Direct links to fixes
APAR status
Closed as program error.
Error description
When you synchronize group membership between your user repository (for example, LDAP) and the IBM BPM database by using one of the administrative scripts (syncGroupMembershipForGroups or syncGroupMembershipForAllGroups), run time can be very long.
Local fix
Problem summary
When you run one of the administrative group membership synchronization scripts, IBM BPM matches the distinguished names (DNs) of the group members in the user repository to the DNs stored for users in the IBM BPM database, which relies on removing unexpected white spaces from the DNs as well as normalizing the capitalization used in them. These actions take time and there is no way to disable them, even if they are not necessary.
Problem conclusion
A fix is available for IBM BPM V8.0.1.3 that allows you to configure whether the actions of detecting and removing white spaces and normalizing capitalization in distinguished names in VMM/LDAP should be applied. The following new configuration properties allow you to enable or disable the white space detection and capitalization normalization actions:

normalize-whitespaces-for-distinguished-names-prop - Use this property if the DNs stored in VMM/LDAP show varying usage of white spaces in DNs referring to the same user or group, for example:

    DN for user entry: uid=user1,ou=mycomp
    DN for group member reference: uid =user1, ou =mycomp

If you have a well-maintained VMM/LDAP that avoids variations in white space usage, you should set this property to false. In case of known or suspected white space variations, set the property to true. Include the setting in your 100Custom.xml file:

    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <normalize-whitespaces-for-distinguished-names-prop> false | true </normalize-whitespaces-for-distinguished-names-prop>
        </vmm-options>
      </security>
    </common>

If the property is not set (which is the default), IBM BPM behaves as if it were set to true.

normalize-case-for-distinguished-names-prop - Use this property if the DNs stored in VMM/LDAP show varying usage of capitalization in DNs referring to the same user or group, for example:

    DN for user entry: uid=user1,ou=mycomp
    DN for group member reference: uiD=UsEr1,ou =MyComp

If you have a well-maintained VMM/LDAP that avoids variations in capitalization, you do not need to set this property.
In case of known or suspected variations in capitalization, include the following setting in your 100Custom.xml file:

    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <normalize-case-for-distinguished-names-prop> required_value </normalize-case-for-distinguished-names-prop>
        </vmm-options>
      </security>
    </common>

The required_value can take one of the following values: INSQL, INJAVA. If the property is not set (which is the default), IBM BPM behaves as if it were set to INSQL. Note that this value does not have performance implications for well-maintained VMM/LDAP content.

During group membership synchronization for a group, IBM BPM performs the following actions:
- Queries the group entry for the group members in the user repository
- Resolves the user record in the IBM BPM database for each group member by using the retrieved group member DN
- Updates the group membership in the IBM BPM database table by using the retrieved user ID for each group member

Some user repositories provide inconsistent variations of capitalization when being queried for group members versus user names. With the default setting of INSQL, an IBM BPM database with case-insensitive-security-cache set to true (which is the default for all database systems other than Microsoft SQL Server) first performs a case-sensitive search for users based on the response to the group members queries. For group members that are not found during this case-sensitive search, a second case-insensitive query is required. Case insensitivity is achieved by applying the SQL function "UPPER" to the user name, which can have a significant performance impact.
As a result, the default is good for the following environments:
- Environments that receive consistent data from the user registry (and, therefore, never require a second case-insensitive query)
- Environments that receive inconsistent data from the user registry only occasionally (and, therefore, fall back to the second query only in exceptional cases)
- Environments that have the case-insensitive-security-cache flag set to false (which is the default for MS SQL Server) because the second query (that would provide the same result) is not necessary and omitted anyway

However, if your environment experiences frequent inconsistent responses from the user registry, set the value to INJAVA. This setting achieves case insensitivity by storing the corresponding distinguished name for each user in a normalized fashion, converting it to lower case as part of user synchronization performed with one of the available user synchronization scripts or, implicitly, when the user logs in. When performing group membership synchronization, group members in the IBM BPM database are searched for by transforming the group member name to its normalized counterpart, such as by converting it to lower case in Java. This configuration avoids a second database query for group membership synchronization by increasing the processing cost of user synchronization.

Note that the normalization procedure requires normalized values to be available for user DNs in the user records in the IBM BPM database, so whenever the setting is switched from INSQL to INJAVA, the user DNs must be recomputed in the user records. To achieve this computation, run the syncExistingUsers administrative script. Conversely, whenever switching the setting from INJAVA to INSQL, the user DNs must be recomputed in the user records to restore non-normalized DNs. The same action applies when the value for white space-related normalization is changed: the syncExistingUsers script must be executed as well.
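Before changing either property, it helps to measure how group member DNs actually differ from the stored user DNs. The following Python sketch is an added example, not IBM's code or part of the fix: it classifies each member DN by the weakest normalization under which it matches a user DN and maps the result to the two property values. The function names, the frequent_ratio cut-off for "frequent" case variations and the sample data are assumptions, and the whitespace handling covers simple DNs only (no escaped trailing spaces).

```python
import re
from collections import Counter

def strip_dn_whitespace(dn):
    """Drop whitespace around ',' and '='; spaces inside values are kept."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):      # split on unescaped commas only
        attr, _, value = rdn.partition('=')
        parts.append(attr.strip() + '=' + value.strip())
    return ','.join(parts)

def classify_member(member_dn, user_dns):
    """Name the weakest normalization under which member_dn matches a user DN."""
    ws_users = {strip_dn_whitespace(u) for u in user_dns}
    ws_member = strip_dn_whitespace(member_dn)
    if member_dn in user_dns:
        return 'exact'
    if ws_member in ws_users:
        return 'whitespace'
    if member_dn.lower() in {u.lower() for u in user_dns}:
        return 'case'
    if ws_member.lower() in {u.lower() for u in ws_users}:
        return 'whitespace+case'
    return 'unresolved'

def audit(user_dns, member_dns, frequent_ratio=0.1):
    """frequent_ratio is an assumed cut-off for 'frequent' case variations."""
    counts = Counter(classify_member(m, user_dns) for m in member_dns)
    ws = counts['whitespace'] + counts['whitespace+case']
    case = counts['case'] + counts['whitespace+case']
    frequent = bool(member_dns) and case / len(member_dns) > frequent_ratio
    return {
        'counts': dict(counts),
        'normalize-whitespaces-for-distinguished-names-prop': 'true' if ws else 'false',
        'normalize-case-for-distinguished-names-prop': 'INJAVA' if frequent else 'INSQL',
    }

# Constructed sample data; user1's DN variants reuse the examples on this page.
USERS = {'uid=user1,ou=mycomp', 'uid=user2,ou=mycomp'}
MEMBERS = ['uid=user1,ou=mycomp', 'uid =user1, ou =mycomp', 'uiD=UsEr1,ou =MyComp',
           'UID=user2,ou=mycomp', 'uid=ghost,ou=mycomp']

if __name__ == '__main__':
    print(audit(USERS, MEMBERS))
```

Members reported as unresolved match no user DN under either normalization, so they would end up without group membership in the IBM BPM database whatever the settings and need to be checked in the directory.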
On Fix Central (http://www.ibm.com/support/fixcentral), search for JR53495:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR53495, and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number: JR53495
Reported component name: BPM STANDARD
Reported component ID: 5725C9500
Reported release: 801
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2015-06-02
Closed date: 2015-11-03
Last modified date: 2015-11-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name: BPM STANDARD
Fixed component ID: 5725C9500
Applicable component levels: R801 PSY UP
Document Information
Modified date:
16 October 2021