Direct links to fixes
APAR status
Closed as program error.
Error description
When you start the server of your IBM Business Process Manager (BPM) environment, you find the following error in the SystemOut.log file:

[4/21/15 18:43:45:501 AST] 0000008d EmbeddedECMIn E CWTDS1100E: An error occurred while validating or creating the default configuration for the IBM BPM document store. CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'tw_admin'.
Explanation: The technical user defined in the BPM role type 'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM' domain.
Action: Revert the recent user registry configuration changes and follow the instructions of the 'Administering the technical user for the IBM BPM document store' topic in the IBM BPM Information Center to ensure the technical user keeps access to the IBM BPM document store.

In some cases, the error text is slightly different, but the explanation and action are the same, for example:

CWTDS0022E: The configuration was changed in a way that the technical user 'tw_admin' of the IBM BPM document store fails to change the object 'Domain'.

In addition, you observe that the Event Manager does not start, so, for example, no tasks can run. When this error occurs on an online process server, the process server is not visible in IBM Process Center.
Local fix
When you change the user repository or delete users from the repository, make sure that at all times there is at least one user who is allowed to connect to the IBM BPM document store. You can use the maintainDocumentStoreAuthorization admin command to modify the set of users who are allowed to work with the IBM BPM document store. For example, use the special keyword #AUTHENTICATED-USERS to temporarily authorize all users who successfully authenticate to the IBM BPM document store by using the following wsadmin command:

AdminTask.maintainDocumentStoreAuthorization('[-deName <DE name> -add #AUTHENTICATED-USERS]')

When all authenticated users are allowed to access the document store, you can modify the user registry. After you finish modifying the user registry configuration, restrict access to one or two users again: as long as #AUTHENTICATED-USERS stays in place, every user who can authenticate is able to manage the document store and access its documents.
Problem summary
To enable communication with the IBM BPM document store, you define a technical user by mapping the EmbeddedECMTechnicalUser authorization role type to an authentication alias, which in turn is mapped to a user. All communication with the IBM BPM document store is done on behalf of this user. However, authorization to the IBM BPM document store is based on unique IDs. Only the user with a particular unique ID can manage the IBM BPM document store and access its documents. If you change your user registry configuration, for example by removing the file-based repository so that you use only an LDAP server in federated repositories, a user with the same user ID and password in the LDAP cannot access the IBM BPM document store. Even though the user has the identical name, the unique ID has changed and this change is why the document store considers this user different. The error can also arise when you delete the technical user from the file-based repository and re-create the user with this name. The re-created user has a different unique ID and is, therefore, not authorized to communicate with the IBM BPM document store.
Problem conclusion
A fix is available for IBM BPM that extends the existing admin task getDocumentStoreStatus to help you determine which user is allowed to access the document store. If you are locked out, run the admin command with the new option -authorizationDetails. For example, to run the getDocumentStoreStatus command for a deployment environment named 'DE1', call:

AdminTask.getDocumentStoreStatus(['-deName', 'DE1', '-authorizationDetails'])

The following examples of the admin command's output include instructions about how to repair the user registry and security configuration to unlock the IBM BPM document store connection.

Example 1

You changed the ECM technical user role mapping, but you have not updated the IBM BPM document store authorizations. In this case, you see CWTDS2067E, CWTDS2070I, and CWTDS2071I messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.
CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
CWTDS2071I: A user or group with the unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a and name uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the IBM BPM document store.

CWTDS2070I indicates that the ECM technical user is 'uid=tw_admin,o=defaultWIMFileBasedRealm'. CWTDS2071I indicates that the user who is authorized to communicate with the IBM BPM document store is 'uid=tw_admin_old,o=defaultWIMFileBasedRealm', which is different from the user who is configured as technical user. You can solve the lockout issue by completing the following steps:

1. Revert the EmbeddedECMTechnicalUser authorization role mapping to use the former admin tw_admin_old: In the administrative console, choose Deployment Environments > <Deployment Environment Name> > Business Integration Security, and check the EmbeddedECMTechnicalUser role. Make sure it is bound to an authentication alias that is mapped to the old user: tw_admin_old.
2. Make sure the change is synchronized with all nodes.
3. Restart the environment.
4. Use the admin script maintainDocumentStoreAuthorization to authorize the new admin. For example, to add a new authorization for user 'tw_admin' in Deployment Environment DE1, use the following admin command:

AdminTask.maintainDocumentStoreAuthorization(['-deName', 'DE1', '-add', 'tw_admin'])

For more information about the maintainDocumentStoreAuthorization command, see 'maintainDocumentStoreAuthorization command' at http://www.ibm.com/support/knowledgecenter/SSFPJS_8.5.0/com.ibm.wbpm.ref.doc/topics/rref_maintaindocstoreauth.html
5. Change the EmbeddedECMTechnicalUser role mapping back to the new admin (tw_admin) and synchronize the nodes.
6. Restart the environment.

Example 2

You removed the technical user from the user repository, but you did not transfer the IBM BPM document store authorizations to an existing user. In this case, you see CWTDS2067E, CWTDS2070I, and CWTDS2072W messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.
CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
CWTDS2072W: A user or group with unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a has access to the IBM BPM document store. However, a user or group with this unique ID is not found in the current user repository.

CWTDS2070I reports the unique name and unique ID of the ECM technical user. CWTDS2072W lists the unique ID of the user who may access the document store, but the user name for this ID cannot be determined because the user has been removed from the user repository. To resolve this problem, complete the following steps:

1. Re-create the former user in the user registry and make sure that the user has the unique ID reported in the CWTDS2072W message.
2. Re-create an authentication alias for that user and add it to the admin group.
3. Complete the steps in Example 1.
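The following script is added here as an illustration; it is not part of IBM's fix, documentation or product code. It turns the problem summary, the local fix and the two examples above into one piece of code: it parses the CWTDS2070I, CWTDS2071I and CWTDS2072W lines that getDocumentStoreStatus -authorizationDetails produces, classifies a lockout into the Example 1 and Example 2 cases by comparing unique IDs rather than user names (the point the problem summary makes), and wraps the #AUTHENTICATED-USERS workaround so that the blanket grant is revoked only after the technical user verifiably has access again. Assumptions that this page does not state: getDocumentStoreStatus returns its messages as the command's string result; maintainDocumentStoreAuthorization accepts a -remove option (check the linked command reference before relying on it); a healthy store reports CWTDS2070I and CWTDS2071I with matching IDs. FakeAdminTask and the three SAMPLE_* outputs are constructed so the module runs outside WebSphere.

```python
# Added example (not IBM code). Parses the '-authorizationDetails' output of
# getDocumentStoreStatus using the message shapes quoted in this APAR, classifies
# the lockout, and wraps the '#AUTHENTICATED-USERS' local fix so that the blanket
# grant is revoked only once the technical user verifiably has access again.
# Inside wsadmin (Jython) pass the real AdminTask; FakeAdminTask is a stand-in.
import re

TECH_USER_RE = re.compile(
    r"CWTDS2070I: The unique ID of user (?P<name>\S+) is (?P<uid>\S+?)\.?\s*$")
AUTHORIZED_RE = re.compile(
    r"CWTDS2071I: A user or group with the unique ID (?P<uid>\S+) "
    r"and name (?P<name>\S+) has access")
ORPHANED_RE = re.compile(
    r"CWTDS2072W: A user or group with unique ID (?P<uid>\S+) has access")
AUTHENTICATED = "#AUTHENTICATED-USERS"

def short_name(unique_name):
    """'uid=tw_admin,o=defaultWIMFileBasedRealm' -> 'tw_admin'."""
    first = unique_name.split(",")[0]
    return first.split("=", 1)[1] if "=" in first else first

def parse_authorization_details(output):
    """(technical_user, authorized): technical_user is (name, uid) or None;
    authorized maps unique ID -> name, or None when CWTDS2072W reports an ID
    that no longer resolves in the user registry."""
    technical_user, authorized = None, {}
    for line in output.splitlines():
        line = line.strip()
        m = TECH_USER_RE.search(line)
        if m:
            technical_user = (m.group("name"), m.group("uid"))
            continue
        m = AUTHORIZED_RE.search(line) or ORPHANED_RE.search(line)
        if m:
            authorized[m.group("uid")] = m.groupdict().get("name")
    return technical_user, authorized

def diagnose(output, de_name):
    """Return (state, repair_steps). Access is keyed by unique ID, so a
    same-named user whose ID changed is a different principal: compare IDs."""
    tech, authorized = parse_authorization_details(output)
    if tech is None:
        return "undetermined", []
    name, uid = tech
    if uid in authorized:
        return "ok", []
    add_current = ("AdminTask.maintainDocumentStoreAuthorization("
                   "['-deName', '%s', '-add', '%s'])" % (de_name, short_name(name)))
    named = [n for n in authorized.values() if n]
    if named:  # Example 1: the authorized principal still exists under another name
        return "technical_user_role_changed", [
            "# map EmbeddedECMTechnicalUser back to %s, sync nodes, restart" % short_name(named[0]),
            add_current,
            "# map EmbeddedECMTechnicalUser to %s again, sync nodes, restart" % short_name(name)]
    # Example 2: the only authorized unique ID was deleted from the registry
    return "authorized_user_deleted", [
        "# re-create the former user with unique ID %s, then do the Example 1 steps" % list(authorized)[0],
        add_current]

def change_registry_with_safety_net(admin_task, de_name, technical_user, apply_change):
    """Local-fix sequence with a verification gate. Assumed: '-remove' exists on
    maintainDocumentStoreAuthorization (check the linked reference) and a healthy
    store reports CWTDS2070I/CWTDS2071I with matching IDs. Anything that does not
    verify as 'ok' leaves the blanket grant in place for an operator to repair."""
    admin_task.maintainDocumentStoreAuthorization(['-deName', de_name, '-add', AUTHENTICATED])
    apply_change()  # the caller's registry change (e.g. drop the file-based repository)
    # the technical user now carries a new unique ID: authorize it explicitly
    admin_task.maintainDocumentStoreAuthorization(['-deName', de_name, '-add', technical_user])
    status = admin_task.getDocumentStoreStatus(['-deName', de_name, '-authorizationDetails'])
    state, _ = diagnose(status, de_name)
    if state != "ok":
        return state  # revoking #AUTHENTICATED-USERS now would lock the store
    admin_task.maintainDocumentStoreAuthorization(['-deName', de_name, '-remove', AUTHENTICATED])
    return "ok"

class FakeAdminTask(object):
    """Records calls and returns canned status output in place of wsadmin's AdminTask."""
    def __init__(self, status_output):
        self.status_output, self.calls = status_output, []

    def maintainDocumentStoreAuthorization(self, args):
        self.calls.append(tuple(args))
        return ""

    def getDocumentStoreStatus(self, args):
        self.calls.append(tuple(args))
        return self.status_output

# Constructed sample outputs, assembled from the messages quoted in this APAR.
SAMPLE_ROLE_CHANGED = """\
CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.
CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
CWTDS2071I: A user or group with the unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a and name uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the IBM BPM document store."""
SAMPLE_USER_DELETED = """\
CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
CWTDS2072W: A user or group with unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a has access to the IBM BPM document store. However, a user or group with this unique ID is not found in the current user repository."""
SAMPLE_HEALTHY = """\
CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
CWTDS2071I: A user or group with the unique ID 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb and name uid=tw_admin,o=defaultWIMFileBasedRealm has access to the IBM BPM document store."""
```

Under WebSphere, run the module with wsadmin.sh -lang jython -f and pass the real AdminTask object instead of FakeAdminTask; the code uses only Python 2 syntax so it also works in wsadmin's Jython. The design point is the gate in change_registry_with_safety_net: the temporary #AUTHENTICATED-USERS grant is the only thing keeping the store reachable while unique IDs change, so it is removed only after diagnose reports the technical user's current ID as authorized. Review the authorization list afterwards anyway; any stale unique ID or forgotten blanket grant is an extra principal that can manage the store.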
On Fix Central (http://www.ibm.com/support/fixcentral), search for JR52438:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR52438, and click Continue.
When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR52438
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-01-29
Closed date
2015-03-16
Last modified date
2015-04-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: IBM Business Process Manager Standard (SSFTDH); Platform: Platform Independent (PF025); Version: 855; Line of Business: Automation (LOB45)
Document Information
Modified date:
31 August 2023