IBM Support

JR52438: CWTDS1100E IS LOGGED WHEN STARTING BPM SERVER BECAUSE OF USERID MISMATCH BETWEEN SERVER AND BPM DOCUMENT STORE DB

APAR status

  • Closed as program error.

Error description

  • When you start a server of your IBM Business Process Manager
    (BPM) environment, you find the following error in the
    SystemOut.log file:
    
    [4/21/15 18:43:45:501 AST] 0000008d EmbeddedECMIn E
    CWTDS1100E: An error occurred while validating or creating the
    default configuration for the IBM BPM document store.
    
    CWTDS0021E: The user registry configuration was changed in a way
    that causes the access to the IBM BPM document store to fail for
    the technical user 'tw_admin'.
    Explanation: The technical user defined in the BPM role type
    'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM'
    domain.
    Action: Revert the recent user registry configuration changes
    and follow the instructions of the 'Administering the technical
    user for the IBM BPM document store' topic in the IBM BPM
    Information Center to ensure the technical user keeps access to
    the IBM BPM document store.
    
    In some cases, the error text is slightly different, but the
    explanation and action are the same, for example:
    
    CWTDS0022E: The configuration was changed in a way that the
    technical user 'tw_admin' of the IBM BPM document store fails to
    change the object 'Domain'.
    
    In addition, you observe that the Event Manager does not start,
    so, for example, no tasks can run. When this error occurs on an
    online process server, the process server is not visible in IBM
    Process Center.
    

Local fix

  • When you change the user repository or delete users from the
    repository, make sure that at every point in time there is at
    least one user who is allowed to connect to the IBM BPM document
    store.
    
    You can use the maintainDocumentStoreAuthorization admin command
    to modify the set of users who are allowed to work with the IBM
    BPM document store. For example, use the special keyword
    #AUTHENTICATED-USERS to temporarily authorize all users who
    successfully authenticate to the IBM BPM document store by using
    the following wsadmin command:
    
    AdminTask.maintainDocumentStoreAuthorization('[-deName <DE name>
    -add #AUTHENTICATED-USERS]')
    
    When all authenticated users are allowed to access the document
    store, you can modify the user registry. Note that
    #AUTHENTICATED-USERS gives every principal that can authenticate
    the same access to the document store as the technical user, so
    treat it as a temporary measure: after you finish modifying the
    user registry configuration, use the same command to restrict
    access to one or two users again.
    

Problem summary

  • To enable communication with the IBM BPM document store, you
    define a technical user by mapping the EmbeddedECMTechnicalUser
    authorization role type to an authentication alias, which in
    turn is mapped to a user. All communication with the IBM BPM
    document store is done on behalf of this user. However,
    authorization to the IBM BPM document store is based on unique
    IDs, not on user names. Only the user with a particular unique
    ID can manage the IBM BPM document store and access its
    documents.
    
    If you change your user registry configuration, for example by
    removing the file-based repository so that you use only an LDAP
    server in federated repositories, a user with the same user ID
    and password in the LDAP cannot access the IBM BPM document
    store. Even though the user has the identical name, the unique
    ID has changed, and this change is why the document store
    considers this user to be a different user.
    
    The error can also arise when you delete the technical user from
    the file-based repository and re-create a user with the same
    name. The re-created user has a different unique ID and is,
    therefore, not authorized to communicate with the IBM BPM
    document store.
    

Problem conclusion

  • A fix is/will be available for IBM BPM that extends the
    existing admin task getDocumentStoreStatus to help you determine
    which user is allowed to access the document store. If you are
    locked out, run the admin command again with the new option
    -authorizationDetails.
    
    For example, to run the getDocumentStoreStatus command for a
    deployment environment named 'DE1' call:
    
    AdminTask.getDocumentStoreStatus([ '-deName', 'DE1',
    '-authorizationDetails'])
    
    The following examples of the admin command's output include
    instructions about how to repair the user registry and security
    configuration to unlock the IBM BPM document store connection.
    
    Example 1
    You changed the ECM technical user role mapping, but you have
    not updated the IBM BPM document store authorizations.
    
    In this case, you will see CWTDS2067E, CWTDS2070I, and
    CWTDS2071I messages:
    
    CWTDS2067E: The 'tw_admin' technical user is not authorized to
    update the 'Domain' object.
    
    CWTDS2070I: The unique ID of user
    uid=tw_admin,o=defaultWIMFileBasedRealm is
    7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
    
    CWTDS2071I:  A user or group with the unique ID
    2db3d211-af0c-4d59-a7be-e0718c584a2a and name
    uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the
    IBM BPM document store.
    
    CWTDS2070I indicates that the ECM technical user is
    'uid=tw_admin,o=defaultWIMFileBasedRealm'. CWTDS2071I indicates
    that the user who is authorized to communicate with the IBM BPM
    document store is 'uid=tw_admin_old,o=defaultWIMFileBasedRealm',
    which is a different user from the one that is configured as the
    technical user.
    
    You can solve the lockout issue by completing the following
    steps:
    
    1. Revert the EmbeddedECMTechnicalUser authorization role mapping
      to use the former admin tw_admin_old:
      In the administrative console, choose Deployment Environments
      > <Deployment Environment Name> > Business Integration
      Security, and check the EmbeddedECMTechnicalUser role. Make
      sure it is bound to an authentication alias that is mapped to
      the old user: tw_admin_old.
    
    2. Make sure the change is synchronized with all nodes.
    3. Restart the environment.
    4. Use the admin command maintainDocumentStoreAuthorization to
      authorize the new admin. For example, to add an authorization
      for user 'tw_admin' in deployment environment DE1, use the
      following admin command:
    
      AdminTask.maintainDocumentStoreAuthorization(['-deName',
      'DE1', '-add', 'tw_admin'])
    
    For more information about the
    maintainDocumentStoreAuthorization command, see
    'maintainDocumentStoreAuthorization command' at
    http://www.ibm.com/support/knowledgecenter/SSFPJS_8.5.0/com.ibm.
    wbpm.ref.doc/topics/rref_maintaindocstoreauth.html
    
    5. Change the EmbeddedECMTechnicalUser role mapping to the new
      admin (tw_admin) again and synchronize the nodes.
    6. Restart the environment.
    
    Example 2
    You removed the technical user from the user repository, but you
    did not transfer the IBM BPM document store authorizations to an
    existing user.
    
    In this case, you see CWTDS2067E, CWTDS2070I, and CWTDS2072W
    messages:
    
    CWTDS2067E: The 'tw_admin' technical user is not authorized to
    update the 'Domain' object.
    
    CWTDS2070I:  The unique ID of user
    uid=tw_admin,o=defaultWIMFileBasedRealm is
    7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.
    
    CWTDS2072W:  A user or group with unique ID
    2db3d211-af0c-4d59-a7be-e0718c584a2a has access to the IBM BPM
    document store. However, a user or group with this unique ID is
    not found in the current user repository.
    
    CWTDS2070I reports the unique name and unique ID of the ECM
    technical user. CWTDS2072W lists the unique ID of the user who
    is allowed to access the document store, but the user name for
    this ID cannot be determined because the user has been removed
    from the user repository.
    
    To resolve this problem, complete the following steps:
    
    1. Re-create the former user in the user registry and make sure
      that user has the unique ID reported in the CWTDS2072W
      message.
    2. Re-create an authentication alias for that user and add it to
      the admin group.
    3. Complete the steps in Example 1.
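    As an added example (not IBM's code and not part of this APAR),
    the following wsadmin Jython script automates the check that the
    Local fix and the Problem conclusion describe: it runs
    getDocumentStoreStatus with -authorizationDetails, extracts the
    unique IDs from the CWTDS2070I, CWTDS2071I and CWTDS2072W lines,
    and reports whether you are in the Example 1 or the Example 2
    situation, together with the maintainDocumentStoreAuthorization
    call to run next. The AdminTask calls are the ones named in the
    APAR; the deployment environment name DE1, the regular
    expressions for the message layout, and the sample output
    (assembled from the message lines quoted above) are assumptions.
    Outside wsadmin there is no AdminTask object, so the script runs
    its logic against the constructed sample instead. It is written
    to stay compatible with the Jython 2 level that wsadmin ships.

```python
import re

# Assumption (not from the APAR): the deployment environment name, as in
# the APAR's own examples. Change it for your environment.
DE_NAME = "DE1"

# Message IDs and wording are quoted from the APAR; the exact layout each
# regular expression expects is an assumption about your fix level.
RE_TECH_USER = re.compile(
    r"CWTDS2070I:\s*The unique ID of user\s+(\S+)\s+is\s+([0-9a-fA-F-]+)")
RE_AUTHORIZED = re.compile(
    r"CWTDS2071I:\s*A user or group with the unique ID\s+([0-9a-fA-F-]+)"
    r"\s+and name\s+(\S+)\s+has access")
RE_ORPHANED = re.compile(
    r"CWTDS2072W:\s*A user or group with unique ID\s+([0-9a-fA-F-]+)\s+has access")


def parse_authorization_details(output):
    """Pull the configured user (CWTDS2070I) and the trusted IDs (2071I/2072W).

    Returns {"technical": (unique name, unique ID) or None,
             "authorized": [(unique ID, unique name or None), ...]};
    a None name means CWTDS2072W: the ID is trusted but no longer resolves.
    """
    details = {"technical": None, "authorized": []}
    m = RE_TECH_USER.search(output)
    if m:
        details["technical"] = (m.group(1), m.group(2))
    for uid, name in RE_AUTHORIZED.findall(output):
        details["authorized"].append((uid, name))
    for uid in RE_ORPHANED.findall(output):
        details["authorized"].append((uid, None))
    return details


def short_name(unique_name):
    """uid=tw_admin,o=defaultWIMFileBasedRealm -> tw_admin (first RDN value)."""
    first_rdn = unique_name.split(",")[0]
    if "=" in first_rdn:
        return first_rdn.split("=", 1)[1]
    return first_rdn


def diagnose(details):
    """Return (state, advice); state is ok, mismatch, orphaned or unknown.

    The document store authorizes by unique ID, so only an ID match counts:
    a user with the same name but a different ID is still locked out.
    """
    tech, authorized = details["technical"], details["authorized"]
    if tech is None or not authorized:
        return ("unknown", "no CWTDS2070I plus CWTDS2071I/CWTDS2072W lines found")
    tech_name, tech_id = tech
    for uid, _name in authorized:
        if uid == tech_id:
            return ("ok", "technical user %s (unique ID %s) is authorized"
                    % (tech_name, tech_id))
    named = [(uid, name) for uid, name in authorized if name is not None]
    new_short = short_name(tech_name)
    if named:                     # Example 1: the trusted user still exists
        old_id, old_name = named[0]
        return ("mismatch",
                "document store trusts %s (%s) but EmbeddedECMTechnicalUser maps to "
                "%s (%s); map the role back to %s, sync nodes, restart, run "
                "AdminTask.maintainDocumentStoreAuthorization(['-deName', '%s', "
                "'-add', '%s']), then switch the role mapping to %s again"
                % (old_name, old_id, tech_name, tech_id, old_name, DE_NAME,
                   new_short, new_short))
    orphan_id = authorized[0][0]  # Example 2: trusted ID no longer in the registry
    return ("orphaned",
            "unique ID %s is authorized but no longer exists in the user registry; "
            "re-create the former technical user with that unique ID and its "
            "authentication alias, then follow the Example 1 steps" % orphan_id)


def check_in_wsadmin(de_name):
    """Inside wsadmin only: the command named in the APAR, fed to the parser."""
    output = AdminTask.getDocumentStoreStatus(
        ['-deName', de_name, '-authorizationDetails'])
    return diagnose(parse_authorization_details(output))


# Constructed samples assembled from the message lines the APAR quotes.
SAMPLE_EXAMPLE_1 = (
    "CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.\n"
    "CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm "
    "is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.\n"
    "CWTDS2071I: A user or group with the unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a "
    "and name uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the IBM BPM document store.\n")
SAMPLE_EXAMPLE_2 = (
    "CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm "
    "is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.\n"
    "CWTDS2072W: A user or group with unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a "
    "has access to the IBM BPM document store. However, a user or group with this "
    "unique ID is not found in the current user repository.\n")

if __name__ == "__main__":
    try:
        AdminTask                 # exists only inside wsadmin
        have_wsadmin = 1
    except NameError:
        have_wsadmin = 0
    if have_wsadmin:
        state, advice = check_in_wsadmin(DE_NAME)
    else:                         # offline: exercise the logic on the sample
        state, advice = diagnose(parse_authorization_details(SAMPLE_EXAMPLE_1))
    print("%s: %s" % (state, advice))
```

    Run it with wsadmin.sh -lang jython -f check_docstore_auth.py
    (assumed file name) against a profile of the fixed level. The
    decision is made purely on unique IDs, which is the point of the
    APAR: a CWTDS2071I entry whose name looks like the technical user
    but carries another ID is still reported as a mismatch.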
    
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR52438:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR52438, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

APAR Information

  • APAR number

    JR52438

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-01-29

  • Closed date

    2015-03-16

  • Last modified date

    2015-04-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R855 PSY

       UP

  • R856 PSY

       UP

Document Information

Modified date:
23 April 2015