A sort-of-update
of this post (same but different); I needed WFA running on 2012 R2 to take
advantage of some PowerShell DNS cmdlets available only in Server 2012+. The
following is a quick from-scratch install guide using VMware Workstation
as the host hypervisor.
Hardware and Basic Components
OS: Windows Server 2012 R2 Standard
Hardware: 4 GB RAM (3 GB is the minimum) and 2 vCPU
Browser 1: Google Chrome (Flash Player is pre-installed)
Browser 2: Internet Explorer 11 + download latest Adobe Flash Player
Local Admin User: LAB\WFA
Pre-Requisites
.NET 4.0 and PowerShell 3.0 don’t need
adding to 2012 R2, since it comes with .NET 4.5 and PowerShell 4.0. The
following commands in PowerShell can be used to verify this>
dir 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$Host
Bizarrely though, you still need to
enable the .NET Framework 3.5 Feature (via Administrator:
Windows PowerShell and requires the installation media)>
Install-WindowsFeature Net-Framework-Core -Source D:\Sources\sxs
Part 1: Setting up the Windows Server
1.1) Deploy the server using bootable Windows Server 2012 R2
installation media - since this is very straightforward to do, I will not
detail it here. In the following walkthrough we use an evaluation edition.
1.2) Install VMware tools
1.3) From Administrator: PowerShell, the following commands will rename
the server, rearm the eval, and restart the computer>
rename-computer MSWFA1
slmgr.vbs /rearm
restart-computer
1.4) From Administrator: PowerShell, verify eval has time left, set IP
addressing, set DNS server, and join computer to the domain, and restart>
slmgr.vbs /dlv
New-NetIPAddress -IPAddress 10.0.1.30 -InterfaceAlias "Ethernet" -DefaultGateway 10.0.0.1 -AddressFamily IPv4 -PrefixLength 22
$IntIndex = (Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Ethernet*").InterfaceIndex
Set-DNSClientServerAddress -InterfaceIndex $IntIndex -ServerAddress ("10.0.1.10")
Add-Computer -DomainName lab.priv
restart-computer
Note: In this lab there’s only one DNS server; for more, just add them separated by
commas in the brackets after -ServerAddress.
1.5) Log in with a domain administrator account and run the below to add
the LAB\WFA user to the local administrators (we add the group
LAB\StorageAdmins of which LAB\WFA is a member)>
$Computer = hostname
$group = [ADSI]"WinNT://$Computer/Administrators,group"
$group.psbase.Invoke("Add",([ADSI]"WinNT://LAB/StorageAdmins").path)
1.6) Disable Certificate Revocation for the SYSTEM User using PowerShell
(if you run the NetApp WFA Server
service using domain credentials like LAB\WFA, you should disable certificate
revocation for that user)>
REG ADD "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" /v State /t REG_DWORD /d 0x00023e00 /f
IMPORTANT:
If you run the NetApp WFA Server service
using domain credentials like LAB\WFA,
you should disable certificate revocation for that user. This can easily be
done when logged into the server as that user with>
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" /v State /t REG_DWORD /d 0x00023e00 /f
Note: Generally, the most common slow-running workflow
issues in WFA with PowerShell commands are due to CRL checking. An interesting
link which I came across but have not needed to add to my build is https://blogs.msdn.microsoft.com/timomta/2013/06/24/how-to-script-disabling-crl-checking-with-netsh-and-powershell/.
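A way to audit and undo the State change from step 1.6, as an added example that is not part of the original guide or of NetApp's tooling. It goes beyond the two hives above by checking every hive loaded under HKEY_USERS; the function names are made up for this example, and 0x200 is the WTPF_IGNOREREVOKATION flag from wintrust.h, the only bit that differs between 0x00023c00 and 0x00023e00.

```powershell
# Added example (not from the original guide): report which accounts have
# publisher certificate revocation checking switched off via WinTrust "State".
$IgnoreRevocation = 0x200   # WTPF_IGNOREREVOKATION (wintrust.h)
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-WinTrustRevocationState {   # hypothetical helper name
    param([string[]]$HivePath)
    foreach ($hive in $HivePath) {
        $path  = "Registry::$hive\$SubKey"
        $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
        if ($null -eq $state) {
            # Value absent: nothing was overridden for this account.
            [pscustomobject]@{ Hive = $hive; State = 'not set'; RevocationChecked = $null }
        } else {
            [pscustomobject]@{
                Hive              = $hive
                State             = '0x{0:x8}' -f $state
                RevocationChecked = -not ($state -band $IgnoreRevocation)
            }
        }
    }
}

function Enable-WinTrustRevocation {     # hypothetical helper name
    param([string]$HivePath)
    $path  = "Registry::$HivePath\$SubKey"
    $state = (Get-ItemProperty -Path $path -Name State).State
    # Clear only the ignore-revocation bit; leave the other policy flags alone.
    Set-ItemProperty -Path $path -Name State -Value ($state -band (-bnot $IgnoreRevocation))
}

# SYSTEM is S-1-5-18; a service account such as LAB\WFA shows up by SID
# only while its profile is loaded (service running or user logged on).
$hives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $_.Name }

Get-WinTrustRevocationState -HivePath $hives | Format-Table -AutoSize

# To restore checking for SYSTEM after troubleshooting:
# Enable-WinTrustRevocation -HivePath 'HKEY_USERS\S-1-5-18'
```

A State of 0x00023e00 reports RevocationChecked as False; 0x00023c00 reports True.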
1.7) Disable the Windows Firewall on the WFA server using PowerShell>
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
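An alternative to step 1.7 that keeps the firewall on and opens only the WFA web ports, as an added example that is not part of the original guide. The function and rule names are made up here; the ports are the WFA_HTTPS_PORT and WFA_HTTP_PORT values from this guide's silent install, and it assumes clients reach the server over the Domain profile and that no other inbound ports are needed in your environment.

```powershell
# Added example (not from the original guide): leave Windows Firewall enabled
# and allow inbound traffic only to the WFA web listener(s).
function Set-WfaFirewall {               # hypothetical helper name
    param(
        [int]$HttpsPort  = 443,          # WFA_HTTPS_PORT in the silent install
        [int]$HttpPort   = 80,           # WFA_HTTP_PORT in the silent install
        [bool]$AllowHttp = $false        # mirrors WFA_ENABLE_HTTP=0
    )

    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

    # Rule names are constructed for this example.
    $rules = @(@{ Name = 'WFA-HTTPS-In'; Port = $HttpsPort })
    if ($AllowHttp) {
        $rules += @{ Name = 'WFA-HTTP-In'; Port = $HttpPort }
    } else {
        # Drop a previously created HTTP rule if HTTP is no longer wanted.
        Remove-NetFirewallRule -Name 'WFA-HTTP-In' -ErrorAction SilentlyContinue
    }

    foreach ($r in $rules) {
        # Idempotent: only create the rule if it does not exist yet.
        if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $r.Name `
                -DisplayName "NetApp WFA ($($r.Port)/tcp)" `
                -Direction Inbound -Protocol TCP -LocalPort $r.Port `
                -Action Allow -Profile Domain | Out-Null
        }
        Get-NetFirewallRule -Name $r.Name |
            Select-Object Name, Enabled, Direction, Action
    }
}

Set-WfaFirewall                # HTTPS only
# Set-WfaFirewall -AllowHttp $true   # if HTTP access is left enabled in WFA
```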
Installing OnCommand Workflow Automation 3.1
Note:
Refer to the “OnCommand Workflow Automation 3.1: Installation and Setup Guide
for Windows” for full instructions.
Logged in as LAB\WFA (note that the
instructions do say log in to Windows using the default local administrator
account, but many organizations will disable this), you can either install WFA
3.1 interactively by right-clicking the WFA install executable and selecting
“Run as administrator” and answering the prompts -
Image:
Starting WFA 3.1 Interactive Installation
- or silent install via the DOS Administrator: Command Prompt (which is
the method used here) as in the example below (navigate to the folder
containing the EXE):
WFA-x64-v3.1.0.0.2P2-B3650164.exe /s /v"WFA_ADMIN_USERNAME=admin WFA_ADMIN_PASSWORD=YourPassword WFA_ADMIN_CONFIRM_PASSWORD=YourPassword WFA_INSTALL_SITE=lon WFA_INSTALL_ORGANIZATION=lab WFA_HTTP_PORT=80 WFA_HTTPS_PORT=443 WFA_ENABLE_HTTP=0 INSTALLDIR=\"C:\Program Files\NetApp\WFA\" DATABASEDIR=\"C:\Program Files\NetApp\WFA\Database\" /qn /l*v install.log"
Note 1: Replace YourPassword as required.
Note 2: The default ports 80 and 443 are specified here.
Note 3: WFA_ENABLE_HTTP is set to 0 in the above (the default) which allows only
HTTPS for external communication.
Note 4: You’ll know the install is complete when the NetApp WFA Server service
starts (see NA_WFA_SRV.exe in Windows Task Manager), and the install log should say:
MSI (s) (CC:C4) [14:17:46:786]: Product: OnCommand Workflow Automation -- Installation operation completed successfully.
Image:
NA_WFA_SRV.exe and mysqld.exe running in task manager
What Comes Next?
Log into WFA via http(s)://WFA_Server_DNS_Name_or_IP
and follow the WFA Setup Wizard (or not - you can re-run the Setup Wizard from the
Administration menu later). Then complete the WFA configuration to your heart's
content.
Further Configuration Ideas (also see the original post)
1) Disable IE ESC on the server (so we
can test the WFA site from the WFA server) via the Administrator: Windows
PowerShell>
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer
2) Replace the Self-Signed SSL Certificate - see How to Replace the Self-Signed SSL Cert for WFA 3.1.
3) Disabling HTTP Access to OnCommand
Workflow Automation
By default, OnCommand Workflow Automation (WFA) can be accessed by using both HTTP
and HTTPS. You can enable HTTPS-only access if you want to secure access to
WFA. Before you begin you must have logged in to the WFA host system as an
administrator. Enabling HTTPS-only access does not automatically redirect HTTP
to HTTPS.
Run the below in PowerShell>
cd (Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\NA_WFA_SRV\Parameters\Java' | select -ExpandProperty Options | where {$_ -match '-Djboss.home.dir'}).split('=')[1]
cd ../bin
../PoSH/profile.ps1
Import-Module ../PoSH/Modules/WFAWrapper/WfaConfig.psm1
Set-WfaConfig -Name HTTPAccess -Enable $false
And test from a remote client
that access over http to {WFASERVER/IP} is not possible but https is.
Hello Vidad,
NetApp 7Mode, how to add AD group permission to a folder using .net API or NetApp CLI
I need to add an AD group (read/write) access to the folder created inside the cifs shares.
I knew fsecurity will show the details like which are all AD groups have access to particular folder, but I want to write the details into NetApp
please do the needful.
Model: FAS8020
NetApp Release 8.2.3P4 7-Mode
With Thanks & Regards
Amjath
Hello Amjath, I did a post a while back on "Using Data ONTAP APIs (PowerShell) to Set ACLs" (see: http://www.cosonok.com/2015/10/using-data-ontap-apis-powershell-to-set.html). Check the WFA communities though, I know there's WFA workflows to set DACLs out there. Cheers VC