TIBCO ActiveMatrix® BPM Administration
Software Release 1.0.3
December 2010
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN LICENSE.PDF) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIB, TIBCO, TIBCO Adapter, Predictive Business, Information Bus, The Power of Now, TIBCO ActiveMatrix and TIBCO Silver are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2005-2010 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information
Contents

Preface 5
  Typographical Conventions 6
  How to Contact TIBCO Support 8

Chapter 1 Configuring an LDAP Shared Resource 9
  Introduction 10
  Adding and Using New Shared Resource Information 11
    Add a New Shared Resource Template 11
    Add a New Shared Resource Instance 11
    Use the LDAP Shared Resource in Workspace 11
  Creating a new LDAP Authenticator for Login Requests 12
    Create an LDAP Authenticator Resource Template 12
    Add a New Resource Instance for this Authenticator 12
    Deploy an Application to the BPMNode 12
    Log in to Workspace as a User from this LDAP 12

Chapter 2 BPM Properties Files 13
  Using Properties Files 14

Chapter 3 Defining Logging Information 17
    Loggers 17
    Appenders 17
  Editing Logging Levels 18
  Defining Where your Logging Output is Stored 19

Chapter 4 SSL 21
  Creating a Server-Side Key Store 22
  Creating a Client-Side Key Store 23
  Creating a KeyStore Provider for the Server-as-Client Trust Store 25
  Creating an Instance of the Server-as-Client KeyStore Provider 27
  Creating a KeyStore Provider for the Server Key Store 29
  Creating an Instance of the Server's KeyStore Provider 31
  Amending the SSL Server Provider 33
BPM Administration
  Amending the SSL Client Provider 35
  Amending the Identity Provider 37
  Re-Installing Affected Resource Instances 38

Index 41
BPM Administration
Preface
This document covers information you may need to allow you to administer BPM using TIBCO ActiveMatrix.
For more information on any of the subjects covered here, see the Administrator interface documentation for your BPM runtime environment.
Topics
• Typographical Conventions, page 6
• How to Contact TIBCO Support, page 8
Typographical Conventions
The following typographical conventions are used in this manual.

Table 1 General Typographical Conventions

code font
  Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example:
  Use MyCommand to start the foo process.

bold code font
  Bold code font is used in the following ways:
  • In procedures, to indicate what a user types. For example: Type admin.
  • In large code samples, to indicate the parts of the sample that are of particular interest.
  • In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

italic font
  Italic font is used in the following ways:
  • To indicate a document title. For example: See TIBCO BusinessWorks Concepts.
  • To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.
  • To indicate a variable in a command or code syntax that you must replace. For example: MyCommand pathname

Key combinations
  Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C.
  Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

Note icon
  The note icon indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

Tip icon
  The tip icon indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

Warning icon
  The warning icon indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.
Table 2 Syntax Typographical Conventions

[ ]
  An optional item in a command or code syntax. For example:
  MyCommand [optional_parameter] required_parameter

|
  A logical 'OR' that separates multiple items of which only one may be chosen. For example, you can select only one of the following parameters:
  MyCommand param1 | param2 | param3

{ }
  A logical group of items in a command. Other syntax notations may appear within each logical group.
  For example, the following command requires two parameters, which can be either the pair param1 and param2, or the pair param3 and param4:
  MyCommand {param1 param2} | {param3 param4}
  In the next example, the command requires two parameters. The first parameter can be either param1 or param2 and the second can be either param3 or param4:
  MyCommand {param1 | param2} {param3 | param4}
  In the next example, the command can accept either two or three parameters. The first parameter must be param1. You can optionally include param2 as the second parameter. The last parameter is either param3 or param4:
  MyCommand param1 [param2] {param3 | param4}
How to Contact TIBCO Support
For comments or problems with this manual or the software it addresses, please contact TIBCO Support as follows.
• For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:
http://www.tibco.com/services/support
• If you already have a valid maintenance or support contract, visit this site:
https://support.tibco.com
Entry to this site requires a user name and password. If you do not have a user name, you can request one.
Chapter 1 Configuring an LDAP Shared Resource
This chapter describes how you can set up a shared resource in order to use an LDAP server to manage identities in a BPM system.
For more information on any of the subjects covered here, see the Administrator interface documentation for your BPM runtime environment.
Topics
• Introduction, page 10
• Adding and Using New Shared Resource Information, page 11
• Creating a new LDAP Authenticator for Login Requests, page 12
Introduction
Directory Engine allows organizational resources to be resolved from a user-provided Directory Server. This Directory Server must be accessible using the Lightweight Directory Access Protocol (LDAP). These LDAP sources are supplied to Directory Engine by the TIBCO runtime as LDAP shared resources, which are configured and administered with the TIBCO Administrator tool. Once configured, an LDAP shared resource allows a user to search, view and map the organizational resources resolved from it.
To enable an organizational resource to log in to BPM, a matching LDAP authenticator must be provided by the TIBCO Administrator tool. This LDAP authenticator must be given exactly the same name as the LDAP shared resource an organizational resource was mapped from, with a prefix of auth-.
So for example, if an organization resource "Clint Hill" has been mapped from an LDAP shared resource called "MyCompany", then for "Clint Hill" to log in a matching LDAP authenticator named "amxbpm-auth-MyCompany" must also be created.
This chapter covers:
• Adding and Using New Shared Resource Information
• Creating a new LDAP Authenticator for Login Requests
Adding and Using New Shared Resource Information
Add a New Shared Resource Template
See the Administrator interface documentation for your BPM runtime environment for more information about resource templates, including instructions on editing an existing resource template once you have created it.

Add a New Shared Resource Instance
Create and install a resource instance using the template you just created, using the resource template LDAPQuery.
See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource instances.

Use the LDAP Shared Resource in Workspace
Once you have created the new shared resource instance, you can access it in Workspace and use it to create new LDAP containers and map resources to organization model entities.
The new Active Directory resource instance is used to create a new LDAP container. See the TIBCO Workspace User’s Guide for a full description of creating LDAP containers.
You can then map resources from this Active Directory container to positions and groups in the organization model, in the normal way as shown in the following illustration. See the TIBCO Workspace User’s Guide for a full description of mapping resources.
To make the new instance available in the list of LDAP sources that is displayed in Workspace, you may need to close and restart Workspace. It then reloads the list of LDAP sources, including the new one.
Creating a new LDAP Authenticator for Login Requests
You need to add an LDAP authenticator for a shared resource to enable logins.
Create an LDAP Authenticator Resource Template
Create and install an LDAP Authenticator Resource Template. See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource templates.

Add a New Resource Instance for this Authenticator
Create and install a resource instance using the template just created, using the resource template LDAPAuthenticationProvider. See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource instances.

Deploy an Application to the BPMNode
For information on creating, configuring and deploying an application, refer to the Administrator interface documentation for your BPM runtime environment.
To deploy an application to the BPMNode:
1. Select the Distribution tab.
2. Drill down in the View in the left hand pane until you can see the SharedResourceComposite node options on the right.
3. Click BPMNode in the Available Nodes list and move it to the Selected Nodes list.
4. Click Save.
Log in to Workspace as a User from this LDAP
It will now be possible to log in to Workspace as a mapped user from this LDAP container. See the TIBCO Workspace User's Guide.
Chapter 2 BPM Properties Files
The BPM properties files are located in <installation root directory>/config/bpm/configuration:

brm.properties                  BRM Engine properties file
dac.properties                  Deadline and Calendar properties file
de.properties                   Directory Engine properties file
EmailChannelProperties          Work Presentation Email Channel properties file
GIChannelProperties.properties  Work Presentation GI Channel properties file
WPProperties.properties         Work Presentation Core properties file
Using Properties Files
All properties files, except de.properties, are fully annotated and it is unlikely you will need to change them. However, if you do, please refer to the annotations for further information. The following table describes the properties listed in de.properties. Unless specified, the property value is set to the default value shown.
Table 1 Properties in de.properties (property name, default value, description)

monitor.enable (default: false)
  Optional. Specifies that the framework should monitor the de.properties file for changes.

monitor.interval (default: 5 seconds)
  The frequency (in milliseconds) at which the framework should check the properties file for modifications.

SqlInClauseLimit (default: 900)
  The maximum number of elements used within an SQL "in" clause.

NamedEntityCacheSize (default: 50)
  The size of the NamedEntity ID sequence cache.

UserSettingCacheSize (default: 50)
  The size of the UserSetting ID sequence cache.

LdapIDCacheSize (default: 50)
  The size of the cache for the LDAP sequence ID numbers.

SystemActionCacheSize (default: 10)
  The size of the cache for the System Action sequence ID numbers.

SystemActionPrivilegeCacheSize (default: 50)
  The size of the cache for System Action or Privilege association sequence ID numbers.

LdapRetryAttempts (default: 5)
  The maximum number of attempts to reconnect to an LDAP server if the LDAP connection ends abruptly due to a failed connection or an LDAP server crash.

LdapRetryWait (default: 500)
  The time interval (in milliseconds) between each reconnection attempt.

IgnoreCaseOnLogin (default: false)
  Specifies whether the authentication service should ignore the case of the login name.

LdapPageSize (default: 1000)
  Specifies whether paging of LDAP search results is supported, and the page size to be used.
  Paging is an LDAPv3 extension (RFC 2696). If the LDAP server used supports this extension, you can configure the page size by setting this property to a positive integer that specifies the maximum number of rows to be included in each page of the search results.
  For LDAP servers that do not support LDAPv3, set this property to -1 to disable paging.
Chapter 3 Defining Logging Information
TIBCO ActiveMatrix Administrator provides you with different types and levels of logging information depending on your requirements.
Loggers
Loggers define which component(s) of BPM are being logged and at which level. By default you are provided with the following 3 loggers:

com.tibco.bx    Logging of BPM Applications
com.tibco.pvm   Logging of Process Engine components
com.tibco.n2    Logging of BPM Work Manager components

The Logger Name you choose restricts the logs you receive to cover particular components.
You can edit the level of logging information you require in TIBCO ActiveMatrix Administrator.
You can also add new Logger Names. See the Administrator interface documentation for your BPM runtime environment for more information.

Appenders
Appenders define where the logging you generate goes. For BPM there are two pre-defined Appenders: one for BPM components (the Work Manager Appender) and one for process-related logging (the Process Engine Appender).
Both the com.tibco.bx and com.tibco.pvm Loggers send their output to the Process Engine Appender (the log file is called ProcessEngine.log).
The com.tibco.n2 Logger sends its output to the Work Manager Appender (the log file is called WorkForceManagement.log). Both log files are found in <installation home directory>\config\tibcohost\TibcoHostInstance\nodes\BPMNode\logs.
Editing Logging Levels
See the Administrator interface documentation for your BPM runtime environment for more information about editing logging levels.
Defining Where your Logging Output is Stored
To change the appender that your logging output is sent to:
1. Log in to TIBCO ActiveMatrix Administrator.
2. Select Applications.
3. Select amx-bpm-app.
4. Select Configuration and then Logging Configurations. You will see that 3 loggers are supplied by default.
5. Select com.tibco.n2.
6. Click on the Appender column to see a dropdown of the available appenders. The default appender for com.tibco.n2 is the Work Manager appender.
7. Select the appender you require and click Save.
Chapter 4 SSL
This chapter describes how you can configure your environment to use your own security certificate.
Topics
• Creating a Server-Side Key Store, page 22
• Creating a Client-Side Key Store, page 23
• Creating a KeyStore Provider for the Server-as-Client Trust Store, page 25
• Creating an Instance of the Server-as-Client KeyStore Provider, page 27
• Creating a KeyStore Provider for the Server Key Store, page 29
• Creating an Instance of the Server's KeyStore Provider, page 31
• Amending the SSL Server Provider, page 33
• Amending the SSL Client Provider, page 35
• Amending the Identity Provider, page 37
• Re-Installing Affected Resource Instances, page 38
Using the "out-of-the-box" configuration, with a certificate that has not been signed by a Certificate Authority (CA), you will be presented with a dialog warning you of the "untrusted" certificate when you first log in to the Workspace or Openspace browser. In order to continue, you must tell the browser to accept the certificate. The instructions vary according to browser type.
Ideally, you will install/provision your own CA-signed certificate, and the browser will not present any warning dialog.
TIBCO N2 User’s Guide
Creating a Server-Side Key Store
The following command-line example uses the Java utility keytool to create (or update) a key store named "server-side.jks", adding a self-signed certificate with the alias "bpm-swindon-server". The password to access the key store is "password". The password to access the alias within that key store is "server123". The dname (Distinguished Name) identifies the owner of the certificate - and, as this is a self-signed certificate, the issuer. The Common Name (CN) value of this name is also used by browsers to verify the host to which the browser is connecting. That is, the browser will raise a warning if the name of the host from which the certificate was received does not match this CN value.
The following command can be used to list the content of the key store (output may vary).
Creating a Client-Side Key Store
The client-side key store is used to hold the public keys of those certificates which the client trusts. The following commands will create a key store holding the public keys of the certificate created above.
Having exported the certificate, you can import it into the client-side key store. The following command creates, or updates, the key store named "client-side.jks", adding the trusted certificate given in the file named "server.cert" under the alias "bpm-swindon-server". The password used to access the key store is "password". No password is needed for the certificate.
The following command can be used to confirm the addition of the certificate to the client's key store (output may vary).
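The keytool commands themselves do not survive on this page, so the following script is an added example (not the manual's own commands) covering both the server-side key store section and the client-side key store section above. It uses the names the manual gives (server-side.jks, client-side.jks, server.cert, the alias bpm-swindon-server, store password "password", key password "server123") and the JKS store type that the KeyStore Provider sections select. Assumptions: a scratch directory stands in for C:\SSL, the dname is a placeholder (the manual's own dname is not reproduced here), and the JDK's keytool is on PATH. The final check compares the SHA-256 fingerprint of the entry in each store, which is the practical way to confirm that the client trusts exactly the certificate the server will present.

```shell
#!/bin/sh
# Added example, not from the TIBCO manual: the keytool sequence described
# in the server-side and client-side key store sections.
set -eu

WORKDIR="${SSL_WORKDIR:-$(mktemp -d)}"   # stand-in for C:\SSL (assumption)
SERVER_KS="$WORKDIR/server-side.jks"     # server key store: private key + self-signed certificate
CLIENT_KS="$WORKDIR/client-side.jks"     # client trust store: trusted public certificates only
CERT_FILE="$WORKDIR/server.cert"         # exported certificate, copied from server to client
ALIAS="bpm-swindon-server"
STORE_PASS="password"                    # the manual's values; use real secrets in a deployment
KEY_PASS="server123"
# The CN must equal the host name the browser connects to, or the browser warns.
# Placeholder host name (assumption); the manual's dname is not on the page.
DNAME="CN=bpm-swindon.example.invalid, OU=BPM, O=Example, C=GB"

# 1. Create (or update) the server key store, adding a self-signed key pair under $ALIAS.
#    -storetype JKS matches "Type = JKS" in the KeyStore Provider sections.
create_server_keystore() {
    keytool -genkeypair -storetype JKS -keystore "$SERVER_KS" -storepass "$STORE_PASS" \
        -alias "$ALIAS" -keypass "$KEY_PASS" -dname "$DNAME" \
        -keyalg RSA -keysize 2048 -validity 365
}

# 2. Export only the certificate (public key) to a file; the private key stays in the server store.
export_server_cert() {
    keytool -exportcert -keystore "$SERVER_KS" -storepass "$STORE_PASS" \
        -alias "$ALIAS" -file "$CERT_FILE"
}

# 3. Create (or update) the client trust store with that certificate as a trusted entry.
#    No key password is needed: a trustedCertEntry holds no private key.
create_client_truststore() {
    keytool -importcert -storetype JKS -keystore "$CLIENT_KS" -storepass "$STORE_PASS" \
        -alias "$ALIAS" -file "$CERT_FILE" -noprompt
}

# Print the SHA-256 fingerprint keytool reports for $ALIAS in the given key store.
fingerprint_of() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" -alias "$ALIAS" \
        | sed -n 's/.*fingerprint (SHA-256): *//p'
}

# Return 0 when $ALIAS exists in the given key store (keytool lower-cases aliases).
alias_present() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" | grep -qi "^$ALIAS,"
}

# Return 0 when both stores report the same non-empty fingerprint for $ALIAS,
# i.e. the client trusts exactly the certificate the server will present.
truststore_matches_server() {
    server_fp=$(fingerprint_of "$SERVER_KS")
    client_fp=$(fingerprint_of "$CLIENT_KS")
    [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]
}

# Run the whole sequence, then list both stores as the manual does (output varies).
build_stores() {
    create_server_keystore
    export_server_cert
    create_client_truststore
    keytool -list -keystore "$SERVER_KS" -storepass "$STORE_PASS"
    keytool -list -keystore "$CLIENT_KS" -storepass "$STORE_PASS"
}

# Only run when a JDK keytool is available on this machine.
if command -v keytool >/dev/null 2>&1; then
    build_stores
    if truststore_matches_server; then
        echo "client trust store matches the server certificate"
    fi
fi
```

Set SSL_WORKDIR to a directory of your choice to keep the generated files; otherwise they land in a fresh temporary directory. Note that the key password is deliberately different from the store password, which is exactly the distinction the later "Alias Password" notes draw.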
Creating a KeyStore Provider for the Server-as-Client Trust Store
Clients hold the certificates they trust in a KeyStore. In the case of an SSL Enabled HttpClient, the client is the server itself, as it communicates with another server. The following steps will create a KeyStore Provider that manages the KeyStore holding those certificates that the client will trust.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, opened in the lower panel, click New. This will open a dialog to allow the creation of a new Resource Template.
Enter a name for the new client KeyStore Provider (this example will use KeyStoreClient), and select KeyStore Provider in the Type drop-down.
The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to access the entries within that Key Store.
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the earlier sections.
• URL = C:\SSL\client-side.jks
• Password = password
• Type = JKS
Save these settings.
Creating an Instance of the Server-as-Client KeyStore Provider
Having created a template for the KeyStore Provider, we must now create an instance. Select the menu option Infrastructure > Hosts.
The Hosts panel will list the available hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Click New in the list of instances, and a New Resource Instance dialog will appear. In this dialog select Keystore Provider from the View drop-down, and select the KeyStoreClient entry (the template created in the previous section) in the Type list provided.
Now assign the instance to the BPMNode by selecting that node in the Available Nodes and clicking the ">" button.
Click Save and Close.
Creating a KeyStore Provider for the Server Key Store
The server will hold its CA authorised certificates in its own Key Store. These are certificates that have been authorised by a well known authority (for example VeriSign), and hold the Private Key with which the server will sign any communication with its clients.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, opened in the lower panel, click New. This will open a dialog to allow the creation of a new Resource Template.
Enter a name for the new server KeyStore Provider (this example will use KeyStoreServer), and select KeyStore Provider in the Type drop-down.
The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to access the entries within that Key Store.
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the earlier sections.
• URL = C:\SSL\server-side.jks
• Password = password
• Type = JKS
Save these settings.
Creating an Instance of the Server's KeyStore Provider
Having created a template for the KeyStore Provider, we must now create an instance. Select the menu option Infrastructure > Hosts.
The Hosts panel will list the available hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Click New in the list of instances, and a New Resource Instance dialog will appear. In this dialog select Keystore Provider from the View drop-down, and select the KeyStoreServer entry in the Type list provided.
Now assign the instance to the BPMNode by selecting that node in the Available Nodes and clicking the ">" button.
Click Save and Close.
Amending the SSL Server Provider
The SSL Server Provider provides SSL connectivity to the Http Connector. It holds a reference to the KeyStore Provider in order to access the Private Keys used to enable SSL.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, select SSL Server Provider from the View drop-down, and click the entry named SslServerRT.
This will present two tabs in the lower panel: General Configuration and Advanced Configuration.
The only properties to be modified are in the General Configuration tab:
• Keystore Provider Having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Alias Password - This is the password required to access the Private Key. This is not the same as the password used to access the Key Store itself, although the two values may be the same (e.g. server123).
• Keystore Provider as Trust Store - The KeyStore Provider managing the server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker" icon to select the instance created in the earlier section.
Save these changes.
Amending the SSL Client Provider
The SSL Client Provider provides SSL connectivity to the Http Client, in much the same way as the SSL Server Provider does for the Http Connector. It holds a reference to the KeyStore Provider in order to access the Public and Private Keys used to enable mutual SSL communication between a client and a server.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, select SSL Client Provider from the View drop-down, and click the entry named SslClientRT.
This will present two tabs in the lower panel: General Configuration and Advanced Configuration.
The only properties to be modified are in the General Configuration tab:
• Keystore Provider as Trust - The KeyStore Provider managing the server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker" icon to select the instance created in the earlier section.
• Keystore Provider having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Key Alias Password - This is the password required to access the Private Key. This is not the same as the password used to access the Key Store itself, although the two values may be the same (e.g. server123).
Save these changes.
Amending the Identity Provider
In the Resource Templates panel, select Identity Provider from the View drop-down, and click the entry named LdapAspRT_IdentityRT.
The only properties to be modified are in the General Configuration tab:
• Keystore Provider having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Key Alias Password - This is the password required to access the Private Key. Note: This is not the same as the password used to access the Key Store itself; although, the two values may be the same (e.g. server123).
Re-Installing Affected Resource Instances
Having amended the Resource Templates, changing all the references to the Key Stores and the Keys held within them, the Shared Resource Instances must be restarted.
The Shared Resource Instances can be accessed via the menu option Infrastructure > Hosts.
The Hosts panel will list the available hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Search this list for the following named Resource Instances, and uninstall them (in the order listed) by selecting them and clicking Uninstall. You may need to click Refresh, to the right of the panel, in order to verify that each instance has been uninstalled successfully.
1. httpConnector
2. OSHttpClientSharedResource
3. LdapAspRT_Identity
4. sslServerRI
5. SslClientRT
6. KeyStoreClient
7. KeyStoreServer
Once each instance has been uninstalled, they must be re-installed. Do this by selecting the same entries, in the reverse order, and clicking Install.
The instances may show as "Out Of Sync", due to the fact that their templates have been modified.
To help locate the Resource Instances, you can use the View drop-down box to filter the list by type.
Index

C
customer support 8

L
LDAP Authenticator Resource Template 12
LDAP Shared Resource Instance 11
LDAP Shared Resource Template 11
Logging 17

P
Properties Files 13

S
support, contacting 8

T
technical support 8