. The default behavior of Documentumimplementation for the getAcl service, as well as for services that have an includeACL parameter, is toreturn the CMIS basic permissions.

ACL Type Mapping

The following table shows the mapping between CMIS ACL-related types and properties toDocumentum types and properties.

CMIS Type/Property Documentum Type/Property Notes

CmisAccessControlListType dm_acl

CmisACLType.exact A value of false indicates that there

are security constraints applied

to this object other than those

designated by the CMIS ACL

object.

CmisAccessControlEntryType An ACL entry. There is no

direct correspondence to the

Documentum type.

CmisAccessControlEntryType

.permission

r_accessor_permit A Documentum basic or extended

permission.

CmisAccessControlEntryType.di-

rect

A value of true indicates that the

ACE is directly assigned to the

object; that is, it is not derived.

CmisAccessControlPrincipalType r_accessor_name A user, group, role, or

Documentum-specific accessor.

Permissions Mapping

Documentum permissions are of two types: basic permissions, which are hierarchical, and extendedpermissions, which are composite. This distinction is applicable for CMIS as well. The cmis:readand cmis:write permissions map to the Documentum read and write permissions, and each of themincludes all permissions below them in the basic permission hierarchy. The cmis:all permissionincludes all basic and extended permissions.



Basic Permissions (hierarchical)

CMIS Permission Documentum Permission

none none

browse browse

cmis:read read

relate relate

version version

cmis:write write

delete delete

Extended Permissions (composite)

CMIS Permission Documentum Extended Permission

change_location change_location



CMIS Permission Documentum Extended Permission

change_owner change_owner

change_permit change_permit

change_state change_state

change_folder_links change_folder_links

delete_object delete_object

execute_proc execute_proc

ACL Representation with only CMIS Basic Permissions<cmis:acl><cmis:permission>

<cmis:principal><cmis:principalId>dm_world</cmis:principalId>

</cmis:principal><cmis:permission>cmis:read</cmis:permission><cmis:direct>true</cmis:direct>

</cmis:permission><cmis:permission>

<cmis:principal><cmis:principalId>dm_owner</cmis:principalId>

</cmis:principal><cmis:permission>cmis:write</cmis:permission><cmis:direct>true</cmis:direct>


<cmis:principal><cmis:principalId>docu</cmis:principalId>

</cmis:principal><cmis:permission>cmis:read</cmis:permission><cmis:direct>true</cmis:direct>

</cmis:permission></cmis:acl>

ACL Representation with Documentum Permissions<cmis:acl><cmis:permission>

<cmis:principal><cmis:principalId>dm_world</cmis:principalId>

</cmis:principal><cmis:permission>cmis:read</cmis:permission><cmis:permission>execute_proc</cmis:permission><cmis:permission>change_location</cmis:permission><cmis:direct>true</cmis:direct>


<cmis:principal><cmis:principalId>dm_owner</cmis:principalId>

</cmis:principal><cmis:permission>delete</cmis:permission><cmis:permission>execute_proc</cmis:permission>



<cmis:permission>change_location</cmis:permission><cmis:direct>true</cmis:direct>


<cmis:principal><cmis:principalId>docu</cmis:principalId>

</cmis:principal><cmis:permission>version</cmis:permission><cmis:direct>true</cmis:direct>

</cmis:permission></cmis:acl>


Documents

EMC Documentum ContentManagement Documentum® ContentManagement InteroperabilityServices Version7.3 ReferenceGuide EMC Corporation Corporate Headquarters: