Configuring cross-cell security for IBM Process Center

Before registering a Process Center with another Process Center in a different cell, you must complete the security configuration. Once the security configuration between the cells is complete, a Process Center in one cell can register a Process Center in another cell using HTTPS over Secure Sockets Layer (SSL).

Before you begin

Before you configure a cross-cell setup, install and configure IBM® Business Process Manager Advanced or IBM Business Process Manager Standard in another cell.

About this task

This topic applies to the following products:
  • IBM Business Process Manager Standard
  • IBM Business Process Manager Advanced

In simple proof-of-concept scenarios where you want to demonstrate Process Center registration and sharing capabilities without setting up security trust, the HTTP protocol can be specified during the Process Center registration step. This type of setup assumes that the same set of users exists in the user registry of both Process Centers. For proof-of-concept scenarios, the primary user name and password should be the same on both Process Centers.

This document describes the minimum security setup required to establish trust among the cells participating in Process Center sharing. The setup in a production environment can be as simple as described here or more complex, depending on the specific security guidelines for your environment.

Important: The security realms of the participating cells must be the same; for example, they must contain the same set of users and groups.

Procedure

  1. Configure SSL by exchanging the server SSL certificates.

    Extract the root SSL certificate from Process Center server B. Perform the following actions in the administrative console on Process Center server A.

    a. Click Security > SSL certificate and key management > Key stores and certificates > DefaultTrustStore > Signer certificates.
    b. Click Retrieve from port.
    c. Specify the host name and Secure Sockets Layer port (for example, the admin host secure port) of the remote Process Center server.
    d. Specify the alias name you want to use for the root signer.
    e. Click Retrieve signer information and verify that the retrieved signer information is correct.
    f. Click OK to save the root signer in the local truststore.
    g. Repeat steps 1.a through 1.f on Process Center server B to retrieve the root signer of Process Center server A.
    Alternatively, Process Center administrators can extract the root signer to a file, copy the file to the file system of the other Process Center, and import the signer certificate from the file.
    Note: If you are using a remote host to access the administrative console, the extracted certificate is saved on the standalone server or deployment manager server, not on the remote host.
  2. Share the LTPA keys.
    The following steps describe how to export the LTPA keys from Process Center server B and import them into the keystore of Process Center server A.
    Note: When multiple cells are involved, one set of LTPA keys is shared among all of them. Because of this, administrators must:
    • Plan which set of LTPA keys to use in the organization.
    • Ensure that automatic LTPA key generation is turned off. Otherwise, the keys of the cells can fall out of synchronization when a new set is generated.
    • Ensure that the "Maximum number of keys referenced" value is large enough to keep the historic keys for as long as the longest-lasting process instance is active. By default, only one historic LTPA key is kept. You can find this setting in the administrative console by navigating to Security > SSL certificate and key management > Key sets > CellLTPAKeyPair.
    For more information, see Configuring LTPA and working with keys.
    a. In the administrative console of the remote Process Center server, click Security > Global Security.
    b. In the Authentication section, click LTPA.
    c. In the Cross-cell single sign-on section, enter a new Password and a Fully qualified key file name.
    d. Click Export keys, then OK.
    e. Transfer the exported key file in binary mode to the file system of the local Process Center cell.
      i. In the administrative console of the remote Process Center server, click Security > Global Security.
      ii. In the Authentication section, click LTPA.
      iii. In the Cross-cell single sign-on section, enter a new Password and a Fully qualified key file name.
      iv. Click Import keys, then OK.
    f. If your setup includes additional cells, repeat the previous steps for each additional cell.
    Process Centers A and B now share the same LTPA keys.
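As an added example that is not part of the IBM topic, the following wsadmin (Jython) script performs the same two steps from the command line on one cell: it retrieves the remote root signer into the local truststore and prints the stored signer so its issuer and fingerprint can be compared with what server B shows, then exports or imports the LTPA keys. The truststore name, host name, port, alias and key file path are assumptions to replace for your cells.

```jython
# Added example, not part of the IBM topic: a wsadmin (Jython) script that runs
# the console steps of this procedure on one cell. All host names, ports, file
# paths, the alias and the password are placeholders to replace for your cells.
# Usage (the password is passed on the command line, never stored in the script):
#   wsadmin.sh -lang jython -f crosscell_trust.py retrieve
#   wsadmin.sh -lang jython -f crosscell_trust.py export <password>   (run on B)
#   wsadmin.sh -lang jython -f crosscell_trust.py import <password>   (run on A)
import sys

SCOPE       = '(cell):' + AdminControl.getCell()
TRUST_STORE = 'CellDefaultTrustStore'   # assumption: NodeDefaultTrustStore on a stand-alone server
REMOTE_HOST = 'pc-b.example.com'        # assumption: host of the other Process Center
REMOTE_PORT = '9043'                    # assumption: its admin host secure port (WC_adminhost_secure)
ALIAS       = 'pc-b-root-signer'        # assumption: alias chosen for the retrieved root signer
LTPA_FILE   = 'file:/tmp/crosscell-ltpa.key'  # assumption: key file, in the file: URL form wsadmin expects

def retrieve_signer():
    """Step 1: 'Retrieve from port' into the local truststore, then print the
    stored signer so its issuer and fingerprint can be checked against server B."""
    AdminTask.retrieveSignerFromPort(
        '[-keyStoreName %s -keyStoreScope %s -host %s -port %s -certificateAlias %s]'
        % (TRUST_STORE, SCOPE, REMOTE_HOST, REMOTE_PORT, ALIAS))
    print AdminTask.getSignerCertificate(
        '[-keyStoreName %s -keyStoreScope %s -certificateAlias %s]'
        % (TRUST_STORE, SCOPE, ALIAS))
    AdminConfig.save()

def export_ltpa(password):
    """Step 2 on the source cell (B): write the current LTPA keys to a
    password-protected file; copy it to A in binary mode afterwards."""
    AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (LTPA_FILE, password))

def import_ltpa(password):
    """Step 2 on the target cell (A): load B's keys so both cells validate the
    same LTPA tokens. Synchronize the nodes afterwards in a deployment manager cell."""
    AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (LTPA_FILE, password))
    AdminConfig.save()

# In wsadmin, sys.argv holds only the arguments given after the script name.
mode = sys.argv[0]
if mode == 'retrieve':
    retrieve_signer()
elif mode == 'export':
    export_ltpa(sys.argv[1])
elif mode == 'import':
    import_ltpa(sys.argv[1])
else:
    print 'usage: retrieve | export <password> | import <password>'
```

Run the retrieve mode once on each cell, pointing at the other; the export and import modes replace the console's Export keys and Import keys buttons and leave the key-set settings described in the note above unchanged.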