Scribd
Upload
125 views

BPMSecurity WSTE

BPM Security & LDAP - Concepts and Troubleshooting

Uploaded by

Venkat
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
125 views

BPMSecurity WSTE

BPM Security & LDAP - Concepts and Troubleshooting

Uploaded by

Venkat
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

IBM Software Group

BPM Security & LDAP - Concepts


and Troubleshooting
Sridhar Edam , Shinsou (Al) Wang
[email protected] , [email protected]
BPM L2 Support Engineers
06/11/2013

WebSphere Support Technical Exchange

IBM Software Group

Agenda
Introduction - background of BPM security LDAP configuration.
Security Providers
User and Group Tables
Entity type mapping
BPM user Cache
Configuration files
Common Problems and solutions
Mustgather
References
Questions

WebSphere Support Technical Exchange

IBM Software Group

Introduction
 BPM integrates with user repositories which enables utilizing the existing
organizational structure to facilitate its human workflow processing.

 The human centric workflow is designed to route the tasks based on the
design of a Business Process (BPD). An LDAP integration facilitates using
the existing organizational tree to be used for such routing.

 This presentation will focus on concepts , scenarios and troubleshooting of


LDAP integration with BPM.

WebSphere Support Technical Exchange

IBM Software Group

security providers

Default File Based Repository


a. Websphere default security provider for users and Groups

User Repository
a. LDAP based repository. External to WAS

BPM Internal Security Provider


a. BPM internal users stored in the database

WebSphere Support Technical Exchange

IBM Software Group

BPM User and Group Tables


LSW_USR - store default user, BPM internally created user.
LSW_USR_XREF - all available user, historical user.
LSW_USR_GRP_XREF - where LDAP group is/ Ad-hoc group
LSW_USR_GRP_MEM_XREF - defines the relation between user and group
LSW_GRP_GRP_MEM_XREF - defines the hierarchy of group.
When does the group table gets populated?
a) startup b) Manual synch c) system components requesting a JMS cache reset
Sample of Group Sync after starting of the system:
[10/29/12 11:03:24:575 PDT] 00000001 WsServerImpl A WSVR0001I: Server server1 open
for e-business
...
[10/29/12 11:05:34:984 PDT] 00000044 wle
I CWLLG0446I: Group Alsgroup is
being checked for new updates
...
Sample of When user log in to Portal
[10/29/12 11:05:35:078 PDT] 00000044 wle_security I CWLLG1088I: Initializing session is
done for user alwangaa

WebSphere Support Technical Exchange

IBM Software Group

BPM security tables

WebSphere Support Technical Exchange

IBM Software Group

BPM security tables

WebSphere Support Technical Exchange

IBM Software Group

BPM User Cache


When does user gets cached into BPM?
a)full sync
b)log in
c)Process Admin search.
*If user is not known to BPM, error might occurs when routing task to
it.

WebSphere Support Technical Exchange

IBM Software Group

WAS - LDAP Mapping

WebSphere Support Technical Exchange

IBM Software Group

LDAP Search Filters


 http://bpmwiki.blueworkslive.com/display/commwiki/Configure WLE 7.1 LDAP Filters

WebSphere Support Technical Exchange

10

IBM Software Group

BPM security configuration files


security.xml

wimconfig.xml (wim = Websphere identity manager)

WebSphere Support Technical Exchange

11

IBM Software Group

BPM security configuration files (Contd)


admin-authz.xml
Stores WAS Administrative user roles.

WebSphere Support Technical Exchange

12

IBM Software Group

Common Problems and Solutions


 Redlight for an App in Process Designer.
Network connection issue will result Process Designer displaying red-light.
A Process App opened in process designer initiates a deploy of that App into process Center.
Lacking WAS Admin Roles when developing application with Advanced content will result redlight as
well.
http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0mx/topic/com.ibm.wbpm.admin.doc/topics/deploying
_introduction.html

 Unable to login to any BPM console including WAS Admin console when repository is down
http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.wim.doc%2F
UnableToAuthenticateWhenRepositoryIsDown.html

 Switching Login attribute may result new users generated on LSW_USR_XREF table.
 Process Admin does not show groups from LDAP after configuration.
Process Admin synchronizes all visible group by sending a query * for group. If LDAP is configured
not accepting wild card character. LDAP timeout.

 Active Directory may have a default value for a maximum search result. Change MaxPageSize
according to attaching technote:
http://www-01.ibm.com/support/docview.wss?uid=swg21439593

WebSphere Support Technical Exchange

13

IBM Software Group

Common Problems and Solutions (continued)


 Error during start up (com.ibm.websphere.wim.exception.MaxResultsExceededException:
CWWIM1018E '4501'search results exceeds the '4500' maximum search limit.
a) wimconfig has a variable of maxSearchResults which can be changed.
b) We also recommend using search filter

 SqlIntegrityConstraintViolationException gets thrown during group replication process. Additionally,


upon server startup, LDAP groups are not visible from WebSphere Application Server Administrative
Console and Process Admin Console.
http://www-01.ibm.com/support/docview.wss?uid=swg21619620

 JS API tw.System.org.FindUserByName() throws NPE when user has not log on to BPM.
http://www-01.ibm.com/support/docview.wss?uid=swg1JR42912

 Adding a new user to LDAP but it is not visible in BPM.


Check the users DN with filter

 LDAP group name longer than 255 char will result a sql error.
 WAS ldapsearch utility
http://www-01.ibm.com/support/docview.wss?uid=swg21113384

WebSphere Support Technical Exchange

14

IBM Software Group

BPM mustgather
Trace Strings.
*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:co
m.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all:WLE.wle_security=finest

Config tree
The profile config directory that stores the profile configuration in XML files
In an ND environment , config directories from both DMGR and Federated Nodes.

Contents of the xref tables


The user and group information is stored in the database tables.
The XREF tables replicate user and group information from LDAP as well.

WebSphere Support Technical Exchange

15

IBM Software Group

References
 http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0mx/topic/com.ibm.wbpm.ad
min.doc/topics/deploying_introduction.html

 http://www-01.ibm.com/support/docview.wss?uid=swg21439593
 http://www-01.ibm.com/support/docview.wss?uid=swg21113384
 http://www-01.ibm.com/support/docview.wss?uid=swg21619620

WebSphere Support Technical Exchange

16

IBM Software Group

Summary

 Different repositories supported by BPM


 Understanding the configuration files & DB tables used by BPM helps
narrowing down the issues.

 Using of LDAP Filters is key to organize BPM users / groups and


improving performance.

 Key items to be looked at when switching LDAP


 Common known problems and solutions described to resolve such
occurrences

WebSphere Support Technical Exchange

17

IBM Software Group

Additional WebSphere Product Resources




Learn about upcoming WebSphere Support Technical Exchange webcasts, and access
previously recorded presentations at:
http://www.ibm.com/software/websphere/support/supp_tech.html

Discover the latest trends in WebSphere Technology and implementation, participate in


technically-focused briefings, webcasts and podcasts at:
http://www.ibm.com/developerworks/websphere/community/

Join the Global WebSphere Community:


http://www.websphereusergroup.org

Access key product show-me demos and tutorials by visiting IBM Education Assistant:
http://www.ibm.com/software/info/education/assistant

View a webcast replay with step-by-step instructions for using the Service Request (SR)
tool for submitting problems electronically:
http://www.ibm.com/software/websphere/support/d2w.html

Sign up to receive weekly technical My Notifications emails:


http://www.ibm.com/software/support/einfo.html

WebSphere Support Technical Exchange

18

IBM Software Group

Connect with us!


1. Get notified on upcoming webcasts
Send an e-mail to [email protected] with subject line wste
subscribe to get a list of mailing lists and to subscribe

2. Tell us what you want to learn


Send us suggestions for future topics or improvements about our
webcasts to [email protected]

3. Be connected!
Connect with us on Facebook
Connect with us on Twitter

WebSphere Support Technical Exchange

19

IBM Software Group

Questions and Answers

WebSphere Support Technical Exchange

20

You might also like