How to Delete Stale BI4 User Sessions with biUserSessionKillScript
Since the release of BI 4.0 (and going back as far as XI 3.x and XI R2), we’ve had various issues related to stale user sessions. I’m referring to a user session initiated from the BI Launchpad, CMC or other SDK application that should have expired and been deleted by the CMS hours or days ago, but is somehow still listed in the CMC > Sessions page. These open sessions not only consume a license but also take a small bit of CMS resources as long as they’re kept open. BI4.1 SP3 has a nice new feature that brings us one step closer by offering a way to manually drop a session. But this still leaves it up to the Administrator to manually do this periodically. See the screenshot below from a pre-release copy of SP3:
As you can see above, here’s a session that has been active for almost a week. The new SP3 feature will now allow you to select one or more sessions and click ‘end session’. This is no doubt a step in the right direction. Prior to BI4.1 SP3, you really had two options: 1.) recycle the CMS or 2.) run an SDK script to do the delete. I think we can do better than this.
I’d love to be able to solve the real issue(s)… which would be for the BI product to always close the session when it expires (or possibly even sooner, for instance when the user is finished with it). But unless we knew the exact workflow a user followed that led to a stale session, we can’t prevent and fix these types of problems in a patch or code correction. If you find a specific workflow that can cause a session to linger for hours or days after it should have expired, please raise an incident with SAP in the BIP-BI-SRV component and we’ll do our best to resolve it. Also, be sure to read kbase# 1862925 – “Session handling and tuning”. Until the workflows are each identified, I’m offering you more of a reactive approach to this problem.
I’ve seen a few scripts on the SCN offering a way to delete user sessions. But I couldn’t find one that offered a way to automate the task, delete it safely and most of all delete a user session based on its age. The script I created can be uploaded to your BI 4.x environment as a Program File and automated via a recurring schedule, or it can be run manually from a command line on or off the BI server. I’ve tested it under various locale and regional settings and it works well on both Windows and Linux installations. As with any program, there are probably flaws, so please use at your own risk and let me know if you run into problems.
Due to file format restrictions on the SCN, the ‘biUserSessionKillScript’ (.biar, .jar and source code) can be downloaded from:
kbase#: 996692 – How to Automate the Cleanup of Stale BI4 User Sessions
** UPDATE (March 15, 2019) **
I’ve added a new zip file attachment “biUserSessionKillScript_v2_for_BI42.zip” to the kbase article above. It includes a few updates I made to the original script. Version 2 now allows you to override the 60 minute minimum session age as well as pass in a list of excluded user Ids. Be aware, the 60 minute minimum age was originally enforced as a safeguard to prevent unintentional mishaps. I’ve removed it to give admins an easier way to test the script. I’ve also included the .java file (source code) for version 2 in the zip file. Input parameters are passed differently into the application in version 2. See the updated notes below for instructions on how to use the new script. Lastly, the new script is compiled in Java 8 and will not work in the lower environments which use the sapjvm 6.
Uploading as a Program File:
There are two ways to insert the Program File into your BI4 environment. You can either add it via the CMC as a Program File or import it through Promotion Management from an .lcmbiar file.
CMC insert method:
- Login to the CMC, Navigate to a folder, click on the ‘Manage’ menu and select: ‘Add’ > ‘Program File’
- Browse to the biUserSessionKillScript.jar file and change the ‘Program Type‘ radio button to ‘Java’.
- Select OK
Promotion Management method:
- Log into the CMC and open the Promotion Management page.
- Choose ‘Import’ > ‘Import File’ and select the attached .lcmbiar file.
- After clicking OK, select the destination dropdown and login to your CMS. Click ‘Create’.
- In the next screen, click ‘Promote’.
Scheduling the Program File:
Scheduling a Program File is very similar to scheduling a report. The only difference is you’ll need to specify a few arguments to tell BI how to run the program.
- Right click on the Program File and click ‘schedule’
- Select the ‘Program Parameters’ option on the left
- The only argument the script needs when run within BI is the Age of a Session in Minutes
- Specify this value in the Arguments textbox. For safety reasons, the value must be >= 60. Anything less and you risk deleting an active user session.
- In the ‘Class to run’ textbox, type: biUserSessionKillScript
- From here, you can specify any of the other scheduling settings you need like recurrence, notification, etc. and then click ‘Schedule’ to run the job.
- Regardless of whether the script succeeds, there will be a text file saved to the Output FRS with the results. Click on the instance title to view the output.
Running the jsp outside of BI
Run manually on the server console via cmd line:
- Copy the ‘biUserSessionKillScript.jar’ into the equivalent folder in your BI4 installation directory:
- C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib
- If your path is different than above, then you’ll need to also edit the ‘biUserSessionKillScript.bat‘ file so the correct path is referenced.
- Execute the .bat file directly.
- To prevent the cmd window from disappearing at the end of the program, open a cmd window first, drag the .bat file into the window and press Enter.
- Or you can copy the syntax within the .bat file and paste directly into a cmd window.
Run manually on a non-BI server via cmd line:
The biUserSessionKillScript.jar was compiled without including the BI4 dependency jars. This helps keep the file small and allows for a quick and easy download. Also, when the .jar is scheduled, BI already knows where to find the corresponding dependencies so there is no need to package them. However, if you want to run the script manually on a PC where neither BI4.x nor the client tools are installed, then you will need these dependencies inserted into the jar. In this case, follow the steps below.
- On the BI4 Server, open the ‘biUserSessionKillScript.jar’ file with WinRar.
- Navigate to the path ‘C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib’ and insert all of the files below into the .jar.
- aspectjrt.jar
- bcm.jar
- biarengine.jar
- ceaspect.jar
- cecore.jar
- celib.jar
- ceplugins_core.jar
- certjFIPS.jar
- cesession.jar
- corbaidl.jar
- cryptojFIPS.jar
- ebus405.jar
- logging.jar
- TraceLog.jar
- Prior to adding the jar files into biUserSessionKillScript.jar, it will look like:
- After adding the files, it should look like:
- To Execute the file, open a command prompt and run:
- Version 1:
- <path to java.exe> -jar <path to biUserSessionKillScript.jar> <username> <password> <CMS servername> <Auth Type> <session age in minutes>
- Version 2:
- <path to java.exe> -jar <path to biUserSessionKillScript.jar> -user=<username> -password=<password> -cms=<CMS servername> -age=<session age in minutes>
Input Arguments:
- Version 1:
- age = must be the first argument passed to the application and it must be specified as an integer. Minimum value = 60
- A second parameter that was undocumented was the “-force” switch. It could be passed as a second argument for testing lower values. If this is not specified, and the age value specified is lower than 60, the age which will be used becomes 60 minutes.
- Version 2:
- The arguments below can be used in any order and are not case sensitive (except for the password).
- -user=<username>
- specify the username to login. Only needed when executed on the cmd line. Do not include if scheduling as a program file.
- -password=<password>
- password of the user above. Only needed when executed on the cmd line.
- -cms=<cms hostname>
- CMS name to be used during login. Only needed when executed on the cmd line.
- -age=<session age in minutes>
- Session age in minutes. If used with the -force switch, value specified is used. If no -force switch is used, then the value must be greater than 60, otherwise 60 will be used.
- -excludeusers=<userID1,userID2,etc>
- List of user Ids to exclude from possible deletion. The session age is first evaluated, then cross referenced with the exclude list. If the session user ID exists in the exclude list, the session is not deleted. However, it will still be listed in the output as *Excluded*.
- -force
- if used, the age value is accepted as-is.
- Example: To purge all sessions including the one you used to run the script, use -force -age=0
- Only intended for testing purposes. Use at your own discretion.
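The version 2 switches above (-age, -force, -excludeusers) can be checked as a dry run before the job is scheduled. The following is an added example, not the author's script or its source: the session records are constructed, and the "Delete"/"Keep" labels and the case-insensitive matching of excluded user IDs against the session name are assumptions; the 60-minute floor, the age-then-exclude order and the *Excluded* label are taken from the post.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE_MINUTES = 60  # floor applied when -force is absent, per the post


def parse_args(argv):
    """Parse version-2 style switches: any order, switch names case-insensitive."""
    opts = {"age": None, "force": False, "excludeusers": [],
            "user": None, "password": None, "cms": None}
    for arg in argv:
        if not arg.startswith("-"):
            # Do not echo the argument: it could be a mistyped password.
            raise ValueError("unexpected positional argument")
        name, has_value, value = arg[1:].partition("=")
        name = name.lower()
        if name == "force" and not has_value:
            opts["force"] = True
        elif name == "age" and has_value:
            opts["age"] = int(value)  # raises ValueError if not an integer
        elif name == "excludeusers" and has_value:
            opts["excludeusers"] = [u.strip() for u in value.split(",") if u.strip()]
        elif name in ("user", "password", "cms") and has_value:
            opts[name] = value  # kept verbatim; the password is case sensitive
        else:
            raise ValueError(f"unknown or malformed switch: -{name}")
    if opts["age"] is None or opts["age"] < 0:
        raise ValueError("-age=<minutes> is required and must be >= 0")
    return opts


def effective_age(opts):
    """Without -force an age below 60 becomes 60; with -force it is used as-is."""
    return opts["age"] if opts["force"] else max(opts["age"], MIN_AGE_MINUTES)


def plan(sessions, opts, now):
    """Return (si_id, si_name, age_minutes, status) per session; deletes nothing."""
    threshold = effective_age(opts)
    excluded = {u.lower() for u in opts["excludeusers"]}  # assumption: case-insensitive
    rows = []
    for s in sessions:
        age = (now - s["si_creation_time"]).total_seconds() / 60
        if age <= threshold:
            status = "Keep"            # label chosen for this example
        elif s["si_name"].lower() in excluded:
            status = "*Excluded*"      # age is evaluated first, then the exclude list
        else:
            status = "Delete"          # label chosen for this example
        rows.append((s["si_id"], s["si_name"], round(age, 1), status))
    return rows


# Constructed sample data: not real sessions. Ages are relative to a fixed NOW.
NOW = datetime(2019, 3, 15, 12, 0, tzinfo=timezone.utc)
SESSIONS = [
    {"si_id": 1001, "si_name": "bwilson", "si_creation_time": NOW - timedelta(days=6, hours=20)},
    {"si_id": 1002, "si_name": "jdoe", "si_creation_time": NOW - timedelta(hours=3)},
    {"si_id": 1003, "si_name": "asmith", "si_creation_time": NOW - timedelta(minutes=10)},
    {"si_id": 1004, "si_name": "svc_extract", "si_creation_time": NOW - timedelta(hours=26)},
    # Stands in for the session that is running the script itself.
    {"si_id": 1005, "si_name": "Administrator", "si_creation_time": NOW - timedelta(seconds=30)},
]

if __name__ == "__main__":
    for argv in (["-age=7", "-excludeusers=svc_extract"],
                 ["-force", "-age=7"],
                 ["-force", "-age=0"]):
        opts = parse_args(argv)
        print(argv, "-> effective age", effective_age(opts))
        for row in plan(SESSIONS, opts, NOW):
            print("   ", row)
```

The third run shows why -force -age=0 is a test-only setting: every row, including the session running the script, comes back as Delete.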
Fantastic work Josh! I know of at least a few people that will be very grateful to see this blog post. I'm going to forward it on now!
Jb
In 4.1 SP3, Kill sessions is part of CMC. You can make use of that feature by upgrading to 4.1 SP3. SP3 should be available by end of March.
Amazing Josh. Great to see you 🙂
I have tested this in BI 4.1 SP2 and it works as expected.
Thank you Joshua Kuhn for sharing it over SCN.
Hello,
I am little confused as how it is different from SP3 feature. Is it better same like SP3.
The author is well aware of the new feature in SP3 as mentioned below -
BI4.1 SP3 has a nice new feature that brings us one step closer by offering a way to select a session in the CMC to end it. But this still leaves it up to the Administrator to manually kill these sessions.
Your clarification in this regard will be greatly appreciated.
Regards
SS
Jawahar / Surendra,
Thanks for the comments. I'll edit the blog shortly and add a screenshot of what the new feature looks like in SP3. Maybe this will add some clarity. In short, the new feature in SP3 gives an admin the ability to select a user session in the CMC > Sessions page and click delete. This requires manual intervention. The .jar in the blog offers a way to schedule a Program File periodically (once or twice a day) to do this cleanup automatically based on the age of the session. And it determines the age based on the session's creation time.
Hi Joshua,
Great article. I especially like the way you described to schedule the java app in the CMC console for recurrent executions.
To kill idle sessions, would you suggest using the SI_UPDATE_TS property of the Connection InfoObject, and compare it with the SI_CREATION_TIME to determine the idle time of the BOE user session?
Thanks,
Pawan.
Hi Pawan,
It's a good idea and this would be a cleaner way. Unfortunately, the SI_UPDATE_TS field can't be trusted in this way for this infoobject type. From what I've seen, the SI_UPDATE_TS, SI_CREATION_TIME, SI_LAST_ACCESS and SI_LASTLOGONTIME properties do not get updated within the lifespan of a session object. The original date-time value that is written when the user logs in doesn't change for any of these fields. This was why I chose to go off of the SI_CREATION_TIME.
Nice work Josh. Another useful tool for the administrator toolkit. 🙂
Great contribution Josh! There's been a few situations where we've needed the ability to clean up a stale user session.
I'm really glad integrated this functionality in the CMC in SP03, but your script makes it even possible for environments pre-SP03 🙂
This is very helpful.. Thank you
Hi,
I just ran this in our dev system as a test. I had a few users logged on for about 10 minutes so just as a test I ran it with 7 minutes as the parameter.
It ran successfully and the output report showed the users but none of the sessions were killed.
I did this through the CMC as a program file
Any thoughts? I would love to have this feature working until we upgrade to SP3.
Thanks!!
The minimum value the tool will accept is 60 minutes. This was done for two reasons.
1.) User sessions typically take ~60 minutes to timeout when an idle page is left open. Using any value less than 60 and you risk deleting an active user session.
2.) I didn't want the tool to be used to circumvent the licensing model.
The tough part about this whole idea is that there's no real way to tell the difference between a valid user session and one that isn't. The only method I could think of was to make an assumption based on time and leaving this up to the admin seemed the safest approach. I've yet to hear of an issue with anyone running the script where it doesn't work, or where it deletes more than it was intended. But I'd urge you to look at the output file that gets created after the program file is run. This will log the settings used when it was run and which sessions were left alone vs which ones were deleted at that time. Hope this helps. The blog explains how to find this output file. Thanks for the feedback and please continue to let me know if you have issues.
Awesome! thanks for the quick response. I will test out with a user logged in for over an hour.
I'll let you know how it goes.
Thanks!
Worked like a charm. Very nice program!
One question......obviously if reports are running under a users name they will not be stopped right? a session requires you to be physically logged on right?
When a report is scheduled, a user session is created for the duration of the schedule as the user that scheduled the document. However, this session is created with SI_AUTHEN_METHOD = 'server-token'. When you login as a user to BI Launchpad, for example, the SI_AUTHEN_METHOD = 'secEnterprise' , 'secWinAD' , etc. The script uses the following query to pull back session objects before it determines the age of each session:
select si_id, si_name, si_creation_time from ci_systemobjects where si_kind='Connection' and si_parentid=41 and si_name != 'System Account' and SI_AUTHEN_METHOD != 'server-token'
As you can see, the server tokens are already being omitted from the query, so these should never be removed as a part of this script. Also, a 'server-token' isn't a visible session that you would see in the CMC > Sessions page.
Looks like this solution is working great for my client. There was quite a stir-up with people not being able to log in:
A few notes: I set it to run every 4 hours with the 60Min threshold. Additionally I kept the number of instances allowed to just 50. No reason to have 10000s of these read outs.
Could be a nice way to retroactively check on your team and who was logged when!
thanks again!
Very much useful option provided within CMC for Administrator to support user session activities.
This is really helpful for what we are trying to do.Thanks.
Hi,
This has been really helpful in our environment. I am using this to kill the stale sessions in DEV/QA and PROD.
For the past couple of weeks I am getting an error on the schedules in Dev "
The specified JVM '"F:\Program Files (x86)\SAP BusinessObjects\SAP
BusinessObjects Enterprise XI 4.0\win32_x86\jre"\bin\java.exe' does not exist or
is not a valid executable file."
The schedule is still running fine in QA and Prod.
Appreciate your help.
Thanks,
Shaheen
The tool will be executed by the AdaptiveJobServer running the subservice: 'Program Scheduling Service'. I believe this service should be looking for the java.exe in the 64-bit location, not the 32-bit location you've specified above. Could it be you've added a JAVA_HOME env variable recently and pointed it to this location? or did you recently make any changes to the AdaptiveJobServer that would force it to use the java.exe in the 32bit dir? In any event, the AJS is a 64bit application and should load the 64bit jvm.
The error you're getting is more of a problem with how the jobserver is loading the jvm, not the execution of the script itself. The script has the ability to run in the 32 or 64 bit jvm in console mode. But when scheduling it, the jobserver decides where to load the jvm. The source of the issue is likely a recent java upgrade, env variable change, or something else related to java in this path. If the BI4 environment is clustered across multiple hosts, try using a JobServer on a different host to test. If you're having this issue scheduling the program file, I would also expect scheduling any webi doc on the same AJS to also fail.
Or you can try running the script manually from the command line. That would allow you to point to whichever java.exe you want it to use.
Does this program require "Program logon" information?
Not if you mean when scheduling within the CMC / BI Launchpad. An enterprise session is passed to the program at schedule time just like any other scheduled report in the system.
If the jar is run from the command line, then yes you will need to pass the CMS login information.
When I schedule from CMC without program logon, it failed with error "No operating system credentials were set for running the program"
When I gave the credentials of Server account, it failed again with error "
The Program Object reported an error while running, but no error code was
provided"
Feel free to private message me and we'll work through it. But I have never had to set the "program logon" options when scheduling this Program File.
The Adaptive JobServer which is running your 'Program Scheduling Service' will take the program from the FRS and execute it locally. So as long as this Jobserver is running under an account that has permissions to the java.exe and can run the command mentioned in the blog, it will work. It sounds like you have locked down your user accounts in some way where the SYSTEM account or whichever account is running your SIA might not have execute permissions to the java.exe. Try testing with another jar and upload it as a program file, chances are this will also fail.
Thanks. I sent an email to you. Please check.
Hi Joshua,
Thanks for providing the solution. It helped us a lot. I am facing the same issue as Jawahar stated above. I was able to implement this successfully in DEV/PROD but not in QA environment.
When I schedule from CMC without program logon, it failed with error "No operating system credentials were set for running the program"
When I give the credentials, I am getting the below error message.
Error Message:Could not authenticate using the provided operating system credentials.
Any help is greatly appreciated!!!
I'll be honest, I don't know if the other issue ever got resolved. It's the only time I had heard of the problem and now you're the 2nd. The last I spoke to Jawahar, I felt pretty confident the problem was specific to the Windows service account running the SIA. I remember wanting to test running the SIA as local SYSTEM or possibly as local Administrator just to test the theory, but I looked back through email conversations and don't see what the result of that test was or if it was ever tried. You may want to do the same, look to the local security policies and maybe compare settings between the servers.
Thanks Joshua for your prompt response. I really appreciate it. I will try to work with windows admin team and try to find out the differences between the servers. I will let you know whats causing this if I find out 😕 . Can I send you personal message on this particular issue where If BI expertise is needed?.
Of course.
Thanks Joshua for the example! I've done something similar, but I need to add multiple argument values into the args array in the program. I can't seem to figure out the syntax in the "Arguments" box to specify multiple values to populate my array. Can you help with that?
Thanks
I'm pretty sure the 'Arguments' textbox uses a space delimiter.
That was it! Thank you
Thanks for this post. I am using BO 4.1 SP3 Patch 10 and it helped me a lot fixing stale session issue.
-Vikash
Very nice and useful script. As an improvement it could have an option to kill sessions that are not active in the last x minutes/hours.
But looks like BI4 doesn't hold that information, in CMC you can find only first logon time.
Awesome work Josh 🙂 loved it a lot 😀
Hi Joshua,
The script worked in my dev system where the installation is in the default directory 'C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib'. But in my production the installation is on the D drive. When scheduling, I am getting an error java class path not found. How to get this to work?
-Praveen
I'm pretty sure the installation drive has nothing to do with it. The /java/lib folder that its looking for is referenced in a placeholder variable in your BI system. %CommonJavaLibDir%. When the program file is scheduled, its loaded by the jobserver and the jobserver is what will fetch the libraries needed. The script doesn't tell it where to get these, only the names of the required jars. If you unzip the biUserSessionKillScript.jar, there's a manifest file that shows the classpath. It shouldn't have any paths referenced here, only a comma separated list of names. Further to that, I'm pretty sure I've run the same script on a linux system.
This is likely more of a configuration issue on the 2nd server. Did you possibly not do a full install on the server where its failing? Maybe you're missing a few jars or config settings. Another idea would be to try copying the biUserSessionKillScript.jar into the /java/lib folder and executing it manually via command line from there? There's a batch file in the downloaded zip and instructions in the blog above on how to do this. If that works, then so should the jobserver. Lastly, try creating a new program file in the CMC and point to the same biUserSessionKillScript.jar file.
Hi Joshua,
I am trying to download the script, but was not able to do it. Does it require a special privilege?
The download link above points to kbase article which is password-protected via the Service marketplace. You will need a login for SMP.
I must say it is a great tool to control end user sessions. But unfortunately we are not able to identify the actual stale sessions. Sessions which are actually inactive for more than 60 minutes without any activity.
Here in this code we are just deleting sessions by comparing last logon time with current time. Not able use this tool 🙁 😥 😥 .
Actually I needed a tool to clear out the OpenDoc sessions. We are planning to use lot of Opendoc type reports. It will increase the user sessions. Was thinking may be I can use this tool to clearly identify such sessions and kill it after 60 minutes or so. I can see under CMC-->sessions, sometime it is marked as "Open Doc" or "Logon without Client ID".
Is there a way to kill specific sessions?
Correct, this script only compares logon time to current time. Each session, regardless if it comes in via openDoc, BI Launchpad or a client tool should adhere to the session timeout set on the web application server. Although the session cleanup usually works correctly within BI, we found that every once in a while certain sessions would stick around for days. This script was designed to help automate the cleanup of sessions in this situation (when the built in session cleanup didn't work), not a means of overriding the session cleanup already written into the BI4 product. At this time, the only way to delete a session is to do it via the CMC > Sessions page, restart the CMS's or to run a script such as this. The idle session is maintained by the web application server. When a user logs in, the clock starts counting down based on the session timeout setting. Every click resets the timer. When it reaches 0, then the web app server communicates this to the CMS and the CMS will eventually do its session cleanup. Because the remaining time value is never shared w/ the CMS (until it reaches 0), there's not a way for us to query the CMS via the BI SDK to determine HOW STALE a session is. Make sense?
It sounds like your concern is more about how to control sessions in a heavily used OpenDoc environment. I believe your answer is going to be in finding a sweet spot for the idle session timeout. What works for one system may be too short or too long for you. Based on the types of reports viewed through openDoc, you'll want to set the session timeout accordingly. Then for the few instances where a session is never cleaned up, you can run this script once or twice a day just to clean out the remainder of the sessions missed by the internal BI session cleanup mechanism. There used to be a workaround in previous versions for forcing an opendoc logout when the browser was closed, but this might not be possible anymore due to the BOE webapp changes in BI4.0 compared to XI3.1.
Thank you so much for your response. As you have said, need find that sweet spot. 😳
Didn't work for me at all.. I'm on SP7, latest patches.. I need it to kill users immediately upon closing the browser.. that's SUPPOSED to work in SP06.. but for me it does not. I have a case with SAP, but getting help is like pulling my own teeth out since they are on the opposite side of the planet.
BI 4.2 is the answer.
how\where do I get BI 4.2?
Hi Josh
Thanks for creating this!!
I have loaded the file via the lcmbiar file and scheduled it to run. All good so far, except it fails with the message:
Could not create temporary directory for program files.
Where is it trying to create this temp directory please?
Thanks
There is no temp directory specified in the script. It's likely the JobServer that is throwing the error. The program file will rely on the jobserver to execute it and if any temp files are created during the processing of it, they would utilize the jobserver's working folder.
If you have multiple jobservers, try scheduling it to a server group where you can force the processing to a specific JS and rule out if this error occurs on all or just a specific JS. Also check user security. Its not required, but try scheduling the program file as administrator and maybe move it to another folder where advanced permissions aren't denied. Worst case, look at the jobserver logs to see what other information it offers. Sorry, I haven't heard of this error coming up for anyone else. Please update the post if you were able to narrow down the problem.
hi Joshua, question, how does the script identify if the user session is active or stale? what if the user is active for 24 hours, and script argument is 720 minutes(12 hours), Will the user get kicked out because the user's session age has crossed the limit?
The script uses the SI_CREATION_TIME property of the session object to calculate how old the session is. There are other date time fields in the session object, such as SI_UPDATE_TS, SI_LAST_ACCESS and SI_LASTLOGONTIME. But at the time of writing the script, i found that these properties do not get updated within the lifespan of a session object. This was why I chose to go off of the SI_CREATION_TIME. The script will delete a session once its age is greater than the argument value (in minutes).
yes, once the session is deleted, if the user was actively using the BI Launchpad or CMC, they should receive a login prompt on their next click. So you really don't want to set the age argument too low for this reason.
And is this also an issue in SAP BI 4.2 SP2 , do we manually have to kill the Stale User sessions/use this automated script?
Hi Joshua,
The script is working in our production environment, but fails on all other environments with an error
"The specified JVM 'D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\bin\java.exe' does not exist or is not a valid executable file"
The set up is same across all environments. Any suggestions?
Thanks,
Shaheen
Hi Shaheen,
Is the path you entered a cut/paste mistake or did the error really have “\bin” entered twice in the path? It should obviously only exist once. As for the script failing, I’m not sure. There’s nothing in the script that points to java.exe and when running as a program file, its up to the jobserver to find the java.exe on the host to execute the jar.
Are you running it as a program file via the jobserver? Or are you running the jar manually on the host using the .bat file? I’d suggest running it manually via the bat file or you can use the Windows cmd prompt if you wish. The jar file would need to be copied into the java\lib folder first so the required dependency jars can be found. Once copied, if you use the .bat file, then first edit the file and change the path to your D:/ drive and test the path is correct. If you use the cmd option, then your command should look something like:
“D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\java.exe” -jar “D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib\biUserSessionKillScript.jar” Administrator <password> localhost secEnterprise 720
See if that works for you. If so, then there’s probably some kind of pathing issue on the problem servers when the jobserver tries to find the java.exe successfully. In that case, look to your placeholders in the CMC and/or possibly your JAVA_HOME env variable. Lastly, if you see the cmd above works, try it again by replacing the first path with just “java”. This will let the OS use the env variables to find the java.exe instead. If this fails, then what i just said about the java pathing is probably true.
Also, as a last resort, make sure you haven’t split the services on your jobservers. There could be a chance the request is being sent to a jobserver that doesn’t have a program job service member.
Good Luck!
Josh
Hi Josh,
I'm facing the same issue as described above:
The specified JVM 'D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\bin\java.exe' does not exist or is not a valid executable file.
I checked the %JdkBinDir% placeholder for the APS and this is set to: D:/Program Files (x86)/SAP BusinessObjects/SAP BusinessObjects Enterprise XI 4.0/win64_x64/sapjvm/bin/.
Also tried to run the .jar file via the command line as explained in your answer above. Unfortunately that will not work because our BI Plaform is Corba SSL encrypted so I'm unable to connect to the CMS.
Do you have any ideas? I'm running BI 4.2 SP5 Patch 4 installation.
Thanks for your reply!
With kind regards,
Martijn van Foeken | Interdobs
Hi Josh,
Some additional info: when I check the AJS logs I get the following:
JavaExec.cpp:498:-: TraceLog message 296
|5e3df926-ea72-bb04-a9e5-7c559908fb46|2019 01 09 15:43:50:963|+0100|Information| |==| | |jobserver_NLNEHVDCS4VWJ23.AdaptiveJobServer_ProgramSchedulingService_CHILD0| 2532|20216|| |178|1|4|2|BIAdministrationConsole.WebApp|NLNEHVDCS4VWJ23:1388:129.5838:1|CMS.runJobs|localhost:3644:7068.6680297:1|jobserver_NLNEHVDCS4VWJ23.AdaptiveJobServer_ProgramSchedulingService_CHILD0.run|localhost:2532:20216.5:1|CggeyuNvAkZ6uScwf6PfGGo16cc|||||||||||(JavaExec.cpp:498) procprogram: JavaProcessor::GetJVMPath() -- JVM path from environment variable JAVA_HOME: [D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin]
JavaExec.cpp:527:-: TraceLog message 297
|d030e57c-aae5-a0b4-2949-3f89b9b59aa6|2019 01 09 15:43:50:963|+0100|Information| |==| | |jobserver_NLNEHVDCS4VWJ23.AdaptiveJobServer_ProgramSchedulingService_CHILD0| 2532|20216|| |178|1|4|2|BIAdministrationConsole.WebApp|NLNEHVDCS4VWJ23:1388:129.5838:1|CMS.runJobs|localhost:3644:7068.6680297:1|jobserver_NLNEHVDCS4VWJ23.AdaptiveJobServer_ProgramSchedulingService_CHILD0.run|localhost:2532:20216.5:1|CggeyuNvAkZ6uScwf6PfGGo16cc|||||||||||procprogram: JavaProcessor::GetJVMPath() -- Located JVM at [D:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\bin\java.exe]
JAVA_HOME is set correct.
With kind regards,
Martijn van Foeken | Interdobs
Very useful tool.
I would like to have an extension. Define a white list usergroup by its id that is excluded from the kill. So our function users hosting several java sdk programs / jsps like extracting meta data and performing maintenance won't be affected.
Cheers
Roberto
Forgot to add: Very useful tool Joshua.
I do not see any source code attached to the zip file. I want to exclude Administrator from the kill.
I'm sorry Dave, but the source for this script was intentionally not publicized. I misspoke on an earlier post. If you want to email me directly, I can give you an updated jar that excludes SI_ID=12 so it's not brought back in the query.
Regards,
Joshua (Joshua.Kuhn@sapns2.com)
I see a couple of questions about a similar problem to the one I have when trying to schedule this program, but it seems that these did not reach any conclusion. When I scheduled biUserSessionKillScript, the first result was failed and the reason was "No operating system credentials were set for running the program."
The SIA service runs under a specified domain user account which is a member of the local server Administrators group, and from the event viewer I saw that the JobServerChild.exe process was created using this account.
I scheduled again with Run now and filled in the program logon information with the same account and it failed again, this time with the result "The Program Object reported an error while running, but no error code was provided." From the event viewer I saw that the JobServerChild.exe process was created using the same account.
When I try to run it from command line then I get java error:
Exception in thread "Thread-0" java.lang.NoClassDefFoundError: com/rsa/crypto/jcm/ModuleLoader
at com.rsa.cryptoj.o.cq.<clinit>(Unknown Source)
at com.rsa.cryptoj.o.co.<clinit>(Unknown Source)
at com.rsa.jsafe.CryptoJ.isFIPS140Compliant(Unknown Source)
at com.businessobjects.bcm.internal.BcmRsaLib.initialize(BcmRsaLib.java:214)
at com.businessobjects.bcm.internal.BcmRsaLib.<clinit>(BcmRsaLib.java:289)
at com.businessobjects.bcm.BCM.<clinit>(BCM.java:1158)
at com.crystaldecisions.enterprise.ocaframework.BCMInitializer.run(BCMInitializer.java:29)
at java.lang.Thread.run(Thread.java:812)
Caused by: java.lang.ClassNotFoundException: com.rsa.crypto.jcm.ModuleLoader
at java.net.URLClassLoader.findClass(URLClassLoader.java:444)
at java.lang.ClassLoader.loadClass(ClassLoader.java:490)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
... 8 more
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.NoClassDefFoundError: com/businessobjects/bcm/BCM : cannotinitialize class because prior initialization attempt failed
Is there something I can do to troubleshoot it, or are we missing some jar files or something else? Or does it just not work for some reason? We have BO 4.2 SP4 installed on the server.
Hi Markko,
Sorry for the delayed response. Although the program is quite old now, I've heard of it working for customers on BI4.2 SP4 and newer. So the patch level shouldn't be a problem. Although the program has dependencies, it doesn't come packaged with any. Meaning, it relies on the jobserver to load the jars from the local machine. I personally have not witnessed the error, but as mentioned, there were a couple of users that posted similar problems. I don't believe we were ever able to figure out the root cause. Based on the error in your post, the NoClassDefFoundError is thrown because the jar can't find the class "ModuleLoader.class". The ModuleLoader class is contained within the cryptojFIPS.jar which should exist in the "<bobj install>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib" folder.
Is there a chance you have a multinode install where only certain components were installed on the jobserver node? Usually most customers will do a full install on each node and then disable/stop and delete the servers they don't need. But if a custom install was done and certain components were left out on the node where the jobserver is running, then it's possible you're missing certain jars needed to run a program object.
Something else I should mention... When the program object is scheduled, the enterprise session is passed to the program object from the jobserver. This is done automatically by the sdk, not something written into the program itself. The CMS kicks off the schedule, finds an available jobserver to take the job and then the jobserver spawns a child process to run the job. The child process is responsible for executing the java program on the local machine wherever the jobserver is running. The jobserver already has its classpath defined as the /java/lib folder specified above and will look here for any dependencies. This is why they aren't packaged with the jar.
When you ran the java program manually on the command line (in jar format), you would have needed to run it from within this /java/lib folder so it would find all dependencies. Also, since you are running it on the command line, you will have to pass in the BI login credentials. The program will take these login creds as input arguments and create a new BI user session. At this moment, the sdk will look for the cryptojFIPS.jar to handle the secure login attempt.
In order to troubleshoot this further, make sure you're running the program object from within the /java/lib path mentioned above. If it's still returning a NoClassDefFoundError, try running on other servers to compare. Here's a list of the jars needed to run the program. All should exist by default in the /java/lib folder on the BI server running the jobserver.
aspectjrt.jar
bcm.jar
biarengine.jar
ceaspect.jar
cecore.jar
celib.jar
ceplugins_core.jar
certjFIPS.jar
cesession.jar
cryptojFIPS.jar
ebus405.jar
logging.jar
corbaidl.jar
Regards,
Joshua
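The dependency check suggested in the reply above, as an added example that is not part of the thread or of biUserSessionKillScript: it audits a java/lib folder for the listed jars and reports which jar, if any, actually contains the class named in the NoClassDefFoundError. The function names and the sample directory are constructed for illustration; point `audit_lib_dir` at the real java/lib folder on the jobserver node to use it.

```python
import os
import tempfile
import zipfile

# Jar names copied from the list in the reply above.
REQUIRED_JARS = [
    "aspectjrt.jar", "bcm.jar", "biarengine.jar", "ceaspect.jar", "cecore.jar",
    "celib.jar", "ceplugins_core.jar", "certjFIPS.jar", "cesession.jar",
    "cryptojFIPS.jar", "ebus405.jar", "logging.jar", "corbaidl.jar",
]
# Class named in the NoClassDefFoundError traces in this thread.
MISSING_CLASS = "com/rsa/crypto/jcm/ModuleLoader.class"


def audit_lib_dir(lib_dir, required=REQUIRED_JARS, class_entry=MISSING_CLASS):
    """Return (missing_jars, unreadable_jars, jars_containing_class)."""
    present = sorted(n for n in os.listdir(lib_dir) if n.endswith(".jar"))
    missing = [j for j in required if j not in present]
    unreadable, providers = [], []
    for name in present:
        try:
            with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
                if class_entry in jar.namelist():
                    providers.append(name)
        except (zipfile.BadZipFile, OSError):
            unreadable.append(name)  # truncated or corrupt copy
    return missing, unreadable, providers


def build_sample_lib(lib_dir, skip=("cryptojFIPS.jar",), corrupt=("bcm.jar",)):
    """Constructed stand-in for the java/lib folder; the jars are empty shells."""
    for name in REQUIRED_JARS:
        if name in skip:
            continue
        path = os.path.join(lib_dir, name)
        if name in corrupt:
            with open(path, "wb") as fh:
                fh.write(b"not a zip")
        else:
            with zipfile.ZipFile(path, "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lib(tmp)
        missing, unreadable, providers = audit_lib_dir(tmp)
        print("missing jars:   ", missing)
        print("unreadable jars:", unreadable)
        print("jars providing ModuleLoader:", providers or "none found")
```

An empty provider list on a real node means no jar in that folder ships the class, whatever the manifest references.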
There was summer and vacation and I looked at the problem again just now. Seems that I can't get it to work with BO 4.2 SP4. One reason may be the security changes that were made. One topic about it is https://answers.sap.com/questions/252016/sap-bo-bip-sdk-the-fips140-self-integrity-check-fa.html
And there is Note #2433337 where there is comment:
--------------------------
Addition of jars expected during Custom development using JAVA SDK
In 4.2 Sp04 RSA library is upgraded to 6.2.1 version for Java components. This version of RSA requires 2 additional jars of RSA to be referenced by BCM jar.
When the Java SDK from 4.2 SP04 is used by different components, if the new jars are not referred at runtime, BCM initialization error or classdefNotFound error is observed.
Resolution
When customers and partners are using SDK jars for custom development if the existing custom jars have references to cryptojFIPS, ssljFIPS, certjFIPS, kindly include references to jcmFIPS and cryptojce jars in order to avoid BCM initialization error/ classdefNotFound error during login etc.
Ensure that the entry is made to the required manifest file and also copy 2 additional jars to the required location.
For details refer to Note - 2451365
I tried adding these 2 jar files to the manifest, set the classpath from the command line, copied them to another lib directory, ran it in the same directory where the jar library was and tried a couple of other things but no luck. Error messages persisted and it didn't work on the command line. I guess I'll leave it at that and not troubleshoot it anymore.
Hi Markko,
If you have some time this week, would you mind contacting me so I can have a look at your system? I just imported the biar file into a BI4.2 SP4 system as well as a 4.2 SP6 environment. I tested with the same biar file that is saved in the SAP Note and the program object worked in each system without any modification. As you mentioned, the crypto libraries changed in SP4 but I really don't expect this to be a problem since the dependency jars aren't packaged in my jar. The only reference is to the classes I use directly in the manifest. The jobserver is responsible for loading all needed jars at schedule time. But there's a chance the jars you have are different than mine (even on the same patch level). So if you have time and are willing to talk, let's set up some time this week to try and figure out a solution. Once figured out, we'll post the results here for anyone else interested. Please email me directly - joshua.kuhn@sapns2.com
Regards,
Joshua
Hi Joshua, is there a specific version of Java needed for this to run? We are trying to run this on BOBJ 4.2 SP5 and we are getting the following error:
Exception in thread "Thread-0" java.lang.NoClassDefFoundError: com/rsa/crypto/jcm/ModuleLoader
at com.rsa.cryptoj.o.cq.<clinit>(Unknown Source)
at com.rsa.cryptoj.o.co.<clinit>(Unknown Source)
at com.rsa.jsafe.CryptoJ.isFIPS140Compliant(Unknown Source)
at com.businessobjects.bcm.internal.BcmRsaLib.initialize(BcmRsaLib.java:214)
at com.businessobjects.bcm.internal.BcmRsaLib.<clinit>(BcmRsaLib.java:289)
at com.businessobjects.bcm.BCM.<clinit>(BCM.java:1158)
at com.crystaldecisions.enterprise.ocaframework.BCMInitializer.run(BCMInitializer.java:29)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: com.rsa.crypto.jcm.ModuleLoader
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 8 more
Exception in thread "main" java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: java.lang.NoClassDefFoundError: Could not initialize class com.businessobjects.bcm.BCM
at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.establishConfidentialChannel(ConfidentialChannelService.java:189)
at com.crystaldecisions.sdk.occa.security.internal.ConfidentialChannelService.createConfidentialChannel(ConfidentialChannelService.java:149)
at com.crystaldecisions.sdk.occa.security.internal.CCMap.locateCCItem(CCMap.java:63)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:846)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:806)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:211)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:166)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody0(SessionMgr.java:915)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon_aroundBody1$advice(SessionMgr.java:521)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:1)
at biUserSessionKillScript.main(biUserSessionKillScript.java:49)
regards
Jonu Joy
Hi, I'm on version SAP Business Objects 4.2 SP4 Patch 9 (on Windows) and I have the same issue detailed in previous posts:
Exception in thread “Thread-0” java.lang.NoClassDefFoundError: com/rsa/crypto/jcm/ModuleLoader
at com.rsa.cryptoj.o.cq.<clinit>(Unknown Source)
at com.rsa.cryptoj.o.co.<clinit>(Unknown Source)
at com.rsa.jsafe.CryptoJ.isFIPS140Compliant(Unknown Source)
at com.businessobjects.bcm.internal.BcmRsaLib.initialize(BcmRsaLib.java:214)
....
I read the note related to the change in the Java library since version SP4, but I've not found any solution to solve the issue and make biUserSessionKillScript.jar work in my environment.
So I decided to put together a vbs in order to delete stale sessions from my environments.
Here is my vbs if anyone wants to test it.
Before using it you can customize it by modifying:
line) DoDelete = False ' False = Test Mode, True = Actually Delete Session
line) Set logStream = objFSO.OpenTextFile("C:\Temp\biUserSessionKillScript.log", 8, 1) Log in order to change path and log file name
Then you can run the vbs by running
'%windir%\SysWOW64\cscript.exe biUserSessionKillScript.vbs <System:Port> <AdminUser> <AdminPassword> <AuthenticationType> <SessionAgeinMinutes>
Bye
Alberto
Alberto, that is a good and working alternative. I tested it from the command line and it worked well. But I could not help myself and made it a little more compact. The part I rewrote is below.
“No operating system credentials were set for running the program” :
For anyone receiving the error “No operating system credentials were set for running the program.” while scheduling the program object, the issue looks to be in the security settings in the CMC application. Log into the CMC, go to the 'Applications' page, right click on 'Central Management Console' and choose the option 'Program Object Rights'. In the next page, deselect the option 'Use Impersonation' and the program object should now run to success. In the two cases I've seen thus far, this was enabled in the BI environment. By default this is usually disabled.
java.lang.NoClassDefFoundError :
This error appears to be a timing issue in how the dependency jars are getting loaded by the application (when run via cmdline) or by the jobserver (when scheduled). The cause comes down to the manifest file within the jar. All of the minimum dependencies are listed in the manifest. The problem occurs because these jars load other jars incorrectly. I've been able to resolve this by altering the manifest to explicitly include a few of the secondary jars. I'll be updating the attachment in the SAP Note with an updated jar to include the new manifest once I've had a chance to test on BI4.1. At this point I don't know if the new manifest will only work in BI4.2 or both BI4.2 and BI4.1. I'll update this thread once the SAP Note is updated and I've had more time to test the results in BI4.1.
Hope you are still monitoring this blog. I have set this program up on the CMC and had a user complain that it deleted his ACTIVE session. Is this looking at the wrong field to determine if the session is stale? What gets reset when the user is active in the system and working?
SAP BusinessObjects SP7 Patch 500
Hi Tom.
What your user witnessed is probably correct. However, this can only happen if you set the age parameter on the script to too low of a value.
Let me explain...
There are 4 date properties that reside in a session object. You can see this by using query builder. But the problem is that SI_UPDATE_TS, SI_CREATION_TIME, SI_LAST_ACCESS and SI_LASTLOGONTIME properties do not get updated within the lifespan of a session object. At least that's how it worked at the time of this blog post. I don't know if this is still true in the latest SP. Since the original date-time value that is written when the user logs in does not get updated for any of these fields, I chose to go off of the SI_CREATION_TIME to calculate the age of a session. The script uses the age parameter value you enter as an input parameter to determine if a session is old enough to be deleted. If you set this to 1 minute, then yes, any session older than a minute will be dropped.
Originally when I first released the script, I made sure the minimum value allowed for age was a high number. The idea was to prevent admins from deleting user sessions that were still in use. But I kept getting requests to circumvent this and eventually I made the change in version 2 to allow admins to override the minimum. The example I gave in the original blog was to use 720 minutes. Usually there really shouldn't be a need to run the script more than once or twice a day unless your system is always really close to exceeding the user licenses. But then again, maybe there is a use case that I'm not aware of. Hopefully this answers your question.
Regards,
Josh
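The age rule explained in the reply above, as an added sketch that is not the script's source (which was never published in this thread): sessions are selected purely by SI_CREATION_TIME, so a low age value also catches sessions that are still in use. The `user_id` and `still_working` fields, the `FLOOR_MINUTES` value and all session records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed guard value; the script's real minimum is not stated in the thread.
FLOOR_MINUTES = 120


def select_stale(sessions, now, age_minutes, exclude_user_ids=(), override_floor=False):
    """Return sessions whose SI_CREATION_TIME is older than age_minutes.

    Age is measured from creation only because, per the reply above, no
    timestamp on the session object is refreshed while the user works.
    """
    if age_minutes < FLOOR_MINUTES and not override_floor:
        raise ValueError(f"age {age_minutes} is below the {FLOOR_MINUTES} minute floor")
    cutoff = now - timedelta(minutes=age_minutes)
    return [s for s in sessions
            if s["SI_CREATION_TIME"] < cutoff and s["user_id"] not in exclude_user_ids]


def killed_while_active(sessions, now, age_minutes, **kwargs):
    """SI_IDs that would be dropped although the user is still working."""
    return [s["SI_ID"] for s in select_stale(sessions, now, age_minutes, **kwargs)
            if s["still_working"]]


# Constructed sample data. "still_working" is ground truth the CMS does not
# record; user_id 12 stands for the Administrator ID mentioned in the thread.
NOW = datetime(2019, 1, 9, 16, 0)
SESSIONS = [
    {"SI_ID": 5001, "user_id": 12, "SI_CREATION_TIME": NOW - timedelta(days=6), "still_working": False},
    {"SI_ID": 5002, "user_id": 4711, "SI_CREATION_TIME": NOW - timedelta(hours=13), "still_working": False},
    {"SI_ID": 5003, "user_id": 4712, "SI_CREATION_TIME": NOW - timedelta(minutes=45), "still_working": True},
    {"SI_ID": 5004, "user_id": 4713, "SI_CREATION_TIME": NOW - timedelta(minutes=5), "still_working": True},
]

if __name__ == "__main__":
    safe = select_stale(SESSIONS, NOW, 720, exclude_user_ids=(12,))
    print("age=720:", [s["SI_ID"] for s in safe])
    print("age=30, floor overridden, active sessions dropped:",
          killed_while_active(SESSIONS, NOW, 30, override_floor=True))
```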
Great work Josh, works in our 4.2 SP7 environment. I was wondering if you can update the script by including an input argument to target a specific user ID to be killed?
Hi all and hi Joshua, first of all thanks for your script.
Just a little question... I'm using 4.2 SP6 and when I run the script it fails with an "Erreur interne" message... any ideas of what occurs and how I can solve it?
Thanks in advance
Regards
Hi,
I got the following message :
The first argument must be an integer. Enter a value in minutes.
This is the argument :
What did I do wrong?
Kind regards
Suzy
Hi Suzy,
Simply enter the value in minutes.
Kind regards,
Martijn van Foeken | Interdobs
Hi Joshua,
It seems that the script scheduling does not work for 4.3
Do you have a new version package for 4.3?
Regards,
Jeff
Hello
After upgrading to 4.2 SP09 Patch 13 I have an error like below:
The Program Object reported an error while running, but no error code was provided.
Regards
There was a change to the Program object rights
https://launchpad.support.sap.com/#/notes/3245474