Thursday, 24 September 2015

Things that make you go Hmmmmm #2772 - Updating RunAs Roles in IBM BPM Advanced 8.5.5

I'm in the process of documenting the migration of an IBM BPM Advanced 8.5.5 environment from the out-of-the-box file-based user registry to an external registry, MS Active Directory.

I'm going to write the entire process up more fully, once I've proven it to actually work.

However, one of the required steps took me a wee while to fully comprehend, and I obviously misunderstood the documentation.

This is the Knowledge Center page to which I refer: -


which says in part: -

...
IBM Business Process Manager provides the following applications that contain users that are mapped to the RunAs roles:
• IBM_BPM_PerformanceDW_supportDeploymentTarget
• IBM_BPM_Teamworks_applicationDeploymentTarget
• BPEContainer__applicationDeploymentTarget
• TaskContainer__applicationDeploymentTarget
...

...
Note: The bpmModifyMapRunAsRole script is used to update the IBM_BPM_Teamworks*.ear and IBM_BPM_PerformanceDW*.ear applications. It does not update other IBM Business Process Manager applications.

To define the RunAs roles user assignments, run the bpmModifyMapRunAsRole script, which is located at install_root/util/Security/bpmModifyMapRunAsRole.py.
...

So I read and absorbed this, and wrote the following series of commands: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -username wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName SupCluster -applicationName IBM_BPM_PerformanceDW_SupCluster

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName IBM_BPM_Teamworks_AppCluster

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName BPEContainer_AppCluster

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f /opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py -usr DepEnvAdmin -pwd P455w0rd -clusterName AppCluster -applicationName TaskContainer_AppCluster

each of which ran (!) and returned: -

*************************************************************************************
Start: Mapping run as roles to users

Mapping users for cluster profile.

End: Mapping run as roles to users
*************************************************************************************

However .....

The change didn't "take" and I could see no differences to the RunAs user mappings for each of the four applications.

Which wasn't nice.

So I read the actual Jython script: -

/opt/IBM/WebSphere/AppServer/util/Security/bpmModifyMapRunAsRole.py 

and saw, in part: -

...
if(applicationName == ''):
    appName = "IBM_BPM_Teamworks_" + targetName
    options = '[-MapRunAsRolesToUsers [[twem ' + userName + ' ' + password + '] [twuser ' + userName + ' ' + password + ']]]'
    AdminApp.edit(appName, options)

    appName = "IBM_BPM_PerformanceDW_" + targetName
    options = '[-MapRunAsRolesToUsers [[tw-loader ' + userName + ' ' + password + ']]]'
    AdminApp.edit(appName, options)

else:
    if(applicationName == 'Teamworks'):
        appName = "IBM_BPM_Teamworks_" + targetName
        options = '[-MapRunAsRolesToUsers [[twem ' + userName + ' ' + password + '] [twuser ' + userName + ' ' + password + ']]]'
        AdminApp.edit(appName, options)
    elif(applicationName == 'PerformanceDW'):
        appName = "IBM_BPM_PerformanceDW_" + targetName
        options = '[-MapRunAsRolesToUsers [[tw-loader ' + userName + ' ' + password + ']]]'
        AdminApp.edit(appName, options)

...

...
AdminConfig.save();
...

Interestingly, I never actually saw the output from AdminConfig.save() either, which rang alarum bells.

In other words, the script was looking for JUST the short application name, NOT the fully qualified application name (with the cluster name appended), e.g. PerformanceDW rather than IBM_BPM_PerformanceDW_SupCluster. A value that matches neither branch is simply ignored rather than rejected, which is why each run printed its start and end banners and nothing else.

Once I amended my commands accordingly, I started to see more meaningful messages: -

*************************************************************************************
Start: Mapping run as roles to users

Mapping users for cluster profile.

ADMA5075I: Editing of application IBM_BPM_PerformanceDW_SupCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_PerformanceDW_SupCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application IBM_BPM_PerformanceDW_SupCluster is complete.
ADMA5076I: Application IBM_BPM_PerformanceDW_SupCluster edited successfully. The application or its web modules may require a restart when a save is performed.
End: Mapping run as roles to users
*************************************************************************************

*************************************************************************************
Start: Mapping run as roles to users

Mapping users for cluster profile.

ADMA5075I: Editing of application IBM_BPM_Teamworks_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application IBM_BPM_Teamworks_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application IBM_BPM_Teamworks_AppCluster is complete.
ADMA5076I: Application IBM_BPM_Teamworks_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
End: Mapping run as roles to users
*************************************************************************************


etc.

*AND* more importantly, the change was actually effective, which IS nice.

However, the script does NOT touch the BPEContainer and TaskContainer applications, as can be seen from the IF/ELSE logic above; it only works on the PerformanceDW and Teamworks applications :-(

I ended up writing my own, modified, version of this script, specifically for the two extra BPM applications: -

daveModifyMapRunAsRole.py 
import sys

# Arguments passed after the script name on the wsadmin command line:
# <user> <password> <clusterName>
userName = sys.argv[0]
password = sys.argv[1]
clusterName = sys.argv[2]

targetName = clusterName

# BPEContainer declares the JMSAPIUser and AdminJobUser RunAs roles
appName = "BPEContainer_" + targetName
options = '[-MapRunAsRolesToUsers [[JMSAPIUser ' + userName + ' ' + password + '] [AdminJobUser ' + userName + ' ' + password + ']]]'
AdminApp.edit(appName, options)

# TaskContainer declares the AdminJobUser and EscalationUser RunAs roles
appName = "TaskContainer_" + targetName
options = '[-MapRunAsRolesToUsers [[AdminJobUser ' + userName + ' ' + password + '] [EscalationUser ' + userName + ' ' + password + ']]]'
AdminApp.edit(appName, options)

# Persist the edits to the master repository and push them out to the nodes
AdminConfig.save()
AdminNodeManagement.syncActiveNodes()

which I ran as follows: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd -f daveModifyMapRunAsRole.py DepEnvAdmin P455w0rd AppCluster

with the following results: -

WASX7209I: Connected to process "dmgr" on node Dmgr using SOAP connector;  The type of process is: DeploymentManager
WASX7303I: The following options are passed to the scripting environment and are available as arguments that are stored in the argv variable: "[DepEnvAdmin, P455w0rd, AppCluster]"
ADMA5075I: Editing of application BPEContainer_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application BPEContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application BPEContainer_AppCluster is complete.
ADMA5076I: Application BPEContainer_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
ADMA5075I: Editing of application TaskContainer_AppCluster started.
ADMA5058I: Application and module versions are validated with versions of deployment targets.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5005I: The application TaskContainer_AppCluster is configured in the WebSphere Application Server repository.
ADMA5113I: Activation plan created successfully.
ADMA5011I: The cleanup of the temp directory for application TaskContainer_AppCluster is complete.
ADMA5076I: Application TaskContainer_AppCluster edited successfully. The application or its web modules may require a restart when a save is performed.
---------------------------------------------------------------
 AdminNodeManagement:        Synchronize the active nodes
 Usage: AdminNodeManagement.syncActiveNodes()
 Return: If the command is successfully invoked, a value of 1 is returned. 
---------------------------------------------------------------
 
Node1
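As an added example (my own code, not Dave's script above and not IBM's bpmModifyMapRunAsRole.py), here is one wsadmin Jython script that covers all four applications, rejects an application name it does not recognise instead of silently matching neither branch, and reads the mapping back with AdminApp.view() after the save so the "did it take?" question is answered by the script rather than by eye in the admin console. The role names and application-name prefixes are the ones the two scripts quoted above use; the function names, the argument order, the field-per-line layout the parser expects from AdminApp.view() ("Role:", "User name:") and the sample view text are my assumptions. It is written to run under wsadmin's Jython 2.1 as well as CPython 3.

```python
# Added example (not code from the post or from IBM): one wsadmin Jython script
# that maps the RunAs roles of all four BPM Advanced 8.5.5 applications and
# fails loudly on an unrecognised application name. Role names and name
# prefixes come from the two scripts quoted above; function names, argument
# layout and the view-output parser are my own. Jython 2.1 + CPython 3 safe.
import sys

# prefix -> RunAs roles the application declares; full name = prefix + cluster
RUNAS_ROLES = {
    'IBM_BPM_Teamworks_':     ['twem', 'twuser'],
    'IBM_BPM_PerformanceDW_': ['tw-loader'],
    'BPEContainer_':          ['JMSAPIUser', 'AdminJobUser'],
    'TaskContainer_':         ['AdminJobUser', 'EscalationUser'],
}
# short names accepted on the command line (IBM's script knows only the first two)
SHORT_NAMES = {'Teamworks': 'IBM_BPM_Teamworks_', 'PerformanceDW': 'IBM_BPM_PerformanceDW_',
               'BPEContainer': 'BPEContainer_', 'TaskContainer': 'TaskContainer_'}

# Constructed sample of AdminApp.view(app, ['-MapRunAsRolesToUsers']) output in
# wsadmin's field-per-line task layout (the labels are an assumption).
SAMPLE_VIEW = ('MapRunAsRolesToUsers: Mapping RunAs roles to users\n\n'
               'Role:  twem\nUser name:  DepEnvAdmin\nPassword:  ********\n\n'
               'Role:  twuser\nUser name:  DepEnvAdmin\nPassword:  ********\n')

def resolve_app(name, cluster_name):
    """(full name, prefix) for 'PerformanceDW' or 'IBM_BPM_PerformanceDW_SupCluster';
    anything else raises ValueError instead of matching no branch and doing nothing."""
    if name in SHORT_NAMES.keys():
        return (SHORT_NAMES[name] + cluster_name, SHORT_NAMES[name])
    for prefix in RUNAS_ROLES.keys():
        if name == prefix + cluster_name:
            return (name, prefix)
    known = list(SHORT_NAMES.keys())
    known.sort()
    raise ValueError('unknown application %r for cluster %s; expected one of %s'
                     % (name, cluster_name, ', '.join(known)))

def build_options(roles, user_name, password):
    """The AdminApp.edit option string: '[-MapRunAsRolesToUsers [[role user pw] ...]]'."""
    entries = ['[%s %s %s]' % (role, user_name, password) for role in roles]
    return '[-MapRunAsRolesToUsers [%s]]' % ' '.join(entries)

def plan(user_name, password, cluster_name, app_names):
    """[(full_app_name, roles, options)]; every name is resolved before any edit."""
    steps = []
    for name in app_names:
        full_name, prefix = resolve_app(name, cluster_name)
        roles = RUNAS_ROLES[prefix]
        steps.append((full_name, roles, build_options(roles, user_name, password)))
    return steps

def parse_runas_view(view_output):
    """{role: user} from AdminApp.view output: blank-line separated rows of
    'Label:  value' lines; matches the 'role' / 'user...' labels case-insensitively."""
    mapping, role, user = {}, None, None
    for raw in view_output.split('\n') + ['']:
        line = raw.strip()
        if line == '':
            if role is not None and user is not None:
                mapping[role] = user
            role, user = None, None
        elif ':' in line:
            key, value = line.split(':', 1)
            key = key.strip().lower()
            if key == 'role':
                role = value.strip()
            elif key.startswith('user'):
                user = value.strip()
    return mapping

def unmapped_roles(view_output, roles, user_name):
    """Roles not mapped to user_name according to the view; [] means the edit took."""
    mapping = parse_runas_view(view_output)
    return [r for r in roles if mapping.get(r) != user_name]

# The AdminApp/AdminConfig objects only exist inside wsadmin, so the driver is
# skipped when this file is imported elsewhere (wsadmin also sets __name__ to
# 'main', so the usual __main__ idiom is not reliable). Usage inside wsadmin:
#   wsadmin.sh -lang jython -f mapRunAs.py <user> <password> <cluster> <app>...
# sys.argv holds only the arguments after the script name, and WASX7303I echoes
# them all, password included, into the wsadmin output.
try:
    AdminApp
    IN_WSADMIN = 1
except NameError:
    IN_WSADMIN = 0

if IN_WSADMIN:
    if len(sys.argv) < 4:
        raise SystemExit('usage: <user> <password> <clusterName> <application> ...')
    user_name, password, cluster_name = sys.argv[0], sys.argv[1], sys.argv[2]
    steps = plan(user_name, password, cluster_name, sys.argv[3:])
    for full_name, roles, options in steps:
        print('Mapping %s in %s' % (', '.join(roles), full_name))
        AdminApp.edit(full_name, options)
    AdminConfig.save()
    AdminNodeManagement.syncActiveNodes()
    for full_name, roles, options in steps:  # verify rather than trust ADMA5076I
        view = AdminApp.view(full_name, ['-MapRunAsRolesToUsers'])
        missing = unmapped_roles(view, roles, user_name)
        if missing:
            print('WARNING: %s not mapped to %s in %s' % (', '.join(missing), user_name, full_name))
```

Two caveats worth keeping in mind when running any of these scripts: the wsadmin -password value is visible to anyone who can run ps on the Deployment Manager host while the command runs, and the WASX7303I line in the output above shows that wsadmin echoes the script arguments, RunAs password included, to the console, so that transcript should not go into a shared log or ticket unedited. The wsadmin login can be taken off the command line by setting com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword in the profile's properties/soap.client.props (encoded with PropFilePasswordEncoder); the RunAs password still has to reach AdminApp.edit somehow, so reading it from a file with restricted permissions rather than argv is the least bad option.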


I'm going to be writing this up more fully once I've run through the end-to-end process a few more times ....
