Thursday, 26 March 2015

CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

For other reasons, relating to incorrectly formatted SSL certificates within a WAS profile, I needed to recreate my IBM BPM 8.5.5 environment yesterday.

I did this by deleting the WAS profiles, which took care of the Deployment Environment, and had my DB2 SME drop the nine Messaging Engine tables from the Common/Shared DB ( CMNDB ).

I recreated the Deployment Environment using BPConfig, and all seemed well .....

Until a colleague tried to invoke a multi-stage BPD, which triggers events to be consumed by IBM Business Monitor.

Guess what ?

Yes, my Deployment Environment rebuild hadn't quite worked as purely as I thought.

In the WAS logs, we saw: -

com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

Explanation: The technical user defined in the BPM role type 'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM' domain.

Action: Revert the recent user registry configuration changes and follow the instructions of the 'Administering the technical user for the IBM BPM document store' topic in the IBM BPM Information Center to ensure the technical user keeps access to the IBM BPM document store.


As per the message, I referenced: -


which made reference to a series of useful Jython commands, including: -

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')

 AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -add uid=deAdmin,o=defaultWIMFileBasedRealm]')

 AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -add #AUTHENTICATED-USERS]')

 all of which failed with: -

WASX7015E: Exception running command: "AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')"; exception information:

com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

Explanation: The technical user defined in the BPM role type 'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM' domain.

Action: Revert the recent user registry configuration changes and follow the instructions of the 'Administering the technical user for the IBM BPM document store' topic in the IBM BPM Information Center to ensure the technical user keeps access to the IBM BPM document store.

At that point, I started to wonder if I should've had John clear down ALL of the DBs.

So I completely shut down the Deployment Environment and had him do just that. He had a nice scripted process to recreate them, so they were back in the game within ~10 minutes.

I then needed to bootstrap the AppCluster DB tables: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/bootstrapProcessServerData.sh -clusterName AppCluster

and then start the Deployment Environment.

This time, the clever ECM Jython command worked: -

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')

returning: -

"Authorization on the domain for the IBM BPM document store\nCWTDS2034I: Access is granted to the IBM BPM document store domain 'uid=deAdmin,o=defaultWIMFileBasedRealm' with access mask '459,267'.\nAuthorization on the object store for the IBM BPM document store\nCWTDS2035I: Access is granted to the IBM BPM document store object store 'uid=deAdmin,o=defaultWIMFileBasedRealm' with access mask '838,205,440'."

 which is nice.

No comments: