A CWWIM4538E multiple principals error is displayed while starting IBM Business Process Manager (BPM) and the server does not start properly

Problem(Abstract)

When you attempt to start IBM Business Process Manager, it does not start properly and the CWWIM4538E error message is logged.

Symptom

You might see either or both of the following exceptions in the SystemOut.log file while IBM Business Process Manager starts:

CWWIM4538E Multiple principals were found for the 'admin' principal name.

CWSIA0004E: The authentication for the supplied user name admin and
the associated password was not successful

The CWWIM4538E message occurs when a user exists in more than one security provider. The CWSIA0004E message can occur when the system user or an administrator attempts to log in and start the IBM Business Process Manager system. While the duplicate users are present, IBM Business Process Manager cannot start properly.


Cause

IBM Business Process Manager ships with default internal users. These users might also be present in the LDAP system. If the same user exists in both places, IBM Business Process Manager cannot start properly and the CWWIM4538E error message is logged.

In WebSphere Application Server, each security user must be unique across all the federated repositories. This uniqueness requirement includes file based, LDAP, and custom security providers. For example, the user "admin" can only be in one of the configured repositories.


Resolving the problem

The connected LDAP repositories share one or more of the default users for IBM Business Process Manager. The following list contains the default users for each major IBM Business Process Manager product level:

  • IBM Business Process Manager 7.5: tw_admin, tw_author, tw_user, tw_webservice, tw_portal_admin, tw_runtime_server, bpmAuthor, admin
  • IBM Business Process Manager 8.0: tw_admin, tw_author, tw_user, tw_webservice, tw_portal_admin, tw_runtime_server, bpmAuthor, admin
  • IBM Business Process Manager 8.5: bpmadmin and deadmin (these are user defined and may be different)

To resolve this conflict, use a filter in the WebSphere security repository to exclude a user or group from the LDAP search. Complete the following steps:

  1. Back up your WebSphere configuration before starting. The three files that are used in the configuration are security.xml, wimconfig.xml, and fileRegistry.xml. Make safe backups of these files and of the deployment manager (DMGR) and other named profiles before beginning.
  2. Log in to the WebSphere Administrative Console. The default URL and port are http://server_name:9060/ibm/console

  3. Click Security > Global Security.

  4. Click Federated Repositories.

  5. Click the name of the configured LDAP provider. The following screen capture shows the LDAP configuration pages:




  6. Under Additional Properties, click LDAP entity types, as shown in the previous screen shot. The LDAP entity types page opens; this is where you apply the filters.

  7. Click PersonAccount as shown in the following screen shot:




  8. In the search filter, enter the name of the user or users to exclude from the LDAP search. The following screen shot shows the user "admin" being removed from the search. Here 'cn' stands for common name. Check your LDAP configuration, because the attribute to filter on might differ for your provider. The search base is the location in the LDAP tree from which users are excluded.




  9. Click OK and click Save to Configuration.

  10. Stop the IBM Business Process Manager servers, if they are running.

  11. Stop the node agent.

  12. Restart the node agent.

  13. Verify in the WebSphere users and groups section of the WebSphere Administrative Console that the user is no longer visible.

  14. Start the IBM Business Process Manager servers.


The same method applies to groups and organizational units.
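Step 8 shows the filter only as a screen shot. The following Python, added here as an example and not IBM's or the page's own code, builds a PersonAccount search filter that hides the BPM 7.5/8.0 default users, escapes the names so a user name cannot change the shape of the filter, and evaluates the result against constructed sample entries to confirm that only the intended users disappear; the `cn` attribute, the `inetOrgPerson` object class and the sample DNs are assumptions that you must adapt to your directory.

```python
import re
# Default user names the page lists for BPM 7.5 and 8.0.
BPM_DEFAULT_USERS = ["tw_admin", "tw_author", "tw_user", "tw_webservice",
                     "tw_portal_admin", "tw_runtime_server", "bpmAuthor", "admin"]

def escape(value):
    """Escape RFC 4515 special characters so a name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def exclusion_filter(users, attr="cn", object_class="inetOrgPerson"):
    """PersonAccount search filter: every object_class entry except the named users."""
    excluded = "".join("(%s=%s)" % (attr, escape(u)) for u in users)
    return "(&(objectClass=%s)(!(|%s)))" % (object_class, excluded)

def _parse(s, i):  # recursive descent over the &, |, ! and attr=value subset of RFC 4515
    i += 1                                          # skip '('
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                    # skip ')'
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        return ("!", [kid]), i + 1
    j = s.index(")", i)                             # a ')' inside a value is escaped as \29
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), unescape(value).lower()), j + 1
def _eval(node, entry):
    if node[0] == "&": return all(_eval(k, entry) for k in node[1])
    if node[0] == "|": return any(_eval(k, entry) for k in node[1])
    if node[0] == "!": return not _eval(node[1][0], entry)
    return node[2] in entry.get(node[1], ())        # equality, case-insensitive
def matches(filt, entry):  # entry is {attribute: [values]}
    norm = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    return _eval(_parse(filt, 0)[0], norm)

# Constructed sample entries standing in for the directory; not real data.
SAMPLE_ENTRIES = {
    "cn=admin,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["admin"]},
    "cn=tw_admin,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["tw_admin"]},
    "cn=jsmith,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["jsmith"]},
    "cn=bpmusers,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["bpmusers"]},
}
def visible_users(filt, entries=SAMPLE_ENTRIES):
    """DNs the repository would still return for PersonAccount after filtering."""
    return sorted(dn for dn, e in entries.items() if matches(filt, e))
```

After applying the filter, step 13 of the procedure corresponds to `visible_users` returning only the non-default accounts.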
