
Post-installation tasks for IBM Business Process Manager V8.5.0 Fix Pack 2 (8.5.0.2)

Product Readmes


Abstract

Some individual fixes in this IBM Business Process Manager V8.5.0 Fix Pack 2 (8.5.0.2) require additional configuration steps to complete the installation. Configure the individual fixes by searching for the APAR number and following the respective instructions.

Content

IBM Business Process Manager Standard, IBM Business Process Manager Express, and IBM Business Process Manager Advanced are referred to collectively as the IBM Business Process Manager products.

Interim fix (APAR) | Description | Task to enable the function
JR47596
When using Process Inspector, adding, or removing large (LDAP) groups to or from participant groups takes a long time
This fix introduces a new configuration setting that allows you to specify that the members of a group are to be determined from the DB only.

The setting avoids LDAP access. As a result, the speed of loading group members into the cache is increased. In addition, a new cache reset mechanism is included that resets the cache for a specific entry (such as a group), thereby avoiding frequent cache reloads.
Include the following setting in the 100Custom.xml files for Process Center and Process Server:

<server>
<group-member-cache-source merge="replace">DB</group-member-cache-source>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR47860
Missing task timer executions, stuck instances because of queue full condition
This fix enhances the Event Manager so that Event Manager tasks that were retried until reaching the re-execute-limit can be resumed by the administrator when the exceptional situation is resolved. With this interim fix, upon reaching the re-execute-limit, the respective Event Manager task is put on hold. In addition, a task is created and assigned to the EM administrator (as specified via notify-error in the 80EventManager.xml). To resume Event Manager tasks that are on hold, use the new BPMReplayOnHoldEMTasks administrative command, which allows replaying such Event Manager tasks so that they can be scheduled by the Event Manager again. For more information, see BPMReplayOnHoldEMTasks command.

NOTES:
- The system could be configured so that the EM administrator is notified about such tasks by email. Therefore, the EM administrator could be notified about the exceptional situation.
- Before replaying on-hold Event Manager tasks, analyze the root cause that led to the on-hold Event Manager tasks. Replay on-hold Event Manager tasks after the root cause is identified and resolved.
- When an Event Manager task is replayed, the associated notification task for the administrator is deleted.
- If there is a large number of on-hold Event Manager tasks in the system, don't replay all Event Manager tasks at once.
Start with replaying a chunk of 100 Event Manager tasks. Then replay a larger chunk. As long as the performance is satisfactory, keep increasing the chunk until all on-hold Event Manager tasks are replayed.

IMPORTANT: Replaying too many on-hold Event Manager tasks in one chunk can create a lot of load on the system. To cope with this load, the system must be tuned carefully. Replay on-hold Event Manager tasks during times with low system load.
JR47929
Disable default values in the XPath selection of base types
When the custom property of this fix is set, the BPEL engine makes the XCI XPath Engine ignore the default values of basic types when evaluating XPath expressions.

For example, with a value of 3 an object can be read as
<XXX:timeStamp>YYYY-MM-DDT11:22:33.034Z</XXX:timeStamp>

Whereas with a value of 0, the same object can be read as
<XXX:timeStamp>YYYY-MM-DDT11:22:33Z</XXX:timeStamp>
To enable the XCI XPath Engine to ignore the default values of basic types when evaluating XPath expressions, add the XPathExpressionEvaluation custom property and give it the disableDefaultValues value:

1. In the administrative console, for each application cluster member (Standard and Advanced) or for the stand-alone server (Express), go to the Java virtual machine custom properties page: Servers > Server Types > WebSphere application servers > server_name.
2. In the Server Infrastructure section, click Java and Process Management > Process definition > Java Virtual Machine > Custom Properties.
3. Add the XPathExpressionEvaluation custom property and give it the disableDefaultValues value.
4. Save the changes and, in an ND environment, synchronize the changes to the managed nodes.
5. Restart the application cluster (Standard or Advanced) or stand-alone server (Express).
JR48052
The Process Admin Event Manager Monitor page is very slow
Instead of showing all event jobs on the Process Admin Console "Event Manager > Monitor" page, you can define a threshold in the 100Custom.xml file to reduce the number of shown event jobs. If a threshold is defined, there is a button to retrieve all event jobs as needed. If no valid threshold is defined, all event jobs are shown. For example, for an event job threshold definition for the Process Admin Console, modify the 100Custom.xml files for Process Center and Process Server:

<server>
<process-admin-console merge="mergeChildren">
<event-job-threshold merge="replace">100</event-job-threshold>
</process-admin-console>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR48172
Provide admin scripts to synchronize users and groups memberships between VMM including LDAP directories and the IBM BPM DB
Each of the following scripts might imply execution times that exceed the default timeout setting for wsadmin script execution. Change the default to reflect the execution time required in your setup by opening the <profile_root>/properties/soap.client.props file and changing the value for com.ibm.SOAP.requestTimeout. For example, set it to 0 to imply no timeout.

TIP: Consider running scripts during idle time because they might impose a high load on the system.
User synchronization

Two new administrative scripts are provided to trigger user synchronization between the user registry and the IBM BPM DB. Versions are available for both Windows and Linux environments and can be found at <profile_root>/properties/soap.client.props.

- To synchronize a set of specified users, use the following script:
usersSync.[bat|sh] [options...] <userID1> <userID2> ... <userIDn>

Options:
-?, -help This help message
-u <username>, -username <username> user name of admin user
-p <password>, -password <password> user password (unencrypted)
-host <host> server host name, must be used with port
-port <port> server SOAP port number

userIDn: a list of user IDs which are to be synchronized.

To execute the script, change to the directory containing the script and trigger the execution. The script execution result indicates the number of synchronized users.
Users that are not available in the user registry are skipped from synchronization.

- To synchronize all users in the user registry, use the following script:

usersFullSync.bat [options...]

Options:
-?, -help This help message
-u <username>, -username <username> user name of admin user
-p <password>, -password <password> user password (unencrypted)
-host <host> server host name, must be used with port
-port <port> server SOAP port number

To execute the script, switch to the directory containing the script and trigger the execution. The script execution result indicates the number of synchronized users.

NOTE: Executing usersFullSync inserts ALL users available from the WAS user repository into the IBM BPM DB.

For increased performance, both scripts use VMM interface calls, in case Federated Repositories (VMM) are configured for security.

If VMM is used with LDAP directories, tune your LDAP configuration in wimconfig.xml to allow for the potential retrieval of all users in one VMM query. Consult the VMM tuning documents. In particular, select an appropriate setting for configurationProvider->maxSearchResults and consider adapting other values, such as ldapServers->connectTimeout, attributesCache->cacheSize.

The wimconfig.xml file is located at <profile_root>/config/cells/<cell>/wim/config/wimconfig.xml.

Group membership synchronization
Two new administrative scripts are provided to trigger synchronization for (direct and indirect) user members of groups between the user registry and the IBM BPM DB.
Versions are available for both Windows and Linux environments and can be found at <profile_root>/bin.

NOTE: Synchronization for group membership takes into account users that
- Are already in the IBM BPM DB
- Either logged in to IBM BPM after installing this interim fix or have been synchronized to IBM BPM by using one of the previously mentioned user synchronization scripts.

All other users are not considered as group members when applying the synchronization scripts for group membership. Consider whether your setup is appropriate for using the scripts.

To synchronize group membership for the resolved (direct and indirect) user members of a set of specified groups, use the following script:
syncGroupMembershipForGroups.[bat|sh] [options...] <groupName1> <groupName2> ... <groupNameN>

Options:
-?, -help This help message
-u <username>, -username <username> user name of admin user
-p <password>, -password <password> user password (unencrypted)
-host <host> server host name, must be used with port
-port <port> server SOAP port number

groupNames: a list of group names the members of which are to be updated for membership.

NOTE: In the context of a group, the group membership is synchronized for the members of the group with respect to this group.

To execute the script, go to the directory containing the script and trigger the execution.
The script execution result indicates the number of synchronized groups.
Groups can be skipped from synchronization for a number of reasons:
- Groups are not available in the user registry
- Groups with a (short) name occur more than once in the user registry
- Groups are already defined with the same (short) name in IBM BPM as non-security groups, such as groups created from the Process Admin Console

To synchronize group membership for the user members of all available groups, use the following script:
syncGroupMembershipForAllGroups.[bat|sh] [options...]

Options:
-?, -help This help message
-u <username>, -username <username> user name of admin user
-p <password>, -password <password> user password (unencrypted)
-host <host> server host name, must be used with port
-port <port> server SOAP port number

To execute the script, go to the directory containing the script and trigger the execution.
The script execution result indicates the number of synchronized groups.
Groups can be skipped from synchronization for a number of reasons:
- Groups with a (short) name occur more than once in the user registry
- Groups are already defined with the same (short) name in IBM BPM as non-security groups, such as groups created from the Process Admin Console

For increased performance, both scripts use VMM interface calls, in case Federated Repositories (VMM) are configured for security.

The scripts require that the VMM entity type Group is extended to include an additional property representing either
- The set of (direct and indirect) user members of the group (referred to as "groupusermember")
- The set of direct (user or subgroup) members of the group (referred to as "groupmember").

Complete the following configuration steps:

1. Check whether attached LDAP directories expose an attribute for a group entry that lists all (direct or indirect) user members. For instance, the Tivoli Directory Server exposes for a group entry the "ibm-allmembers" attribute, which can be directly queried to retrieve all user members of the group.

If such an attribute exists, make sure it is configured for user member retrieval (see step 3).

If no such attribute exists, use in the following steps the LDAP attribute that identifies the (user or subgroup) members of a group entry in the LDAP directory, for instance "members" or "uniqueMembers".

2. Define a VMM property for identifying either
- All user members of a Group entity
- The direct user and subgroup members of a Group entity

Extend the VMM entity type Group to include an additional property with name "groupusermember" or "groupmember". For this, include or extend the file wimxmlextension.xml at the location <profile_root>/config/cells/<cell>/wim/model.

The file is to contain the extension definition:

<sdo:datagraph xmlns:sdo="commonj.sdo"
xmlns:wim="http://www.ibm.com/websphere/wim">
<wim:schema>
<wim:propertySchema nsURI="http://www.ibm.com/websphere/wim"
dataType="STRING"
multiValued="true" propertyName="groupusermember">
<wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
</wim:propertySchema>
</wim:schema>
</sdo:datagraph>

or

<sdo:datagraph xmlns:sdo="commonj.sdo"
xmlns:wim="http://www.ibm.com/websphere/wim">
<wim:schema>
<wim:propertySchema nsURI="http://www.ibm.com/websphere/wim"
dataType="STRING"
multiValued="true" propertyName="groupmember">
<wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
</wim:propertySchema>
</wim:schema>
</sdo:datagraph>

3. For every LDAP directory configured for VMM, define the mapping between the VMM property name "groupusermember" or "groupmember" and the corresponding available LDAP attribute, for example "ibm-allMembers" or "uniqueMembers", respectively.

For this, include in <profile_root>/config/cells/<cell>/wim/config/wimconfig.xml (in a cluster, on the deployment manager for every server of the cluster) the entry:

<config:repositories xsi:type="config:LdapRepositoryType" ...>
...
<config:attributeConfiguration>
...
<config:attributes name="ibm-allMembers" propertyName="groupusermember">
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
...
</config:attributeConfiguration>
</config:repositories>

or

<config:repositories xsi:type="config:LdapRepositoryType" ...>
...
<config:attributeConfiguration>
...
<config:attributes name="uniqueMembers" propertyName="groupmember">
<config:entityTypes>Group</config:entityTypes>
</config:attributes>
...
</config:attributeConfiguration>
</config:repositories>

4. For every LDAP directory configured for VMM, tune your LDAP configuration in wimconfig.xml to allow for potential retrieval of all groups in one VMM query. Consult the VMM tuning documents. In particular, select an appropriate setting for configurationProvider->maxSearchResults and consider adapting other values, for example ldapServers->connectTimeout, attributesCache->cacheSize.

5. Enable using the "groupusermember" or "groupmember" property by BPM.
Include in the 100Custom.xml file the entry:

<common merge="mergeChildren">
<security>
<vmm-options>
<group-user-member-prop merge="replace">groupusermember</group-user-member-prop>
</vmm-options>
</security>
</common>

or

<common merge="mergeChildren">
<security>
<vmm-options>
<group-member-prop merge="replace">groupmember</group-member-prop>
</vmm-options>
</security>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files and Commands (wsadmin scripting).
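Steps 2, 3 and 5 above put the same property name into three different files, and a mismatch in any of them leaves the synchronization scripts without a usable membership property. The following consistency check is an added example, not IBM code; the three inputs are constructed samples, and the `<properties>` root, the `xmlns:config` and `xmlns:xsi` declarations and the repository `id` values in them are assumptions.

```python
import xml.etree.ElementTree as ET


def local(name):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def find_all(root, tag):
    """All elements below (and including) root whose local tag name matches."""
    return [el for el in root.iter() if local(el.tag) == tag]


def check_group_member_config(custom_xml, extension_xml, wimconfig_xml):
    """Return a list of problems; an empty list means the three files agree."""
    # Step 5: which VMM property does 100Custom.xml tell IBM BPM to use?
    custom = ET.fromstring(custom_xml)
    wanted = [el.text.strip()
              for tag in ("group-user-member-prop", "group-member-prop")
              for el in find_all(custom, tag) if el.text]
    if len(wanted) != 1:
        # The page offers the two settings as alternatives.
        return ["100Custom.xml must set exactly one of group-user-member-prop "
                "or group-member-prop"]
    prop, problems = wanted[0], []

    # Step 2: wimxmlextension.xml must declare the property for entity type Group.
    declared = [s for s in find_all(ET.fromstring(extension_xml), "propertySchema")
                if s.get("propertyName") == prop]
    if not declared:
        problems.append(f"wimxmlextension.xml does not declare property '{prop}'")
    for schema in declared:
        types = [(e.text or "").strip()
                 for e in find_all(schema, "applicableEntityTypeNames")]
        if "Group" not in types:
            problems.append(f"property '{prop}' is not applicable to entity type Group")
        if schema.get("multiValued") != "true":
            problems.append(f"property '{prop}' is not declared multiValued")

    # Step 3: every LDAP repository in wimconfig.xml must map an LDAP attribute
    # to the property for entity type Group. Other repository types are skipped.
    for repo in find_all(ET.fromstring(wimconfig_xml), "repositories"):
        xsi_type = next((v for k, v in repo.attrib.items() if local(k) == "type"), "")
        if not xsi_type.endswith("LdapRepositoryType"):
            continue
        mapped = [a for a in find_all(repo, "attributes")
                  if a.get("propertyName") == prop
                  and any((e.text or "").strip() == "Group"
                          for e in find_all(a, "entityTypes"))]
        if not mapped:
            problems.append(
                f"LDAP repository '{repo.get('id')}' has no Group mapping for '{prop}'")
    return problems


# Constructed sample inputs (not taken from a real system).
SAMPLE_CUSTOM = """<properties><common merge="mergeChildren"><security><vmm-options>
<group-user-member-prop merge="replace">groupusermember</group-user-member-prop>
</vmm-options></security></common></properties>"""

SAMPLE_EXTENSION = """<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:wim="http://www.ibm.com/websphere/wim"><wim:schema>
<wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
    multiValued="true" propertyName="groupusermember">
<wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
</wim:propertySchema></wim:schema></sdo:datagraph>"""

MAPPING = """<config:attributeConfiguration>
<config:attributes name="ibm-allMembers" propertyName="groupusermember">
<config:entityTypes>Group</config:entityTypes></config:attributes>
</config:attributeConfiguration>"""


def sample_wimconfig(second_repo_body):
    """Two LDAP repositories and one file repository; ids are made up."""
    return f"""<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><config:configurationProvider>
<config:repositories xsi:type="config:LdapRepositoryType" id="ldap1">{MAPPING}</config:repositories>
<config:repositories xsi:type="config:LdapRepositoryType" id="ldap2">{second_repo_body}</config:repositories>
<config:repositories xsi:type="config:FileRepositoryType" id="file1"/>
</config:configurationProvider></sdo:datagraph>"""


if __name__ == "__main__":
    # The second LDAP repository lacks the mapping from step 3.
    for problem in check_group_member_config(
            SAMPLE_CUSTOM, SAMPLE_EXTENSION, sample_wimconfig("")):
        print(problem)
```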
JR48345
The dynamic packages for the null/empty namespace cannot be loaded in eager parsing mode

To allow null or empty namespaces with eager parsing mode, add the com.ibm.ws.bo.useNoNamespaceInEagerMode JVM custom property and set it to "true":

1. In the administrative console, for each application cluster member (Standard and Advanced) or for the stand-alone server (Express), go to the Java virtual machine custom properties page: Servers > Server Types > WebSphere application servers > server_name.
2. In the Server Infrastructure section, click Java and Process Management > Process definition > Java Virtual Machine > Custom Properties.
3. Add the com.ibm.ws.bo.useNoNamespaceInEagerMode JVM custom property and set the value to "true".
4. Save the changes and, in an ND environment, synchronize the changes to the managed nodes.
5. Restart the application cluster (Standard or Advanced) or stand-alone server (Express).
JR48395
Introduction of the capability to detect infinite loops in customer-written JavaScript activities
JR51504
JavaScript loop detection does not catch loops that spend most of the time in Java code
This new feature helps with looping JavaScript in IBM BPM.

IBM BPM monitors the number of running JavaScript instructions in each Script activity. The JavaScript runtime notifies the IBM BPM engine when the instruction counter reaches a limit that is set by the IBM BPM engine.

After the number of executed JavaScript instructions has reached the limit, the IBM BPM engine checks how long the Script activity has been running and can throw a warning or error message.
NOTES:
- Calls to Java methods or IBM BPM JavaScript API calls, such as tw.system.executeServiceByName, count as one instruction.
- JavaScript code within managed server-side files that server-side components refer to counts as multiple instructions and not as just one instruction.
- The instruction limit is set by instruction-threshold. This is an integer in units of 1000 instructions. By default, it is set to 250 (250,000 instructions).
- When the execution time is checked, a warning or error is thrown if it is greater than loop-detection-duration. This is an integer in seconds and defaults to 20.

If the "loop-detection-exception" value is set to "false", one of the following messages is written to the SystemOut.log file:

"CWLLG2261W: Infinite loop suspected after {0} seconds in ''UKNOWN'' activity. If this script is not in a loop, increase the loop-detection-duration property."
"CWLLG2263W: Infinite loop suspected after {0} seconds in ''{1}'', for BPD ''{2}'', script activity ''{3}''. If this script is not in a loop, increase the loop-detection-duration property."
"CWLLG2265W: Infinite loop suspected after {0} seconds in service ''{1}''. If this service is not in a loop, increase the loop-detection-duration property."
If the "loop-detection-exception" value is set to "true", one of the following messages is written to the SystemOut.log file and the script is terminated:

"CWLLG2262E: Infinite loop detected after {0} seconds, ''UKNOWN'' activity terminated. If this script is not in a loop, increase the loop-detection-duration property."

"CWLLG2264E: Infinite loop detected after {0} seconds in ''{1}'', for BPD ''{2}'', script activity ''{3}'' terminated. If this script is not in a loop, increase the loop-detection-duration property."
"CWLLG2266E: Infinite loop detected after {0} seconds, service ''{1}'' terminated. If this service is not in a loop, increase the loop-detection-duration property."
You can configure the JavaScript loop detection parameters in the 100Custom.xml files for Process Center and Process Server. This example shows you how to set the timeout to trigger errors and terminate the script after at least 90 seconds have passed:
<common merge="mergeChildren">
<javascript-engine>
<loop-detection-duration merge="replace">90</loop-detection-duration>
<loop-detection-exception merge="replace">true</loop-detection-exception>
<instruction-threshold merge="replace">250</instruction-threshold>
</javascript-engine>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
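For monitoring, the six messages above can be picked out of SystemOut.log and grouped by the activity or service they name. This parser is an added example, not part of the product: the log lines are constructed, and it assumes that the doubled '' in the templates is printed as a single quote (as java.text.MessageFormat does) and that the seconds value is printed without grouping separators.

```python
import re
from collections import Counter

# Common head of all six messages. IDs ending in W are warnings (the script keeps
# running); IDs ending in E are written when loop-detection-exception is "true"
# and the script was terminated.
HEAD = re.compile(
    r"(?P<msg_id>CWLLG226[1-6][WE]): Infinite loop (?:suspected|detected) "
    r"after (?P<seconds>\d+) seconds")
# CWLLG2263W / CWLLG2264E. The page does not say what the first placeholder {1}
# holds, so it is captured as "context" and not interpreted.
BPD = re.compile(
    r"in '(?P<context>[^']*)', for BPD '(?P<bpd>[^']*)', "
    r"script activity '(?P<activity>[^']*)'")
# CWLLG2265W / CWLLG2266E.
SERVICE = re.compile(r"service '(?P<service>[^']*)'")


def parse_line(line):
    """Return a dict for a loop-detection message, or None for any other line."""
    head = HEAD.search(line)
    if head is None:
        return None
    rest = line[head.end():]
    event = {
        "msg_id": head["msg_id"],
        "seconds": int(head["seconds"]),
        "terminated": head["msg_id"].endswith("E"),
        # CWLLG2261W / CWLLG2262E carry no activity name.
        "target": "unidentified activity",
    }
    bpd = BPD.search(rest)
    service = SERVICE.search(rest)
    if bpd:
        event["target"] = f"BPD {bpd['bpd']} / {bpd['activity']}"
    elif service:
        event["target"] = f"service {service['service']}"
    return event


def summarize(lines):
    """Count messages per target and list the targets whose script was terminated."""
    counts, terminated = Counter(), set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        counts[event["target"]] += 1
        if event["terminated"]:
            terminated.add(event["target"])
    return counts, sorted(terminated)


# Constructed log lines; timestamps, thread IDs, logger and object names are made up.
TAIL = " If this script is not in a loop, increase the loop-detection-duration property."
SAMPLE_LOG = [
    "[9/12/14 10:15:02:123 UTC] 0000012a Sample W CWLLG2263W: Infinite loop suspected "
    "after 20 seconds in 'HRApp', for BPD 'Onboarding', script activity 'Build report'." + TAIL,
    "[9/12/14 10:16:12:456 UTC] 0000012a Sample E CWLLG2264E: Infinite loop detected "
    "after 90 seconds in 'HRApp', for BPD 'Onboarding', script activity 'Build report' "
    "terminated." + TAIL,
    "[9/12/14 10:20:44:001 UTC] 0000013c Sample E CWLLG2266E: Infinite loop detected "
    "after 90 seconds, service 'Lookup customer' terminated. If this service is not in "
    "a loop, increase the loop-detection-duration property.",
    "[9/12/14 10:21:10:900 UTC] 0000013d Sample W CWLLG2261W: Infinite loop suspected "
    "after 20 seconds in 'UKNOWN' activity." + TAIL,
    "[9/12/14 10:22:00:000 UTC] 00000001 Sample I unrelated line",
]

if __name__ == "__main__":
    counts, terminated = summarize(SAMPLE_LOG)
    for target, n in counts.most_common():
        print(n, target, "(terminated)" if target in terminated else "")
```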
JR48484
LDAP displayname attribute is no longer retrieved for use by IBM BPM as the fullname
For IBM BPM V8.0.0.0, the attribute from which the user's full name is derived was changed from the "displayname" attribute to the LDAP "cn" attribute.

If you prefer the previous behavior, interim fix JR48484 provides a new setting to enable you to revert to deriving the user's full name from the "displayname" attribute.
To derive the user's full name from the "displayname" attribute, complete the following steps:

1. Add the following configuration change in each appropriate 100Custom.xml file:

<common merge="mergeChildren">
<security merge="mergeChildren">
<vmm-options merge="mergeChildren">
<user-full-name-prop merge="replace">displayName</user-full-name-prop>
</vmm-options>
</security>
</common>

2. Deploy the changes, restart the environment and verify the settings have been updated. For more information about making the 100Custom.xml file configuration changes, see The 99Local.xml and 100Custom.xml configuration files.

3. Synchronize your existing LDAP users, because the former full name is saved in the database and won't be updated automatically:
a. Open the Process Admin Console.
b. From Server Admin, go to User Management > User Synchronization.
c. Click Existing User Synchronize.

If the synchronize fails with the following message

"com.ibm.websphere.wim.exception.MaxResultsExceededException: CWWIM1018E"

refer to the A MaxResultsExceededException: CWWIM1018E exception occurs when upgrading to IBM Business Process Manager (BPM) V7.5.x or 8.x from WebSphere Process Server (WPS) dW Answers article.
JR48521
Need to configure the serialization datatime_millisecond_digits outside the .jar file
A JVM property, com.ibm.ws.bo.serializationDatetimeMillisecondDigits, is added to allow setting the millisecond precision for any datetime value serialization for a business object. This property sets how many millisecond digits are preserved for a datetime object and defaults to 3. To change the number of digits, you must configure the com.ibm.ws.bo.serializationDatetimeMillisecondDigits JVM custom property in the administrative console for each server:

1. Select Servers > Server Types > WebSphere application servers > server_name.
2. Under Server Infrastructure, click Java and process management > Process definition > Java virtual machine > Custom Properties and add the com.ibm.ws.bo.serializationDatetimeMillisecondDigits custom property.
3. Set the value to the number of digits you want.
4. Repeat the steps for all JVMs in the environment.
JR48507
Provide scripts and administrative tasks to manually trigger group membership refresh
While logging into Process Portal, group membership that is stored in the WebSphere Application Server's user registry is updated for the user that logs in.

If a change is detected, this change is reflected in the database and relevant participant groups. Task specific or participant group specific expressions, also known as dynamic groups, might also be affected by this change in the group membership. Therefore, all dynamic groups are updated to reflect the correct membership and authorization.

In certain scenarios, or if there are many dynamic groups in the system, logging in might take a very long time.
To avoid this performance issue, take one of the following administrative actions:

Disable the refresh of dynamic groups during login:
1. Locate the configuration file 100Custom.xml in your server or cluster environment and add this configuration option:
<server merge="mergeChildren">
<update-dynamic-groups-on-login merge="replace">false</update-dynamic-groups-on-login>
</server>
2. Synchronize all nodes so the updated configuration is applied to all servers.
3. Restart the server or cluster members to allow them to pick up the updated configuration.
4. You can verify the correct configuration by inspecting the file TeamWorksConfiguration.running.xml in your profile's config directory.

or

Run the administrative script groupMembershipFullUpdate that is provided by this interim fix to update group membership and dynamic groups by an administrator. This interim fix provides four new administrative scripts and AdminTasks for usage by wsadmin that were originally introduced in version 8.5:

groupMembershipFullUpdate [options]
Updates the user registry group membership of all users that are known to BPM. At the end of the group membership update, dynamic groups are updated once if at least one group membership update was detected.

groupMembershipUpdate [options] <userID1> <userID2> ... <userIDn>
Updates the user registry group membership of the users passed with this command. If a user ID is passed that is unknown to IBM BPM, this user is created within BPM. At the end of the group membership update, dynamic groups are updated once if at least one group membership update was detected.

usersFullSync [options]
Synchronizes all users available from the User Registry. No group membership is updated. This admin task is equivalent to the "Full Synchronize" command in the Process Admin Console.

usersSync [options] <userID1> <userID2> ... <userIDn>
Synchronizes the passed users from LDAP. No group membership is updated. This admin task is equivalent to the "Synchronize" command in the Process Admin Console.

Options:
-username <username> -password <password> -host <server host name> -port <server SOAP port number>

Usage sample on a node running a Windows version of Business Process Manager:
1. Switch to <profile>\bin and execute setupCmdLine.bat.
2. Stay in directory <profile>\bin and execute <install>\BPM\Lombardi\tools\security\groupMembershipFullUpdate.bat
For other scripts and other platforms, execute similar steps.

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR48541
Milliseconds section for date and time value lost in outbound web service integration

Update the appropriate 100Custom.xml files for Process Center or Process Server with the following content:

<common merge="mergeChildren">
....
<dateandtime-include-milliseconds merge="replace">true</dateandtime-include-milliseconds>
<dateandtime-include-milliseconds merge="replace">true</dateandtime-include-milliseconds>
....
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR48704
Delays during login to Process Portal because of large COMETD posts subscriptions

To enable both Notification and TaskList subscription, set the web-messaging-push "enabled" parameter to "true" in the appropriate 100Custom.xml file in Process Center and Process Server before you start the servers:

<server merge="mergeChildren">
<web-messaging-push merge="replace" match="name" enabled="true">
<web-messaging type="NOTIFY_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="NOTIFY_TASK_COLLABORATION_INVITE" enabled="true"/>
<web-messaging type="NOTIFY_PROCESS_COMMENT_TAGGED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_FIELD_CHANGED" enabled="true"/>
</web-messaging-push>
</server>

To disable both Notification and TaskList subscription, set the web-messaging-push "enabled" parameter to "false" in the 100Custom.xml files for Process Center and Process Server before you start the servers:

<server merge="mergeChildren">
<web-messaging-push merge="replace" match="name" enabled="false">
<web-messaging type="NOTIFY_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="NOTIFY_TASK_COLLABORATION_INVITE" enabled="true"/>
<web-messaging type="NOTIFY_PROCESS_COMMENT_TAGGED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_FIELD_CHANGED" enabled="true"/>
</web-messaging-push>
</server>

To disable only notification subscription, set the following property as indicated below in the appropriate 100Custom.xml files for Process Center and Process Server before you start the servers:

<server merge="mergeChildren">
<web-messaging-push merge="replace" match="name" enabled="true">
<web-messaging type="NOTIFY_TASK_RESOURCE_ASSIGNED" enabled="false"/>
<web-messaging type="NOTIFY_TASK_COLLABORATION_INVITE" enabled="false"/>
<web-messaging type="NOTIFY_PROCESS_COMMENT_TAGGED" enabled="false"/>
<web-messaging type="TASKLIST_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_FIELD_CHANGED" enabled="true"/>
</web-messaging-push>
</server>

To disable only Task List auto refresh subscription, set the following property as indicated below in the appropriate 100Custom.xml files for Process Center and Process Server before you start the servers:

<server merge="mergeChildren">
<web-messaging-push merge="replace" match="name" enabled="true">
<web-messaging type="NOTIFY_TASK_RESOURCE_ASSIGNED" enabled="true"/>
<web-messaging type="NOTIFY_TASK_COLLABORATION_INVITE" enabled="true"/>
<web-messaging type="NOTIFY_PROCESS_COMMENT_TAGGED" enabled="true"/>
<web-messaging type="TASKLIST_TASK_RESOURCE_ASSIGNED" enabled="false"/>
<web-messaging type="TASKLIST_TASK_FIELD_CHANGED" enabled="false"/>
</web-messaging-push>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR49045
Document List coach view (Content Management) is not switching to chosen language
This fix changes the default Enterprise Content Management (ECM) search service in the Content Management (CM) toolkit. When you work with the Document List coach view, this service is called to perform the search to populate the documents table. Usually, you copy this service from the CM toolkit into the current process application (PA) and configure it to use the ECM server required. Because of this practice, if you have an older version of the service copied into the process application, the fix won't work. To apply the fix, copy the fixed default ECM search service into the process application and configure this search service to be used by the Document List.


JR49113
Performance improvement for the collaboration feature

This fix introduces a new configuration setting that you can set in the 100Custom.xml files for Process Center and Process Server to optimize authorization checks for task actions, depending on whether coach, heritage coach, or both features are used:

<server merge="mergeChildren">
<allow-collaboration merge="replace">never</allow-collaboration>
</server>

The possible values for that property are:

checkForCoaches - default value - With this property set, IBM BPM checks the model to determine whether coaches or heritage coaches are used. This is the most reliable property but also the most expensive.

never - This value disables collaboration actions system-wide. Use this property if no coaches are used in the models to achieve better performance compared to that with the checkForCoaches property.

always - This value enables collaboration actions system-wide. Use this property if no heritage coaches are used in the models to achieve better performance compared to that with the checkForCoaches property.
JR49281
Enable capability to create ad hoc tasks for BPD instances in end states by using a custom property

The actions for creating ad hoc task instances stay as introduced by interim fix JR47117. However, you can re-enable the previous behavior by using the following custom property in the 100Custom.xml files for Process Center and Process Server:

<server merge="mergeChildren">
<enable-adhoc-tasks-in-end-states merge="replace">true</enable-adhoc-tasks-in-end-states>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR49363
Process Inspector shows a blank screen when a process has an empty due date

Enable the display of taskless business process definitions (BPDs) by modifying the 100Custom.xml in Process Center and Process Server.

<server>
<process-inspector merge="mergeChildren">
<taskless-bpd-support merge="replace">true</taskless-bpd-support>
</process-inspector>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR49413
Process Portal times out when you go to a process instance and high CPU usage occurs on the server

To change the default value of 20 seconds, before you start the servers you can change the calc-all-paths-processing-time-limit property in the Process Center or Process Server 100Custom.xml file.

<common>
<critical-path>
<!-- Limits the amount of time the system spends trying to calculate the critical path, in seconds -->
<calc-all-paths-processing-time-limit merge="replace">20</calc-all-paths-processing-time-limit>
</critical-path>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR49505
SECURITY APAR CVE-2014-0908 - Adding user attribute REST API authorization
This fix introduces a configurable allowlist of user attributes to control which user attributes are readable for all users. The configuration property name for this allowlist is public-attribute. The default allowlist is introduced in 00Static.xml and can be extended or overwritten in the 100Custom.xml files for Process Center and Process Server:

<server>
...
<user-attributes>
...
<rest-authorization>
<public-attribute merge="append">Title</public-attribute>
<public-attribute merge="append">Task Email Address</public-attribute>
<public-attribute merge="append">Image</public-attribute>
<public-attribute merge="append">Primary Role</public-attribute>
<public-attribute merge="append">Phone Number</public-attribute>
...

For information about how to change configuration properties in the 100Custom.xml file, see Changing server properties in 100Custom.xml.

With the fix applied, another configurable allowlist of user attributes is introduced to control which user attributes can be updated by each user for his or her own user profile. The configuration property name for this allowlist is self-manageable-attribute. Because there are cases in Process Portal when users would set their own email address, phone number, job title, and other settings by using REST APIs, all attributes that are shipped with the product are listed as self-manageable.

<server>
...
<user-attributes>
...
<rest-authorization>
...
<self-manageable-attribute>Title</self-manageable-attribute>
<self-manageable-attribute>Portal Notification Post Mention</self-manageable-attribute>
<self-manageable-attribute>Task Notification</self-manageable-attribute>
<self-manageable-attribute>Task Email Address</self-manageable-attribute>
<self-manageable-attribute>Calendar Type</self-manageable-attribute>
<self-manageable-attribute>Show Unfollow Messages</self-manageable-attribute>
<self-manageable-attribute>Send Connections Notification On New Task</self-manageable-attribute>
<self-manageable-attribute>Image</self-manageable-attribute>
<self-manageable-attribute>Primary Role</self-manageable-attribute>
<self-manageable-attribute>Portal Notification New Task To My Group</self-manageable-attribute>
<self-manageable-attribute>Base Text Direction</self-manageable-attribute>
<self-manageable-attribute>Portal Mention Timestamp</self-manageable-attribute>
<self-manageable-attribute>Phone Number</self-manageable-attribute>
<self-manageable-attribute>Portal Default Page</self-manageable-attribute>
<self-manageable-attribute>Locale</self-manageable-attribute>
<self-manageable-attribute>Alert On Assign And Run</self-manageable-attribute>
<self-manageable-attribute>Portal Dashboard Display Order</self-manageable-attribute>
<self-manageable-attribute>Portal Notification New Task To Me</self-manageable-attribute>
</rest-authorization>
</user-attributes>
..
If your process applications contain custom user attribute definitions, explicitly list these custom user attributes in the previous allowlists in case you want these attributes to be either public or self-manageable. For example, the following stanza in 100Custom.xml adds CustomAttribute to the list of self-manageable attributes:

<server>
<user-attributes merge="mergeChildren">
<rest-authorization merge="mergeChildren">
<self-manageable-attribute merge="append">CustomAttribute</self-manageable-attribute>
</rest-authorization>
</user-attributes>
</server>

Also, an action policy has been added that gives administrators the ability to grant full read and write access to all user attributes of all users. The name of the action policy is ACTION_MANAGE_ANY_USERATTRIBUTE.

For information about how to configure action policies, see Configuration properties for Process Portal action policies.

The default assignment is tw_admins to ensure that members of the default administrator group can manage user attributes by using a REST API.

If you configured a different group to be the bpmAdminGroup, you might want to change this default assignment to the group name configured as bpmAdminGroup. For information about setting a bpmAdminGroup, see Security configuration properties.

To revert to the previous open behavior, you can either remove all role assignments from action policy ACTION_MANAGE_ANY_USERATTRIBUTE or remove the two allowlist configuration properties by overwriting server/user-attributes/rest-authorization with no value in the 100Custom.xml file. For more information, see Security configuration properties.

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR50092
SECURITY APAR CVE-2014-3075 - Validate the file MIME type for document list based on file content

Use the following configuration template to update the 100Custom.xml files in your environment.

In this template:
- Document upload MIME types are commented out and, as a result, everything may be uploaded. You can uncomment the <document-attachment-accepted-mime-types> XML to allow only text/plain to be uploaded. You can also add other MIME types to the allowlist by following the pattern.

- The document download MIME type mapping is set to map from text/html to text/plain. You can add any new mappings to the blocklist, as required.

<server>
<!-- mime type allowlist which specifies mime types accepted for upload to document list or document attachment -->
<!--
<document-attachment-accepted-mime-types>
<allow-null-mime-type>false</allow-null-mime-type>
<mime-type>text/plain</mime-type>
<mime-type>application/octet-stream</mime-type>
</document-attachment-accepted-mime-types>
-->

<!-- mime type blocklist which specifies mappings from unacceptable mime types to acceptable mime types for -->
<!-- download from document list or document attachment -->
<document-attachment-download-mime-types>
<mime-type-map>
<from>text/html</from>
<to>text/plain</to>
</mime-type-map>
<!-- missing <to> element implies mapping to content/octet-stream -->
<!--
<mime-type-map>
<from>image/gif</from>
</mime-type-map>
-->
</document-attachment-download-mime-types>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50137
TW.SYSTEM.ORG.GETALLTEAMS() fails with a NullPointerException if a team was deleted from a toolkit snapshot

If you get a NullPointerException using the getAllTeams API, create another snapshot of your toolkit and update your process application dependency to this new version.
JR50215
SECURITY APAR CVE-2014-4758 - Ability for user to revoke starting services by using callservice.do

Edit the appropriate 100Custom.xml file in Process Center and Process Server to contain service screening. By default, callService.do can run only AJAX services. Administrators can change this restriction to allow permutations of different services that are allowed.
ATTENTION: Allowing callService.do to run multiple services introduces a possible security issue. In fact, even AJAX services could be used for an attack by an authenticated user if that user knows specifics about the service.

If the <callservice-valid-services> tag is not added to the 100Custom.xml, Process Portal uses only AJAX services. If you need to invoke callService.do to launch a service, ensure there is a <valid-service-entry> tag (inside the <callservice-valid-services> tag) that contains the type of the service you need to launch.

See the following example to run only integration services:

<properties>
<server merge="mergeChildren">
<portal merge="mergeChildren">
<callservice-valid-services>
<valid-service-entry>integration Service</valid-service-entry>
</callservice-valid-services>
</portal>
</server>
</properties>

Existing services
* All
* None
* Regular Service
* Rule Service
* Ajax Service
* Human Service
* Integration Service
* Installation Service
* General System Service
* SCA Service
* Case Manager Integration Service
* Undercover Agent Passthrough Service

By default, only AJAX services are allowed through callService.do; therefore, the string "ajax service" is used for the tag. Altogether, it would look like this example:

<properties>
<server merge="mergeChildren">
<portal merge="mergeChildren">
<callservice-valid-services>
<valid-service-entry>ajax service</valid-service-entry>
</callservice-valid-services>
</portal>
</server>
</properties>

You can use any permutation of the service ID to allow callService.do to run a specific type of service.

The following example blocks everything except for Regular Services, AJAX Services, and SCA Services:

<properties>
<server merge="mergeChildren">
<portal merge="mergeChildren">
<callservice-valid-services>
<valid-service-entry>Regular Service</valid-service-entry>
<valid-service-entry>Ajax Service</valid-service-entry>
<valid-service-entry>SCA Service</valid-service-entry>
</callservice-valid-services>
</portal>
</server>
</properties>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR48973
Instance migration is slow due to being single threaded.
JR51910
Missing business objects referenced in BPD tasks causes instance migration to fail.
This fix allows you to migrate instances by using multiple threads. Additionally, you can choose which type of tasks to migrate and whether the execution context is loaded.

By default, instance migration performs with the following configuration after the fix is installed:

<thread-pool-size> = 5
<migrate-tasks> = all
<defer-ec> = false

thread-pool-size determines how many threads are used for an instance migration within one server.

migrate-tasks can be set to one of 3 values:

"all" = Migrate all tasks for an instance
"none" = Don't migrate any tasks
"skip-closed" = Don't migrate closed tasks. Migrate the rest.

When defer-ec is set to true, the execution context of migrated tasks is not loaded. If the snapshot is missing objects required for the context to be loaded, this setting allows the snapshot to still be migrated, which helps if you accidentally removed a business object and need to migrate back to an old snapshot.
To override the default configuration, update the Process Center or Process Server 100Custom.xml files.

Example
This example sets the number of threads to 5, migrates only active tasks, and does not load the execution context.

<server>
<instance-migration>
<thread-pool-size merge="replace">5</thread-pool-size>
<migrate-tasks merge="replace">skip-closed</migrate-tasks>
<defer-ec merge="replace">true</defer-ec>
</instance-migration>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50238
Error occurs when you try to run a stored procedure
This fix corrects the database stored procedure issues that occur with LSW_HOUSE_KEEPING, LSW_ERASE_BPD_INSTANCE, LSW_ERASE_TASK and LSW_BPD_INSTANCE_DELETE. If you get a SQL constraint violation error related to LSW_USR_GRP_XREF and one of these stored procedures (LSW_HOUSE_KEEPING, LSW_ERASE_BPD_INSTANCE, LSW_ERASE_TASK, LSW_BPD_INSTANCE_DELETE) and have not previously applied the DBUpgrade for JR50238, complete the following steps to resolve the issue:

1. Update the profile's DB scripts:
a. Go to the upgrade script directory of the profile: <profile_root>/dbscripts/Upgrade/<deploymentEnvironmentName>/<databaseType>/<databaseName>.<schemaName>
where
- <profile_root> is the deployment manager profile directory for IBM BPM Standard and IBM BPM Advanced and the stand-alone profile directory for IBM BPM Express.
- <databaseName> is the name of the IBM BPM Process database.
- <schemaName> is the name of the user used to connect to the DB.

If this directory does not exist, create it now.

b. If the directory already exists, make a backup of the createProcedure_ProcessServer.sql file in this directory.
c. Copy the createProcedure_ProcessServer.sql and dropProcedure_ProcessServer.sql files from the <install_root>/BPM/dbscripts/<databaseType>/Upgrade directory to the profile directory mentioned.
d. Replace @SCHEMA@ in both copied files with the user associated with the connection to the IBM BPM Process database.

2. Upgrade the stored procedures with DBUpgrade:
a. Ensure the environment is stopped properly and then back up the IBM BPM Process database.
b. Copy <install_root>/util/migration/resources/migration.properties into a <workingDirectory>.
f. Adjust the following values in the migration.properties file according to your environment:
- bpm.home - installation root directory
- profile.name - Deployment manager profile name
- target.config.property.file - Full path to the .properties file used to create deployment environment with BPMConfig
g. In the directory <install_root>/bin, start the database upgrade by running the following command:
- On Windows: DBUpgrade.bat -propertiesFile <workingDirectory>\migration.properties -ifix JR50238
- On Linux: DBUpgrade.sh -propertiesFile <workingDirectory>/migration.properties -ifix JR50238
h. If the command fails, roll back to the backup and then troubleshoot any issues before retrying the command.

3. Verify that the output of the DBUpgrade command states "JR50238 installed successfully".
JR50299
Error deleting large app from Process Center: "Collection passed as value of GROUP_ID is too large"
This fix allows you to configure the number of entities that can be used in SQL "IN" clauses. You might receive the following error when you trigger the use of an object list larger than 100 in an SQL "IN" clause:
"Collection passed as value of <object> is too large (<size>, limit is <configured value>)"
where <object> is the type of objects in the collection, <size> is the size of the collection, and <configured value> is this configuration setting or 100 by default.

For example, the following error shows a list of 257 groups being used in an SQL query, which causes the failure:
"Collection passed as value of GROUP_ID is too large (257, limit is 100)"

To avoid the error, ensure that max-in-clause-length is set to a value larger than what is mentioned in the error or any object list size that you might use. Use the following configuration template to update the 100Custom.xml files for Process Center and Process Server:

<server merge="mergeChildren">
<max-in-clause-length merge="replace">{int value}</max-in-clause-length>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50346
Require configurable file size restriction for upload of content management documents

Use the following configuration template to update the 100Custom.xml files in your environment.

In this template the limit for uploads is set to 1MB. The configuration option specifies the maximum file upload size in bytes.

<server>
<document-attachment-max-file-size-upload merge="replace">1048576</document-attachment-max-file-size-upload>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50354
IBM BPM should not assume UTC is the time zone for dates that have no time zone information
This fix adds a property that allows you to configure a default time zone used for web services defined in Process Designer. Update the 100Custom.xml file in both Process Center and Process Server to enable the client default time zone setting:

<common merge="mergeChildren">
<webservices merge="mergeChildren">
<default-client-timezone merge="replace">GMT-08:00</default-client-timezone>
</webservices>
</common>

The GMT-08:00 is a sample for how to configure the client time zone. You can adjust that to the time zone you want.

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50481
Heritage coaches do not load correctly in Internet Explorer 10

Before you start the servers, set the following property in the 100Custom.xml files in Process Center or Process Server to enable launching coaches in a new window:

<server merge="mergeChildren">
<portal merge="mergeChildren">
<launch-in-new-window-enabled merge="replace">true</launch-in-new-window-enabled>
</portal>
</server>

NOTE: Coaches for dashboard services cannot be launched in a new window.

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50679
SLA consequences is not triggered each time a SLA is violated
A setting of "true" for this value triggers the SLA consequence for every violation. A setting of "false" triggers the SLA consequences only when the SLA moves from non-violation to violation; subsequent violations do not trigger them again. Before you start the servers, add the following parameter to the 100Custom.xml files for Process Center or Process Server, depending on which environment the fix is being installed on. If it is installed on both, apply the change to the 100Custom.xml files in both environments.

<server merge="mergeChildren">
...
<trigger-sla-consequence-every-violation merge="replace">true</trigger-sla-consequence-every-violation>
...
</server>

To disable this function, set the parameter to "false".

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR50807
JR51292
Performance improvement for "Copy to" and "Move to" of application items in Process Designer
These fixes provide recommended indexes for Process Center, which are required to avoid performance issues with "copy to" or "move to" because of query changes. To avoid performance issues for "move to" or "copy to" functions, you must update the IDX_BRANCH index on the LSW_BRANCH table to include PROJECT_ID and LAST_MODIFIED.

You can use SQL statements similar to the following statements to make the change for your database.

On distributed platforms:

DROP INDEX LSW_BRANCH.IDX_BRANCH;
COMMIT ;
CREATE INDEX IDX_BRANCH ON LSW_BRANCH (PROJECT_ID, LAST_MODIFIED);
COMMIT ;

On z/OS, you can use the SQL command but update the command based on your specific z/OS DB setting:

DROP INDEX IDX_BRANCH;
COMMIT ;
CREATE INDEX IDX_BRANCH
ON LSW_BRANCH(
"PROJECT_ID",
"LAST_MODIFIED")
USING STOGROUP P1DBSTO;
COMMIT ;
JR50951
HTTP session objects use too much memory
This fix modifies the cache so that stateful session beans for human services of user tasks in a business process definition (BPD) instance are no longer kept in the cache.

Human services that start directly from IBM Process Portal (exposed as startable) don't have an associated task and, therefore, the cache is not modified for these services.

In addition, this fix makes the cache timeout configurable. To modify the default timeout (60 minutes), edit the 100Custom.xml that is located in the <profile-root>/config/cells/<cell-name>/nodes/<node-name>/servers/<server-name>/<server-type>/config directory (where <server-type> can be either process-center or process-server).
Add the following definition to the <server> element:

<web-workflow-manager merge="mergeChildren">
<session-bean-cache-expiry-timeout merge="replace">timeout in minutes</session-bean-cache-expiry-timeout>
</web-workflow-manager>

For example, a 100Custom.xml file that sets the timeout value to 50 minutes would look like this:

<properties>
<server merge="mergeChildren">
<web-workflow-manager merge="mergeChildren">
<session-bean-cache-expiry-timeout merge="replace">50</session-bean-cache-expiry-timeout>
</web-workflow-manager>
</server>
</properties>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR51057
Email notification does not contain the name of the user task but contains the name of the service implementation instead
This fix introduces the new replacement variable “userTaskName” so that you can specify the user task's name as part of the email template.

During the email notification, the variable is replaced by the name of the user task.
To use the new replacement variable, complete the following steps:

1. In the 99Local.xml file, select the process variable in server > email > mail-template and copy it into the 100Custom.xml file in Process Server. For more information about the location of these files, see The 99Local.xml and 100Custom.xml configuration files.
2. If the process variable's value is "externalmailprocesslink_{0}.html", complete the following steps:
a. Extract the files "externalmailprocesslink_*.html" from "<install_root>/BPM/Lombardi/process-server/lib/procsrv_resources.jar".
b. Edit those files by adding "{userTaskName}" wherever appropriate. For example, replace "{actName}" with "{userTaskName}".
c. Save those files in "<install_root>/BPM/Lombardi/process-server/lib/procsrv_resources.jar".
3. If the process variable was changed, look for the file that is specified in the process variable and edit the file by following the instructions in step 2 of this procedure.
JR51325
If you are having issues loading managed assets, ensure that the classloader-resource-map-size is set properly.

For information about how to determine the proper settings based on your managed asset usage, see CONFIGURE MANAGED ASSET CACHE TO PREVENT SLOW PERFORMANCE WHEN USING IBM BPM MANAGED ASSETS. The default value might not be sufficient if you are using a lot of Java classes in your managed assets.
You can configure the classloader-resource-map-size and classloader-cache-size by adding the following lines to the 100Custom.xml files for Process Center and Process Server:

<server>
<classloader-resource-map-size merge="replace">size</classloader-resource-map-size>
<classloader-cache-size merge="replace">"new value"</classloader-cache-size>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR51409
Receive SQL error when log in or synchronize users that have long LDAP distinguished names
This fix corrects the schema issue of the PROVIDER column length being too small. If you get an SQL error related to the column length of the LDAP name for LSW_USR_XREF and have not previously applied the DBUpgrade for JR51409, complete the following steps to resolve the issue:

1. Ensure the environment is stopped properly and then back up the Process Server database.
2. Copy <install_root>/util/migration/resources/migration.properties into a <workingDirectory>.
3. Adjust the following values in the migration.properties file according to your environment:
- bpm.home - installation root directory
- profile.name - Deployment manager profile name
- target.config.property.file - Full path to the .properties file used to create deployment environment with BPMConfig
4. In the directory <install_root>/bin, start the database upgrade by running the following command:
- On Windows: DBUpgrade.bat -propertiesFile <workingDirectory>\migration.properties -ifix JR51409
- On Linux: DBUpgrade.sh -propertiesFile <workingDirectory>/migration.properties -ifix JR51409
5. Verify that the output of the DBUpgrade command states "JR51409 installed successfully".

If the command fails, roll back to the backup and then troubleshoot the issues before retrying the command.
JR51452
There is no API for creating internal groups in IBM BPM
This fix provides a new JavaScript API method that you can use to create an internal group in IBM BPM. Using the method follows this syntax:

TWRole createRole(String roleName, String roleDisplayName, String roleDescription, boolean checkAuthorization), where

- roleName: name of the role to create, cannot be null
- roleDisplayName: display name to be used for the role, if null roleName is added as display name
- roleDescription: description to be used for the role, can be null
- checkAuthorization:
--if true, authorization is enforced: only administrative users (members of the BpmAdminsSecurityGroup) are allowed to create the role
--if false, no authorization check is performed

If the role was created, a scriptable object of type TWRole is returned.
If the role could not be created, perhaps because a role with the same name exists, null is returned.
If a required authorization fails, an exception is thrown.
JR51814
Exposed items REST API does not support filtering of items other than services that snapshots refer to (extend JR51596)
This interim fix enhances the configuration property for Process Portal added in the JR51596 interim fix (prerequisite of JR51814) to use the exposed items REST API to filter out processes, reports, and scoreboards referred to in toolkits, in addition to services (for which filtering was added in JR51596) by type and service subtype to improve the performance of exposed item retrieval. Without the fix and configuration property, each exposed item in a toolkit is included in the API's result set, once for the toolkit itself plus once for each time a process application snapshot refers to the toolkit. With the fix and property, each exposed item (of a type or service subtype specified in the property) in a toolkit is included in the API's result set only once (for the toolkit itself).

Interim fix JR51596 also introduced two new parameters to the /exposed REST API call to limit the amount of data returned when the API is invoked directly:

excludeReferencedFromToolkit - Similar to the com.ibm.bpm.portal.excludeReferencedFromToolkit property for Process Portal described in step 3 below, but for direct REST API use;
specified types and service subtypes are also comma separated.
excludeProcessStartUrl - Setting this parameter to "true" disables the relatively expensive computation of the startUrl value for exposed process items.

Here is an example of using the two parameters in a REST API call:

http://localhost:9080/rest/bpm/wle/v1/exposed?excludeProcessStartUrl=tr…
To configure Process Portal to filter out items in referenced toolkits, complete the following steps:

NOTE: These steps are not required if you need to filter items only for direct REST API use.

1. In the administrative console, go to Resources > Resource Environment > Resource Environment Providers > Mashups_ConfigService > Custom properties.
2. Click New and add a new property named com.ibm.bpm.portal.excludeReferencedFromToolkit.
3. The following types and service subtypes can be specified as the value of the property, comma separated:

process - for all processes
report - for all reports
scoreboard - for all scoreboards
dashboard - for dashboard services
startable_service - for startable services
url - for URL services
administration_service - for administration services
service - for all services (overrides dashboard, startable_service, url, and administration_service subtypes)
all - all items including all services (subtypes)

4. Click OK, and then click Save.
5. Stop the entire environment, including cluster members, node agents, and the deployment manager for a network deployment environment.
JR51895
You experience a performance issue when you run a human service that has a high number of complex business object variables
When a human service goes from one coach to the next, it accesses variables. When these variables are typed by complex business objects, the human service must look up the corresponding business object definition. The lookup action takes time, especially when the business object definition is in a different context than the human service.

It is time consuming to cache every TWClass for each snapshot, considering the number of business object types being used in BPDs and services. And determining a reasonable value for the twobject-class-cache-size parameter becomes more difficult when you are working with generic data types (Any, map, or record) because their number is determined during run time.

Therefore, start with a cache-size of 5000 and vary this value during a set of performance tests.
To optimize the lookup action by enabling a cache, add the following content to the 100Custom.xml files for Process Center and Process Server:

<server merge="mergeChildren">
<twobject-class-cache-size merge="replace">{int value}</twobject-class-cache-size>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR51941
Process Federation Server does not read or index data from the Business Choreographer database

Follow the instructions in Enabling indexing of BPEL-related data on an IBM BPM server in a federated environment.

To enable the new state observer plug-in implementation, complete the following steps:

1. Open a command line and go to the <install_root>/ProcessChoreographer/admin directory.
2. Run the following command:
../../bin/wsadmin -f setStateObserver.py -enable IndexerLog -cluster <clusterName>
3. Create a database table by following the configuration instruction for the Process Federation Server indexer for BPEL.
JR52126
SECURITY APAR CVE-2015-0110 - Internal service types can be invoked
This fix causes a behavioral change by ensuring that services are started only by running an executeServiceByName URL in intended scenarios. Some previously working scenarios are now blocked by default.

With this fix installed, you can start human services that are exposed to the logged-on user and are exposed to start through a URL. For more information, see Exposing a human service.

You will not be able to start other services unless all of the following requirements are met:
- The request is processed on Process Center.
- The request was issued by Process Designer in a playback session.
- The user who issued this request is a member of the tw_authors group.
- The user who issues this request is granted Read access to the process application.
Review any failing services to ensure they are exposed as a URL and exposed to the current user.
For more information, see Exposing a human service and Configuring exposed processes and services.

If the old behavior is needed while correcting your applications, a new configuration flag is introduced. By setting the following compatibility flag to false in the 100Custom.xml files for Process Center and Process Server, you can re-enable the previous behavior:

<server merge="mergeChildren">
<web-workflow-manager merge="mergeChildren">
<enforce-correct-service-type-for-execute-service-by-name merge="replace">false</enforce-correct-service-type-for-execute-service-by-name>
</web-workflow-manager>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR52601
Cannot restrict access to information by using REST APIs
This fix enhances authorization control for REST APIs, restricting access to information about all users, groups, and teams to only concerned parties, such as IBM Business Process Manager (BPM) administrators, team managers, or users who are associated with specific work. To enable the enhanced authorization control, add the following setting to your 100Custom.xml files for Process Center and Process Server:

<server>
<portal merge="mergeChildren">
<authorization-enabled-for-org-info merge="replace">true</authorization-enabled-for-org-info>
</portal>
</server>

The enhanced authorization control enforces the following authorization rules when users access user-, group-, or team-related REST APIs:

View user information: .../user/<userIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all users
- All users for viewing data about themselves
- Users who are authorized by the following policies:
-- ACTION_REFRESH_USER policy
-- ACTION_MANAGE_ANY_USERATTRIBUTE policy

Refresh user information: .../user/<userIdOrName>?refreshUser=true, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized by the ACTION_REFRESH_USER policy

Update user attributes: .../user/{userNameOrID}?action=setPreference, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all users
- Users authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy

View users information: .../users, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View potential collaborators for a claimed task: .../users?collabTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to invite others to collaborate on a task: Task owner

View potential reassignees for a received or claimed task: .../users?assignTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to reassign the task to other users, such as
-- Task owner, if authorized by ACTION_REASSIGN_TASK_USER_ROLE policy
-- Task team managers
-- Instance owners

View group information: .../group/<groupIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers (if the specified group corresponds to a team)

View groups information: .../groups, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View team information: .../team/<teamIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers

View team information: .../participantGroup/<pgIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR52385
Last user assignment might resolve to a user who is not a member of the assigned-to team
When you specify Assign To = Lane and User Distribution = Last User, IBM BPM searches for the last activity in the lane that was completed and assigns the current activity to the user who completed the task for that activity.

However, this user might not belong to the team associated to the Lane, such as when the last activity was reassigned to a different user or when the last activity was interrupted by an attached event.

This fix checks whether the user who closed the last task in the lane belongs to the team assigned to the lane. If this is not the case, IBM BPM assigns the current task to the team associated to the lane.
For backwards compatibility, a new configuration flag is introduced. By setting the following compatibility flag to false in the 100Custom.xml file, you can re-enable the previous behavior:

<server>
<bpd-engine>
<user-distribution-last-user-enforce-team-membership merge="replace">false</user-distribution-last-user-enforce-team-membership>
</bpd-engine>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR52765
JavaScript API TWSEARCH returns only process instances that have tasks
Even if an administrator performs a process instance search within a JavaScript step, the query checks for task instance-based authorization. As a result, process instances that do not have tasks are not returned.

With this fix, instance queries that are performed with administrator authorization can return instances that do not have tasks.
You can switch off the authorization check to enable the new behavior by inserting the following elements into the properties element of the 100Custom.xml files for Process Center and Process Server:

<common merge="mergeChildren">
<search-execution merge="mergeChildren">
<javascript-administrative-search-processes-with-user-authorization merge="replace">false</javascript-administrative-search-processes-with-user-authorization>
</search-execution>
</common>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR52823
IBM Process Portal users can upload executable files to the IBM BPM server

To prevent certain file types or extensions from being uploaded as file attachments, define a new custom property in the Mashups Config service:

1. In the administrative console, for each application cluster member (Standard and Advanced) or for the stand-alone server (Express), go to Resources > Resource Environment > Resource Environment Providers > Mashups_ConfigService > Custom properties.
2. Add the property "com.ibm.bpm.portal.stream.attachments.extensions.blocklist".
3. Set the value as a comma-separated list of extensions without the dot, for example exe,scr,dll,com,bin.
4. Save the changes and, in an ND environment, synchronize the changes to the managed nodes.
5. Restart the application cluster (Standard or Advanced) or stand-alone server (Express).
JR52960
After applying JR47706, default EPV data for the target snapshot version overwrites the EPV data set in an older snapshot release
This fix introduces a new property that allows you to toggle between not persisting or persisting a default or new EPV value if a default value is specified during deployment, instance migration, or both.

By default, the property is set to false, meaning that during deployment or instance migration, the default EPV is not persisted. The latest EPV variable is whatever was updated last.
To enable the property, add the following property to the appropriate 100Custom.xml files for Process Center and Process Server:
<server>
<instance-migration merge="mergeChildren">
<epv-deploy-default merge="replace">true</epv-deploy-default>
</instance-migration>
</server>

Restart the server.

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR53209
Security APAR - CVE-2015-1904 - Missing authorization for document upload and download
This fix adds a customizable security service and a server-side configuration property to enable or disable the new behavior.

This service checks the permissions of a user. You can create it and select it by using the new External ECM Document Authorization Service service selector, which is added to the Server Settings for the added ECM servers. This service is necessary for server definitions that have "Always use this connection information" selected.
For external ECM Server definitions within your process apps and toolkits, clear the "Always use this connection information" option, which causes IBM BPM to propagate each user's context to the ECM server.

Not all ECM systems can share security context with IBM BPM. To determine whether you can use this option, see Authentication scenarios.

Create a service that checks users' authorization. Then associate this service with each ECM server definition.

1. Open the settings page for a process app or toolkit that contains an ECM server definition and go to the Servers tab.
2. Select the ECM server from the list and scroll to the bottom of the Properties on the left.
3. For the newly added External ECM Document Authorization Service property, select New to generate an empty service with the proper interface or select an existing service.
4. Define the logic that uses one or more of the input parameters to determine authorization for the action.
The service must return "true" if the user is authorized for the action and "false" if he or she is not authorized.
Your new service runs when a user creates, updates, or downloads a document from a Document List coach view.
5. Run a test to confirm the authorization logic you have developed is working as you expect.
6. Create a snapshot for your changes when you are ready to deploy them.

The interface for this service must have the following signature in the Variables tab of the new service created in step 3:

Input parameters
-documentId (ECMID)
-objectTypeId (ECMID)
-action (String) The actions available for creating, downloading, and updating external ECM documents are
"ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and "ACTION_UPDATE_DOCUMENT"
-serverName (String)

Output parameter
-authorized (Boolean)
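
One way to structure the authorization logic from step 4, as an added example that is not IBM code. It denies by default and uses the action names from the interface above; the server name, group names, policy table and the way the caller's groups are obtained are hypothetical.

```javascript
// Added example (not IBM code): decision logic for an External ECM Document
// Authorization Service, in ES5 syntax. Server name, group names and the
// policy table are constructed placeholders.
var ACTIONS = [
  "ACTION_CREATE_DOCUMENT",
  "ACTION_GET_DOCUMENT_CONTENT",
  "ACTION_UPDATE_DOCUMENT"
];

// Hypothetical policy: for each ECM server, the groups allowed per action.
var POLICY = {
  "ECM_HR": {
    ACTION_CREATE_DOCUMENT: ["hr-editors"],
    ACTION_GET_DOCUMENT_CONTENT: ["hr-readers", "hr-editors"],
    ACTION_UPDATE_DOCUMENT: ["hr-editors"]
  }
};

// input carries the four input parameters; userGroups is the caller's group
// list, however the service obtains it (assumption). Returns a strict Boolean.
function isAuthorized(input, userGroups) {
  if (!input || !Array.isArray(userGroups)) return false;
  // Fail closed on any action outside the three documented ones.
  if (ACTIONS.indexOf(input.action) === -1) return false;
  // Fail closed on an ECM server that has no policy entry.
  if (typeof input.serverName !== "string" ||
      !Object.prototype.hasOwnProperty.call(POLICY, input.serverName)) return false;
  // Assumption: download and update always name an existing document.
  if (input.action !== "ACTION_CREATE_DOCUMENT" && !input.documentId) return false;
  var allowed = POLICY[input.serverName][input.action] || [];
  return userGroups.some(function (g) { return allowed.indexOf(g) !== -1; });
}
```

The value returned by isAuthorized is what the service would assign to its authorized output parameter.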

The following error messages have been added for this function and might indicate that you did not configure this property properly:
CWTDE0001E The External ECM Document Authorization service is not defined.
CWTDE0002E The External ECM Document Authorization service cannot be resolved.
CWTDE0003E You are not authorized to perform the operation on the selected object.
CWTDE0004E The External ECM Document Authorization service did not finish successfully.

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53214
With interim fix JR51915 installed, IBM Process Portal loads slowly because the exposed REST CALL takes a long time to complete

These steps apply only to IBM BPM V8.5.0.2 servers that you are federating into a Process Federation Server. Process Federation Server was added in IBM BPM V8.5.6.

Create the change log tables by running the DB scripts available on the Process Federation Server. You can find these scripts in <liberty_home>\ibmProcessFederationServer\wlp-ext\dbscripts.

Before you start the servers, set the following property in the appropriate 100Custom.xml files for Process Center and Process Server with the domains that should have CORS support:

<server>
<rest merge="mergeChildren">
<allowed-origins merge="replace">https://portal1.ibm.com:9443,https://portal2.ibm.com:9443</allowed-origins>
</rest>
</server>

To enable federation, set the following property in the 100Custom.xml file for Process Center and Process Server:

<server>
<search-index merge="mergeChildren">
<federated-index-enabled merge="replace">true</federated-index-enabled>
</search-index>
</server>

NOTE: Only one <server> tag should be used if setting both properties.

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR53458
.xlsx, .xlsm, .docx, .pptx are still failing to upload even after applying interim fix JR50092
This fix introduces additional function to the document list coach view with a server-side configuration option that allows you to create an optional allowlist of file extensions to be specified in addition to the optional allowlist of MIME-types. Only extensions in the file extension list may be uploaded using the Document List coach view. The following example is a sample configuration of the new option, which you can configure in the 100Custom.xml file in Process Center and Process Server:

<server>
<!-- extension allowlist which specifies extensions accepted for -->
<!-- upload to document list or document attachment -->
<document-attachment-accepted-extensions>
<!-- specifies whether to allow a document with no extension for upload -->
<allow-null-extension>false</allow-null-extension>
<!-- lists the extensions allowed for upload -->
<extension>xlsx</extension>
<extension>docx</extension>
</document-attachment-accepted-extensions>
</server>

NOTE: If the allowlist of MIME-types is configured in addition to the allowlist of file extensions, documents that match either of the allowlists (MIME-types or extensions) may be uploaded.

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
JR53563
Process Inspector in Process Admin Console allows administrators to access instance data
A new configuration property is introduced that controls whether administrators can get task data:

<authorization-enabled-for-admins-to-get-set-task-data>

By default this property is not set, meaning that admins can get task data.
To disable admins from getting task data, set the property to "noadmins":

<server>
<portal merge="mergeChildren">
<authorization-enabled-for-admins-to-get-set-task-data merge="replace">noadmins</authorization-enabled-for-admins-to-get-set-task-data>
</portal>
</server>
JR53951
You receive an ILLEGALDATA exception in IBM BPM because invalid XML characters are identified during XML serialization
This fix automatically removes invalid characters in string input so that the string is XML compliant. For the fix to take effect, you must set the following configuration flag in the 100Custom.xml files for Process Center and Process Server and restart the server:

<server>
<autocorrect-xml merge="replace">true</autocorrect-xml>
</server>

For more information about the 100Custom.xml file, see The 99Local.xml and 100Custom.xml configuration files.
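
A review aid for the settings described on this page, as an added example that is not IBM code: it reads a 100Custom.xml and reports four settings whose value leaves a fix's authorization or upload check switched off. The sample file is constructed, and checking the last occurrence of a repeated setting is an assumption.

```javascript
// Added example (not IBM code): report settings in a 100Custom.xml that this
// page ties to authorization behavior. The regex handles simple leaf elements
// only; it is not a general XML parser.
function leafSettings(xml) {
  var out = {}, m;
  var body = xml.replace(/<!--[\s\S]*?-->/g, ""); // drop comments first
  var re = /<([A-Za-z][\w.-]*)(?:\s[^<>]*)?>([^<]*)<\/\1>/g;
  while ((m = re.exec(body)) !== null) {
    (out[m[1]] = out[m[1]] || []).push(m[2].trim());
  }
  return out;
}

// "unless": finding when the setting is absent or has another value.
// "when": finding only when the setting has exactly this value.
var RULES = [
  { name: "authorization-enabled-for-org-info", unless: "true",
    msg: "enhanced authorization for user, group and team REST APIs is not enabled" },
  { name: "enforce-correct-service-type-for-execute-service-by-name", when: "false",
    msg: "compatibility flag re-enables the previous behavior" },
  { name: "user-distribution-last-user-enforce-team-membership", when: "false",
    msg: "compatibility flag re-enables the previous behavior" },
  { name: "allow-null-extension", when: "true",
    msg: "documents with no extension are allowed for upload" }
];

function audit(xml) {
  var settings = leafSettings(xml);
  return RULES.filter(function (r) {
    var values = settings[r.name] || [];
    // Assumption: if a setting is repeated, the last occurrence is checked.
    var last = values.length ? values[values.length - 1] : null;
    return r.unless !== undefined ? last !== r.unless : last === r.when;
  }).map(function (r) { return r.name + ": " + r.msg; });
}

// Constructed sample file, not taken from a real server.
var SAMPLE = [
  '<properties><server merge="mergeChildren">',
  '<portal merge="mergeChildren">',
  '<authorization-enabled-for-org-info merge="replace">false</authorization-enabled-for-org-info>',
  '</portal><bpd-engine>',
  '<user-distribution-last-user-enforce-team-membership merge="replace">false</user-distribution-last-user-enforce-team-membership>',
  '</bpd-engine><document-attachment-accepted-extensions>',
  '<!-- <allow-null-extension>true</allow-null-extension> -->',
  '<allow-null-extension>false</allow-null-extension>',
  '</document-attachment-accepted-extensions>',
  '</server></properties>'
].join("\n");
```

Calling audit(SAMPLE) returns two findings: one for the REST authorization setting and one for the Last User compatibility flag.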


Product Synonym: BPM

Document Information

Modified date: 17 June 2018

UID: swg27047034