IBM Support

JR53495: SYNCHRONIZING GROUP MEMBERSHIP BETWEEN A USER REPOSITORY AND THE IBM BPM DATABASE TAKES TOO LONG


APAR status

  • Closed as program error.

Error description

  • When you synchronize group membership between your user
    repository (for example, LDAP) and the IBM BPM database by using
    one of the administrative scripts (syncGroupMembershipForGroups
    or syncGroupMembershipForAllGroups), run time can be very long.
    

Local fix

Problem summary

  • When you run one of the administrative group membership
    synchronization scripts, IBM BPM matches the distinguished names
    (DNs) of the group members in the user repository to the DNs
    stored for users in the IBM BPM database, which relies on
    removing unexpected white spaces from the DNs as well as
    normalizing the capitalization used in them. These actions take
    time and there is no way to disable them, even if they are not
    necessary.
    

Problem conclusion

  • A fix is available for IBM BPM V8.0.1.3 that allows you to
    configure whether the actions of detecting and removing white
    spaces and normalizing capitalization in distinguished names in
    VMM/LDAP should be applied.
    
    The following new configuration properties are provided,
    allowing you to enable or disable the white space detection and
    capitalization normalization actions:
    
    normalize-whitespaces-for-distinguished-names-prop - Use this
    property if the DNs stored in VMM/LDAP show varying usage of
    white spaces in DNs referring to the same user or group, for
    example:
    
    DN for user entry:  uid=user1,ou=mycomp
    DN for group member reference: uid =user1, ou =mycomp.
    
    If you have a well-maintained VMM/LDAP that avoids variations in
    white space usage, you should set this property to false.  In
    case of known or suspected white space variations set the
    property to true. Include the setting in your 100Custom.xml
    file:
    
    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <normalize-whitespaces-for-distinguished-names-prop>
             false | true
          </normalize-whitespaces-for-distinguished-names-prop>
        </vmm-options>
      </security>
    </common>
    
    If the property is not set (which is the default), IBM BPM
    treats it as true.
    
    
    normalize-case-for-distinguished-names-prop - Use this property
    if the DNs stored in VMM/LDAP show varying usage of
    capitalization in DNs referring to the same user or group, for
    example
    
    DN for user entry:  uid=user1,ou=mycomp
    DN for group member reference: uiD=UsEr1,ou =MyComp.
    
    If you have a well-maintained VMM/LDAP that avoids variations in
    capitalization, you do not need to set this property. In case of
    known or suspected variations in capitalization, include the
    following setting in your 100Custom.xml file:
    
    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <normalize-case-for-distinguished-names-prop>
            required_value
          </normalize-case-for-distinguished-names-prop>
        </vmm-options>
      </security>
    </common>
    
    The required_value can take one of the following values: INSQL,
    INJAVA.
    
    If the property is not set (which is the default), IBM BPM
    treats it as INSQL. Note that this value does not have
    performance implications for well-maintained VMM/LDAP content.
    
    During group membership synchronization for a group, IBM BPM
    performs the following actions:
    
    - Queries the group entry for the group members in the user
      repository
    
    - Resolves the user record in the IBM BPM database for each
      group member by using the retrieved group member DN
    
    - Updates the group membership in the IBM BPM database table by
      using the retrieved user ID for each group member
    
    Some user repositories provide inconsistent variations of
    capitalization when being queried for group members versus user
    names. With the default setting of INSQL, an IBM BPM database
    with case-insensitive-security-cache set to true (which is the
    default for all database systems other than Microsoft SQL
    Server) first performs a case-sensitive search for users based
    on the response to the group members queries. For group members
    that are not found during this case-sensitive search, a second
    case-insensitive query is required. Case insensitivity is
    achieved by applying the SQL function UPPER to the user name,
    which can have a significant performance impact.
    
    As a result, the default is good for the following environments:
    
    - Environments that receive consistent data from the user
      registry (and, therefore, never require a second case
      insensitive query)
    - Environments that receive inconsistent data from the user
      registry only occasionally (and, therefore, fall back to the
      second query only in exceptional cases)
    - Environments that have the case-insensitive-security-cache
      flag set to false (which is the default for MS SQL Server)
      because the second query (that would provide the same result)
      is not necessary and is omitted anyway
    
    However, if your environment experiences frequent inconsistent
    responses from the user registry, set the value to INJAVA. This
    setting achieves case insensitivity by storing the corresponding
    distinguished name for each user in a normalized fashion,
    converting it to lower case as part of user synchronization
    performed with one of the available user synchronization scripts
    or, implicitly, when the user logs in.
    
    When performing group membership synchronization, group members
    in the IBM BPM database are searched for by transforming the
    group member name to its normalized counterpart, such as by
    converting it to lower case in Java.
    
    This configuration avoids a second database query for group
    membership synchronization by increasing the processing cost of
    user synchronization.
    
    Note that the normalization procedure requires normalized values
    to be available for user DNs in the user records in the IBM BPM
    database. Therefore, whenever the setting is switched from INSQL
    to INJAVA, the user DNs must be recomputed in the user records.
    To achieve this computation, run the syncExistingUsers
    administrative script. Conversely, whenever the setting is
    switched from INJAVA to INSQL, the user DNs must be recomputed
    in the user records to restore non-normalized DNs. The same
    action applies when the value for white space-related
    normalization is changed: the syncExistingUsers script must be
    run as well.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR53495:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR53495, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
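
The white space and capitalization variations described above can be measured on a directory export before either property is changed. The following is an added example, not IBM code: it classifies each group member DN by the weakest normalization under which it matches a user DN. The function names and the sample DNs are constructed for illustration, and the parsing is simplified (escaped commas are respected; quoted values and multi-valued RDNs are not handled).

```python
from collections import Counter

def split_unescaped(text, sep=","):
    """Split on sep, keeping backslash-escaped separators inside a value."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def strip_ws(dn):
    """Drop white space around '=' and ',' (the white space variation on the page)."""
    rdns = []
    for rdn in split_unescaped(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns)

def classify(member_dn, user_dns):
    """Name the weakest normalization under which member_dn resolves to a user."""
    steps = [("exact", lambda d: d), ("whitespace", strip_ws),
             ("case", str.lower), ("whitespace+case", lambda d: strip_ws(d).lower())]
    for label, norm in steps:
        if norm(member_dn) in {norm(u) for u in user_dns}:
            return label
    return "unresolved"

def audit(member_dns, user_dns):
    """Count group member references per class for one directory export."""
    return Counter(classify(m, user_dns) for m in member_dns)

# Constructed sample export; the DNs follow the page's own examples.
USERS = ["uid=user1,ou=mycomp", "uid=user2,ou=mycomp",
         "uid=user3,ou=mycomp", "cn=Smith\\, Ann,ou=mycomp"]
MEMBERS = ["uid=user1,ou=mycomp", "uid =user2, ou =mycomp", "uiD=UsEr3,ou=MyComp",
           "uiD=UsEr1,ou =MyComp", "cn=Smith\\, Ann, ou=mycomp", "uid=ghost,ou=mycomp"]

if __name__ == "__main__":
    for label, count in sorted(audit(MEMBERS, USERS).items()):
        print(f"{label:16} {count}")
```

Any "whitespace" or "whitespace+case" count means the white space property should stay true, and the share of "case" entries shows how often the INSQL default would fall back to its second query. "unresolved" entries match no user under either normalization and are worth reviewing as stale or orphaned group member references.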
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR53495

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-06-02

  • Closed date

    2015-11-03

  • Last modified date

    2015-11-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R801 PSY

       UP


Document Information

Modified date:
03 November 2015