Changing the TIBCO iProcess Conductor schema to use an alternate Oracle database instance where the TIBCO iProcess Conductor user password has also been changed.
Article ID: KB0088376
Updated On:
| Products | Versions |
|---|---|
| TIBCO iProcess Conductor | - |
| Not Applicable | - |
Description
Resolution:
DESCRIPTION:
===========
Changing the TIBCO iProcess Conductor schema to use an alternate Oracle database instance where the TIBCO iProcess Conductor user password has also been changed.
ENVIRONMENT:
=============
TIBCO iProcess Conductor 11.2.0
JBOSS Application Server 4.2.1
SYMPTOMS:
==========
On the start-up of the JBOSS application Server, there were errors in the FFTrace.log file, such as the following:
2010-06-30 13:01:09,944 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=IPCUser 2010-06-30 13:01:39,259 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=null 2010-06-30 13:01:39,273 WARN [com.staffware.frameworks.scheduler.startup.HealthMonitor] Failed to locate scheduler service - service may be in the process of deploying(TFF_SCHEDULER_SERVICE not bound)
And the server.log file, contained numerous errors of the following nature:
2010-06-30 13:01:09,944 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=IPCUser 2010-06-30 13:01:39,259 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=null 2010-06-30 13:01:39,273 WARN [com.staffware.frameworks.scheduler.startup.HealthMonitor] Failed to locate scheduler service - service may be in the process of deploying(TFF_SCHEDULER_SERVICE not bound)
CAUSE:
=======
When changing the username, password and connections details in JBOSS to use a new schema, the following files must be changed:
The JDBC connection details in the files:$JBOSS_HOME/server/default/deploy/oracle-ds.xml, $JBOSS_HOME/server/default/deploy/oracle-xa-ds.xml
To username and password credentials in the file: $JBOSS_HOME/server/default/conf/login-config.xml
However, it is incorrect to assume you can insert the password into this file in clear text for the iPC schema user and expect the JBOSS application Server to automatically encrypt the password on start-up. Hence the errors in the FFTrace.log and server.log files
RESOLUTION:
===========
The password needs to be encrypted and then the encrypted output placed in the login-config.xml file, as follows:
Make sure the correct version of JAVA is set prior to running the command::
# env |grep JAVA
JAVA_HOME=/usr/jdk1.5.0_06
# env |grep $PATH
PATH=/usr/jdk1.5.0_06/bin:/usr/sbin:/usr/bin
#
JAVA is set in the JAVA_HOME and PATH environment variables.
# java -version
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05) Java HotSpot(TM) Server VM (build 1.5.0_06-b05, mixed mode) #
Run the following command from the $JBOSS_HOME location:
java -cp lib/jboss-common.jar:lib/jboss-jmx.jar:server/default/lib/jbosssx.jar:server/default/lib/jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule <password>
Substitute the <password> with the user password which is to be encrypted. The following is an example:
# java -cp lib/jboss-common.jar:lib/jboss-jmx.jar:server/default/lib/jbosssx.jar:server/default/lib/jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule staffpro1
Encoded password: 20cf448c381092829bd9a0b76da9b8e7 #
Insert the encrypted password into the the login-config.xml file in the $JBOSS_HOME/server/default/conf directory, as follows:
<!-- Security domain configuration for COM --> <application-policy name = "COMSecurityDomain">
<authentication>
<login-module code = "com.staffware.frameworks.base.security.COMLoginModule" flag = "required">
<module-option name = "unauthenticatedIdentity">IPCUser</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for Audit Database-->
<application-policy name = "AuditDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">IPC1110SL1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=NoTxCM,name=com/OracleDS_AU
DIT</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for IPC Database-->
<application-policy name = "IPCDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">IPC1110SL1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=com/OracleDS_CO
M</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for IPE Database-->
<application-policy name = "IPEDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">proi1110sl1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=com/OracleDS_SSOLITE</module-option>
</login-module>
#
Then restart the JBOSS application Server and check the FFTrace.log and server.log files.
DESCRIPTION:
===========
Changing the TIBCO iProcess Conductor schema to use an alternate Oracle database instance where the TIBCO iProcess Conductor user password has also been changed.
ENVIRONMENT:
=============
TIBCO iProcess Conductor 11.2.0
JBOSS Application Server 4.2.1
SYMPTOMS:
==========
On the start-up of the JBOSS application Server, there were errors in the FFTrace.log file, such as the following:
2010-06-30 13:01:09,944 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=IPCUser 2010-06-30 13:01:39,259 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=null 2010-06-30 13:01:39,273 WARN [com.staffware.frameworks.scheduler.startup.HealthMonitor] Failed to locate scheduler service - service may be in the process of deploying(TFF_SCHEDULER_SERVICE not bound)
And the server.log file, contained numerous errors of the following nature:
2010-06-30 13:01:09,944 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=IPCUser 2010-06-30 13:01:39,259 WARN [com.staffware.frameworks.scheduler.session.SchedulerEventInjector] java.lang.SecurityException: Invalid authentication attempt, principal=null 2010-06-30 13:01:39,273 WARN [com.staffware.frameworks.scheduler.startup.HealthMonitor] Failed to locate scheduler service - service may be in the process of deploying(TFF_SCHEDULER_SERVICE not bound)
CAUSE:
=======
When changing the username, password and connections details in JBOSS to use a new schema, the following files must be changed:
The JDBC connection details in the files:$JBOSS_HOME/server/default/deploy/oracle-ds.xml, $JBOSS_HOME/server/default/deploy/oracle-xa-ds.xml
To username and password credentials in the file: $JBOSS_HOME/server/default/conf/login-config.xml
However, it is incorrect to assume you can insert the password into this file in clear text for the iPC schema user and expect the JBOSS application Server to automatically encrypt the password on start-up. Hence the errors in the FFTrace.log and server.log files
RESOLUTION:
===========
The password needs to be encrypted and then the encrypted output placed in the login-config.xml file, as follows:
Make sure the correct version of JAVA is set prior to running the command::
# env |grep JAVA
JAVA_HOME=/usr/jdk1.5.0_06
# env |grep $PATH
PATH=/usr/jdk1.5.0_06/bin:/usr/sbin:/usr/bin
#
JAVA is set in the JAVA_HOME and PATH environment variables.
# java -version
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05) Java HotSpot(TM) Server VM (build 1.5.0_06-b05, mixed mode) #
Run the following command from the $JBOSS_HOME location:
java -cp lib/jboss-common.jar:lib/jboss-jmx.jar:server/default/lib/jbosssx.jar:server/default/lib/jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule <password>
Substitute the <password> with the user password which is to be encrypted. The following is an example:
# java -cp lib/jboss-common.jar:lib/jboss-jmx.jar:server/default/lib/jbosssx.jar:server/default/lib/jboss-jca.jar org.jboss.resource.security.SecureIdentityLoginModule staffpro1
Encoded password: 20cf448c381092829bd9a0b76da9b8e7 #
Insert the encrypted password into the the login-config.xml file in the $JBOSS_HOME/server/default/conf directory, as follows:
<!-- Security domain configuration for COM --> <application-policy name = "COMSecurityDomain">
<authentication>
<login-module code = "com.staffware.frameworks.base.security.COMLoginModule" flag = "required">
<module-option name = "unauthenticatedIdentity">IPCUser</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for Audit Database-->
<application-policy name = "AuditDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">IPC1110SL1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=NoTxCM,name=com/OracleDS_AU
DIT</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for IPC Database-->
<application-policy name = "IPCDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">IPC1110SL1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=com/OracleDS_CO
M</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security Domain for IPE Database-->
<application-policy name = "IPEDBSecurityDomain">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">proi1110sl1</module-option>
<module-option name = "password">20cf448c381092829bd9a0b76da9b8e7</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=com/OracleDS_SSOLITE</module-option>
</login-module>
#
Then restart the JBOSS application Server and check the FFTrace.log and server.log files.
Issue/Introduction
Changing the TIBCO iProcess Conductor schema to use an alternate Oracle database instance where the TIBCO iProcess Conductor user password has also been changed.
Feedback
Yes
No
Powered by
