Collect troubleshooting data for security problems in IBM Business Process Manager (BPM)

Technote (troubleshooting)


Problem (Abstract)

You are having a security problem with IBM Business Process Manager. For example, you might be having problems logging into certain parts of the BPM product (Process Portal, Process Admin console, Process Center console, IBM Process Designer), or you are seeing issues with your LDAP configuration, or users are unable to view their tasks. You would like to know what documentation you must collect (MustGather) so that the IBM Business Process Manager Support team can diagnose your problem. If you gather this documentation before contacting support, it will expedite the troubleshooting process and save you time.

Diagnosing the problem

Collect the troubleshooting information for security problems in IBM Business Process Manager. Gathering this information before calling IBM support helps in understanding the problem and saves time when analyzing the data.


Note: If you are experiencing security issues within your Process Designer, please provide the Process Designer MustGather found here.
Note: If you are experiencing SSL or SSO issues, please provide the WebSphere Application Server MustGathers found here.

Setting the trace string

  1. Provide the following trace. The trace needs to be enabled on the AppTarget or Server1 JVM:
    • For federated repositories or virtual member manager (VMM) issues, provide the following trace:

      *=info:
      WLE.*=all:
      WAS.clientinfopluslogging=all:
      com.ibm.ws.wim.*=all


      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      com.ibm.ws.wim.*=all

    • For IBM Business Process Manager security issues involving task/instance authorization, provide the following trace:

      *=info:
      WLE.*=all:
      WAS.clientinfopluslogging=all


      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      WLE.wle_security=all:
      com.ibm.bpm.auth.*=all

      Provide the instance ID(s) and task ID(s) that are affected.
      The instance ID can be found in the Process Portal next to the name of the BPD under Process Instances. You can also use the REST API method Current State to view all the task IDs of that instance.
      The instance and task IDs can also be found in the Process Inspector within the Process Designer.

    • For IBM Business Process Manager security issues involving user authentication, provide the following information:
      1. What is your user registry configuration (standalone LDAP, federated repositories, and so on)?
      2. Does IBM Business Process Manager participate in corporate single sign-on (SSO) solutions such as IBM Security Access Manager or SiteMinder based solutions?
      3. Does the problem affect all or only some users? Is the issue intermittent?
      4. Screen shots of the issue
      5. A client side traffic capture of the error, if applicable

    • For general security issues, set the trace string to:


      *=info:
      WLE.*=all:
      WAS.clientinfopluslogging=all


      If there is a heavy load on the system and a lighter version of the trace is needed, you can substitute the previous trace with the following:

      *=info:
      WLE.wle_security=all:
      com.ibm.bpm.auth.*=all


      Note: Enabling trace might slow down your system. This delay can lead to transaction time-outs and errors. Disable trace after collecting the requested information.

    • To set the tracing and generate a new set of logs and traces, complete the following steps for the servers or clusters that show the issue:
      1. In the Integrated Solutions Console, under Troubleshooting > Log and Trace, select the server for which you want to change the settings.

      2. Click Change Log Detail Levels.

      3. Select the configuration tab to set the tracing. This change takes effect after the next server restart and a completely new set of log files can be collected. Optionally, select the runtime tab to dynamically set the tracing.

      4. Enter the trace string and click OK.

      5. If you selected the configuration tab, stop the server.

      6. Archive and delete the current logs/traces/ffdc from the <profile_root>/logs directory.

      7. Start the server and check the trace.log file to make sure that the correct tracing is set.

      8. Reproduce the problem and note down the timestamp. Check the trace.log file to ensure that the time of the issue is covered in the file and gather the complete server log files and ffdc directory. If possible, avoid unrelated activity on the same server.

      9. Delete the trace string from the Log Detail Level for your server.


        Note: Ensure that you have set the maximum trace file size (recommendation: 20MB) and the number of historical trace files (recommendation: 30) to an appropriate value. You can find those values at Servers > Application Servers > server_name > Diagnostic Trace Service.

  2. Consider sending files from the profile config directory:
    profile_root/config/cells/CELL_NAME/fileregistry.xml
    profile_root/config/cells/CELL_NAME/wim/config/wimconfig.xml
    profile_root/config/cells/CELL_NAME/security.xml
    You might want to remove encoded passwords from these files before sending them to IBM support.

  3. Send in the TeamWorksConfiguration.running.xml file from each application server:
    profile_root/config/cells/CELL_NAME/nodes/NODE_NAME/servers/SERVER_NAME/process-center/TeamWorksConfiguration.running.xml

  4. For task assignment and login issues, provide the following table exports in CSV format:
    LSW_USR_XREF
    LSW_USR_GRP_XREF
    LSW_USR_GRP_MEM_XREF
    LSW_GRP_GRP_MEM_XREF
    LSW_GRP_GRP_MEM_EXPLODED_XREF

    Submit the information for the user(s) and group(s) having the issue. Provide the userName/userID of the user who is running the test or having the issue.

    Refer to the Related information section at the bottom of the page for help on how to find what groups a user belongs to or how to find the members of a specific group.

  5. Provide a clear topology description and which communication is failing along with a diagram if available.
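
For step 2, one way to strip encoded passwords from copies of security.xml, wimconfig.xml and fileregistry.xml before they leave your environment. This is an added example, not IBM tooling; WebSphere's `{xor}` encoding is reversible, so encoded values should be treated as clear text. The `{tag}` prefix pattern, the secret-looking attribute name suffixes, the `<wim:password>` element and the sample XML are assumptions made for illustration.

```python
import re
import sys

PLACEHOLDER = "REDACTED"
# Any XML attribute: name, "=", quote, value, closing quote.
ATTR = re.compile(r'''([\w:.-]+)(\s*=\s*)(["'])(.*?)\3''')
# Assumption: encoded secrets carry a {tag} prefix such as {xor}.
ENCODED = re.compile(r'\{[A-Za-z0-9_]+\}')
# Assumption: attribute names ending like this hold secrets even when unencoded.
SECRET_NAME = re.compile(r'(?:password|secret|pwd)$', re.IGNORECASE)
# Assumption: stored account hashes sit in <password> / <wim:password> elements.
PASSWORD_ELEM = re.compile(
    r'(<((?:[\w.-]+:)?password)\b[^>]*>)([^<]+)(</\2>)', re.IGNORECASE)


def redact(xml_text):
    """Return (redacted_text, names_of_redacted_fields)."""
    hits = []

    def fix_attr(m):
        name, eq, quote, value = m.groups()
        if value and (ENCODED.match(value) or SECRET_NAME.search(name)):
            hits.append(name)
            return f"{name}{eq}{quote}{PLACEHOLDER}{quote}"
        return m.group(0)  # leave non-secret attributes untouched

    def fix_elem(m):
        hits.append(m.group(2))
        return f"{m.group(1)}{PLACEHOLDER}{m.group(4)}"

    out = PASSWORD_ELEM.sub(fix_elem, ATTR.sub(fix_attr, xml_text))
    return out, hits


# Constructed sample, not taken from a real cell configuration.
SAMPLE = """<security:Security useDomainQualifiedUserNames="false">
  <userRegistries xmi:type="security:LDAPUserRegistry" serverId="cn=wasadmin"
      serverPassword="{xor}CONSTRUCTED1=" bindDN="cn=bind,o=example"
      bindPassword="{xor}CONSTRUCTED2="/>
  <wim:password>Q09OU1RSVUNURUQ=</wim:password>
</security:Security>"""

if __name__ == "__main__":
    # Writes <file>.redacted next to each input; originals are not modified.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            out, hits = redact(fh.read())
        with open(path + ".redacted", "w", encoding="utf-8") as fh:
            fh.write(out)
        print(f"{path}: redacted {len(hits)} value(s): {', '.join(hits)}")
```

Run it on copies of the files and search the `.redacted` output for `{xor}` before attaching it to the support case.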

General diagnostic information


Collect the general troubleshooting information as described in Collect troubleshooting data for the IBM Business Process Manager products.

What to do next

  1. Review the log files and traces at the time of the problem to try to determine the source of the problem.

  2. Use IBM Support Assistant to search for known problems in the information center, forums, and technotes.

  3. If you cannot find related problems or cannot solve the problem, send the information you have collected to IBM by following the instructions in Exchanging Information with IBM Technical Support.

Related information

WebSphere Application Server Security MustGather
Configure LDAP filters
How do I find all groups I am a member of in BPM?
How do I find all members of a security group team or p
How do I move required internal BPM users (tw_admin adm
In IBM BPM what does the user login process look like w
A simplified Chinese translation is available

Cross reference information
Segment | Product | Component | Platform | Version | Edition
Business Integration | IBM Business Process Manager Express | Security | Linux, Windows | 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, 7.5 |
Business Integration | IBM Business Process Manager Standard | Security | AIX, Linux, Solaris, Windows | 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, 7.5 |
Business Integration | IBM BPM Advanced Pattern on Red Hat Enterprise Linux Server | Security | Linux Red Hat - xSeries | 8.0 |

Product Alias/Synonym

BPM

Document information


More support for:

IBM Business Process Manager Advanced
Security

Software version:

7.5, 7.5.1, 8.0, 8.0.1, 8.5, 8.5.5

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1609418

Modified date:

2014-12-23
