IBM Support

Post-installation tasks for IBM Business Process Manager V8.5.6 CF02 and V8.5.6 CF01

Product Readmes


Abstract

Some individual fixes in the IBM Business Process Manager (BPM) cumulative fix 2 (CF02) require additional configuration steps to complete the installation. Configure the individual fixes by searching for the APAR number and following the respective instructions.

Content

IBM Business Process Manager Standard, IBM Business Process Manager Express, and IBM Business Process Manager Advanced are referred to collectively as the IBM Business Process Manager products.


Cumulative fix 2
Interim fix (APAR) | Description | Task to enable the function
JR52765
JavaScript API TWSEARCH returns only process instances that have tasks.
Even if an administrator searches for process instances within a JavaScript step, the query checks for task instance-based authorization. As a result, process instances that do not have tasks are not returned. With this fix, you can turn off the authorization check to enable the new behavior by inserting the following elements into the properties element of the 100Custom.xml files in Process Center and Process Server:

<common>
<search-execution>
<javascript-administrative-search-processes-with-user-authorization merge="replace">false</javascript-administrative-search-processes-with-user-authorization>
</search-execution>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53056
The user is mismatched between the user information cache and the database
This fix prevents the user information mismatch between the cache and the database.

To prevent the transaction that loads the cache entry from using it, specify a period of time during which the cache entry is considered invalid and is not used if it has not been confirmed by at least one successful read from the database.

NOTE: This behavior occurs in few environments.
As a result, the specified period of time is set to 0, meaning that cache entries are always considered valid. Change this value only if you experience exceptions.
To change the value, edit the 100Custom.xml files in Process Center and Process Server to contain an entry that is similar to the following entry:

<server>
<user-info-cache-block-period merge="replace">120000</user-info-cache-block-period>
</server>

The period is specified in ms (milliseconds). The recommended period is 120000 (2 minutes).

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53243
Dashboards cannot be launched in some SSO environments
In some single sign-on configurations, an access gateway or a reverse proxy is configured in a way that the IBM BPM server does not trust certain requests routed by the access gateway or reverse proxy. As a result, the dashboard content is not routed through the single sign-on gateway and an empty dashboard is displayed instead. To successfully enable the custom dashboard allowlist, you must set the com.ibm.bpm.dashboard.allowlist property on the stand-alone server in an IBM BPM Express environment or on each application cluster member in an IBM BPM Standard or IBM BPM Advanced environment. You can use either the WebSphere administrative console or the wsadmin scripting client, as described in the following procedure:

To use the WebSphere administrative console to set the com.ibm.bpm.dashboard.allowlist property for your environment, complete the following steps:
  1. Log into the administrative console.
  2. In the tree view, expand Servers > Server Types and select WebSphere application servers. The Application servers page opens.
  3. Click your server name to open the Configuration page, then expand Java and Process management and select Process definition to open the Process definition page.
  4. Select Java Virtual Machine to open the Java Virtual Machine page and then select Custom properties to open the Custom properties page.
  5. Click New to open the New page where you will add the JVM custom property.
  6. In the Name field, type com.ibm.bpm.dashboard.allowlist.
  7. In the Value field, specify a comma-separated list of acceptable host names or domains.
  8. In the Description field, type allowlist of SSO access gateway servers or referers.
  9. Click OK and then click the Save link at the top of the page to save the changes in the administrative console.
  10. In an IBM BPM Standard or IBM BPM Advanced environment, repeat the above steps for each application cluster member.
  11. Restart the stand-alone server or the application cluster members to activate the new property.

To use the wsadmin scripting client to set the com.ibm.bpm.dashboard.allowlist property for your environment, run the following commands (where cluster_name is the cluster name in your environment):

# Iterate over every member of the application cluster and set the JVM custom property on each one
for server in AdminUtilities.convertToList(AdminConfig.showAttribute(AdminConfig.getid("/Cell:/ServerCluster:cluster_name/"), "members")):
    serverName = AdminConfig.showAttribute(server, "memberName")
    nodeName = AdminConfig.showAttribute(server, "nodeName")
    # Replace hostname.com with your comma-separated list of acceptable host names or domains
    AdminTask.setJVMSystemProperties( [ '-serverName', serverName, '-nodeName', nodeName, '-propertyName', 'com.ibm.bpm.dashboard.allowlist', '-propertyValue', 'hostname.com' ] )
    property = AdminConfig.getid("/Cell:/Node:%s/Server:%s/JavaProcessDef:/JavaVirtualMachine:/Property:com.ibm.bpm.dashboard.allowlist/" % (nodeName, serverName))
    AdminConfig.modify(property, [['description', 'allowlist of SSO access gateway servers or referers']])
# Persist the configuration change; restart the cluster members afterwards to activate it
AdminConfig.save()
JR53495
Synchronizing group membership between a user repository and the IBM BPM database takes too long
Before this fix, when you run one of the administrative group membership synchronization scripts, IBM BPM matches the distinguished names (DNs) of the group members in the user repository to the DNs stored for users in the IBM BPM database, which relies on removing unexpected white spaces from the DNs as well as normalizing the capitalization used in them. These actions take time and there is no way to disable them, even if they are not necessary.
With the fix applied, the following configuration properties are provided, allowing you to enable or disable the white space detection and capitalization normalization actions:

normalize-whitespaces-for-distinguished-names-prop
- Use this property if the DNs stored in the VMM or LDAP show varying usage of white spaces in DNs referring to the same user or group, for example
- DN for user entry: uid=user1,ou=mycomp
- DN for group member reference: uid =user1, ou =mycomp.
If you have a well-maintained VMM or LDAP that avoids variations in white space usage, set this property to "false".

In case of known or suspected white space variations, set the property to "true". Include the setting in the 100Custom.xml files in Process Center and Process Server:

<common>
<security>
<vmm-options>
<normalize-whitespaces-for-distinguished-names-prop merge="replace">false | true</normalize-whitespaces-for-distinguished-names-prop>
</vmm-options>
</security>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.

If the property is not set (which is the default), IBM BPM assumes the value "true".

normalize-case-for-distinguished-names-prop
- Use this property if the DNs stored in VMM/LDAP show varying usage of capitalization in DNs referring to the same user or group, for example
- DN for user entry: uid=user1,ou=mycomp
- DN for group member reference: uiD=UsEr1,ou=MyComp.

If you have a well-maintained VMM or LDAP that avoids variations in capitalization, you do not need to set this property.

In case of known or suspected variations in capitalization, include the following setting in the 100Custom.xml file in Process Center and Process Server:

<common>
<security>
<vmm-options>
<normalize-case-for-distinguished-names-prop merge="replace">required_value</normalize-case-for-distinguished-names-prop>
</vmm-options>
</security>
</common>

The required_value can take one of the following values: INSQL, INJAVA.

If the property is not set (which is the default), IBM BPM assumes the value "INSQL".
NOTE: This value does not have performance implications for well-maintained VMM or LDAP content.

During group membership synchronization for a group, IBM BPM performs the following actions:
-queries the group entry for the group members in the user repository
-resolves the user record in the IBM BPM database for each group member by using the retrieved group member DN
-updates the group membership in the IBM BPM database table by using the retrieved user ID for each group member

Some user repositories provide inconsistent variations of capitalization when being queried for group members versus user names. With the default setting of "INSQL", an IBM BPM database with case-insensitive-security-cache set to "true" (which is the default for all database systems other than Microsoft SQL Server) first performs a case-sensitive search for users based on the response to the group members queries.
For group members that are not found during this case-sensitive search, a second case-insensitive query is required. Case insensitivity is achieved by applying the SQL function “UPPER” to the user name, which can significantly affect performance.

As a result, choose the default setting for the following environments:
-environments that receive consistent data from the user registry (and, therefore, never require a second case insensitive query)
-environments that receive inconsistent data from the user registry only occasionally (and, therefore, fall back to the second query only in exceptional cases)
-environments that have the case-insensitive-security-cache flag set to false (which is the default for MS SQL Server) because the second query (that would provide the same result) is not necessary and omitted anyway.

However, if your environment experiences frequent inconsistent responses from the user registry, set the value to "INJAVA" to achieve case insensitivity by storing the corresponding distinguished name for each user in a normalized fashion, converting it to lower case as part of user synchronization performed with one of the available user synchronization scripts or, implicitly, when the user logs in.

When performing group membership synchronization, group members in the IBM BPM database are found by transforming the group member name to its normalized counterpart, such as by converting it to lower case in Java.

This configuration avoids the second database query during group membership synchronization at the cost of higher processing during user synchronization.

NOTE: The normalization procedure requires normalized values to be available for user DNs in the user records in the IBM BPM database, so whenever the setting is switched from "INSQL" to "INJAVA" the user DNs must be recomputed in the user records. To achieve this computation, run the syncExistingUsers administrative script. Conversely, whenever you change the setting from "INJAVA" to "INSQL", the user DNs must be recomputed in the user records to restore non-normalized DNs. The same action is required when the value for white space-related normalization is changed. Run the syncExistingUsers script as well.
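As an added illustration (not code from the IBM readme), the following Python models what the two vmm-options properties do to a DN during group membership synchronization, and why the "INJAVA" setting needs only one lookup per group member while "INSQL" may need a second, case-insensitive one. The user records, group member DNs and query counting are constructed for the demo.

```python
import re

# Split on commas that are not escaped with a backslash, so a value such as
# cn=Doe\, John survives the split into RDNs.
_RDN_SEP = re.compile(r"(?<!\\),")


def normalize_dn(dn, whitespace=True, case=True):
    """Apply the normalizations the two vmm-options properties control:
    white space around '=' and ',' removed (normalize-whitespaces-...) and/or
    the whole DN lower-cased (the INJAVA form of normalize-case-...)."""
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        attr, _, value = rdn.partition("=")
        if whitespace:
            attr, value = attr.strip(), value.strip()
        rdns.append(attr + "=" + value)
    out = ",".join(rdns)
    return out.lower() if case else out


class UserRecords:
    """Toy stand-in for the user records in the IBM BPM database (constructed).

    mode mirrors normalize-case-for-distinguished-names-prop:
    INSQL  - DNs are stored as received; a case-sensitive lookup runs first and
             a second, UPPER()-style case-insensitive query is the fallback.
    INJAVA - DNs are stored lower-cased (what syncExistingUsers recomputes), so
             a single lookup on the lower-cased member DN is enough.
    """

    def __init__(self, records, mode="INSQL", whitespace=True):
        self.mode, self.whitespace, self.queries = mode, whitespace, 0
        lower = mode == "INJAVA"
        self.rows = {normalize_dn(dn, whitespace, lower): uid for dn, uid in records}

    def resolve(self, member_dn):
        """Resolve one group member DN to a user id, counting database queries."""
        key = normalize_dn(member_dn, self.whitespace, self.mode == "INJAVA")
        self.queries += 1                      # first (case-sensitive) query
        if key in self.rows:
            return self.rows[key]
        if self.mode != "INSQL":
            return None                        # INJAVA has no fallback query
        self.queries += 1                      # second query: UPPER(dn) = UPPER(?)
        for stored, uid in self.rows.items():
            if stored.upper() == key.upper():
                return uid
        return None


def sync_group_members(member_dns, records):
    """Mimic one group synchronization: resolve every member DN to a user id."""
    return [records.resolve(dn) for dn in member_dns]


# Constructed sample data modelled on the readme's examples: the group member
# references carry stray white space and inconsistent capitalization.
USER_RECORDS = [("uid=user1,ou=mycomp", 1001), ("uid=user2,ou=mycomp", 1002)]
GROUP_MEMBERS = ["uid =user1, ou =mycomp", "uiD=UsEr2,ou=MyComp"]


def demo(mode, whitespace=True):
    """Return (resolved user ids, number of database queries) for one sync run."""
    records = UserRecords(USER_RECORDS, mode, whitespace)
    ids = sync_group_members(GROUP_MEMBERS, records)
    return ids, records.queries


if __name__ == "__main__":
    for mode in ("INSQL", "INJAVA"):
        print(mode, demo(mode))
```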
JR53563
Process Inspector in the Process Admin Console allows administrators to access instance data
A new configuration property is introduced that lets you control whether administrators can get task data:

<authorization-enabled-for-admins-to-get-set-task-data>

By default this property is not set, meaning that administrators can get task data.
To disable admins from getting task data, set the property to "noadmins" in the 100Custom.xml file of either Process Center or Process Server:

<server>
<portal>
<authorization-enabled-for-admins-to-get-set-task-data merge="replace">noadmins</authorization-enabled-for-admins-to-get-set-task-data>
</portal>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR54212
REST APIs /SYSTEM/ENV/VARIABLE and /PROCESSMODEL required admin rights
A new custom property <enforce-rest-admin-auth> has been introduced with this fix. By default, the value of this property is "false". When set to "true", only admin users have access to certain REST API calls. To enable this property, modify the 100Custom.xml file in Process Center and Process Server with the following property:

<server>
<enforce-rest-admin-auth merge="replace">true</enforce-rest-admin-auth>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR54338
You want to disable automatic tracking data for services
By default, services always create a few Performance Data Warehouse tracking records in the LSW_TASK table when they run. The service-tracking-enabled property was added so that you can disable the creation of these tracking records. Because these records do not provide much value, set this property to false. To disable automatic tracking data for services, add the following parameter to the 100Custom.xml file for the Process Center or Process Server environment:

<server>
<service-tracking-enabled merge="replace">false</service-tracking-enabled>
</server>

To return to the default behavior of the product, set the parameter to "true".

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR54416
Process Inspector starts LDAP retrieval, which causes the page to stop responding
A new configuration property is introduced to control whether LDAP users are retrieved when Process Inspector is open.

<disable-autocomplete>

By default, this property is set to "false", meaning LDAP users are retrieved and cached when Process Inspector is open.



To disable the retrieval, set the property to "true" in the 100Custom.xml file of either Process Center or Process Server:

<server>
<process-inspector>
<disable-autocomplete merge="replace">true</disable-autocomplete>
</process-inspector>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR54462
Performance regressed in IBM Process Designer with large number of favorites in the LSW_FAVORITES TABLE
In IBM Process Designer, it takes between 15 and 30 seconds to load the page when you try to debug a process or project or run a graphic user interface (coach view or human task) because IBM BPM retrieves all the favorites in the lsw_favorite table. IBM BPM searches all favorites that this user is eligible for. For each favorite, IBM BPM must expand the objects stored in the favorite table.
The following parameter, introduced in interim fix JR52126, triggers the processing that causes the slow performance when it is set to "true":

<enforce-correct-service-type-for-execute-service-by-name>

This fix provides recommended indexes for IBM Business Process Manager, which are required to avoid performance issues when retrieving a large number of favorites from the LSW_FAVORITE table: you must update the LSWC_FAV_NUQ2 index on the LSW_FAVORITE table and create the IDX7_SNAPSHOT index on the LSW_SNAPSHOT table.

The following manual steps are only required when you upgrade from IBM BPM V8.5.6 or V8.5.6 CF01. When you upgrade from a previous release, the following steps are performed during the DBUpgrade step.

You can use SQL statements similar to the following statements to make the changes for your database.

On distributed platforms:

Before running the statements, replace all of the following parameters:
-- @SCHEMA@ with the actual value used for your Process Server schema

DROP INDEX @SCHEMA@.LSW_FAVORITE.LSWC_FAV_NUQ2;
COMMIT;
CREATE INDEX @SCHEMA@.LSWC_FAV_NUQ2 ON @SCHEMA@.LSW_FAVORITE (SNAPSHOT_ID, GROUP_ID, BRANCH_ID, CACHED_PROCESS_VERSION_ID, EXPOSED_SERVICE_TYPE, TIP, ENABLED);
COMMIT;
CREATE INDEX @SCHEMA@.IDX7_SNAPSHOT ON @SCHEMA@.LSW_SNAPSHOT (SNAPSHOT_ID, IS_ACTIVE, IS_ARCHIVED);
COMMIT;

When you use IBM DB2 for z/OS:

Before running the statements, replace all of the following parameters:
-- @SCHEMA@ with the actual value used for your Process Server schema
-- @STOGRP@ with the actual value used for your DB2 storage group name

DROP INDEX @SCHEMA@.LSWC_FAV_NUQ2;
COMMIT;
CREATE INDEX @SCHEMA@.LSWC_FAV_NUQ2
ON @SCHEMA@.LSW_FAVORITE(
"SNAPSHOT_ID",
"GROUP_ID",
"BRANCH_ID",
"CACHED_PROCESS_VERSION_ID",
"EXPOSED_SERVICE_TYPE",
"TIP",
"ENABLED")
USING STOGROUP @STOGRP@;
COMMIT;
CREATE INDEX @SCHEMA@.IDX7_SNAPSHOT
ON @SCHEMA@.LSW_SNAPSHOT(
"SNAPSHOT_ID",
"IS_ACTIVE",
"IS_ARCHIVED")
USING STOGROUP @STOGRP@;
COMMIT;

Then, create the IDX7_SNAPSHOT index on the LSW_SNAPSHOT table.
JR54526
JR54731
Interim fixes that update IBM Process Portal or Coach static content require all users to manually clear the browser cache
These fixes enable an automatic purge of the browser cache when Process Portal and coach static content changes through an interim fix. Because of these fixes, you no longer need to clear your browser cache after applying Process Portal or coach interim fixes.
JR54667
The content of coach views (or custom HTML) placed inside a horizontal section does not wrap.
Before this interim fix, coach views (or custom HTML) placed inside a horizontal section were set as whitespace: nowrap, which forced the content of those coach views to not wrap.

This fix changes the setting to whitespace: normal, which is the default setting that the coach view has when running outside the horizontal section.
When the custom coach view (or custom HTML) requires the whitespace: nowrap attribute, you must explicitly set it in your implementation.
JR54753
When you debug a human service in IBM Process Designer, you see a generic message displayed for an error in the service
In IBM Process Designer, when you launch a human service in debug mode by clicking the Debug icon (bringing up the Process Inspector, with a browser window displaying the running instance of the service), if an error occurs in the service, a generic error message similar to the following is displayed:

Error
Ask the administrator to check the SystemOut.log file for more information to resolve the error. (9f5705dc-4783-4cb5-855f-875e438ce884)

The identifier in parentheses at the end can be correlated to the SystemOut.log file from the Process Center server to facilitate retrieval of the detailed error message from the log. This generic error message was introduced with the fix for APAR JR52721 (http://www.ibm.com/support/docview.wss?uid=swg1JR52721), to eliminate a security vulnerability. For application developers, however, this generic message hinders productivity. Therefore, in the debug mode scenario, the detailed error message should be displayed instead of the generic error message.
To enable the display of detailed error messages generated by custom application code instead of the generic error message, set the following property in the 100Custom.xml files in Process Center and Process Server:

<server merge="mergeChildren">
<debug merge="mergeChildren">
<display-debug-error-messages merge="replace">true</display-debug-error-messages>
</debug>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.

Notes:
  • Setting this property results in the display of detailed error messages to the end user regardless of how the application was launched (by Process Portal or by the Process Inspector in Process Designer). Therefore, configure this setting on development environments only to debug custom application code, not on production environments because doing so might enable the detailed error messages to be used to exploit security vulnerabilities.
  • A UUID value in parentheses is displayed after each error message, regardless of whether it is a detailed or generic message. You can correlate the UUID value with the SystemOut.log file on the server for additional information (including the detailed message and stack trace).

JR55154
Cannot disable user and group search (GET method) in IBM Business Space
When you are using Business Space, you can search for and discover all users and groups defined in the user registry, even if you do not have sufficient privileges to perform that action. To restrict user and group search in Business Space to only administrators, complete the following steps:
1. In the WebSphere Application Server administrative console, go to Resources > Resource Environment > Resource environment providers > Mashups_ConfigService > Custom properties.
2. Create a new String type property named com.ibm.mashups.usersearch.blocked.
3. Set the value to true. When the value of the com.ibm.mashups.usersearch.blocked property is set to true, only administrators can search users or groups in Business Space.
4. Restart the stand-alone server or network deployment environment.


Cumulative fix 1
Interim fix (APAR) | Description | Task to enable the function
JR52438
CWTDS1100E is logged when starting the IBM BPM server because of a user ID mismatch between the server and the IBM BPM document store database

This fix extends the existing admin task getDocumentStoreStatus to help you determine the user who is allowed to access the document store.

If you are locked out, run the admin command again with the new option: -authorizationDetails.

For example, to run the getDocumentStoreStatus command for a deployment environment named DE1, call:

>AdminTask.getDocumentStoreStatus([ '-deName', 'DE1', '-authorizationDetails'])

The following examples of the admin command's output include instructions about how to repair the user registry and security configuration to unlock the IBM BPM document store connection.

Example 1
---------
If you changed the ECM technical user role mapping, but you have not updated the IBM BPM document store authorizations, you see the following messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.

CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.

CWTDS2071I: A user or group with the unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a and name uid=tw_admin_old,o=defaultWIMFileBasedRealm has access to the IBM BPM document store.

CWTDS2070I indicates that the ECM technical user is uid=tw_admin,o=defaultWIMFileBasedRealm. CWTDS2071I indicates that the user who is authorized to communicate with the IBM BPM document store is uid=tw_admin_old,o=defaultWIMFileBasedRealm, which is different from the user who is configured as technical user.

To solve the lockout issue, complete the following steps:

1. Revert the EmbeddedECMTechnicalUser authorization role mapping to use the former admin tw_admin_old:
In the administrative console, choose Deployment Environments > <Deployment Environment Name> > Business Integration Security, and check the EmbeddedECMTechnicalUser role. Make sure it is bound to an authentication alias that is mapped to the old user: tw_admin_old.

2. Make sure the change is synced with all nodes.
3. Restart the environment.
4. Use the admin script maintainDocumentStoreAuthorization to authorize the new admin.
For example, to add a new authorization for the tw_admin user in DE1 deployment environment, use the following admin command:

>AdminTask.maintainDocumentStoreAuthorization(['-deName', 'DE1', '-add', 'tw_admin'])

For more information about the maintainDocumentStoreAuthorization command, see maintainDocumentStoreAuthorization command.

5. Change the role mapping to use the new admin role and synch nodes.
6. Restart the environment.

Example 2
---------
If you removed the technical user from the user repository, but you did not transfer the IBM BPM document store authorizations to an existing user, you see the following messages:

CWTDS2067E: The 'tw_admin' technical user is not authorized to update the 'Domain' object.

CWTDS2070I: The unique ID of user uid=tw_admin,o=defaultWIMFileBasedRealm is 7a3a5dd4-6aff-463c-8cd8-3fa53163bbfb.

CWTDS2072W: A user or group with unique ID 2db3d211-af0c-4d59-a7be-e0718c584a2a has access to the IBM BPM document store. However, a user or group with this unique ID is not found in the current user repository.

CWTDS2070I reports the unique name and unique ID of the ECM technical user. CWTDS2072W lists the unique ID of the user who may access the document store, but the user name for this ID cannot be determined because the user has been removed from the user repository.

To resolve this problem, complete the following steps:

1. Re-create the former user in the user registry and make sure that user has the unique ID reported in the CWTDS2072W message.
2. Re-create an authentication alias for that user and add it to the admin group.
3. Complete the steps in Example 1.
JR52601
Cannot restrict access to information by using REST APIs

This fix enhances authorization control for REST APIs by governing access to user, group, and team information.

To enable the enhanced authorization control, add the following setting to your 100Custom.xml files in Process Center and Process Server:

<server>
<portal>
<authorization-enabled-for-org-info merge="replace">true</authorization-enabled-for-org-info>
</portal>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.

The enhanced authorization control enforces the following authorization rules when users access user-, group-, or team-related REST APIs:

View user information: .../user/<userIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all users
- All users for viewing data about themselves
- Users who are authorized by the following policies:
-- ACTION_REFRESH_USER policy
-- ACTION_MANAGE_ANY_USERATTRIBUTE policy

Refresh user information: .../user/<userIdOrName>?refreshUser=true, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized by the ACTION_REFRESH_USER policy

Update user attributes: .../user/{userNameOrID}?action=setPreference, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup) for all users
- Users authorized by the ACTION_MANAGE_ANY_USERATTRIBUTE policy

View users information: .../users, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View potential collaborators for a claimed task: .../users?collabTaskidFilter=..., is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to invite others to collaborate on a task: Task owner

View potential reassignees for a received or claimed task: .../users?assignTaskidFilter=...,
is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Users authorized to reassign the task to other users, such as
-- Task owner, if authorized by ACTION_REASSIGN_TASK_USER_ROLE policy
-- Task team managers
-- Instance owners

View group information: .../group/<groupIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers (if the specified group corresponds to a team)

View groups information: .../groups, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)

View team information: .../team/<teamIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
- Team managers

View team information: .../participantGroup/<pgIdOrName>, is enabled for
- IBM BPM administrators (members of the bpmAdminGroup)
JR52823
IBM Process Portal users can upload executable files to the IBM BPM server

Perform the following actions to determine the file types that should be blocked from being uploaded as file attachments in Process Portal:

1. In the administrative console, go to Resources > Resource Environment Providers > Mashups_ConfigService and add the following new property:

Name = com.ibm.bpm.portal.stream.attachments.extensions.blocklist
Value = <comma separated list of filename extensions without '.'>
(Example: exe,scr,dll,com,bin)

2. Save the configuration.
3. Restart the servers or clusters.
JR52960
After applying interim fix JR47706, default EPV data for target snapshot version overwrites EPV data set in older snapshot
This fix introduces a new property to toggle between inserting a new EPV value if a default value is specified during Deployment, instance migration, or both.
By default the property is false, meaning that during deployment or instance migration, the default EPV is not persisted. The latest EPV variable is whatever was updated last.
This fix adds a flag to modify the behavior when deploying or migrating Snapshot EPV data. With it set to true, an EPV's default value is set for each EPV using the current time as the effective time for the change when a snapshot is deployed. The default value from the snapshot will then take precedence at run time because it has the latest effective time stamp. The property defaults to false, which was the original behavior before interim fix JR47706.

The fix doesn't prevent the migration of the older values; everything is copied over. However, because the default value is inserted with the deployment time stamp, it becomes the latest EPV value.

Add the following lines to the 100Custom.xml files in Process Center and Process Server:

<server>
<instance-migration>
<epv-deploy-default merge="replace">true</epv-deploy-default>
</instance-migration>
</server>

Then restart the server.

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR52974
EXECUTESERVICEBYNAME JavaScript API overwrites values of private variables in the called service
This fix causes the service engine to raise an exception when the API tries to overwrite a private or output variable of the called service. Set the following configuration flag in the 100Custom.xml files in Process Center and Process Server:

<server>
<service-engine>
<enforce-private-variable-scope merge="replace">true</enforce-private-variable-scope>
</service-engine>
</server>

Then restart the server.

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53209
Security APAR - CVE-2015-1904 - Missing authorization for uploading and downloading documents in ECM

This fix adds a customizable security service and a server-side configuration property to enable or disable the new behavior.

This service checks the permissions of a user. You can create it and select it by using the new External ECM Document Authorization Service service selector, which is added to the Server Settings for the added ECM servers. This service is necessary for server definitions that have "Always use this connection information" selected.

After you apply interim fix JR53209, creating, updating, or downloading external ECM documents is disabled if the following conditions are met:
- You use the Document List or Document Viewer coach views to create, update, or download the documents.
- You are using an external ECM server instead of the internal IBM BPM document store.
- The properties of the ECM server definition have "Always use this connection information" selected.

If your process applications are impacted by JR53209, perform one of the following procedures:

- Disable the new behavior so users can bypass authorization for impacted applications:

Change the 100Custom.xml file to include this XML:
<server>
    <!-- enable the document authorization security service -->
    <enable-document-authorization-security-service merge="replace">false</enable-document-authorization-security-service>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
- For external ECM Server definitions within your process apps and toolkits, clear the "Always use this connection information" option, which causes IBM BPM to propagate each user's context to the ECM server.
Not all ECM systems can share security context with IBM BPM. To determine whether you can use this option, see Authentication scenarios.

- Create a service that checks users' authorization. Then associate this service with each ECM server definition.
1. Open the settings page for a process app or toolkit that contains an ECM server definition and go to the Servers tab.
2. Select the ECM server from the list and scroll to the bottom of the Properties on the left.
3. For the newly added External ECM Document Authorization Service property, select New to generate an empty service with the proper interface or select an existing service.
4. Define the logic that uses one or more of the input parameters to determine authorization for the action.
The service must return "true" if the user is authorized for the action and "false" if not.
Your new service runs each time a user creates, updates, or downloads a document from a Document List coach view.
5. Run a test to confirm the authorization logic you have developed is working as you expect.
6. Create a snapshot for your changes when you are ready to deploy them.

The interface for this service must have the following signature in the Variables tab of the new service created in step 3:

Input parameters
-documentId (ECMID)
-objectTypeId (ECMID)
-action (String) The actions available for creating, downloading, and updating external ECM documents are
"ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and "ACTION_UPDATE_DOCUMENT"
-serverName (String)

Output parameter
-authorized (Boolean)

The following four messages have been added for this function. CWTDE0001E, CWTDE0002E, and CWTDE0004E indicate that the property is not configured properly or that the service itself failed; CWTDE0003E is the expected result when the service returns "false":
CWTDE0001E The External ECM Document Authorization service is not defined.
CWTDE0002E The External ECM Document Authorization service cannot be resolved.
CWTDE0003E You are not authorized to perform the operation on the selected object.
CWTDE0004E The External ECM Document Authorization service did not finish successfully.
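The procedure and interface above say what the service must accept and return, but not what sound authorization logic inside it looks like. The following JavaScript is an added example, not IBM code, of deny-by-default decision logic with the same four inputs and Boolean output. In the Process Designer service the inputs arrive as tw.local.documentId, tw.local.objectTypeId, tw.local.action, and tw.local.serverName and the result is assigned to tw.local.authorized; here they are plain arguments, the ECMID values are treated as strings, and the caller's group names are passed in, so the logic runs stand-alone. The server name ClaimsFileNet, the group names, and the policy table are assumptions for illustration only.

```javascript
// Added example, not IBM code: deny-by-default decision logic for an External ECM
// Document Authorization Service. In the real service the inputs are tw.local.*
// and the result goes to tw.local.authorized; here they are plain arguments and
// the user's group list is passed in. Server name, group names and the policy
// table are assumptions for illustration only.

const KNOWN_ACTIONS = new Set([
  "ACTION_CREATE_DOCUMENT",
  "ACTION_GET_DOCUMENT_CONTENT",
  "ACTION_UPDATE_DOCUMENT",
]);

// Hypothetical policy: for each ECM server definition, which groups may perform
// which action. Anything that is not listed is denied.
const POLICY = {
  ClaimsFileNet: {
    ACTION_GET_DOCUMENT_CONTENT: ["claims_readers", "claims_adjusters"],
    ACTION_CREATE_DOCUMENT: ["claims_adjusters"],
    ACTION_UPDATE_DOCUMENT: ["claims_adjusters"],
  },
};

function nonEmpty(v) {
  return typeof v === "string" && v.trim().length > 0;
}

// Returns { authorized, reason } so denials can be logged server-side; the user
// only ever sees CWTDE0003E. Every malformed or unexpected input fails closed.
function evaluateEcmAccess(input, userGroups) {
  const { documentId, objectTypeId, action, serverName } = input || {};
  if (!KNOWN_ACTIONS.has(action)) {
    return { authorized: false, reason: "unknown action " + String(action) };
  }
  const serverPolicy = POLICY[serverName];
  if (!serverPolicy) {
    return { authorized: false, reason: "no policy for server " + String(serverName) };
  }
  // A create has no document yet, so it must name the object type; a read or
  // update must name the document it targets.
  const idMissing = action === "ACTION_CREATE_DOCUMENT" ? !nonEmpty(objectTypeId) : !nonEmpty(documentId);
  if (idMissing) {
    return { authorized: false, reason: "missing identifier for " + action };
  }
  const allowed = serverPolicy[action] || [];
  const groups = Array.isArray(userGroups) ? userGroups : [];
  const match = groups.find((g) => allowed.includes(g));
  if (!match) {
    return { authorized: false, reason: "no group grants " + action + " on " + serverName };
  }
  return { authorized: true, reason: "granted via group " + match };
}

// Boolean form matching the service's `authorized` output parameter.
function authorizeEcmAction(input, userGroups) {
  const decision = evaluateEcmAccess(input, userGroups);
  if (!decision.authorized) {
    // In the BPM service, replace with the server-side log call and include the user id.
    console.log("ECM authorization denied: " + decision.reason);
  }
  return decision.authorized;
}

// Constructed sample call; the document id is made up.
authorizeEcmAction(
  { documentId: "idd_0A1B2C3D", objectTypeId: "Claim", action: "ACTION_GET_DOCUMENT_CONTENT", serverName: "ClaimsFileNet" },
  ["claims_readers"]
);
```

Two design points carry over to whatever policy you implement: an action string or server name the service does not recognize must yield "false", not fall through to a permissive branch, and the reason for a denial should be logged on the server, because the CWTDE0003E message shown to the user carries none of it.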
JR53223
After moving to IBM BPM V8.5.6, PROCESSAPPS Rest API requires admin rights to run on a process server
This fix introduces the <enforce-rest-admin-auth> custom property. By default it is set to "false", so the REST API /ProcessApps command does not require admin rights on a Process Server. Set it to "true" to limit that command, and the other REST API calls the property covers, to users who have admin rights.

Before you start the servers, modify the 100Custom.xml files in Process Center and Process Server with the following lines:

<server>
<enforce-rest-admin-auth merge="replace">true</enforce-rest-admin-auth>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53280
Incorrect user membership for ad hoc groups
This fix introduces a property that gives you a way to monitor and repair user membership for ad hoc groups. Set the following configuration flag in your 100Custom.xml files in Process Center and Process Server:

<server>
<portal>
<enable-ad-hoc-group-monitoring merge="replace">true</enable-ad-hoc-group-monitoring>
</portal>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53607
User synchronization creates new users for existing user names that contain trailing blanks (white spaces)
This fix includes a configuration property that controls whether the record of a user already in the database is updated with the information of the user whose name was corrected in LDAP (the trailing blanks removed). The property is set to true by default. While it remains true, the existing user's information is updated when you specify the corrected user name and select Synchronize in the Process Admin Console, or when the user logs in with that user ID. Selecting Existing User Synchronize does not update the user's information. If you set the property to false, the existing database user is not recognized as equivalent to the corrected user in LDAP, and the user information, including the full name and provider name, is set to null.

You can set this property to false in the 100Custom.xml files in Process Center and Process Server:

<common>
<security>
<update-user-ignoring-trailing-blanks merge="replace">false</update-user-ignoring-trailing-blanks>
</security>
</common>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
JR53620
"CWWIM0006E Initialization of component, CONFIGMANAGER, failed" during application server startup
This fix allows the BPMConfig -create command to add the bpm.de.node.#.clusterMember.#.jvmSettings.#.jvmArgs properties to IBM BPM's default generic JVM properties instead of replacing them.

If the IBM BPM deployment environment was created with bpm.de.node.#.clusterMember.#.jvmSettings.#.jvmArgs set in the config properties file when JR53620 was not already installed, the IBM BPM default generic JVM settings are missing. In that case, manually add these JVM generic properties as described in the following procedure, which is a required one-time repair action:

1. Open the administrative console.

2. For a stand-alone server (IBM BPM Express) go to Servers > Server Types > WebSphere application servers > server1 > Server infrastructure > Java and Process Management > Process definition > Java Virtual Machine > Generic JVM arguments and make sure the following entries are included:

For an IBM SDK, ${IBMSCMX} ${IBMGCPOLICY_GENCON} ${IBMJITPMC}
For a Sun JVM, ${SUNMAXPERMSIZE}
-Dsun.net.http.allowRestrictedHeaders=true
-Declipse.bundle.setTCCL=false

Note the leading dash that is needed for the "-D" JVM option.

3. For the deployment manager (IBM BPM Standard and IBM BPM Advanced) go to System administration > Deployment manager > Java and Process Management > Process definition > Java Virtual Machine > Generic JVM arguments and make sure the following entries are included:

For an IBM SDK, ${IBMSCMX} ${IBMGCPOLICY_GENCON} ${IBMJITPMC}
For a Sun JVM, ${SUNMAXPERMSIZE}

4. For all application cluster members (IBM BPM Standard and IBM BPM Advanced) go to Servers > Clusters > WebSphere application server clusters > <appClusterName> > Cluster Members > <clusterMemberName> > Server infrastructure > Java and Process Management > Process definition > Java Virtual Machine > Generic JVM arguments and make sure the following entries are included:

For an IBM SDK, ${IBMSCMX} ${IBMGCPOLICY_GENCON} ${IBMJITPMC} -Xmns256m -Xmnx768m -Xgc:preferredHeapBase=0x100000000
For a Sun JVM, ${SUNMAXPERMSIZE} -XX:NewSize=256m -XX:MaxNewSize=768m
-Dsun.net.http.allowRestrictedHeaders=true
-Declipse.bundle.setTCCL=false

Note the leading dash that is needed for the "-D" and "-X" JVM options.

5. For all messaging and support cluster members in a three-cluster topology (IBM BPM Standard and IBM BPM Advanced) go to Servers > Clusters > WebSphere application server clusters > <clusterName> > Cluster Members > <clusterMemberName> > Server infrastructure > Java and Process Management > Process definition > Java Virtual Machine > Generic JVM arguments and make sure the following entries are included:

For an IBM SDK, ${IBMSCMX} ${IBMGCPOLICY_GENCON} ${IBMJITPMC}
For a Sun JVM, ${SUNMAXPERMSIZE}

6. Save your changes and, in an ND environment (IBM BPM Standard and IBM BPM Advanced), synchronize them to the managed nodes.
JR53686
Disable task-level collaboration in IBM Process Portal
This interim fix adds a custom property that allows you to disable user-initiated user-to-user collaboration, hiding the Collaborate menu item from users in Process Portal and disabling the events that propagate collaboration information between users' sessions. The custom property is named com.ibm.bpm.portal.disable.taskCollaboration and its value should be set to false to disable collaboration (its default value is true).

To set the property, complete the following steps:

1. In the administrative console, go to Resource environment providers > Mashup_ConfigService > Custom properties > New.

2. Set the following values:

Name: com.ibm.bpm.portal.disable.taskCollaboration
Value: false

3. Save the configuration.
JR53814
Cannot set the default schema namespace for inbound web service WSDL files

To update the default namespace for inbound web service WSDL files, complete the following steps:

1. On the deployment manager, start the wsadmin tool:
wsadmin -lang jython -conntype NONE

2. Locate the parent configuration object.

For IBM Process Center (where application_cluster_name is the name of the application cluster in the deployment environment):
bpdServer = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/BPMProcessCenter:/")

For IBM Process Server (where application_cluster_name is the name of the application cluster in the deployment environment):
bpdServer = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/BPMProcessServer:/")

3. Modify the 'defaultNamespaceUri' for the bpdServer:
wsadmin> AdminConfig.modify(bpdServer, [['defaultNamespaceUri', 'http://hostname:port/schema/']])

4. Save the change:
wsadmin> AdminConfig.save()
JR53951
ILLEGALDATAEXCEPTION in IBM Business Process Manager due to control characters not serialized

To automatically remove XML invalid characters in string input so that the string is XML compliant, you must activate the fix by setting the following configuration flag in the 100Custom.xml files in Process Center and Process Server and restarting the server:

<server>
<autocorrect-xml merge="replace">true</autocorrect-xml>
</server>

For more information, see The 99Local.xml and 100Custom.xml configuration files.
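The autocorrect-xml flag makes the server silently drop characters that XML 1.0 does not allow before the string is serialized. As an added example that is not IBM code, the following JavaScript shows what that correction amounts to and, more useful when diagnosing an ILLEGALDATAEXCEPTION, how to locate the offending characters in a string so the upstream source can be fixed instead of relying on silent correction. The sample strings are constructed.

```javascript
// Added example, not IBM code: strip characters that XML 1.0 forbids, and report
// where they are. Allowed characters per the XML 1.0 "Char" production are
//   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
// so C0 control characters other than tab/LF/CR, the surrogate range, and
// U+FFFE/U+FFFF are all invalid.
function isXmlChar(cp) {
  return cp === 0x9 || cp === 0xa || cp === 0xd ||
    (cp >= 0x20 && cp <= 0xd7ff) ||
    (cp >= 0xe000 && cp <= 0xfffd) ||
    (cp >= 0x10000 && cp <= 0x10ffff);
}

// Walks the string by code point so that a valid surrogate pair (an emoji, say)
// is kept as a unit and a lone surrogate is dropped rather than half-kept.
function stripInvalidXmlChars(s) {
  let out = "";
  for (const ch of s) {                // for..of iterates code points, not UTF-16 units
    if (isXmlChar(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Diagnostic companion: returns the UTF-16 index and code point of every invalid
// character, which is what you want in a log line when hunting the producer.
function findInvalidXmlChars(s) {
  const hits = [];
  let index = 0;
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (!isXmlChar(cp)) hits.push({ index, codePoint: cp });
    index += ch.length;                // a pair advances by two UTF-16 units
  }
  return hits;
}

// Constructed sample: a NUL and a BEL (0x07) embedded in an otherwise normal value,
// with a tab and newline that must survive.
const sample = "Order\u0000 #42\u0007 ok\tline\n";
stripInvalidXmlChars(sample);          // "Order #42 ok\tline\n"
findInvalidXmlChars(sample);           // [{ index: 5, codePoint: 0 }, { index: 10, codePoint: 7 }]
```

Note that stripping is lossy: a value that contained a control character was usually produced by a bug or by binary data in a string field, so log the positions reported by findInvalidXmlChars and fix the producer rather than leaving the flag on as the only remedy.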


Product Synonym

BPM

Document Information

Modified date:
17 June 2018

UID

swg27047155