BPM, Workflow, and Case


Track client IP for new user sessions in IBM Business Automation Workflow

By Jens Engelke posted Tue December 22, 2020 09:28 AM


We have received many questions and feature requests around tracking "active" users in IBM Business Automation Workflow. The interpretation of "active users" varies greatly, from users who can access the system at all (because they exist in an LDAP server and are authorized to do X) up to users concurrently working in Process Portal.

The most reliable way of counting concurrent users is by auditing all incoming requests and listing users that are active during any given time window as described in Monitoring IBM Business Process Manager (BPM) V8570 usage.

However, enabling auditing in WebSphere Application Server is not free from a resource-consumption perspective, and it still requires a tool that periodically parses and aggregates the audit log files to arrive at the final number.

A close approximation can be obtained by simply reviewing the regular SystemOut.log files and searching for CWLLG1088I. Messages with this ID are emitted when a new session is established for a browser user. As you may know, IBM Business Automation Workflow requires up-to-date group membership information in its database so that it can query task lists efficiently by joining the task table with the group membership table. To keep the membership data in the database fresh for active users, the product synchronizes group memberships from the connected user registry (LDAP) into the database once per session. This is when CWLLG1088I is printed.

There are some grey areas, though:

  • Case Management features do not rely on these database tables, so the synchronization (and the log message) is skipped when a user works with Case Management capabilities only.
  • Programmatic REST clients often do not maintain session state and therefore trigger group membership synchronization for their system accounts (and the related log messages) over and over again, inflating the count.
  • There is no way to detect logouts, closed browsers, or users who simply navigate away; the log shows session starts only.

Because several customers have built their own monitoring around this log message, we extended this approach in V20.0.0.2: the client IP address from which the new browser session was established can now be logged as well.

A new 100Custom.xml setting enables the inclusion of the client IP. The feature is off by default because a client IP address can be considered sensitive (personal) information, and tracking it may require consent.

After running the following wsadmin (Jython) script against the deployment manager, synchronize the nodes and restart the JVMs of your AppTarget cluster:

# baw_de is the name of your deployment environment ('De1' is the name used here).
baw_de = 'De1'
# The parent nodes must exist in 100Custom.xml before the leaf setting can be created.
AdminTask.updateBPMConfig(['-de', baw_de, '-create', '/common'])
AdminTask.updateBPMConfig(['-de', baw_de, '-create', '/common/security'])
AdminTask.updateBPMConfig(['-de', baw_de, '-create', '/common/security/log-client-ip-at-logon', '-xNodeValue', 'true'])
# Persist the change to the master configuration (standard wsadmin step; not shown in the original post).
AdminConfig.save()

The next time a user establishes a new session, CWLLG0490I is emitted to the log as well, on the same thread and with the same timestamp as CWLLG1088I. If requests reach the AppTarget JVMs through a reverse proxy or load balancer, check which address ends up in the message, the proxy's or the original client's, before relying on it.

[12/22/20 15:01:06:740 CET] 00000188 SecurityCore  I com.lombardisoftware.server.ejb.security.SecurityCore updateGroupMembership CWLLG1088I: Initializing session is done for user de007
[12/22/20 15:01:06:740 CET] 00000188 SecurityCore  I com.lombardisoftware.server.ejb.security.SecurityCore refreshGroupMembershipAtLogin CWLLG0490I: New session established for user de007 from client IP
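The kind of tool the post alludes to, as an added example that is not part of the original post or the product: it parses SystemOut.log lines for CWLLG1088I and CWLLG0490I, pairs the client IP with the session it belongs to (same thread and user, whichever message is logged first), flags accounts whose session starts repeat so quickly that they look like the stateless REST clients from the second grey area, and counts distinct users per time window with or without those accounts. The sample log, the IP addresses, the users alice and svc_rest, and the "15 minutes / 3 sessions" thresholds are constructed for this example; the exact text after "from client IP" is assumed, since the page shows that line cut off.

```python
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Timestamp layout of the SystemOut.log lines shown on the page ("12/22/20 15:01:06:740").
# Assumption: US-style date order; adjust TS_FORMAT if your server runs with another locale.
TS_FORMAT = "%m/%d/%y %H:%M:%S:%f"

# CWLLG1088I is always logged when a browser session is initialized; CWLLG0490I is logged
# additionally when log-client-ip-at-logon is true. Assumption: the address directly follows
# "from client IP" (the page shows that part of the line cut off).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3}) [^\]]+\] "
    r"(?P<thread>[0-9a-fA-F]{8}) .*?"
    r"(?P<msgid>CWLLG1088I|CWLLG0490I): .*? for user (?P<user>\S+)"
    r"(?: from client IP (?P<ip>\S+))?"
)


@dataclass
class Session:
    when: datetime
    user: str
    ip: Optional[str]  # None while the feature is off (no CWLLG0490I line)


def parse_log(lines: Iterable[str]) -> List[Session]:
    """One Session per CWLLG1088I line; the IP from the CWLLG0490I line with the same
    thread and user is attached no matter which of the two messages is logged first."""
    sessions: List[Session] = []
    awaiting_ip: Dict[tuple, Session] = {}  # (thread, user) -> session without IP yet
    early_ip: Dict[tuple, str] = {}         # (thread, user) -> IP logged before CWLLG1088I
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log message
        key = (m["thread"], m["user"])
        if m["msgid"] == "CWLLG1088I":
            session = Session(datetime.strptime(m["ts"], TS_FORMAT), m["user"], early_ip.pop(key, None))
            sessions.append(session)
            if session.ip is None:
                awaiting_ip[key] = session
        else:
            session = awaiting_ip.pop(key, None)
            if session is not None:
                session.ip = m["ip"]
            else:
                early_ip[key] = m["ip"]
    return sessions


def suspected_programmatic_clients(sessions, threshold=3, span=timedelta(minutes=5)) -> Set[str]:
    """Users with at least `threshold` session starts inside any `span`: stateless REST
    clients re-trigger the membership sync on every call. Review before excluding them."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for s in sessions:
        times[s.user].append(s.when)
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= span for i in range(len(ts) - threshold + 1)):
            flagged.add(user)
    return flagged


def users_per_window(sessions, minutes=60, exclude=()) -> Dict[str, int]:
    """Distinct users that started a session in each window (window start -> count).
    `minutes` must divide 60 so windows align to the hour. Only session starts are
    known, so a user active across several windows is counted only where they logged on."""
    assert 60 % minutes == 0
    buckets: Dict[str, Set[str]] = defaultdict(set)
    for s in sessions:
        if s.user in exclude:
            continue
        start = s.when.replace(minute=s.when.minute - s.when.minute % minutes, second=0, microsecond=0)
        buckets[start.strftime("%Y-%m-%d %H:%M")].add(s.user)
    return {k: len(v) for k, v in sorted(buckets.items())}


# Constructed sample log: de007 is from the page; alice, svc_rest and all IPs are invented.
_C = "SecurityCore  I com.lombardisoftware.server.ejb.security.SecurityCore"
SAMPLE_LOG = "\n".join([
    f"[12/22/20 15:01:06:740 CET] 00000188 {_C} updateGroupMembership CWLLG1088I: Initializing session is done for user de007",
    f"[12/22/20 15:01:06:740 CET] 00000188 {_C} refreshGroupMembershipAtLogin CWLLG0490I: New session established for user de007 from client IP 10.20.30.40",
    f"[12/22/20 15:03:11:002 CET] 0000018c {_C} updateGroupMembership CWLLG1088I: Initializing session is done for user alice",
    f"[12/22/20 15:03:11:003 CET] 0000018c {_C} refreshGroupMembershipAtLogin CWLLG0490I: New session established for user alice from client IP 10.20.30.41",
    "[12/22/20 15:03:11:100 CET] 00000190 SystemOut     O unrelated application output",
    # a stateless REST client re-synchronizing its system account every minute
    *[line for minute in (10, 11, 12) for line in (
        f"[12/22/20 15:{minute}:00:000 CET] 00000192 {_C} updateGroupMembership CWLLG1088I: Initializing session is done for user svc_rest",
        f"[12/22/20 15:{minute}:00:001 CET] 00000192 {_C} refreshGroupMembershipAtLogin CWLLG0490I: New session established for user svc_rest from client IP 10.9.9.9",
    )],
    f"[12/22/20 16:05:30:500 CET] 000001a0 {_C} updateGroupMembership CWLLG1088I: Initializing session is done for user alice",
    f"[12/22/20 16:05:30:501 CET] 000001a0 {_C} refreshGroupMembershipAtLogin CWLLG0490I: New session established for user alice from client IP 10.20.30.41",
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sessions = parse_log(text.splitlines())
    bots = suspected_programmatic_clients(sessions)
    print("sessions:", len(sessions), "suspected programmatic clients:", sorted(bots))
    print("distinct users per hour:", users_per_window(sessions))
    print("without suspected clients:", users_per_window(sessions, exclude=bots))
```

Run it with the path to a SystemOut.log (or without arguments for the constructed sample). The pairing by thread and user is what makes the IP usable: both messages share a thread and timestamp in the page's own excerpt, and a plain "grep CWLLG0490I" would count a session twice if CWLLG1088I were also counted. The counts remain an upper bound for the first grey area (Case Management-only users never appear) and a lower bound for the third (nobody is ever removed).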