| Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter Portal 11g Release 1 (11.1.1.6.0) Part Number E12405-17 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter Portal 11g Release 1 (11.1.1.6.0) Part Number E12405-17 |
|
|
PDF · Mobi · ePub |
This chapter describes how to configure and manage the Worklist service for WebCenter Portal applications (Spaces applications and Framework applications) deployed on Oracle WebLogic Server.
Always use Fusion Middleware Control or WLST command-line tool to review and configure back-end services for WebCenter Portal applications. Any changes that you make to Spaces applications and Framework applications, post deployment, are stored in MDS metatdata store as customizations. See Section 1.3.5, "WebCenter Portal Configuration Considerations."
Note:
Changes that you make to Worklist service configuration, through Fusion Middleware Control or using WLST, are not dynamic so you must restart the managed server on which the WebCenter Portal application is deployed for your changes to take effect. See Section 8.2, "Starting and Stopping Managed Servers for WebCenter Portal Application Deployments."
This chapter includes the following sections:
Audience
The content of this chapter is intended for Fusion Middleware administrators (users granted the Admin or Operator role through the Oracle WebLogic Server Administration Console). See also Section 1.8, "Understanding Administrative Operations, Roles, and Tools."
Use the roadmaps in this section as an administrator's guide through the configuration process:
Section 23.1.1, "Roadmap - Configuring the Worklist Service for WebCenter Portal: Spaces"
Section 23.1.2, "Roadmap - Configuring the Worklist Service for Framework applications"
Figure 23-1 and Table 23-1 in this section provide an overview of the prerequisites and tasks required to get the Worklist service working in a Spaces application.
Figure 23-1 Configuring the Worklist Service for Spaces
Table 23-1 Configuring the Worklist Service for Spaces
| Actor | Task | Sub-Task |
|---|---|---|
|
Administrator |
1. Install WebCenter Portal: Spaces and the Oracle SOA Suite |
|
|
Administrator |
2. Configure a Worklist connection using one of the following tools:Foot 1
|
When using Fusion Middleware Control:
When using WLST:
|
|
Administrator |
3. (Optional) Configure WebCenter Portal: Spaces workflowsFootref 1 |
3.a Specify the BPEL server connection used for WebCenter Portal: Spaces workflows using either of the following tools:
3.b Configure WS-security keystore |
|
Administrator |
4. (Optional) Deploy additional BPEL workflows |
|
|
Administrator |
5. (Optional) Configure BPEL server to use same identity store as SpacesFootref 1 |
|
|
Administrator |
6. (Optional) Secure the connection to the BPEL server |
6.c Configure SSL |
|
End User |
7. Test that the Worklist service is working in Spaces |
7.a Log in to Spaces 7.b Add a Worklist task flow to a page 7.c Generate a worklist event 7.d Verify event information displays in the task flow |
Footnote 1 Auto configured out-of-the-box
Figure 23-2 and Table 23-2 in this section provide an overview of the prerequisites and tasks required to get the Worklist service working in Framework applications.
Figure 23-2 Configuring the Worklist Service for Framework applications
Table 23-2 Configuring the Worklist Service for Framework applications
| Actor | Task | Sub-Task |
|---|---|---|
|
Administrator |
1. Install WebCenter Portal and the Oracle SOA Suite |
|
|
Developer |
2. Integrate the Worklist service in your Framework application |
|
|
Developer/Administrator |
3. Deploy the Framework application using one of the following tools:
|
|
|
Administrator |
||
|
Administrator |
5. (Optional): Configure BPEL server to use same identity store as the application |
|
|
Administrator |
6. (Optional): Secure the connection to the BPEL server |
6.c Configure SSL |
|
Developer/Administrator |
7. (Optional): Add/modify connection parameters using one of the following tools:
|
|
|
End User |
8. Test that the Worklist service is working |
8.a Log in to the Framework application 8.b Generate a worklist event 8.c Verify event information displays in the task flow |
Consider the following while working with BPEL connections:
The Worklist service allows multiple connections so that WebCenter Portal users can monitor and manage assignments and notifications from a range of BPEL servers. For more information, see Section 23.4, "Setting Up Worklist Connections."
WebCenter Portal: Spaces workflows require a single connection to the BPEL server included with the Oracle SOA Suite. For more information, see Section 9.3, "Specifying the BPEL Server Hosting Spaces Workflows."
The Worklist service and the WebCenter Portal: Spaces workflows can share the same BPEL server connection or each connect to different BPEL servers. To enable the display of worklist items created by the Spaces workflows in the current WebCenter Portal users' worklists, it is recommended that the WebCenter Portal: Spaces workflows and the Worklist service share a connection.
The Worklist service can be wired to multiple BPEL connections to enable aggregation of worklist items from multiple BPEL servers. For example, when the topology contains several BPEL servers running various workflow types, such as Human Resource and General Ledger servers.
It is mandated that the BPEL connections are unique URLs. If this is not the case, then duplicate queries to the same server are created.
Consider the following to ensure smooth functioning of the Worklists service:
Pages that include Worklists task flows must be secured through ADF security.
The Worklists service must be configured to use an Oracle SOA Suite BPEL server that is accessible through the BPEL Worklists application. The URL is in the following format:
http://host:port/integration/worklistapp
If the Worklist service is not running in the same domain as the Oracle SOA Suite BPEL server, the identity store (LDAP) should be either shared (recommended) or contain identical user names.
Clocks on the Worklists service's managed server and the Oracle SOA Suite BPEL's managed server must be synchronized such that the SAML authentication condition, NotBefore, which checks the freshness of the assertion, is not breached.
No configuration-related exceptions must exist. Use the WLST command listWorklistConnections to display the configured connections and validate the connection details. After listing the connections, validate them using the URL property appended with /integration/worklistapp. Hence, verify that http://host:port/integration/worklistapp can access the BPEL Worklist application.
If the Oracle SOA Suite BPEL's managed server is configured to use an identity store and that store does not contain BPMWorkflowAdmin, weblogic by default, then the BPMWorkflowAdmin user must be configured, as described in Section 23.5.2.2, "Shared User Directory Does Not Include the weblogic User."
The wsm-pm application must be running on both the Worklists service's and Oracle SOA Suite's BPEL server's managed servers without any issues. This can be validated through the URL:
http://host:port/wsm-pm/validator
For information on how to resolve BPEL server issues, see Section 23.5, "Troubleshooting Issues with Worklists."
This section includes the following subsections:
Section 23.3.1, "BPEL Server - Installation and Configuration"
Section 23.3.3, "BPEL Server - Limitations in WebCenter Portal"
The Worklist service relies on the Oracle BPEL Process Manager (BPEL) server, which is included with Oracle SOA Suite.
To work with the Worklist service, you must install Oracle SOA Suite. For information about how to install Oracle SOA Suite, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
After installing Oracle SOA Suite, you can integrate the Worklist service into your WebCenter Portal application by setting up connections to the BPEL server.
The Worklist service displays tasks for the currently authenticated user. For WebCenter Portal users to store and retrieve tasks on an Oracle SOA Suite BPEL server, their user names must either exist in a shared user directory (LDAP), or be set up similarly on both the WebCenter Portal application and the BPEL Server.
For example, if the user rsmith wants to use the Worklist service to store and retrieve tasks from the BPEL server, you must ensure that the user rsmith exists on both the BPEL server and within your application.
To access BPEL task details from the WebCenter Portal Worklist component, without incurring additional login prompts, WebCenter Portal and Oracle SOA Suite servers must be configured to a shared Oracle Single Sign-On server. For more information, see Section 31.2, "Configuring Oracle Access Manager (OAM)" and Section 31.3, "Configuring Oracle Single Sign-On (OSSO)."
For a secure connection you can optionally configure WS-Security between SOA and Spaces. For information, see Chapter 34, "Configuring WS-Security."
Worklist task flows function inside authenticated pages only. If Worklist task flows are placed on unsecured pages, that is public pages that are not navigated to from an application on which the user has logged in, the warning message "You must log in to view Worklist content." is displayed. This is done to ensure that a session for the current users is available to determine which user's tasks are to be queried.
This section includes the following subsections:
The Worklist service enables WebCenter Portal applications to show authenticated users a list of BPEL worklist items currently assigned to them. BPEL worklist items are open BPEL tasks from one or more BPEL worklist repositories.
A connection to every BPEL server that delivers worklist items is required. Multiple worklist connections are allowed so that WebCenter Portal users can monitor and manage assignments and notifications from a range of BPEL servers.
If a BPEL server cannot be contacted, the Worklist task flow indicates that the connection is unavailable and any reason for the error is recorded in the server's diagnostic log. This log is located on the server that hosts the worklist component's log directory. For a Spaces application: ./user_projects/domains/base_domain/servers/WC_Spaces/logs/WC_Spaces-diagnostic.log. For a Framework application: ./user_projects/domains/base_domain/servers/WC_Spaces/logs/WC_CustomPortal-diagnostic.log.
WebCenter Portal: Spaces
Spaces requires a BPEL server connection to support its internal workflows, that is, space membership notifications and space subscription requests. The BPEL server providing this functionality is always a BPEL server included with the Oracle SOA Suite. For more information, see Section 9.3, "Specifying the BPEL Server Hosting Spaces Workflows."
The Worklist service can share the SOA instance connection and by doing so, display worklist items relating to space activity in each user's Worklist task flow.
This section includes the following subsections:
Section 23.4.2.1, "Registering Worklist Connections Using Fusion Middleware Control"
Section 23.4.2.2, "Registering Worklist Connections Using WLST"
To register a Worklist connection:
Log in to Fusion Middleware Control and navigate to the home page for Spaces or the Framework application. For more information, see:
Do one of the following:
For the Spaces application - From the WebCenter Portal menu, choose Settings > Service Configuration.
For Framework applications - From the Application Deployment menu, choose WebCenter Portal > Service Configuration.
From the list of services on the WebCenter Portal Service Configuration page, select Worklist.
To register a new connection, click Add (Figure 23-3).
Enter a unique name for the Worklist connection and set it as the active connection (Table 23-3). This connection is picked up after you restart the managed server.
Table 23-3 Worklist Connection - Name
| Field | Description |
|---|---|
|
Name |
Enter a unique name for the connection. The name must be unique (across all connection types) within the WebCenter Portal application. This name may be displayed to users working with the worklist feature in the application. Users may organize their worklist assignments through various sorting and grouping options. The option "Group By Worklist Server" displays the name you specify here so it's important to enter a meaningful name that other users will easily recognize, for example, |
|
Active Connection |
Select to activate this worklist connection in the WebCenter Portal application. Once activated, worklist items from the associated BPEL server display in users' worklists. Multiple worklist connections may be active at a time, enabling WebCenter Portal users to monitor and manage assignments and notifications from a range of BPEL servers. If you need to disable a connection for any reason, deselect this option. (Edit mode only.) Check boxes indicate whether other components share this connection:
Although not shown here, the Notification service might be set up to use the BPEL server connection too. See, Section 19.2, "Setting Up Notifications". Before modifying connection properties, consider impact to any other components that share this connection. |
Enter connection details for the BPEL server (Table 23-4).
Table 23-4 Worklist Connection - Connection Details
| Field | Description |
|---|---|
|
BPEL Soap URL |
Enter the URL required to access the BPEL server. Use the format: protocol://host:port For example: Note: Spaces uses the BPEL server included with the Oracle SOA Suite to implement WebCenter Portal: Spaces workflows. If you are setting up the workflow connection, make sure you enter the SOA Suite's BPEL server URL here. For more information, see Section 9.3, "Specifying the BPEL Server Hosting Spaces Workflows." |
|
SAML Token Policy URI |
Select the SAML (Security Assertion Markup Language) token policy this connection uses for authentication. SAML is an XML-based standard for passing security tokens defining authentication and authorization rights. An attesting entity (that has a trusted relationship with the receiver) vouches for the verification of the subject by method called sender-vouches.Options available are:
|
|
Recipient Key Alias |
The recipient key alias to be used for message protected SAML policy authentication. Only required when the BPEL server connection is using a SAML token policy for authentication and the application's Worklist service is using multiple BPEL server connections. For example, To determine the recipient key alias for a complex topology, see Section 34.3, "Configuring WS-Security for a Complex Topology." |
|
Link URL |
Specify the URL used to link to the BPEL server. Only required if it is different to the BPEL SOAP URL, for example, when SSO or HTTPS is configured. Use the format: For example, For performance reasons, in an HTTPS or SSO environment, the Link URL specifies user access to BPEL worklist items, through HTTPS or SSO Web servers, whereas the BPEL SOAP URL specifies direct access to BPEL Web services, without redirection through HTTPS or SSO Web servers. |
Click OK to save this connection.
Click Test to verify if the connection you created works. For a successful connection, the Test Status message displays the advice that to start using the new (active) connection, you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Portal Application Deployments."
See Section 23.5, "Troubleshooting Issues with Worklists" if the test fails.
Tip:
To activate newly registered connections, perform the steps described in Section 23.4.3, "Activating a Worklist Connection."
Use the WLST command createBPELConnection to create a BPEL server connection. For command syntax and examples, see the section, "createBPELConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
To configure the Worklist service to actively use a new BPEL server connection some additional configuration is required. For more information, see Section 23.4.3.2, "Activating a Worklist Connections Using WLST."
For information on how to run WLST commands, see Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."
Note:
To activate newly registered connections, perform the steps described in Section 23.4.3, "Activating a Worklist Connection."
To start using the new (active) connection you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see the section, "Starting and Stopping WebLogic Managed Servers Using the Command Line" in the Oracle Fusion Middleware Administrator's Guide.
In WebCenter Portal applications, multiple Worklist connections may be active at a time. Multiple connections enable WebCenter Portal users to monitor and manage assignments and notifications from a multiple BPEL servers. From time to time you may need to temporarily disable an active connection so no errors or warnings are logged or displayed in the UI if the Worklist service queries a SOA server which is undergoing maintenance.
This section includes the following subsections:
Section 23.4.3.1, "Activating a Worklist Connections Using Fusion Middleware Control"
Section 23.4.3.2, "Activating a Worklist Connections Using WLST"
To activate or disable a Worklist connection:
Log in to Fusion Middleware Control and navigate to the home page for Spaces or the Framework application. For more information, see:
Do one of the following:
For the Spaces application - From the WebCenter Portal menu, choose Settings > Service Configuration.
For Framework applications - From the Application Deployment menu, choose WebCenter Portal > Service Configuration.
From the list of services on the WebCenter Portal Services Configuration page, select Worklist.
The Manage Worklist Connections table indicates currently active connections (if any).
Select the Worklist connection you want to activate (or disable), and then click Edit.
Select the Worklist check box to activate this Worklist connection in the WebCenter Portal application.
Once activated, worklist items from the associated BPEL server display in Worklist task flows. If you need to disable a connection for any reason, deselect this option.
Click OK to update the connection.
Click Test to verify if the connection you activated works. For a successfully activated connection, the Test Status message displays the advice that to start using the updated connection, you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Portal Application Deployments."
Use the WLST command addWorklistConnection to activate an existing BPEL connection for Worklist services. For command syntax and examples, see the section, "addWorklistConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
To subsequently disable a BPEL connection used by the Worklist service, run the WLST command removeWorklistConnection. Connection details are retained but the connection is no longer named as an active connection. For syntax details and examples, see "removeWorklistConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Use listWorklistConnections to see which connections are currently active.
For information on how to run WLST commands, see Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."
Note:
To start using the active connection you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see the section, "Starting and Stopping WebLogic Managed Servers Using the Command Line" in the Oracle Fusion Middleware Administrator's Guide.
This section includes the following subsections:
Section 23.4.4.1, "Modifying Worklist Connection Details Using Fusion Middleware Control"
Section 23.4.4.2, "Modifying Worklist Connection Details Using WLST"
To update worklist connection details:
Log in to Fusion Middleware Control and navigate to the home page for Spaces or the Framework application. For more information, see:
Do one of the following:
For the Spaces application- From the WebCenter Portal menu, choose Settings > Service Configuration.
For Framework applications - From the Application Deployment menu, choose WebCenter Portal > Service Configuration.
From the list of services on the WebCenter Portal Services Configuration page, select Worklist.
Select the Worklist connection you want to activate, and then click Edit.
Edit connection details, as required. For detailed parameter information, see Table 23-4, "Worklist Connection - Connection Details".
Click OK to update the connection.
Click Test to verify if the updated connection works. For a successfully updated connection, the Test Status message displays the advice that to start using the updated connection, you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Portal Application Deployments."
Use the WLST command setBPELConnection to edit existing BPEL server connection details. For command syntax and examples, see the section, "setBPELConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
For information on how to run WLST commands, see Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."
Note:
To start using the updated (active) connection you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see the section, "Starting and Stopping WebLogic Managed Servers Using the Command Line" in the Oracle Fusion Middleware Administrator's Guide.
Several WebCenter Portal components can share the same worklist connection, that is, the Worklist service, Notifications service, and, Spaces workflows. Before you delete a Worklist connection, navigate to the Application Configuration page in Fusion Middleware Control (WebCenter Portal > Settings > Application Configuration) to verify whether Spaces Workflows and Notifications are using the connection.
This section includes the following subsections:
Section 23.4.5.1, "Deleting Worklist Connections Using Fusion Middleware Control"
Section 23.4.5.2, "Deleting Worklist Connections Using WLST"
To delete a worklist connection:
Log in to Fusion Middleware Control and navigate to the home page for Spaces or the Framework application. For more information, see:
Do one of the following:
For the Spaces application - From the WebCenter Portal menu, choose Settings > Service Configuration.
For Framework applications - From the Application Deployment menu, choose WebCenter Portal > Service Configuration.
From the list of services on the WebCenter Portal Services Configuration page, select Worklist.
Select the Worklist connection you want to delete, and then click Delete.
To confirm, click Yes.
To effect this change you must restart the managed server on which the WebCenter Portal application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Portal Application Deployments."
Use the WLST command deleteConnection to remove a BPEL connection previously registered for the Worklist service. For command syntax and examples, see the section, "deleteConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Use the WLST command removeWorklistConnection remove a BPEL server that is configured in adf-config.xml. The Worklist service no longer uses the connection specified but BPEL server connection details are retained in connections.xml for future use.
Use the WLST command deleteConnection to remove a BPEL server connection from connections.xml.
For command syntax and detailed examples, see "removeWorklistConnection" and "deleteConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
For information on how to run WLST commands, see Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."
Restart the managed server so that changes can take place.
The Worklist service relies on several middleware components to display worklist items to logged-in users and therefore, several factors may cause the Worklist service to fail. The issues and solutions discussed in this section relate to some common problems you may encounter.
This section includes the following subsections:
Section 23.5.1, "Unavailability of the Worklist Service Due to Application Configuration Issues"
Section 23.5.2, "Unavailability of the Worklist Service Due to Server Failure"
Note:
To identify causes of failures, examine log files on the managed servers hosting Worklist service processes and the managed servers for any SOA BPEL servers you have configured.
Issues described in this section pertain to the unavailability of the Worklist service—Worklist task flows display the message The Worklist service is unavailable with the following warning:
Either no BPEL connections are configured, or there is an issue with the existing connection configuration. Verify that at least one BPEL Worklist connection is configured for this application, and that no unresolved "ConfigurationExceptions" exceptions are logged.
This section includes the following subsections:
Section 23.5.1.1, "adf-config.xml Refers to a Non-Existent BPEL Connection"
Section 23.5.1.2, "adf-config.xml Has No Reference to a BPEL Connection"
Problem
The connection listed in the adf-config.xml file does not exist in the application's connections.xml file. The following entries exist in the diagnostic log file for the managed server on which the application is running:
[2009-03-22T13:33:54.140+00:00] [DefaultServer] [WARNING] [WCS-32008] [oracle.webcenter.worklist.config][tid: [ACTIVE].ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'] userId: user][ ecid: 0000I0iOmdTFk3FLN2o2ye19kTB0000V,0][APP: Worklist#V2.0 arg: Human Resources The BPEL Connection named 'connection_name' was not present in the connections.xml file. This will prevent the Worklist service from being able to interact with the required this BPEL connection.
Solution
Either create a BPEL connection with the name stated in the log, or remove the connection. For more information about how to update the Worklist configuration post deployment, see Section 23.4, "Setting Up Worklist Connections."
During development, see the chapter "Integrating the Worklist Service" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter Portal.
To find out which connections names are referenced and to validate the Worklist service configuration, run the WLST command, listWorklistConnections(appName='myApp', verbose=true). For more information, see "listWorklistConnections" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
There is no reference to a Worklist service connection in the application's adf-config.xml, but this connection exists in the connections.xml file.
Problem
In diagnostic log files for the managed server on which the application is running, you see entries such as the following:
[2009-03-23T10:23:56.943+00:00] [DefaultServer] [WARNING] [WCS-32009] [oracle.webcenter.worklist.config] [tid: [ACTIVE].ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user] [ecid: 0000I0mqx8Fk3FLN2o2ye19lqBV000008,0] [APP: Worklist#V2.0] The Worklist service does not have a ConnectionName configuration entry in adf-config.xml that maps to a BPELConnection in connections.xml, therefore the Worklist service was not configured for this application.
Solution
Configure a connection to at least one BPEL server so that the Worklist service can query worklist items.
Post deployment, create Worklist connections through WLST or Fusion Middleware Control. For information, see Section 23.4.2, "Registering Worklist Connections." During development, create Worklist connections through Oracle JDeveloper. For information, see the chapter "Integrating the Worklist Service" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter Portal. Do not modify adf-config.xml and connections.xml files manually.
Problem
The Worklist task flow continues to display the No Rows Yet message.
Solution
The following are possible solutions to address this problem:
No 'Assigned' worklist items exist for the logged in user:
If worklist items are assigned to the logged-in user and the state of these items is Assigned, then they always show in the Worklist task flow. The No Rows Yet message indicates that no assigned Worklist items exist for the logged-in user. This is not an issue, but expected behavior.
To confirm that this message is displaying correct information, open the Oracle SOA Suite BPEL Worklist application, and check whether any worklist items exist. The URL of BPEL Worklist application is: http://host:port/integration/worklistapp. Where host and port are the same as those used in the Worklist connection.
The ADF page on which the Worklist task flow exists is not ADF-secured:
The Worklist task flow is not able to query the Worklist repository, because there is no authenticated user associated with the application session to access the Oracle SOA Suite BPEL server. Apply the ADF security on the page. For information, see the section "Setting Security for the Worklist Service in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter Portal.
Server failure is the likely cause of an issue if a Worklist service connection exists, and the Worklist task flow shows the The Worklist service is unavailable warning. In case of multiple connections, the More items not currently available message displays. These generic warning messages display when there is an issue with Worklist service interactions with the Oracle SOA Suite BPEL repository.
To identify the root cause of the issue, examine the managed server's diagnostic logs at the time when the service fails. In some cases it is necessary to also examine the log files of the managed server on which the Oracle SOA Suite BPEL processes run. Typically, an entry such as the following exists in diagnostic logs of the Worklist application's managed server:
[2009-03-23T11:35:21.735+00:00] [DefaultServer] [ERROR] [WCS-32100] [oracle.webcenter.worklist.model] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user] [ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0] [APP: Worklist#V2.0] [arg: WebCenter Worklist] The WebCenter Worklist has queried the BPEL Worklist connection named 'WebCenter Worklist', and encountered a WebCenter Executor error. Please see related exception for details. If the WebCenter Worklist is running in an Application Server, check to see if the wsm-pm application is up and running.
This states that there is an issue with the wsm-pm application that is used for WS security. There can also be some other causes related to the exception. It is recommended that you examine the logged exceptions on both the WebCenter managed server and the configured Oracle SOA suites managed servers when these issues occur.
This section includes the following sub sections:
Section 23.5.2.2, "Shared User Directory Does Not Include the weblogic User"
Section 23.5.2.4, "Clocks are Out of Sync for More Than Five Minutes"
Section 23.5.2.5, "Worklist Service Timed Out or is Disabled"
Mismatch in identity stores used by the managed server on which the Worklist service task flow is running and that of the Oracle SOA Suite BPEL server.
Problem
If a user exists in the Worklist managed server's identity store but not in the Oracle SOA Suite's identity store, then the following messages display:
In the diagnostic logs of the Worklist service's managed server:
[2009-03-23T11:35:21.407+00:00] [DefaultServer] [ERROR] []
[oracle.webcenter.worklist.config] [tid: pool-1-daemon-thread-12] [userId: Luke]
[ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0:1:3] [APP: Worklist#V2.0] Error in
workflow service Web service operation invocation.[[
Error in workflow service Web service operation invocation. The error is .
Verify that the SOAP connection information for the server is correct.
ORABPEL-30044
Error in workflow service Web service operation invocation.
Error in workflow service Web service operation invocation. The error is .
Verify that the SOAP connection information for the server is correct.
at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.convertSOAPF
aultException(TaskQueryServiceSOAPClient.java:242)
at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.invoke(TaskQ
ueryServiceSOAPClient.java:203)
at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.authenticate
(TaskQueryServiceSOAPClient.java:253)
at
oracle.bpel.services.workflow.query.client.AbstractDOMTaskQueryServiceClient.authe
nticate(AbstractDOMTaskQueryServiceClient.java:164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.webcenter.concurrent.MethodTask.call(MethodTask.java:34)
at oracle.webcenter.concurrent.Submission$2.run(Submission.java:492)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:499)
at oracle.webcenter.concurrent.Submission.run(Submission.java:433)
at
oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:779)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at
oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThre
adPoolExecutor.java:657)
at
oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPo
olExecutor.java:682)
at java.lang.Thread.run(Thread.java:619)
]]
[2009-03-23T11:35:21.735+00:00] [DefaultServer] [NOTIFICATION] []
[oracle.webcenter.worklist.config] [tid: pool-1-daemon-thread-15] [userId: Luke]
[ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0:1:6] [APP: Worklist#V2.0]
TaskServiceSOAPClient: soapFault:[[
<env:Fault
xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-sece
xt-1.0.xsd"xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>ns0:FailedAuthentication</faultcode>
<faultstring>FailedAuthentication : The security token cannot be authenticated
or authorized.</faultstring>
<faultactor/>
</env:Fault>
]]
In the diagnostic logs of the Oracle SOA Suite's managed server:
[2009-03-23T04:52:07.909-07:00] [soa_server1] [ERROR] [WSM-00008] [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000I0nB64fFk3FLN2o2ye19lrBX00000O,0:1:3:1] [WEBSERVICE_PORT.name: TaskQueryServicePortSAML] [APP: soa-infra] [J2EE_MODULE.name: /integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] Web service authentication failed.
Solution
The same users must exist in identity stores of both managed servers. For information, see the section "Setting Security for the Worklist Service in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter Portal.
This can be easily accomplished with a common LDAP identity store. A useful check is to validate that you can log in to the Oracle SOA Suite's BPEL Worklist application with the user ID for which the Worklist service is unavailable. That is, try accessing the integration Worklist application at: http://host:port/integration/worklistapp. Where the host and port are the same as those used in the Worklist connection for the task flow application.
Problem
BPEL Web services cannot respond to requests received from the Worklist service because the shared user directory does not include the weblogic user.
Solution
Ensure that you have tried the solution provided in Users Mismatch in Identity Stores. If that solution did not resolve the issue, then try the solution described in this section.
If Oracle SOA Suite is connected to a shared user directory (LDAP), and the user weblogic does not exist in the identity store, then the following step assigns the BPMWorkflowAdmin role to a valid user in the identity store. Use WLST to revoke an application role from SOAAdmin and grant it to a member of the external identity store. This can be done by running the following WLST command from the SOA_ORACLE_HOME. For example:
cd SOA_ORACLE_HOME/common/bin/
wlst.sh
connect('weblogic','weblogic', '## soa host ##:## soa administration port ##')
revokeAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="SOAAdmin")
grantAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
principalClass="weblogic.security.principal.WLSUserImpl", principalName="user")
In this example, the LDAP identity store has a user named user. If the user to which you want to grant the BPMWorkflowAdmin role does not exist in the LDAP identity store, then you must restart the Oracle SOA Suite's managed server to make this change effective.
Problem
Issue with the wsm-pm application on either the Worklist service's managed server, or the Oracle SOA Suite's managed server, or on both.
Solution
The wsm-pm application manages the Web service security policies that control the SAML authentication in the Worklist service. To validate the wsm-pm application, log in to the wsm-pm application's validation page as a user with administrative rights. Use this format for validation: http://host:port/wsm-pm/validator. If there are no issues with this application, then accessible policies must display. If policies do not display, then investigate the related logged information on the server whose wsm-pm application is failing.
Due to security reasons, the Web service security interaction between the Worklist service's managed server and that of the Oracle SOA Suite BPEL must take place with a time difference of less than five minutes. That is, the clocks on both host machines must have a time difference of less than five minutes, otherwise authentication fails. The SAML assertion uses the NotBefore condition to verify this.
Problem
Clocks of the Worklist service's managed server and the Oracle SOA Suite BPEL's managed server are out of sync for more than five minutes.
Solution
Ensure that the current time is not set to earlier than the SAML assertion's clockskew, which is 300 seconds by default.
Either match the time on the client and service machines, or configure the agent.clock.skew property (in seconds) in the policy-accessor-config.xml file. This file is located in the DOMAIN_HOME/config/fmwconfig directory.
Problem
The Worklist service cannot obtain a query result from the Oracle SOA Suite BPEL server within a defined period.
The Worklist service issues queries to the Oracle SOA Suite BPEL server using concurrent threads. These threads are allotted a certain amount of time in which to respond. If these threads do not respond in the allotted time, for example 15 seconds, then the Worklist service times out the call, and it allows the task flow to display the unavailability message. In such a case, log files include related exceptions such as the following:
[2009-03-03T12:09:34.769-08:00] [WLS_Spaces] [ERROR] [WCS-32103]
[oracle.webcenter.worklist.model] [tid: [ACTIVE].ExecuteThread: '3' for queue:
'weblogic.kernel.Default (self-tuning)'] [userId: user] [ecid:
0000HzDx68KC0zT6uBbAEH19fOWs00002q,0] [APP: webcenter] Unable to query BPEL repository.[[
oracle.webcenter.concurrent.TimeoutException: Execution timedout
queued : 1 ms
suspended : 0 ms
running : 15389 ms
timeout : 15000 ms
service : Worklist
resource : ir
source : oracle.webcenter.concurrent.CallableTask@bf3952
(oracle.webcenter.concurrent.CallableTask)
submission : 150
at
oracle.webcenter.concurrent.Submission.transitionTo(Submission.java:595)
at oracle.webcenter.concurrent.Submission.timeout(Submission.java:634)
at
oracle.webcenter.concurrent.InternalExecutorService.checkForTimeouts(InternalExecutorService.java:566)
at
oracle.webcenter.concurrent.InternalExecutorService.access$300(InternalExecutorService.java:18)
at
oracle.webcenter.concurrent.InternalExecutorService$1.run(InternalExecutorService.java:352)
at java.util.TimerThread.mainLoop(Timer.java:512)
at java.util.TimerThread.run(Timer.java:462)]]
Solution
If errors such as this occur consistently, then there may be fundamental issues with the resources available to the managed servers running the Worklist service and the Oracle SOA Suite BPEL server.
Validate that the volume of users and resources provided is adequate to run these servers in the infrastructure provided.
Note:
Continuous occurrence of TimeoutExceptions can also disable the Worklist service. Due to which this service cannot connect to the BPEL instance that is failing to respond quickly. In such a case, the logs contain oracle.webcenter.concurrent.DisabledException exceptions. These exceptions are related to the Worklist service failure.
|
 Copyright © 2009, 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|