IBM BPM, V8.0.1, All platforms > Securing IBM BPM and applications > Configure SSL for IBM BPM

Configure SSL communication for an ND environment

The following steps are required to make the communication between the Process Center and the Process Server work with https in an ND environment.

If the Process Center and clustered runtime servers were started before you begin to configure SSL, and the LSW_SERVER table on the Process Center contains the non-secure port of the runtime server, you must delete the runtime server from the Process Center:

  1. Stop Process Server.

  2. From the Servers tab on the Process Center Console, delete Process Server from the Process Center repository.
  3. Delete the record with the non-secure port from the LSW_SERVER table on the Process Center database.

  4. Start Process Server.

If the 100Custom.xml file does not yet exist in the PROFILE_HOME\config\cells\cell_name\nodes\node_name\servers\server_name\server_type\config directory, create it as described in Manage IBM Process Server configuration settings.


Procedure

  1. Import the Process Server WebSphere Application Server root SSL certificate into Process Center.

    1. In the Process Center WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.

    2. Enter the Host name, secure Port of the Process Server profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.

      The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.

    3. Click Apply and save your changes.
  2. Export the Process Center root signer certificate.

    1. In the Process Center WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.

    2. From the Signer certificates panel, select root and click Extract.

    3. Specify the File name path where you want to save the certificate and set the Data type to Binary DER data.

    4. Click OK.

    5. Copy the extracted Process Center root certificate to the Process Server system.
  3. Import the Process Center root SSL certificate into Process Server.

    1. In the Process Server WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.

    2. Enter the Host name, secure Port of the Process Center profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.

      The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.

    3. Click Apply and save your changes.
  4. Export the Process Server root signer certificate.

    1. In the Process Server WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.

    2. From the Signer certificates panel, select Root and click Extract.

    3. Specify the File name path where you want to save the certificate and set the Data type to Binary DER data.

    4. Click OK.
  5. Edit the 100Custom.xml file on the Process Center.

    1. Edit the WAS_HOME\profiles\PC_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\server_name\process-center\config\100Custom.xml file to overwrite the values from the 99Local.xml file.

      For example: c:\BPM\profiles\PCDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\100Custom.xml.

    2. Open WAS_HOME\profiles\PC_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-center\config\system\99local.xml.

      For example: c:\BPM\profiles\PCDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\system\99local.xml.

    3. Copy all occurrences of http://<PC_hostname>:<non_secured_port>, including the enclosing xml tags, and paste them into the 100Custom.xml file.

    4. Add merge="mergeChildren" to the parent xml tags that contain the http://<PC_hostname>:<non_secured_port> statement.

    5. Add merge="replace" to the xml tag that contains the http://<PC_hostname>:<non_secured_port> statement.
    6. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured-port> and add the corresponding closing XML tags.

      If you are using WebSphere Proxy Server or IBM HTTP Server, change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<IHS/proxy server_hostname>:<IHS/proxy server_secured-port>.

    7. Copy the parent tags for the <client-link> that contains http://<PC_hostname>:<non_secured_port> and paste them to the server tag.

    8. Add the server section to the 100Custom.xml file. Add merge="mergeChildren" to the parent xml tags and add merge="replace" to the xml tag containing the http://<PC_hostname>:<non_secured_port> statement. Change http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.

    9. Add the following lines to the <server> section to specify the correct Process Center secure port:
      <deploy-snapshot-using-https merge="replace">true</deploy-snapshot-using-https>
      <server-port merge="replace">[PC WC_defaulthost_secure port]</server-port>

      Set the value to the WC_defaulthost_secure port of the Process Center profile.

      The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.

      If you are using WebSphere Proxy Server or IBM HTTP Server, specify the WebSphere Proxy Server or IBM HTTP Server host name and secure port.

      For example:

      <server-host merge="replace">[IHS/proxy server_hostname]</server-host>
      <server-port merge="replace">[IHS/proxy server_secured-port]</server-port>
    10. Open WAS_HOME\profiles\PC_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-center\config\system\99Sharepoint.xml.

      For example: c:\BPM\profiles\PCDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\system\99Sharepoint.xml.

    11. Copy all occurrences of http://<PC_hostname>:<non_secured_port> from the 99Sharepoint.xml file, including its parent xml tags, and paste them to the 100Custom.xml file.
    12. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.
    13. Save and close the 100Custom.xml file.

    The following example shows the Process Center 100Custom.xml file:

    <properties>
        <!-- Properties file for customer cluster scoped properties. -->

        <!-- set unversioned-po-caching-enable to false for clustering
        <common merge="mergeChildren">
            <environment-name merge="replace">My Environment</environment-name>
            <default-unversioned-po-cache-size merge="replace">500</default-unversioned-po-cache-size>
            <default-versioned-po-cache-size merge="replace">500</default-versioned-po-cache-size>
            <unversioned-po-caching-enable merge="replace">false</unversioned-po-caching-enable>
            <default-webapi-userid-cache-size merge="replace">500</default-webapi-userid-cache-size>
        </common>
        -->

        <!-- Sample connector configuration
        <server>
            <reloadable-jar-location>temp</reloadable-jar-location>
            <reloadable-jar-location-load-only-once>false</reloadable-jar-location-load-only-once>
        </server>
        -->

        <!-- Sample default work schedule config.
        <server>
            <default-work-schedule merge="replace">
                <time-schedule>7AM-7PM Every Day</time-schedule>
                <time-zone>CST</time-zone>
                <holiday-schedule>empty holiday</holiday-schedule>
            </default-work-schedule>
        </server>
        -->

        <authoring-environment merge="mergeChildren">
            <images-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</images-prefix>
            <portal-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/portal</portal-prefix>
            <repository-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessCenter</repository-prefix>
            <servlet-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</servlet-prefix>
            <webapi-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/webapi</webapi-prefix>
            <process-help-wiki-url-view merge="replace">https://qastress3.eng1.svl.ibm.com:9443/processhelp/en/%TITLE%?teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-view>
            <process-help-wiki-url-edit merge="replace">https://qastress3.eng1.svl.ibm.com:9443/processhelp/en/Special:Edit?topic=%TITLE%&amp;teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-edit>
        </authoring-environment>

        <common merge="mergeChildren">
            <portal-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/portal</portal-prefix>
            <process-admin-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessAdmin</process-admin-prefix>
            <teamworks-webapp-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</teamworks-webapp-prefix>
            <webservices merge="mergeChildren">
                <base-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks/webservices</base-url>
            </webservices>
            <xml-serialization merge="mergeChildren">
                <default-namespace-uri merge="replace">https://qastress3.eng1.svl.ibm.com:9443/schema/</default-namespace-uri>
            </xml-serialization>
            <coach-designer-xsl-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks/coachdesigner/transform/CoachDesigner.xsl</coach-designer-xsl-url>
            <office merge="mergeChildren">
                <sharepoint merge="mergeChildren">
                    <default-workspace-site-description merge="replace"><![CDATA[This site has been automatically generated for managing collaborations and documents for the Lombardi TeamWorks process instance: <#= tw.system.process.name #> <#= tw.system.process.instanceId #>

    TeamWorks Link:  https://qastress3.eng1.svl.ibm.com:9443/portal/jsp/getProcessDetails.do?bpdInstanceId=<#= tw.system.process.instanceId #>

    ]]></default-workspace-site-description>
                </sharepoint>
            </office>
        </common>

        <server merge="mergeChildren">
            <email merge="mergeChildren">
                <mail-template merge="mergeChildren">
                    <client-link merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</client-link>
                </mail-template>
            </email>
            <repository-server-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessCenter</repository-server-url>
            <deploy-snapshot-using-https merge="replace">true</deploy-snapshot-using-https>
            <server-port merge="replace">9443</server-port>
        </server>
    </properties>
  6. Edit the 100Custom.xml file on the Process Server.

    1. Edit the WAS_HOME\profiles\PS_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-server\config\100Custom.xml file to overwrite values from the 99Local.xml file.

      For example: c:\BPM\profiles\PSDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\100Custom.xml.

    2. Open WAS_HOME\profiles\PS_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-server\config\system\99local.xml.

      For example: c:\BPM\profiles\PSDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\system\99local.xml.

    3. Copy all occurrences of http://<PS_hostname>:<non_secured_port> in the 99local.xml file, including the enclosing xml tags, and paste them into the 100Custom.xml file.

    4. Add merge="mergeChildren" to the parent xml tags that contain the http://<PS_hostname>:<non_secured_port> statement.

    5. Add merge="replace" to the xml tag that contains the http://<PS_hostname>:<non_secured_port> statement.
    6. Change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port> and add the corresponding closing XML tags.

      If you are using WebSphere Proxy Server or IBM HTTP Server, change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<IHS/proxy server_hostname>:<IHS/proxy server_secured-port>.

    7. Copy the parent tags for the <client-link> that contains http://<PS_hostname>:<non_secured_port> and paste them to the server tag.

    8. Add the server section to the 100Custom.xml file. Add merge="mergeChildren" to the parent xml tags and add merge="replace" to the xml tag containing the http://<PS_hostname>:<non_secured_port> entry. Change http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port>.
    9. Search for repository-server-url in the server section of the 99local.xml file and copy it to the server section of the 100Custom.xml file.
    10. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.

      If you are using WebSphere Proxy Server or IBM HTTP Server, change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<IHS/proxy server_hostname>:<IHS/proxy server_secured-port>.

    11. Add the following lines to the <server> section to specify the correct Process Server secure port:
      <server-port merge="replace">[PS WC_defaulthost_secure port]</server-port>

      Set the value to the WC_defaulthost_secure port of the Process Server profile.

      The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.

      If you are using WebSphere Proxy Server or IBM HTTP Server, specify the WebSphere Proxy Server or IBM HTTP Server host name and secure port.

      For example:

      <server-host merge="replace">[IHS/proxy server_hostname]</server-host>
      <server-port merge="replace">[IHS/proxy server_secured-port]</server-port>
    12. Open WAS_HOME\profiles\PS_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-server\config\system\99Sharepoint.xml.

      For example: c:\BPM\profiles\PSDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\system\99Sharepoint.xml.

    13. Copy all occurrences of http://<PS_hostname>:<non_secured_port> from the 99Sharepoint.xml file, including its parent xml tags, and paste them to the 100Custom.xml file.
    14. Change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port>.

      If you are using WebSphere Proxy Server or IBM HTTP Server, change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<IHS/proxy server_hostname>:<IHS/proxy server_secured-port>.

    15. Save and close the 100Custom.xml file.

    The following example shows the Process Server 100Custom.xml file:

    <properties>
        <!-- Properties file for customer cluster scoped properties. -->

        <!-- set unversioned-po-caching-enable to false for clustering
        <common merge="mergeChildren">
            <environment-name merge="replace">My Environment</environment-name>
            <default-unversioned-po-cache-size merge="replace">500</default-unversioned-po-cache-size>
            <default-versioned-po-cache-size merge="replace">500</default-versioned-po-cache-size>
            <unversioned-po-caching-enable merge="replace">false</unversioned-po-caching-enable>
            <default-webapi-userid-cache-size merge="replace">500</default-webapi-userid-cache-size>
        </common>
        -->

        <!-- Sample connector configuration
        <server>
            <reloadable-jar-location>temp</reloadable-jar-location>
            <reloadable-jar-location-load-only-once>false</reloadable-jar-location-load-only-once>
        </server>
        -->

        <!-- Sample default work schedule config.
        <server>
            <default-work-schedule merge="replace">
                <time-schedule>7AM-7PM Every Day</time-schedule>
                <time-zone>CST</time-zone>
                <holiday-schedule>empty holiday</holiday-schedule>
            </default-work-schedule>
        </server>
        -->

        <authoring-environment merge="mergeChildren">
            <images-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</images-prefix>
            <portal-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/portal</portal-prefix>
            <repository-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/ProcessCenter</repository-prefix>
            <servlet-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</servlet-prefix>
            <use-portal-for-preview merge="replace">true</use-portal-for-preview>
            <webapi-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/webapi</webapi-prefix>
            <process-help-wiki-url-view merge="replace">https://wpsvm10b.svl.ibm.com:9443/processhelp/en/%TITLE%?teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-view>
            <process-help-wiki-url-edit merge="replace">https://wpsvm10b.svl.ibm.com:9443/processhelp/en/Special:Edit?topic=%TITLE%&amp;teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-edit>
        </authoring-environment>

        <common merge="mergeChildren">
            <portal-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/portal</portal-prefix>
            <process-admin-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/ProcessAdmin</process-admin-prefix>
            <teamworks-webapp-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</teamworks-webapp-prefix>
            <webservices merge="mergeChildren">
                <base-url merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks/webservices</base-url>
            </webservices>
            <xml-serialization merge="mergeChildren">
                <default-namespace-uri merge="replace">https://wpsvm10b.svl.ibm.com:9443/schema/</default-namespace-uri>
            </xml-serialization>
            <coach-designer-xsl-url merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks/coachdesigner/transform/CoachDesigner.xsl</coach-designer-xsl-url>
            <office merge="mergeChildren">
                <sharepoint merge="mergeChildren">
                    <default-workspace-site-description merge="replace"><![CDATA[This site has been automatically generated for managing collaborations and documents for the Lombardi TeamWorks process instance: <#= tw.system.process.name #> <#= tw.system.process.instanceId #>

    TeamWorks Link:  https://wpsvm10b.svl.ibm.com:9443/portal/jsp/getProcessDetails.do?bpdInstanceId=<#= tw.system.process.instanceId #>

    ]]></default-workspace-site-description>
                </sharepoint>
            </office>
        </common>

        <server merge="mergeChildren">
            <!-- email properties -->
            <email merge="mergeChildren">
                <mail-template merge="mergeChildren">
                    <client-link merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</client-link>
                </mail-template>
            </email>

            <repository-server-url merge="replace">https://qastress3.svl.ibm.com:9443/ProcessCenter</repository-server-url>
            <server-port merge="replace">9443</server-port>
        </server>
    </properties>
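    As an added check for steps 5 and 6 (example code written for this page, not IBM's), the following Python script lints a 100Custom.xml override against the rules those steps state: every URL must use https, the element holding a URL must carry merge="replace", every enclosing tag below <properties> must carry merge="mergeChildren", server-port must be one of the ports the URLs use, and a Process Center file must set deploy-snapshot-using-https to true. The embedded sample file is constructed for the example (pc.example.com and its ports are placeholders) and contains two deliberate mistakes so that the findings are visible.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample Process Center override (not from the page) with two
# deliberate mistakes: a leftover http:// URL and a parent tag that lacks
# merge="mergeChildren".
SAMPLE_PC_100CUSTOM = """<properties>
  <common merge="mergeChildren">
    <portal-prefix merge="replace">https://pc.example.com:9443/portal</portal-prefix>
    <webservices>
      <base-url merge="replace">http://pc.example.com:9080/teamworks/webservices</base-url>
    </webservices>
  </common>
  <server merge="mergeChildren">
    <email merge="mergeChildren">
      <mail-template merge="mergeChildren">
        <client-link merge="replace">https://pc.example.com:9443/teamworks</client-link>
      </mail-template>
    </email>
    <repository-server-url merge="replace">https://pc.example.com:9443/ProcessCenter</repository-server-url>
    <deploy-snapshot-using-https merge="replace">true</deploy-snapshot-using-https>
    <server-port merge="replace">9443</server-port>
  </server>
</properties>
"""


def _url_tokens(text):
    """Whitespace-separated tokens of an element body that look like URLs
    (also catches the SharePoint CDATA body, which embeds a URL in prose)."""
    return [tok for tok in text.split() if "://" in tok]


def lint_100custom(xml_text, process_center=True):
    """Check a 100Custom.xml override against the rules in steps 5 and 6.

    Returns a list of findings (strings); an empty list means the file passed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    url_ports = set()

    def walk(elem, ancestors):
        # ancestors excludes the <properties> root, which carries no merge attribute
        path = "/".join(a.tag for a in ancestors + [elem])
        urls = _url_tokens((elem.text or "").strip())
        if urls:
            for url in urls:
                parsed = urlparse(url)
                if parsed.scheme != "https":
                    findings.append(f"{path}: still uses {parsed.scheme}:// ({url})")
                try:
                    if parsed.port:
                        url_ports.add(parsed.port)
                except ValueError:  # e.g. an unreplaced <secured_port> placeholder
                    findings.append(f"{path}: port in {url} is not numeric")
            if elem.get("merge") != "replace":
                findings.append(f'{path}: URL element lacks merge="replace"')
            for anc in ancestors:
                if anc.get("merge") != "mergeChildren":
                    findings.append(f'{path}: parent <{anc.tag}> lacks merge="mergeChildren"')
        for child in elem:
            walk(child, ancestors + [elem])

    for top in root:
        walk(top, [])

    port_elem = root.find("server/server-port")
    if port_elem is None:
        findings.append("server/server-port: missing")
    else:
        port_text = (port_elem.text or "").strip()
        # A Process Server file also carries the Process Center port in
        # repository-server-url, so server-port only has to be one of the ports in use.
        if not port_text.isdigit() or (url_ports and int(port_text) not in url_ports):
            findings.append(f"server/server-port: {port_text!r} matches none of the URL ports {sorted(url_ports)}")

    if process_center:
        flag = root.find("server/deploy-snapshot-using-https")
        if flag is None or (flag.text or "").strip().lower() != "true":
            findings.append("server/deploy-snapshot-using-https: must be true on the Process Center")

    return list(dict.fromkeys(findings))  # drop duplicate findings, keep order


if __name__ == "__main__":
    for finding in lint_100custom(SAMPLE_PC_100CUSTOM):
        print(finding)
```

    Run it against the Process Center file with the default process_center=True and against the Process Server file with process_center=False; a non-empty result means the override will not take effect as intended after the restart in step 15.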

  7. For each IBM BPM installation, install the Process Server signer certificate into the Process Center truststore.

    1. Invoke Process Center WAS_HOME/java/jre/bin/ikeyman.

    2. Click Key Database File > Open.
    3. Set the Key database type to JKS.

    4. Click Browse and set the file location to WAS_HOME/java/jre/lib/security.
    5. Change the Files of Type to All Files, select cacerts, and click Open.

    6. Click OK.
    7. Provide the Password. The default password is changeit.

    8. Select Signer Certificates from the Personal Certificates drop-down menu.

    9. Click Add.
    10. Change the Files of Type to All Files, select the location of the Process Server DER file, and click Open.

    11. Enter a label for the certificate, for example, ProcessServer-root, and click OK.
    12. Close the ikeyman window.

  8. For each IBM BPM installation, install the Process Center signer certificate into the Process Server truststore.

    1. Invoke Process Server WAS_HOME/java/jre/bin/ikeyman.

    2. Click Key Database File > Open.
    3. Set the Key database type to JKS.

    4. Click Browse and set the file location to WAS_HOME/java/jre/lib/security.
    5. Change the Files of Type to All Files, select cacerts, and click Open.

    6. Click OK.
    7. Provide the Password. The default password is changeit.

    8. Select Signer Certificates from the Personal Certificates drop-down menu.

    9. Click Add.
    10. Change the Files of Type to All Files, select the location of the Process Center DER file, and click Open.

    11. Enter a label for the certificate, for example, ProcessCenter-root, and click OK.
    12. Close the ikeyman window.
  9. Disable all unsecured ports on all Process Center and Process Server servers.

    1. Log in to the WebSphere Application Server administrative console and navigate to Servers > Server Types > WebSphere Application Servers.

    2. For each server, click the server link, then go to Container Settings > Web Container Settings > Web container transport chains.

    3. Click each link for the unsecured port, for example, HttpQueueInboundDefault, and clear the Enabled check box.
    4. Repeat these steps for all WebSphere Application Server cluster members on all nodes.

      For example, if the xxx.AppTarget cluster has members on Node1 and Node2, these steps must be performed on both nodes.

  10. In the Process Center WebSphere Application Server administrative console, click Security > Global security > Web and SIP security > Single sign-on (SSO) and check the Requires SSL check box.

  11. In the Process Server WebSphere Application Server administrative console, click Security > Global security > Web and SIP security > Single sign-on (SSO) and check the Requires SSL check box.

  12. Specify HTTPS URLs and ports for all Representational State Transfer (REST) services for your environment by using the REST service administrative console page.

    1. Click Services > REST services > REST service providers.

    2. Select all from the Scope selection pull-down menu.

    3. Click the REST service provider in the Provider Application field and specify the Host name (or the virtual host, in a load-balanced environment) and the Port.

    4. Click Apply and save your changes.
  13. Verify the Process Server 100Custom.xml file changes in the server.

    1. Open the TeamWorksConfiguration.running.xml file, which is located in the WAS_HOME\profiles\PS_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-server\ directory.

      The TeamWorksConfiguration.running.xml file may not be available in every environment.

    2. Confirm the changes in the 100Custom.xml file.

      For example: c:\BPM\profiles\PSDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\TeamWorksConfiguration.running.xml

  14. Verify the Process Center 100Custom.xml file changes in the server.

    1. Open the TeamWorksConfiguration.running.xml file, which is located in the WAS_HOME\profiles\PC_dmgr_profile_name\config\cells\cell_name\nodes\node_name\servers\app_target_server_name\process-center\ directory.

      The TeamWorksConfiguration.running.xml file may not be available in every environment.

    2. Confirm the changes in the 100Custom.xml file.

      For example: c:\BPM\profiles\PCDmgr01\config\cells\cell01\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\TeamWorksConfiguration.running.xml
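    For steps 13 and 14, the following added Python example (written for this page, not IBM's code) reads an override file and the merged TeamWorksConfiguration.running.xml, reports every merge="replace" value that the running configuration does not reflect, and lists any element that still holds an http:// URL. Both XML documents are constructed stand-ins with placeholder hosts; the example assumes the running file keeps the same element paths as the override, as the examples above show, and that merge="replace" is set on leaf elements.

```python
import xml.etree.ElementTree as ET

# Constructed Process Server override (placeholder hosts, not from the page).
OVERRIDE_100CUSTOM = """<properties>
  <common merge="mergeChildren">
    <portal-prefix merge="replace">https://ps.example.com:9443/portal</portal-prefix>
    <process-admin-prefix merge="replace">https://ps.example.com:9443/ProcessAdmin</process-admin-prefix>
  </common>
  <server merge="mergeChildren">
    <repository-server-url merge="replace">https://pc.example.com:9443/ProcessCenter</repository-server-url>
    <server-port merge="replace">9443</server-port>
  </server>
</properties>
"""

# Constructed stand-in for TeamWorksConfiguration.running.xml. Two values still
# show the non-secure URLs inherited from 99Local.xml, as they would if the
# override had not been picked up (for example, the cluster was not restarted).
RUNNING_CONFIG = """<properties>
  <common>
    <portal-prefix>https://ps.example.com:9443/portal</portal-prefix>
    <process-admin-prefix>https://ps.example.com:9443/ProcessAdmin</process-admin-prefix>
    <teamworks-webapp-prefix>http://ps.example.com:9080/teamworks</teamworks-webapp-prefix>
  </common>
  <server>
    <repository-server-url>http://pc.example.com:9080/ProcessCenter</repository-server-url>
    <server-port>9443</server-port>
  </server>
</properties>
"""


def replace_overrides(override_xml):
    """List (path, expected_value) for every element carrying merge="replace".

    Paths are relative to <properties>, for example "server/server-port".
    """
    def walk(elem, prefix):
        for child in elem:
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            if child.get("merge") == "replace":
                yield path, (child.text or "").strip()
            else:
                yield from walk(child, path)
    return list(walk(ET.fromstring(override_xml), ""))


def verify_running_config(override_xml, running_xml):
    """Compare each merge="replace" value with the effective (merged) configuration.

    Returns a list of (path, expected, actual); actual is None when the path
    is absent from the running configuration.
    """
    running = ET.fromstring(running_xml)
    mismatches = []
    for path, expected in replace_overrides(override_xml):
        found = running.find(path)
        actual = None if found is None else (found.text or "").strip()
        if actual != expected:
            mismatches.append((path, expected, actual))
    return mismatches


def insecure_urls(running_xml):
    """Paths of every element in the merged configuration whose body still contains http://."""
    hits = []

    def walk(elem, prefix):
        for child in elem:
            path = f"{prefix}/{child.tag}" if prefix else child.tag
            if "http://" in (child.text or ""):
                hits.append(path)
            walk(child, path)

    walk(ET.fromstring(running_xml), "")
    return hits


if __name__ == "__main__":
    for path, expected, actual in verify_running_config(OVERRIDE_100CUSTOM, RUNNING_CONFIG):
        print(f"MISMATCH {path}: expected {expected}, running config has {actual}")
    for path in insecure_urls(RUNNING_CONFIG):
        print(f"INSECURE {path}: still http://")
```

    A mismatch on a path you overrode points at a merge attribute or restart problem; an http:// hit on a path you did not override points at a URL that 99Local.xml or 99Sharepoint.xml still supplies and that step 5 or 6 missed.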

    Depending on your environment, you might need to repeat the following steps for the personal certificate:

  15. Restart the Process Server and Process Center servers.

    1. Use the WebSphere Application Server administrative console to stop the clusters.
    2. Stop the node agent and dmgr.
    3. Restart the node agent.
    4. Restart the dmgr.

    5. Use the WebSphere Application Server administrative console to start the clusters.
  16. Verify your configuration.

    1. Log in to the Process Center Console using an https connection.

    2. From the Servers tab, click the runtime server > Configure server and confirm that the page opens in the browser over https.
