Configuring single sign-on for an external FileNet Content Manager

To allow an IBM® Business Process Manager user to access case information on an external ECM system, you must configure cross-cell single sign-on (SSO) between the IBM BPM cell and the external IBM FileNet® Content Manager cell. This configuration covers the shared user registry, the trusted realms, the LTPA keys, and the SSL trust between the two cells.

Procedure

To configure single sign-on for an external FileNet Content Manager, complete the following steps:

  1. Ensure that FileNet Content Manager is installed on WebSphere Application Server V8.5 or later.
  2. Configure access to a shared user repository. Both IBM BPM and FileNet Content Manager must have access to the same set of users. Therefore, configure both cells to access the same user repository (such as a Lightweight Directory Access Protocol (LDAP) directory). To configure access to a shared user repository, follow these steps:
    1. In the WebSphere administrative console on both systems, select Security > Global Security. The Global Security page opens.
    2. In the Available realm definitions drop-down list, select one of these options:
      • If FileNet Content Manager is configured with a federated repository, select Federated Repositories and then click Configure. The Federated Repositories page opens.
      • If FileNet Content Manager is configured with a stand-alone LDAP, select Standalone LDAP and then click Configure. The Standalone LDAP page opens.
    3. Configure the shared user repository identically in both cells, with the same user and group attribute mappings (for example, the same login attribute), so that a given user resolves to the same principal name in each cell.
    4. In any environment, select Require SSL communications for the user repositories (recommended).
    5. Test your LDAP connection. See Configuring Lightweight Directory Access Protocol (LDAP) for federated repositories or Configuring stand-alone Lightweight Directory Access Protocol (LDAP).
    6. If the realm names of IBM BPM and FileNet Content Manager are different (for example, because you set different active realm definitions), make sure that each cell trusts the realm of the other cell. In each cell, from the navigation panel, click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications, and then click Trusted authentication realms - inbound. Select Trust realms as indicated below (rather than trusting all realms), click Add external realm, add the realm name of the remote cell, and click Apply.
    There is no need to remove or disable any file-based registries on the two systems. The registries can still be useful for administrative functions. Note, however, that users and groups from file-based registries cannot be used in IBM BPM case applications.

    In the WebSphere administrative console of both systems, select Users and Groups > Manage Users and search for the IBM BPM user ID that you are going to define as the ECM administrative user. Verify that the user ID is unique and that it exists in the shared user repository.

  3. Configure single sign-on with Lightweight Third-Party Authentication (LTPA) keys. Because all user IDs are shared, users that are authenticated in either one of the systems do not need to authenticate again when they connect to the other system. If you are adding a FileNet Content Manager system to an existing IBM BPM installation, you can export the LTPA keys from the IBM BPM system and then import them into the FileNet Content Manager system. You can also export and import the LTPA keys in the other direction. These substeps follow the first approach.

    Consider increasing the maximum number of keys that WebSphere Application Server retains for the LTPA key set. When you import keys into a cell, the active keys are replaced, and the replaced keys are kept as historic keys. By default, a key set retains at most 2 keys, so a second import discards the cell's original key. Historic keys are still used to validate tokens that were issued with them, so keep enough of them that existing sessions survive the changeover.

    1. Select Global security, expand Web and SIP security, and select Single sign-on (SSO). Make sure that Enabled is selected and specify the same domain name on both servers.
    2. In the WebSphere administrative console of the ECM system, verify that your LoginModule authentication settings do not prevent single sign-on.
    3. In the WebSphere administrative console of the IBM BPM server, select Security > Global Security. The Global Security page opens.
    4. Click the LTPA link. The LTPA page opens.
    5. Export the LTPA keys to a file, protected with a password of your choosing. The exported file contains the keys that sign and encrypt every LTPA token in the cell, so treat it as a secret: use a strong password, and delete the file after the import.
    6. Copy the exported file over a secure channel to a location that can be shared with the FileNet Content Manager system.
    7. In the WebSphere administrative console on the FileNet Content Manager system, select Security > Global Security. The Global Security page opens.
    8. Click the LTPA link. The LTPA page opens.
    9. Import the exported LTPA keys. Use the same password that was used for the export.
    10. Restart each WebSphere Application Server.

    You have established single sign-on (SSO) between the two systems when the following test succeeds: you can log in to one administrative console and then open the other administrative console without being asked to log in again. Log in to the WebSphere Application Server administrative console of the cell where you exported the LTPA keys. In your browser's address bar, enter the URL of the WebSphere Application Server administrative console of the cell where you imported the LTPA keys. If that administrative console opens without requiring you to log in, you successfully set up SSO.

    The previous test works only if the administrative user is identical in both cells. An alternate test is to log in to two URLs with an ordinary user from the shared repository; that is, a user without additional administrative rights in either cell. For example, in IBM BPM, log in to the /ProcessPortal URL with a user from the shared repository. Then, in a new browser tab, enter the URL of the FileNet Content Manager Administration Console for Content Platform Engine.
    Note: Using localhost, a short host name, or the IP address in place of the fully qualified host name does not work. Single sign-on requires that the browser send the LTPA cookie to the WebSphere Application Server server, and the cookie is issued with the configured SSO domain name as its domain attribute. The browser sends it only to hosts whose fully qualified name falls within that domain, so both servers must be addressed by fully qualified host names that end in the SSO domain name.
  4. Update the ECM system to support SSL. The default installation of IBM BPM uses SSL. The default installation of FileNet Content Manager uses TCP/IP without SSL. Update the FileNet Content Manager system to support SSL by completing the following substeps:
    1. In the WebSphere administrative console on the FileNet Content Manager system, select Security > Global Security. The Global Security page opens.
    2. Expand the RMI/IIOP security section. A list of inbound and outbound links is displayed.
    3. Click each inbound and outbound link, and then in the Transport drop-down list, select either SSL-required or SSL-supported. SSL-required rejects unencrypted IIOP connections; SSL-supported accepts both encrypted and unencrypted connections and is appropriate only while other clients still need cleartext access. Whichever you choose, the outbound setting of the IBM BPM cell must be compatible with the inbound setting of the FileNet Content Manager cell.
  5. On both the IBM BPM and FileNet Content Manager systems, configure SSL to exchange SSL certificates in both directions between the servers by completing the following substeps:
    1. In the WebSphere administrative console, select Security > SSL certificate and key management. The SSL certificate and key management page opens.
    2. Select the Key stores and certificates link. The Key stores and certificates page opens.
    3. Select NodeDefaultTrustStore (for Base Server) or CellDefaultTrustStore (if on a Network Deployment cell).
    4. Either extract the certificate to a file and copy it to the other system to add there, or use the Retrieve from port button to connect to the other system and retrieve its signer certificate. For details on retrieving from the port, see Configuring cross-cell security for IBM Process Center.
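The console steps above, collected into one wsadmin Jython script so that the configuration is repeatable and reviewable. This is an added example and is not part of the IBM documentation or of either product. The host names, realm name, SSO domain, key-file path, port and password are placeholders; the AdminTask command and parameter names are the ones documented for WebSphere Application Server V8.5, but treat their exact spellings as an assumption and confirm them with AdminTask.help('<command>') on your own cell before running the script. Run it once against the IBM BPM deployment manager with MODE = 'export' and once against the FileNet Content Manager deployment manager with MODE = 'import', adjusting LOCAL_HOST, REMOTE_HOST and REMOTE_REALM for each cell.

```jython
# Added example (not IBM's code): wsadmin Jython script for one cell of the
# cross-cell SSO setup. Invoke as:
#   <profile_root>/bin/wsadmin.sh -lang jython -f sso_crosscell.py
# All names and values below are placeholders (assumptions), not real systems.
import re

MODE            = 'export'                  # 'export' on the BPM cell, 'import' on the ECM cell
SSO_DOMAIN      = '.example.com'            # common suffix of BOTH servers' FQDNs (step 3.1)
LOCAL_HOST      = 'bpm01.example.com'       # this cell's web host, fully qualified
REMOTE_HOST     = 'ecm01.example.com'       # the other cell's web host, fully qualified
REMOTE_SSL_PORT = 9443                      # other cell's secure admin port (assumption)
REMOTE_REALM    = 'ecmRealm'                # other cell's realm name, if realms differ (step 2.6)
LTPA_FILE       = 'file:/tmp/ltpa.key'      # shared location; delete the file after the import
LTPA_PASSWORD   = 'replace-with-long-random-secret'   # same value for export and import

def host_in_sso_domain(host, domain):
    """Return 1 if a browser would send a cookie with Domain=<domain> to <host>.
    localhost, IP addresses and short names are rejected, which is exactly why
    the SSO test in the text fails when they are used instead of the FQDN."""
    host = host.lower()
    domain = domain.lower()
    if domain[:1] == '.':
        domain = domain[1:]
    if host == 'localhost' or re.match(r'^\d{1,3}(\.\d{1,3}){3}$', host):
        return 0
    if '.' not in host:
        return 0
    if host == domain or host.endswith('.' + domain):
        return 1
    return 0

def check_hosts():
    # Preflight for the note in step 3: both hosts must sit inside the SSO domain.
    for h in (LOCAL_HOST, REMOTE_HOST):
        if not host_in_sso_domain(h, SSO_DOMAIN):
            raise Exception('%s is outside SSO domain %s; LTPA cookies would not be sent' % (h, SSO_DOMAIN))

def trust_remote_realm():
    # Step 2.6: trust the other cell's realm for inbound CSIv2 requests
    # without switching to "trust all realms".
    AdminTask.addTrustedRealms('[-communicationType inbound -realmList %s]' % REMOTE_REALM)

def configure_sso():
    # Step 3.1: enable web SSO with the common domain name. -requiresSSL true is a
    # hardening beyond the text: the LTPA cookie is then only sent over HTTPS.
    AdminTask.configureSingleSignon('[-enable true -requiresSSL true -domainName %s]' % SSO_DOMAIN)

def exchange_ltpa_keys():
    # Steps 3.3 to 3.9: export on the BPM cell, import on the ECM cell, same password.
    if MODE == 'export':
        AdminTask.exportLTPAKeys('[-ltpaKeyFile %s -password %s]' % (LTPA_FILE, LTPA_PASSWORD))
    else:
        AdminTask.importLTPAKeys('[-ltpaKeyFile %s -password %s]' % (LTPA_FILE, LTPA_PASSWORD))

def require_ssl_transport():
    # Step 4: CSIv2 inbound and outbound transport. Required (the console's
    # SSL-required) rather than Supported, so IIOP never falls back to cleartext.
    AdminTask.configureCSIInbound('[-transportLayer Required]')
    AdminTask.configureCSIOutbound('[-transportLayer Required]')

def import_remote_signer():
    # Step 5.4: the "Retrieve from port" button, for a Network Deployment cell.
    cell = AdminControl.getCell()
    AdminTask.retrieveSignerFromPort('[-host %s -port %d -keyStoreName CellDefaultTrustStore '
                                     '-keyStoreScope (cell):%s -certificateAlias %s]'
                                     % (REMOTE_HOST, REMOTE_SSL_PORT, cell, REMOTE_HOST))

check_hosts()
trust_remote_realm()
configure_sso()
exchange_ltpa_keys()
if MODE == 'import':
    require_ssl_transport()    # the text applies step 4 to the FileNet cell only
import_remote_signer()
AdminConfig.save()             # then restart the servers in the cell (step 3.10)
```

The script stops before touching any configuration if either host name would fall outside the SSO domain, because that is the failure the note in step 3 describes and it is cheaper to catch it here than after a restart. It does not configure the shared LDAP repository (step 2), since the parameters for that depend on your directory; run the AdminTask commands for federated or stand-alone LDAP separately and keep the attribute mappings identical in both cells.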