
Configure cross-cell security for IBM BPM and IBM Case Manager

The products are configured in two different cells. Both cells need access to the same users, single sign-on (SSO), and Secure Sockets Layer (SSL).

This topic applies to the following products:

Before you configure a cross-cell setup, :


Procedure

  1. Configure so that the IBM BPM and IBM Case Manager cells have access to the same users. There are different possible ways to achieve this, depending on your choice of user account repository.

    For example, if you have an existing LDAP server, you could make it available to both cells.

  2. Identify the necessary search filters that match your user repository definitions. Both cells require identical filter strings for the following searches:

    • User
    • Group
    • Group membership

    You must inspect the definitions for your user repository to be able to determine the correct filter strings.

    For example, if you use an LDAP server that has the following definitions:

    • Group: groupOfNames
    • OrgContainer: organization;organizationalUnit;domain;container
    • PersonAccount: inetOrgPerson

    The appropriate search filters would be the following:

    • User search filter: (&(objectClass=inetOrgPerson)(uid={0}))
    • Group search filter: (&(cn={0})(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
    • Group membership search filter: (|(&(objectclass=groupOfNames)(member={0}))(&(objectclass=groupOfUniqueNames)(uniqueMember={0})))

  3. Collect information about the user repository. Depending on the type of user repository you use, collect appropriate information such as the server host name, port number, login property, certificate mapping, and LDAP base entry distinguished name.

  4. On the IBM Case Manager server, add the user directory to the federated realm.

    1. Start the Enterprise Manager and connect to the IBM Case Manager P8 domain.

    2. To start the Create a Directory Configuration wizard, right-click Enterprise Manager, select Properties, select the Directory configuration tab, and click Add. The Create a Directory Configuration Wizard window opens.

    3. Enter all the information that is required by the wizard about your user repository.

    4. Add a base entry for the user repository to the federated realm. In the administrative console, click Security > Global Security then in the User account repository section, click Configure > Add base entry to realm then enter the required information about the user repository. Click OK and Save.

      If you use an LDAP server, make sure that you specify EXACT_DN for the certificate mapping.

    5. Restart the IBM Case Manager environment.
    6. Verify that you can search the user repository. In the administrative console, click Users and Groups > Manage Users. In the Search for users section enter a string in the Search for field that should match some existing users in the repository, for example a*, click Search and verify that matching users are found.

  5. On the IBM BPM server, add the user directory to the federated realm.

    1. Add a base entry for the user repository to the federated realm. In the administrative console, click Security > Global Security then in the User account repository section, click Configure > Add base entry to realm then enter the required information about the user repository. Click OK and Save.

      If you use an LDAP server, make sure that you specify EXACT_DN for the certificate mapping.

    2. Restart the IBM BPM environment.
    3. Verify that you can search the user repository. In the administrative console, click Users and Groups > Manage Users. In the Search for users section enter a string in the Search for field that should match some existing users in the repository, for example a*, click Search and verify that matching users are found.

  6. Configure cross-cell single sign-on (SSO).

    1. Verify that automatic key generation is turned off. Perform the following steps for all participating cells for IBM BPM and IBM Case Manager.

      1. In the administrative console, click Security > SSL certificate and key management > Manage endpoint security configurations.
      2. Expand the branches of the tree down to either the inbound or outbound management scope that contains the key set group, and then click the scope link for the cell.

      3. In the Related Items section, click Key Set Groups.

      4. Click the key set group NodeLTPAKeySetGroup.
      5. Clear the Automatically generate keys option.

      6. Click OK and Save to save the changes to the master configuration.

      7. Start the server again to activate the changes.
      8. Remember to perform steps 6.a.i to 6.a.vii for all participating cells for both products.
    2. Share a common LTPA key between all participating cells. As an example, the following steps illustrate exporting the LTPA key from the IBM BPM server and importing it into the keystore of one IBM Case Manager cell.

      1. In the IBM BPM administrative console click Security > Global Security, then in the Authentication section, click LTPA.

      2. In the Cross-cell single sign-on section enter a new strong password and a key file name. The file is created in the server's profile root directory unless a fully-qualified path is specified.

      3. Click Export keys then OK.
      4. Transfer the exported key file in binary mode to the file system of the IBM Case Manager cell.

      5. In the IBM Case Manager administrative console, click Security > Global Security, then in the Authentication section, click LTPA.

      6. In the Cross-cell single sign-on section enter the password and a key file name.

      7. Click Import keys then OK.

      8. If your setup includes more cells, repeat steps 6.b.iv to 6.b.vii for each additional cell.
    3. Set the same domain name for SSO. Perform the following steps for all participating IBM BPM and IBM Case Manager cells.

      1. In the administrative console, click Security > Global Security.

      2. In the Authentication cache settings section, expand Web and SIP security, then click Single sign-on (SSO).

      3. In the General Properties section, specify the following configuration values:

        1. Select the Enabled option.

        2. For Requires SSL, enter the domain name that you are using for the servers, for example, example.com.
        3. Verify that the Interoperability Mode and Web inbound security attribute propagation options are both selected.

        4. Click OK and save the changes to the master configuration.
      4. Remember to perform steps 6.c.i to 6.c.iii.4 for all participating cells.
    4. Verify that SSO works across the cells. If you have Business Space configured on IBM BPM perform the following actions:

      1. Using a web browser, open the IBM BPM Business Space client by entering a URL similar to the following example http://bpmserver.example.com:9080/BusinessSpace.

      2. Log on using a user name and password that is stored in the shared LDAP server.
      3. Without closing the IBM BPM Business Space tab, press Control-T to open a new tab in the browser.

      4. In the new browser tab, open the IBM Case Manager case client by entering a URL similar to the following example http://icmserver.example.com:9080/CaseClient.

      5. If you are automatically logged in as the same user, without having to enter a user ID and password in the case client, then SSO is working.

  7. Configure SSL by exchanging the server SSL certificates.

    1. Extract the root SSL certificate from the IBM BPM server. Perform the following actions using the administrative console on the IBM BPM server.

      1. Click Security > SSL certificate and key management > Key stores and certificates > DefaultTrustStore > Signer certificates.

      2. Select the root certificate then click Extract.

      3. Enter a file name for the exported certificate, for example, c:\bpmserverCert.pem, and click OK.

      If you are using a remote desktop connection, the exported certificate will be saved on the machine from which you started the administrative console.

    2. Transfer the exported certificate file in binary mode to the IBM Case Manager file system.

    3. Add the IBM BPM server certificate to the IBM Case Manager server. Perform the following actions using the administrative console on the IBM Case Manager server.

      1. Click Security > SSL certificate and key management > Key stores and certificates > DefaultTrustStore > Signer certificates.

      2. Click Add.

      3. Enter an alias, for example, bpmserver.

      4. Enter the file name of the IBM BPM server certificate, for example, c:\bpmserverCert.pem, and click OK.
      5. Save the changes.
    4. Extract the root SSL certificate from the IBM Case Manager server. Perform the following actions using the administrative console on the IBM Case Manager server.

      1. Click Security > SSL certificate and key management > Key stores and certificates > DefaultTrustStore > Signer certificates.

      2. Select the root certificate then click Extract.

      3. Enter a file name for the exported certificate, for example, c:\icmserverCert.pem, and click OK.

      Remember: If you are using a remote desktop connection, the exported certificate will be saved on the machine from which you started the administrative console.

    5. Transfer the exported certificate file in binary mode to the IBM BPM file system.

    6. Add the IBM Case Manager server certificate to the IBM BPM server. Perform the following actions using the administrative console on the IBM BPM server.

      1. Click Security > SSL certificate and key management > Key stores and certificates > DefaultTrustStore > Signer certificates.

      2. Click Add.

      3. Enter an alias, for example, icmserver.

      4. Enter the file name of the IBM Case Manager server certificate, for example, c:\icmserverCert.pem, and click OK.
      5. Save the changes.
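The three search filters from step 2, evaluated by a small added example (not part of the IBM documentation) against a constructed in-memory directory: it substitutes {0} the way the console does and shows which entry each filter returns, which is a quick way to confirm the filter strings before entering the same values in both cells. The parser, the entry layout and the sample DNs are assumptions; it supports only the &, | and attribute=value constructs these filters use.

```python
# Added example (not from the IBM documentation): a minimal evaluator for the
# LDAP search filters from step 2, run against constructed in-memory entries.
# Supports only what those filters use: &, | and attribute=value assertions.
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid={0}))"
GROUP_FILTER = "(&(cn={0})(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))"
MEMBERSHIP_FILTER = ("(|(&(objectclass=groupOfNames)(member={0}))"
                     "(&(objectclass=groupOfUniqueNames)(uniqueMember={0})))")

def parse(s, i=0):
    """Parse an RFC 4515 filter (subset) into nested tuples; returns (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        assert s[i] == ")", "unbalanced filter"
        return (op, children), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)   # value may itself contain '=' (a DN)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lowercase attr -> list of values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    # Attribute names are case-insensitive in LDAP; values are compared case-insensitively here (assumption).
    return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def search(filter_template, arg, entries):
    """Substitute {0} as the console does, then return the DNs of matching entries."""
    node, _ = parse(filter_template.replace("{0}", arg))
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))

# Constructed sample directory: one inetOrgPerson and one groupOfNames.
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["jsmith"]},
    "cn=bpmusers,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["bpmusers"],
        "member": ["uid=jsmith,ou=people,dc=example,dc=com"]},
}

if __name__ == "__main__":
    print(search(MEMBERSHIP_FILTER, "uid=jsmith,ou=people,dc=example,dc=com", DIRECTORY))
```

Because the membership filter is evaluated with a full DN as {0}, the member value stored in the group must be the same DN the user search returns, which is what the EXACT_DN certificate mapping in steps 4 and 5 also relies on.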


Results

The cross-cell setup is configured, including SSO and SSL.


What to do next

Register the IBM BPM widgets in IBM Case Manager.
