Securely integrate an LDAP user registry with IBM Business Process Manager

IBM® Business Process Manager includes an internal security provider for user access management. However, you may want to leverage an existing user registry, such as an enterprise user directory in LDAP, instead of recreating and maintaining the users and groups in the BPM internal user service. In addition, you may need to secure the communication between IBM BPM and the LDAP server to protect personal information. This article describes how to do both.


Mark Connell (mconnell@au1.ibm.com), Certified IT Specialist, IBM

Mark Connell is a Certified IT Specialist on the IBM Software Services for WebSphere team in Australia. During his 16 years with IBM, Mark has specialized in System z, Power Systems and Enterprise Content Management. In his current role he has led the design and delivery of several large business process management projects.



Shili Yang (shiliy@ca.ibm.com), Certified IT Specialist, IBM

Shili Yang is a Certified IT Specialist on the IBM Software Services for WebSphere team in Canada. Previously, Shili worked as a member of the BPM SWAT team, as well as the BPM Architecture and Advanced Technology team, focusing on the end-to-end integration aspect of the IBM BPM product portfolio.



07 August 2013


Introduction

IBM BPM V8 comes with an internal security provider for user access management and a set of default users and groups to run and administer IBM BPM environments and enable you to get up and running quickly out of the box. Additional users and groups can be created and maintained within the internal user system.

However, the internal user registry alone may not be sufficient for your needs. You may need to leverage an existing user registry external to IBM BPM, for instance an enterprise user directory in an LDAP server, to authenticate users and authorize access instead of recreating and maintaining the users and groups in the internal system. Because IBM BPM is now hosted on WebSphere® Application Server configured with a single federated repository containing only the internal provider, the LDAP directory can be added to the federated repository to achieve integration. The Installation and Configuration Guide in the product document library (Resources) provides detailed set-up information. This article includes the step-by-step instructions for completeness, supplemented with screen captures.

What's not included in the product documentation, but is often important, especially in an enterprise or production environment, is how to secure the communication between IBM BPM and the LDAP server to protect sensitive personal information such as user IDs and passwords. SSL provides an industry-standard protocol for transmitting data securely over an insecure network: it defines methods for authentication, data encryption, and message integrity on top of a reliable transport protocol. Setting up a secure connection between BPM and an LDAP directory over SSL is the focus of this article. Without this protection, the data exchanged between the servers is sent in the clear, exposing the environment, the application and its users to significant risk of attack.

In this article, you'll learn how to:

  1. Register an LDAP provider with the embedded application server in IBM BPM.
  2. Manage access for the LDAP users and groups.
  3. Secure the LDAP connection using Secure Sockets Layer (SSL) communications.

The instructions and screenshots in this article were captured with both WebSphere Lombardi Edition V7.2 and IBM BPM V8, using the IBM employee directory known as IBM BluePages, which runs on Tivoli Directory Server. The instructions are not specific to that implementation and apply to other standard LDAP servers.

The configuration steps are carried out in the WebSphere Application Server administrative console. Lombardi and IBM BPM V7.5 originally shipped with WebSphere Application Server V7, while BPM V8 ships with WebSphere Application Server V8. The configuration steps are the same for both versions of WebSphere Application Server, but the information shown by the console differs slightly in V8. Where the information shown in the administrative console differs between the two versions, screenshots from both V7 and V8 have been included.


Register an LDAP user directory with WebSphere Application Server

Note: Make sure no duplicate users exist between the BPM internal security provider and the security provider that you're about to add. If duplicate users exist, you will get exceptions when you run IBM BPM components.

  1. Start the WebSphere administrative console for BPM from the Start menu, as shown in Figure 1.
    Figure 1. Start the admin console for BPM
  2. Log on as tw_user. The default password for the tw_user account is tw_user.
  3. Select Security > Global security, as shown in Figures 2 and 3.
    Figure 2. V7: Global security
    Figure 3. V8: Global security
  4. Under User account repository, click Configure next to Federated repositories, which is already set as the default for BPM.
  5. Under Related items, click Manage repositories, as shown in Figure 4.
    Figure 4. Manage repositories
  6. Click Add in V7, or Add and choose LDAP repository in WAS V8, and enter the parameters for the LDAP provider that you want to add, as shown in Figures 5 and 6.
    Figure 5. V7: Add repository
    Figure 6. V8: Select and add repository

    For example, to add the IBM BluePages server, you would use the values shown in Figure 7.

    Figure 7. Example repository values
  7. Click OK and then click Save.
  8. Go back to the Federated repositories page (step 5) and click Add Base entry to Realm, as shown in Figure 8.
    Figure 8. Add base entry to realm
  9. Provide values for the LDAP server, as shown in the example in Figure 9, then click OK and then Save.
    Figure 9. LDAP server values
  10. Go back to the repository page (BluePages in our example). Under Additional Properties, click LDAP entity types, as shown in Figure 10.
    Figure 10. LDAP server configuration
  11. Then select Group, as shown in Figure 11.
    Figure 11. LDAP server configuration (continued)
  12. Specify the object classes and search bases, as shown in Figure 12.
    Figure 12. Group entity type settings
  13. Click OK and then click Save.
  14. Still under LDAP entity types, click OrgContainer, and specify the object classes and search bases, as shown in Figure 13.
    Figure 13. OrgContainer entity type settings
  15. Click OK and then click Save.
  16. Still under LDAP entity types, click PersonAccount and specify the object classes and search bases, as shown in Figure 14.
    Figure 14. PersonAccount entity type settings
  17. Click OK and then click Save.
  18. Shut down and then restart all WebSphere Application Server servers.

Grant access to LDAP users and groups

Once you've configured the LDAP directory and the internal IBM BPM security provider, the users and groups from both providers are available for selection in IBM BPM. An LDAP user or group can be added to a default group in the exact same way as if the user or group being added exists in the BPM internal user registry, using the following steps:

  1. Select User Management in the IBM BPM Process Admin console.
  2. In the Add Users and Groups dialog, enter the name of an LDAP user or group, such as the AIM_BPM_SWAT group, or shiliy@ca.ibm.com for an individual user that exists in the BluePages directory.
  3. Once the search results are returned, select the users or groups to add and click Add Selected, as shown in Figures 15 and 16.
    Figure 15. Add group
    Figure 16. Add user

Configure the SSL connection to the LDAP server

The application server embedded in IBM BPM provides several methods to secure communication between a server and a client, including support for SSL. The two main steps to enable SSL with an LDAP server are to add the digital certificate of the LDAP server to the trusted key store, and to switch to the secure port for encrypted data exchange.

Import the LDAP server certificate

To import the LDAP certificate, do the following:

  1. Log on to the WebSphere administrative console as tw_user with a password of tw_user.
  2. Select Security > SSL certificate and key management, as shown in Figure 17.
    Figure 17. Select SSL certificate and key management
  3. Click Key stores and certificates, as shown in Figure 18.
    Figure 18. Click key stores and certificates
  4. Click NodeDefaultTrustStore, as shown in Figure 19.
    Figure 19. Click NodeDefaultTrustStore
  5. Click Signer Certificates, as shown in Figure 20.
    Figure 20. Click Signer Certificates
  6. Click Retrieve from port, as shown in Figure 21.

    Note: As described in APAR PM37795 (fix available in WebSphere Application Server V7.0.0.17), the Retrieve from port action only retrieves the server certificate, not the signing certificate. This causes a problem when the server certificate expires, which for the default self-signed certificate used in this example happens within a year. Apply the APAR before using this action.

    Figure 21. Retrieve from port
  7. Type in the information for your LDAP server on the General Properties page, and click Retrieve Signer Information. For example, the information for the IBM BluePages server is:
    • Host: bluepages.ibm.com
    • Port: 636 (the default secure, SSL port for LDAP servers)
    • Alias: bluepages
    Figure 22. LDAP server properties
  8. After the details of the signer certificate are retrieved and populated, as shown in Figure 23, click OK and then Save.
    Figure 23. Signer certificate information
  9. The LDAP server certificate is now added to the trust store and listed, as shown in Figure 24.
    Figure 24. Server certificate added to trusted store

Switch to an SSL connection to the LDAP server

It's quite straightforward to switch to use SSL once the certificate is added to the store.

  1. Complete steps 1-6 in Register an LDAP user directory with WebSphere Application Server.
  2. Instead of the non-secure port 389, enter the secure (SSL) port of the LDAP server (the default is 636) and check Require SSL Communications, as shown in Figure 25.
    Figure 25. Check Require SSL Communications
  3. Click OK and then Save.
  4. Shut down and restart all IBM BPM servers.
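Once the repository has been switched to port 636 with Require SSL Communications checked, the change is persisted in the profile's WIM configuration. The following script is an added example (not from the article and not IBM code) that audits such a configuration for LDAP connections still using the non-secure port or an unchecked SSL flag. The embedded XML is a constructed sample modelled on the shape of wimconfig.xml (config/cells/<cell>/wim/config/wimconfig.xml under the profile); the element and attribute names it relies on (repositories, ldapServerConfiguration, ldapServers, connections, sslEnabled, host, port) are assumptions and should be confirmed against your own file before the script is pointed at it.

```python
"""Audit a WebSphere federated-repository (WIM) LDAP configuration for
repositories that still talk to the directory without SSL.

Added example; not part of the developerWorks article and not IBM code.
The XML below is a constructed sample whose shape is modelled on
wimconfig.xml.  The element and attribute names used here are
assumptions: confirm them against your own profile's file.
"""
import xml.etree.ElementTree as ET

CONFIG_NS = "http://www.ibm.com/websphere/wim/config"   # assumed namespace URI
NS = {"config": CONFIG_NS}

SECURE_LDAP_PORT = 636      # default LDAPS port, as used in the article
PLAIN_LDAP_PORT = 389       # default cleartext LDAP port

# Constructed sample: one repository left on port 389 without SSL, one
# switched to port 636 with SSL required, plus the BPM internal provider.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:sdo="commonj.sdo"
               xmlns:config="http://www.ibm.com/websphere/wim/config"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <config:configurationProvider>
    <config:repositories xsi:type="config:FileRepositoryType" id="InternalFileRepository"/>
    <config:repositories xsi:type="config:LdapRepositoryType" id="BluePagesPlain">
      <config:ldapServerConfiguration ldapServerType="IDS" sslEnabled="false">
        <config:ldapServers authentication="simple" bindDN="cn=bpmbind,o=example" sslEnabled="false">
          <config:connections host="bluepages.ibm.com" port="389"/>
        </config:ldapServers>
      </config:ldapServerConfiguration>
    </config:repositories>
    <config:repositories xsi:type="config:LdapRepositoryType" id="BluePages">
      <config:ldapServerConfiguration ldapServerType="IDS" sslEnabled="true">
        <config:ldapServers authentication="simple" bindDN="cn=bpmbind,o=example" sslEnabled="true">
          <config:connections host="bluepages.ibm.com" port="636"/>
        </config:ldapServers>
      </config:ldapServerConfiguration>
    </config:repositories>
  </config:configurationProvider>
</sdo:datagraph>
"""


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def audit_ldap_connections(xml_text):
    """Return one dict per LDAP connection found in the configuration.

    Each dict carries the repository id, host, port, whether SSL is
    required, and a list of human-readable problems (empty when the
    connection matches the article's secure configuration).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for repo in root.iter("{%s}repositories" % CONFIG_NS):
        server_cfg = repo.find("config:ldapServerConfiguration", NS)
        if server_cfg is None:
            continue  # file or database repository, not LDAP
        for server in server_cfg.findall("config:ldapServers", NS):
            # The per-server flag wins; fall back to the configuration-level flag.
            ssl_required = _is_true(server.get("sslEnabled", server_cfg.get("sslEnabled")))
            simple_auth = server.get("authentication", "simple") == "simple"
            for conn in server.findall("config:connections", NS):
                host = conn.get("host", "")
                port = int(conn.get("port", PLAIN_LDAP_PORT))
                problems = []
                if not ssl_required:
                    problems.append("Require SSL Communications is not set")
                if port == PLAIN_LDAP_PORT:
                    problems.append("connection uses the non-secure LDAP port 389")
                if simple_auth and not ssl_required:
                    problems.append("simple bind credentials would cross the network in the clear")
                findings.append({
                    "repository": repo.get("id"),
                    "host": host,
                    "port": port,
                    "ssl_required": ssl_required,
                    "problems": problems,
                })
    return findings


def insecure_connections(xml_text):
    """Convenience wrapper: only the connections that have problems."""
    return [f for f in audit_ldap_connections(xml_text) if f["problems"]]


if __name__ == "__main__":
    for f in audit_ldap_connections(SAMPLE_WIMCONFIG):
        status = "OK" if not f["problems"] else "; ".join(f["problems"])
        print("%s %s:%d ssl=%s -> %s" % (f["repository"], f["host"], f["port"], f["ssl_required"], status))
```

Run against a real file, the script reads the XML with `ET.parse(path).getroot()` instead of the embedded sample; the checks themselves (SSL flag set, port not 389, no simple bind without SSL) are exactly the three things the switch-to-SSL procedure above changes.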

Users can access and work with IBM BPM as usual once the servers are restarted. The data is now exchanged securely over the SSL connection behind the scenes, and there is no difference in the user experience.
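To make concrete what the introduction means by credentials being "sent in the clear" on port 389, here is an added example (not part of the article) that decodes an LDAPv3 simple BindRequest the way a passive network sensor would, and flags binds that carried a password over the non-secure port. LDAP messages are BER-encoded (RFC 4511), so the bind DN and password are plain octet strings in the packet. The small encoder exists only to construct sample traffic offline; the DN, password and frames are constructed values. The detector deliberately never returns the password itself, only its length. Over port 636 the same bytes are wrapped in a TLS record and this parser sees nothing but ciphertext, which is the protection the SSL configuration above provides.

```python
"""Decode an LDAP simple BindRequest as seen on port 389 and detect
cleartext binds in a (constructed) capture.

Added example; not part of the developerWorks article.  The encoder is
only used to build sample traffic; all values are constructed.
"""

LDAP_PLAIN_PORT = 389


# --- minimal BER helpers (RFC 4511 uses BER for LDAPMessage) --------------

def _ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _read_tlv(buf, pos):
    """Decode one tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(message_id, bind_dn, password):
    """Construct an LDAPv3 simple BindRequest exactly as it appears on the wire."""
    bind_request = (
        _tlv(0x02, bytes([3]))                  # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))   # name LDAPDN
        + _tlv(0x80, password.encode("utf-8"))  # authentication: simple [0]
    )
    return _tlv(0x30,                                # LDAPMessage SEQUENCE
                _tlv(0x02, bytes([message_id]))      # messageID
                + _tlv(0x60, bind_request))          # protocolOp: BindRequest [APPLICATION 0]


def parse_bind_request(packet):
    """Return details of a BindRequest, or None if the bytes are something else.

    The password is never returned: a detector only needs to know that
    credentials were visible, and how long they were.
    """
    try:
        tag, message, _ = _read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, raw_id, pos = _read_tlv(message, 0)
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(message, pos)
        if tag != 0x60:
            return None                              # not a BindRequest
        _, raw_version, pos = _read_tlv(op, 0)
        _, raw_dn, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
    except IndexError:
        return None                                  # truncated or foreign bytes
    return {
        "message_id": int.from_bytes(raw_id, "big"),
        "version": int.from_bytes(raw_version, "big"),
        "bind_dn": raw_dn.decode("utf-8", "replace"),
        "simple": auth_tag == 0x80,                  # 0xA3 would be a SASL bind
        "password_length": len(auth) if auth_tag == 0x80 else 0,
    }


def find_cleartext_binds(frames):
    """Scan (dst_port, payload) pairs and report simple binds on port 389.

    Anonymous binds (empty password) are ignored: nothing secret crossed the wire.
    """
    alerts = []
    for dst_port, payload in frames:
        if dst_port != LDAP_PLAIN_PORT:
            continue
        info = parse_bind_request(payload)
        if info and info["simple"] and info["password_length"] > 0:
            alerts.append("cleartext simple bind as %s (password of %d bytes exposed)"
                          % (info["bind_dn"], info["password_length"]))
    return alerts


# Constructed sample capture: an authenticated bind and an anonymous bind
# on port 389, and the start of a TLS record on port 636.
SAMPLE_FRAMES = [
    (389, build_simple_bind(1, "uid=bpm.service,ou=people,o=example", "example-password")),
    (389, build_simple_bind(2, "", "")),
    (636, bytes.fromhex("16030300")),   # TLS record header; not parseable as LDAP
]

if __name__ == "__main__":
    for alert in find_cleartext_binds(SAMPLE_FRAMES):
        print(alert)
```

The same decoder is what an IDS rule for "simple bind on 389" boils down to; the useful operational output is the bind DN and the fact that a password was visible, which is enough to find the misconfigured client without logging the secret a second time.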

Resources

IBM WebSphere Lombardi V7

IBM Business Process Manager V8

Other

  • developerWorks BPM zone: Get the latest technical resources on IBM BPM solutions, including downloads, demos, articles, tutorials, events, webcasts, and more.
  • IBM BPM Journal: Get the latest articles and columns on BPM solutions in this quarterly journal, also available in both Kindle and PDF versions.
