IBM Support

Securing the messaging engines underlying the IBM Process Server and Performance Data Warehouse for IBM Business Process Manager (BPM)

Troubleshooting


Problem

The buses underlying the IBM Process Server and Performance Data Warehouse are shipped unsecured; to secure the buses, you need to complete additional steps.

Resolving The Problem

By default, as shipped, the IBM Process Server bus and the Performance Data Warehouse bus are unsecured. You will typically want to secure both buses. To secure them, follow these steps:

  1. Enable bus security.

    1. Expand Security and select Bus Security. You see a list of the buses that are available on your system. The list should include both of the following buses:

      • The IBM Process Server bus (PROCSVR.cell-name.Bus)
      • The Performance Data Warehouse bus (PERFDW.cell-name.Bus)

    2. Under the Security column, each bus is marked as having security either enabled or disabled. By default, the IBM Process Server bus and the Performance Data Warehouse bus have security disabled, as indicated by the Disabled link in the Security column. Select the bus that you want to secure and click the Disabled link. This action takes you directly to the "Security configuration" page for that bus.

    3. In the security configuration page for the selected bus, click Enable bus security.

  2. Add the appropriate users, groups, or both to the bus connector role. Ensure that the user you identify in the authentication alias (see step 3) is a member of this role. Only users in the bus connector role are allowed to connect to the bus:

    1. On the bus security configuration page, click the Users and Groups in the bus connector role link.

    2. You will see a list of users that have been assigned the bus connector role for this particular bus. If the user that you are using to connect to the bus is not in the list of users and is not a member of any of the groups listed, click New to open a wizard, which will enable you to find the user or group, as appropriate.

  3. Add an authentication alias to the bus activation specification. Completing this action makes it possible to centrally and securely manage access IDs that are being used to access buses.

    1. Navigate to Resources > JMS > JMS Providers.

    2. Choose the default messaging provider for the correct cluster or server scope.

    3. Under Additional Properties, click Activation Specifications.

    4. Select an existing authentication alias, or create a new one, to associate with the bus. If you create a new authentication alias, use the primary administrator user name and password for it. Ensure that the identity associated with the authentication alias is in the bus connector role for that bus, as described in step 2. For each activation specification in the following table, set its Authentication alias property to the alias that you selected or created:
    5. Bus / Activation specification

      • IBM Process Server bus (PROCSVR.cell-name.Bus):
        ProcSrvEventMgrControlActivationSpec
        ProcSrvEventMgrMessageActivationSpec
        ProcSrvInterServerActivationSpec
        ProcSrvcacheMessageActivationSpec

      • Performance Data Warehouse bus (PERFDW.cell-name.Bus):
        PerfDWDataDefLoaderActivationSpec
        PerfDWPostLoadCalculationActivationSpec
        PerfDWRepresentationManagerActivationSpec
        PerfDWViewManagerActivationSpec
    6. Ensure that the proper authentication aliases are referenced in the 50AppServer.xml configuration file, in all of its relevant locations, including the 50AppServer.xml file for the Performance Data Warehouse and the 50AppServer.xml file for the Process Center or Process Server. To verify, look for the following segment in 50AppServer.xml. Un-comment the jms-auth element and use the same user name and password as the identity of the authentication alias (the user that you added to the bus connector role in step 2):

      <!--  These properties are needed when JMS connections require authentication. For instance, when using Embedded MQ you will be required to uncomment these properties ~EMBEDMQ_COMMENT~
      <jms-auth merge="mergeChildren">
      <user>tw_user</user>
      <password>93UVSloSQlXuw4hQz8juEA==:LQKvvMytJN1xqhTa2D89Ig==</password>
      </jms-auth>
      ~EMBEDMQ_UNCOMMENT~-->

    7. The directory path where you make these changes to 50AppServer.xml depends on whether you have installed a stand-alone server environment, a clustered network deployment environment, or a single-server network deployment environment, as shown below:

      • Path for a stand-alone server configuration
        stand-alone-profile-root\config\cells\cell-name\nodes\standalone-node-name\servers\server-name\process-center|process-server|performance-data-warehouse\config\system\50AppServer.xml

      • Path for a network deployment cluster configuration

        • For the network deployment cluster:
          DMGR-profile-root\config\cells\cell-name\clusters\cluster-name\process-center|process-server|performance-data-warehouse\config\system\50AppServer.xml

        • For each cluster member:
          DMGR-profile-root\config\cells\cell-name\nodes\node-name\servers\server-name\process-center|process-server|performance-data-warehouse\config\system\50AppServer.xml

          Note: In the network deployment Performance Data Warehouse cluster environment, the 50AppServer.xml file is not available in the cluster scope. If new Performance Data Warehouse cluster members are created after the security enablement, you must ensure that the proper authentication aliases are referenced for the new members as well.

      • Path for a network deployment single-server configuration
        DMGR-profile-root\config\cells\cell-name\nodes\custom-node-name\servers\server-name\process-center|process-server|performance-data-warehouse\config\system\50AppServer.xml

    8. Use the IBM BPM EncryptPassword utility to encrypt the password for the 50AppServer.xml file. Instructions for using the utility are available in the Encrypting passwords topic within the Business Process Manager 7.5 Information Center.

    9. If you are using a network deployment cluster configuration, synchronize the nodes.

    10. Restart the server and make sure that you do not see any new exceptions related to the Process Server and the Performance Data Warehouse buses.
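Steps 1 through 3 (enabling bus security, granting the bus connector role and pointing the activation specifications at the authentication alias) can also be scripted with wsadmin instead of clicked through the administrative console, which matters when you have several cells or must repeat the change after adding cluster members. The following is an added example written for this page, not a script shipped with IBM BPM. It uses the bus and activation-specification names exactly as the technote lists them; CELL, CONNECTOR_USER and ALIAS are placeholders you must replace. The wsadmin AdminTask and AdminConfig objects are passed in as parameters, so outside wsadmin the script can be exercised with the Recorder stand-in. The syntax is kept compatible with the Jython 2.1 interpreter that wsadmin ships with as well as with a current Python.

```python
# Added example, not from the IBM technote.  Run inside WebSphere with:
#   wsadmin -lang jython -f secure_bpm_buses.py
# Outside wsadmin, secure_buses() can be driven with the Recorder class below.

CELL = 'cell-name'            # assumption: replace with your cell name
CONNECTOR_USER = 'admin'      # assumption: the primary administrator user
ALIAS = 'BPMBusAuthAlias'     # assumption: name of an existing J2C authentication alias

# Bus names and activation specifications as listed in the technote.
BUSES = [
    ('PROCSVR.%s.Bus' % CELL, [
        'ProcSrvEventMgrControlActivationSpec',
        'ProcSrvEventMgrMessageActivationSpec',
        'ProcSrvInterServerActivationSpec',
        'ProcSrvcacheMessageActivationSpec',
    ]),
    ('PERFDW.%s.Bus' % CELL, [
        'PerfDWDataDefLoaderActivationSpec',
        'PerfDWPostLoadCalculationActivationSpec',
        'PerfDWRepresentationManagerActivationSpec',
        'PerfDWViewManagerActivationSpec',
    ]),
]


def _names(listing):
    """Turn wsadmin's newline/bracket-separated listing into bare names."""
    return listing.replace('[', ' ').replace(']', ' ').split()


def secure_buses(admin_task, admin_config, user=CONNECTOR_USER, alias=ALIAS, buses=BUSES):
    """Apply steps 1-3 through the AdminTask/AdminConfig objects.
    Returns the list of operations performed, as strings, for logging or assertions."""
    done = []
    for bus, specs in buses:
        # Step 1: enable bus security on this bus.
        admin_task.modifySIBus('[-bus %s -busSecurity true]' % bus)
        done.append('modifySIBus %s busSecurity=true' % bus)

        # Step 2: grant the bus connector role unless the user already holds it.
        current = _names(admin_task.listUsersInBusConnectorRole('[-bus %s]' % bus))
        if user not in current:
            admin_task.addUserToBusConnectorRole('[-bus %s -user %s]' % (bus, user))
            done.append('addUserToBusConnectorRole %s user=%s' % (bus, user))

        # Step 3: set the authentication alias on every activation specification.
        # getid returns one config id per scope (cluster and members), one per line.
        for spec in specs:
            for spec_id in admin_config.getid('/J2CActivationSpec:%s/' % spec).splitlines():
                spec_id = spec_id.strip()
                if spec_id:
                    admin_config.modify(spec_id, [['authenticationAlias', alias]])
                    done.append('modify %s authenticationAlias=%s' % (spec, alias))
    admin_config.save()
    done.append('save')
    return done


class Recorder:
    """Stand-in for AdminTask/AdminConfig outside wsadmin (constructed, for dry runs)."""
    def __init__(self, existing_users=''):
        self.existing_users = existing_users
    def modifySIBus(self, args):
        return ''
    def listUsersInBusConnectorRole(self, args):
        return self.existing_users
    def addUserToBusConnectorRole(self, args):
        return ''
    def getid(self, path):
        # One fabricated config id in the shape wsadmin returns.
        name = path.split(':')[1].rstrip('/')
        return '%s(cells/%s/clusters/c|resources.xml#J2CActivationSpec_1)\n' % (name, CELL)
    def modify(self, config_id, attrs):
        return ''
    def save(self):
        return ''


if globals().get('AdminTask') is not None:
    # Real wsadmin session: AdminTask and AdminConfig are predefined there.
    for line in secure_buses(AdminTask, AdminConfig):
        print(line)
```

After the script saves the configuration, synchronize the nodes (step 3, sub-step 9) and restart the servers as the technote describes; the script does not do that for you.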

  4. Set user and password values for the HTTP event listener. When Java™ Message Service (JMS) connections are secured and require authentication, you must set the jmsUser and jmsPassword values in the HTTPEventListener.properties file, as follows:


    <constant classkey="jmsUser">JMS_USER</constant>
    <constant classkey="jmsPassword">JMS_PASSWORD_ENCRYPTED</constant>
    <constant classkey="jmsPasswordEncrypted">true</constant>


    These values must match the user name and password of the authentication alias identity (the user that you added to the bus connector role in step 2). If that user is admin, use admin for JMS_USER and the encrypted admin password for JMS_PASSWORD_ENCRYPTED. Use the IBM BPM EncryptPassword utility to produce the encrypted jmsPassword value for the HTTP event listener.
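Steps 3 and 4 both depend on the same identity being referenced in every copy of 50AppServer.xml and in HTTPEventListener.properties, and the note above about new Performance Data Warehouse cluster members shows how easy it is to miss one copy. The following checker is an added example for this page, not an IBM utility: it walks a profile's config tree, finds every 50AppServer.xml and HTTPEventListener.properties, and reports where the jms-auth element is still commented out, the user does not match, or the password is empty or does not look like EncryptPassword output. The only file content taken from the technote is the jms-auth fragment and the three constant lines; the surrounding root element, the file-name-based discovery and the "base64:base64" shape of an encrypted password are assumptions (the last is a heuristic, not a documented format).

```python
# Added example, not from the IBM technote.  Usage:
#   python check_bpm_jms_auth.py  (runs the constructed samples below)
#   check_profile(r'C:\IBM\WebSphere\AppServer\profiles\Dmgr01', 'admin')
import os
import re
import xml.etree.ElementTree as ET

# Assumption: EncryptPassword output looks like the technote's sample, two
# base64 strings joined by a colon.  Anything else is flagged as probably plaintext.
ENCRYPTED_RE = re.compile(r'^[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$')
CONSTANT_RE = re.compile(r'<constant\s+classkey="([^"]+)">([^<]*)</constant>')


def check_app_server_xml(xml_text, expected_user):
    """Findings for one 50AppServer.xml; an empty list means it passes."""
    findings = []
    auth = ET.fromstring(xml_text).find('.//jms-auth')   # the parser drops comments
    if auth is None:
        if '<jms-auth' in xml_text:
            findings.append('jms-auth is still commented out')
        else:
            findings.append('jms-auth element missing')
        return findings
    user = (auth.findtext('user') or '').strip()
    password = (auth.findtext('password') or '').strip()
    if user != expected_user:
        findings.append('jms-auth user is %r, expected %r' % (user, expected_user))
    if not password:
        findings.append('jms-auth password is empty')
    elif not ENCRYPTED_RE.match(password):
        findings.append('jms-auth password does not look like EncryptPassword output')
    return findings


def check_http_event_listener(props_text, expected_user):
    """Findings for HTTPEventListener.properties; an empty list means it passes."""
    values = dict(CONSTANT_RE.findall(props_text))
    findings = []
    if values.get('jmsUser', '').strip() != expected_user:
        findings.append('jmsUser is %r, expected %r' % (values.get('jmsUser'), expected_user))
    if not values.get('jmsPassword', '').strip():
        findings.append('jmsPassword is empty')
    if values.get('jmsPasswordEncrypted', '').strip().lower() != 'true':
        findings.append('jmsPasswordEncrypted is not true')
    return findings


def check_profile(profile_root, expected_user):
    """Walk a profile (or deployment manager) config tree and check every copy of
    both files, so cluster members added later are not missed.  Returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(profile_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == '50AppServer.xml':
                with open(path) as fh:
                    report[path] = check_app_server_xml(fh.read(), expected_user)
            elif name == 'HTTPEventListener.properties':
                with open(path) as fh:
                    report[path] = check_http_event_listener(fh.read(), expected_user)
    return report


# Constructed samples.  The <config> root element is an assumption; the jms-auth
# fragment and the constant lines are the ones the technote shows.
COMMENTED_SAMPLE = """<config>
<!--  These properties are needed when JMS connections require authentication. ~EMBEDMQ_COMMENT~
<jms-auth merge="mergeChildren">
<user>tw_user</user>
<password>93UVSloSQlXuw4hQz8juEA==:LQKvvMytJN1xqhTa2D89Ig==</password>
</jms-auth>
~EMBEDMQ_UNCOMMENT~-->
</config>
"""

FIXED_SAMPLE = """<config>
<jms-auth merge="mergeChildren">
<user>admin</user>
<password>93UVSloSQlXuw4hQz8juEA==:LQKvvMytJN1xqhTa2D89Ig==</password>
</jms-auth>
</config>
"""

LISTENER_SAMPLE = """<constant classkey="jmsUser">admin</constant>
<constant classkey="jmsPassword">93UVSloSQlXuw4hQz8juEA==:LQKvvMytJN1xqhTa2D89Ig==</constant>
<constant classkey="jmsPasswordEncrypted">true</constant>
"""

if __name__ == '__main__':
    for label, text in (('commented', COMMENTED_SAMPLE), ('fixed', FIXED_SAMPLE)):
        print('%s: %s' % (label, check_app_server_xml(text, 'admin') or 'OK'))
    print('listener: %s' % (check_http_event_listener(LISTENER_SAMPLE, 'admin') or 'OK'))
```

Run check_profile against the deployment manager profile root after synchronizing the nodes, and again whenever a cluster member is added; any path with a non-empty finding list still needs the edit from step 3.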

  5. Ensure secure transmission of passwords from external clients for topic connection factories and queue connection factories.

    1. Navigate to Resources > JMS > Queue connection factories and Resources > JMS > Topic connection factories to locate the following connection factories:

    2. Bus / Connection factory

      • IBM Process Server bus (PROCSVR.cell-name.Bus):
        ProcSrvQueueConnectionFactory
        ProcSrvTopicConnectionFactory
        ProcSrvcacheMessageConnectionFactory
        ProcSrveventMgrMessageConnectionFactory
        ProcSrvTWClientConnectionFactory
        ProcSrvTWClientConnectionFactoryNoTX

      • Performance Data Warehouse bus (PERFDW.cell-name.Bus):
        PerfDWDataDefLoaderConnectionFactory
        PerfDWViewManagerConnectionFactory
        PerfDWPostLoadCalculationConnectionFactory
        PerfDWRepresentationManagerConnectionFactory
    3. To ensure secure transmission of passwords from external clients, add a secured endpoint to the "Provider endpoints" property of each of these connection factories. For example, if the property currently contains this endpoint:

      qastress50.eng1.svl.ibm.com:7301:BootstrapBasicMessaging

      Then, add a secured endpoint, so that you will have:

      qastress50.eng1.svl.ibm.com:7301:BootstrapBasicMessaging
      ,qastress50.eng1.svl.ibm.com:7302:BootstrapSecureMessaging

      The port numbers come from the SIB_ENDPOINT_SECURE_ADDRESS of the individual messaging engine's server or of the individual cluster members. If you have multiple entries, delimit them with a comma, as in the example above. You might also want to retain a non-SSL-protected endpoint by including "hostname:7276:BootstrapBasicMessaging" in the list; be aware, however, that any client that connects through a BootstrapBasicMessaging endpoint sends its credentials without transport protection, so retain it only for clients that cannot use SSL.


    4. Set "Target inbound transport chain" to "InboundSecureMessaging".
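The "Provider endpoints" value is a comma-delimited list of host:port:chain entries, one per messaging-engine server or cluster member, and the secure entry for each uses that member's SIB_ENDPOINT_SECURE_ADDRESS port with the BootstrapSecureMessaging chain. The following helper is an added example for this page, not an IBM tool: it parses an existing value, rejects malformed entries (a typo would otherwise silently drop an endpoint), appends a secure endpoint for every member you list, optionally removes the non-SSL entries, and reports any BootstrapBasicMessaging entries that remain. The host name and ports are the ones from the technote's example; everything else is constructed.

```python
# Added example, not from the IBM technote.
BASIC = 'BootstrapBasicMessaging'
SECURE = 'BootstrapSecureMessaging'


def parse_endpoints(value):
    """Parse 'host:port:chain,host:port:chain' into (host, port, chain) tuples,
    raising ValueError on anything that is not a well-formed entry."""
    endpoints = []
    for raw in value.split(','):
        entry = raw.strip()
        if not entry:
            continue
        parts = entry.split(':')
        if len(parts) != 3:
            raise ValueError('expected host:port:chain, got %r' % entry)
        host, port, chain = parts
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError('bad port in %r' % entry)
        if chain not in (BASIC, SECURE):
            raise ValueError('unknown bootstrap transport chain in %r' % entry)
        endpoints.append((host, int(port), chain))
    return endpoints


def add_secure_endpoints(current_value, members, keep_basic=True):
    """Return the new property value.  `members` is a list of
    (host, secure_port) pairs, one per messaging-engine server or cluster
    member, with secure_port taken from its SIB_ENDPOINT_SECURE_ADDRESS.
    Existing entries are preserved (no duplicates); keep_basic=False drops
    the non-SSL entries so clients can no longer fall back to them."""
    endpoints = parse_endpoints(current_value)
    for host, secure_port in members:
        endpoint = (host, int(secure_port), SECURE)
        if endpoint not in endpoints:
            endpoints.append(endpoint)
    if not keep_basic:
        endpoints = [e for e in endpoints if e[2] == SECURE]
    return ','.join('%s:%d:%s' % e for e in endpoints)


def insecure_endpoints(value):
    """Entries that still use the non-SSL bootstrap chain (credentials in the clear)."""
    return ['%s:%d:%s' % e for e in parse_endpoints(value) if e[2] == BASIC]


if __name__ == '__main__':
    # Constructed from the technote's example: basic port 7301, secure port 7302.
    current = 'qastress50.eng1.svl.ibm.com:7301:BootstrapBasicMessaging'
    updated = add_secure_endpoints(current, [('qastress50.eng1.svl.ibm.com', 7302)])
    print(updated)
    print('still non-SSL: %s' % insecure_endpoints(updated))
```

Paste the returned string into the "Provider endpoints" field of each connection factory listed above, and set "Target inbound transport chain" to InboundSecureMessaging as the next sub-step says; insecure_endpoints tells you whether a fallback path to an unprotected bootstrap port still exists.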

  6. Revise the ssl.client.props file for keystore and truststore configuration, as in the following sample:

    Note: You must complete this step as part of configuring IBM Process Designer. The values used in the ssl.client.props file for keystore and truststore configuration must be consistent with the SSL configuration name and the truststore that are used in the IBM Process Center.

      com.ibm.ssl.defaultAlias=DefaultSSLSettings
      com.ibm.ssl.performURLHostNameVerification=false

      com.ibm.ssl.validationEnabled=false
      com.ibm.security.useFIPS=false

      com.ibm.jsse2.checkRevocation=false
      com.ibm.security.enableCRLDP=false

      com.ibm.ssl.alias=DefaultSSLSettings
      com.ibm.ssl.protocol=SSL_TLS
      com.ibm.ssl.securityLevel=HIGH
      com.ibm.ssl.trustManager=IbmPKIX
      com.ibm.ssl.keyManager=IbmX509
      com.ibm.ssl.contextProvider=IBMJSSE2
      com.ibm.ssl.enableSignerExchangePrompt=gui

      # KeyStore information
      com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
      com.ibm.ssl.keyStore=etc/key.p12
      com.ibm.ssl.keyStorePassword={xor}Nj0yKDM6
      com.ibm.ssl.keyStoreType=PKCS12
      com.ibm.ssl.keyStoreProvider=IBMJCE
      com.ibm.ssl.keyStoreFileBased=true

      # TrustStore information
      com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
      com.ibm.ssl.trustStore=etc/trust.p12
      com.ibm.ssl.trustStorePassword={xor}Nj0yKDM6
      com.ibm.ssl.trustStoreType=PKCS12
      com.ibm.ssl.trustStoreProvider=IBMJCE
      com.ibm.ssl.trustStoreFileBased=true
      com.ibm.ssl.trustStoreReadOnly=false

    Note that this sample turns off host name verification (com.ibm.ssl.performURLHostNameVerification=false) and certificate revocation checking (com.ibm.jsse2.checkRevocation=false and com.ibm.security.enableCRLDP=false); review those settings against your own requirements before using them in production. The {xor} values are the WebSphere default keystore password in its obfuscated, not encrypted, form; if you replace the default client stores, use your own stores' passwords here.

For a general overview of the procedure for setting SSL client properties, see the ssl.client.props client configuration file topic.

Applies to: IBM Business Process Manager Standard 7.5 (AIX, Linux, Solaris, Windows), component Security; IBM Business Process Manager Advanced 7.5 (AIX, Linux, Solaris, Windows); IBM Business Process Manager Express 7.5 (Linux, Windows).

Product Synonym

BPM

Document Information

Modified date:
15 June 2018

UID

swg21499518