IBM Support

JR52438: CWTDS1100E IS LOGGED WHEN STARTING BPM SERVER BECAUSE OF USERID MISMATCH BETWEEN SERVER AND BPM DOCUMENT STORE DB

Direct links to fixes

8.5.5.0-WS-BPM-IFJR52438
8.5.6.0-WS-BPM-IFJR52438
bpm.8560.cf1.delta.repository.1
bpm.8560.cf1.delta.repository.2
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When you start the server of your IBM Business Process Manager
(BPM) environment, you find the the following error in the
SystemOut.log file:

[4/21/15 18:43:45:501 AST] 0000008d EmbeddedECMIn E
CWTDS1100E: An error occurred while validating or creating the
default configuration for the IBM BPM document store.

CWTDS0021E: The user registry configuration was changed in a way
that causes the access to the IBM BPM document store to fail for
the technical user 'tw_admin'.
Explanation: The technical user defined in the BPM role type
'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM'
domain.
Action: Revert the recent user registry configuration changes
and follow the instructions of the 'Administering the technical
user for the IBM BPM document store' topic in the IBM BPM
Information Center to ensure the technical user keeps access to
the IBM BPM document store.

In some cases, the error text is slightly different, but the
explanation and action are the same, for example

CWTDS0022E: The configuration was changed in a way that the
technical user 'tw_admin' of the IBM BPM document store fails to
change the object 'Domain'.

In addition, you observe that the Event Manager does not start.
For example, no tasks can run. When this error occurs on a
online process server, the process server is not visible in IBM
Process Center.

Local fix

  • When you change the user repository or delete users from the
repository, make sure there is at least one user who is allowed
to connect to the IBM BPM document store at any time.

You can use the maintainDocumentStoreAuthorization admin command
to modify the set of users who are allowed to work with IBM BPM
document store. For example, use the special keyword
#AUTHENTICATED-USERS to temporarily authorize all users who
successfully authenticate to the IBM BPM document store by using
the following wsadmin command:

AdminTask.maintainDocumentStoreAuthorization('[-deName <DE name>
-add #AUTHENTICATED-USERS]')

When all authenticated users are allowed to access the document
store, you can modify the user registry. After you finish
modifying the user registry configuration, restrict access to
one or two users again.

Problem summary

  • To enable communication with the IBM BPM document store, you
define a technical user by mapping the EmbeddedECMTechnicalUser
authorization role type  to an authentication alias, which in
turn is mapped to a user. All communication with the IBM BPM
document store is done on behalf of this user. However,
authorization to the IBM BPM document store is based on unique
IDs. Only the user with a particular unique ID can manage the
IBM BPM document store and access its documents.

If you change your user registry configuration, for example by
removing the file-based repository so that you use only an LDAP
server in federated repositories, a user with the same user ID
and password in the LDAP cannot access the IBM BPM document
store. Even though the user has the identical name, the unique
ID has changed and this change is why the document store
considers this user  different.

The error can also arise when you delete the technical user from
the file-based repository and re-create the user with this name.
The re-created user has a different  unique ID and is,
therefore, not authorized to communicate with the IBM BPM
document store.

Problem conclusion

  • A fix is/will be available for IBM BPM that extends the
existing admin task getDocumentStoreStatus to help you determine
the user who is allowed to access the document store. If you are
locked out, run the admin command again with the new option:
-authorizationDetails.

For example, to run the getDocumentStoreStatus command for a
deployment environment named 'DE1' call:

AdminTask.getDocumentStoreStatus([ '-deName', 'DE1',
'-authorizationDetails'])

The following examples of the admin command's output include
instructions about how to repair the user registry and security
configuration to unlock the IBM BPM document store connection.

Example 1
You changed the ECM technical user role mapping, but you have
not updated the IBM BPM document store authorizations.

In this case, you will see CWTDS2067E, CWTDS2070I, and
CWTDS2071I messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to
update the 'Domain' object.

CWTDS2070I: The unique ID of user
uid=tw_admin,o=defaultWIMFileBasedRealm is
7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.

CWTDS2071I:  A user or group with the unique ID
2db3d211-af0c-4d59-a7be-e0718c584a2a and name
uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the
IBM BPM document store.

CWTDS2070I indicates that the ECM technical user is
?uid=tw_admin,o=defaultWIMFileBasedRealm?. CWTDS2071I indicates
that the user who is authorized to communicate with the IBM BPM
document store is 'uid=tw_admin_old,o=defaultWIMFileBasedRealm',
which is different from the user who is configured as technical
user.

You can solve the lockout issue by completing the following
steps:

1. Revert theEmbeddedECMTechnicalUser authorization role mapping
  to use the former admin tw_admin_old:
  In the administrative console, choose Deployment Environments
  > <Deployment Environment Name> > Business Integration
  Security, and check the EmbeddedECMTechnicalUser role. Make
  sure it is bound to an authentication alias that is mapped to
  the old user: tw_admin_old.

2. Make sure the change is synched with all nodes.
3. Restart the environment.
4. Use the admin script maintainDocumentStoreAuthorization to
  authorize the new admin. For example, to add a new
  authorization for user 'tw_admin' in Deployment Environment
  DE1, use the following admin
command:AdminTask.maintainDocumentStoreAuthorization(['-deName',
  'DE1', '-add', 'tw_admin'])

For more information about the
maintainDocumentStoreAuthorization command, see
?maintainDocumentStoreAuthorization command? at
http://www.ibm.com/support/knowledgecenter/SSFPJS_8.5.0/com.ibm.
wbpm.ref.doc/topics/rref_maintaindocstoreauth.html

5.  Change the role mapping to use the new admin role and synch
  nodes.
6. Restart the environment.

Example 2
You removed the technical user from the user repository, but you
did not transfer the IBM BPM document Store authorizations to an
existing user.

In this case, you see CWTDS2067E, CWTDS2070I, and CWTDS2072W
messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to
update the 'Domain' object.

CWTDS2070I:  The unique ID of user
uid=tw_admin,o=defaultWIMFileBasedRealm is
7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.

CWTDS2072W:  A user or group with unique ID
2db3d211-af0c-4d59-a7be-e0718c584a2a has access to the IBM BPM
document store. However, a user or group with this unique ID is
not found in the current user repository.

CWTDS2070I reports the unique name and unique ID of the ECM
technical user. CWTDS2072W lists the unique ID of the user who
may access the document store, but the user name for this ID
cannot be determined because  the user has been removed from the
user repository.

To resolve this problem, complete the following steps:

1. Re-create the former user in the user registry and make sure
  that user has the unique ID reported in the CWTDS2072W
  message.
2. Re-create an authentication alias for that user and add it to
  the admin group.
3. Complete the steps in Example 1.


On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR52438:

1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.

2. Select APAR or SPR, enter JR52438 , and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

Temporary fix

  • Not applicable

Comments

  • 



APAR Information




    

  • APAR number
    JR52438
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    855
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-01-29
    • 

  • Closed date
    2015-03-16
    • 

  • Last modified date
    2015-04-23
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 August 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback