IBM Support

Collect troubleshooting data for security problems in IBM Business Process Manager (BPM) and IBM Business Automation Workflow (BAW)

Troubleshooting


Problem

You are having a security problem with IBM Business Process Manager or IBM Business Automation Workflow. For example, you might be having problems logging into certain parts of the BPM product (Process Portal, Process Admin console, Process Center console, IBM Process Designer), or you are seeing issues with your LDAP configuration, or users are unable to view their tasks. You would like to know what documentation you must collect (MustGather) so that the IBM Support team can diagnose your problem. If you gather this documentation before contacting support, it will expedite the troubleshooting process and save you time.

Diagnosing The Problem

Collect the troubleshooting information for security problems in IBM Business Process Manager. Gathering this information before calling IBM support helps in understanding the problem and saves time when analyzing the data.


Note: If you are experiencing security issues within your Process Designer, please provide the Process Designer MustGather found here.
Note: If you are experiencing SSL or SSO issues, please provide the WebSphere Application Server MustGathers found here.
 

Setting the trace string

  1. Provide the following trace. The trace needs to be enabled on the AppTarget or Server1 JVM:
    • For federated repositories or virtual member manager (VMM) issues, provide the following trace:

      *=info:
      WLE.*=all:
      com.lombardisoftware.server.ejb.security.ParticipantGroupsCore=finest:
      com.lombardisoftware.server.core.ParticipantHelper=finest:
      WAS.clientinfopluslogging=all:
      org.springframework.jdbc.*=all:
      com.ibm.ws.wim.*=all



      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      com.ibm.ws.wim.*=all
    • For IBM Business Process Manager security issues involving task/instance authorization, provide the following trace:

      *=info:
      WLE.*=all:
      com.lombardisoftware.server.ejb.security.ParticipantGroupsCore=finest:
      com.lombardisoftware.server.core.ParticipantHelper=finest:
      WAS.clientinfopluslogging=all:
      org.springframework.jdbc.*=all:
      com.ibm.bpm.auth.*=all



      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      WLE.wle_security=all:
      com.ibm.bpm.auth.*=all

       
    • For IBM Business Process Manager or IBM Business Automation Workflow security issues involving user authentication, provide the following information:
      1. What is your user registry configuration (standalone LDAP, federated repositories, and so on)
      2. Does IBM Business Process Manager participate in corporate single sign-on SSO solutions such as IBM Security Access Manager or SiteMinder based solutions?
      3. Does the problem affect all or only some users? Is the issue intermittent?
      4. Screen shots of the issue
      5. A client side traffic capture of the error, if applicable
         
    • For IBM Business Process Manager or IBM Business Automation Workflow security issues involving security-hardening properties, provide the following trace:


      *=info:WLE.wle_security=all:com.ibm.bpm.servlet.filters.*=all
    • For general security issues, set the trace string to:


      *=info:
      WLE.*=all:
      com.lombardisoftware.server.ejb.security.ParticipantGroupsCore=finest:
      com.lombardisoftware.server.core.ParticipantHelper=finest:
      WAS.clientinfopluslogging=all:
      org.springframework.jdbc.*=all



      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      WLE.wle_security=all:
      com.ibm.bpm.auth.*=all



      Note: Enabling trace might slow down your system. This delay can lead to transaction time-outs and errors. Disable trace after collecting the requested information.
    • To set the tracing and generate a new set of logs and traces, complete the following steps for the servers or clusters that show the issue:
      1. In the Integrated Solutions Console, under Troubleshooting > Log and Trace, select the server for which you want to change the settings.
         
      2. Click Change Log Detail Levels.
         
      3. Select the configuration tab to set the tracing. This change takes effect after the next server restart and a completely new set of log files can be collected. Optionally, select the runtime tab to dynamically set the tracing.
         
      4. Enter the trace string and click OK.
         
      5. If you selected the configuration tab, stop the server.
         
      6. Archive and delete the current logs/traces/ffdc from the <profile_root>/logs directory.
         
      7. Start the server and check the trace.log file to make sure that the correct tracing is set.
         
      8. Reproduce the problem and note down the timestamp. Check the trace.log file to ensure that the time of the issue is covered in the file and gather the complete server log files and ffdc directory. If possible, avoid unrelated activity on the same server.
         
      9. Delete the trace string from the Log Detail Level for your server.


        Note: Ensure that you have set the maximum trace file size (recommendation: 20MB) and the number of historical trace files (recommendation: 30) to an appropriate value. You can find those values at Servers > Application Servers > server_name > Diagnostic Trace Service.
         
  2. Consider sending files from the profile config directory:
    profile_root/config/cells/CELL_NAME/fileregistry.xml
    profile_root/config/cells/CELL_NAME/wim/config/wimconfig.xml
    profile_root/config/cells/CELL_NAME/security.xml
    You might want to remove encoded passwords from these files before sending them to IBM support.
     
  3. Send in the TeamWorksConfiguration.running.xml file from each application server:
    profile_root/config/cells/CELL_NAME/nodes/NODE_NAME/servers/SERVER_NAME/process-center/TeamWorksConfiguration.running.xml
     
  4. For task assignment and login issues, provide the following table exports in CSV format:
    LSW_USR_XREF
    LSW_USR_GRP_XREF
    LSW_USR_GRP_MEM_XREF
    LSW_GRP_GRP_MEM_XREF
    LSW_GRP_GRP_MEM_EXPLODED_XREF

    Submit the information for the user(s) and group(s) having the issue. Provide the userName/userID of the user who is running the test or is having the issue.

    Provide the instance ID(s) and task ID(s) which are affected.
    The instance ID can be found in the Process Portal next to the name of the BPD under Process Instances. You can also use the REST API method Current State to view all the task IDs of that instance.
    The instance and task ID can also be found in the Process Inspector within the Process Designer.

    Provide the following table exports:
    select * from LSW_BPD_INSTANCE where bpd_instance_id IN (<processinstanceid>)
    and
    select * from LSW_TASK where task_id in (<taskid>)
    If the process instance IDs or task IDs are not available, or in the case where subprocesses or linked processes are used, please send in the entire table content.

    Gather the responses from the following REST API:
    <host:port>/rest/bpm/wle/v1/process/<processInstanceId>
    <host:port>/rest/bpm/wle/v1/task/<taskid>


    If you are not sure which task ID or process instance ID is failing, the following lines in the above trace taken at the time of the issue should show them:
    wle 1 com.lombardisoftware.server.api.DefaultAuthorizationAPI canViewTaskInternal canViewTaskInternal(...) taskId=<taskId>)
    and
    wle 1 com.lombardisoftware.server.api.DefaultAuthorizationAPI canViewInstance canViewInstance(...) instanceId=<processinstanceid>)

    Refer to the Related Information section at the bottom of the page for help on how to find what groups a user belongs to or how to find the members of a specific group.
     
  5. In case of communication failures, please provide a clear topology description and indicate which communication is failing, along with a diagram if available.
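
For step 2, one way to strip encoded passwords from copies of the configuration files before upload, as an added example that is not IBM's own tooling. It assumes secrets appear as attribute values that begin with a brace-delimited algorithm tag such as {xor}, and that fileregistry.xml keeps password hashes in <wim:password> elements; the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: encoded secrets are attribute values that start with an
# algorithm tag in braces, e.g. bindPassword="{xor}...".
ENCODED_ATTR = re.compile(r'(=\s*")\{[A-Za-z][\w:.-]*\}[^"]*(")')
# Assumption: fileregistry.xml carries password hashes in <wim:password> elements.
HASH_ELEM = re.compile(r'(<wim:password>)[^<]*(</wim:password>)')
PLACEHOLDER = "REDACTED"

def redact(xml_text):
    """Replace encoded or hashed secrets; returns (text, replacement_count)."""
    repl = r'\g<1>' + PLACEHOLDER + r'\g<2>'
    text, n_attr = ENCODED_ATTR.subn(repl, xml_text)
    text, n_elem = HASH_ELEM.subn(repl, text)
    return text, n_attr + n_elem

def redact_file(src, out_dir):
    """Write a redacted copy into out_dir; the original file is not modified."""
    src, out_dir = Path(src), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    text, count = redact(src.read_text(encoding="utf-8"))
    # Fail closed: refuse to write a copy that still carries an encoded value.
    if ENCODED_ATTR.search(text) or "{xor}" in text:
        raise RuntimeError(f"{src}: encoded value survived redaction")
    (out_dir / src.name).write_text(text, encoding="utf-8")
    return count

# Constructed sample, not taken from a real cell configuration.
SAMPLE = '''<config:repositories adapterClassName="LdapAdapter" id="ldap1">
  <config:ldapServers>
    <config:connections host="ldap.example.com" port="636"
        bindDN="cn=bpmbind,o=example" bindPassword="{xor}CONSTRUCTED+VALUE=="/>
  </config:ldapServers>
</config:repositories>
<wim:entities xsi:type="wim:PersonAccount">
  <wim:uid>deadmin</wim:uid>
  <wim:password>CONSTRUCTEDHASH==</wim:password>
</wim:entities>'''

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: redact.py OUT_DIR file1.xml [file2.xml ...]
        for path in sys.argv[2:]:
            print(path, redact_file(path, sys.argv[1]), "value(s) redacted")
    else:
        print(redact(SAMPLE)[0])
```

Review the redacted copies by eye before attaching them; bind DNs and host names are left in place because support needs them to follow the configuration.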
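
For step 4, an added example (not from IBM) that pulls the task and instance IDs out of the DefaultAuthorizationAPI trace lines quoted in that step and turns them into the table-export queries and REST paths the step asks for. The "[timestamp] threadId" prefix and the sample lines are constructed assumptions about the trace.log layout.

```python
import re
import sys
from collections import defaultdict

# Matches the two authorization-check lines quoted in step 4. The leading
# "[timestamp] threadId" prefix is an assumption about the trace.log layout.
AUTH_LINE = re.compile(
    r'\s*\[(?P<ts>[^\]]+)\]\s+(?P<thread>\S+)\s+.*?'
    r'DefaultAuthorizationAPI\s+(?:canViewTaskInternal|canViewInstance)\b'
    r'.*?\b(?P<kind>taskId|instanceId)=(?P<id>\d+)'
)

def collect_ids(lines):
    """Return {'taskId': {id: [timestamps]}, 'instanceId': {id: [timestamps]}}."""
    found = {"taskId": defaultdict(list), "instanceId": defaultdict(list)}
    for line in lines:
        m = AUTH_LINE.match(line)
        if m:
            found[m["kind"]][m["id"]].append(m["ts"])
    return found

def follow_up(found):
    """Build the table-export queries and REST paths requested in step 4."""
    tasks = sorted(found["taskId"], key=int)
    insts = sorted(found["instanceId"], key=int)
    out = []
    if insts:  # IDs are digits only (enforced by the regex), so joining is safe
        out.append(f"select * from LSW_BPD_INSTANCE where bpd_instance_id IN ({', '.join(insts)})")
        out += [f"/rest/bpm/wle/v1/process/{i}" for i in insts]
    if tasks:
        out.append(f"select * from LSW_TASK where task_id in ({', '.join(tasks)})")
        out += [f"/rest/bpm/wle/v1/task/{t}" for t in tasks]
    return out

# Constructed sample lines, modelled on the two patterns shown in step 4.
SAMPLE_TRACE = """\
[12/18/20 10:15:32:101 CET] 0000012a wle           1 com.lombardisoftware.server.api.DefaultAuthorizationAPI canViewTaskInternal canViewTaskInternal(...) taskId=2078)
[12/18/20 10:15:32:140 CET] 0000012a wle           1 com.lombardisoftware.server.api.DefaultAuthorizationAPI canViewInstance canViewInstance(...) instanceId=501)
[12/18/20 10:15:33:007 CET] 0000012b wle           1 com.lombardisoftware.server.api.DefaultAuthorizationAPI canViewTaskInternal canViewTaskInternal(...) taskId=2078)
[12/18/20 10:15:33:010 CET] 0000012b SomeComponent A   unrelated constructed line
"""

if __name__ == "__main__":
    # Pass a trace.log path to scan a real file; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_TRACE.splitlines()
    print("\n".join(follow_up(collect_ids(lines))))
```

The timestamps kept per ID let you confirm that the authorization checks fall inside the window in which the problem was reproduced.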
 

General diagnostic information


Collect the general troubleshooting information as described in Collect troubleshooting data for the IBM Business Process Manager products.
 

What to do next

  1. Review the log files and traces at the time of the problem to try to determine the source of the problem.
     
  2. Use IBM Support Assistant to search for known problems in the information center, forums, and technotes.
     
  3. If you cannot find related problems or cannot solve the problem, send the information you have collected to IBM by following the instructions in Exchanging Information with IBM Technical Support.
     


Product Synonym

BPM; BAW

Document Information

Modified date:
18 December 2020

UID

swg21609418