Known limitations

• Automation Decision Services
• Automation Document Processing Development
• Automation Workstream Services
• Business Automation Workflow Runtime
• Business Automation Workflow Authoring

Problem

When you are upgrading from 21.0.3-IF035, 21.0.3-IF036, 21.0.3-IF037, 21.0.3-IF038 or 21.0.3-IF039 to 24.0.0-IF004, the script shows the following message:

There is a known issue with the following patterns: ADS, ADP Development, BAA, BAW Authoring, BAW Runtime in CP4BA ${cp4a_operator_csv_version} when upgrading to CP4BA ${CP4BA_CSV_VERSION}.  Please refer to the technote https://www.ibm.com/mysupport/aCIKe000000CkmPOAS to check and perform the necessary steps before you can upgrade to CP4BA ${CP4BA_CSV_VERSION}"
"Select 'Yes' to continue with the upgrade if you have checked and confirmed that the database schema is in the correct state.  (Yes/No) (Default: No):

Where ${cp4a_operator_csv_version} is the current installed version and ${CP4BA_CSV_VERSION} is 24.0.0-IF004

Workaround

For more information, see technote.

Problem

When you run the ./cp4a-deployment.sh -m upgradeOperator -n <project_name> script, the wfps operator (ibm-cp4a-wfps-operator) upgrade fails with the following error:

constraints not satisfiable: no operators found with name ibm-cp4a-wfps-operator.v21.3.31 in channel v24.0 of package ibm-cp4a-wfps-operator in the catalog referenced by subscription ibm-cp4a-wfps-operator-v21.3-ibm-cp4a-operator-catalog-openshift-marketplace, subscription ibm-cp4a-wfps-operator-v21.3-ibm-cp4a-operator-catalog-openshift-marketplace exists.

Workaround

Delete the ibm-cp4a-wfps-operator and install the 24.0.0-IF001 wfps (ibm-cp4a-wfps-operator) operator directly.

Problem

Check the status of the ibm-iam-request operand request by running the following command.

oc get operandrequest

If you see that ibm-iam-request failed, then use the steps in the workaround to resolve the issue.

Workaround

Go to the <namespace> of the CP4BA deployment that you are upgrading.

export NAMESPACE = <namespace>
oc project $NAMESPACE

Scale down the Business Teams Service (BTS) operator to 0.

oc scale deployment ibm-bts-operator-controller-manager -n $NAMESPACE --replicas=0

Delete the Postgres batch job by running the following command.

oc delete job create-postgres-license-config -n $NAMESPACE

Delete the ODLM operand pod by running the following command.

oc delete pod -l name=operand-deployment-lifecycle-manager -n $NAMESPACE

Check that the Postgres job is restarted by running the following command.

oc get pod -l job-name=create-postgres-license-config -n $NAMESPACE

Check the status of the Cloud Pak foundational services databases by running the following command.

oc get cluster -n $NAMESPACE

Scale the Business Teams Service (BTS) operator back up to 1.

oc scale deployment ibm-bts-operator-controller-manager -n $NAMESPACE --replicas=1

Problem

The Zen PVCs can get stuck during an upgrade. You can get the status by running the following command.

oc get pvc | grep Pending
common-service-db-1                          Pending                                                                                       96m
common-service-db-1-wal                      Pending 

Workaround

Delete the EDB Postgres CR that is used by the Cloud Pak foundational services, and then restart the ODLM by running the following commands.

oc delete clusters.postgresql.k8s.enterprisedb.io common-service-db -n <cp4ba-deployment-namespace>
oc delete pod -l name=operand-deployment-lifecycle-manager -n <cp4ba-deployment-namespace>

Problem

• Sometimes, if the Business Teams Service version 3.24 or earlier is installed in several namespaces in parallel, the Business Teams Service pods do not start.
• When you run the cp4a-deployment.sh script in the upgradeOperator mode to upgrade your Cloud Pak for Business Automation from cluster-scoped to namespace-scoped, the script scales down the ibm-bts-controller-manager operator in the ibm-common-services namespace.

Workaround

• Install the latest interim fix for CP4BA 21.0.3. The Business Teams Service version must be 3.33.1 before you upgrade to 24.0.0.
• If you have multiple instances of Cloud Pak for Business Automation that are not yet upgraded to 24.0.0 on the cluster, then run the following command to manually start the ibm-bts-controller-manager in the ibm-common-services namespace after you complete the current upgrade.

  oc scale --replica=1 deployment ibm-bts-controller-manager -n ibm-common-services

Cause:

During the upgrade, sometimes the <meta-name>-pg-client-cert-secret is created by the CP4BA operator with an invalid character in the clientkey.pk8 key.

The following errors can be seen in the BTS pod logs:

Exception was raised during database initialization: 
java.sql.SQLException: Could not read SSL key file /opt/ibm/wlp/usr/shared/resources/security/db/clientkey.pk8. 
DSRA0010E: SQL State = 08006, Error Code = 0 
Caused by: java.io.EOFException: not enough content at java.base/sun.security.util.DerValue.<init>(Unknown Source) 
                                         at java.base/sun.security.util.DerValue.wrap(Unknown Source) 
                                         at java.base/sun.security.util.DerValue.wrap(Unknown Source) 
                                         at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(Unknown Source) 
                                         at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:236)... 
                                         48 more", "status": "waitingToBeUp"}, "status": "down"

Solution:

1. Log in to the OpenShift CLI as the administrator.
2. Get the secret.

   oc get secret | grep pg-client-cert-secret

3. Delete the secret.

   oc delete secret icp4adeploy-pg-client-cert-secret

4. You can wait for the operator to reconcile on its own (30-60 minutes) or force a restart by deleting the pod.

   oc get pod | grep cp4a-operator | grep -v catalog
   oc delete pod ibm-cp4a-operator-xxxxx-xxxxx

Cause:

During the installation, sometimes the <meta-name>-pg-client-cert-secret is created by the CP4BA operator with an invalid character in the clientkey.pk8 key.

The following errors can be seen in the BTS pod logs:

Exception was raised during database initialization: 
java.sql.SQLException: Could not read SSL key file /opt/ibm/wlp/usr/shared/resources/security/db/clientkey.pk8. 
DSRA0010E: SQL State = 08006, Error Code = 0 
Caused by: java.io.EOFException: not enough content at java.base/sun.security.util.DerValue.<init>(Unknown Source) 
                                         at java.base/sun.security.util.DerValue.wrap(Unknown Source) 
                                         at java.base/sun.security.util.DerValue.wrap(Unknown Source) 
                                         at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(Unknown Source) 
                                         at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:236)... 
                                         48 more", "status": "waitingToBeUp"}, "status": "down"

Solution:

1. Log in to the OpenShift CLI as the administrator.
2. Get the secret.

   oc get secret | grep pg-client-cert-secret

3. Delete the secret.

   oc delete secret icp4adeploy-pg-client-cert-secret

4. You can wait for the operator to reconcile on its own (30-60 minutes) or force a restart by deleting the pod.

   oc get pod | grep cp4a-operator | grep -v catalog
   oc delete pod ibm-cp4a-operator-xxxxx-xxxxx

error getting resource from lister for rolebindings.authorization.openshift.io, zen5-backup-rolebinding: rolebindings.authorization.openshift.io "zen5-backup-rolebinding" not found
error getting resource from lister for roles.authorization.openshift.io, zen5-backup-role: roles.authorization.openshift.io "zen5-backup-role" not found

The issue is already fixed in Cloud Pak foundational services 4.6.13, which is planned to be included in the IF006 interim fix.

• Case Management features and applications are not supported.
• Processes cannot be triggered if documents are added from the Administration Console for Content Platform Engine (ACCE). However, processes can be started when documents are added from Navigator or IBM Business Automation Workflow desktop.
• External Services for REST Services and Web Services cannot be created.
• External Workflow cannot be created.
• Automation Services are unable to consume applications published through Open API.

Problem

If the LDAP certificates are changed or expire, IM cannot refresh the certificates automatically, and can result in SSL errors in the platform-auth-service-** pod.

CWPKI0823E: SSL HANDSHAKE FAILURE: The signer might need to be added to local trust store 
[/opt/ibm/wlp/output/defaultServer/resources/security/key.jks], located in SSL configuration alias [defaultSSLConfig]. 
The extended error message from the SSL handshake exception is: [PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target].

Workaround

Manually import the new or changed LDAP certificates to IM. For more information, see Configuring LDAP over SSL.

Problem:

If you configure an IBM Security Directory Server (SDS/TDS) LDAP with a CP4BA deployment, users cannot be configured properly to have sufficient permissions for Document Processing functionality.

Impact:

If your LDAP type is IBM Security Directory Server, you cannot use Document Processing.

Action:

The issue is likely to be resolved in an upcoming interim fix, so regularly review the What's new in 24.0.0 for this update.

Problem:

When uploading a DOC or DOCX file in ADP, the warning message might appear:

javaldx: Could not find a Java™ Runtime Environment!

Warning: failed to read the path from javaldx

Impact:

This warning does not affect the function of the system or the processing of the uploaded document. Users can safely ignore this warning because it does not impact the upload or document processing workflow. The document is still processed as expected without any issues.

Action:

No additional action is required. If you experience any unexpected behavior beyond this warning, contact the support team for further assistance.

Importing a project with the overwrite option in Document Processing Designer only supports importing projects from the previous version.

When you import a project with the merge option, the current project is merged with the project from the exported archive file. Only non-conflicting document types are imported into the project, and if there are conflicting document types, they are skipped during import. If you need to import a document type that is in conflict, you must first delete that document type from the project before you import the archive file.

After you import a project, it is recommended to retrain both classification and extraction models to avoid issues with the change of document classes in the merged project, and make sure that the models are trained and build with the latest features.

Workaround

You must view the batch contents, remove the failed documents, and upload these documents again.

In some situations, the documents continue to be processed by the server and might transition out of the Uploading Error status. When a batch has the Uploading Error status, but none of the documents are in error, you can recover the batch by either adding or removing a document in the batch. The batch status is updated and processing can resume.

You reach the Verify client user interface in different ways, depending on your application. For example, for the single document application, you tab into the content list on the start page, select a document from the list by pressing the Tab or Arrow keys, and then you tab to the context icon (the 3 ...), select the icon by pressing the space bar or the Enter key, and finally press the Arrow keys to select Review document.

When standardizing your data, you can associate a data definition with a field or a document type. These data definitions are used when deploying the project to a runtime environment. For simple fields, you can either create a data definition, or reuse an existing one. For composite fields, you are not able to reuse an existing data definition, you can only create one.

If you attempt to create a data definition with the same name as an existing one, you get a uniqueness error.

For more information, see Saving an ADP Project fails with status code 500 service error.

• Extraction of multiple addresses within a single block is not supported. You cannot define your own composite address field types because you cannot define multiple postal mail address subfields for a single address block.
• You cannot upgrade previous address field types (such as address block or US mail address) to the new Postal mail address and Address information field types. Address field types that you defined in earlier versions remain the same.

  Workaround

  If you want to use the new address functionality, you must deploy a new key class based on the new address field types (Postal mail address and Address information).

• In a FIPS-enabled deployment, you cannot upload or process Microsoft Word documents that have the .doc or .docx format.
• If you observe that the viewer hangs when a multipage Microsoft Word document is loaded to the classification or data extraction issue page, look up the log of your browser development tool console. An error message that is similar to the following one means that the connection between the viewone service and the Application Engine has expired.

  Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored. v1files x1~1> JS Thread 6 Jun 2022, 08:41:52, UTC-7 (000005615/000002156): finishLoading viewone_ajax-0.js:4856:26 java.lang.ArrayIndexOutOfBoundsException: Invalid page number -1 viewone_ajax-0.js:4856:26

  Workaround

  Refresh the page and reload the document.

• Data highlighting and Click N Key coordinates for DOC and DOCX documents might not capture highlighted text correctly when fixing data extraction issues in the runtime application.

  Workaround

  Use the keyboard to correct any values that encounter this issue.

• While data extraction from simple tables is fully supported, some limitations exist for complex tables, for example when you extract data from the summary section of tables, or if some watermarks, text, or other interfering elements exist in your documents. Complex tables are not fully supported. For the full list of supported tables, and examples of the types of tables that contain limitations, see Best practices on table extraction.

Problem

When you create an application in Business Automation Studio, an application configurator displays where you enter configuration parameters for the application.

However, after the application is created, you cannot access the same configurator. As a result, you cannot change the configuration settings the same way.

Workaround

To reconfigure your settings after the application is created:

1. In Business Automation Studio, open your application.
2. Select Application project settings from the top left drop-down list.
3. Click the Environment variables tab.
4. Edit the following environment variables where applicable:
   • evObjectStoreName (the CPE current object store)
   • evDbaProjectId (the CPE's currently deployed project ID)
   • evRootFolder (the CPE folder, only for the Document Processing template)
5. Click Finish editing to save changes. Click Preview.
6. Export and import your application to the Application Engine.

Business Performance Center

You cannot create an alert for a period KPI if it contains a group. If you want to create an alert for a period KPI, go to the Monitoring tab and remove the Group by keyword. Then, go to the Thresholds tab to create one or more alerts.

Aggregations

Because Business Performance Center uses OpenSearch as its database, approximation problems can be found with aggregations of numbers greater than 2^53 (that is, about 9 * 10^15). See the Limitations section of the Aggregations page of the OpenSearch documentation.

Fixed date time range

If, in a fixed date time range, you modify only the date or time, your changes are not saved.

Data tables

When any chart is displayed as a data table, only the first 1000 rows are shown.

Data permissions

You can set up data permissions by monitoring source or by team. If you encounter an error when you set a permission by source, try setting the same permission by team.

Chart window title

If the chart window is too small to display the full title, an ellipsis (…) replaces the end of the title. To view the full title, expand the chart window or click the Fullscreen button.

Defining a high number of fields in an OpenSearch index might lead to a so-called mappings explosion which might cause out-of-memory errors and difficult situations to recover from. The maximum number of fields in OpenSearch indices created by IBM Business Automation Insights is set to 1000. Field and object mappings, and field aliases, count towards this limit. Ensure that the various documents that are stored in OpenSearch indices do not lead to reaching this limit.

Event formats are documented in Reference for event emission.

For Operational Decision Manager, you can configure event processing to avoid the risk of mappings explosion. See Operational Decision Manager event processing walkthrough.

To avoid this issue, edit the filter in the User tasks currently waiting to be processed search. Set the state filter to accept one of the following values: TASK_CREATED, TASK_STARTED, TASK_CLAIM_CANCELLED, TASK_CLAIMED.

• Ensure that cpe is deployed in a highly available setup, with at least two replicas.
• Monitor the cpe pod and restart if issues occur.

ORA-28860: Fatal SSL error

If you deployed Business Automation Studio with the Business Automation Workflow server in the same custom resource YAML file, and you do not see process applications from Business Automation Workflow server in Business Automation Studio, restart the Business Automation Workflow server pod.

If you use the kubectl get pods command to check the pods when a pod is in the CrashLoopBackOff state, you get the following error message:

Warning Failed 3m kubelet, <IP_ADDRESS> Error: failed to start container: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \" rootfs_linux.go:58: mounting

To recover a pod, delete it in the OpenShift® console and create a new pod.

To use Application Engine with Db2® for High Availability and Disaster Recovery (HADR), you must have an alternative server available when Application Engine starts.

IBM Resource Registry can get out of sync.

After you create the Resource Registry, you must keep the replica size.

• If you update the Resource Registry admin secret to change the username or password, first delete the instance_name-dba-rr-random_value pods to cause Resource Registry to enable the updates. Alternatively, you can enable the update manually with etcd commands.
• If you update the Resource Registry configurations in the icp4acluster custom resource instance, the update might not affect the Resource Registry pod directly. It affects the newly created pods when you increase the number of replicas.

After you deploy Business Automation Studio or Application Engine, you cannot change the Business Automation Studio or Application Engine admin user.

Because of a Node.js server limitation, Application Engine trusts only root CA.

• The certificate can be self-signed, or signed by a well-known root CA.
• If you are using a depth zero self-signed certificate, it must be listed as a trusted certificate.
• If you are using a certificate that is signed by a self-signed root CA, the self-signed CA must be in the trusted list. Using a leaf certificate in the trusted list is not supported.
• If you are adding the root CA of two or more external services to the Application Engine trust list, you can't use the same common name for those root CAs.

For more information and to resolve the issue, see Content Platform Engine uneven CBR indexing workload and indexing degradation.