IBM Support

Mass Group Deactivation in Cloud Pak for Business Automation components

Troubleshooting


Problem

Some versions of IBM Cloud Platform Common Services can cause problems for IBM Cloud Pak for Business Automation customers that use a large enterprise LDAP. One major problem that occurs is the deactivation of LDAP groups in Business Automation Workflow components of IBM Cloud Pak for Business Automation (Business Automation Studio, Business Automation Workflow, and Business Automation Application).

Symptom

Some or all groups from the LDAP cannot be found in search results within Process Admin Console.

Cause

Starting with version 21.0.3, IBM Cloud Pak for Business Automation delegates SCIM operations against the configured LDAP connections to the Identity and Access Management (IAM) service of IBM Cloud Pak Common Services (foundational services).
The group replication process in Business Automation Workflow is triggered when the server starts up (when the pods are started). This group replication process in Business Automation Workflow issues a call to the IAM SCIM service to retrieve all groups from the configured LDAP connections. If this SCIM request fails to return any groups previously known to Business Automation Workflow, then Business Automation Workflow assumes that these LDAP groups are deleted from the LDAP. Therefore, Business Automation Workflow deactivates the groups in the database. Deactivated groups are not searchable in Process Admin Console and other consoles within Business Automation Workflow.
For customers with large enterprise LDAPs, the SCIM request to retrieve all groups might fail. When the SCIM request fails, then previously active LDAP groups are deactivated in Business Automation Workflow.
Many versions of IBM Cloud Pak Common Services (foundational services) lack the functionality and configuration options that are needed for the SCIM request that retrieves all groups from the LDAP to succeed. These options include the following:
  • Support for multi-value group filter (added in Common Services 3.19)
  • Configuring a custom search base for LDAP group entities (added in Common Services 3.21)
  • Server-side pagination support (added in Common Services 3.21)
  • Nested search support (added for Tivoli Directory Server and Security Directory Server in Common Services 3.22, added for Microsoft Active Directory in Common Services 3.20)
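The replication decision described above, modelled as an added illustration (this is not Business Automation Workflow or IAM code; the unpaged request limit, page size and group DNs are constructed values). It shows why a failed or truncated "retrieve all groups" call deactivates every known group, why server-side pagination avoids that, and, as our own addition, how a decision rule that distinguishes a failed request from an empty result would behave:

```python
"""Model of the group replication decision described in the Cause section.
Constructed illustration, not Business Automation Workflow or IAM code."""
from dataclasses import dataclass, field

# Assumed size beyond which a single unpaged SCIM search times out (constructed value).
MAX_UNPAGED = 1000


@dataclass
class ScimResponse:
    ok: bool                      # False models an HTTP 504 / timeout
    groups: list = field(default_factory=list)


def scim_list_groups(ldap_groups, page_size=500, server_side_pagination=False):
    """Simulated 'retrieve all groups' call to the IAM SCIM service."""
    if server_side_pagination:
        # Walk the directory page by page; every group is eventually returned.
        pages = [ldap_groups[i:i + page_size] for i in range(0, len(ldap_groups), page_size)]
        return ScimResponse(True, [g for page in pages for g in page])
    if len(ldap_groups) > MAX_UNPAGED:
        # One unpaged search over a large LDAP fails (modelled as a 504 with no body).
        return ScimResponse(False)
    return ScimResponse(True, list(ldap_groups))


def groups_to_deactivate(known_active, response):
    """Rule as described in the article: a known group that is absent from the
    SCIM result is treated as deleted from the LDAP and is deactivated."""
    returned = set(response.groups)
    return {g for g in known_active if g not in returned}


def groups_to_deactivate_guarded(known_active, response):
    """Safer rule (our addition, not the product's behaviour): a failed request
    says nothing about whether groups exist, so it must not deactivate anything."""
    if not response.ok:
        return set()
    return groups_to_deactivate(known_active, response)


def simulate(n_groups, server_side_pagination):
    """Return (deactivated under article rule, deactivated under guarded rule)
    for a directory of n_groups groups that are all known to Workflow."""
    ldap = [f"cn=group{i:05d},ou=Groups,dc=example,dc=com" for i in range(n_groups)]  # constructed DNs
    known = set(ldap)
    resp = scim_list_groups(ldap, server_side_pagination=server_side_pagination)
    return len(groups_to_deactivate(known, resp)), len(groups_to_deactivate_guarded(known, resp))
```

With 5000 groups the unpaged call fails and the article's rule deactivates all 5000, while the same directory read with server-side pagination deactivates none.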

Diagnosing The Problem

In the Business Automation Workflow application liberty-message.log file, you observe the following error:
[2023-02-14T23:52:22.730+0000] 0000006a com.lombardisoftware.client.delegate.SecurityDelegateDefault E CWLLG2229E: An exception occurred in an EJB call.  Error: Error in GET https://internal-nginx-svc.cp4ba-demo.svc:12443/teamserver/rest/graphql?query=%7B+userTeams%28user%3A%22CN%3Dhugeuser0001,OU%3DUsers0xxx,OU%3DUsers,OU%3DHuge+OU,DC%3Dfyre,DC%3Dibm,DC%3Dcom%22%29+%7B+items+%7B+uuid+distinguishedName+displayName+description+%7D%7D%7D&trace=BPM-13407268-90a1-44cd-b91c-0b65f38a085c: 504
com.lombardisoftware.core.TeamWorksException: Error in GET https://internal-nginx-svc.cp4ba-demo.svc:12443/teamserver/rest/graphql?query=%7B+userTeams%28user%3A%22CN%3Dhugeuser0001,OU%3DUsers0xxx,OU%3DUsers,OU%3DHuge+OU,DC%3Dfyre,DC%3Dibm,DC%3Dcom%22%29+%7B+items+%7B+uuid+distinguishedName+displayName+description+%7D%7D%7D&trace=BPM-13407268-90a1-44cd-b91c-0b65f38a085c: 504
        at com.lombardisoftware.userorg.http.JaxRSRestCallHandler.doGet(JaxRSRestCallHandler.java:472)
        at com.lombardisoftware.userorg.http.JaxRSRestCallHandler.doGet(JaxRSRestCallHandler.java:429)
        at com.lombardisoftware.userorg.umsteams.UMSTeamsModule.getTeamsOfUser(UMSTeamsModule.java:704)
        at com.lombardisoftware.server.core.GroupCore.updateUMSTeamMembershipImpl(GroupCore.java:2603)
        at com.lombardisoftware.server.core.GroupCore.updateUMSTeamMembershipOfCurrentUser(GroupCore.java:2488)
        at com.lombardisoftware.server.ejb.security.SecurityCore.refreshGroupMembershipAtLogin(SecurityCore.java:296)
        at com.lombardisoftware.server.ejb.security.SecurityCore$1.doIt(SecurityCore.java:244)
        at com.lombardisoftware.server.ejb.security.SecurityCore.executeWithUserLock(SecurityCore.java:2041)
        at com.lombardisoftware.server.ejb.security.SecurityCore.initializeNewLogin(SecurityCore.java:241)
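An added helper for scanning a liberty-message.log extract for the error line shown above (this is not an IBM tool; the regular expressions are assumptions based on the single log line in this article). It pulls out the message ID, HTTP status, trace ID and the percent-encoded GraphQL query, and decodes the query so the user DN that the failing userTeams lookup was made for is readable:

```python
"""Scan liberty-message.log text for the CWLLG2229E / HTTP 504 pattern from the
Diagnosing section. Added example; the line format is assumed from that one line."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed extract: the first line is the one quoted in the article, the second is
# an unrelated informational line added for contrast.
SAMPLE_LOG = """\
[2023-02-14T23:52:22.730+0000] 0000006a com.lombardisoftware.client.delegate.SecurityDelegateDefault E CWLLG2229E: An exception occurred in an EJB call.  Error: Error in GET https://internal-nginx-svc.cp4ba-demo.svc:12443/teamserver/rest/graphql?query=%7B+userTeams%28user%3A%22CN%3Dhugeuser0001,OU%3DUsers0xxx,OU%3DUsers,OU%3DHuge+OU,DC%3Dfyre,DC%3Dibm,DC%3Dcom%22%29+%7B+items+%7B+uuid+distinguishedName+displayName+description+%7D%7D%7D&trace=BPM-13407268-90a1-44cd-b91c-0b65f38a085c: 504
[2023-02-14T23:53:01.002+0000] 0000006b com.example.Startup I Server started (constructed line)
"""

# Timestamp, thread, logger, level, message ID, then "Error in GET <url>: <status>".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>\S+) (?P<logger>\S+) (?P<level>[A-Z]) (?P<msgid>CWLLG\d{4}[EWI]):"
    r".*?Error in GET (?P<url>\S+?): (?P<status>\d{3})$"
)
DN_RE = re.compile(r'user:"([^"]+)"')  # the user argument inside the decoded GraphQL query


def parse_scim_failures(log_text):
    """Return one dict per failed REST call found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        params = parse_qs(parts.query)  # also decodes %XX and '+' in the values
        findings.append({
            "timestamp": m["ts"],
            "msgid": m["msgid"],
            "status": int(m["status"]),
            "host": parts.netloc,
            "path": parts.path,
            "trace": params.get("trace", [""])[0],
            "query": params.get("query", [""])[0],
        })
    return findings


def user_dn(query):
    """Extract the LDAP DN the userTeams lookup was made for, or None."""
    m = DN_RE.search(query)
    return m.group(1) if m else None


def matches_symptom(finding):
    """True for the pattern this article says to look for: the teamserver
    GraphQL endpoint answering with HTTP 504."""
    return finding["status"] == 504 and finding["path"].endswith("/teamserver/rest/graphql")
```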

Resolving The Problem

Careful consideration of the LDAP connection configuration is required for SCIM operations against large enterprise LDAPs with thousands of groups to succeed for CP4BA Workflow components. Specific versions of IBM Cloud Pak Common Services (foundational services) are required to take advantage of its configuration options.
It is recommended that the following configuration options be carefully considered:
  • Configure a group search base. Restrict group searches to one or more branches of the LDAP (see IBM Cloud Pak Common Services IAM APIs > Directory Management APIs)
  • Configure a group search filter. Identify a search pattern that can be used to restrict results to a targeted subset of groups within the LDAP (see IBM Cloud Pak Common Services IAM > Configuring LDAP connection)
  • Enable server-side pagination of SCIM searches (see IBM Cloud Pak Common Services IAM APIs > Directory Management APIs)
IBM Cloud Pak for Business Automation 21.0.3 (LTSR version) currently supports Common Services 3.19.x, but not Common Services 3.20, 3.21, 3.22, and onward. CP4BA 21.0.3 IF019 introduces the use of Common Services 3.19.9, which provides the configuration options that must be set for the group replication process to run successfully.

Document Location

Worldwide


Document Information

Modified date:
01 May 2023

UID

ibm16957660