UPDATE! The community will go into read-only on April 19, 8am Pacific in preparation for migration on April 21.
Commodore

4.8.2 Workflow Error


We have upgraded from 4.7.4 to 4.8.2 and are testing; we've been trying to sort this particular error:

Submission failed. Failed to submit resource request [id = cn=edituser,cn=requestdefs,cn=appconfig,cn=userapplication,cn=driverset01,ou=servers,o=emorydev] due to:Provisioning system error:Failed to start the workflow..

 

In catalina the error is:

[RBPM] Workflow service is not available
org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 : [<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Fault><Code><Value>Sender</Value><Subcode><Value>Invalid</Value></Subcode></Code><Reason><Text>The authentication token represents an entity that does not have permission for the requested operation.</Text></Reason></Fault>]

 

Verified all info and pw's are correct.  Updated ism to remove a bunch of odd entries. Anyone see something similar?


Accepted Solutions
Micro Focus Contributor

Can you please make sure the below configuration is proper

com.netiq.rbpm.clientID = rbpm

com.netiq.rbpm.redirect.url = https://<<IP>>:8543/IDMProv/oauth

com.netiq.rbpm.clientPass = <<Password>>

com.netiq.rbpm.landing.url = /idmdash/#/landing

If we have an incorrect rbpm clientID, then we will get AuthorizationException (i.e., The authentication token represents an entity that does not have permission for the requested operation)


13 Replies
Knowledge Partner

In 4.8, workflow.war is carved out of IDMProv.war and as the name suggests the Workflow stuff is moved.

Now in ISM-config there are lines for workflow and it is a new OAuth client.  Make sure they are all there. Lines like:

com.microfocus.workflow.clientID = workflow
com.microfocus.workflow.clientPass._attr_obscurity = ENCRYPT
com.microfocus.workflow.clientPass = some encrypted password
com.microfocus.workflow.landing.url = workflow
com.microfocus.workflow.redirect.url = workflow
com.microfocus.workflow.response-types = client_credentials

com.netiq.wf.engine.url = https://www.acme.com/workflow

And remember this URL has to be OAuth'ed through OSP so has to perfectly match the cert etc...

(Make sure the workflow.war is deployed in Tomcat as well. Watch Catalina.out, search for "Deploy" and look for workflow.war deploying. Maybe it fails to start?)

Commodore

Seems to deploy just fine. 

 

main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/netiq/idm/apps/tomcat/webapps/workflow.war] has finished in [20,946] ms

0 Likes
Commodore

Also see this in the log:

ERROR [com.netiq.idm.auth.oauth.OAuthRestFilter] (https-jsse-nio-8543-exec-6) [WORKFLOW] The authentication token represents an entity that does not have permission for the requested operation.

0 Likes
Vice Admiral

I read this wrong.. deleting my post.

0 Likes
Commodore
It seems that we are not able to communicate with the workflow engine at all. Even though the war deploys and the tables are written to the database, something isn't connecting properly.
0 Likes
Captain
Just to be sure - is this message present always when you try to make a request or are there any successful calls? Is there any difference between calling from policies and creating requests manually in the portal?
0 Likes
Commodore

Even manual requests fail.  It's as if the application isn't communicating at all: the app starts, no errors, we can log in and view roles/resources and the like, but something isn't communicating.  We've verified all certs, osp, idm, and tomcat keystores.  We have also updated and double and triple checked the ism.config and even updated and configured all the oauth secrets in configupdate. It's as if the upgrade broke connectivity, but nothing stands out and now we get a generic rbpm error.

Commodore

This was the issue. During the upgrade it never updated this value and passed in IDMProv instead. Even though it was set in configureupdate.sh, it never updated the ism.configproperties.   Thank you!

Knowledge Partner

If you have a commented out line in the ismc-configuration.properties (#) then the sed tool used during the install errors and does not properly update the file.

Stupid issue, but whatcha gonna do.  As the Me2 people learned, pound is ill advised.

 

0 Likes
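An added example, not part of any post in this thread and not Micro Focus code: a small audit of an ISM configuration properties body against the rbpm and workflow OAuth client keys and values quoted above, plus the commented-line caveat. The function name, sample host and placeholder passwords are constructed, and the parser is a simplified key = value reader rather than a full Java properties parser.

```python
# Values quoted in this thread; adjust them for your own deployment (assumption).
EXPECTED = {
    "com.netiq.rbpm.clientID": "rbpm",
    "com.microfocus.workflow.clientID": "workflow",
    "com.microfocus.workflow.response-types": "client_credentials",
}
REQUIRED = list(EXPECTED) + [
    "com.netiq.rbpm.redirect.url", "com.netiq.rbpm.clientPass",
    "com.netiq.rbpm.landing.url", "com.microfocus.workflow.clientPass",
    "com.microfocus.workflow.landing.url",
    "com.microfocus.workflow.redirect.url", "com.netiq.wf.engine.url",
]

def audit_ism_config(text):
    """Return a list of findings for the body of an ISM properties file."""
    props, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Per the thread, '#' lines can make the installer's sed update fail.
            findings.append(f"line {no}: commented-out line")
            continue
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {no}: not a key = value pair")
            continue
        props[key.strip()] = value.strip()
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing: {key}")
        elif key in EXPECTED and props[key] != EXPECTED[key]:
            # Only non-secret values (client IDs) are echoed; clientPass never is.
            findings.append(
                f"mismatch: {key} = {props[key]!r}, expected {EXPECTED[key]!r}")
    return findings

# Constructed sample reproducing the thread's failure: clientID left as IDMProv.
SAMPLE = """\
com.netiq.rbpm.clientID = IDMProv
com.netiq.rbpm.redirect.url = https://idm.example.test:8543/IDMProv/oauth
com.netiq.rbpm.clientPass = CONSTRUCTED-PLACEHOLDER
com.netiq.rbpm.landing.url = /idmdash/#/landing
#com.microfocus.workflow.clientID = workflow
com.microfocus.workflow.clientPass = CONSTRUCTED-PLACEHOLDER
com.microfocus.workflow.landing.url = workflow
com.microfocus.workflow.redirect.url = workflow
com.microfocus.workflow.response-types = client_credentials
com.netiq.wf.engine.url = https://idm.example.test/workflow
"""
```

Running `audit_ism_config` on the file body after an upgrade, and again after configupdate, shows whether the client ID change actually reached the file.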
Commodore
We don't have anything commented out, but that's good info to have.
0 Likes