20 Managing the Worklist Service

20.3.2.1 Registering Worklist Connections Using Fusion Middleware Control

To register a Worklist connection:

1. Log in to Fusion Middleware Control and navigate to the home page for WebCenter Spaces or the custom WebCenter application. For more information, see:

   • Section 6.2, "Navigating to the Home Page for WebCenter Spaces"

   • Section 6.3, "Navigating to the Home Page for Custom WebCenter Applications"

2. Do one of the following:

   • For WebCenter Spaces - From the WebCenter menu, choose Settings > Service Configuration.

   • For WebCenter applications - From the Application Deployment menu, choose WebCenter > Service Configuration.

3. From the list of services on the WebCenter Service Configuration page, select Worklist.

4. To register a new connection, click Add (Figure 20-1).

   Figure 20-1 Configuring Worklist Connections

   
   

5. Enter a unique name for the Worklist connection and activate the connection to use the connection immediately (Table 20-1).

   Table 20-1 Worklist Connection - Name

   Field	Description
   Name	Enter a unique name for the connection. The name must be unique (across all connection types) within the WebCenter application. This name may be displayed to users working with the worklist feature in the WebCenter application. Users may organize their worklist assignments through various sorting and grouping options. The option "Group By Worklist Server" displays the name you specify here so it's important to enter a meaningful name that other users will easily recognize, for example, Human Resources.
   Active Connection	Select to activate this worklist connection in the WebCenter application. Once activated, worklist items from the associated BPEL server display in users' worklists. Multiple worklist connections may be active at a time, enabling WebCenter users to monitor and manage assignments and notifications from a range of BPEL servers. If you need to disable a connection for any reason, deselect this option. (Edit mode only.) Check boxes indicate whether other components share this connection: WebCenter Spaces Application Indicates whether WebCenter Spaces uses this BPEL server connection for internal workflows, such as Group Space membership notifications, Group Space subscription requests, and more. The BPEL server that provides this functionality is the BPEL server included with the Oracle SOA Suite. For more information, see Section 9.1.1, "Specifying the BPEL Server Hosting WebCenter Spaces Workflows." Before modifying connection properties, consider impact to any other components that share this connection.

   
   

6. Enter connection details for the BPEL server (Table 20-2).

   Table 20-2 Worklist Connection - Connection Details

   Field	Description
   BPEL Soap URL	Enter the URL required to access the BPEL server. Use the format: protocol://host:port For example: http://mybpelserver.com:8001 Note: WebCenter Spaces uses the BPEL server included with the Oracle SOA Suite to implement group space subscription workflows. If you are setting up the workflow connection, make sure you enter the SOA Suite's BPEL server URL here. For more information, see Section 9.1.1, "Specifying the BPEL Server Hosting WebCenter Spaces Workflows."
   SAML Token Policy URI	Select the SAML (Security Assertion Markup Language) token policy this connection uses for authentication. SAML is an XML-based standard for passing security tokens defining authentication and authorization rights. An attesting entity (that has a trusted relationship with the receiver) vouches for the verification of the subject by method called sender-vouches.Options available are: SAML Token Client Policy (oracle/wss10_saml_token_client_policy) - Select to verify your basic configuration without any additional security. This is the default setting. SAML Token With Message Protection Client Policy (oracle/wss10_saml_token_with_message_protection_client_policy) - Select to increase the security using SAML-based BPEL Web Services. If selected, you must configure keystores both in your WebCenter application and in the BPEL application. For information about configuring the BPEL server's Worklist connection to use this policy, see Section 23.8.1.3, "Configuring the BPEL Server for a Simple Topology."

   
   

7. Click OK to save this connection.

8. To start using the new (active) connection you must restart the managed server on which the WebCenter application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Application Deployments."

20.3.2.2 Registering Worklist Connections Using WLST

Use the WLST command createBPELConnection to create a BPEL server connection. For command syntax and examples, see the section, "createBPELConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

To configure the Worklist service to actively use a new BPEL server connection some additional configuration is required. For more information, see Section 20.3.3.2, "Activating a Worklist Connections Using WLST."

For information on how to run WLST commands, see Section 1.12.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

20.3.3.1 Activating a Worklist Connections Using Fusion Middleware Control

To activate or disable a Worklist connection:

1. Log in to Fusion Middleware Control and navigate to the home page for WebCenter Spaces or the custom WebCenter application. For more information, see:

   • Section 6.2, "Navigating to the Home Page for WebCenter Spaces"

   • Section 6.3, "Navigating to the Home Page for Custom WebCenter Applications"

2. Do one of the following:

   • For WebCenter Spaces - From the WebCenter menu, choose Settings > Service Configuration.

   • For WebCenter applications - From the Application Deployment menu, choose WebCenter > Service Configuration.

3. From the list of services on the WebCenter Services Configuration page, select Worklist.

   The Manage Worklist Connections table indicates currently active connections (if any).

4. Select the Worklist connection you want to activate (or disable), and then click Edit.

5. Select the Worklist check box to activate this Worklist connection in the WebCenter application.

   Once activated, worklist items from the associated BPEL server display in Worklist task flows. If you need to disable a connection for any reason, deselect this option.

6. Click OK to update the connection.

7. To start using the new (active) connection you must restart the managed server on which the WebCenter application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Application Deployments."

20.3.3.2 Activating a Worklist Connections Using WLST

Use the WLST command addWorklistConnection to activate an existing BPEL connection for Worklist services. For command syntax and examples, see the section, "addWorklistConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

To subsequently disable a BPEL connection used by the Worklist service, run the WLST command removeWorklistConnection. Connection details are retained but the connection is no longer named as an active connection.

Use listWorklistConnections to see which connections are currently active. If the listWorklistConnections command indicates an invalid connection name, a connection was removed from connections.xml using the deleteConnection command but it was not removed from adf-config.xml with removeWorklistConnection. To resolve this issue, you can either re-create the named connection using createBPELConnection, or run the removeWorklistConnection command.

For syntax details and examples, see "removeWorklistConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

For information on how to run WLST commands, see Section 1.12.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

20.3.4.1 Modifying Worklist Connection Details Using Fusion Middleware Control

To update worklist connection details:

1. Log in to Fusion Middleware Control and navigate to the home page for WebCenter Spaces or the custom WebCenter application. For more information, see:

   • Section 6.2, "Navigating to the Home Page for WebCenter Spaces"

   • Section 6.3, "Navigating to the Home Page for Custom WebCenter Applications"

2. Do one of the following:

   • For WebCenter Spaces - From the WebCenter menu, choose Settings > Service Configuration.

   • For WebCenter applications - From the Application Deployment menu, choose WebCenter > Service Configuration.

3. From the list of services on the WebCenter Services Configuration page, select Worklist.

4. Select the Worklist connection you want to activate, and then click Edit.

5. Edit connection details, as required. For detailed parameter information, see Table 20-2, "Worklist Connection - Connection Details".

6. Click OK to update the connection.

7. To start using the updated (active) connection you must restart the managed server on which the WebCenter application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Application Deployments."

20.3.4.2 Modifying Worklist Connection Details Using WLST

Use the WLST command setBPELConnection to edit existing BPEL server connection details. For command syntax and examples, see the section, "setBPELConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

For information on how to run WLST commands, see Section 1.12.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

20.3.5.1 Deleting Worklist Connections Using Fusion Middleware Control

To delete a worklist connection:

1. Log in to Fusion Middleware Control and navigate to the home page for WebCenter Spaces or the custom WebCenter application. For more information, see:

   • Section 6.2, "Navigating to the Home Page for WebCenter Spaces"

   • Section 6.3, "Navigating to the Home Page for Custom WebCenter Applications"

2. Do one of the following:

   • For WebCenter Spaces - From the WebCenter menu, choose Settings > Service Configuration.

   • For WebCenter applications - From the Application Deployment menu, choose WebCenter > Service Configuration.

3. From the list of services on the WebCenter Services Configuration page, select Worklist.

4. Select the Worklist connection you want to delete, and then click Delete.

5. To confirm, click Yes.

6. To effect this change you must restart the managed server on which the WebCenter application is deployed. For more information, see Section 8.2, "Starting and Stopping Managed Servers for WebCenter Application Deployments."

20.3.5.2 Deleting Worklist Connections Using WLST

Use the WLST command deleteConnection to remove a BPEL connection previously registered for the Worklist service. For command syntax and examples, see the section, "deleteConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Use the WLST command removeWorklistConnection remove a BPEL server that is configured in adf-config.xml. The Worklist service no longer uses the connection specified but BPEL server connection details are retained in connections.xml for future use.

Use the WLST command deleteConnection to remove a BPEL server connection from connections.xml.

For command syntax and detailed examples, see "removeWorklistConnection" and "deleteConnection" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

For information on how to run WLST commands, see Section 1.12.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands."

20.4.1.1 adf-config.xml Refers to a Non-Existent BPEL Connection

Problem

The connection listed in the adf-config.xml file does not exist in the application's connections.xml file. The following entries exist in the diagnostic log file for the managed server on which the application is running:

[2009-03-22T13:33:54.140+00:00] [DefaultServer] [WARNING] [WCS-32008] [oracle.webcenter.worklist.config][tid: [ACTIVE].ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'] userId: user][ ecid: 0000I0iOmdTFk3FLN2o2ye19kTB0000V,0][APP: Worklist#V2.0 arg: Human Resources The BPEL Connection named 'connection_name' was not present in the connections.xml file. This will prevent the Worklist service from being able to interact with the required this BPEL connection.

Solution

Either create a BPEL connection with the name stated in the log, or remove the connection. For more information about how to update the Worklist configuration post deployment, see Section 20.3, "Setting Up Worklist Connections."

During development, refer to the chapter "Integrating the Worklist Service" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

To find out which connections names are referenced and to validate the Worklist service configuration, run the WLST command, listWorklistConnections(appName='myApp', verbose=true). For more information, see "listWorklistConnections" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

20.4.1.2 adf-config.xml Has No Reference to a BPEL Connection

There is no reference to a Worklist service connection in the application's adf-config.xml, but this connection exists in the connections.xml file.

Problem

In diagnostic log files for the managed server on which the application is running, you see entries such as the following:

[2009-03-23T10:23:56.943+00:00] [DefaultServer] [WARNING] [WCS-32009] [oracle.webcenter.worklist.config] [tid: [ACTIVE].ExecuteThread: '21' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user] [ecid: 0000I0mqx8Fk3FLN2o2ye19lqBV000008,0] [APP: Worklist#V2.0] The Worklist service does not have a ConnectionName configuration entry in adf-config.xml that maps to a BPELConnection in connections.xml, therefore the Worklist service was not configured for this application.

Solution

Configure a connection to at least one BPEL server so that the Worklist service can query worklist items.

Post deployment, create Worklist connections through WLST or Fusion Middleware Control. For information, see Section 20.3, "Setting Up Worklist Connections." During development, create Worklist connections through Oracle JDeveloper. For information, see the chapter "Integrating the Worklist Service" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

20.4.1.3 No Rows Yet Message Displays

Problem

The Worklist task flow continues to display the No Rows Yet message.

Solution

The following are possible solutions to address this problem:

• No 'Assigned' worklist items exist for the logged in user:

  If worklist items are assigned to the logged-in user and the state of these items is Assigned, then they always show in the Worklist task flow. The No Rows Yet message indicates that no assigned Worklist items exist for the logged-in user. This is not an issue, but expected behavior.

  To confirm that this message is displaying correct information, open the Oracle SOA Suite BPEL Worklist application, and check whether any worklist items exist. The URL of BPEL Worklist application is: http://host:port/integration/worklistapp. Where host and port are the same as those used in the Worklist connection.

• The ADF page on which the Worklist task flow exists is not ADF-secured:

  The Worklist task flow is not able to query the Worklist repository, because there is no authenticated user associated with the application session to access the Oracle SOA Suite BPEL server. Apply the ADF security on the page. For information, see the section "Setting Security for the Worklist Service in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

20.4.2.1 Users Mismatch in Identity Stores

Mismatch in identity stores used by the managed server on which the Worklist service task flow is running and that of the Oracle SOA Suite BPEL server.

Problem

If a user exists in the Worklist managed server's identity store but not in the Oracle SOA Suite's identity store, then the following messages display:

In the diagnostic logs of the Worklist service's managed server:

[2009-03-23T11:35:21.407+00:00] [DefaultServer] [ERROR] []
[oracle.webcenter.worklist.config] [tid: pool-1-daemon-thread-12] [userId: Luke]
[ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0:1:3] [APP: Worklist#V2.0] Error in
workflow service Web service operation invocation.[[
Error in workflow service Web service operation invocation. The error is .
Verify that the SOAP connection information for the server is correct.
 ORABPEL-30044
Error in workflow service Web service operation invocation.
Error in workflow service Web service operation invocation. The error is .
Verify that the SOAP connection information for the server is correct.
    at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.convertSOAPF
aultException(TaskQueryServiceSOAPClient.java:242)
    at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.invoke(TaskQ
ueryServiceSOAPClient.java:203)
    at
oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient.authenticate
(TaskQueryServiceSOAPClient.java:253)
    at
oracle.bpel.services.workflow.query.client.AbstractDOMTaskQueryServiceClient.authe
nticate(AbstractDOMTaskQueryServiceClient.java:164)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.webcenter.concurrent.MethodTask.call(MethodTask.java:34)
    at oracle.webcenter.concurrent.Submission$2.run(Submission.java:492)
    at java.security.AccessController.doPrivileged(Native Method)
    at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
    at oracle.webcenter.concurrent.Submission.runAsPrivileged(Submission.java:499)
    at oracle.webcenter.concurrent.Submission.run(Submission.java:433)
    at
oracle.webcenter.concurrent.Submission$SubmissionFutureTask.run(Submission.java:779)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at
oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.runTask(ModifiedThre
adPoolExecutor.java:657)
    at
oracle.webcenter.concurrent.ModifiedThreadPoolExecutor$Worker.run(ModifiedThreadPo
olExecutor.java:682)
    at java.lang.Thread.run(Thread.java:619)
]]
[2009-03-23T11:35:21.735+00:00] [DefaultServer] [NOTIFICATION] []
[oracle.webcenter.worklist.config] [tid: pool-1-daemon-thread-15] [userId: Luke]
[ecid: 0000I0n7GBZFk3FLN2o2ye19lrBX00000L,0:1:6] [APP: Worklist#V2.0]
TaskServiceSOAPClient: soapFault:[[
<env:Fault
xmlns:ns0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-sece
xt-1.0.xsd"xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <faultcode>ns0:FailedAuthentication</faultcode>
   <faultstring>FailedAuthentication : The security token cannot be authenticated
or authorized.</faultstring>
   <faultactor/>
</env:Fault>
]]

In the diagnostic logs of the Oracle SOA Suite's managed server:

[2009-03-23T04:52:07.909-07:00] [soa_server1] [ERROR] [WSM-00008] [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000I0nB64fFk3FLN2o2ye19lrBX00000O,0:1:3:1] [WEBSERVICE_PORT.name: TaskQueryServicePortSAML] [APP: soa-infra] [J2EE_MODULE.name: /integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] Web service authentication failed.

Solution

The same users must exist in identity stores of both managed servers. For information, see the section "Setting Security for the Worklist Service in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

This can be easily accomplished with a common LDAP identity store. A useful check is to validate that you can log in to the Oracle SOA Suite's BPEL Worklist application with the user ID for which the Worklist service is unavailable. That is, try accessing the integration Worklist application at: http://host:port/integration/worklistapp. Where the host and port are the same as those used in the Worklist connection for the task flow application.

20.4.2.2 Shared User Directory Does Not Include the weblogic User

Problem

BPEL Web services cannot respond to requests received from the Worklist service because the shared user directory does not include the weblogic user.

Solution

Ensure that you have tried the solution provided in Users Mismatch in Identity Stores. If that solution did not resolve the issue, then try the solution described in this section.

If Oracle SOA Suite is connected to a shared user directory (LDAP), and the user weblogic does not exist in the identity store, then the following step assigns the BPMWorkflowAdmin role to a valid user in the identity store. Use WLST to revoke an application role from SOAAdmin and grant it to a member of the external identity store. This can be done by running the following WLST command from the SOA_ORACLE_HOME. For example:

cd SOA_ORACLE_HOME/common/bin/
wlst.sh
connect('weblogic','weblogic', '## soa host ##:## soa administration port ##')
revokeAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
     principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="SOAAdmin")
grantAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
     principalClass="weblogic.security.principal.WLSUserImpl", principalName="user")

In this example, the LDAP identity store has a user named user. If the user to which you want to grant the BPMWorkflowAdmin role does not exist in the LDAP identity store, then you must restart the Oracle SOA Suite's managed server to make this change effective.

20.4.2.3 Issues with the wsm-pm Application

Problem

Issue with the wsm-pm application on either the Worklist service's managed server, or the Oracle SOA Suite's managed server, or on both.

Solution

The wsm-pm application manages the Web service security policies that control the SAML authentication in the Worklist service. To validate the wsm-pm application, log in to the wsm-pm application's validation page as a user with administrative rights. Use this format for validation: http://host:port/wsm-pm/validator. If there are no issues with this application, then accessible policies must display. If policies do not display, then investigate the related logged information on the server whose wsm-pm application is failing.

20.4.2.4 Clocks are Out of Sync for More Than Five Minutes

Due to security reasons, the Web service security interaction between the Worklist service's managed server and that of the Oracle SOA Suite BPEL must take place with a time difference of less than five minutes. That is, the clocks on both host machines must have a time difference of less than five minutes, otherwise authentication fails. The SAML assertion uses the NotBefore condition to verify this.

Problem

Clocks of the Worklist service's managed server and the Oracle SOA Suite BPEL's managed server are out of sync for more than five minutes.

Solution

Ensure that the current time is not set to earlier than the SAML assertion's clockskew, which is 300 seconds by default.

Either match the time on the client and service machines, or configure the agent.clock.skew property (in seconds) in the policy-accessor-config.xml file. This file is located in the DOMAIN_HOME/config/fmwconfig directory.

20.4.2.5 Worklist Service Timed Out or is Disabled

Problem

The Worklist service cannot obtain a query result from the Oracle SOA Suite BPEL server within a defined period.

The Worklist service issues queries to the Oracle SOA Suite BPEL server using concurrent threads. These threads are allotted a certain amount of time in which to respond. If these threads do not respond in the allotted time, for example 15 seconds, then the Worklist service times out the call, and it allows the task flow to display the unavailability message. In such a case, log files include related exceptions such as the following:

[2009-03-03T12:09:34.769-08:00] [WLS_Spaces] [ERROR] [WCS-32103]
[oracle.webcenter.worklist.model] [tid: [ACTIVE].ExecuteThread: '3' for queue:
'weblogic.kernel.Default (self-tuning)'] [userId: user] [ecid:
0000HzDx68KC0zT6uBbAEH19fOWs00002q,0] [APP: webcenter] Unable to query BPEL repository.[[
oracle.webcenter.concurrent.TimeoutException: Execution timedout
      queued :     1 ms
   suspended :     0 ms
     running : 15389 ms
     timeout : 15000 ms
     service : Worklist
    resource : ir
      source : oracle.webcenter.concurrent.CallableTask@bf3952
(oracle.webcenter.concurrent.CallableTask)
  submission : 150
        at
oracle.webcenter.concurrent.Submission.transitionTo(Submission.java:595)
        at oracle.webcenter.concurrent.Submission.timeout(Submission.java:634)
        at
oracle.webcenter.concurrent.InternalExecutorService.checkForTimeouts(InternalExecutorService.java:566)
        at
oracle.webcenter.concurrent.InternalExecutorService.access$300(InternalExecutorService.java:18)
        at
oracle.webcenter.concurrent.InternalExecutorService$1.run(InternalExecutorService.java:352)
        at java.util.TimerThread.mainLoop(Timer.java:512)
        at java.util.TimerThread.run(Timer.java:462)]]

Solution

If errors such as this occur consistently, then there may be fundamental issues with the resources available to the managed servers running the Worklist service and the Oracle SOA Suite BPEL server.

Validate that the volume of users and resources provided is adequate to run these servers in the infrastructure provided.