Monday, 25 April 2016

Installing OnCommand Workflow Automation 3.1 (on Windows 2012 R2)

A sort-of-update of this post (same but different); I needed WFA running on 2012 R2 to take advantage of some PowerShell DNS cmdlets available only in Server 2012+. The following is a quick from scratch install guide here using VMware Workstation as the host hypervisor.

Hardware and Basic Components

OS: Windows Server 2012 R2 Standard
Hardware: 4 GB RAM (3 GB is the minimum) and 2 vCPU
Browser 1: Google Chrome (Flash Player is pre-installed)
Browser 2: Internet Explorer 11 + download latest Adobe Flash Player
Local Admin User: LAB\WFA


.NET 4.0 and PowerShell 3.0 don’t need adding to 2012 R2, since it comes with .NET 4.5 and PowerShell 4.0. The following commands in PowerShell can be used to verify this>

dir ‘HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full’

Bizarrely though, you still need to enable the .NET Framework 3.5 Feature (via Administrator: Windows PowerShell and requires the installation media)>

Install-WindowsFeature Net-Framework-Core -Source D:\Sources\sxs

Part 1: Setting up the Windows Server

1.1) Deploy the server using bootable Windows Server 2012 R2 installation media - since this is very straightforward to do, I will not detail it here. In the following walkthrough we use an evaluation edition.
1.2) Install VMware tools
1.3) From Administrator: PowerShell, the following commands will rename the server, rearm the eval, and restart the computer>

rename-computer MSWFA1
slmgr.vbs /rearm

1.4) From Administrator: PowerShell, verify eval has time left, set IP addressing, set DNS server, and join computer to the domain, and restart>

slmgr.vbs /dlv
New-NetIPAddress -IPAddress -InterfaceAlias "Ethernet" -DefaultGateway -AddressFamily IPv4 -PrefixLength 22
$IntIndex = (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet*").InterfaceIndex
Set-DNSClientServerAddress -InterfaceIndex $IntIndex -ServerAddress ("")
Add-Computer -DomainName lab.priv

Note: In this lab there’s only one DNS server, for more just add them separated by commas in the brackets after -ServerAddress.

1.5) Login as with domain administrator account and run the below to add the LAB\WFA user to the local administrators (we add the group LAB\StorageAdmins of which LAB\WFA is a member)>

$Computer = hostname
$group = [ADSI]"WinNT://$Computer/Administrators,group"

1.6) Disable Certificate Revocation for the SYSTEM User using PowerShell (if you run the NetApp WFA Server service using domain credentials like LAB\WFA, you should disable certificate revocation for that user)>

REG ADD "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" /v State /t REG_DWORD /d 0x00023e00 /f

IMPORTANT: If you run the NetApp WFA Server service using domain credentials like LAB\WFA, you should disable certificate revocation for that user. This can easily be done when logged into the server as that user with>

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" /v State /t REG_DWORD /d 0x00023e00 /f

Note: Generally, the most common slow running workflow issues in WFA with PowerShell commands are due to CRL Checking. An interesting link which I came across but not needed to add to my build is

1.7) Disable the Windows Firewall on the WFA server using PowerShell>

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

Installing OnCommand Workflow Automation 3.1

Note: Refer to the “OnCommand Workflow Automation 3.1: Installation and Setup Guide for Windows” for full instructions.

Logged in as LAB\WFA (note that the instructions do say log in to Windows using the default local administrator account, but many organizations will disable this), you can either install WFA 3.1 interactively by right-clicking the WFA install executable and selecting “Run as administrator” and answering the prompts -

Image: Starting WFA 3.1 Interactive Installation

- or silent install via the DOS Administrator: Command Prompt (which is the method used here) as in the example below (navigate to the folder containing the EXE):


Note 1: Replace YourPassword as required.
Note 2: The default ports 80 and 443 are specified here.
Note 3: WFA_ENABLE_HTTP is set to 0 in the above (the default) which allows only HTTPS for external communication.
Note 4: You’ll know the install is complete when the NetApp WFA Server service starts (see NA_WFA_SRV.exe in Windows Task Manager), and the install log should say:

MSI (s) (CC:C4) [14:17:46:786]: Product: OnCommand Workflow Automation -- Installation operation completed successfully.

Image: NA_WFA_SRV.exe and mysqld.exe running in task manager

What Comes Next?

Log into WFA via http(s)://WFA_Server_DNS_Name_or_IP and follow the WFA Setup Wizard (or not - can re-run Setup Wizard from the Administration menu later). And complete the WFA configuration to your hearts content.

Further Configuration Ideas (also see the original post)

1) Disable IE ESC on the server (so we can test the WFA site from the WFA server) via the Administrator: Windows PowerShell>

$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer

2) Replace the Self-Signed SSL Certificate - see How to Replace the Self-Signed SSL Cert for WFA 3.1.
3) Disabling HTTP Access to OnCommand Workflow Automation

By default, OnCommand Workflow Automation (WFA) can be accessed by using both HTTP and HTTPS. You can enable HTTPS-only access if you want to secure access to WFA. Before you begin you must have logged in to the WFA host system as an administrator. Enabling HTTPS-only access does not automatically redirect HTTP to HTTPS.

Run the below in PowerShell>

cd (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\NA_WFA_SRV\Parameters\Java' | select -ExpandProperty Options | where {$_ -match '-Djboss.home.dir'}).split('=')[1]
cd ../bin
Import-Module ../PoSH/Modules/WFAWrapper/WfaConfig.psm1

Set-WfaConfig -Name HTTPAccess -Enable $false

And test from a remote client that access over http to {WFASERVER/IP} is not possible but https is.


  1. Hello Vidad,

    NetApp 7Mode, how to add AD group permission to a folder using .net API or NetApp CLI

    I need to add a AD group (read/write) access to the folder created inside the cifs shares.

    I knew fsecurity will show the details like which are all AD groups have access to particular folder, but I want to write the details into netapp

    please do the needful.

    Model: FAS8020
    NetApp Release 8.2.3P4 7-Mode

    With Thanks & Regards

    1. Hello Amjath, I did a post a while back on "Using Data ONTAP APIs (PowerShell) to Set ACLs" (see: Check the WFA communities though, I know there's WFA workflows to set DACLs out there. Cheers VC