APAR status
Closed as program error.
Error description
When you try to start a service of type BACKGROUND by using the startService REST API, you see the following error:

CWTBG0568E: Unable to start service type BACKGROUND due to a restriction: Service type must be AJAX or HUMAN

In releases earlier than IBM Business Process Manager (BPM) V8.0, this call was not restricted to services of types Ajax or human.
Local fix
Use services of type AJAX or HUMAN to wrap existing services of other types.
Problem summary
In IBM BPM V8.0, a potential security problem that allowed any authenticated user to run all types of services was fixed. However, this change limits the types of services that can be started by using a REST call to those that can be exposed to dedicated teams: only Ajax and human services can be run by using REST calls. The change in behavior is intentional, but you might depend on the previous behavior. Currently, applications that depend on the previous behavior cannot work without wrapping existing services in human or Ajax service implementations.
Problem conclusion
A fix for IBM BPM V8.5.5.0 enables administrators to customize the restriction for startable services by type. The fix is secure by default and allows users to invoke only AJAX and HUMAN services by using the REST API. If you have custom client applications that rely on the REST API call and expose service types other than Ajax or human services, you need to add the following configuration information:

A configuration property is introduced to specify the whitelist of startable services. In the 100Custom.xml file, add the startservice-valid-services stanza to list one or more valid-service-entry elements:

    <server>
      <portal merge="mergeChildren">
        <startservice-valid-services>
          <valid-service-entry>Ajax Service</valid-service-entry>
          <valid-service-entry>Human Service</valid-service-entry>
          <valid-service-entry>General System Service</valid-service-entry>
        </startservice-valid-services>
      </portal>
    </server>

The following values are possible for valid-service-entry:
- all
- none
- Regular Service
- Rule Service
- Ajax Service
- Human Service
- Integration Service
- Installation Service
- General System Service
- SCA Service
- Case Manager Integration Service
- Undercover Agent Passthrough Service

If either the special keyword "all" or "none" is encountered in the list, all other entries are ignored.

For more information, see "Modifying runtime server configuration properties" (http://www.ibm.com/support/knowledgecenter/SSFPJS_8.5.5/com.ibm.wbpm.admin.doc/topics/cadm_modconfigprops.html) and "The 99Local.xml and 100Custom.xml configuration files" (http://www.ibm.com/support/knowledgecenter/SSFPJS_8.5.5/com.ibm.wbpm.admin.doc/topics/managing_twks_config_settings.html).

Use this flag only temporarily and convert the existing applications to use properly secured human or Ajax services as a facade.

On Fix Central (http://www.ibm.com/support/fixcentral), search for JR52574:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR52574, and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
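An added example, not part of the APAR and not IBM code: a Python audit of a 100Custom.xml document that reports which service types the whitelist described above makes startable over REST and flags anything wider than the secure default. The function name, the findings wording, the whitespace trimming, and the handling of an empty list or of "all" and "none" appearing together are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Values the APAR lists as possible for valid-service-entry.
KNOWN = {"all", "none", "Regular Service", "Rule Service", "Ajax Service",
         "Human Service", "Integration Service", "Installation Service",
         "General System Service", "SCA Service",
         "Case Manager Integration Service",
         "Undercover Agent Passthrough Service"}
# Secure default per the APAR: only these types are startable over REST.
DEFAULT = {"Ajax Service", "Human Service"}

# Constructed sample: the stanza shown in the APAR text.
SAMPLE = """<server><portal merge="mergeChildren"><startservice-valid-services>
  <valid-service-entry>Ajax Service</valid-service-entry>
  <valid-service-entry>Human Service</valid-service-entry>
  <valid-service-entry>General System Service</valid-service-entry>
</startservice-valid-services></portal></server>"""


def audit_startable_services(xml_text):
    """Return (effective_types, findings) for a 100Custom.xml document."""
    root = ET.fromstring(xml_text)
    # Assumption: whitespace around an entry value is not significant.
    entries = [(e.text or "").strip()
               for stanza in root.iter("startservice-valid-services")
               for e in stanza.iter("valid-service-entry")]
    if not entries:
        return sorted(DEFAULT), ["no whitelist entries; secure default applies"]
    findings = []
    unknown = [v for v in entries if v not in KNOWN]
    if unknown:
        findings.append(f"unrecognized entries: {unknown}")
    keywords = {v for v in entries if v in ("all", "none")}
    if len(keywords) == 2:
        # The APAR does not say which keyword wins, so report, do not guess.
        return ["ambiguous"], findings + ["both 'all' and 'none' are present"]
    if keywords:
        kw = keywords.pop()
        ignored = [v for v in entries if v != kw]
        if ignored:
            findings.append(f"'{kw}' present; ignored entries: {ignored}")
        if kw == "all":
            findings.append("every service type is startable over REST")
        return [kw], findings
    effective = sorted(set(entries) & KNOWN)
    widened = [t for t in effective if t not in DEFAULT]
    if widened:
        findings.append(f"widened beyond secure default: {widened}")
    return effective, findings
```

Calling `audit_startable_services(SAMPLE)` reports General System Service as the one type widened beyond the default, which is the kind of entry to track until the application is converted to a human or Ajax service facade.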
Temporary fix
Not applicable
Comments
APAR Information
APAR number
JR52574
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-02-13
Closed date
2015-04-13
Last modified date
2015-04-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R855 PSY
UP
Document Information
Modified date:
14 October 2021