Troubleshooting
Problem
Groups exposed from the LDAP to IBM Cloud Pak for Business Automation are not available or not synchronized in the Process Admin Console for the IBM Business Automation Workflow and IBM Business Automation Studio components of the IBM Cloud Pak for Business Automation. The LDAP groups are not properly synchronized when these conditions exist in the environment:
- ROKS authentication is enabled (it is enabled by default)
- Users and groups from LDAP are added to roles in Platform UI Access Control
Symptom
You might observe that groups from your LDAP are missing in the Process Admin Console > Group Management page or do not contain all the expected users. Attempts to synchronize the LDAP one or more groups do not work.
Cause
Starting with IBM Cloud Pak for Business Automation 21.0.3 ROKS authentication is enabled by default. The property roksEnabled in the IBM Cloud Pak foundational services operator ibm-iam-operator. IBM Business Automation Workflow and IBM Business Automation Studio (BAS) delegate interactions with the LDAP to the Identity and Access Management (IAM) SCIM component of IBM Cloud Pak foundational services. When ROKS authentication is enabled, the IAM SCIM queries for users and group and returns the results from two different realms. One realm is named ROKS and another realm named after the CP4BA deployment. IBM Business Automation Workflow and IBM Business Automation Studio are anticipating unique results to be retrieved from the LDAP. When duplicated results are retrieved some multiple realms, IBM Business Automation Workflow and IBM Business Automation Studio does not synchronize the users or groups.
Diagnosing The Problem
There are two steps to confirm that the LDAP groups are not synchronizing due to ROKS authentication.
Step 1: Confirm ROKS authentication is enabled
There are two methods to confirm if ROKS authentication is enabled.
Method 1: Use the OCP console
- Log in to the OCP console
- Navigate to Workflows > Config Maps
- Find the platform-auth-idp configmap in the ibm-common-services namespace
- Check the value of the ROKS_ENABLED property
Method 2: Run the following commands
auth_pod=$(kubectl get pod -n ibm-common-services | grep auth-idp | awk '{print $1}')
oc exec -ti $auth_pod -c platform-identity-manager -n ibm-common-services -- env |grep -i "roks_enabled"
Step 2: Capture a trace while you are executing the groups sync API from the list of Business Automation Workflow Operations (Swagger) APIs.
1.) Prepare to edit your CR yaml file by opening the OCP console or opening a text editor to modify the custom resource file.
2) Modify the CR yaml file with the following:
spec:
...
baw_configuration:
...
logs:
trace_specification: '*=info:WLE.*=all:com.ibm.bpm.*=all:com.ibm.workflow.*=all'
3.)Update the operator with the new configuration.
kubectl apply -f my_icp4a_cr.yaml --overwrite=true
4.) Navigate to the Swagger UI page for IBM Business Automation Workflow. You can access and execute the REST API from the Swagger UI from the URL with the following format:
https://host_name:port_number/ops/explorer
5.) Execute the IBM Business Automation Workflow Operations system login REST API to obtain a CSRF token. Copy the CSRF token value. Refer to the Operations REST API reference documentation regarding the system login REST API.
6.) Execute the IBM Business Automation Workflow Operations system groups_sync REST API. Refer to the Operations REST API reference documentation regarding the system groups_sync REST API.
7.) Capture the Workflow authoring pod logs and upload to the case. The following command can be used to gather the Workflow logs where pod name is one of the Workflow pods. Collect for all of your workflow-authoring-baw-server pods.
kubectl cp <pod-name>:/logs/application/ ./BAW
8.) Check the contents of the trace.log files. Looks for the SCIM results. Check the message to see whether the same group is returned by two different realms.
Example:
[2022-04-20T09:05:25.343+0000] 00000047 id=00000000 com.lombardisoftware.userorg.http.JaxRSRestCallHandler 3 doGet Received response: {"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":2,"Resources":[
{"id":"CN=hugeGroup00xx,OU=Groups,OU=Huge OU,DC=fyre,DC=ibm,DC=com","displayName":"hugeGroup00xx","urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group":{"realmName":"cp4ba-prod-4032"}},
{"id":"hugeGroup00xx","displayName":hugeGroup00xx","urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group":{"realmName":"ROKS"}}]}
Resolving The Problem
Step 1: Complete the following steps to disable the ROKS authentication property ROKS_ENABLED in the Identify and Access Management (IAM) platform-auth-idp configmap within the ibm-common-services namespace.
Method 1: Use the OCP console
Here are the steps you can use to disable ROKS_ENABLED.
1.) Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.
2.) From the navigation menu, click Workloads > Config Maps.
3.) Search for platform-auth-idp
4.) Click Edit Config Map
5.) Change the value of ROKS_ENABLED to false
6.) Click Save
7.) From the navigation menu, click Workloads > Deployments
8.) Locate auth-idp
9.) Click Edit Deployment. A window for editing displays
10.) Click Save without making any changes. This step is to reload the auth-idp pods with the latest configmap values.
11.) Click auth-idp.
12.) Wait for some time for the auth-idp pods to redeploy and come to a Ready status.
Method 2: Use the command line
1.) Edit the
platform-auth-idp configmap.
kubectl -n ibm-common-services edit configmap platform-auth-idp
2.) Set the following attribute value to
false.- ROKS_ENABLED
3.) Save and close the configmap.
4.) Restart the
auth-idp pods
kubectl -n ibm-common-services delete pod -l k8s-app=auth-idp
5.) Wait for some time. Then, check the status of the
auth-idp pods. The status must show as 4/4 Running for all the pods.
kubectl -n ibm-common-services get pods | grep auth-idp
Step 2: Use the Swagger UI to execute the IBM Business Automation Workflow Operations groups sync and users sync REST APIs to manually synchronize any users or groups found to be out of sync with IBM Business Automation Workflow or IBM Business Automation Studio.
1.) Navigate to the Swagger UI page for IBM Business Automation Workflow. You can access and execute the REST API from the Swagger UI from the URL with the following format:
https://host_name:port_number/ops/explorer
2.) Execute the IBM Business Automation Workflow Operations system login REST API to obtain a CSRF token. Copy the CSRF token value. Refer to the Operations REST API reference documentation regarding the system login REST API.
3.) Execute the IBM Business Automation Workflow Operations system groups_sync REST API. Refer to the Operations REST API reference documentation regarding the system groups_sync REST API.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBYVB","label":"IBM Cloud Pak for Business Automation"},"ARM Category":[{"code":"a8m0z0000001iTWAAY","label":"Operate-\u003EBAW Install\\Upgrade\\Setup"}],"ARM Case Number":"TS009626846","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"21.0.3;and future releases"}]
Was this topic helpful?
Document Information
Modified date:
21 June 2022
UID
ibm16596133