Messages - teera_aoo

#1
Quote from: Justin Derrick on September 03, 2025, 05:19:52 PM
You need to specify the Application Group or User Group that you want to apply that query restriction to.

As a matter of good governance, all permissions should be administered at the Group level, and users added to and removed from Groups in order to grant or restrict or deny access/permissions.

-JD.

Yes, although I specified the group, I still cannot update the query restriction using the arsxml command.

...
  <applicationGroup name="AG1" ... >
     <permission group="GROUP"  ....... queryRes="br_code = '001'" />
...

#2
I'm trying to update a query restriction with arsxml.

USER1 has permission to view application group AG1, but no query restriction was configured at first.
So, when I export the XML with arsxml export, the output XML looks something like this:

<onDemand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <applicationGroup name="AG1" ... >
      <field name ... >
      <permission user="USER1" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true" />
       ....
   </applicationGroup>
</onDemand>

-- Then I edited it to --

<onDemand xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <applicationGroup name="AG1" ... >
      <field name ... >
      <permission user="USER1" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true"  queryRes="br_code = '001'" />
       ....
   </applicationGroup>
</onDemand>

When I execute the arsxml command, it does not update anything in the permission:
arsxml  -hlocalhost -uadmin -ppassword -i update_perm.xml  -v -x -ecu

...
ARS7709I Adding applicationGroup-permission, AG1-USER1
ARS7743E A permission object named 'USER1' already exists.
ARS7761I Add of applicationGroup-permission, USER1-USER1 failed.

 -- Then I tried 'task="update"' inside the XML tag, still no luck --
      <permission user="USER1" task="update" adminAuthority="true" lvAuthority="true" accessAuthority="true" docViewPerm="true" docAddPerm="true" docUpdatePerm="false" docDeletePerm="true" docPrintPerm="true" docCopyPerm="true" docHoldPerm="true" docCFSODPerm="true" docFTIPerm="true" annotViewPerm="true" annotAddPerm="true" annotDeletePerm="false" annotUpdatePerm="false" annotCopyPerm="true"  queryRes="br_code = '001'" />

But the message changed ...

ARS7755E The permission object named 'USER1' can not be updated unless the parent object is also being updated.

Can anyone suggest a solution?
#3
This is quite an old forum, but if it helps, please check the initial encryption key for arssockd.

Reference: https://www.ibm.com/support/pages/ibm-content-manager-ondemand-native-encryption (PDF on page 5)

# Create key store
gsk8capicmd_64 -keydb -create -db "odkeys.p12" -pw "myKeyDBpasswd" -type pkcs12 -stash

# Update Key to arssockd
arssockd -I <INSTANCE> -d "keystore_type=PKCS12,keystore_location=/opt/IBM/ondemand/V10.5/config/odkeys.p12,keystore_mkl=*"

# Checked by
arssockd -I <INSTANCE> -D

#4
Content Navigator / ICN 3.1.0 load main page failed
July 25, 2025, 10:58:08 AM
I'm having trouble accessing the main page (ICN admin desktop) after deploying ICN. All deployment steps completed successfully, and the JDBC datasource test passed.

Can anyone suggest a solution?

ICN:
Cannot connect to the web client.
The web application server might not be running or cannot be reached because of network problems.
Ask your system administrator to review the web application server log files.

In SystemOut.log:
[7/25/25 17:42:51:654 ICT] 0000009d SystemErr     R CIWEB Error: [@x.x.x.x] com.ibm.ecm.jaxrs.Actions.loadAndExecuteAction() Failed processing
javax.servlet.ServletException: Failed to initialize.
        at com.ibm.ecm.jaxrs.GlobalConfiguration.initialize(GlobalConfiguration.java:84)
        at com.ibm.ecm.jaxrs.GlobalConfiguration.process(GlobalConfiguration.java:177)
        at com.ibm.ecm.jaxrs.Actions.loadAndExecuteAction(Actions.java:951)
        at com.ibm.ecm.jaxrs.Actions.handleAction(Actions.java:134)
        at com.ibm.ecm.jaxrs.Actions.handlePostActions(Actions.java:204)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.ws.jaxrs20.server.LibertyJaxRsServerFactoryBean.performInvocation(LibertyJaxRsServerFactoryBean.java:650)
        at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.performInvocation(LibertyJaxRsInvoker.java:108)
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
        at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:176)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:191)
        at com.ibm.ws.jaxrs20.server.LibertyJaxRsInvoker.invoke(LibertyJaxRsInvoker.java:364)
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:73)
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:111)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:309)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:136)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:280)
        at com.ibm.ws.jaxrs20.endpoint.AbstractJaxRsWebEndpoint.invoke(AbstractJaxRsWebEndpoint.java:147)
        at com.ibm.websphere.jaxrs.server.IBMRestServlet.handleRequest(IBMRestServlet.java:192)
        at com.ibm.websphere.jaxrs.server.IBMRestServlet.doPost(IBMRestServlet.java:150)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at com.ibm.websphere.jaxrs.server.IBMRestServlet.service(IBMRestServlet.java:138)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1235)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:779)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:179)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:143)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:96)
        at com.ibm.ecm.filters.JAXRSFilter.doFilter(JAXRSFilter.java:42)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ecm.filters.CSPFilter.doFilter(CSPFilter.java:89)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ecm.filters.ESAPIWafFilter.doFilter(ESAPIWafFilter.java:265)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ecm.filters.CORSFilter.doFilter(CORSFilter.java:85)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ecm.jaxrs.ContextFilter.contextFilter(ContextFilter.java:75)
        at com.ibm.ecm.jaxrs.ContextFilter.doFilter(ContextFilter.java:55)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ecm.filters.SessionTimeoutFilter.doFilter(SessionTimeoutFilter.java:79)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:197)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:979)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1119)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:82)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:966)
        at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:289)
        at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
        at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
        at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
Caused by: java.lang.IllegalStateException: Data store is null
        at com.ibm.ecm.configuration.GlobalConfig.initializeDatabaseConfiguration(GlobalConfig.java:114)
        at com.ibm.ecm.configuration.GlobalConfig.initialize(GlobalConfig.java:62)
        at com.ibm.ecm.configuration.Config.initialize(Config.java:112)
        at com.ibm.ecm.jaxrs.GlobalConfiguration.initializeConfig(GlobalConfiguration.java:93)
        at com.ibm.ecm.jaxrs.GlobalConfiguration.initialize(GlobalConfiguration.java:76)
        ... 70 more
#5
Hi Everyone,

I may not be the original forum owner, but I found the same issue. (Error 408: No availble connections to pool odpool)
Unfortunately, I have no issue with firewall/connectivity. (WAS/CMODREST/CMODSERVER on the same server!)

================
My arsrestapi.log:
2025-Apr-11 13:10:58.728 PM [] INFO  SecurityPropertyReader:provideServerPropertiesMap - Number of keys stored: 2
2025-Apr-11 13:10:58.729 PM [] INFO  PoolPropertyReader:provideServerPropertiesMap - Reading pool properties from -> poolConfig.properties
2025-Apr-11 13:10:58.730 PM [] INFO  PropertyMapReader:provideServerPropertiesMap - Reading pools from -> /opt/ibm/ondemand/V10.5/restcfgdir/pools
2025-Apr-11 13:10:58.730 PM [] INFO  PropertyMapReader:provideServerPropertiesMap - Pool configuration: /opt/ibm/ondemand/V10.5/restcfgdir/pools/odpool.conn
2025-Apr-11 13:10:58.733 PM [] INFO  StartupListener:init - Starting pool: odpool
2025-Apr-11 13:10:58.759 PM [] FATAL StartupListener:init - Trace directory does not exist!
2025-Apr-11 13:12:40.619 PM [ad5d072a-8f12-4bc6-b681-77521746bca3] INFO  LogFilter:filter - GET request to path v1/ping has been made wih authorizaion header CMODSharedKey odpool-{access-id}
2025-Apr-11 13:12:40.627 PM [ad5d072a-8f12-4bc6-b681-77521746bca3] INFO  SignatureRequiredFilter:filter - Security is currently disabled. Please note, this is intended for debug/development purposes only. This is not advised for production environements.
2025-Apr-11 13:12:40.651 PM [ad5d072a-8f12-4bc6-b681-77521746bca3] ERROR PingServiceImpl:getpingInfo - Trace directory does not exist!
2025-Apr-11 13:12:40.652 PM [ad5d072a-8f12-4bc6-b681-77521746bca3] ERROR PingService:ping - Server busy... Maximum pool size reached, no available connections!
2025-Apr-11 13:12:40.658 PM [ad5d072a-8f12-4bc6-b681-77521746bca3] INFO  LogFilter:filter - GET response from path v1/ping has been made

===================
My cmodtest.tmpl:
#OD Server Settings
odHost=192.168.40.102
odPort=1445
odUser=admin
odPassword={my-password}
odInstance=archive
transformXML=/opt/ibm/ondemand/V10.5/config/arsxform.xml
secureAPI=False
language=ENU
maxHits=100
tempDir=/tmp
traceDir=/tmp/traceDir
traceLevel=1
odInstallDir=
odCachedFolderList=
odEncryptionKey=
odSetKeyBeforeLogin=
mime-txt=text/plain
mime-pdf=application/pdf
# Pool
minIdlePerPool=3
maxIdlePerPool=10
maxTotalPerPool=10
maxTotal=40
maxWaitMillis=5000

#SSL Settings
USE_SSL=FALSE
SSL_KEYRINGFILE=
SSL_KEYRINGSTASH=
====
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/{MyServer}Node01Cell/cmod-rest_war.ear/cmod-rest.war/WEB-INF/classes/poolConfig.properties :
#Connection Pool Settings

# minIdlePerPool:
#
# The target for the minimum number of idle connections to maintain in each of the Pooled sub-pools
# Also used when instantiating the number of server connections created at startup for a given pool
minIdlePerPool=3

# maxIdlePerPool:
#
# The cap on the number of "idle" server connections per Pool
maxIdlePerPool=10

# maxTotalPerPool:
#
# The limit on the number of connections allocated by the pool (checked out or idle), per Pool
maxTotalPerPool=10

# maxTotal:
#
# The cap on the total number of connections managed by the pool. Negative values mean that
# there is no limit to the number of connections allocated by the pool
maxTotal=100

# maxWaitMillis:
#
# The maximum amount of time (in milliseconds) the borrowObject() method should block before
# throwing an exception when the pool is exhausted and getBlockWhenExhausted() is true. When
# less than 0, the borrowObject() method may block indefinitely.
maxWaitMillis=5000

===
Related Files/Folders:

# pwd
/opt/ibm/ondemand/V10.5/restcfgdir
# find .
.
./keys
./keys/MyAccessID.ksf
./cmodtest.tmpl
./pools
./pools/odpool.conn



Has anyone found the same issue?
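
A preflight check over the two configuration files quoted in this post, added here as an example (it is not part of the original post and not IBM code). It checks the condition the FATAL log line reports (the directory named by traceDir), lists secureAPI and USE_SSL for review when they are off, and reports pool keys whose values differ between the template and poolConfig.properties. The function names are hypothetical, the sample text is constructed from the values above, and which file takes precedence is not assumed.

```python
import os

POOL_KEYS = ("minIdlePerPool", "maxIdlePerPool", "maxTotalPerPool",
             "maxTotal", "maxWaitMillis")

# Constructed excerpts that reuse the values quoted in the post.
TEMPLATE = """\
secureAPI=False
tempDir=/tmp
traceDir=/tmp/traceDir
# Pool
minIdlePerPool=3
maxIdlePerPool=10
maxTotalPerPool=10
maxTotal=40
maxWaitMillis=5000
#SSL Settings
USE_SSL=FALSE
"""
POOL_CONFIG = """\
minIdlePerPool=3
maxIdlePerPool=10
maxTotalPerPool=10
maxTotal=100
maxWaitMillis=5000
"""

def read_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def preflight(props, isdir=os.path.isdir):
    """Return (severity, message) findings for one pool template."""
    findings = []
    for key in ("traceDir", "tempDir"):
        path = props.get(key, "")
        if not path or not isdir(path):
            findings.append(("ERROR", f"{key}={path} is not an existing directory"))
    for key in ("secureAPI", "USE_SSL"):
        value = props.get(key, "")
        if value.lower() != "true":
            findings.append(("WARN", f"{key}={value}: review before production use"))
    return findings

def pool_differences(template, pool_config):
    """Pool keys whose values differ between the two files."""
    return {k: (template.get(k), pool_config.get(k))
            for k in POOL_KEYS if template.get(k) != pool_config.get(k)}

if __name__ == "__main__":
    tmpl, pool = read_properties(TEMPLATE), read_properties(POOL_CONFIG)
    for severity, message in preflight(tmpl):
        print(severity, message)
    print(pool_differences(tmpl, pool))
```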

#6
I am using ARSMAINT to expire documents that have reached the aging criteria as defined in the Application Group in CMOD 10.1.0.3.


Command:
arsmaint -c -d -u admin -p xxxx -n 0 -x 0 -g MY-APPGROUP

However, it seems that there is a limit to the number of load IDs that can be expired at one time.

For example, if 1,000 documents meet the aging criteria for expiration in CMOD, the first execution of ARSMAINT will expire only the first 100 load IDs. The next execution will expire load IDs 101–200, and so on, until all 1,000 load IDs are expired.

I'm unsure whether this behavior has been previously observed or if IBM has issued any notice regarding this change in the ARSMAINT program. Additionally, I haven't found any new parameters that would allow an increase in the limit for the number of load IDs expired per execution.

# arsmaint
ARS1201I Usage: arsmaint [-c [-n <min>] [-x <max>]] [-d] [-D <pct>] [-e] [-f <full>] [-g <name>] [-i] [-I <od_inst>] [-L] [-m] [-o] [-r] [-R] [-t <yyyy-mm-dd> [-u <userid>] [-p <passwd>]]
        Version:  10.1.0.3
        -c Expire Cache
        -d Expire Database
        -D <pct> Threshold of load being held before reloading
                 (defaults to 0% - not reloaded)
        -e Migrate Database Tables
        -f <full> Cache Full - When to send alert message (defaults to 95%)
        -g <name> Application Group Name (Defaults to all)
        -h <od_inst> OnDemand Instance Name (same as -I)
        -i Expire Migrated Imported Database Tables
        -I <od_inst> OnDemand Instance Name (same as -h)
        -L Update load id table with application id
        -m Migrate Cache
        -n <min> Min cache threshold percentage (Only for -c, Defaults to 80%)
        -o Expire OnDemand Distribution Facility
        -p <passwd> OnDemand Passwd Stash File (Only for -t)
        -r Database Statistics
        -R Reload Resources
        -s Cache Filesystem statistics
        -t <yyyy-mm-dd> Date To Expire/Migrate (Defaults to Today)
        -u <userid> OnDemand Userid (Only for -t)
        -v Verify/Validate Cache Filesystems
        -x <max> Max cache threshold percentage (Only for -c, Defaults to 80%)



#7
Does your arscache filesystem utilization relate to your parameters?
-n 60 -x 70 : means that if the threshold is over 70%, expire until it has been reduced to 60%.
#8
Old topic, but I need to re-confirm: did you have any impact from moving CMOD from AIX to Linux?
I found some concerns about big endian (AIX) vs little endian (Linux) for cache filesystems.

But DB2 should be fine using DB2MOVE.
#9
It is based on your license type (e.g. AUVU, PVU, ...).

AUVU (Authorized User Value Unit): This counts the number of unique users added to the IBM CMOD system. The number of AUVUs purchased must not be exceeded by the number of users in the system.

PVU (Processor Value Unit): IBM has a reference table to calculate PVUs from the processor brand and number of cores.
An Intel core uses fewer PVUs than a POWER core, half as many as I remember.
(e.g. Intel 4 cores = 70 PVU, POWER 4 cores = 140 PVU; these may not be the actual values, just an example)

This licensing model requires the use of ILMT (IBM License Metric Tool) to track and report the number of CPU cores in your LPAR/VM, ensuring compliance with the number of PVUs purchased.

Also, they have some more license models: RVU, Employee VU, ...

However, double-check with your IBM sales representative about your license usage.
#10
CMOD for Multiplatforms / IBM CMOD Security Compliance
September 19, 2024, 04:08:06 AM
Does the IBM CMOD product have any document or certificate showing that the product passed a security scan?
(e.g. passed OWASP Top 10, secure coding, penetration test, or VA scan)

In the case of software packages, banking customers need this documentation/certification to approve go-live.
(In the case of app development, they need to have source code scan, VA scan, and penetration test processes.)
#11
Hi Justin,

Thank you.
It seems arspdoci is used to manage the PDF indexer for CMOD loading (like the PDF indexer that is used in the Admin Client to set up index positions from a PDF document).
But what I am trying to find out is how to cut a PDF by the offset/length specified in the .ind file from arsdoc get.

Thank you
#12
Hi Justin,

Thank you for your reply.
Yes, I am quite okay with the generic index file because I often use it for loading PDF and other types into CMOD.

The generic index files that I have used have the format below. (Offset=0, Length=0)
...
GROUP_OFFSET:0
GROUP_LENGTH:0
GROUP_FILENAME:File1.pdf
               
...
GROUP_OFFSET:0
GROUP_LENGTH:0
GROUP_FILENAME:File2
...



But I was referring to the merged PDF files that I got from arsdoc get: they do not append file2, file3, ... as page 2, page 3, ...
Instead it appends/builds something like layers or a binary combination.

The index refers to the same file, but with a different offset and length.

...
GROUP_OFFSET:0
GROUP_LENGTH:102187
GROUP_FILENAME:PDF-TIV2.pdf.0.PDF-TIV2.PDF-TIV2.out
               
...
GROUP_OFFSET:102187
GROUP_LENGTH:681891
GROUP_FILENAME:PDF-TIV2.pdf.0.PDF-TIV2.PDF-TIV2.out
...


Do you know of, or can you share, a document that explains this PDF's specification, or a utility to split it back to the originals?



#13
You may use DB2 HADR to sync the CMOD database, but you need another technique to manage arscache; one option is storage replication.

But I have never used DB2 HADR with CMOD, only storage replication for everything (both DB2 and arscache).
I have some customers who install CMOD and DB2 on 2 sites and put the data on SAN storage.
In the normal case, this storage is mounted on production and replicated to DR, and it is mounted at DR in a disaster. (Then start services.)

One issue that cannot be prevented in this scenario is data corruption: the destination will get the same data from the source storage.
Another point is RPO: since the DB is replicated by storage, some of the last transactions that are incomplete may be lost in rollforward/recovery when starting the DB at the DR site.

#14
I have a requirement to export all data from CMOD to the original PDFs with their indexes. (To use on another system)

So, I tried to use the 'arsdoc get' command. But the PDF output is merged in a very strange format that cannot be used on another system:
when opened in a normal PDF viewer, it shows only the first file exported from CMOD, although I exported about 10 PDF files from CMOD.
When I inspect the file size of the merged PDF, I see that it is the size of the 10 PDFs combined. (Ex. each file is 100K, merged file is 1000K)
The index file shows the offset/length of each PDF. I think it is managed as layers of PDF.


arsdoc get -hlocalhost -uadmin -ppassword -f "PDF-TIV" -g  -N -c -i "where doc_no like '%'" -o PDF-TIV.pdf
Note:
- When loaded back into CMOD with arsload, it is split into 10 PDF files correctly
- Options -g -N -c need to be used together.

Screenshot: https://u.pcloud.link/publink/show?code=XZCVdJ0ZotyT0txuaOYVyljCldfCzSOyuzd7
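
A splitter for the case described in posts #11, #12 and #14, added here as an example (it is not part of the original posts and not an IBM utility). It assumes that each GROUP_OFFSET/GROUP_LENGTH pair in the generic index is a byte range inside the file named by GROUP_FILENAME, and that Offset=0 with Length=0 means the whole file; the function names, the output naming and the sample data are constructed for illustration.

```python
import os
import tempfile

# Constructed sample data: two tiny stand-in documents, concatenated.
DOC1 = b"%PDF-1.4\n% constructed document one\n%%EOF\n"
DOC2 = b"%PDF-1.4\n% constructed document two, longer\n%%EOF\n"
NAME = "PDF-TIV2.pdf.0.PDF-TIV2.PDF-TIV2.out"

def parse_generic_index(text):
    """Return one {'offset', 'length', 'filename'} dict per index group."""
    groups, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in ("GROUP_OFFSET", "GROUP_LENGTH"):
            cur[key[6:].lower()] = int(value)
        elif sep and key == "GROUP_FILENAME":   # last line of a group
            if set(cur) != {"offset", "length"}:
                raise ValueError(f"group for {value!r} lacks offset/length")
            groups.append({**cur, "filename": value.strip()})
            cur = {}
    return groups

def split_output(groups, data_dir, out_dir, magic=b"%PDF-"):
    """Write each group's byte range to out_dir; return [(path, size)]."""
    written = []
    for n, g in enumerate(groups, 1):
        # The index is input data: keep only the file name so that a
        # crafted GROUP_FILENAME cannot point outside data_dir.
        src = os.path.join(data_dir, os.path.basename(g["filename"]))
        size = os.path.getsize(src)
        start = g["offset"]
        # Offset=0/Length=0 is the whole-file form quoted in the thread.
        length = g["length"] or size - start
        if start < 0 or length <= 0 or start + length > size:
            raise ValueError(f"group {n}: {start}+{length} outside {size}-byte file")
        with open(src, "rb") as fh:
            fh.seek(start)
            chunk = fh.read(length)
        if not chunk.startswith(magic):
            raise ValueError(f"group {n}: no {magic!r} header at offset {start}")
        dst = os.path.join(out_dir, f"doc_{n:04d}.pdf")
        with open(dst, "wb") as out:
            out.write(chunk)
        written.append((dst, len(chunk)))
    return written

def demo():
    """Split the constructed two-document file; return [(name, size)]."""
    index = (f"GROUP_OFFSET:0\nGROUP_LENGTH:{len(DOC1)}\nGROUP_FILENAME:{NAME}\n"
             f"...\nGROUP_OFFSET:{len(DOC1)}\nGROUP_LENGTH:{len(DOC2)}\n"
             f"GROUP_FILENAME:{NAME}\n")
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, NAME), "wb") as fh:
            fh.write(DOC1 + DOC2)
        out = split_output(parse_generic_index(index), tmp, tmp)
        return [(os.path.basename(path), size) for path, size in out]

if __name__ == "__main__":
    print(demo())
```

The header check stops the run when an offset does not land on the start of a document, which is the first thing to look at if the index and the output file come from different exports.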
#15
CMOD for Multiplatforms / Re: CMOD roadmaps after V10.5
February 08, 2024, 05:24:05 AM
Thank you very much, everyone. I will convince the end customer to go to 10.5.