JR53495: SYNCHRONIZING GROUP MEMBERSHIP BETWEEN A USER REPOSITORY AND THE IBM BPM DATABASE TAKES TOO LONG

8.0.1.3-WS-BPM-IFJR53495
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• When you synchronize group membership between your user
  repository (for example, LDAP) and the IBM BPM database by using
  one of the administrative scripts (syncGroupMembershipForGroups
  or syncGroupMembershipForAllGroups), run time can be very long.
  

Local fix

Problem summary

• When you run one of the administrative group membership
  synchronization scripts, IBM BPM matches the distinguished names
  (DNs) of the group members in the user repository to the DNs
  stored for users in the IBM BPM database, which relies on
  removing unexpected white spaces from the DNs as well as
  normalizing the capitalization used in them. These actions take
  time and there is no way to disable them, even if they are not
  necessary.
  

Problem conclusion

• A fix is available for IBM BPM V8.0.1.3. that allows you to
  configure whether the actions of detecting and removing white
  spaces and normalizing capitalization in distinguished names in
  VMM/LDAP should be applied.
  
  The following new configuration properties are provided allowing
  to you to enable or disable the white space detection and
  capitalization normalization actions:
  
  normalize-whitespaces-for-distinguished-names-prop - Use this
  property if the DNs stored in VMM/ LDAP show varying usage of
  white spaces in DNs referring to the same user or group, for
  example
  
  DN for user entry:  uid=user1,ou=mycomp
  DN for group member reference: uid =user1, ou =mycomp.
  
  If you have a well-maintained VMM/LDAP that avoids variations in
  white space usage, you should set this property to false.  In
  case of known or suspected white space variations set the
  property to true. Include the setting in your 100Custom.xml
  file:
  
  <common merge="mergeChildren">
    <security>
      <vmm-options>
        <normalize-whitespaces-for-distinguished-names-prop>
           false | true
        </normalize-whitespaces-for-distinguished-names-prop>
      </vmm-options>
    </security>
  </common>
  
  If the property is not set (which is the default), IBM BPM
  assumes that the property is associated with true.
  
  
  normalize-case-for-distinguished-names-prop - Use this property
  if the DNs stored in VMM/LDAP show varying usage of
  capitalization in DNs referring to the same user or group, for
  example
  
  DN for user entry:  uid=user1,ou=mycomp
  DN for group member reference: uiD=UsEr1,ou =MyComp.
  
  If you have a well-maintained VMMLDAP that avoids variations in
  capitalization, you do not need to set this property. In case of
  known or suspected variations in capitalization, include the
  following setting in your 100Custom.xml file:
  
  <common merge="mergeChildren">
    <security>
      <vmm-options>
        <normalize-case-for-distinguished-names-prop>
          required_value
        </normalize-case-for-distinguished-names-prop>
      </vmm-options>
    </security>
  </common>
  
   The required_value can take one of the following values: INSQL,
  INJAVA.
  
   If the property is not set (which is the default), IBM BPM
  assumes that the property is associated with INSQL. Note that
  this value does not have performance implications for a well
  maintained VMM/LDAP content.
  
  During group membership synchronization for a group IBM BPM
  performs the following actions:
  
  - Queries the group entry for the group members in the user
    repository
  
  - Resolves the user record in the IBM BPM database for each
    group member by using the retrieved group member DN
  
  - Updates the group membership in the IBM BPM database table by
    using the retrieved user ID for each group member
  
  Some user repositories provide inconsistent variations of
  capitalization when being queried for group members versus user
  names. With the default setting of INSQL, an IBM BPM database
  with case-insensitive-security-cache set to true (which is the
  default for all database systems other than Microsoft SQL
  Server) first performs a case-sensitive search for users based
  on the response to the group members queries. For group members
  that are not found during this case-sensitive search, a second
  case-insensitive query is required. Case insensitivity is
  achieved by applying the SQL function ?UPPER? to the user name,
  which can have a significant performance impact.
  
  As a result, the default is good for the following environments:
  
  - Environments that receive consistent data from the user
    registry (and, therefore, never require a second case
    insensitive query)
  - Environments that receive inconsistent data from the user
    registry only occasionally (and, therefore,  fall back to the
    second query only in exceptional cases)
  - Environments that have the case-insensitive-security-cache
    flag set to false (which is the default for MS SQL Server)
    because the second query (that would provide the same result)
    is not necessary and  omitted anyway
  
  However, if your environment experiences frequent inconsistent
  responses from the user registry, set the value to INJAVA. This
  setting achieves case insensitivity by storing the corresponding
  distinguished name for each user in a normalized fashion,
  converting it to lower case as part of user synchronization
  performed with one of the available user synchronization scripts
  or, implicitly, when the user logs in.
  
  When performing group membership synchronization, group members
  in the IBM BPM database are searched for by transforming the
  group member name to its normalized counterpart, such as by
  converting it to lower case in Java.
  
  This configuration avoids a second database query for group
  membership synchronization by increasing the processing cost of
  user synchronization.
  
  Note that the normalizaton procedure requires normalized values
  to be available for user DNs in the user records in the IBM BPM
  database so that whenever the setting is switched from INSQL to
  INJAVA the user DNs must be recomputed in the user records. To
  achieve this computation, run the syncExistingUsers
  administrative script. Conversely, whenever switching the
  setting from INJAVA to INSQL, the user DNs must be recomputed in
  the user records to restore non-normalized DNs. The same action
  applies when the value for white space-related normalization is
  changed. The syncExistingUsers script must be executed as well.
  
  On Fix Central (http://www.ibm.com/support/fixcentral), search
  for JR53495:
  
  1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
  
  2. Select APAR or SPR, enter JR53495, and click Continue.
  
  When you download fix packages, ensure that you also download
  the readme file for each fix. Review each readme file for
  additional installation instructions and information about the
  fix.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM STANDARD

• Fixed component ID

  5725C9500

Applicable component levels

• R801 PSY

     UP