Configure Process Designer to access Process Center using Secure Socket Layer (SSL)

The following steps are required to make the communication between Process Designer and Process Center work using SSL.

Procedure

  1. Navigate to the Process Designer installation location, for example: C:\IBM\ProcessDesigner\v8.5.0.
  2. Open the eclipse.ini file.
  3. Locate -Dcom.ibm.bpm.processcenter.url and modify it to specify the correct Process Center URL. For example, -Dcom.ibm.bpm.processcenter.url=http://localhost:9080.
  4. Change http://PC_hostname:non_secured_port to https://PC_hostname:secured_port.
  5. Save and close the eclipse.ini file.
  6. Navigate to the sas.client.props file. For example: C:\IBM\ProcessDesigner\resources.
  7. Modify the following section to specify SSL client support.
    # Does this client support/require SSL connections?  
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true
  8. Modify the security configuration properties using the WebSphere command-line administration tool (wsadmin) AdminConfig commands. See Security configuration properties.
  9. In the WebSphere Application Server administrative console, click Security > Global security > RMI/IIOP Security > CSIv2 inbound communications.
  10. Verify that the Propagate security attributes option is selected.
  11. Verify that Supported is selected in the Client certificate authentication drop-down menu.
  12. Verify that SSL-required is selected in the Transport drop-down menu.
  13. Add the IBM HTTP Server (IHS) signer certificate to the truststore specified for the Process Designer in the eclipse.ini file:
    1. Export the IHS signer certificate from the default browser.
    2. Import the IHS signer certificate to ./etc/trust.p12 by invoking PD_HOME\AppClient\java\jre\bin\ikeyman.
    3. Navigate to the Process Designer installation location, for example: C:\IBM\ProcessDesigner\v8.5.0.
    4. Open the eclipse.ini file.
    5. Add the following line: -Djavax.net.ssl.trustStore=./etc/trust.p12.
    6. Save and close the eclipse.ini file.
  14. Launch Process Designer and verify access to the Process Center using SSL.
  15. Optional: If you have created and configured your own truststore, you must modify one of the following configuration files to point to the correct location for your truststore:
    • Standalone configuration: NodeDefaultTrustStore
    • Network deployment configuration: CellDefaultTrustStore
    Note: When Process Designer is downloaded, by default a trust.p12 file will be included with the compressed file. The trust.p12 file that is included reflects what is specified for the NodeDefaultTrustStore (stand-alone server) or CellDefaultTrustStore (network deployment environment) found in the Administrator console under Global Security > SSL certificate and key management > Key stores and certificates. The information in the trust.p12 file with the password WebAS is included in the compressed file. If you have a custom truststore with a different password or have multiple truststores, the information from the custom truststore is included in the Process Designer compressed file, instead of the default truststore.
  16. Verify your configuration.
    1. Log in to the Process Designer.
    2. Right-click the Process Apps tab and select Properties.
    3. Confirm that the Address: (URL) section contains the secure address https://PC_hostname:secured_port.
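
A quick way to check the two client-side files against steps 3, 7 and 13 before launching Process Designer, as an added example that is not part of the original procedure. The function names, the sample file contents and port 9443 are constructed for illustration.

```python
def parse_props(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_designer_ssl(eclipse_ini, sas_client_props):
    """Return a list of findings; an empty list means the checked settings match the procedure."""
    findings = []
    # eclipse.ini carries JVM system properties as -Dname=value, one per line.
    jvm = parse_props("\n".join(
        l.strip()[2:] for l in eclipse_ini.splitlines() if l.strip().startswith("-D")))
    url = jvm.get("com.ibm.bpm.processcenter.url")
    if url is None:
        findings.append("eclipse.ini: -Dcom.ibm.bpm.processcenter.url is not set")
    elif not url.lower().startswith("https://"):
        findings.append("eclipse.ini: Process Center URL is not https: " + url)
    if not jvm.get("javax.net.ssl.trustStore"):
        findings.append("eclipse.ini: -Djavax.net.ssl.trustStore is not set")
    sas = parse_props(sas_client_props)
    for key in ("com.ibm.CSI.performTransportAssocSSLTLSRequired",
                "com.ibm.CSI.performTransportAssocSSLTLSSupported"):
        if sas.get(key, "").lower() != "true":
            findings.append("sas.client.props: %s is %r, expected true" % (key, sas.get(key)))
    return findings

# Constructed sample file contents (not taken from a real installation).
SAMPLE_INI_BEFORE = """-vmargs
-Dcom.ibm.bpm.processcenter.url=http://localhost:9080
"""
SAMPLE_INI_AFTER = """-vmargs
-Dcom.ibm.bpm.processcenter.url=https://localhost:9443
-Djavax.net.ssl.trustStore=./etc/trust.p12
"""
SAMPLE_SAS = """# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
"""

if __name__ == "__main__":
    for name, ini in (("before", SAMPLE_INI_BEFORE), ("after", SAMPLE_INI_AFTER)):
        print(name, check_designer_ssl(ini, SAMPLE_SAS) or "OK")
```

To check a real installation, pass in the text of eclipse.ini and sas.client.props read from the Process Designer directories named in steps 1 and 6.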

Configuring SSL for a reverse proxy

Procedure

If you are using a reverse proxy, perform one of the following steps to import the SSL certificate for the reverse proxy:

  1. Create a trust store named trust.p12 that contains the SSL certificate from the reverse proxy, and put it in the BPM\Lombardi\tools\designer folder under the Process Center installation tree. The trust store must be named trust.p12, must be of type PKCS12, and its password must be set to WebAS.
  2. Alternatively, import the SSL certificate from the reverse proxy server into WebSphere Application Server (where Process Center and Process Server run). The reverse proxy certificate will be automatically included in the Process Designer download package.
    1. In the WebSphere Application Server administrative console, click Global Security > SSL certificate and key management > Key stores and certificates > CellTrustStore.
    2. Enter the hostname and port of the reverse proxy server and click Retrieve from port.
    Note: When Process Designer is downloaded, by default a trust.p12 file will be included with the compressed file. The trust.p12 file that is included reflects what is specified for the NodeDefaultTrustStore (stand-alone server) or CellDefaultTrustStore (network deployment environment) found in the Administrator console under Global Security > SSL certificate and key management > Key stores and certificates. The information in the trust.p12 file with the password WebAS is included in the compressed file. If you have a custom truststore with a different password or have multiple truststores, the information from the custom truststore is included in the Process Designer compressed file, instead of the default truststore.
  3. If Process Designer was installed before step 1 or 2, download Process Designer and reinstall.