Server Configuration

In this document you will discover how to manage a Server supporting Collaborative Modeling features.

1. Cdo-server.xml File

The main configuration file used by the Team for Capella Server is the cdo-server.xml file.

The Team for Capella Server bundle comes as a standard Eclipse application. In the installed package, locate the Configuration folder and open it.

10. Server Configuration html 4af63c08

In this folder, locate the cdo-server.xml file and open it.

10. Server Configuration html m2e903fb5

Here is a commented extract of the ''‹cdo-server.xml›'' delivered with Team for Capella:

10. Server Configuration html m75fa66e9

Highlighted elements can be changed to customize the Team for Capella Server.

Note that many repository configuration options can not be changed anymore after the repository has been started the first time or if some data have been exported once to the server. If you need to change something in this configuration afterwards, you should then first delete the database files (files with db extension). A typical example is changing the name of the repository. The only elements you can change in the configuration file afterwards are Type of access control : userManager, securityManager, ldap or none and the acceptor.

2. Authenticated Configuration

To activate the authenticated server you have to set the line below in the cdo-server.xml file before the <store > tag. <userManager type="auth" description="usermanager-config.properties"/>

usermanager.properties is a path to the authenticated server configuration file. The path can be absolute or relative to the cdo-server.xml file.

users.file.path=users.properties
# ldap configuration
auth.type=ldap
auth.ldap.url=ldap://127.0.0.1:10389
auth.ldap.dn.pattern=cn={user},ou=people,o=sevenSeas
auth.ldap.filter=
auth.ldap.tls.enabled=false
auth.ldap.truststore.path=
auth.ldap.truststore.passphrase=
# openID Connect configuration
#auth.type=openidconnect
#auth.openIDConnect.discoveryURL=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
#auth.openIDConnect.tenant=organizations
#auth.openIDConnect.clientID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#auth.openIDConnect.technicalUsers.file.path=technicalUsers.properties

  • users.file.path is the name of the file containing the users. This file has to be copied into the root server installation folder. You can add new users by modifying the users.properties file.

  • auth.xxx corresponds to the LDAP configuration or the OpenID Connect configuration. The properties are prefixed by auth. Beware to uncomment at most the LDAP or the OpenID Connect configuration.

The file users.properties contains entries which keys are the logins and values are the passwords. Note that space must be escaped with \ else it will be considered as a key-value separator. Examples:

admin=admin
John\ Doe=secret

This is the default mode, when Team for Capella is installed the server is set with a file authentication configuration.
You must not escape spaces in the login field required to connect to remote model (see Connect to remote model section).
The same applies when you create a new user through the "security model" (see Access Control section).

10. Server Configuration html 4af6785

As access control modes are exclusive, other modes must be commented in the cdo-server.xml file:

<!-- <securityManager type="collab" .../> -->
<!-- <authenticator type="ldap" .../> -->

The server must be restarted to take into account the modifications done in the cdo-server.xml file.

On Client side, use the User Management view available in all Team for Capella clients. When using this view, the server does not need to be restarted after changes in the user accounts

3. User Profiles Configuration

To activate the user profile server you have to set the line below in the cdo-server.xml file before the <store > tag. The user profiles model is created at the first server launch.
Once activated, you must see this during the Team for Capella Server starting:

11. Access Control (User Profiles) html m4619544b

<securityManager type="collab" realmPath="userprofile-config.properties" />

userprofile-config.properties is a path to the user profile configuration file. The path can be absolute or relative to the cdo-server.xml file.

realm.users.path=users.userprofile
administrators.file.path=administrator.properties
# ldap configuration
auth.type=ldap
auth.ldap.url=ldap://127.0.0.1:10389
auth.ldap.dn.pattern=cn={user},ou=people,o=sevenSeas
auth.ldap.filter=
auth.ldap.tls.enabled=false
auth.ldap.truststore.path=
auth.ldap.truststore.passphrase=
# openID Connect configuration
#auth.type=openidconnect
#auth.openIDConnect.discoveryURL=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
#auth.openIDConnect.tenant=organizations
#auth.openIDConnect.clientID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
#auth.openIDConnect.technicalUsers.file.path=technicalUsers.properties

  • realm.users.path is the name of the resource that contains the user profile model.

  • administrators.file.path is a path to the administrators file. The path can be absolute or relative to the cdo-server.xml file. This file is only used to initialize administrators in the user profile model during the first start of the repository with the User Profile mode enabled (repository creation for example). It is mandatory because the definition of the user profile can only be done by an administrator.

  • auth.xxx corresponds to the LDAP configuration or the OpenID Connect configuration. The properties are prefixed by auth. Beware to uncomment at most the LDAP or the OpenID Connect configuration.

Be aware that once the server has been launched with the User Profile mode enabled, modifications on this file will have no effect. If you want to manage the list of administrators, please have a look at User Pofiles documentation and especially at the Promote a User to Super User section if you want to promote an existing user to administrator. On the other hand, you can also make backups (shared projects and User Profiles model), stop the server, delete the database, modify the administrators files, restart the server and re-export your data.

As access control modes are exclusive, other modes must be commented in the cdo-server.xml file:

<!-- <userManager type="auth" .../> -->
<!-- <authenticator type="ldap" .../> -->

The server must be restarted to take into account the modifications done in the cdo-server.xml file.

4. Not Authenticated Configuration

This configuration allows to work with a CDO server without authenticating from a client.

Just comment securityManager, userManager and authenticator tags in the cdo-server.xml file:

<!-- <securityManager type="collab" .../> -->
<!-- <userManager type="auth" .../> -->
<!-- <authenticator type="ldap" .../> -->

The server must be restarted to take into account the modifications done in the cdo-server.xml file.

5. Activate LDAP authentication

5.1. Activate LDAP authenticator

You can activate LDAP authentication in three different ways:

  • As an authenticator, the user must only be declared in the LDAP directory.

  • In combination with authenticated server. In that case, the authentication requires that the user is declared in the user file and is authenticated with the LDAP directory.

  • In combination with user profile server. In that case, the authentication requires that the user is defined in the user profile model and is authenticated with the LDAP directory.

The server must be restarted to take into account the modifications done in the cdo-server.xml file.

These ways are excluding themselves.

To activate LDAP authentication, as exclusive authenticator, the following authenticator tag must be added to the repository configuration in cdo-server.xml.

<authenticator type="ldap" description="ldap-config.properties" />

ldap-config.properties is a path to a properties file containing the LDAP authenticator configuration. This path may be relative to the CDO server configuration file or absolute.

As access control modes are exclusive, other modes must be commented in the cdo-server.xml file:

<!-- <userManager type="auth" .../> -->
<!-- <securityManager type="collab" .../> -->

5.2. Configure LDAP authenticator

The LDAP authenticator’s configuration file is a properties file whose content could look like the following one:

ldap.url=ldap://127.0.0.1:10389
#ldap.url=ldaps://127.0.0.1:10389
ldap.dn.pattern=cn={user},ou=people,o=sevenSeas
ldap.filter=
ldap.tls.enabled=true
ldap.truststore.path=trusted.ks
ldap.truststore.passphrase=secret

where :

  • ldap.url is the URL of the LDAP server, typically in the form <ldap or ldaps>://<IP_address or domain_name>:<port>

  • ldap.dn.pattern is the pattern to define the LDAP query used to bind a user. It must contain a {user} part which will be replaced with the login provided by the user.

  • ldap.filter is the LDAP query used to filter users by checking some attributes (optional). Different patterns are available to define this filter. For instance with the Apache DS sample (To download it, you can save the target of this link), to grant access to users having an email, the ldap filter pattern would be: mail=*. As another example, to filter user (from a directory named «Users») members of a group named «grp1» in the domain «MyCompany.com» the filter to declare will be : memberOf=CN=grp1,CN=Users,DC=MyCompany,DC=com.

  • ldap.tls.enabled is used for TLS enabling : true to enable TLS, false otherwise (non-SSL mode or use of deprecated LDAPS protocol). The default value is true.

  • ldap.truststore.path is the absolute path to a certificate truststore (useful for self-signed certificates)

  • ldap.truststore.passphrase is the truststore’s passphrase (useful for self-signed certificates)

When the LDAP authenticator is used in User Profile or Authenticated configurations, those properties property keys must be prefixed by the auth. and the auth.type=ldap is needed to activate the LDAP authentification.

Unlike the other two configuration ways (with «user profile server» and «authenticated server»), in the «exclusive authenticator configuration», the properties are not prefixed by auth.

If the LDAP certificate has been signed by an official Certificate Authority it is not required to set the trust store path as the JVM already trusts the CA.

If you need to generate a self-signed certificate or need to create a trust store from an existing certificate please refer to the following section.

5.2.1. Use a self-signed or non CA-authentified certificate

In case the certificate is self-signed or the CA used in your certificate is not managed by the jvm, you will need to generate a truststore and reference this truststore from the configuration file.

Follow the Export and TrustStore creation steps to create the trust store.

5.2.2. Example of LDAP using multiple patterns

# ldap configuration
ldap.url=ldap://ldap.myCompany.com:389
ldap.dn.pattern=uid={user},ou=group1,o=orga1,dc=mycompany,dc=fr
ldap.dn.pattern.1=uid={user},ou=group2,o=orga1,dc=mycompany,dc=fr
ldap.dn.pattern.2=uid={user},ou=groupN,o=orgaM,dc=mycompany,dc=fr

ldap.tls.enabled=false

5.3. Configure LDAP with a manager

Some LDAP does not support anonymous binding (if your LDAP server doesn’t even allow a query without authentication), then Capella would have to first authenticate itself against the LDAP server, and Capella does that by sending the «manager» DN and password. Using this specific connection, the user credentials (given by the user in the authentication popup) can be looked for in the LDAP tree.

This manager credentials needs to be provided in the properties file as it will not be asked to the user. These credentials are provided with the following properties:

  • ldap.manager.dn : The login of the manager.

  • ldap.manager.password : The password of the manager.

The search for the user himself in the LDAP is provided with the following properties:

  • ldap.user.search.base : search pattern working like the ldap.dn.pattern field.

  • ldap.user.search.filter : search filter working like the ldap.filter filed.

5.3.1. Example of LDAP configuration with a manager

# ldap configuration
ldap.url=ldap://ldap.myCompany.com:389
ldap.user.search.base=dc=myCompany,dc=com
ldap.user.search.filter=(&amp;(objectClass=account)(cn={user}))

# The manager credentials are useful for LDAP requiring authentication to run search filters
ldap.manager.dn=uid=manager,ou=People,dc=myCompany,dc=com
ldap.manager.password=DerfOcDoocs6

ldap.tls.enabled=false

5.4. Configure LDAP with Active Directory

An LDAP using Active Directory provides a field sAMAccountName that is usually used as a key (like the "cn" field). Users can be identified using this field associated with a domain name after an "@" as separator. This leads to this pattern: sAMAccountName@DomainName. As the user identifies himself by providing only his identifier, not the domain name, the corresponding pattern is: {user}@DomainName.

5.4.1. Example of LDAP configuration with Active Directory

For instance, if the domain name is "MyCompanyDomain" then the LDAP pattern will be: ldap.dn.pattern={user}@MyCompanyDomain

# ldap configuration
ldap.url=ldap://ldap.myCompany.com:389
ldap.dn.pattern={user}@MyCompanyDomain

ldap.tls.enabled=false

5.4.2. Example of LDAP configuration with a manager and Active Directory

# ldap configuration
ldap.url=ldap://ldap.myCompany.com:389
ldap.user.search.base=dc=myCompany,dc=com
ldap.user.search.filter=(&amp;(objectClass=organizationalPerson)(name={user}))

# The manager credentials are useful for LDAP requiring authentication to run search filters
ldap.manager.dn=manager@myCompany.com
ldap.manager.password=managerPassword

ldap.tls.enabled=false

5.4.3. Additional information

Sometimes, the structure of an Active Directory is not trivial and the exact path of a user in the Active Directory tree is not obvious. Here are some usefull command to get information about the Active Directory structure to reach the user "testUser" (testUser@myCompany.com)

dsquery * -filter "samaccountname=testUser" -attr *
dsquery group -name "groupname"
dsquery * -filter "samaccountname=testGroup" -attr *
dsquery * -filter "cn=testGroup" -attr *

How to complete the filter with the group

(& (objectClass=organizationalPerson)(sAMAccountName={user}) (memberOf=CN=grp1,CN=Users,DC=MyCompany,DC=com))

Usefull links:

6. Activate OpenID Connect authentication

With a server set with an OpenID Connect Connect authentication, the user will be able to authenticate using the UI provided by the OpenID Connect Platform. Instead of having the default dialog where the user enters his login password, here the embedded T4C web server will display a popup web browser interacting with the OpenID Connect platform.

For instance, for a server set with Microsoft Entra ID, here is the user experience when the user clicks on the «Test Connection» button of the Connection wizard. A web browser is displayed and present a Sign-in interface provided by Microsoft Entra ID.

10. Server Configuration OpenID authentication1

Then, the user follows the authentication process through the different web pages provided by the OpenID Connect platform depending on how it is configured.

10. Server Configuration OpenID authentication2

Finally, the user will be presented a web page displaying if the authentication was successful or not. The user can close the browser and continue as usual. In this page, a «Logout» hyperlink allows to logout the current user. The end-user is redirected to the sign-in page and may sign-in with another login.

10. Server Configuration OpenID authentication3

Technical views such as CDO views or Administration views still authenticate with basic login/password credentials. See Configure OpenID Connect authenticator to know how to configure this credentials.

6.1. Configure Team for Capella server

6.1.1. Activate OpenID Connect authenticator

You can activate the OpenID Connect authentication:

  • As an authenticator, the user must only be declared on the OpenID Connect platform.

  • In combination with user profile server. In that case, the authentication requires that the user is defined in the user profile model and is authenticated with the OpenID Connect server.

  • In combination with authenticated server. In that case, the authentication requires that the user is declared in the user file and is authenticated with the OpenID Connect server.

For the combination with both «user profile server» and «authenticated server», the user name to configure in Team For Capella must correspond to the attribute "Name" of the user in the OpenID Connect authentication platform.

The server must be restarted to take into account the modifications done in the cdo-server.xml file.

To activate the OpenID Connect authentication, as exclusive authenticator, the following authenticator tag must be added to the repository configuration in cdo-server.xml. Make sure the other tags are commented.

<authenticator type="openidconnect" description="openid-config.properties" />

openid-config.properties is a path to a properties file containing the OpenID Connect authenticator configuration. This path may be relative to the CDO server configuration file or absolute.

As access control modes are exclusive, other modes must be commented in the cdo-server.xml file:

<!-- <userManager type="auth" .../> -->
<!-- <securityManager type="collab" .../> -->

Finally, the OpenID Connect authentication requires a web server in order to securely communicate with the OpenID Connect platform. If the CDO server is configured with the OpenID Connect authentication mode, then it will require to activate the embedded web server for this secure communication.

6.1.2. Configure OpenID Connect authenticator

<installation folder>/server/configuration/openid-config.properties is the OpenID Connect authenticator’s configuration file. It is a properties file whose content could look like the following one:

openIDConnect.discoveryURL=https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
openIDConnect.tenant=organizations
openIDConnect.clientID=79bce8de-7542-4b90-bf18-XXXXXXXXXXXX
openIDConnect.technicalUsers.file.path=technicalUsers.properties

where :

  • openIDConnect.discoveryURL is the URL of the OpenID Connect metadata document (RFC) that contains the information required for the authentication.

  • openIDConnect.tenant controls the type of user profile that will be able to authenticate.

  • openIDConnect.clientID is the application ID that the OpenID Connect platform assigned to your application.

  • openIDConnect.technicalUsers.file.path is a relative path to a properties file that contains credentials(login, password) used for technical views such as CDO views or Administration views.

6.1.3. Configure embedded web server for OpenID Connect authentication

As presented before, the OpenID Connect Authentication requires a web server in order to authenticate securely. This is the same web server as the one providing the web services (REST API) for repository management. See in the dedicated section how to install and activate this experimental feature.

To activate the OpenID Connect support, you need then to set the value of the admin.server.jetty.auth.openidconnect.enabled property to true in <installation folder>/server/configuration/fr.obeo.dsl.viewpoint.collab.server.admin/admin-server.properties.

Note that if you do not have the Team for Capella server and all the Team for Capella clients installed on the same machine, you will need to configure the web server in https mode. Indeed, this is a security required from the OpenID Connect platform. So,

  • if the Team for Capella server is local to the Team for Capella client you may use http protocol with localhost. This is the default configuration.

  • if the Team for Capella server is installed on a different machine than the Team for Capella client you must configure the admin server with https.

To configure the admin server with https, do the following changes in <installation folder>/server/configuration/fr.obeo.dsl.viewpoint.collab.server.admin/admin-server.properties

# Jetty configuration
admin.server.jetty.https.enabled=true

# The next three line will be needed if the '${admin.server.jetty.https.enabled} option is set to true.'
admin.server.jetty.ssl.host=0.0.0.0
admin.server.jetty.ssl.port=8443
admin.server.jetty.ssl.keystore.path=${currentDir}/<keystoreFile>
admin.server.jetty.ssl.keystore.passphrase=<password>

6.2. Configure the client for OpenIdConnect

Once the authentication with OpenIDConnect succeded the T4C client browser will call T4C admin server on redirect URI passing some information inside cookies. So The T4C client browser needs to trust the URL and authorize cookies.

On windows, the configuration is done in Internet properties.

  • Open Internet properties

  • Select Security tab

  • Select Trusted sites then Sites button

  • Add the T4C admin server URL for example https://yourDNS

OpenIDConnect clientInternetOptions1

  • Select Privacy tab

  • Click Sites button

  • Allow the T4C admin server URL for example https://yourDNS

  • Click Settings button

  • Allow the T4C admin server URL for example https://yourDNS

OpenIDConnect clientInternetOptions2

6.3. Configure the application on the OpenID Connect platform

On the OpenID Connect platform, there is one property that requires to be properly set: the redirect URI. Indeed, the embedded web server expects that the redirect URI is the page /auth/redirect. This means that the redirect URI must be set to

  • either http://localhost:8080/auth/redirect if the Team for Capella server is local to the Team for Capella client

  • or https://<IP admin server>:8443/auth/redirect if the Team for Capella server is installed on a different machine than the Team for Capella client.

6.3.1. Configure OpenID Connect authenticator with Microsoft Entra ID

If your OpenID Connect platform is Microsoft Entra ID, here is a quick way to find how to configure the OpenID Connect authenticator in Team for Capella.

First, the openIDConnect.discoveryURL is provided by the OpenID Connect platform itself, not by your application. For Microsoft Entra ID, this protocol is presented in the online documentation. On the same page, there is a list of the different values the openIDConnect.tenant.

For the openIDConnect.clientID, you will need to look for it in the application you created in Microsoft Entra ID in order to use it for authentication from Team for Capella. From the Microsoft Entra ID home page, you can select App registration. Select your application for Team for Capella. From the overview, you can see the Application ID.

10. Server Configuration OpenID authentication4

Note that from this menu, you must set the redirect URI from the menu Authentication. In Platform configuration add a Web platform and set the redirect URI.

10. Server Configuration OpenID authentication5

The last property, openIDConnect.domainURL, depends on the location/address of the web server and is not linked with the OpenID Connect configuration.

On your application, do not forget to add the users that will be able to authenticate to the application:

10. Server Configuration OpenID authentication6

It is also recommended to create a conditional access policy (Security/Conditional Access) so you can set a timeout to the session once users are authenticated. You can also define how users are grant access (for instance with multi-factor authentication).

10. Server Configuration OpenID authentication7

Note that to be able to add conditional access policies, you need to disable the security defaults.

10. Server Configuration OpenID authentication8

Note that the following options must be activated because the authentication uses the implicit grant

  • Access tokens (used for implicit flows)

  • ID tokens (used for implicit and hybrid flows)

10. Server Configuration OpenidConnect implicitFlowChecks

7. Audit mode

The Audit mode aims to configure the server so it keeps tracks of all versions of each object in the CDO Server database. It is required for comparing different versions of the model for example. There are two different auditing configurations: Audit and Audit with ranges.

This Audit with ranges mode has been the default mode between Team for Capella 1.3.0 and Team for Capella 5.0.0.

The Audit mode is the default mode since Team for Capelle 5.1.0 to improve user-side performances (export, export with override, semantic browser refresh, …​)

The difference between the two modes is in the storage of lists: when the with ranges variant is used, the database stores only the delta between each versions of lists. This implies to load all preceding revisions of a list to compute a given state. But for some situations, it can slow the growth of the database. An analysis of the project can lead to a recommendation to switch to this mode.

When using the auditing modes, the size of the database might need to be monitored. If the database size grows bigger than 4 GB, the user might need to clear it if he encounters performance issues. That is to say, importing the models from the server, clearing the database and then importing the models back in the new database. Be aware that after doing this operation he will not be able to compare new commits against the commits done before the clearance. Some benchmarks have been done, after 10 000 commits modifying semantic and graphical elements this size have never been reached. In this context, modification and saving model times increase slightly compared to a server that does not have audit mode enabled. However both operations still feel smooth for the user.

Be aware that it is not possible to switch between «Audit», «Audit with ranges» or "non «Audit» modes on a CDO server that holds models. The switch has to be done on a empty CDO server database.

In order to disable the Audit mode you have to change cdo-server.xml to:

  • Set the audit mode property to false (default value is true).

<property name="supportingAudits" value="true"/>

  • Change the mapping strategy to horizontalNonAuditing (default value is horizontalAuditing).

<mappingStrategy type="horizontalNonAuditing">

  • Remove or comment the property withRanges in the mapping strategy properties.

<mappingStrategy type="horizontalNonAuditing">
	...
	<!-- property name="withRanges" value="false"/ -->
</mappingStrategy>

In order to (re-)activate the Audit mode you have to change cdo-server.xml to:

  • Set the audit mode property to true (default value is true).

<property name="supportingAudits" value="true"/>

  • Change the mapping strategy to horizontalAuditing (default value is horizontalAuditing).

<mappingStrategy type="horizontalAuditing">

  • Add the property withRanges in the mapping strategy properties.

<mappingStrategy type="horizontalAuditing">
	...
	<property name="withRanges" value="false"/>
</mappingStrategy>

In order to activate the Audit with ranges mode you have to change cdo-server.xml to:

  • Set the audit mode property to true (default value is true).

<property name="supportingAudits" value="true"/>

  • Change the mapping strategy to horizontalAuditingWithRanges (default value is horizontalAuditing).

<mappingStrategy type="horizontalAuditing">

  • Add or modify the property withRanges in the mapping strategy properties.

<mappingStrategy type="horizontalAuditing">
	...
	<property name="withRanges" value="false"/>
</mappingStrategy>

8. Activate WebSocket connection

It is possible to activate a WebSocket connection between the client and the CDO server. Both client and server have to be configured accordingly.

8.1. Client configuration

On client side, users will have to use WS or WSS connection types regarding the configuration of the server.

The client side configuration will depend on the global deployment of the current server and the use of the WS and WSS connection types.

Then a user will have to use the following parameters to connect to the repository:

  • Repository Host: localhost or ip/url of the server,

  • Port Number: 8080 (value of admin.server.jetty.port or admin.server.jetty.ssl.port if HTTPS is enabled, or specific proxy port if Team for Capella is deployed behind a proxy)

  • Repository Name: repoCapella

  • Connection type: WS (WSS if Jetty has been deployed in HTTPS or is behind an HTTPS proxy)

When the REST Admin server runs in HTTPS mode, it will be configured with a certificate.

8.1.1. Add certificate in Capella client JRE

You need to add the public certificate into the JRE of the T4C client. The JRE is located in <T4C client>/jre

Assuming that the private certificate has been provided by the customer. The public certificate can be generated directly from the private.

You can use keytool to generate the public certificate or use Keystore explorer that can be download from https://keystore-explorer.org/

With Keystore explorer

  • Open the certificate.jks used by the t4c server

  • Select the certificate and export it. You get a certificate.cer file

  • Open Keystore explorer and import capella/jre/lib/security/cacert

  • Click on import a trusted certificate and select certificate.cer

  • If the certificate is structured in tree with a root certificate import all certificates

  • Do not forget to save

What if a Web Application Server(WAF) or a proxy stands between the T4C client and the T4C server

Context: the installation architecture is

  • T4C client on client VM

  • a WAF proxy that accept 443 connection

  • a T4C server on server VM that accepts 8443

Issue when clicking test connection from the T4C client : unable to find valid certification path to requested target

Analysis

The certificate is configured on the server. Is it the same certificate that is installed on the client JRE?

To check that

  • From the client, open a Navigator and enter the address https://t4cServerDNS:443

  • Open or export the certificate from the navigator url toolbar or from the navigator settings

  • Check the certificate serial number

  • From the server, open Keystore explorer. You can download it from https://keystore-explorer.org/

  • Open the certificate.jks used by the t4c server

  • Check the certificate serial number

  • Expected : if serial numbers are not the same it is logical to have the issue

Pay attention to compare the proper serial number because sometimes the certificate used by the server contains a root certificate and other dedicated certificate

Solution

To solve the issue, we need to add the certificate used by the WAF in the client JRE cacert

  • In the client VM, from the navigator, download the root certificate returned by the WAF using your navigator (directly from the url toolbar or using settings)

  • Open Keystore explorer and import capella/jre/lib/security/cacert

  • Click on import a trusted certificate and select the download certificates

  • If the certificate is structured in tree with a root certificate import all certificates

  • Do not forget to save

Restart capella and recheck the connectionSSL connection

8.1.2. Autosigned or untrusted certicate

If this certificate is self-signed or untrusted, the following system properties can be added in the client capella.ini file in order to configure the security checks:

  • Trust any certificate (self-signed for example): -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.trustall=true

  • Endpoint Identification Algorithm: -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.endpointIdentificationAlgorithm

  • TrusStore passphrase: -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.passphrase

  • TrusStore URI: -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.trust

  • TrustStore type: -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.trust.type

  • Trust Manager Factory Algorithm: -Dfr.obeo.dsl.viewpoint.collab.https.jetty.ssl.context.trust.manager.factory.algorithm

Those properties are used to configure the Jetty’s org.eclipse.jetty.util.ssl.SslContextFactory).

Additional properties might be needed, see server configuration section.

8.2. Tools configuration

When WebSocket transport is activated on the server, the importer and other tools must be configured accordingly to be successful. The same configuration than the client needs to be done in the -vmargs section of the tools script (importer.bat, maintenance.bat, exporter.bat, …​).

8.3. Server configuration

The REST Admin Server and the CDO Server need to be configured to enabled the Net4J WebSocket-based transport:

  • the property admin.server.jetty.net4j.enabled=true in <TeamForCapella installation folder>/server/configuration/fr.obeo.dsl.viewpoint.collab.server.admin/admin-server.properties allows to deploy the Net4J Websocket servlet.

  • a specific acceptor must be added in the cdo-server.xml with type ws or wss.

    • <acceptor type="ws"/> is the simplest and default WebSocket-based acceptor. Additional configurations are explained below.

    • It can be used to replace the default acceptor (<acceptor type="tcp" listenAddr="0.0.0.0" port="2036"/>) or as an additional one.

The move from a Websocket-based transport to a SecuredWebsocket-based transport can be done through Jetty configuration by enabling HTTPS, or with the use of an HTTPS reverse proxy server (Nginx or Apache for example).

8.4. Optional configuration

Here is a list of optional settings which will impact both server and clients configurations:

  • change the acceptor name to be specific to your product: from ws://1.2.3.4:8080/net4j/@default to ws://1.2.3.4:8080/net4j/@YourAcceptorName

    • server: change the acceptor tag in the cdo-server.xml to be <acceptor type="ws" name="YourAcceptorName" />

    • client: -Dfr.obeo.dsl.viewpoint.collab.net4j.ws.acceptor=YourAcceptorName (same value than name attribute of the acceptor tag used on the server side).

  • change the HTTP REST endpoint from the default value (/net4j) to the path of your choice: from ws://1.2.3.4:8080/net4j/ to ws://1.2.3.4:8080/your/path/

    • server: set admin.server.jetty.net4j.path=your/path

    • client: -Dfr.obeo.dsl.viewpoint.collab.net4j.ws.path=your/path

  • have basic authentication on the Net4J servlet (same credentials than the one used for the other servlets, see openapi/):

    • for tests purpose only: login passwords might be available from the installation details of the eclipse platform and in the executable companion .ini file.

    • server: admin.server.jetty.net4j.remove.public.constraint=true

    • client:

      • declare the login: -Dorg.eclipse.net4j.internal.ws.WSClientConnector.clientBasicAuth.login=sampleuser

      • declare the password: -Dorg.eclipse.net4j.internal.ws.WSClientConnector.clientBasicAuth.password=samplepassword

9. Activate SSL connection

It is possible to activate a SSL connection between the client and the CDO server.

Both client and server have to be configured accordingly.

On server side a keystore has to be set/ up and, on client side, a trust store containing the key store public key has to be set up. See chapter Managing certificate to generate keystore and truststore.

9.1. Client configuration

Add the following lines in the client capella.ini file:

-Dorg.eclipse.net4j.tcp.ssl.passphrase=secret
-Dorg.eclipse.net4j.tcp.ssl.trust=file:///<trusted.ks absolute path>

9.2. Tools configuration

When SSL is activated on the server, the importer and other tools must be configured accordingly to be successful. Add the following lines in the script files (importer.bat, maintenance.bat, exporter.bat):

-Dorg.eclipse.net4j.tcp.ssl.passphrase=secret ^
-Dorg.eclipse.net4j.tcp.ssl.trust=file:///<trusted.ks absolute path> ^

9.3. Server configuration

In the cdo-server.xml configuration file the acceptor has to be configured to accept SSL connections <acceptor type="ssl" listenAddr="0.0.0.0" port="2036"/> Set the acceptor type to ssl.

Add the following lines in the server ini file:

-Dorg.eclipse.net4j.tcp.ssl.passphrase=secret
-Dorg.eclipse.net4j.tcp.ssl.key=file:///<server.ks absolute path>

10. Managing certificate

Keytool can be used to create and manage certificates and stores. This tool is provided with the JDK and its documentation is available here.

10.1. Generate a keystore

The keystore contains certificate information, private and public key. To generate it use the following command:

keytool -genkey -ext SAN=IP:<server IP> -keyalg "RSA" -dname o=sevenSeas -alias keystore_alias -keystore server.ks -storepass secret -validity 730 -keysize 4096

-ext: For example, <server IP> may be the LDAP server for SSL connection between CDO server and LDAP server or may be the CDO Server for SSL connection between client and CDO server.

-dname: optional. It initializes the metadata of your organization.

10.2. Sign your certificate from a certificate authority(optional)

This step is optional and you may then proceed with Export certificate from a keystore. For that step, you have to give your certificate signature request(server.csr) to your certificate authority(CA) which, in return will provide a signed certificate(server.crt).

keytool -certreq  -alias keystore_alias -file server.csr -keystore "server.ks"

The two steps below allow to import root certificate and intermediary certificate.

keytool -import -alias Root_CA -keystore server.ks -file Root_CA.cer
keytool -import -alias Server_CA -keystore server.ks -file Server_CA.cer

Then, import the signed certicated into the server.ks keystore.

keytool -import -alias keystore-signed -keystore server.ks -file server.crt

10.3. Export certificate from a keystore

To export a certificate from an existing keystore the following command can be used :

keytool -export -keystore server.ks -alias keystore_alias -file server.cer

This command asks for the store’s passphrase and then create a server.cer file containing the certificate previously created.

10.4. Create a truststore from a certificate

It is advised to not export the whole keystore on clients. Creating a truststore containing only the certificate and public key is recommended. This truststore is intended to be deployed on clients which need to connect to the server.

keytool -import -file server.cer -alias keystore_alias -keystore trusted.ks -storepass secret

This command creates a new truststore in file trusted.ks. This truststore contains the server’s public key, it can be copied on client machines and referenced via the truststore.path configuration key.

The truststore is protected with secret as a passphrase.

11. Team for Capella Server: the REST Admin Server

The Team For Capella server is composed of the CDO repositories server and an HTTP Jetty server.

By default, the Jetty admin server is automatically started with the CDO server on port 8080. The admin server is used :

  • to manage repositories with the REST Admin API

  • by applications (importer, maintenance application, console application) to execute code on server

schema architecture detailed

You can find more information in the file <TeamForCapella installation folder>/server/configuration/fr.obeo.dsl.viewpoint.collab.server.admin/admin-server.properties : it contains all the admin server configuration information.

11.1. REST Admin API

The REST Admin Server provides a whole set of services to manage the projects, the models and the users. The documentation is available at the URL http(s)://<admin server IP>:<admin server port>/doc

A swagger documentation is available at the URL http(s)://<admin server IP>:<admin server port>/openapi. It can be enabled or disabled with the admin.server.jetty.servlets.admin.docandopenapi.enabled property

11.2. Credentials Management

The first time the server is launched, a default «admin» user and its associated default token are created in the Eclipse secure-storage of the user that started the CDO server. The «admin» credentials are stored in a dedicated node used by the server. The token is hashed and encrypted. A secret.txt file, containing the token, is created in the same folder than admin-server.properties file. It can be used in third party application to authenticated with the admin server. Do not forget to remove this file as soon as you can.

Moreover, the admin credentials are also added in the secure storage for the application needs (importer, exporter, etc) in a dedicated node. The credentials are encrypted.

This way once the server has been started the first time, there is no additional step. The applications can automatically be used, being authenticated with the admin server with the «admin» user.

Nevertheless, it is possible to manage the user and the user token with the Credentials application

By default, the secure storage is created or retrieved from the home of the system user currently executing the application:

  • Windows:

    • %USERPROFILE%\.eclipse\org.eclipse.equinox.security\secure_storage

    • C:\Users\someUser\.eclipse\org.eclipse.equinox.security\secure_storage

    • Specific case when Jenkins service is launched as Local System (not recommended): C:\Windows\System32\config\systemprofile\.eclipse\org.eclipse.equinox.security\secure_storage

  • Linux:

    • ~/.eclipse/org.eclipse.equinox.security/secure_storage

    • /home/someUser/.eclipse/org.eclipse.equinox.security/secure_storage

  • macOS:

    • ~/.eclipse/org.eclipse.equinox.security/secure_storage

    • /Users/someUser/.eclipse/org.eclipse.equinox.security/secure_storage

    • Location can depend from the configuration of your operating system.

It is also possible to change the location of the secure storage with the use of the -eclipse.keyring program argument in both TeamForCapella/server/server.ini and TeamForCapella/capella/capella.ini. The secure storage must be shared between server-side client, tools and server in order to be able to use it from the Scheduler jobs. For example to use a fixed secure storage located in TeamforCapella/.eclipse/secure_storage:

-eclipse.keyring
../.eclipse/secure_storage

The -eclipse.password option can be used with -eclipse.keyring, it allows to use the content of the specified file as the default password instead of saving the password in the secure storage. On Linux, this helps to overcomes issues related to passwords management by secure storage and the use of the default PasswordProvider.

-eclipse.password
../.eclipse/password

12. Team for Capella Server Installation Types

12.1. Quick Installation (1 Server, 1 Repository)

Installation process and details are described in the Installation Guide for Team for Capella.

Moreover, do not install any viewpoint except PROPERTIES KEY/VALUES-typed viewpoint. Ask to viewpoint providers whether their viewpoint is compatible with Team for Capella.

If the viewpoint is compatible with Team for Capella, deploy the viewpoint on every Team for Capella client and the importer used by server. Clean and export models again after a viewpoint installation.

12.2. Configuration with 1 Server, n Repositories, N Models

12.2.1. Introduction

This is the recommended configuration to work with several projects.

  • Advantages:

    • Only one instance of the Team for Capella Server (RAM consumption is limited),

    • Configuration/Management is easier than with n servers,

    • This configuration looks like the one used for DOORS and Git,

    • Repositories are independent: with the server stopped, a repository can be removed without impact on the other repository(ies),

  • Drawbacks:

    • When the only server is stopped, no project is available. This can happen when one model is detected as corrupted by the "Projects – Import" job,

    • User accounts are linked to a server instance (if an user has an account on the server, he can connect to models of all repositories),

    • Some configuration must be done (unlike the default configuration).

12.2.2. How to Add a New Repository

Hypothesis: the repository is added to a just installed version.

Add a new repository to the Team for Capella Server:

  • Open TeamForCapella\server\configuration\cdo-server.xml:

12. Guidelines html m31227d3d

Note the 2 default repositories (content is collapsed in this screenshot),

  • "repoCapella", this repository is stored in a data base(h2),

  • "repoCapellaMem", this repository is stored in memory (it is only an example, this repository should not be used and can be deleted).

12. Guidelines html 7df18b5

Notes:

  • The last changed argument gives the data base files names and location (here, files with be prefixed with "capella" and stored in "repoCapella_newProject" folder,

  • For file backup/copy purposes, It is better to have each repository stored in its own folder,

  • The default repository ("repoCapella") name and location should also be changed,

  • Avoid space character in repository name (and generally special characters),

12. Guidelines html m2c0de056

Add a new job to Team for Capella Scheduler (Jenkins) to manage the new repository:

12. Guidelines html 4ee9bd38
12. Guidelines html 1a79556a
12. Guidelines html m192db20f

Check the configuration is working: Start the Team for Capella Server using the "Server – Start"job (click on 12.Guidelineshtml72552451)and open the TeamForCapella\server\ folder

db and workspace folders should have been created:

12. Guidelines html 1b3c376
12. Guidelines html 741afd0f
12. Guidelines html 7f3d0535

12.3. Configuration with N Servers, N Repositories, N Models (1 Scheduler)

12.3.1. Introduction

  • Advantages:

    • If a server is stopped (for example if a database corruption occurs), only projects stored on this server are unavailable,

    • User accounts can be different between server instances,

  • Drawbacks:

    • Several instances of the Team for Capella Server (RAM consumptiondepends on the number on the number of servers used),

    • Configuration/Management is more complex than with only one server,

12.3.2. How to Add a New Server

Hypothesis: the server is added to a just installed version, by default it will only contain the default repository "repoCapella".

  1. Create a new Team for Capella server instance,

    1. Do a copy of the TeamForCapella\server folder to newServer (for example),

    2. Change the cdo server port in the TeamForCapella\newServer\configuration\cdo-server.xml(for example 2037): 12. Guidelines html 36c0d96c

    3. Change the http server port in the TeamForCapella\newServer\configuration\admin-server.properties(for example admin.server.jetty.port=8081):

  2. Add new jobs to Team for Capella Scheduler (Jenkins),

    1. Launch Jenkins,

    2. Using a web browser, connect to "http://localhost:8036",

    3. Duplicate all the jobs you need. (In Jenkins use «New item» button and fill «Copy from» field.)

    4. For every job, in the build part of the job, add -httpPort <admin server port> parameter to refer to the right instance of the admin server. (for example -httpPort 8081)

    5. For «Server - Run» job, in the build part of the job, change the path of the server

      12. Guidelines html m18fa4098

    6. «Backup and restore» and «Diagnostic and repair» jobs, in the build part of the job, add -port <cdo repository port> parameter to refer to the right instance of the cdo server(for example -port 2037)

      10. Server Configuration html m59c024c6

13. How to stop the server

The main methods to close the server are the following:

  • Launch the dedicated Scheduler job: Server – Stop (recommended method)

  • directly command.bat -command cdo -commandParams stopserver

To avoid database corruptions, the server must in no way be closed these ways:

  • Using the “Abort” button on the Server – Start job of the Scheduler,

  • Especially on Windows 2008 Server 64 bits platforms:

    • Closing the command prompt running the server (if any) by clicking on the Windows close button,

    • Leaving the server close when the user logs out or the computer stops (to avoid this problem, it is advised to launch the Scheduler as a service so the server is not closed on log out).

14. How to reset the server

To restart with a clean server or after a database corruption, it can be useful to reset the server:

  • Stop the server using the Scheduler,

  • Remove the folder workspace from the server folder,

  • Remove the folder db-auditing from the server folder (value for the default repository, check the dataSource elements of your cdo-server.xml file).

  • Start the server,

  • Export the needed models from a Team for Capella Client (using the “Import Job” result artifacts for example).

Note that it is also possible to restore the database from the result artifacts of the Database – Backup job, refer to the Capella client Help Contents in chapter Team for Capella Guide > System Administrator Guide > Server Configuration > Reinitialize database.

15. How to Improve Export Performances

The following line is used to configure the database (in cdo-server.xm):

To improve performances when exporting big models to the repository, change LOG=1 by LOG=0. When exports are done, return to the original value (LOG=1 is useful to avoid database corruptions when the server process is killed).

16. Reinitialize database

You have three ways to reinitialize data in a database.

  • Use the Database – Restore job

  • Restoring a database backup

  • Exporting backed up projects to a given repository

16.1. Restore database from database backup

The use of the Database – Restore job should be preferred but it is still possible to manually do the same operation.

This operation should be used to restore a database from the file generated by the Database – Backup job (this file has a pattern like: repoCapella.20151105.171109-sql.zip).

The database will be restored in exactly the same state as it was when the backup was performed:

  • Existing durable locks will also be restored,

  • A corrupted database will be restored in the same corrupted state.

16.1.1. How to manually restore a DB backup

  1. Edit "server.ini" file

  2. Change the vmarg property collab.db.restore to true as follow: -Dcollab.db.restore=true

  3. Specify the backup file location with the -Dcollab.db.restoreFolder parameter (default value is db.restore in the server)

  4. Put the .zip backup file in the specified directory.

Example with db.restore:

  1. Stop the server using the Server – Stop job

  2. Start the server using the Server – Start job

  3. If everything went well, you will get a log like the following one in the server’s console:

    !ENTRY com.thalesgroup.mde.melody.collab.server.repository.h2 1 0 2020-04-22 18:39:32.409
!MESSAGE Restore repoCapella processing starts.

!ENTRY com.thalesgroup.mde.melody.collab.server.repository.h2 1 0 2020-04-22 18:39:33.977
!MESSAGE Restore repoCapella restored database from : C:\TeamForCapella\server\..\scheduler\jenkins_home\jobs\Database - Backup\builds\7\archive\repoCapella.20200422.182742-sql.zip

!ENTRY com.thalesgroup.mde.melody.collab.server.repository.h2 1 0 2020-04-22 18:39:33.980
!MESSAGE Restore repoCapella processing ends. The file has been moved to C:\TeamForCapella\server\..\scheduler\jenkins_home\jobs\Database - Backup\builds\7\archive\repoCapella.20200422.182742-sql.zip.restored

!ENTRY org.eclipse.emf.cdo.server.db 2 0 2020-04-22 18:39:35.537
!MESSAGE Detected crash of repository repoCapella

!ENTRY org.eclipse.emf.cdo.server.db 1 0 2020-04-22 18:39:35.614
!MESSAGE Repaired crash of repository repoCapella: lastObjectID=OID248, nextLocalObjectID=OID9223372036854775807, lastBranchID=0, lastCommitTime=1 586 948 133 861, lastNonLocalCommitTime=1 586 948 133 86

The .zip backup file will be suffixed by .restored or .error if the restore failed. This behavior can be disabled with the use of -Dcollab.db.restore.rename.source.file=false.

Restore process only supports textual script backup with the name that ends with –sql.zip.

If you want to remove restored locking sessions from the database, use the Durable Locks Management view (see the Server Administration part of this documentation).

16.2. Restore database from projects backup

This way gives more control on the restoration as you may delete the repository and the repository is restored project by project. To restore projects in a repository:

  • close the server

  • delete file corresponding to the repository in the database folder. See how you configured the cdo-server.xml file to have the information.

  • restart the server

  • export the projects to the server with a Team For Capella client. Those projects are taken from the last valid «Projects - Import» job execution.

17. How to externalize configuration in a specific folder

  • To externalize workspace → use the eclipse runtime arguments "-data path_to_folder " in the files capella.ini, importer.bat and command.bat.

Example:

server/server.exe -data C:/data/TeamForCapella/server/workspace
capella/importer.bat -data C:/data/TeamForCapella/server/importer-workspace
capella/command.bat -data C:/data/TeamForCapella/server/command-workspace

  • To externalize configuration folder → copy the folder configuration to the expected path and use the eclipse runtime arguments "-configuration path_to_folder ".

Example:

server/server.exe -configuration C:/data/TeamForCapella/server/configuration
tools/importer.bat -configuration C:/data/TeamForCapella/server/configuration
tools/command.bat -configuration C:/data/TeamForCapella/server/configuration

  • To externalize cdo-server.xml → use the jvm arguments from the server.ini "-Dnet4j.config= path_to_file " .

Example:

-vmargs -Dnet4j.config=C:/data/TeamForCapella/server/configuration/cdo-server.xml

  • To externalize users.properties → update the description property of the <usermanager> element from the cdo-server.xml file.

Example:

Line 18 : <userManager type=«auth» description="C:/data/TeamForCapella/server/usermanager-config.properties" />

  • To externalize db folder → update jdbc url from the cdo-server.xml file editing the value of the attribute url from the tag <dataSource/>.

Example:

<dataSource uRL="jdbc:h2:C:/data/TeamForCapella/server/db/h2/capella;LOG=0;CACHE_SIZE=65536;LOCK_MODE=0;UNDO_LOG=0" (…)

  • Move jenkins_home

Update scheduler/conf/context.xml to change the attribute Environment JENKINS_HOME with the path of the jenkins_home folder :

  • Restart scheduler

  • [Optional: in case you do not user embedded scheduler] To externalize backup and restore folder → use the jvm arguments from the server.ini file: "-Dcollab.db.backupFolder= path_to_file " and "-Dcollab.db.restoreFolder= path_to_file " .

Example:

-vmargs -Dcollab.db.backupFolder=C:/data/TeamForCapella/server/db.backup
-Dcollab.db.restoreFolder=C:/data/TeamForCapella/server/db.restore

To directly externalize all previous file, you can edit server.ini file

Example: To externalize all files in the folder C:\data\TeamForCapella\server

1) Update server.ini

-console
-data
 C:/data/TeamForCapella/server/workspace 
-configuration
 C:/data/TeamForCapella/server/configuration
-vmargs
-Dnet4j.config= C:/data/TeamForCapella/server /configuration
-Dcollab.db.backup=false
-Dcollab.db.restore=false
-Dcollab.db.backupFolder= C:/data/TeamForCapella/server /db.backup
-Dcollab.db.restoreFolder= C:/data/TeamForCapella/server /db.restore
-Dcollab.db.backupFolderMaxSize=1G
-Dcollab.db.backupFrequencyInSeconds=900
-Dosgi.requiredJavaVersion=17
-Xms128m
-Xmx2000m
-XX:PermSize=128m

  • Update "-data" and "-configuration" of command.bat and importer.bat

18. How to Change Ports Values

See Server configuration section → Cdo-server.xml File

See Jenkins installation section → Change the Port Used by Jenkins.

See Team For Capella Web server section → Change the Port of the admin server

By convention we could use 12036 for a server that listens to the port 2036 (defined in cdo-server.xml), 12037 for the server that listens to 2037, 12038 for 2038 etc…

12. Guidelines html 6b2faa2d

  • Edit configuration of all jobs setup in the scheduler that use the OSGI console

  • Connect to scheduler admin site

  • Go to "Backup database" configuration

  • Edit the build command line to replace "…command.bat localhost port_value" by the expected port

Ex: command.bat localhost 12036 capella_db backup

  • Go to "Server – Stop" configuration

  • Edit the build command line to replace "…command.bat localhost 12036 close" by the expected port

Ex: command.bat localhost 12036 close

  • Go to "Import projects" configuration

  • Edit the build command line to replace "…importer.bat –archivefolder…" by the expected port

Ex: importer.bat –consoleport 12036 –archivefolder

  • This is needed if the importer has to stop the server on import failure

If you have several jobs using the OSGI port value, you can create an environment variable to store it in a single place.

19. How to Increase the Size of Description and Documentation Columns

When very long text are written in Description or Documentation fields, an error of the following type can occur when saving a remote project or exporting a local project to the server:

[ERROR] org.h2.jdbc.JdbcSQLException: Value too long for column DESCRIPTION VARCHAR(32672)

To avoid this problem, change the file server/configuration/cdo-server.xml to use:

<dbAdapter name="h2-capella" /> instead of <dbAdapter name="h2" />

Fields description and documentation will be stored in CLOB instead of VARCHAR.

h2-capella is the default value in cdo-server.xml.

19.1. Customize commit description length

The system property fr.obeo.dsl.viewpoint.collab.common.commit.description.max.length can modify the length of the commit message. By default the value is the Integer maximum value. This property needs to be set to the same value on the client and the server.

This default Integer maximum value length is due to com.thalesgroup.mde.melody.db.h2.H2Adapter that consider the commit comment as a CLOB. Note that this is a custom H2Adapter for Team for Capella. It replaces the default org.eclipse.net4j.db.h2.H2Adapter that expects a VARCHAR for the comment description DB field limiting the length of the message to 255 characters. If the commit description is longer than the accepted max length, it will be truncated before commit to match the max length in core wizards, actions and session save operations. For components extending the collaborative layer, if they directly call setCommitComment() and commit() methods on the CDO transaction, they can use fr.obeo.dsl.viewpoint.collab.common.internal.commit.CommitCommentUtil.fitCommitDescriptionLength(String) to fit their commit comment. -1 can be used to remove the limitation. Otherwise only values greater than or equals to 10 are accepted. "Xxxxxxxxxx" will become "Xxxx […​]". If the property value if -1, it will take the system dependent SWT widget Text.LIMIT length.