IBM BPM, V8.0.1, All platforms > Administer applications and processes in the runtime environment > Administer case management tasks

Security considerations for integrating BPEL processes with case management tasks

If you select Use security to access the web service from the case management task when you create the web service module in Integration Designer, user name and password credentials are supplied when an IBM Case Manager task invokes a web service module on Process Server. You can optionally select Use a secure socket (SSL) connection to provide an additional level of security for the request from IBM Case Manager to IBM BPM.

User name and password credentials are also required on the response that a long-running BPEL process sends from IBM BPM back to IBM Case Manager. That response goes out through the import, which is where the credentials for it are configured.

The following sections describe the security token that carries the user name and password, and the SSL configuration that protects it in transit.


Username security token

The user name and password credentials make up the security token for communication between a web services module and a case management task.

A security token represents a set of claims made by a client. The security token is embedded in the SOAP message within the SOAP header and is propagated from the message sender to the intended message receiver. On the receiving side, the web services security handler authenticates the security token and sets up the caller identity on the running thread.

By default, the FileNet P8 Component Manager service user credentials are used for authentication with the service. The Component Manager provides an option to configure different credentials for the service on Process Server.

Web service provider updates

Because it is possible for the SOAP header from the message sender to contain more than one security token, you must indicate which token should be used for authenticating the caller's identity.

Use the following procedure to create a caller and then associate the caller with the username token.

  1. From the administrative console, click Services > Service providers.

  2. From the Service provider pages, click the name of the web service.

  3. From the web service page, click the policy set binding.

  4. Click WS-Security.

  5. Click Caller.

  6. On the Callers page...

    1. Click New.

    2. In the Name field, enter an arbitrary name for the security token that identifies the caller.

    3. In the Caller identity local part field, enter:
      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

  7. Click OK.

The service provider configuration is updated after you restart Process Server or after you restart the application and clear the cache.

To clear the cache, you can use a wsadmin script, such as the following:

# Jacl: refresh the PolicySetManager MBean so the updated binding is re-read
set psm [$AdminControl queryNames type=PolicySetManager,*]
$AdminControl invoke $psm refresh

Web service client updates

If you select Create a long-running business process, the response to IBM Case Manager occurs in a separate flow, and you need to specify the client user name security token on the import by configuring the callback handler.

Use the following procedure to update the callback user name and password so that the long-running process response is passed with the username token:

  1. From the administrative console, click Services > Service clients.

  2. On the Service clients page, click the web service module you deployed.

  3. In the Policy Set Attachments section of the Configuration tab, click BPM FileNet Web Services - Client.

  4. On the binding page, click WS-Security.

  5. On the WS-Security page, click Authentication and protection.

  6. On the Authentication and protection page, click gen_unametoken.

  7. On the gen_unametoken page...

    1. From the Token type list, select Username Token v1.0.

    2. From the JAAS login list, select wss.generate.unt.

    3. In the Additional Bindings section, click Callback handler.

  8. In the Basic Authentication section, enter a user name. Then enter a password in the Password field and the Confirm password field.

    The user name and password for the invocation back to Case Manager must be a valid FileNet P8 account with the appropriate permissions for this operation, as described in the "#AUTHENTICATED-USERS" topic of the FileNet P8 Information Center. Only authenticated users have the correct permissions to view and edit a case. Because this password is stored in the client binding and sent with every callback, use a dedicated service account that holds only the case permissions the callback needs, rather than a personal or administrative account.

  9. Click OK.

The service client configuration is updated after you restart Process Server or after you restart the application and clear the cache.

To clear the cache, you can use a wsadmin script, such as the following:

# Jacl: refresh the PolicySetManager MBean so the updated binding is re-read
set psm [$AdminControl queryNames type=PolicySetManager,*]
$AdminControl invoke $psm refresh

For additional information, see the "Callback handler settings" topic in the WebSphere Application Server Information Center.
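The token that the provider-side caller configuration and the client-side callback handler above are about, as an added example in Python (not IBM's code, and not what Process Server or Integration Designer runs). It builds the wsse:UsernameToken that a configured user name and password turn into, and on the receiving side selects that token from a wsse:Security header that may also carry other elements, using the same "...#UsernameToken" identifier the caller configuration names, before checking the credentials. The account names, passwords, SOAP body and wsu:Timestamp are constructed for the example; the select_token, authenticate and authenticate_envelope helpers, the digest form and the nonce replay check are this example's own, not part of the page.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UNT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UNT + "#PasswordText"      # password travels in the clear in the header
PASSWORD_DIGEST = UNT + "#PasswordDigest"  # Base64(SHA-1(nonce + created + password))
CALLER_IDENTITY = UNT + "#UsernameToken"   # value entered as the caller identity on the page
# Which header element a caller identity selects (example mapping; only the username token here).
TOKEN_ELEMENTS = {CALLER_IDENTITY: f"{{{WSSE}}}UsernameToken"}
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed credential store standing in for the P8 / Process Server accounts.
ACCOUNTS = {"svc_componentmgr": "Comp0nent!", "casecallback": "C4llb4ck!"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Digest form from the UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def username_token(user: str, password: str, digest: bool = False) -> ET.Element:
    """Client side: the token a callback handler's user name and password become."""
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if not digest:
        pw.set("Type", PASSWORD_TEXT)
        pw.text = password
        return tok
    nonce = secrets.token_bytes(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pw.set("Type", PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return tok


def timestamp() -> ET.Element:
    """A second header element (constructed), so selection has something to pass over."""
    ts = ET.Element(f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = "2013-01-01T00:00:00Z"
    return ts


def build_envelope(header_elements, body_xml: str) -> str:
    """SOAP envelope with a wsse:Security header holding the given elements."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    sec.extend(header_elements)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def select_token(envelope_xml: str, caller_identity: str = CALLER_IDENTITY):
    """Provider side: pick the header token the configured caller identity names.
    Returns None unless exactly one such token is present (missing or ambiguous)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return None
    wanted = TOKEN_ELEMENTS[caller_identity]
    matches = [el for el in sec if el.tag == wanted]
    return matches[0] if len(matches) == 1 else None


def authenticate(token: ET.Element, accounts: dict, seen_nonces: set):
    """Check the token against the account store; returns the caller name or None.
    seen_nonces rejects a replayed digest token; all comparisons are constant-time."""
    user = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    if user not in accounts or pw is None:
        return None
    presented = (pw.text or "").encode()
    if pw.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
        ok = secrets.compare_digest(presented, accounts[user].encode())
    elif pw.get("Type") == PASSWORD_DIGEST:
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce") or ""
        created = token.findtext(f"{{{WSU}}}Created") or ""
        expected = password_digest(base64.b64decode(nonce_b64), created, accounts[user])
        ok = nonce_b64 not in seen_nonces and secrets.compare_digest(presented, expected.encode())
        if ok:
            seen_nonces.add(nonce_b64)
    else:
        ok = False  # unknown password type: never fall back to a weaker check
    return user if ok else None


def authenticate_envelope(envelope_xml: str, accounts: dict, seen_nonces: set):
    """Selection followed by authentication, as the receiving security handler does."""
    token = select_token(envelope_xml)
    return None if token is None else authenticate(token, accounts, seen_nonces)


if __name__ == "__main__":
    env = build_envelope([timestamp(), username_token("casecallback", "C4llb4ck!")],
                         "<GetCase xmlns='urn:example'>C-1</GetCase>")
    print(env)
    print("caller:", authenticate_envelope(env, ACCOUNTS, set()))
```

With PasswordText, the password is readable by anyone who can see the HTTP request, which is the reason the SSL section below exists; the digest form still lets an observer run an offline guessing attack against the captured SHA-1, so it does not remove the need for SSL either.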


SSL configuration

SSL can be used to establish secure communications between two endpoints. The username token described above carries the user name and password in the SOAP header, and nothing in the procedures above encrypts the message itself, so anyone who can observe the HTTP traffic between IBM Case Manager and IBM BPM can read the credentials. If you want them to be unobservable during message transmission, use the secure sockets layer (SSL) on the connection.

When you select Use a secure socket (SSL) connection during the web service module configuration, the SSL setting depends on the type of process you select:

To establish secure communications, a certificate and an SSL configuration must be specified for the endpoint. To set up SSL configuration on Process Server, see "Creating a Secure Sockets Layer configuration" in the WebSphere Application Server Information Center.

Important: SSL configuration must also be set up for the remote endpoint on Case Manager. The procedure for setting up SSL is described in the "Set up Application Engine SSL security" topic of the FileNet P8 Information Center.
