
Configure Tivoli Access Manager WebSEAL to work with Process Portal

If you have Tivoli Access Manager WebSEAL and you want to use it with Process Portal, you must complete several additional configuration steps.

Before you complete this task, you must have completed the following tasks:

If you want to use Tivoli Access Manager WebSEAL with Process Portal, configure the user registry, configure IBM BPM to work with Tivoli Access Manager WebSEAL, configure Tivoli Access Manager WebSEAL to work with IBM BPM, and configure host junctions for your environment.


Procedure

  1. Configure the user registry.

    1. Verify that Tivoli Access Manager and IBM BPM have the same users in the user registries. Either use the same user registry or maintain separate registries but keep the users synchronized.

    2. To create a trusted user account in Tivoli Access Manager, which can be used for configuring TAI, issue the following commands:

      pdadmin -a sec_master -p domino123

      pdadmin sec_master> user create -gsouser -no-password-policy taiuser "cn=taiuser,ou=websphere,o=ibm,c=us" taiuser taiuser ptaiuser

      pdadmin sec_master> user modify taiuser password-valid yes

      pdadmin sec_master> user modify taiuser account-valid yes

  2. Configure IBM BPM to work with Tivoli Access Manager WebSEAL.

    1. On the administrative console, under Security > Global security, make sure to specify your user registry with the following information.

      • Host
      • Port
      • Bind distinguished name (DN)
      • Bind password

    2. On the IBM BPM system, run the com.tivoli.pd.jcfg.PDJrteCfg script to configure the Java Runtime Environment component for Tivoli Access Manager:

      java -cp BPM_installation_directory/tivoli/tam/PD.jar -Dpd.home=BPM_installation_directory/tivoli/tam/PolicyDirector -Dwas.install.root=BPM_installation_directory com.tivoli.pd.jcfg.PDJrteCfg -action config -cfgfiles_path BPM_installation_directory/java/jre -host Tivoli_Access_Manager_host -alt_config -was -java_home BPM_installation_directory/java/jre

      The script enables Java applications to use the Tivoli Access Manager policy and authorization servers.

      For ND environments, run the script on the dmgr first and then on the other nodes in the cell.

    3. Run the com.tivoli.pd.jcfg.SvrSslCfg script, which configures (or removes) the configuration information that links the WebSphere Application Server with the Tivoli Access Manager server. Enter the command as one line:

      java -cp BPM_installation_directory/tivoli/tam/PD.jar -Dpd.cfg.home=BPM_installation_directory/java/jre com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd administrator_password -appsvr_id application_server_name -domain Default -port BPM_server_port -appsvr_pwd application_server_password -mode remote -host host_name_of_BPM_server -policysvr Tivoli_Access_Manager_server_name:port:rank -authzsvr Tivoli_Access_Manager_server_name:port:rank -cfg_file "BPM_installation_directory/tivoli/tam/PdPerm.properties" -key_file "BPM_installation_directory/tivoli/tam/PdPermKey" -cfg_action create

      For ND environments, run the script on the dmgr first and then on the other nodes in the cell.

    4. Configure WebSEAL to work with your product server by enabling the TAI++ interceptor on the server.

      1. In the administrative console, select Security > Global security.
      2. Expand Web and SIP security, and click Trust Association.

      3. Add a new interceptor for Tivoli Access Manager WebSEAL by clicking Interceptors, and then clicking New.

      4. Add com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus in the Interceptor class name text box and enter the following properties (name = value):

        • com.ibm.websphere.security.webseal.loginId = taiuser (if the user taiuser with the password ptaiuser was created in Tivoli Access Manager)
        • com.ibm.websphere.security.webseal.id = iv-creds
        • com.ibm.websphere.security.webseal.configURL = ${WAS_INSTALL_ROOT}/java/jre/PdPerm.properties, which is the path of the created PdPerm.properties file

      5. Save the configuration, and restart the cell.
    5. Export the LTPA key file for single sign on (SSO).

      1. Start the administrative console.

      2. Click Security > Global security, and under Authentication, click LTPA.
      3. Type the password for the LTPA key file that you are exporting, and click Export keys.

  3. Configure Tivoli Access Manager WebSEAL to work with IBM BPM.

    1. Create a WebSEAL instance, or use an existing WebSEAL instance.

      Follow your Tivoli Access Manager documentation to create a WebSEAL instance, and make sure to include the following information:

      • Use the sec_master administrator ID and the password you used in previous steps.
      • Clear the Enable SSL communication with the LDAP server check box.

      • If you are planning to use virtual host junctions, the most common ports are 80 for HTTP access and 443 for HTTPS access.

      To list the existing WebSEAL instances, run:

      pdadmin -a sec_master -p your_password

      pdadmin sec_master> server list

    2. Modify the WebSEAL configuration file.

      In the WebSEAL configuration file WebSEAL_install_directory/webseald-WebSEAL_instance_name.conf, set the following parameters, save the file, and restart the WebSEAL server:

      • basicauth-dummy-passwd = WebSEAL_userid_password, using the same password you used in previous steps; for example, basicauth-dummy-passwd = ptaiuser if you created the taiuser user name with the ptaiuser password in Tivoli Access Manager.
      • ba-auth = both to enable the Basic Authentication mechanism of both HTTP and HTTPS
      • ltpa-auth = both to accept and generate LTPA cookies for both HTTP and HTTPS
      • keyfile =c:/wend/ltpa144 to copy the LTPA key file exported from the application server to the WebSEAL system
      • keyfile-password = passw0rd for the password used to access the LTPA key file
      • cookie-name = LtpaToken2 for the cookie that contains the LTPA token (case sensitive)
      • ltpa = C:/Program Files/IBM/tivoli/PDWebRTE/bin/ltpaauthn.dll for LTPA authentication
      • script-filter = yes under script-filtering, if you are using transparent junctions
      • type = text/javascript under filter-content-types, if you are using transparent junctions
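The following Python script is an added example (it is not part of this IBM topic and not a WebSEAL tool). It parses a webseald-*.conf stanza file and reports which of the parameters listed above are missing or carry a different value, keeping every occurrence of a repeated key such as type under [filter-content-types]. The sample configuration is constructed; the stanzas in which ba-auth, ltpa-auth, keyfile, keyfile-password, cookie-name, ltpa and basicauth-dummy-passwd are placed are an assumption, since this page names the stanza only for script-filter and type.

```python
"""Check a WebSEAL configuration file for the Process Portal settings.

Added example, not IBM's code. WebSEAL repeats some keys (for example
type under [filter-content-types]), so values are collected as lists.
"""
from collections import defaultdict

# Constructed sample carrying the values listed on the page. The stanza
# placement of everything except [script-filtering] and
# [filter-content-types] is assumed; check your own webseald-*.conf.
SAMPLE_CONF = """\
[ba]
ba-auth = both

[ltpa]
ltpa-auth = both
keyfile = c:/wend/ltpa144
keyfile-password = passw0rd
cookie-name = LtpaToken2

[authentication-mechanisms]
ltpa = C:/Program Files/IBM/tivoli/PDWebRTE/bin/ltpaauthn.dll

[junction]
basicauth-dummy-passwd = ptaiuser

[script-filtering]
script-filter = yes

[filter-content-types]
type = text/html
type = text/javascript
"""


def parse_stanzas(text):
    """Map (stanza, key) -> [values]; lines starting with '#' or ';' are comments."""
    settings = defaultdict(list)
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if "=" not in line or stanza is None:
            continue
        key, _, value = line.partition("=")
        settings[(stanza, key.strip())].append(value.strip())
    return settings


# (stanza, key, expected value or None for "must simply be set").
REQUIRED = [
    ("junction", "basicauth-dummy-passwd", None),
    ("ba", "ba-auth", "both"),
    ("ltpa", "ltpa-auth", "both"),
    ("ltpa", "keyfile", None),
    ("ltpa", "keyfile-password", None),
    ("ltpa", "cookie-name", "LtpaToken2"),
    ("authentication-mechanisms", "ltpa", None),
]
# Only needed when transparent junctions are used.
TRANSPARENT_REQUIRED = [
    ("script-filtering", "script-filter", "yes"),
    ("filter-content-types", "type", "text/javascript"),
]


def check_webseal_conf(text, transparent_junctions=True):
    """Return a list of problems; an empty list means all settings are present.

    Values are compared exactly, so cookie-name is checked case-sensitively.
    """
    settings = parse_stanzas(text)
    wanted = REQUIRED + (TRANSPARENT_REQUIRED if transparent_junctions else [])
    problems = []
    for stanza, key, expected in wanted:
        values = settings.get((stanza, key), [])
        if not values or all(v == "" for v in values):
            problems.append(f"[{stanza}] {key} is not set")
        elif expected is not None and expected not in values:
            problems.append(f"[{stanza}] {key} = {values} (expected {expected})")
    return problems


if __name__ == "__main__":
    for problem in check_webseal_conf(SAMPLE_CONF) or ["all expected settings present"]:
        print(problem)
```

Run it against the file named in the step above by reading that file into check_webseal_conf instead of SAMPLE_CONF; pass transparent_junctions=False when you use virtual host junctions, since script-filter and the text/javascript content type are then not required.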

    3. Import the WebSEAL SSL certificate into IBM BPM.

      1. In the administrative console, click Security > Global security > SSL certificate and key management > CellDefaultTrustStore > Signer certificates.

      2. Click Retrieve from port and enter the following information:

        • Host: your WebSEAL server host
        • Port: your WebSEAL server HTTPS port

        • Alias: your WebSEAL alias

      3. Click Retrieve signer information.

      4. Click Apply to store the certificate, and restart the server.

    4. Configure the ACL for IBM BPM users.

      IBM BPM users need additional authorities for PUT, POST, DELETE methods.

      1. On the administrative console for Tivoli Access Manager, go to the Tivoli Access Manager > Web Portal Manager > Object Space > Browse Object Space page and enter your sec_master user name and password. The default ACL for WebSEAL is default-webseal.

      2. Go to the Tivoli Access Manager > Web Portal Manager > Groups and create a group named bpm-users where you can add all IBM BPM users. Use the Registry GID cn=bpm-users,cn=SecurityGroups,secAuthority=Default.

      3. Go to Tivoli Access Manager > Web Portal Manager > ACL > List ACLs, select default-webseal and create an ACL entry with the name bpm-users and the required permissions.

    5. Configure the SSL between your proxy server and WebSEAL.

      Extract the certificate from your proxy server product and import the certificate in the Tivoli Access Manager WebSEAL keystore database.

  4. Configure the host junctions for your environment. Complete one of the following steps, depending on whether you are using virtual host junctions or transparent host junctions. Standard junctions are not supported.

    • If you are using virtual host junctions, create a virtual host junction. A virtual host junction eliminates the need to create separate junctions.
      1. Create the junction between WebSEAL and your IBM BPM server using the -c iv_creds option for TAI++. Enter the following command as one line, using the variables that are appropriate for your environment:

        server task webseald-server create -t tcp -b supply -c iv_creds -h host_name -p websphere_app_port_number /junction_name

        Tip: The junction_name must begin with /.

      2. Verify that a virtual host has been configured. Virtual host junctions match a host and port number and forward addresses to the target host. No URL filtering occurs, and all requests that match are forwarded to the target host.
      3. Verify that the following applications are available to the same virtual host for IBM BPM.

        • REST Services Gateway
        • REST Services Gateway Dmgr
        • mm.was_nodename_servername

      4. Run the following command using pdadmin: server task webseal server virtualhost create -t transport -h target_host [-p port] [-v virtual_host_name] virtual_host_label

        Use the following information:

        • webseal server is the name of the WebSEAL server where you are creating the virtual host entry.
        • transport is the type of transport. Valid entries are tcp, ssl, tcpproxy, and sslproxy.
        • target_host is the host of the required application.
        • virtual_host_name is used to match HTTP requests to a virtual host junction. If no value is entered, it is made up of the target host and port by default.

          For example, if you set the virtual_host_name to myvirthost.ibm.com:80, WebSEAL matches the URLs containing myvirthost.ibm.com:80 and routes them to the host provided in the pdadmin command.

        • virtual_host_label is the label used to identify the entry in WebSEAL. It must be unique.

        For Process Portal to run as expected, both ssl and tcp entries must be created for the type of transport. When you need both Secure Sockets Layer (SSL) and Transmission Control Protocol (TCP) to be supported in the same virtual host junction, use the -g vhost_label option, where vhost_label is the original virtual host label to share configuration. This option finds a previously created virtual host junction (one created earlier, where the virtual_host_label matches the label provided in the -g option), and shares that configuration. The second entry still requires its own virtual_host_label, but it can share the target host, port, and other values. If you do not provide this -g option, a second virtual host cannot be created because WebSEAL sees the target host and port as being identical to a previously created junction (which is not allowed).

    • If you are using transparent host junctions, create a series of transparent path junctions.
      1. Review each context root you have defined. Edit your HTTP server configuration file and map the URLs for Process Portal.

        Add the following URLs:

        • /ProcessPortal/*
        • /portal/*
        • /j_security_check/*
        • /ibm_security_logout/*
        • /BusinessSpace/*
        • /BusinessSpaceHelp/*
        • /mum/*
        • /widgets/*
        • /rest/*
        • /BSpaceWidgetsHM/*
        • /scaWidget/*
        • /SecurityManagerWidgets/*
        • /ServiceMonitorGraphWidget/*
        • /BSpaceWidgetsBCM/*
        • /wesbWidget/*
        • /HumanTaskManagementWidgets/*
        • /BSpaceWidgetsForms/*
        • /eventmgr/*
        • /teamworks/*
        • /bpm/*
        • /bpmrest-ui/*
        • /BPMHelp/*
        • /*.jsp/*
        • /*.jsv/*
        • /*.jsw/*
        • /favicon.ico/*

      2. Run one of the following commands using pdadmin.

        • Put the junction commands in a text file and run the following command: pdadmin -a admin_user_name -p admin_password -m transparent_junctions_file.txt.

        • For each context root defined, run the following command: server task WebSEAL_server_host_name create -t mutual -b supply -c iv_creds -x -h proxy_server_IP_address -p proxy_server_port -P secure_port /context_root.

      3. Configure the favicon.ico file to work properly with a protected WebSEAL environment:

        Follow the instructions in the Tivoli Access Manager for e-business Version 6.1.1 information center at http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.1/am61_webseal_admin138.htm?path=3_6_0_3_1_3_1_6#favicon.

        When you attach the ACL, run the following command: pdadmin sec_master> acl attach /WebSEAL/iam.iamdemo.tivoli.com-ws1/favicon.ico favicon.

    To verify the junctions are created, view the junctions in the Tivoli Access Manager WebSEAL Web Portal Manager.

  5. Complete additional configuration so that IBM BPM and Process Portal work correctly in your environment.

    1. Verify that the 99Local.xml file has the correct address used by end clients to reach your BPM system through WebSEAL.

      If you are using virtual host junctions, it is the virtual host. If you are using transparent host junctions, it is the WebSEAL DNS name.

      Modify the 99Local.xml file if needed by following instructions at Customize the Process Server/Process Center cluster to work with a web server.

    2. Modify the REST service provider URLs so that any REST service traffic for Process Portal passes through WebSEAL.

      1. Click Services > REST services > REST service providers.

      2. For each item listed, click the provider and update the Host name or virtual host in a load-balanced environment and the Port values to the host name and port that clients use to access the BPM system through WebSEAL. Typically with WebSEAL, the port is 80 if you are using HTTP and 443 if you are using HTTPS.

      3. Click Apply and save the changes.
    3. Modify the proxy-config.xml file with a new proxy policy section.

      1. Find the proxy-config.xml file at profile_root/BusinessSpace/node_name/server_name/mm.runtime.prof/config/proxy-config.xml.

      2. Add a policy section that copies the <proxy:policy url="endpoint://*" acf="none" basic-auth-support="true"> policy, with the URL value changed to your proxy server IP address: <proxy:policy url="https://your_proxy_server_IP_address/*" acf="none" basic-auth-support="true">.

      3. Run the updateBlobConfig command using the wsadmin scripting client, designating the -serverName and -nodeName parameters for a stand-alone server or -clusterName for a cluster, -propertyFileName with the value of the path for the proxy-config.xml file, and -prefix with the value Mashups_.
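The following Python script is an added example (not IBM's code and not part of Business Space). It performs the proxy-config.xml edit from steps 1 and 2 above with the standard library XML parser: it clones the existing <proxy:policy url="endpoint://*"> element, changes only the url attribute to https://your_proxy_server_IP_address/*, and inserts the copy next to the original, refusing to add a duplicate on a second run. The sample document, the namespace URI bound to the proxy prefix and the address 192.0.2.10 are constructed for the demonstration; take the real values from your own proxy-config.xml.

```python
"""Add a WebSEAL proxy policy to a Business Space proxy-config.xml.

Added example, not IBM's tooling. Copies the endpoint://* policy, keeping
acf="none" and basic-auth-support="true", and points the copy at the proxy.
"""
import copy
import xml.etree.ElementTree as ET

# Assumed namespace URI; use the xmlns:proxy value from your own file.
PROXY_NS = "http://www.ibm.com/xmlns/prod/sm/proxy"
ET.register_namespace("proxy", PROXY_NS)
POLICY_TAG = f"{{{PROXY_NS}}}policy"
TEMPLATE_URL = "endpoint://*"

# Constructed sample resembling the relevant part of proxy-config.xml.
SAMPLE_XML = f"""<proxy-rules xmlns:proxy="{PROXY_NS}">
  <proxy:mapping contextpath="/proxy" url="endpoint://*"/>
  <proxy:policy url="endpoint://*" acf="none" basic-auth-support="true">
    <proxy:actions>
      <proxy:method>GET</proxy:method>
      <proxy:method>POST</proxy:method>
    </proxy:actions>
  </proxy:policy>
</proxy-rules>
"""


def policy_urls(root):
    """Return the url attribute of every proxy:policy element, in document order."""
    return [p.get("url") for p in root.iter(POLICY_TAG)]


def add_proxy_policy(root, proxy_host):
    """Clone the endpoint://* policy as https://<proxy_host>/* and return the clone.

    Raises ValueError if the template policy is missing or the proxy policy
    already exists, so running the step twice does not duplicate the entry.
    """
    new_url = f"https://{proxy_host}/*"
    if new_url in policy_urls(root):
        raise ValueError(f"policy for {new_url} already present")
    template = None
    for child in root:
        if child.tag == POLICY_TAG and child.get("url") == TEMPLATE_URL:
            template = child
            break
    if template is None:
        raise ValueError(f"no template policy with url={TEMPLATE_URL!r}")
    clone = copy.deepcopy(template)   # child elements (allowed methods) come along
    clone.set("url", new_url)         # only the url attribute differs from the template
    root.insert(list(root).index(template) + 1, clone)
    return clone


def update_document(xml_text, proxy_host):
    """Parse, add the policy and serialise again; write the result back yourself."""
    root = ET.fromstring(xml_text)
    add_proxy_policy(root, proxy_host)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not a real proxy.
    print(update_document(SAMPLE_XML, "192.0.2.10"))
```

Apply it to the real file by reading proxy-config.xml into update_document and writing the returned text back, then run updateBlobConfig as step 3 describes so the change reaches the server.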
