Beans and Roles
http://ibmwebsphereodmonlinetraining.blogspot.com/2016/05/ibm-wodm-beans-and-roles.html
This post describes an issue that we saw with IBM WebSphere Operational Decision Management (WODM) 8.0.1 when attempting to use the Rule Execution Server (RES) Console.
We accessed the RES Console using the following URL: -
https://wodm801.uk.ibm.com:8443/res
and logged in as the resAdmin user (this user is in Active Directory, which is federated into the WAS cell) with the corresponding password.
However, when we opened the Diagnostics tab and clicked the Run Diagnostics button, we saw exceptions against the XU MBean and Rule Session Second Execution processes, with the following errors in SystemOut.log:
javax.management.JMRuntimeException: ADMN0022E: Access is denied for the notifyRulesetArchiveChanged operation on IlrXUManagement MBean because of insufficient or empty credentials.
and
Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getAdapterVersion operation on IlrXUManagement MBean because of insufficient or empty credentials.
We found a number of IBM Technotes and discussion forum posts on the problem, including this advice from "Rule Execution Server diagnostics failure":
<snip>
The application server security is enabled but the Rule Execution Server users do not have the required administrative roles:
If working with WebSphere Application Server or WebLogic, you must provide some level of administrative role to the Rule Execution Server admin user so that that user can access MBeans.
</snip>
and this: -
Authorization failed, Not granted any of the required roles
<snip>
This error indicates that security is enabled on the server and that the required roles have not been defined for the application.
Indeed, when security is enabled, DVS require all groups or users who are allowed to access it to be mapped to one of the two mandatory roles: resAdministrators or resDeployers. For Rule Execution Server, those roles are: resAdministrators, resDeployers, and resMonitors.
For RTS: rtsAdministrator, rtsConfigManager, rtsInstaller, and rtsUser.
</snip>
and this: -
Rule Execution Server diagnostic MBean execution fails on WebSphere
<snip>
Map your administrator group (resAdministrators by default) to the Monitor role in the WebSphere Application Server administration console.
</snip>
This led us to believe that the user (resAdmin) wasn't in the right groups, so we spent time adding it to the resMonitors group, but to no avail. We started to think that the problem might be related to WAS <-> LDAP interactions, including the group search base and filters.
Then we found this forum post: -
Diagnostic error messages - Ilog 6.7.3 with WAS 6.1
which said, in part: -
Did you map the resAdministrators group to the Monitor role? To access the MBeans of the Rule Execution Server model, an application must have sufficient security credentials, restricted to the Monitor role in the WebSphere authentication system.
Rule Execution Server users can be given access to the MBeans of the model by configuring a mapping between the resAdministrators group declared in the custom registry and the Monitor role.
To map users to the Monitor role:
1. In the Integrated Solutions Console open Users and Groups > Administrative group roles.
2. Click Add. For Role(s) select Monitor, then click Search and move the entry beginning with resAdministrators from the Available column to the Mapped to role column.
Click OK.
3. Click the Save directly to the master configuration.
4. Open Users and Groups > Administrative user roles.
5. Click Add. For Role(s) select Monitor, then click Search. Move resAdmin from the Available column to the Mapped to role column.
Click OK.
6. Click the Save directly to the master configuration.
7. Restart your application server or your deployment manager.
It then dawned on us.
As this is a clustered environment, the RES application needs to talk, via JMX, to the Deployment Manager and, therefore, the resAdmin user needs to be able to access the WAS administration MBeans.
Once we added the resAdministrators and resDeployers groups (these are in LDAP) to the WAS Administrative Group Monitor role and restarted the application server on which the RES Console runs, all was well.
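To confirm which MBean operations the server is refusing, before and after changing the role mapping, the ADMN0022E denials can be pulled out of SystemOut.log and grouped by MBean. This is an added example, not part of the original post; the sample log lines are constructed around the two messages quoted above, and their timestamps, thread IDs and the function names are assumptions.

```python
import re

# Matches the ADMN0022E message text exactly as quoted in the post.
ADMN0022E = re.compile(
    r"ADMN0022E: Access is denied for the (?P<op>\S+) operation on "
    r"(?P<mbean>\S+) MBean because of insufficient or empty credentials"
)

# Constructed sample in SystemOut.log layout (timestamps and thread IDs are made up).
SAMPLE_LOG = """\
[5/10/16 10:02:11:120 BST] 0000002f SystemOut     O javax.management.JMRuntimeException: ADMN0022E: Access is denied for the notifyRulesetArchiveChanged operation on IlrXUManagement MBean because of insufficient or empty credentials.
[5/10/16 10:02:11:131 BST] 0000002f SystemOut     O Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getAdapterVersion operation on IlrXUManagement MBean because of insufficient or empty credentials.
[5/10/16 10:02:12:004 BST] 00000031 SystemOut     O Caused by: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getAdapterVersion operation on IlrXUManagement MBean because of insufficient or empty credentials.
[5/10/16 10:02:15:400 BST] 00000031 SystemOut     O unrelated line with no denial
"""


def denied_operations(lines):
    """Return {mbean: {operation: count}} for every ADMN0022E denial found."""
    denied = {}
    for line in lines:
        # finditer, not search: an exception and its "Caused by" can share one line.
        for match in ADMN0022E.finditer(line):
            ops = denied.setdefault(match.group("mbean"), {})
            ops[match.group("op")] = ops.get(match.group("op"), 0) + 1
    return denied


def summarize(denied):
    """Flatten the result into sorted, human-readable report rows."""
    rows = []
    for mbean in sorted(denied):
        for op in sorted(denied[mbean]):
            rows.append("%s.%s denied %d time(s)" % (mbean, op, denied[mbean][op]))
    return rows


if __name__ == "__main__":
    for row in summarize(denied_operations(SAMPLE_LOG.splitlines())):
        print(row)
```

An empty result after the restart indicates the caller is no longer being denied on those operations.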