Tuesday, 13 May 2014

IBM Business Monitor 8.0.1.2 - Problems emitting events from IBM BPM Advanced 8.5

So I'm on a journey of discovery, working with a colleague to set up IBM BPM -> IBM Business Monitor integration for the very first time.

I will write up my notes in due course, but I did hit two problems, one of which I've referenced below, purely for information.

The thing that kicked this off was an exception: -

Track support for CWMAX4230 error on IBM® WebSphere® Business Monitor model configuration.

that my colleague saw when he tried to deploy a Monitor model .....


Briefly, it's necessary to set up a security relationship between BPM and Monitor, in order that the BPM server can publish events to a Service Integration bus topic, to which Monitor can then subscribe.

This requires the exchange of certain security information, including SSL certificates and, if one so chooses, Lightweight Third Party Authentication (LTPA) tokens.

LTPA tokens are used to assert the identity of a user from the BPM environment ( which is running on one WAS cell ) to the Monitor environment ( which is running on a second WAS cell ).

Now I've used LTPA many many times in the past, usually to integrate WebSphere Portal with IBM Connections, IBM Sametime with IBM Connections, IBM Quickr with WebSphere Portal, IBM Domino with WebSphere Portal etc.

In essence, one generates a LTPA key on server A ( BPM cell ) and imports it into server B ( Monitor cell ), and vice versa.

The LTPA token uses the WebSphere Identity Manager (WIM) realm, which is typically defaultWIMFileBasedRealm e.g.

...
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
...

In essence, we set up a trust relationship between the two WAS cells, using the exported/imported LTPA keys.

However, one other important thing is that the LTPA token, generated and delivered back to the end-user, and then used to assert the user's identity to the target WAS cell, is generated with an expiration interval.

Therefore, the clock on the server that generated it needs to be in sync with the target WAS server.

If the clocks aren't in sync, then we got a problem ..... :-)

So this is what I had: -

Monitor

Tue May 13 05:49:02 CDT 2014

BPM

Tue May 13 11:46:24 CDT 2014

Thankfully, this old but useful document: -


This issue is resolved through the following actions:

• Enable the exchange of LTPA keys between the WebSphere Business Monitor and WebSphere Process Server nodes. Refer to WebSphere Business Monitor, Version 6.1 product documentation for "Sharing LTPA keys" at: http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r1mx/index.jsp?topic=/com.ibm.btools.help.monitor.install.doc/security/ltpa_cfg.html
• Assure that the system clocks of the WebSphere Business Monitor and WebSphere Portal Server nodes are synchronised

For the record, I was also seeing this: -

[5/13/14 11:49:30:432 CDT] 00000559 LTPAServerObj W   SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Tue May 13 11:46:00 CDT 2014, current Date: Tue May 13 11:49:30 CDT 2014 Token attributes:  username=user:defaultWIMFileBasedRealm/uid=wasadmin,o=defaultWIMFileBasedRealm.. This warning might indicate expected behavior. Please refer to technote at http://www-01.ibm.com/support/docview.wss?uid=swg21594981
.

in the SystemOut.log of the BPM cell's Deployment Manager.

Bottom line, get your clocks in order or LTPA won't work :-)

No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...