Enabling business processes to work with security enabled

In WebSphere Integration Developer, business processes and human tasks will not run correctly "out of the box" on a test environment server if security has been enabled. This is because the predefined server configuration cannot find the expected user ID, password, and group settings in the user registry. However, you can modify some specific properties that will permit your business processes and human tasks to run correctly when security is enabled.

When business processes and human tasks fail to run correctly, there are several indications that the problem may be related to running with security enabled. One indication is in the SystemOut.log of the test environment server, where you may find a stack trace similar to the example stack trace at the bottom of this topic. Another indication is that when you right-click your server in the Servers view and select Launch > Business Process Choreographer Explorer, an Unhandled Error 500 browser page appears after you specify a user ID and password. The browser page contains the following message (which internally raises the exception client.model.exception.Communication):

javax.naming.NameNotFoundException: Name "ejb/com/ibm/task/api/HumanTaskManagerHome" not found in context "local:".

In the server log, you will find error NMSV0605W with similar text.

To enable business processes to work with security enabled:

  1. Complete the following steps to update the authentication aliases that are required for the business process choreographer and the human task manager:
    1. In the Business Integration perspective of WebSphere Integration Developer, click the Servers tab. The Servers view opens.
    2. In the Servers view, double-click your server. The server configuration editor opens.
    3. Under Server connection type and admin port, select SOAP.
    4. Expand the Security section of the editor.
    5. Ensure that the Security is enabled on this server check box is selected.
    6. Under Current active authentication settings, ensure that the correct administrative user ID and password are specified in the User ID and Password fields.
    7. Press Ctrl-S to save your changes and then close the server configuration editor.
    8. Right-click your server and select Start (or select Restart > Start if your server is already running).
    9. When the server status eventually changes to Started, right-click the server and select Run administrative console. The administrative console opens.
    10. In the administrative console, specify your user ID and password in the User ID and Password fields and then click Log in.
    11. In the left frame of the administrative console, expand Security and select the Global Security link. The Global Security page opens.
    12. In the Authentication section, expand JAAS Configuration and select J2C Authentication data. The J2C Authentication Data page opens.
    13. Select the link for an authentication alias that uses wid as a user ID (as indicated by wid appearing in the User ID column). The page opens for the selected authentication alias.
    14. In the User ID and Password fields, change the user ID and password to valid values; for example, your login user ID and password.
    15. Click OK.
    16. Repeat the previous three steps for each of the remaining authentication aliases that use wid as a user ID.
    17. In the Messages box at the top of the J2C Authentication Data page, select the Save link. The Global Security page opens.
    18. Click the Save button to update the security.xml document.
  2. Complete the following steps to modify the J2EE role definition for the human task manager:
    1. In the left frame of the administrative console, expand Applications and select the Enterprise Applications link. The Enterprise Applications page opens.
    2. Scroll down the page and select the TaskContainer_widNode_server1 link. (If this exact application name does not exist, select the link of the most similarly named application.) The page opens for the selected application.
    3. Scroll down the page and select the Map security roles to users/groups link. The Map Security Roles to Users/Groups page opens.
    4. Beside the TaskSystemAdministrator role, select the Select check box.
    5. Click Look up users. The Look Up Users or Groups page opens. (Note that instead of clicking Look up users, you could simply select the All authenticated check box for every role, but this is not recommended because it would permit each user to receive all privileges for human task administration.)
    6. In the Search string field, type the user ID that you want to use and click Search. In the Available list, the user ID is displayed.
    7. In the Available list, select the user ID and click the >> button to copy the user ID to the Selected list.
    8. If the user ID wid appears in the Selected list, select it and then click the << button to remove it from the Selected list.
    9. Click OK. The Map Security Roles to Users/Groups page opens again.
    10. If wid appears in the Mapped groups column, you can optionally remove the wid group to eliminate the error message SECJ0340E in the SystemOut.log.
    11. Click OK in the Map Security Roles to Users/Groups page. The Enterprise Applications page opens.
    12. In the Messages box at the top of the page, select the Save link.
    13. Click the Save button to update the various deployment descriptors.
  3. Complete the following steps to modify the J2EE role definition for the business flow manager:
    1. In the left frame of the administrative console, expand Applications and select the Enterprise Applications link. The Enterprise Applications page opens.
    2. Scroll down the page and select the BPEContainer_widNode_server1 link. (If this exact application name does not exist, select the link of the most similarly named application.) The page opens for the selected application.
    3. Scroll down the page and select the Map security roles to users/groups link. The Map Security Roles to Users/Groups page opens.
    4. Beside the BPESystemAdministrator role, select the Select check box.
    5. Click Look up users. The Look Up Users or Groups page opens. (Note that instead of clicking Look up users, you could simply select the All authenticated check box for every role, but this is not recommended because it would permit each user to receive all privileges for process choreography administration.)
    6. In the Search string field, type the user ID that you want to use and click Search. In the Available list, the user ID is displayed.
    7. In the Available list, select the user ID and click the >> button to copy the user ID to the Selected list.
    8. If the user ID wid appears in the Selected list, select it and then click the << button to remove it from the Selected list.
    9. Click OK. The Map Security Roles to Users/Groups page opens again.
    10. If wid appears in the Mapped groups column, you can optionally remove the wid group to eliminate the error message SECJ0340E in the SystemOut.log.
    11. Click OK in the Map Security Roles to Users/Groups page. The Enterprise Applications page opens.
    12. In the Messages box at the top of the page, select the Save link.
    13. Click the Save button to update the various deployment descriptors.
  4. Complete the following steps to modify the RunAs role JMSAPIUser definition for the business flow manager:
    1. In the left frame of the administrative console, expand Applications and select the Enterprise Applications link. The Enterprise Applications page opens.
    2. Scroll down the page and select the BPEContainer_widNode_server1 link (or similarly named link). The page opens for the application.
    3. Scroll down the page and select the Map RunAs roles to users link. The Map RunAs Roles to Users page opens.
    4. Beside the JMSAPIUser role, select the Select check box.
    5. In the Username and Password fields, type your username and password.
    6. Click Apply.
    7. Click OK in the Map RunAs Roles to Users page. The Enterprise Applications page opens.
    8. In the Messages box at the top of the page, select the Save link.
    9. Click the Save button to update the various deployment descriptors.
  5. In the Servers view, right-click your server and select Restart > Start.
If you cannot see the content of the SystemOut.log file in the Console view, try following the instructions in the technote entitled "Console output fails to display in the version 6 WebSphere Test Environment when global security is enabled". If you are using the default authentication alias data predefined by WebSphere Integration Developer and you have not made the property modifications that are required for your business processes and human tasks to run correctly when security is enabled, you will receive a stack trace similar to the one below as soon as you enable security.

[CWSIV0954E] com.ibm.wsspi.sib.core.exception.SIAuthenticationException: CWSIP0301E: Unable to authenticate user wid when creating a connection to secure messaging engine widNode.server1-CommonEventInfrastructure_Bus on bus CommonEventInfrastructure_Bus. was thrown while attempting to create a connection on factory com.ibm.ws.sib.processor.impl.MessageProcessor@7797368c.
 at com.ibm.ws.sib.ra.inbound.impl.SibRaMessagingEngineConnection.<init>(SibRaMessagingEngineConnection.java:217)
 at com.ibm.ws.sib.ra.inbound.impl.SibRaEndpointActivation.getConnection(SibRaEndpointActivation.java:362)
 at com.ibm.ws.sib.ra.inbound.impl.SibRaStaticDestinationEndpointActivation.createListener(SibRaStaticDestinationEndpointActivation.java:669)
 at com.ibm.ws.sib.ra.inbound.impl.SibRaStaticDestinationEndpointActivation.<init>(SibRaStaticDestinationEndpointActivation.java:222)
 at com.ibm.ws.sib.ra.inbound.impl.SibRaResourceAdapterImpl.endpointActivation(SibRaResourceAdapterImpl.java:321)
 at com.ibm.ejs.j2c.ActivationSpecWrapperImpl.activateEndpoint(ActivationSpecWrapperImpl.java:228)
 at com.ibm.ejs.j2c.RAWrapperImpl.activateEndpoint(RAWrapperImpl.java:824)
 at com.ibm.ejs.j2c.RALifeCycleManagerImpl.activateEndpoint(RALifeCycleManagerImpl.java:1298)
 at com.ibm.ejs.container.MessageEndpointFactoryImpl.activateEndpoint(MessageEndpointFactoryImpl.java:256)
 at com.ibm.ejs.container.EJSContainer.loadBeanMetaData(EJSContainer.java:1614)
 at com.ibm.ejs.container.HomeOfHomes.loadBeanMetaData(HomeOfHomes.java:663)
 at com.ibm.ejs.container.HomeRecord.getHomeAndInitialize(HomeRecord.java:458)
 at com.ibm.ejs.container.EJSContainer.getHomeWrapperCommon(EJSContainer.java:1239)
 at com.ibm.ejs.container.EJSContainer.getHomeInstance(EJSContainer.java:1148)
 at com.ibm.ejs.container.EJSContainer.startBean(EJSContainer.java:1134)
 at com.ibm.ws.runtime.component.EJBContainerImpl.startBean(EJBContainerImpl.java:3264)
 at com.ibm.ws.runtime.component.EJBContainerImpl.install(EJBContainerImpl.java:2736)
 at com.ibm.ws.runtime.component.EJBContainerImpl.start(EJBContainerImpl.java:3499)
 at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1228)
 at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1067)
 at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:547)
 at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:751)
 at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:892)
 at com.ibm.ws.runtime.component.ApplicationMgrImpl$AppInitializer.run(ApplicationMgrImpl.java:2003)
 at com.ibm.ws.runtime.component.ComponentImpl.runAsynchronousInitializer(ComponentImpl.java:159)
 at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplications(ApplicationMgrImpl.java:745)
 at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:524)
 at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:820)
 at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:649)
 at com.ibm.ws.runtime.component.ApplicationServerImpl.start(ApplicationServerImpl.java:149)
 at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:820)
 at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:649)
 at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:402)
 at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:187)
 at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:133)
 at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:387)
 at com.ibm.ws.runtime.WsServer.main(WsServer.java:53)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
 at java.lang.reflect.Method.invoke(Method.java:391)
 at com.ibm.ws.bootstrap.WSLauncher.run(WSLauncher.java:218)
 at java.lang.Thread.run(Thread.java:568)
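As an added example (not code from this topic or from IBM), the following Python script scans SystemOut.log lines for the message IDs quoted in this topic and reports which step of the procedure above addresses each one. The ID-to-step mapping and the sample log lines are constructed for the example; it also extracts the user ID and messaging engine from the CWSIP0301E text, which the topic does not walk through.

```python
import re

# Message IDs this topic ties to running with security enabled, mapped to the
# corrective step in the procedure above (mapping assumed for this example).
SYMPTOMS = {
    "CWSIV0954E": "Step 1: update the J2C authentication aliases that still use user ID wid",
    "CWSIP0301E": "Step 1: update the J2C authentication aliases that still use user ID wid",
    "NMSV0605W": "Steps 2 and 3: map TaskSystemAdministrator and BPESystemAdministrator to a valid user",
    "SECJ0340E": "Steps 2 and 3: remove the wid group from the Mapped groups column",
}

# WebSphere message IDs: 4-5 letter prefix, 4 digits, severity letter.
MSG_ID_RE = re.compile(r"\b([A-Z]{4,5}\d{4}[EWI])\b")
# Pulls the failing user and messaging engine out of the CWSIP0301E text.
WID_AUTH_RE = re.compile(r"Unable to authenticate user (\S+) when creating a connection to secure messaging engine (\S+)")

def triage(log_lines):
    """Return (message_id, remediation, detail) for every known symptom found."""
    findings = []
    for line in log_lines:
        # dict.fromkeys drops IDs repeated on one line while keeping order
        for msg_id in dict.fromkeys(MSG_ID_RE.findall(line)):
            if msg_id not in SYMPTOMS:
                continue
            m = WID_AUTH_RE.search(line)
            detail = "user=%s engine=%s" % m.groups() if m else ""
            findings.append((msg_id, SYMPTOMS[msg_id], detail))
    return findings

def is_security_enabled_failure(log_lines):
    """True when the log shows the messaging-engine authentication failure."""
    return any(f[0] in ("CWSIV0954E", "CWSIP0301E") for f in triage(log_lines))

# Constructed sample SystemOut.log lines, modelled on the trace in this topic.
SAMPLE_LOG = [
    '[CWSIV0954E] com.ibm.wsspi.sib.core.exception.SIAuthenticationException: '
    'CWSIP0301E: Unable to authenticate user wid when creating a connection to '
    'secure messaging engine widNode.server1-CommonEventInfrastructure_Bus on '
    'bus CommonEventInfrastructure_Bus.',
    ' at com.ibm.ws.sib.ra.inbound.impl.SibRaMessagingEngineConnection.<init>(SibRaMessagingEngineConnection.java:217)',
    'NMSV0605W: Name "ejb/com/ibm/task/api/HumanTaskManagerHome" not found in context "local:".',
    'SECJ0340E: group wid could not be resolved in the user registry (constructed text)',
    'WSVR0001I: Server server1 open for e-business',
]

if __name__ == "__main__":
    for msg_id, fix, detail in triage(SAMPLE_LOG):
        print("%s -> %s %s" % (msg_id, fix, detail))
```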

(C) Copyright IBM Corporation 2005, 2006. All Rights Reserved.