Tuesday, July 23, 2013

IBM BPM - Word to the wise when exporting snapshots

Don't do as I did and export the currently available snapshot, as this MAY not be the latest version of the Process Application.

What I should have done is to create a new snapshot from the Tip ( that's the most recent version of the code ) and then export this newly created snapshot instead.

My error caused one of my developers to lose some of his work - thankfully not too much, but it could've been much much worse.

If in doubt, create a snapshot and, equally importantly, check with the developer BEFORE you export.

IBM BPM - Monitoring Exports and Imports

I've recently been using some of the IBM BPM scripted commands, including BPMCreateOfflinePackage and BPMExtractOfflinePackage and BPMInstallOfflinePackage.

Whilst doing this, it's always useful to monitor how the corresponding export / import / install processes are going.

Want to know how ?

Watch the logs for messages that include: -

wle_expimp

as per the following example: -

[7/17/13 9:38:50:994 BST] 00000c7e wle_expimp    I   CWLLG0150I: Finished exporting for snapshot FOOBAR_01_JULY_TEST to server PS_Dev with an export result of com.lombardisoftware.expimp.pack.InstallationPackage@8f208f2
[7/17/13 9:38:50:994 BST] 00000c7e wle_expimp    I   CWLLG0151I: FOOBAR_01_JULY_TEST Beginning login to remote server
[7/17/13 9:38:51:216 BST] 00000c7e wle_expimp    I   CWLLG0154I: FOOBAR_01_JULY_TEST Remote login succeeded.
[7/17/13 9:38:51:216 BST] 00000c7e wle_expimp    I   CWLLG0714I: FOOBAR_01_JULY_TEST Sending export.
[7/17/13 9:55:03:525 BST] 0000005d wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:00:08:555 BST] 00000dfb wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:05:09:898 BST] 00000c83 wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:05:52:849 BST] 00000c83 wle_expimp    I   CWLLG0162I: Import Failed
[7/17/13 10:05:52:853 BST] 00000dfb wle_expimp    I   CWLLG0162I: Import Failed
[7/17/13 10:06:37:029 BST] 0000005d wle_expimp    I   CWLLG0162I: Import finished successfully
[7/17/13 10:10:36:208 BST] 00000c7e wle_expimp    I   CWLLG1324I: FOOBAR_01_JULY_TEST Export sent.
[7/17/13 10:10:36:209 BST] 00000c7e wle_expimp    I   CWLLG0156I: FOOBAR_01_JULY_TEST Install succeeded
[7/17/13 10:10:36:209 BST] 00000c7e wle_expimp    I   CWLLG1325I: FOOBAR_01_JULY_TEST The snapshot is being marked as 'INSTALLED'.
[7/17/13 10:10:37:993 BST] 00000c7e wle_expimp    I   CWLLG1326I: FOOBAR_01_JULY_TEST Creating deployment record.
[7/17/13 10:10:38:201 BST] 00000c7e wle_expimp    I   CWLLG1327I: FOOBAR_01_JULY_TEST Deployment record created.
[7/17/13 10:10:38:202 BST] 00000c7e wle_expimp    I   CWLLG0159I: FOOBAR_01_JULY_TEST Install complete.
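
The sample above logs CWLLG0162I for both "Import Failed" and "Import finished successfully", so a watcher has to read the message text, not just the ID. The following is an added example, not part of the original post or of IBM's tooling. It pairs each import start with its outcome, assuming the thread ID ties the two together (as it does in the sample) and that timestamps are month/day/year.

```python
import re
from datetime import datetime, timedelta

# Import-related lines from the sample above, plus two constructed lines
# (thread 00000e01 and the SystemOut line) to exercise the edge cases.
SAMPLE_LOG = """\
[7/17/13 9:55:03:525 BST] 0000005d wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:00:08:555 BST] 00000dfb wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:05:09:898 BST] 00000c83 wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:05:52:849 BST] 00000c83 wle_expimp    I   CWLLG0162I: Import Failed
[7/17/13 10:05:52:853 BST] 00000dfb wle_expimp    I   CWLLG0162I: Import Failed
[7/17/13 10:06:01:000 BST] 00000e01 wle_expimp    I   CWLLG0160I: The import has started
[7/17/13 10:06:02:000 BST] 00000e01 SystemOut     O   unrelated output
[7/17/13 10:06:37:029 BST] 0000005d wle_expimp    I   CWLLG0162I: Import finished successfully
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+):(?P<ms>\d{3}) \S+\]\s+"
    r"(?P<thread>[0-9a-fA-F]{8})\s+wle_expimp\s+\S\s+"
    r"(?P<msgid>CWLLG\d+[A-Z]):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Return (timestamp, thread, msgid, text) for a wle_expimp line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: month/day/year timestamps, as in the sample above.
    ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
    ts += timedelta(milliseconds=int(m["ms"]))
    return ts, m["thread"], m["msgid"], m["text"]


def track_imports(lines):
    """Pair each 'import has started' with the outcome logged on the same thread."""
    open_imports, results = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, thread, msgid, text = parsed
        if msgid == "CWLLG0160I":
            open_imports[thread] = ts
        elif msgid == "CWLLG0162I" and thread in open_imports:
            started = open_imports.pop(thread)
            # CWLLG0162I is logged for both outcomes, so the text decides.
            outcome = "FAILED" if "fail" in text.lower() else "OK"
            results.append((thread, outcome, (ts - started).total_seconds()))
    # Anything still open has started but not yet logged an outcome.
    results += [(t, "RUNNING", None) for t in open_imports]
    return results


if __name__ == "__main__":
    for thread, outcome, seconds in track_imports(SAMPLE_LOG.splitlines()):
        took = "" if seconds is None else " after %.1fs" % seconds
        print("thread %s: import %s%s" % (thread, outcome, took))
```
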

This is also immensely useful: -


including the trace strings: -

For IBM Business Process Manager Advanced : 

On the AppTarget cluster for the Process Center and the Process Server, set the trace string to *=info:WLE.*=all:com.ibm.bpm.fds.*=all:ProcessApplicationLifecycle=all:com.ibm.bpm.fds.repo.util.ContributionHelper=off:WLE.wle_expimp=finest


For IBM Business Process Manager Standard or IBM Business Process Manager Express : 

On the AppTarget cluster for the Process Center and the Process Server, set the trace string to *=info:WLE.*=all:WLE.wle_expimp=finest

One thing I'm learning about is imports failing with Error: You are not authorised to change this workspace. As far as I can establish, this is because the user performing the import ( a non-admin user, of course ) does NOT have read access to a dependent toolkit.

I'm continuing to learn, so watch this space.

Monday, July 22, 2013

IBM BPM Standard 7.5.1.1 - Updating the Group Cache

I've been having hours of fun, trying to work out why I couldn't map newly-created groups ( created in the File-Based Registry ) into BPM-specific roles, such as tw_authors which allows a user to log in and access Process Center and Process Designer.

In my case, I've created a set of temporary user accounts, and a corresponding group, in the File-Based Registry whilst I wait for "real" LDAP accounts to be created.

However, I couldn't work out why I couldn't see the newly created group ( IBM_Service ) when I attempted to add the group into the tw_authors role.

I faffed about ( that's English for trial and error ) for a while, before discovering the GroupCache option, as per the screenshot below and, even more importantly, the Reset link.

Once I reset the cache, the groups magically appeared.

Easy when one knows how :-)


IBM BPM Standard 7.5.1 - Updating Web Services Timeout


I'm trying to be a good citizen, and avoid editing files other than 100Custom.xml.

To that end, I wished to override the default SOAP-based web services timeout from the default of -1 ( to infinity and beyond ) to a more sensible value of, say, 120 seconds.

However, I was struggling with the stanza, in terms of where to put this: -

<!-- Timeout in seconds to wait when invoking WebService using SOAPConnector
  Use -1 to disable -->
<timeout>120</timeout>

in 100Custom.xml.

This Technote is useful, but suggests that one should ( quelle horreur ) edit 99Local.xml: -


This is what I initially tried: -

...
</server>

<webservices merge="mergeChildren">
<timeout>120</timeout>
</webservices>


</properties>

and: -

...
<webservices merge="mergeChildren">
<timeout>120</timeout>
</webservices>

</server>


</properties>

but neither worked for me - the timeout value resolutely stuck at -1, as evidenced in TeamWorksConfiguration.running.xml following a restart of my JVM.

This is where I'm editing 100Custom.xml as it's a standalone / single server environment: -

 Directory of C:\profiles\ProcCtr01\config\cells\BPM75Node01Cell\nodes\BPM75Node01\servers\server1\process-center\config

07/18/2013  10:56 AM    <DIR>          .
07/18/2013  10:56 AM    <DIR>          ..
07/18/2013  11:25 AM             1,692 100Custom.xml
11/18/2011  02:05 PM             3,307 console.xml
11/18/2011  02:05 PM             2,133 HTTPEventListener.properties
11/18/2011  02:11 PM             3,077 log4j.xml
11/18/2011  02:05 PM    <DIR>          system
               4 File(s)         10,209 bytes
               3 Dir(s)   4,372,209,664 bytes free


Thanks to some excellent teaming from the IBM BPM Practitioner community, I was recommended to use: -


</server>

<webservices>
<timeout merge="replace">120</timeout>
</webservices>

</properties>
… 

and, eventually: -

</server>

<webservices merge="mergeChildren">
<timeout merge="replace">120</timeout>
</webservices>

</properties>
… 

The recommendation to use merge="mergeChildren" was to avoid inadvertently replacing the entire <webservices> XML node with just the timeout override entry.

Which is VERY good advice.

Bottom line, following the restart, my web services will now time out after 2 minutes rather than NEVER timing out, which is nice.
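
The two failure modes described above (the override not being applied, and the whole <webservices> node being replaced by the single timeout entry) can both be checked against the running configuration after a restart. This is an added example, not from the original post or from IBM. The XML is a constructed stand-in for TeamWorksConfiguration.running.xml, <setting-a> and <setting-b> are hypothetical sibling settings, and it assumes <webservices> can be found anywhere under the root.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for TeamWorksConfiguration.running.xml.
# <setting-a> and <setting-b> are hypothetical sibling settings.
BASELINE = """<properties><server/><webservices>
  <timeout>-1</timeout><setting-a>x</setting-a><setting-b>y</setting-b>
</webservices></properties>"""
# Override merged correctly: only the timeout changes.
MERGED = BASELINE.replace("<timeout>-1<", "<timeout>120<")
# Override replaced the whole node: the sibling settings are gone.
CLOBBERED = """<properties><server/><webservices>
  <timeout>120</timeout>
</webservices></properties>"""


def webservices_settings(xml_text):
    """Return {child tag: text} for the first <webservices> node, or None."""
    root = ET.fromstring(xml_text)
    node = next(root.iter("webservices"), None)
    if node is None:
        return None
    return {child.tag: (child.text or "").strip() for child in node}


def audit_timeout(baseline_xml, running_xml, expected_seconds):
    """Compare the running config with a pre-change baseline; return findings."""
    after = webservices_settings(running_xml)
    if after is None:
        return ["no <webservices> node in the running configuration"]
    findings = []
    try:
        seconds = int(after.get("timeout", ""))
    except ValueError:
        findings.append("<timeout> is missing or not a number")
    else:
        if seconds < 0:
            # A negative value disables the timeout, so calls can hang forever.
            findings.append("timeout is %d: SOAP calls never time out" % seconds)
        elif seconds != expected_seconds:
            findings.append("timeout is %d, expected %d" % (seconds, expected_seconds))
    # Any setting present before the change but absent now was clobbered.
    before = webservices_settings(baseline_xml) or {}
    lost = sorted(set(before) - set(after))
    if lost:
        findings.append("settings lost from <webservices>: " + ", ".join(lost))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("baseline", BASELINE), ("merged", MERGED),
                           ("clobbered", CLOBBERED)):
        print(name, audit_timeout(BASELINE, xml_text, 120) or "OK")
```
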


Friday, July 19, 2013

Understanding the WebSphere Application Server SAML Trust Association Interceptor

This has come up in conversations a few times, so Martin Lansche's developerWorks article: -


is perfectly timed.

Summary: Recent fixpacks to IBM® WebSphere® Application Server versions 7.0, 8.0 and 8.5 include a new SAML Trust Association Interceptor (TAI) that introduces new advanced single sign on capabilities. The TAI includes many properties, and understanding what these options do and when to use them can be a challenge. The purpose of this article is to help you make sense of the SAML TAI. This content is part of the IBM WebSphere Developer Technical Journal.

Introduction

IBM WebSphere Application Server — and stack products running on top of a WebSphere Application Server platform — has had a customizable authentication framework since V5.1 based on the Trust Association Interceptor (TAI) interface. There are multiple product implementations of this interface. In 2012, the WebSphere Application Server full profile edition shipped a new Security Assertion Markup Language (SAML) TAI that is available on WebSphere Application Server versions 7.0, 8.0 and 8.5. (At the time of this writing, the IBM WebSphere Application Server Liberty profile does not have SAML support.) This TAI is by far the most comprehensive TAI available so far. This article will explain:

• How the SAML TAI can be used.
• When it is appropriate to use the SAML TAI.
• How the various SAML TAI properties work together.
• The intricate path that the SAML TAI weaves through the WebSphere Application Server authorization process.

This article assumes a firm understanding of the WebSphere Application Server authentication process (as described in the article Advanced authentication in WebSphere Application Server), as well as an understanding of:

• Digital signing
• Encryption
• Identity assertion
• TAIs in general.


Sunday, July 14, 2013

On the Wiki - IBM UX Screen Flow Manager

Summary

IBM UX Screen Flow Manager provides a mechanism to guide users through a well-defined sequence of screens where they can perform a number of steps or tasks in the appropriate sequence.

Introduction

Customers often have to implement portal- or portlet-based solutions that guide users through a well-defined sequence of screens. These sequences route users along paths that interconnect user interface artifacts, such as forms or masks, so that the users can accomplish specific tasks. From a user perspective, stepping through such sequences feels to the users like working with wizards. It relieves them from thinking about the right sequence of going through the screens and processing them.

The need for such solutions arises across all industries. In the insurance industry, screen flow modelers might need to model flows for processing policy quotations or claim submissions. Quoting a vehicle insurance policy might be composed of steps such as vehicle selection, vehicle data specification, insure data collection, tariff characteristics selection. Similar applications can be required for banking, help desk, or travel applications.

When developers write portal based solutions, the screens and the functions behind them are usually provided by portlets. But the mapping of individual screens to portlets can be difficult, as it impacts both the user experience and the reusability.

As of today, customers usually must select between two extremes:
• On the one hand, they can decide to have one single portlet provide all necessary screens and the entire set of functions that is required to accomplish a specific task. This approach where one portlet fits for all implies developing one single monolithic application. Due to its complexity and its non-modular character, such a portlet does not scale well, is hard to maintain, and difficult to reuse. However, this approach provides developers and screen flow modelers with the highest control for guiding users through the flow.
• On the other hand, they can decide to develop a single dedicated portlet for each of the individual screens and functions that are required to accomplish a specific task. This approach with one portlet per screen offers more flexibility and increases the options for reusability. However, guidance for the users is less strict and less controllable, which in turn increases the danger of erroneous navigation. Therefore, developers need to write "hard-wired" portlets. Such hard-wired portlets reduce flexibility, or users need to find out about the intended flow, which increases the risk for incorrect usage. In general, there is no single right answer for the right granularity. This issue often leads to time consuming discussions and decisions, depending on the actual scenario that is to be implemented.

The IBM® UX Screen Flow Manager provides operators, developers, and dialog modelers with the best of two worlds: It provides the basis for developing fine-granular, small split portlets, which can also be declaratively interconnected and managed by IBM WebSphere® Portal. This way, it provides an answer to the tradeoff decision by providing both strict user guidance and high reusability.

Wednesday, July 10, 2013

Book Review - A Project In Your Pocket

This is a shortened version of the review that I've submitted to the British Computer Society which, I hope, will be published in their monthly IT Now journal.

The review covers A Project In Your Pocket by John Turner 

As advertised, this short ( 96 pages ) book fits in one's pocket. The size has positive and negative consequences; for me, I found that the size sometimes made the illustrations hard to follow; perhaps this is where I need the ebook variant, with the zoom option.

The book is easily digestible in short chunks; perhaps a chapter per day – although it could be quite easily consumed cover-to-cover in an hour or so.

It does not assume that the reader is experienced in Project Management or delivery. I, for one, am involved in project delivery, but have no formal training as a Project Manager – however, this was not an inhibitor. John gives good background on the concepts that he introduces, and assumes nothing.

As the title suggests, the book introduces a new project management discipline; Snappy Projects ( which is also the name of John's company ).

Each chapter covers one aspect of a nine-step programme, ranging from Branding, through Who?, What?, How? and ending with Sell.

John also makes frequent use of quotations - I especially like Joseph Priestley's wise words - "The more elaborate our means of communication the less we communicate."

The introduction is excellent, setting the scene by comparing and contrasting two of the most often used Project Management methodologies, waterfall ( via PRINCE2 ) and Agile.

Throughout the remaining chapters, John introduces each of the nine steps, using examples tied back to the case study. At the end of the book, he provides illustrations of each of the project artefacts. Again, due to the book's size, some of these are unreadable – another potential benefit of an ebook.

In conclusion, this is a very useful book for anyone involved in the realm of Project Management, whether an experienced PM or a "mere" project team member. I'll keep a copy in my pocket or, at least, in my kit bag.

John finishes by recommending that the reader also look at other, non PM-related, books. I'll be taking him up on his suggestion.


For the full review, please look out for a future edition of IT Now.

IBM Business Process Manager - Exporting Snapshots using Scripts

Having just gone through this process, I wanted to write up my notes for future reference.

The objective is to export a process application snapshot to a file on disk, without using a web browser.

(A) Start WSAdmin

$ cd /opt/IBM/WebSphere/AppServer/profiles/dmgr/bin/
$ ./wsadmin.sh -host processcenter01.uk.ibm.com -port 91302 -user tw_admin -password ******

Notes

(i) You need to connect to one of the application server JVM(s) running the BPM workload ( i.e. AppTarget cluster ) rather than the Deployment Manager, thus the SOAP port will NOT be the one normally used for DM-related wsadmin tasks
(ii) You need to authenticate as a BPM user i.e. tw_admin or equivalent, rather than the WAS/cell administrator account; we're running a BPM task, rather than a "pure" WAS task

(B) Export the snapshot

wsadmin> $AdminTask BPMCreateOfflinePackage {-containerAcronym HSS -containerSnapshotAcronym 7.5.1 -containerTrackAcronym Main -serverName ProcessServer01 }

Notes

(i) Note that the target Process Server needs to have been "registered" as an off-line Process Server on Process Center ( via Servers > Add a New Offline Server )
(ii) The Server Name used to "register" the server e.g. ProcessServer01 is what is used in the wsadmin script above

This should return: -

BPMCreateOfflinePackage passed.

In one case, the export took rather a long time ( ~60 minutes ), because the snapshot contained lots of toolkit snapshots, and resulted in a 20 MB+ file.

Therefore, I needed to increase com.ibm.SOAP.requestTimeout ( either via soap.client.props or via an override file )

(C) Generate a ZIP file containing the snapshot

wsadmin> $AdminTask BPMExtractOfflinePackage {-containerAcronym HSS -containerSnapshotAcronym 7.5.1 -containerTrackAcronym Main -serverName ProcessServer01 -outputFile  /tmp/hss_snapshot1.zip}

This should return: -

BPMExtractOfflinePackage passed.

resulting in: -

-rw-r--r-- 1 wasadmin1 wasadmin1 502418 Jul  9 16:24 /tmp/hss_snapshot1.zip

Troubleshooting 

If you see: -

[09/07/13 15:51:59:296 BST] 00000020 PALAdminComma I   BPMCreateOfflinePackage failed due to: null
                                 java.lang.NullPointerException
        at com.ibm.bpm.pal.commands.impl.internal.BPMCreateOfflinePackage.execute(BPMCreateOfflinePackage.java:63)
        at com.ibm.ws.management.cmdframework.impl.RemoteCommandMgrImpl.adminCmdExecute(RemoteCommandMgrImpl.java:335)
        at com.ibm.ws.management.cmdframework.impl.RemoteCommandMgrImpl.execute(RemoteCommandMgrImpl.java:292)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)


it is likely that the offline server has NOT been added to Process Center ( via the Servers tab ) - see above

If you see: -

WASX7015E: Exception running command: "$AdminTask BPMCreateOfflinePackage {-containerAcronym HSS -containerSnapshotAcronym 7.5.1 -containerTrackAcronym Main -serverName gbrdsr000000073_base-bpmPCapp01-server01 }"; exception information:

javax.management.MBeanException

com.ibm.websphere.management.cmdframework.CommandLoadException

java.io.IOException: java.io.IOException: org.eclipse.emf.ecore.resource.Resource$IOWrappedException: Package with uri 'http:///com/ibm/websphere/management/cmdframework/commanddata.ecore' not found. (file:///opt/IBM/WAS/wasadmin1/app/profiles/dmgr/Command.xmi, 2, 336)


check the SOAP port being used - it should be the SOAP port of one of the managed nodes NOT the DMGR - see above.

If you see: -

WASX7015E: Exception running command: "$AdminTask BPMCreateOfflinePackage {-containerAcronym HSS -containerSnapshotAcronym 7.5.1 -containerTrackAcronym Main -serverName ProcessServer01 }"; exception information:

java.lang.Exception: java.lang.Exception: Server gbrdsr000000073_base-bpmPCapp01-server01 doesn't exists in Proces Center.


ensure that the target Process Server is registered within Process Center as an off-line server, via Process Admin > Servers > Add a New Offline Server

If you see: -

WASX7015E: Exception running command: "$AdminTask BPMCreateOfflinePackage {-containerAcronym HSS -containerSnapshotAcronym 7.5.1 -containerTrackAcronym Main -serverName ProcessServer01 }"; exception information:

java.lang.Exception: java.lang.Exception: You are not authorized to deploy this snapshot


ensure that you're running wsadmin as a BPM, rather than WAS, user e.g. tw_admin or equivalent

With thanks to this article: -


for the overall process, as well as the IBM Information Center: -




Thursday, July 4, 2013

Monitoring and tuning IBM BPM performance with Websphere Performance Tuning Toolkit

Monitoring and tuning a BPM platform at the system level is far away from getting process tracking points data and build nice scoreboards showing the process performance. But at the end if the system doesn't perform well the users will complain about how it's affecting their performance and how that is impacting the process SLAs.  And if that happens the BPM "system" will be seen as the reason for the bad business performance. Besides all that no one likes to use a system that is slow and has bad responsiveness.


IBM WebSphere Application Server - Not returning group members from IBM Tivoli Directory Server

So this one has been bugging me for a few days.

I have WebSphere Application Server Network 7.0.0.25 hooking into IBM Tivoli Directory Server ( not sure which version ) over SSL.

WAS <-> LDAP connectivity is fine, and I can retrieve lists of users and groups from LDAP.

However, I am not able to see the members of LDAP groups via the WAS Integrated Solutions Console (ISC).

Navigating to Users and Groups > Manage Groups, I enter the group name - ibmbpm_Dev_Team - and click Search.

The group is returned, with the correct Unique Name ( Distinguished Name ).

However, when I click on the group name and click into the Members tab, I see no members and, in fact, see "The group has 0 members".

Needless to say, I can see the members if I connect to LDAP via a LDAP tool ( LDAP Browser Editor ).

I can see, from the exported LDIF, that the group has an objectClass of groupOfNames, and that the members ( 115 in total ) are objectClass of member.

In WAS, under Global Security > Federated repositories > LDAP ( repository name ) > Group attribute definition, I've currently got Name of group membership unset ( null ), Scope of group membership attribute set to Direct and, under Member Attributes, I've got a single attribute ( member ) defined, with direct scope to object class groupOfNames.

Last time I had this problem ( with ComputerAssociates LDAP ), the problem was that the group was of objectClass groupOfUniqueNames and the members were of objectClass uniqueMember. Therefore, I needed to add the corresponding member attribute of uniqueMember.

However, this time around WAS VMM matches what I see in the LDIF - groupOfNames and member.

The one other strange thing is that, having enabled VMM etc. tracing: -

*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all

using the Must Gather: -


I can see, in trace.log, the group AND the members.

Therefore, it feels like the members ARE being returned from LDAP to VMM, but that the WAS ISC isn't displaying them.

The solution ?

So the trace had the answer - when I looked more closely, I could see the members listed: -

member:    T=e123456789
member:    T=h987654321

In other words, each member had an additional attribute ( T ), rather than the more standard uid or cn e.g. uid=e123456789 or cn=987654321.

The problem was that WAS didn't "know" about this attribute.

It was necessary to add this attribute into the PersonAccount objectClass.

Ironically, the client already had a Jacl script to do this very thing.

What's worse ?

One of my team had been telling me this for 2-3 days :-)

Once I executed the Jacl, and restarted WAS, guess what ?

Yes, you've guessed it, the members started showing up in the WAS ISC.

The moral of the story ?

Listen to your colleague, and don't automatically assume that you know best :-)

*UPDATE 18 SEPTEMBER*

As per Sjaak's suggestion, the JACL script adds the T attribute into the PersonAccount Object Class; this is seen in wimconfig.xml which changes from: -

...
   
      uid
   

...

to: -

...
   
      uid
      T
   
...



Monitoring WebSphere App Server SSL certificate expiry

My friend, Bob Clarke, drew my attention to this: -


A Jython script to check all certificates that are stored in keystores under Cell management. At my client's site I added IHS, Plugin and CACerts keystores to the Cell so that they too can be checked. 
If you have access to an SMTP service this script will send an email when a cert is due to expire in less than X days. I run this from a bourne wrapper (I'll place the code for this at the end of this post) which also sends an email if it can't run the AdminTask methods it needs to for any reason.


Nice :-)