Tib Amx Bpm Admin

TIBCO ActiveMatrix® BPM Administration

Software Release 1.0.3
December 2010

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN LICENSE.PDF) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIB, TIBCO, TIBCO Adapter, Predictive Business, Information Bus, The Power of Now, TIBCO ActiveMatrix and TIBCO Silver are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2005-2010 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information

Contents

Preface
    Typographical Conventions
    How to Contact TIBCO Support

Chapter 1 Configuring an LDAP Shared Resource
    Introduction
    Adding and Using New Shared Resource Information
        Add a New Shared Resource Template
        Add a New Shared Resource Instance
        Use the LDAP Shared Resource in Workspace
    Creating a new LDAP Authenticator for Login Requests
        Create an LDAP Authenticator Resource Template
        Add a New Resource Instance for this Authenticator
        Deploy an Application to the BPMNode
        Log in to Workspace as a User from this LDAP

Chapter 2 BPM Properties Files
    Using Properties Files

Chapter 3 Defining Logging Information
        Loggers
        Appenders
    Editing Logging Levels
    Defining Where your Logging Output is Stored

Chapter 4 SSL
    Creating a Server-Side Key Store
    Creating a Client-Side Key Store
    Creating a KeyStore Provider for the Server-as-Client Trust Store
    Creating an Instance of the Server-as-Client KeyStore Provider
    Creating a KeyStore Provider for the Server Key Store
    Creating an Instance of the Server's KeyStore Provider
    Amending the SSL Server Provider
    Amending the SSL Client Provider
    Amending the Identity Provider
    Re-Installing Effected Resource Instances

Index

Preface

This document covers information you may need to administer BPM using TIBCO ActiveMatrix.

For more information on any of the subjects covered here, see the Administrator interface documentation for your BPM runtime environment.

Topics

• Typographical Conventions

• How to Contact TIBCO Support


Typographical Conventions

The following typographical conventions are used in this manual.

Table 1 General Typographical Conventions

Convention: code font
Use: Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example:

Use MyCommand to start the foo process.

Convention: bold code font
Use: Bold code font is used in the following ways:

• In procedures, to indicate what a user types. For example: Type admin.

• In large code samples, to indicate the parts of the sample that are of particular interest.

• In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

Convention: italic font
Use: Italic font is used in the following ways:

• To indicate a document title. For example: See TIBCO BusinessWorks Concepts.

• To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.

• To indicate a variable in a command or code syntax that you must replace. For example: MyCommand pathname

Convention: Key combinations
Use: Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C.

Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

The note icon indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

The tip icon indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

The warning icon indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.


Table 2 Syntax Typographical Conventions

Convention: [ ]
Use: An optional item in a command or code syntax.

For example:

MyCommand [optional_parameter] required_parameter

Convention: |
Use: A logical ’OR’ that separates multiple items of which only one may be chosen.

For example, you can select only one of the following parameters:

MyCommand param1 | param2 | param3

Convention: { }
Use: A logical group of items in a command. Other syntax notations may appear within each logical group.

For example, the following command requires two parameters, which can be either the pair param1 and param2, or the pair param3 and param4.

MyCommand {param1 param2} | {param3 param4}

In the next example, the command requires two parameters. The first parameter can be either param1 or param2 and the second can be either param3 or param4:

MyCommand {param1 | param2} {param3 | param4}

In the next example, the command can accept either two or three parameters. The first parameter must be param1. You can optionally include param2 as the second parameter. And the last parameter is either param3 or param4.

MyCommand param1 [param2] {param3 | param4}


How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, please contact TIBCO Support as follows.

• For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:

http://www.tibco.com/services/support

• If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you can request one.


Chapter 1 Configuring an LDAP Shared Resource

This chapter describes how you can set up a shared resource in order to use an LDAP server to manage identities in a BPM system.

For more information on any of the subjects covered here, see the Administrator interface documentation for your BPM runtime environment.

Topics

• Introduction

• Adding and Using New Shared Resource Information

• Creating a new LDAP Authenticator for Login Requests


Introduction

Directory Engine allows organizational resources to be resolved from a user provided Directory Server. This Directory Server must be accessible using the Lightweight Directory Access Protocol (LDAP). These LDAP sources are supplied to Directory Engine by the TIBCO runtime as LDAP shared resources, which are configured and administered by the TIBCO Administrator tool. Once configured, LDAP shared resources will allow a user to search, view and map organizational resources resolved in the specified LDAP shared resource.

To enable an organizational resource to log in to BPM, a matching LDAP authenticator must be provided by the TIBCO Administrator tool. This LDAP authenticator must be given exactly the same name as the LDAP shared resource an organizational resource was mapped from, with a prefix of auth-.

So for example, if an organization resource "Clint Hill" has been mapped from an LDAP shared resource called "MyCompany", then for "Clint Hill" to log in a matching LDAP authenticator named "amxbpm-auth-MyCompany" must also be created.

This chapter covers:

• Adding and Using New Shared Resource Information

• Creating a new LDAP Authenticator for Login Requests


Adding and Using New Shared Resource Information

Add a New Shared Resource Template

See the Administrator interface documentation for your BPM runtime environment for more information about resource templates, including instructions on editing an existing resource template once you have created it.

Add a New Shared Resource Instance

Create and install a resource instance using the template you just created using the resource template LDAPQuery.

See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource instances.

Use the LDAP Shared Resource in Workspace

Once you have created the new shared resource instance, you can access it in Workspace and use it to create new LDAP containers and map resources to organization model entities.

The new Active Directory resource instance is used to create a new LDAP container. See the TIBCO Workspace User’s Guide for a full description of creating LDAP containers.

You can then map resources from this Active Directory container to positions and groups in the organization model, in the normal way as shown in the following illustration. See the TIBCO Workspace User’s Guide for a full description of mapping resources.

To make the new instance available in the list of LDAP sources that is displayed in Workspace, you may need to close and restart Workspace. It then reloads the list of LDAP sources, including the new one.


Creating a new LDAP Authenticator for Login Requests

You need to add an LDAP authenticator for a shared resource to enable logins.

Create an LDAP Authenticator Resource Template

Create and install an LDAP Authenticator Resource Template. See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource instances.

Add a New Resource Instance for this Authenticator

Create and install a resource instance using the template just created using the resource template LDAPAuthenticationProvider. See the Administrator interface documentation for your BPM runtime environment for instructions on creating and installing resource instances.

Deploy an Application to the BPMNode

For information on creating, configuring and deploying an application, refer to the Administrator interface documentation for your BPM runtime environment.

To deploy an application to the BPMNode:

1. Select the Distribution tab.

2. Drill down in the View in the left-hand pane until you can see the SharedResourceComposite node options on the right.

3. Click BPMNode in the Available Nodes list and move it to the Selected Nodes list.

4. Click Save.

Log in to Workspace as a User from this LDAP

It is now possible to log in to Workspace as a mapped user from this LDAP container. See the TIBCO Workspace User’s Guide.


Chapter 2 BPM Properties Files

The BPM properties files are in the following location:

<installation root directory>/config/bpm/configuration:

brm.properties | BRM Engine Properties file
dac.properties | Deadline and Calendar Properties file
de.properties | Directory Engine Properties file
EmailChannelProperties | Work Presentation Email Channel Properties file
GIChannelProperties.properties | Work Presentation GI Channel Properties file
WPProperties.properties | Work Presentation Core Properties file


Using Properties Files

All properties files, except de.properties, are fully annotated and it is unlikely you will need to change them. However, if you do, please refer to the annotations for further information. The following table describes the properties listed in de.properties. Unless specified, the property value is set to the default value shown.

Table 1 Properties in de.properties

Property Name | Default Value | Description
monitor.enable | false | Optional. Specifies that the framework should monitor the de.properties file for changes.
monitor.interval | 5 seconds | The frequency (in milliseconds) at which the framework should check the properties file for modifications.
SqlInClauseLimit | 900 | The maximum number of elements used within an SQL "in" clause.
NamedEntityCacheSize | 50 | The size of the NamedEntity ID sequence cache.
UserSettingCacheSize | 50 | The size of the UserSetting ID sequence cache.
LdapIDCacheSize | 50 | The size of the cache for the LDAP sequence ID numbers.
SystemActionCacheSize | 10 | The size of the cache for the System Action sequence ID numbers.
SystemActionPrivilegeCacheSize | 50 | The size of the cache for System Action or Privilege association sequence ID numbers.
LdapRetryAttempts | 5 | The maximum number of attempts to reconnect to an LDAP server if the LDAP connection ends abruptly due to a failed connection or an LDAP server crash.
LdapRetryWait | 500 | The time interval (in milliseconds) between each reconnection attempt.
IgnoreCaseOnLogin | false | Specifies if the authentication service should ignore the case for the login name.
LdapPageSize | 1000 | Specifies whether paging of LDAP search results is supported, and the page size to be used. Paging is an LDAPv3 extension (RFC 2696). If the LDAP server used supports this extension, you can configure the page size by setting this property to a positive integer that specifies the maximum number of rows to be included in each page of the search results. For LDAP servers that do not support LDAPv3, set this property to -1 to disable paging.


Chapter 3 Defining Logging Information

TIBCO ActiveMatrix Administrator provides you with different types and levels of logging information depending on your requirements.

Loggers

Loggers define which component(s) of BPM are being logged and at which level. By default you are provided with the following 3 loggers:

com.tibco.bx | Logging of BPM Applications
com.tibco.pvm | Logging of Process Engine components
com.tibco.n2 | Logging of BPM Work Manager components

The Logger Name you choose restricts the logs you receive to cover particular components.

You can edit the level of logging information you require in TIBCO ActiveMatrix Administrator.

You can also add new Logger Names. See the Administrator interface documentation for your BPM runtime environment for more information.

Appenders

Appenders define where the logging you generate goes. For BPM there are two predefined Appenders, one for BPM components (the Work Manager Appender) and one for process related logging (the Process Engine Appender).

Both the com.tibco.bx and com.tibco.pvm Loggers send their output to the Process Engine Appender (the log file is called ProcessEngine.log).

The com.tibco.n2 Logger sends its output to the Work Manager Appender (the log file is called WorkForceManagement.log). Both log files are found in <installation home directory>\config\tibcohost\TibcoHostInstance\nodes\BPMNode\logs.


Editing Logging Levels

See the Administrator interface documentation for your BPM runtime environment for more information about editing logging levels.


Defining Where your Logging Output is Stored

You can edit the appender that your logging output is sent to:

1. Log in to TIBCO ActiveMatrix Administrator.

2. Select Applications.

3. Select amx-bpm-app.

4. Select Configuration and then Logging Configurations. You will see that 3 loggers are supplied by default.

5. Select com.tibco.n2.

6. Click on the Appender column to see a dropdown of the available appenders. The default appender for com.tibco.n2 is the Work Manager appender.

7. Select the appender you require and click Save.


Chapter 4 SSL

This chapter describes how you can configure your environment to use your own security certificate.

Topics

• Creating a Server-Side Key Store

• Creating a Client-Side Key Store

• Creating a KeyStore Provider for the Server-as-Client Trust Store

• Creating an Instance of the Server-as-Client KeyStore Provider

• Creating a KeyStore Provider for the Server Key Store

• Creating an Instance of the Server's KeyStore Provider

• Amending the SSL Server Provider

• Amending the SSL Client Provider

• Amending the Identity Provider

• Re-Installing Effected Resource Instances

Using the "out-of-the-box" configuration, with the certificate that has not been signed by a Certificate Authority (CA), you will be presented with a dialog warning you of the "untrusted" certificate when you first log in to the Workspace or Openspace browser. In order to continue, you must tell the browser to accept the certificate. The instructions vary according to browser type.

Ideally, you will install/provision your own CA signed certificate, and the browser will not present any warning dialog.

TIBCO N2 User’s Guide


Creating a Server-Side Key Store

The following command-line example uses the Java utility keytool to create (or update) a key store named "server-side.jks", adding a self-signed certificate with the alias "bpm-swindon-server". The password to access the key store is "password". The password to access the alias within that key store is "server123". The dname (Distinguished Name) identifies the owner of the certificate - and, as this is a self-signed certificate, the issuer. The Common Name (CN) value of this name is also used by browsers to verify the host to which the browser is connecting. That is, the browser will raise a warning if the name of the host from which the certificate was received does not match this CN value.

The following command can be used to list the content of the key store (output may vary).


Creating a Client-Side Key Store

The client-side key store is used to hold the public keys of those certificates which the client trusts. The following commands will create a key store holding the public keys of the certificate created above.

Having exported the certificate, you can import it into the client-side key store. The following command creates, or updates, the key store named "client-side.jsk", adding the trusted certificate given in the file named "server.cert" under the alias of "bpm-swindon-server". The password used to access the key store is "password". No password is needed for the certificate.

The following command can be used to confirm the addition of the certificate to the client's key store (output may vary).
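The steps described in Creating a Server-Side Key Store and Creating a Client-Side Key Store, written out as an added example (these are not the manual's own command listings). Store names, alias and passwords are the sample values quoted above; the SERVER_HOST and DNAME values, the key algorithm, key size, validity and SAN settings, and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not the manual's own commands. Store names, alias and
# passwords are the sample values quoted in the text; SERVER_HOST and DNAME
# are constructed placeholders.
SERVER_STORE="server-side.jks"; SERVER_STOREPASS="password"
CLIENT_STORE="client-side.jsk"; CLIENT_STOREPASS="password"
ALIAS="bpm-swindon-server";     ALIAS_PASS="server123"
CERT_FILE="server.cert"
SERVER_HOST="bpm.example.com"
DNAME="CN=bpm.example.com, OU=BPM, O=Example"

# Force English keytool output so the parsing in entry_type is stable.
kt() { keytool -J-Duser.language=en "$@"; }

# Succeeds when the CN of a dname equals the host name (case-insensitive).
# Browsers warn when the host they connect to does not match the certificate.
cn_matches_host() {
  cn=$(printf '%s\n' "$1" | sed -n 's/^.*CN=\([^,]*\).*$/\1/p' | tr 'A-Z' 'a-z')
  host=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
  [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Step 1: key pair plus self-signed certificate in the server-side store.
# The SAN extension repeats the host name because current browsers match the
# subjectAltName rather than the CN.
create_server_store() {   # $1 = directory for the stores
  cn_matches_host "$DNAME" "$SERVER_HOST" || {
    echo "CN in DNAME does not match $SERVER_HOST" >&2; return 1; }
  kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
     -dname "$DNAME" -ext "SAN=dns:$SERVER_HOST" \
     -keystore "$1/$SERVER_STORE" -storetype JKS \
     -storepass "$SERVER_STOREPASS" -keypass "$ALIAS_PASS"
}

# Step 2: export only the certificate (no private key) and import it into the
# client-side store as a trusted entry under the same alias.
create_client_store() {   # $1 = directory for the stores
  kt -exportcert -alias "$ALIAS" -keystore "$1/$SERVER_STORE" \
     -storepass "$SERVER_STOREPASS" -file "$1/$CERT_FILE" &&
  kt -importcert -noprompt -alias "$ALIAS" -file "$1/$CERT_FILE" \
     -keystore "$1/$CLIENT_STORE" -storetype JKS -storepass "$CLIENT_STOREPASS"
}

# Prints the entry type keytool reports for $ALIAS in a store.
entry_type() {            # $1 = store file, $2 = store password
  kt -list -alias "$ALIAS" -keystore "$1" -storepass "$2" 2>/dev/null |
    sed -n -e 's/.*PrivateKeyEntry.*/PrivateKeyEntry/p' \
           -e 's/.*trustedCertEntry.*/trustedCertEntry/p'
}

# Step 3: the checks the "list" commands are for. The private key must exist
# only in the server store, and both stores must hold the same certificate.
verify_stores() {         # $1 = directory for the stores
  [ "$(entry_type "$1/$SERVER_STORE" "$SERVER_STOREPASS")" = "PrivateKeyEntry" ] || return 1
  [ "$(entry_type "$1/$CLIENT_STORE" "$CLIENT_STOREPASS")" = "trustedCertEntry" ] || return 1
  kt -exportcert -rfc -alias "$ALIAS" -keystore "$1/$SERVER_STORE" \
     -storepass "$SERVER_STOREPASS" -file "$1/server-view.pem" >/dev/null 2>&1 || return 1
  kt -exportcert -rfc -alias "$ALIAS" -keystore "$1/$CLIENT_STORE" \
     -storepass "$CLIENT_STOREPASS" -file "$1/client-view.pem" >/dev/null 2>&1 || return 1
  cmp -s "$1/server-view.pem" "$1/client-view.pem"
}

# Run the whole sequence in a scratch directory when a JDK is installed.
if command -v keytool >/dev/null 2>&1; then
  work=$(mktemp -d) &&
    create_server_store "$work" &&
    create_client_store "$work" &&
    verify_stores "$work" &&
    echo "verified: private key only in $SERVER_STORE, certificate trusted in $CLIENT_STORE"
  rm -rf "$work"
else
  echo "keytool not found (it ships with the JDK); functions defined but not run" >&2
fi
```

Passing passwords with -storepass and -keypass exposes them in the process list and shell history; omit those options and keytool prompts for them instead.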


Creating a KeyStore Provider for the Server-as-Client Trust Store

Clients hold the certificates they trust in a KeyStore. In the case of an SSL Enabled HttpClient, the client is the server itself, as it communicates with another server. The following steps will create a KeyStore Provider that manages the KeyStore holding those certificates that the client will trust.

Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, opened in the lower panel, click New. This will open a dialog to allow the creation of a new Resource Template.


Enter a name for the new client KeyStore Provider (this example will use KeyStoreClient), and select KeyStore Provider in the Type drop-down.

The dialog will then show the available properties for the KeyStore Provider:

• URL - The physical location of the Key Store file.

• Password - The password used to access the entries within that Key Store.

• Type - The type of Key Store to be used.

For this example we will use the values suitable to the Key Stores created in the earlier sections.

• URL = C:\SSL\client-side.jsk

• Password = password

• Type = JKS

Save these settings.


Creating an Instance of the Server-as-Client KeyStore Provider

Having created a template for the KeyStore Provider, we must now create an instance. Select the menu option Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Click New in the list of instances, and a New Resource Instance dialog will appear. In this dialog select Keystore Provider from the View drop-down, and select the KeyStoreServer entry in the Type list provided.

Now assign the instance to the BPMNode by selecting that node in the Available Nodes and clicking the ">" button.

Click Save and Close.


Creating a KeyStore Provider for the Server Key Store

The server will hold its CA authorised certificates in its own Key Store. These are certificates that have been authorised by a well-known authority (for example VeriSign), and hold the Private Key with which the server will sign any communication with its clients.

Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, opened in the lower panel, click New. This will open a dialog to allow the creation of a new Resource Template.


Enter a name for the new server KeyStore Provider (this example will use KeyStoreServer), and select KeyStore Provider in the Type drop-down.

The dialog will then show the available properties for the KeyStore Provider:

• URL - The physical location of the Key Store file.

• Password - The password used to access the entries within that Key Store.

• Type - The type of Key Store to be used.

For this example we will use the values suitable to the Key Stores created in the earlier sections.

• URL = C:\SSL\server-side.jsk

• Password = password

• Type = JKS

Save these settings.


Creating an Instance of the Server's KeyStore Provider

Having created a template for the KeyStore Provider, we must now create an instance. Select the menu option Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Click New in the list of instances, and a New Resource Instance dialog will appear. In this dialog select Keystore Provider from the View drop-down, and select the KeyStoreServer entry in the Type list provided.

Now assign the instance to the BPMNode by selecting that node in the Available Nodes and clicking the ">" button.

Click Save and Close.


Amending the SSL Server Provider

The SSL Server Provider provides SSL connectivity to the Http Connector. It holds a reference to the KeyStore Provider in order to access the Private Keys used to enable SSL.

Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, select SSL Server Provider from the View drop-down, and click the entry named SslServerRT.


This will present two tabs in the lower panel; General Configuration and Advanced Configuration.

The only properties to be modified are in the General Configuration tab:

• Keystore Provider Having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.

• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).

• Alias Password - This is the password required to access the Private Key. Note: This is not the same as the password used to access the Key Store itself, although the two values may be the same (e.g. server123).

• Keystore Provider as Trust Store - The KeyStore Provider managing the server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker" icon to select the instance created in the earlier section.

Save these changes.


Amending the SSL Client Provider

The SSL Client Provider provides SSL connectivity to the Http Client, in much the same way as the SSL Server Provider does for the Http Connector. It holds a reference to the KeyStore Provider in order to access the Public and Private Keys used to enable mutual SSL communication between a client and a server.

Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, select SSL Client Provider from the View drop-down, and click the entry named SslClientRT.

This will present two tabs in the lower panel: General Configuration and Advanced Configuration.

The only properties to be modified are in the General Configuration tab:


• Keystore Provider as Trust - The KeyStore Provider managing the server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker" icon to select the instance created in the earlier section.

• Keystore Provider having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.

• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).

• Key Alias Password - This is the password required to access the Private Key. Note: This is not the same as the password used to access the Key Store itself, although the two values may be the same (e.g. server123).

Save these changes.


Amending the Identity Provider

In the Resource Templates panel, select Identity Provider from the View drop-down, and click the entry named LdapAspRT_IdentityRT.

The only properties to be modified are in the General Configuration tab:

• Keystore Provider having Identity - The KeyStore Provider managing the server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to select the instance created in the earlier section.

• Key Alias to Access Identity - This is the alias (or name) by which the Private Key is referenced within the Key Store (e.g. bpm-swindon-server).

• Key Alias Password - This is the password required to access the Private Key. Note: This is not the same as the password used to access the Key Store itself, although the two values may be the same (e.g. server123).
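The Key Alias and alias password requested by the SSL Server Provider, SSL Client Provider and Identity Provider templates can be checked against the keystore file before they are entered. The following is an added example, not part of the TIBCO guide or product; it assumes JDK 11 or later, and the store file, alias (demo-server) and passwords are constructed sample values.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not TIBCO code): checks the values a provider's General Configuration tab asks for.
public class KeystorePreflight {
    // Returns "OK ..." or a message naming the field that would be rejected.
    static String check(String file, String storePass, String alias, String aliasPass) {
        try {
            // Opening the store needs the keystore password only (JKS or PKCS12 is auto-detected).
            KeyStore ks = KeyStore.getInstance(new File(file), storePass.toCharArray());
            if (!ks.containsAlias(alias))
                return "Key Alias not found; store contains " + Collections.list(ks.aliases());
            if (!ks.isKeyEntry(alias))
                return "Alias holds a trusted certificate only, no Private Key";
            // Recovering the Private Key needs the alias password, which may differ.
            ks.getKey(alias, aliasPass.toCharArray());
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) return "No certificate stored with the key";
            cert.checkValidity(); // throws if expired or not yet valid
            return "OK: " + cert.getSubjectX500Principal().getName() + ", expires " + cert.getNotAfter();
        } catch (UnrecoverableKeyException e) {
            return "Alias Password rejected";
        } catch (Exception e) {
            return "Check failed: " + e;
        }
    }
    // Constructed sample input: a throwaway JKS store made with the JDK's own keytool.
    static String demoStore() throws Exception {
        Path ks = Files.createTempDirectory("ks").resolve("demo.jks");
        String keytool = Path.of(System.getProperty("java.home"), "bin", "keytool").toString();
        int rc = new ProcessBuilder(keytool, "-genkeypair", "-alias", "demo-server", "-keyalg", "RSA",
                "-dname", "CN=demo", "-storetype", "JKS", "-keystore", ks.toString(),
                "-storepass", "store-pass", "-keypass", "alias-pass").inheritIO().start().waitFor();
        if (rc != 0) throw new IllegalStateException("keytool exited with " + rc);
        return ks.toString();
    }
    public static void main(String[] args) throws Exception {
        String ks = demoStore();
        System.out.println(check(ks, "store-pass", "demo-server", "alias-pass"));   // all correct
        System.out.println(check(ks, "store-pass", "demo-server", "store-pass"));   // wrong alias password
        System.out.println(check(ks, "store-pass", "no-such-alias", "alias-pass")); // wrong alias
        System.out.println(check(ks, "wrong-pass", "demo-server", "alias-pass"));   // wrong keystore password
    }
}
```

Run it with `java KeystorePreflight.java`; the second call shows that a correct keystore password is still rejected when supplied as the alias password.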


Re-Installing Affected Resource Instances

Having amended the Resource Templates, changing all the references to the Key Stores and the Keys held within them, the Shared Resource Instances must be restarted.

The Shared Resource Instances can be accessed via the menu option Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All Instances entry of the left-hand panel. The right-hand panel will be populated with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Search this list for the following named Resource Instances, and uninstall them (in the order listed) by selecting them and clicking Uninstall. You may need to click Refresh on the right of the panel in order to verify that each instance has been uninstalled successfully.

1. httpConnector

2. OSHttpClientSharedResource

3. LdapAspRT_Identity

4. sslServerRI

5. SslClientRT

6. KeyStoreClient

7. KeyStoreServer

Once all of the instances have been uninstalled, they must be re-installed. Do this by selecting the same entries, in the reverse order, and clicking Install.

The instances may show as "Out Of Sync" because their templates have been modified.

To help locate the Resource Instances, you can use the View drop-down box to filter the list by type.


Index

C

customer support 8

L

LDAP Authenticator Resource Template 12

LDAP Shared Resource Instance 11

LDAP Shared Resource Template 11

Logging 17

P

Properties Files 13

S

support, contacting 8

T

technical support 8