Wednesday, 1 April 2015

For the Record - IBM Business Monitor 8.5.6 with Oracle 12c pluggable database

This popped up in Twitter yesterday, and references a rather excellent developerWorks Answers article: -


I performed this installation on a RHEL 6.6 system with a remote Oracle 12c database and ran into several issues. In this article, I wanted to share my installation experience and provide the solutions to the different problems.

Monday, 30 March 2015

IBM Operational Decision Manager V8.7.0.1 Fix Pack


This came via my IBM colleague, Dan Selman, through the medium of Twitter: -


This cumulative fix pack updates WebSphere Operational Decision Management V8.7.0 to V8.7.0.1.


IBM provides periodic fixes for the Operational Decision Manager family (formerly known as WebSphere Operational Decision Management). The following is a complete list of fixes for the components IBM Decision Server and IBM Decision Center.

IBM Installation Manager - Using response file variables

I needed this: -


so here it is :-)

This is also quite useful: -


IBM Operational Decision Manager - Performance Improvements

This popped up in my Twitter feed earlier: -

Improve performance for IBM Operational Decision Manager, Part 1: Reduce rule execution time

IBM® Operational Decision Manager (ODM) offers a variety of options for optimal performance. Each organization's environment and needs are unique, so guidance about settings to increase performance and to streamline resource management is essential. This tutorial provides a brief overview of the different IBM ODM modules, and how they interact with each other, and recommended settings for performance improvements that have been found to have the most impact on rule execution. This content is part of the IBM Business Process Management Journal.

I am guessing that there will be more coming from this author, on this precise topic, so please follow the article linked for the rest of the series .....

Thursday, 26 March 2015

CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

For other reasons, relating to incorrectly formatted SSL certificates within a WAS profile, I needed to recreate my IBM BPM 8.5.5 environment yesterday.

I did this by deleting the WAS profiles, which took care of the Deployment Environment, and had my DB2 SME drop the nine Messaging Engine tables from the Common/Shared DB ( CMNDB ).

I recreated the Deployment Environment using BPConfig, and all seemed well .....

Until a colleague tried to invoke a multi-stage BPD, which triggers events to be consumed by IBM Business Monitor.

Guess what ?

Yes, my Deployment Environment rebuild hadn't quite worked as purely as I thought.

In the WAS logs, we saw: -

com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

Explanation: The technical user defined in the BPM role type 'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM' domain.

Action: Revert the recent user registry configuration changes and follow the instructions of the 'Administering the technical user for the IBM BPM document store' topic in the IBM BPM Information Center to ensure the technical user keeps access to the IBM BPM document store.


As per the message, I referenced: -


which made reference to a series of useful Jython commands, including: -

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -add uid=deAdmin,o=defaultWIMFileBasedRealm]')

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -add #AUTHENTICATED-USERS]')

all of which failed with: -

WASX7015E: Exception running command: "AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')"; exception information:

com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: com.ibm.bpm.embeddedecm.exception.UserRegistryConfigurationProblemException: CWTDS0021E: The user registry configuration was changed in a way that causes the access to the IBM BPM document store to fail for the technical user 'deAdmin'.

Explanation: The technical user defined in the BPM role type 'EmbeddedECMTechnicalUser' is not permitted to access the 'BPM' domain.

Action: Revert the recent user registry configuration changes and follow the instructions of the 'Administering the technical user for the IBM BPM document store' topic in the IBM BPM Information Center to ensure the technical user keeps access to the IBM BPM document store.

At that point, I started to wonder if I should've had John clear down ALL of the DBs.

So I completely shut down the Deployment Environment and had him do just that. He had a nice scripted process to recreate them, so they were back in the game within ~10 minutes.

I then needed to bootstrap the AppCluster DB tables: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/bootstrapProcessServerData.sh -clusterName AppCluster

and then start the Deployment Environment.

This time, the clever ECM Jython command worked: -

AdminTask.maintainDocumentStoreAuthorization('[-deName PSCell1De1 -list]')

returning: -

"Authorization on the domain for the IBM BPM document store\nCWTDS2034I: Access is granted to the IBM BPM document store domain 'uid=deAdmin,o=defaultWIMFileBasedRealm' with access mask '459,267'.\nAuthorization on the object store for the IBM BPM document store\nCWTDS2035I: Access is granted to the IBM BPM document store object store 'uid=deAdmin,o=defaultWIMFileBasedRealm' with access mask '838,205,440'."

which is nice.

IBM HTTP Server and the Global Security Toolkit - Not quite Harry Potter

I have blogged about this before: -


but I finally have a much clearer idea of the problem, and the pukka solution.

When creating a self-signed SSL certificate in IHS, via a command such as: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,ou=nbsnet,dc=co,c=uk" -label "hostname.domain.co.uk" -default_cert yes

I'd end up with an exception: -

CTGSK3024W Invalid value for parameter "-dn" (cn=hostname.domain.co.uk,o=domain,o=co,c=uk).

Initially, I thought that the problem was with the format of the Distinguished Name, so I used an escape character in front of each comma: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk\,ou=nbsnet\,dc=co\,c=uk" -label "hostname.domain.co.uk" -default_cert yes

which worked OK .... or so I thought.

However, when I looked at the certificate in Firefox, I noted that the Issuer contained an invalid Common Name (CN) - it actually held the DN: -


I spent a wee while digging around, and found that, if I instead used ikeycmd : -

/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,o=domain,o=co,c=uk" -label "hostname.domain.co.uk" -default_cert yes


the certificate was created with the correct Issuer.

Which is unusual.

I've experimented further, including: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -size 2048 -dn "cn=hostname.domain.co.uk,dc=domain,dc=co,dc=uk" -label "hostname.domain.co.uk" -default_cert yes

In other words, I continued to experiment with the format of the DN.

According to this document: -


the crucial thing is to ensure that the DN is formatted to a certain X.500 standard: -

-dn <dist_name>

The X.500 distinguished name that uniquely identifies the certificate. The input must be a quoted string of the following format (only CN is required):

        CN=common name
        O=organization
        OU=organization unit
        L=location
        ST=state, province
        C=country
        DC=domain component
        EMAIL=email address

For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"

Multiple OU values are now supported. Simply add additional OU key\value pairs to the specified distinguished name. If the OU value requires a comma (',') then you must escape it with '\\'

For Example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US"

Therefore, via trial and error, I've found a syntax that works for my client, and also works with GSK rather than depending upon ikeycmd, as hosting a JRE on a web server is typically a bad idea.
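
As an added illustration (not part of the original post, and not GSKit's own parser), the following Python pre-check splits a -dn value on unescaped commas, validates each key against the attribute list quoted above, and flags the case seen earlier where escaping every comma folds the whole DN into the CN. The function names split_rdns and check_dn are hypothetical, the splitting rule is an assumption based on the documented escape, and the check does not cover every rule gskcapicmd enforces.

```python
import re

# Attribute keys listed in the gskcapicmd -dn documentation quoted above.
ALLOWED_KEYS = {"CN", "O", "OU", "L", "ST", "C", "DC", "EMAIL"}

def split_rdns(dn):
    """Split a DN on commas not preceded by a backslash (assumed rule).

    'dn' is the string as the tool receives it, after shell quoting."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i + 1]   # keep the escaped character, drop the backslash
            i += 2
        elif dn[i] == ",":
            parts.append(current)  # unescaped comma ends this component
            current = ""
            i += 1
        else:
            current += dn[i]
            i += 1
    parts.append(current)
    return parts

def check_dn(dn):
    """Return a list of problems; an empty list means no problem was found."""
    problems, keys = [], []
    for rdn in split_rdns(dn):
        key, sep, value = rdn.partition("=")
        key = key.strip().upper()
        if not sep or not value.strip():
            problems.append("component %r is not key=value" % rdn)
            continue
        if key not in ALLOWED_KEYS:
            problems.append("unknown attribute %r" % key)
        # A value holding ',<key>=' means escaped commas swallowed later components.
        if re.search(r",\s*[A-Za-z]+=", value):
            problems.append("%s value %r contains further key=value pairs" % (key, value))
        keys.append(key)
    if "CN" not in keys:
        problems.append("CN is required")
    return problems

if __name__ == "__main__":
    # Constructed inputs taken from the DN strings shown on this page.
    for sample in ("CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US",
                   "cn=hostname.domain.co.uk\\,ou=nbsnet\\,dc=co\\,c=uk"):
        print(sample, "->", check_dn(sample) or "ok")
```
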

For evidence, please see the 39 Steps here: -



Wednesday, 25 March 2015