In WebSphere Integration Developer, business processes and human
tasks will not run correctly "out of the box" on a test environment server
if security has been enabled. This is because the predefined server configuration
cannot find the expected user ID, password, and group settings in the user
registry. However, you can modify some specific properties that will permit
your business processes and human tasks to run correctly when security is
enabled.
When business processes and human tasks fail to run correctly, there
are several indications that the problem may be related to running with security
enabled. One indication is in the SystemOut.log of the test environment
server, where you may find a stack trace that is similar to the example stack
trace found at the bottom of this topic. Another indication is that when you
right-click your server in the Servers view and select
Launch > Business Process Choreographer Explorer, an Unhandled Error 500
browser page results after you specify a user ID and password. The browser page
contains the following message (which internally raises the exception
client.model.exception.Communication):
javax.naming.NameNotFoundException: Name "ejb/com/ibm/task/api/HumanTaskManagerHome" not found in context "local:".
In the server log, you will find error NMSV0605W with similar text.
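The log indications described in this topic can be checked mechanically. The following Python script is an added example, not IBM code: it scans SystemOut.log lines for the message IDs this topic names (CWSIP0301E, NMSV0605W, SECJ0340E) and reports the user and bus from the authentication failure. The mapping from each ID to a part of the procedure is an editorial reading of this topic, and the sample log lines are constructed.

```python
import re

# Message IDs this topic names, mapped to the part of the procedure they point to
# (the mapping is an assumption made for this example).
INDICATORS = {
    "CWSIP0301E": "authentication aliases: replace the default user ID and password",
    "NMSV0605W": "human task manager home not bound: work through the whole procedure",
    "SECJ0340E": "role mapping: remove the wid group from the Mapped groups column",
}
ID_RE = re.compile(r"\b(%s)\b" % "|".join(INDICATORS))
AUTH_RE = re.compile(r"Unable to authenticate user (\S+) when creating a connection "
                     r"to secure messaging engine \S+ on bus (\S+?)\.(?:\s|$)")

def triage(lines):
    """Count each distinct (message ID, user, bus) and attach the suggested fix."""
    counts = {}
    for line in lines:
        auth = AUTH_RE.search(line)
        user, bus = auth.groups() if auth else (None, None)
        for code in set(ID_RE.findall(line)):
            # User and bus only belong to the messaging-engine authentication error.
            key = (code, user, bus) if code == "CWSIP0301E" else (code, None, None)
            counts[key] = counts.get(key, 0) + 1
    return [{"id": c, "user": u, "bus": b, "hits": n, "fix": INDICATORS[c]}
            for (c, u, b), n in sorted(counts.items(), key=lambda kv: kv[0][0])]

# Constructed sample: the CWSIP0301E text is copied from this topic's stack trace;
# the timestamp, thread ID and the other message bodies are placeholders.
_AUTH = ("[CWSIV0954E] com.ibm.wsspi.sib.core.exception.SIAuthenticationException: "
         "CWSIP0301E: Unable to authenticate user wid when creating a connection to "
         "secure messaging engine widNode.server1-CommonEventInfrastructure_Bus on bus "
         "CommonEventInfrastructure_Bus. was thrown while attempting to create a connection")
SAMPLE_LOG = [
    "[1/1/06 10:00:00:000 EST] 0000000a Example I constructed line without an indicator",
    _AUTH,
    "    at com.ibm.ws.sib.ra.inbound.impl.SibRaEndpointActivation.getConnection(...)",
    _AUTH,
    'NMSV0605W: javax.naming.NameNotFoundException: Name '
    '"ejb/com/ibm/task/api/HumanTaskManagerHome" not found in context "local:".',
    "SECJ0340E: (message text omitted in this constructed sample)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%(id)s x%(hits)d user=%(user)s bus=%(bus)s -> %(fix)s" % f)
```

To use it on a real server, pass the lines of the test environment's SystemOut.log to `triage` instead of `SAMPLE_LOG`.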
To enable business processes to work with security enabled:
- Complete the following steps to update the authentication aliases that are
  required for the business process choreographer and the human task manager:
  - In the Business Integration perspective of WebSphere Integration Developer,
    click the Servers tab. The Servers view opens.
  - In the Servers view, double-click your server. The server configuration
    editor opens.
  - Under Server connection type and admin port, select SOAP.
  - Expand the Security section of the editor.
  - Ensure that the Security is enabled on this server check box is selected.
  - Under Current active authentication settings, ensure that the correct
    administrative user ID and password are specified in the User ID and
    Password fields.
  - Press Ctrl-S to save your changes and then close the server configuration
    editor.
  - Right-click your server and select Start (or select Restart > Start if your
    server is already running).
  - When the server status eventually changes to Started, right-click the
    server and select Run administrative console. The administrative console
    opens.
  - In the administrative console, specify your user ID and password in the
    User ID and Password fields and then click Log in.
  - In the left frame of the administrative console, expand Security and select
    the Global Security link. The Global Security page opens.
  - In the Authentication section, expand JAAS Configuration and select J2C
    Authentication data. The J2C Authentication Data page opens.
  - Select the link for an authentication alias that uses wid as a user ID (as
    indicated by wid appearing in the User ID column). The page opens for the
    selected authentication alias.
  - In the User ID and Password fields, change the user ID and password to
    valid values; for example, your login user ID and password.
  - Click OK.
  - Repeat the previous three steps for each of the remaining authentication
    aliases that use wid as a user ID.
  - In the Messages box at the top of the J2C Authentication Data page, select
    the Save link. The Global Security page opens.
  - Click the Save button to update the security.xml document.
- Complete the following steps to modify the J2EE role definition for the human
  task manager:
  - In the left frame of the administrative console, expand Applications and
    select the Enterprise Applications link. The Enterprise Applications page
    opens.
  - Scroll down the page and select the TaskContainer_widNode_server1 link. (If
    this exact application name does not exist, select the link of the most
    similarly named application.) The page opens for the selected application.
  - Scroll down the page and select the Map security roles to users/groups
    link. The Map Security Roles to Users/Groups page opens.
  - Beside the TaskSystemAdministrator role, select the Select check box.
  - Click Look up users. The Look Up Users or Groups page opens. (Note that
    instead of clicking Look up users, you could simply select the All
    authenticated check box for every role, but this is not recommended because
    it would permit each user to receive all privileges for human task
    administration.)
  - In the Search string field, type the user ID that you want to use and click
    Search. In the Available list, the user ID is displayed.
  - In the Available list, select the user ID and click the >> button to copy
    the user ID to the Selected list.
  - If the user ID wid appears in the Selected list, select it and then click
    the << button to remove it from the Selected list.
  - Click OK. The Map Security Roles to Users/Groups page opens again.
  - If wid appears in the Mapped groups column, you can optionally remove the
    wid group to eliminate the error message SECJ0340E in the SystemOut.log.
  - Click OK in the Map Security Roles to Users/Groups page. The Enterprise
    Applications page opens.
  - In the Messages box at the top of the page, select the Save link.
  - Click the Save button to update the various deployment descriptors.
- Complete the following steps to modify the J2EE role definition for the
  business flow manager:
  - In the left frame of the administrative console, expand Applications and
    select the Enterprise Applications link. The Enterprise Applications page
    opens.
  - Scroll down the page and select the BPEContainer_widNode_server1 link. (If
    this exact application name does not exist, select the link of the most
    similarly named application.) The page opens for the selected application.
  - Scroll down the page and select the Map security roles to users/groups
    link. The Map Security Roles to Users/Groups page opens.
  - Beside the BPESystemAdministrator role, select the Select check box.
  - Click Look up users. The Look Up Users or Groups page opens. (Note that
    instead of clicking Look up users, you could simply select the All
    authenticated check box for every role, but this is not recommended because
    it would permit each user to receive all privileges for process
    choreography administration.)
  - In the Search string field, type the user ID that you want to use and click
    Search. In the Available list, the user ID is displayed.
  - In the Available list, select the user ID and click the >> button to copy
    the user ID to the Selected list.
  - If the user ID wid appears in the Selected list, select it and then click
    the << button to remove it from the Selected list.
  - Click OK. The Map Security Roles to Users/Groups page opens again.
  - If wid appears in the Mapped groups column, you can optionally remove the
    wid group to eliminate the error message SECJ0340E in the SystemOut.log.
  - Click OK in the Map Security Roles to Users/Groups page. The Enterprise
    Applications page opens.
  - In the Messages box at the top of the page, select the Save link.
  - Click the Save button to update the various deployment descriptors.
- Complete the following steps to modify the RunAs role JMSAPIUser definition
  for the business flow manager:
  - In the left frame of the administrative console, expand Applications and
    select the Enterprise Applications link. The Enterprise Applications page
    opens.
  - Scroll down the page and select the BPEContainer_widNode_server1 link (or
    similarly named link). The page opens for the application.
  - Scroll down the page and select the Map RunAs roles to users link. The Map
    RunAs Roles to Users page opens.
  - Beside the JMSAPIUser role, select the Select check box.
  - In the Username and Password fields, type your username and password.
  - Click Apply.
  - Click OK in the Map RunAs Roles to Users page. The Enterprise Applications
    page opens.
  - In the Messages box at the top of the page, select the Save link.
  - Click the Save button to update the various deployment descriptors.
- In the Servers view, right-click your server and select Restart > Start.
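After the first step of the procedure saves security.xml, you can confirm that no authentication alias was missed. The following Python script is an added example, not IBM code: it lists the aliases that still carry the wid user ID without ever printing a password. It assumes that J2C authentication data is stored as authDataEntries elements with alias and userId attributes and that the root element carries an enabled attribute; the sample document, alias names and password values are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_USER = "wid"  # default user ID this topic says to replace

# Constructed sample: alias names, xmi:id values and passwords are placeholders.
# Assumption: J2C authentication data is stored as authDataEntries elements.
SAMPLE_SECURITY_XML = """\
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1" enabled="true">
  <authDataEntries xmi:id="JAASAuthData_1" alias="exampleNode/ExampleAliasA"
      userId="wid" password="{xor}PLACEHOLDER"/>
  <authDataEntries xmi:id="JAASAuthData_2" alias="exampleNode/ExampleAliasB"
      userId="alice" password="{xor}PLACEHOLDER"/>
  <authDataEntries xmi:id="JAASAuthData_3" alias="exampleNode/ExampleAliasC"
      userId="wid" password="{xor}PLACEHOLDER"/>
</security:Security>
"""

def audit_security_xml(xml_text, default_user=DEFAULT_USER):
    """Report whether security is enabled and which aliases still use default_user."""
    root = ET.fromstring(xml_text)
    report = {"security_enabled": root.get("enabled") == "true",
              "default_user_aliases": [], "updated_aliases": []}
    for element in root.iter():
        # Match on the local name so the check works with or without a namespace.
        if element.tag.rsplit("}", 1)[-1] != "authDataEntries":
            continue
        alias = element.get("alias", "<no alias attribute>")
        # Only the alias and user ID are read; the password attribute is never output.
        bucket = ("default_user_aliases" if element.get("userId") == default_user
                  else "updated_aliases")
        report[bucket].append(alias)
    report["aliases_updated"] = not report["default_user_aliases"]
    return report

if __name__ == "__main__":
    result = audit_security_xml(SAMPLE_SECURITY_XML)
    for alias in result["default_user_aliases"]:
        print("still uses %s: %s" % (DEFAULT_USER, alias))
    print("security enabled:", result["security_enabled"])
    print("all aliases updated:", result["aliases_updated"])
```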
If you cannot see the content of the SystemOut.log file in the Console
view, try following the instructions in the technote entitled "Console output
fails to display in the version 6 WebSphere Test Environment when global security
is enabled".
If you are using the default authentication alias data predefined
by WebSphere Integration Developer and you have not made the property
modifications that are required for your business processes and human tasks
to run correctly when security is enabled, you will receive a stack trace
similar to the one below as soon as you enable security.
[CWSIV0954E] com.ibm.wsspi.sib.core.exception.SIAuthenticationException: CWSIP0301E: Unable to authenticate user wid when creating a connection to secure messaging engine widNode.server1-CommonEventInfrastructure_Bus on bus CommonEventInfrastructure_Bus. was thrown while attempting to create a connection on factory com.ibm.ws.sib.processor.impl.MessageProcessor@7797368c.
at com.ibm.ws.sib.ra.inbound.impl.SibRaMessagingEngineConnection.<init>(SibRaMessagingEngineConnection.java:217)
at com.ibm.ws.sib.ra.inbound.impl.SibRaEndpointActivation.getConnection(SibRaEndpointActivation.java:362)
at com.ibm.ws.sib.ra.inbound.impl.SibRaStaticDestinationEndpointActivation.createListener(SibRaStaticDestinationEndpointActivation.java:669)
at com.ibm.ws.sib.ra.inbound.impl.SibRaStaticDestinationEndpointActivation.<init>(SibRaStaticDestinationEndpointActivation.java:222)
at com.ibm.ws.sib.ra.inbound.impl.SibRaResourceAdapterImpl.endpointActivation(SibRaResourceAdapterImpl.java:321)
at com.ibm.ejs.j2c.ActivationSpecWrapperImpl.activateEndpoint(ActivationSpecWrapperImpl.java:228)
at com.ibm.ejs.j2c.RAWrapperImpl.activateEndpoint(RAWrapperImpl.java:824)
at com.ibm.ejs.j2c.RALifeCycleManagerImpl.activateEndpoint(RALifeCycleManagerImpl.java:1298)
at com.ibm.ejs.container.MessageEndpointFactoryImpl.activateEndpoint(MessageEndpointFactoryImpl.java:256)
at com.ibm.ejs.container.EJSContainer.loadBeanMetaData(EJSContainer.java:1614)
at com.ibm.ejs.container.HomeOfHomes.loadBeanMetaData(HomeOfHomes.java:663)
at com.ibm.ejs.container.HomeRecord.getHomeAndInitialize(HomeRecord.java:458)
at com.ibm.ejs.container.EJSContainer.getHomeWrapperCommon(EJSContainer.java:1239)
at com.ibm.ejs.container.EJSContainer.getHomeInstance(EJSContainer.java:1148)
at com.ibm.ejs.container.EJSContainer.startBean(EJSContainer.java:1134)
at com.ibm.ws.runtime.component.EJBContainerImpl.startBean(EJBContainerImpl.java:3264)
at com.ibm.ws.runtime.component.EJBContainerImpl.install(EJBContainerImpl.java:2736)
at com.ibm.ws.runtime.component.EJBContainerImpl.start(EJBContainerImpl.java:3499)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1228)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1067)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:547)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:751)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:892)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$AppInitializer.run(ApplicationMgrImpl.java:2003)
at com.ibm.ws.runtime.component.ComponentImpl.runAsynchronousInitializer(ComponentImpl.java:159)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplications(ApplicationMgrImpl.java:745)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:524)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:820)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:649)
at com.ibm.ws.runtime.component.ApplicationServerImpl.start(ApplicationServerImpl.java:149)
at com.ibm.ws.runtime.component.ContainerImpl.startComponents(ContainerImpl.java:820)
at com.ibm.ws.runtime.component.ContainerImpl.start(ContainerImpl.java:649)
at com.ibm.ws.runtime.component.ServerImpl.start(ServerImpl.java:402)
at com.ibm.ws.runtime.WsServerImpl.bootServerContainer(WsServerImpl.java:187)
at com.ibm.ws.runtime.WsServerImpl.start(WsServerImpl.java:133)
at com.ibm.ws.runtime.WsServerImpl.main(WsServerImpl.java:387)
at com.ibm.ws.runtime.WsServer.main(WsServer.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at com.ibm.ws.bootstrap.WSLauncher.run(WSLauncher.java:218)
at java.lang.Thread.run(Thread.java:568)