4.8.2 Workflow Error

We have upgraded from 4.7.4 to 4.8.2 and are testing, and have been trying to sort out this particular error:

Submission failed. Failed to submit resource request [id = cn=edituser,cn=requestdefs,cn=appconfig,cn=userapplication,cn=driverset01,ou=servers,o=emorydev] due to:Provisioning system error:Failed to start the workflow..


In catalina the error is:

[RBPM] Workflow service is not available
org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 : [<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Fault><Code><Value>Sender</Value><Subcode><Value>Invalid</Value></Subcode></Code><Reason><Text>The authentication token represents an entity that does not have permission for the requested operation.</Text></Reason></Fault>]


Verified all info and pw's are correct.  Updated ism to remove a bunch of odd entries. Anyone see something similar?

  • In 4.8, workflow.war is carved out of IDMProv.war and as the name suggests the Workflow stuff is moved.

    Now in ISM-config there are lines for workflow and it is a new OAuth client.  Make sure they are all there. Lines like:

    com.microfocus.workflow.clientID = workflow
    com.microfocus.workflow.clientPass._attr_obscurity = ENCRYPT
    com.microfocus.workflow.clientPass = some encrypted password
    com.microfocus.workflow.landing.url = workflow
    com.microfocus.workflow.redirect.url = workflow
    com.microfocus.workflow.response-types = client_credentials

    com.netiq.wf.engine.url = https://www.acme.com/workflow

    And remember this URL has to be OAuth'ed through OSP so has to perfectly match the cert etc...

    (Make sure the workflow.war is deployed in Tomcat as well. Watch Catalina.out, search for "Deploy" and look for workflow.war deploying. Maybe it fails to start?)

  • Seems to deploy just fine. 


    main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/netiq/idm/apps/tomcat/webapps/workflow.war] has finished in [20,946] ms

  • Also see this in the log:

    ERROR [com.netiq.idm.auth.oauth.OAuthRestFilter] (https-jsse-nio-8543-exec-6) [WORKFLOW] The authentication token represents an entity that does not have permission for the requested operation.

  • I read this wrong.. deleting my post.

  • It seems that we are not able to communicate with the workflow engine at all. Even though the war deploys and the tables are written to the database, something isn't connecting properly.
  • Just to be sure - is this message always present when you try to make a request, or are there any successful calls? Is there any difference between calling from policies and creating requests manually in the portal?
  • Even manual requests fail.  It's as if the application isn't communicating at all; the app starts, no errors, we can log in and view roles/resources and the like, but something isn't communicating.  We've verified all certs, osp, idm, and tomcat keystores.  We have also updated and double- and triple-checked the ism.config and even updated and configured all the oauth secrets in configupdate. It's as if the upgrade broke connectivity, but there is nothing that stands out, and now we get a generic rbpm error.

  • Verified Answer

    Can you please make sure the below configuration is proper

    com.netiq.rbpm.clientID = rbpm

    com.netiq.rbpm.redirect.url = https://<<IP>>:8543/IDMProv/oauth

    com.netiq.rbpm.clientPass = <<Password>>

    com.netiq.rbpm.landing.url = /idmdash/#/landing

    If we have an incorrect rbpm clientID, then we will get AuthorizationException (i.e., "The authentication token represents an entity that does not have permission for the requested operation").


  • This was the issue. During the upgrade it never updated this value and passed in IDMProv instead. Even though it was set in configureupdate.sh, it never updated the ism.configproperties.   Thank you!

  • If you have a commented out line in the ismc-configuration.properties (#) then the sed tool used during the install errors and does not properly update the file.

    Stupid issue, but whatcha gonna do.  As the Me2 people learned, pound is ill advised.
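
A check for the two conditions this thread ended on (an OAuth client ID that does not match what the client expects, and commented-out lines reported to break the installer's update of the file), written as an added example and not code from any poster or from the product. The key names and the expected `rbpm` / `workflow` values are copied from the posts; `audit_ism_config`, the sample file body and its host name are constructed, and the parsing is a simplified `key = value` reader rather than a full Java properties parser.

```python
EXPECTED = {  # client IDs as quoted in the posts above
    "com.netiq.rbpm.clientID": "rbpm",
    "com.microfocus.workflow.clientID": "workflow",
}
REQUIRED = [  # presence only; secret values are never echoed in findings
    "com.netiq.rbpm.clientPass",
    "com.netiq.rbpm.redirect.url",
    "com.microfocus.workflow.clientPass",
    "com.microfocus.workflow.response-types",
    "com.netiq.wf.engine.url",
]

def audit_ism_config(text):
    """Return sorted (line_number, message) findings; line 0 means the whole file."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Reported in the thread: '#' lines make the installer's sed update fail.
            findings.append((n, "commented-out line"))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in seen:
            findings.append((n, f"duplicate key (also on line {seen[key][0]}): {key}"))
        seen[key] = (n, value)  # last occurrence wins, as in java.util.Properties
    for key, want in EXPECTED.items():
        if key in seen and seen[key][1] != want:
            findings.append((seen[key][0], f"{key} is {seen[key][1]!r}, expected {want!r}"))
    for key in [*EXPECTED, *REQUIRED]:
        if key not in seen:
            findings.append((0, f"missing key: {key}"))
    return sorted(findings)

# Constructed sample reproducing the post-upgrade state described in the thread.
SAMPLE = """\
com.netiq.rbpm.clientID = IDMProv
com.netiq.rbpm.clientPass = CONSTRUCTED-PLACEHOLDER
com.netiq.rbpm.redirect.url = https://idm.example.com:8543/IDMProv/oauth
#com.netiq.rbpm.landing.url = /idmdash/#/landing
com.microfocus.workflow.clientID = workflow
com.microfocus.workflow.clientPass = CONSTRUCTED-PLACEHOLDER
com.microfocus.workflow.response-types = client_credentials
"""

if __name__ == "__main__":
    print(*audit_ism_config(SAMPLE), sep="\n")
```

Run it against a copy of the properties file before and after the configuration update step to confirm the values set there were actually written.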