Planes, trains, and automobiles need to be tuned up regularly to maintain optimum performance. Scales and clocks and other devices of measurement need to be regularly calibrated for precision. Musical instruments need to be kept in tune to, well - sound good. Your business processes are not very different. Performance, precision, and a comfortable aesthetic are all important measurements of a well-defined business topology.
In the same way you know when a car needs a tune up (slow or unresponsive acceleration, decreased performance, higher fuel consumption, and so on), or a guitar is out of tune (that Spinal Tap cover you’re playing sounds even worse than the original version), you’ll notice similar symptoms arise in your business processes. IBM Business Process Manager (BPM) Standard, IBM Business Process Manager Express, and IBM Business Process Manager Advanced V8.0 and IBM Business Monitor V8.0 provide an integrated development and runtime environment based on a key set of service-oriented architecture (SOA) and business process management technologies. Here, I’ll talk about some of the basic steps you can take to ensure your Business Process Manager processes are fully optimized.
The obvious solution for remedying an out of tune guitar is to tune it, using a digital tuner or tuning it against an in-tune guitar. But, if the strings are old, or if there are problems with the neck, or the frets are worn, the guitar won’t stay in tune for long. Similarly, you can tune your business processes using the methods that have been around for so long, but if the basic structure of your business environment is compromised by underlying issues, or is simply out of date, these methods are a temporary fix at best. As an example, consider the fact that 64-bit Java virtual machines (JVM) can accommodate essentially unlimited heap sizes (assuming there is sufficient physical memory to back the heap). Now consider how new frets in addition to new strings will make your lead solos dazzlingly stellar.
An old saying in music is that the song is only as good as the instrument. You may knock off riffs as good as Jimmy Page on a dime store imitation of a Telecaster, but your audience will still groan as loudly as the users of your business processes will when they experience delays and timeouts because of outdated equipment and technology. Choosing the appropriate hardware topology for your Business Process Management environment is the key for ensuring optimal performance. Keep the following tips in mind when designing your topology:
- Deploy the appropriate hardware for your hardware configuration.
- Deploy local modules in the same server.
- Consider using a best practices approach for clustering, instead of a single server configuration.
- Evaluate service providers and external interfaces to maximize throughput capacity.
Tuning just one or two strings on a guitar will not work - all of the strings must be tuned in order for it to be playable. The same is true for your business processes. As such, here’s a quick checklist of tuning tips that cover all areas of your IBM Business Process Manager (BPM) environment:
- Use a 64-bit JVM for all servers.
- Disable tracing, logging, and monitoring when possible.
- Ensure all of your databases are well-tuned.
- If security is required, use Application security, not Java2 security.
- Use an appropriate hardware configuration for performance measurement (not notebooks or desktops).
- If hardware virtualization is used, ensure that adequate processor, memory, and I/O resources are allocated to each virtual machine.
- Minimize network latency and ensure sufficient network bandwidth between all systems in the configuration.
- Do not run production servers in development mode or with a development profile.
- Tune external service providers and external interfaces to ensure that they do not cause a system bottleneck.
- Message-driven bean (MDB) activation specifications.
- Thread pool sizes.
- Settings of data sources for connection pool size and prepared statement cache size.
- Increase the maximum number of connections in the data pool to greater than or equal to the sum of all maximum thread pool sizes.
This list represents just the fundamental requirements for optimal performance. See IBM Business Process Manager V8.0 Performance Tuning and Best Practices, REDP-4935-00 for a complete list of tuning recommendations for all areas of your IBM Business Process Manager topology.
In conclusion, while a well-crafted and perfectly tuned guitar may not be all it takes for you to quit your day job, having perfectly tuned and optimized business processes will make your day job that much more enjoyable.
All users are not created equally. Authorization is the process of ensuring that a user (or other computer system) has permission to perform a given act. IBM Business Process Manager defines a very fine-grained authorization model. Getting this model right – ensuring that only the right people have access to certain resources – is key to securing your Business Process Management environment. Using excerpts from J Keith Wood and Jens Engelke's new IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance, here are the top 5 authorization security concerns we are seeing in Business Process Management today.
1. Overuse of administrator privileges
In the Process Center for IBM Business Process Manager, you can grant Admin access simply by selecting users with a check box. There are a lot of implicit permissions granted when you enable this check box. Enable this option only for a few trusted users. Enabling this option grants the user or group the permission to read, edit, create snapshots, and deploy snapshots of any process application. These users can also grant /ProcessCenter Admin rights to any IBM Business Process Manager user and to any process application. Let's be clear - the enabled check box next to a user's name grants them super-user status. Enable this option sparingly.
2. Failure to map participant groups
When a new swimlane is introduced to an IBM Business Process Manager process definition, the default participant group defaults to All Users. It is too easy to just leave the default of All Users in place, or to use already-existing LDAP groups and call it a job well-done. This is an important point: if All Users is allowed to stay, then you are effectively, completely turning off authorization for all tasks in this swimlane. Use a rigorous review process to ensure that each and every swimlane or participant group is mapped to an IBM Business Process Manager private group that includes only those users who should have authority to execute the steps within the swimlane.
3. Overpopulation of groups
Be careful of defining private groups that will be close-but-not-quite exactly what the process definition requires. Use fine-grained groups for each functional role that your process application can conceive.
4. Overuse of tw_authors, tw_admins
The process of ensuring that an author or developer has adequate authorization to create and deploy applications is rather a daunting task. As a result, we see many organizations simply adding their authors and developers into the default groups of tw_authors or tw_admins. Membership in these all-encompassing groups grants these accounts super user status -- and visibility to all process applications that are installed in your environment. This approach is almost universally undesirable. Access to /ProcessCenter and Process Designer should be granted in small, highly related chunks. Create project team groups that closely reflect the roles that these authors or developers play in the processes being modeled.
5. Faith in firewalls
Do not underestimate the amount of information that can be gathered by a curious, motivated, or perhaps mischievous user. If a user can sniff the network traffic, then they can analyze it. If they can analyze it, they can spoof it. It is a short path from unencrypted network traffic to unauthorized access. Specifically, given IBM Business Process Manager’s ability to perform instance-based authorization based upon run-time criteria, it is certainly conceivable that someone might be able to sniff an in-flight process and alter its authorization criteria. Encrypt all communication links between IBM Business Process Manager and LDAP servers, databases, web or proxy servers, and any web services hosts. Also encrypt communication between Process Center and Process Server, Process Designer, and Integration Designer. Finally, encrypt communication between Process Servers and users. It's simply not enough to rely on these communications occurring behind your firewall.
For much more, consult the IBM Redbooks publication called IBM Business Process Manager Security: Concepts and Guidance.
Martin Keen is an IBM Redbooks Project Leader. He leads publications on many areas of IBM software, including WebSphere, Messaging, and Business Process Management. Follow Martin on Twitter at @MartinRTP.
Modified on by Bill Wentworth
Author: Victor Paulo Alves de Almeida
The starting point for any architectural decision is the requirements whether functional or non-functional. We focus primarily on solving the client's problem. However, we have a duty to show the client what the implications are of each decision regarding the environment, administration, maintenance, migration, and resources management that are required for each solution so that the client is provided with tools to assist in decision-making. Sometimes, the client has restrictions or preconceived ideas about the product that should be addressed during the requirement mapping, analysis, and architecture definition.
The goal of this article is to discuss the role of IBM Business Monitor to monitor the IBM Business Process Manager and other sources. Thinking about some aspects of the IT infrastructure, we have some important points that we must consider when you install and configure these products. These points should be considered as you move forward so they have minimal impact to your business.
We can include the IBM Business Monitor as a part of IBM Business Process Manager or leave them separated, which means they can be in the same cell or in different cells. The term cell is a concept of distributed computing that means having many servers logically grouped and managed by a central process. This conceptual discussion of what is possible and what is right to do with the product also influences the architecture definition.
Deciding to put IBM Business Process Manager and IBM Business Monitor together implicitly implies that we are somehow more concerned with monitoring business processes from IBM Business Process Manager and no other business activities from other sources. Even though we have to monitor other sources, when the products are placed in the same cell, monitoring other sources can impact the performance of application processes. When they are placed in separate cells, the application processes are not affected by executing monitoring process or stopping monitoring servers, either by overload, maintenance, or other situations. Also, there is no impact to the application processes.
When we talk about IBM Business Monitor, we are concerned with Business Activity Monitoring, which are those activities that are available through various systems and technologies; not only activities that are related to IBM Business Process Manager. The main role of the IBM Business Monitor is to enable continuous improvement of the business processes by giving end-to-end visibility through the key performance indicators that can come from metrics available at different sources, including, but not limited to, IBM Business Process Manager.
A recurring architectural discussion we have with customers is which kind of installation approach is a better fit for them. When you correctly use IBM Business Monitor in a business context, you can get all the best of its functionality and visibility of your processes.
From a management and infrastructure complexity point-of-view, when you consider the deployment of process and monitoring applications together and stopping and starting clusters, it might be easier to have a single, centralized management console for these activities. Managing both products through a single console does not necessarily imply that IBM Business Monitor is dedicated only to IBM Business Process Manager. Both products are managed together. However, when we talk about having a single deployment environment that is shared for both products, we are implicitly saying that the primary function of the IBM Business Monitor might be to monitor process applications from IBM Business Process Manager. This statement might be different if we had separate environments for each deployment environment or different cells.
From a maintenance of the products point-of-view, such as applying patches, the fact that both products are still together implies the maintenance of both. If they were separated, applying corrections can be made without the same impact as if they were together. The same process can be used when you consider stopping a cluster. For example, if we need to stop the application cluster, it would stop the process and monitoring applications as well.
Another point is that the separation of the environments might create more complexity because the number of allocated resources needed to the solution tends to grow.
From a migration point-of-view, the environment can be difficult depending on your previous choices. For example, if you have one cell with both products together and you decide to migrate from one cell (IBM Business Process Manager plus IBM Business Monitor together) to separate cells (an IBM Business Process Manager cell and an IBM Business Monitor cell), how can you migrate process and monitoring instances from the old, combined environment to a new, separated environment?
The planning and mapping of the pros and cons based on your requirements and assumptions are essential to make the correct decision before starting the installation process.
Let's examine several points to pay attention to when determining whether to have one or two cells.
Being together (one cell):
For single point of management, only one web administrative console is used for both products and servers.
There is no need to cross cell configurations.
If you decide to create only one deployment environment in the same cell:
If you decide to create two deployment environments in the same cell:
You might need to do many extra configuration steps to get the environment working.
Only the WebSphere Deployment Manager profile (dmgr) needs to be augmented by both products.
For maintenance, at least the Deployment Manager will be affected because it has both product binaries together.
Extra steps for the virtual host configuration, context root, and REST providers must be done for each environment.
There will be only one plug-in configuration file (plugin-cfg.xml) that shares the configurations for the applications of both products.
There will be only one unique business space.
Cognos, Performance Data Warehouse, and Common Event Infrastructure (CEI) are hosted on the support cluster that requires many more resources.
There will be an IBM DB2 client on the same host of the members support cluster that is needed for creating a Cognos cube. This component must be considered for resource allocation and performance tuning of the environment.
Extensive use of native processes by Cognos can affect the performance of other applications running on the same Java virtual machine (JVM).
Migration is more complex if you have to migrate from a single to a separated cell.
Being separate (cells for each product):
You will have two points of management with two IBM Integrated Solutions Consoles.
You might need another HTTP instance for the second cell. Otherwise, you have to configure the plugin-cfg.xml file manually.
You will have two business space applications; one for each cell. If you have to use a single presentation layer for process and monitoring applications, such as WebSphere Portal Server, you will have to integrate twice. You will have to integrate once between WebSphere Portal Server and IBM Business Process Manager and once between WebSphere Portal Server and IBM Business Monitor.
Cross-cell configuration will occur between the IBM Business Monitor and the IBM Business Process Manager. Both cells must use the same user registry.
The Cognos server is separate and you can tune or give more resources to it.
Maintenance can be done without interfering with the application process environment.
IBM Business Monitor can be used by different sources; not only process applications.
Migration can be done for each product separately.
What do you think?
Have you ever had this kind of discussion? Share your experience and your point of view with us by adding comments below this post.
For more information, refer to the IBM Redbooks publication entitled, IBM Business Process Manager Version 8.0 Production Topologies.
This blog was posted on May 08, 2013 by Bill Wentworth on behalf of Victor Paulo Alves De Almeida (pictured above). Victor is a WebSphere IT Specialist and is based out of Brasilia, Brazil.
When you install WebSphere Lombardi Edition Version 7.2 or the IBM Business Process Manager Version 7.5 products, you find that the Process Center, Process Admin Console, the authoring environment, and the Process Portal all use English as the default language. What do you do if English is not your primary language and you are more proficient in, for example, Spanish? Starting with WebSphere Lombardi Edition Version 7.2 and continuing with the IBM Business Process Manager V7.5 products, support exists for a variety of additional languages through custom localized language packs. These product versions support the following localized language packs:
- Portuguese (Brazil)
- Simplified Chinese
Although these products support the additional languages, you might need to implement a custom language localization. Information on the process is available in the following articles, which are available in the IBM BPM Community:
Note: Free registration is required to access the IBM BPM Community, which provides access to many additional resources including the sample exchange and helpful information provided by IBM and fellow users.
Thanks to Daniel Schoonmaker in IBM Business Process Manager Level 2 Support for recommending this blog article.
We welcome your feedback on this blog article. Did the information help you? Do you have any suggestions? Leave us a comment below and tell us how we did!
Modified on by Joseph Lam - IBM
My notifications has been upgraded!
My notifications received a major upgrade in 2014 to give you a streamlined and a simpler way to receive notifications for critical issues before they become problems.
Refer to the My notifications landing page to learn more about the service, and how you can get started in under a minute!
The information below might be outdated but is available for your reference.
What is My Notifications?
A vital part in ensuring a secure and highly available computing environment is to take a proactive stance at staying informed of critical product support updates through My Notifications.
By signing up with My Notifications you will receive daily or weekly announcements of critical product updates, security bulletins, and other important support information for your IBM products through e-mail, RSS feeds, and/or custom web pages.
Your subscription on My Notifications is completely customizable. You can choose the method of notifications, the type of content to be included, the frequency of updates, and the list of IBM products you would like to be included.
How do I get started with My Notifications?
Follow the instructions below to stay informed of critical updates from IBM Support for your IBM products:
2. Click on “My Notifications” (outlined in the red box below)
3. Sign in with your IBM ID (i.e. firstname.lastname@example.org), or create one if you do not already have an IBM ID.
4. To create a new subscription, click on “Subscribe” (outlined in the red box below).
5. On this screen, choose the product(s) for which you are interested in receiving notifications. You can find your products either by navigating the product groupings, or by searching for the product name (outlined in the red box below).
Option 1: Select your product - choose the product group you are interested in creating a subscription for by selecting a product family. For example: WebSphere. Then choose the products you are interested in creating a subscription for. You can choose multiple products.
Option 2: Search for your product - enter the name of your IBM product into the search box, and click on the “Search” button. For example: WebSphere Application Server. Then select the product you are interested in creating a subscription for. Click on the header link if you are interested in creating a subscription for multiple products (outlined in the red box below):
Tips: If you are unable to locate your product using the two options listed above, try looking into the “Other Software” product group.
7. On this screen you have a number of customization options:
Notify me by:
Ensure that at least “Email” is selected as a notification method. This indicates that your notifications will be sent by e-mail. We also suggest receiving daily emails in plain text (see screen capture below).
Document types: We recommend that you select all of the listed document types. If you prefer not to be alerted of all document types, ensure that at least "Security bulletin" and “Flashes” are selected. These document types include critical product updates, security bulletins, and other important communications from IBM Support (see screen capture below).
Tips: For a description of what each document type includes, click on the “What are these?” link.
8. Once you have finished customizing your subscriptions, click on the “Submit” button.
9. Your subscription has now been created. You will begin receiving critical product updates from IBM Support.
Tips: You can also create multiple subscriptions for different product families, with different subscription options, by repeating the instructions above.
Modified on by Joseph Lam - IBM
This blog entry walks you through the step-by-step procedure to create a 3-cluster network deployment environment with multiple databases on DB2 for IBM Business Process Manager Advanced V8.5. Setting up this environment can be accomplished in many different ways and this blog post approaches the task in a simple, yet commonly used, methodology that is applicable for most platforms. We would love to hear your feedback and would appreciate it if you shared your own experience with us.
This blog is split into the following 2 parts:
Part 1: Modifying the property file for deployment environment creation
Part 2: Creating the deployment environment
Ensure that the following prerequisite configuration exists for the base system to follow this exercise:
IBM Business Process Manager Advanced Version 8.5 with the required interim fixes
DB2 Enterprise Server Edition 9.7 or 10.1
Part 1: Modifying the property file for deployment environment creation
Complete the following steps:
On the computer where you want to create the deployment environment, locate the appropriate sample properties file in the <install_root>/BPM/samples/config directory. For example, if you want to create a deployment environment with three clusters and multiple databases on DB2, then you need to use the <install_root>/BPM/samples/config/multiplede/Advanced-PS-ThreeClusters-DB2-MultiDB-DE1.properties file.
Take a back up of the previous properties file and make the appropriate changes.
Note: The following example property file includes ONLY some of the important property values. You can use this file as a reference to make the appropriate changes to your property file.
Always use a fully qualified name for bpm.dmgr.hostname. Do not use localhost.
The bpm.de.deferSchemaCreation=true value defers the schema creation and generates the SQL scripts. You can create the tables later.
The bpm.de.psOffline=false value means that the Process Server is online and can be connected to the Process Center.
The bpm.de.authenticationAlias.1.name=DeAdminAlias value is the deployment environment administrator authentication alias.
The bpm.de.authenticationAlias.2.name=ProcessCenterUserAlias value means that it will use the existing user name in Process Center for this authentication.
The bpm.de.authenticationAlias.3.name=BPM_DB_ALIAS value is the database administrator authentication alias. You can create multiple authentication aliases if you choose to use different users for different databases.
The bpm.cell.authenticationAlias.1.name=CellAdminAlias value is the required user and becomes relevant when you have multiple deployment environments in a cell.
The bpm.de.db.2.databaseName=MEDB value is the single database for the messaging engine.
The bpm.de.db.1.schema value enables you to change the schema names for all the databases except for Process Server (BPMDB) and Performance Data Warehouse (PDWDB) components.
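The notes above can be checked mechanically before the edited file is used to create the deployment environment. The following is an added example, not part of the original post or of the product: it uses only property keys named in this post, the sample file content and the host name dmgr01.example.com are constructed, and the parser handles plain key=value lines only.

```python
import re

# Constructed sample: only property keys named in the post, placeholder values.
SAMPLE = """\
# edited copy of the sample properties file (constructed)
bpm.dmgr.hostname=localhost
bpm.de.deferSchemaCreation=true
bpm.de.psOffline=false
bpm.de.authenticationAlias.1.name=DeAdminAlias
bpm.de.authenticationAlias.2.name=ProcessCenterUserAlias
bpm.de.authenticationAlias.3.name=BPM_DB_ALIAS
bpm.cell.authenticationAlias.1.name=CellAdminAlias
bpm.de.db.2.databaseName=MEDB
"""

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
ALIAS_NAME = re.compile(r"^bpm\.(de|cell)\.authenticationAlias\.\d+\.name$")
BOOLEAN_KEYS = ("bpm.de.deferSchemaCreation", "bpm.de.psOffline")


def parse_properties(text):
    """Parse simple key=value lines; return (props, keys defined more than once)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in props and key not in duplicates:
            duplicates.append(key)
        props[key] = value.strip()  # the last definition wins, as in java.util.Properties
    return props, duplicates


def is_fully_qualified(host):
    """True for a multi-label DNS name; rejects localhost, short names and IPv4 literals."""
    labels = host.lower().rstrip(".").split(".")
    return (len(labels) >= 2
            and all(LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())


def check(text):
    """Return (finding_code, subject) tuples for the rules stated in the notes."""
    props, duplicates = parse_properties(text)
    # A key pasted twice silently overrides the earlier value.
    findings = [("duplicate-key", key) for key in duplicates]

    host = props.get("bpm.dmgr.hostname", "")
    if not host:
        findings.append(("hostname-missing", "bpm.dmgr.hostname"))
    elif not is_fully_qualified(host):
        findings.append(("hostname-not-fqdn", host))

    for key in BOOLEAN_KEYS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(("not-boolean", key))

    # The same alias name under two indexes of one scope is almost always a paste error.
    seen = set()
    for key, value in props.items():
        match = ALIAS_NAME.match(key)
        if match:
            scoped = (match.group(1), value)
            if scoped in seen:
                findings.append(("duplicate-alias", value))
            seen.add(scoped)

    # Reminder only: with deferral on, the tables must be created later
    # from the generated SQL scripts.
    if props.get("bpm.de.deferSchemaCreation", "").lower() == "true":
        findings.append(("schema-deferred", "bpm.de.deferSchemaCreation"))
    return findings


if __name__ == "__main__":
    for code, subject in check(SAMPLE):
        print(f"{code:20} {subject}")
```
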
See Part 2: Creating a 3-cluster Network Deployment environment for IBM Business Process Manager Advanced V8.5
The IBM Knowledge Center Open Beta is now live on ibm.com! The Beta will run until the end of February 2014.
You can access the latest IBM Knowledge Center at http://www.ibm.com/support/knowledgecenter/
IBM is improving your technical content experience
IBM Knowledge Center is our new technology designed to bring IBM's technical publications together in a single location, and will replace our individual IBM information centers.
In this version of the Knowledge Center, IBM simplified the user experience, improved search, and refined the overall experience with many other enhancements. You can get help for IBM Knowledge Center by clicking the question mark (Help icon) in the upper right corner of any page of the Knowledge Center. The Help icon will take you to http://www.ibm.com/support/knowledgecenter/doc/kc_help.html
Send us your feedback!
IBM would like you to provide your feedback after you have had some time to use the IBM Knowledge Center, by signing in with your IBM ID and taking a few moments to complete a survey at https://www.ibm.com/software/support/trial/cst/forms/survey.wss?id=5323
Alternatively, you can click on the Feedback button at the bottom of most pages within the IBM Knowledge center to provide IBM with your input.
Known Beta limitations
We are still:
Fine tuning IBM Knowledge Center. So you might experience some minor functional problems.
Configuring and adding content to IBM Knowledge Center. So the content you see might not be exactly what you expect.
Configuring and indexing content for search. So search results might not be exactly what you expect, or might not be in all the languages you expect.
IBM would like as many IBM clients as possible to participate. The IBM Knowledge Center team would like to thank you very much for your time and for helping us make IBM Knowledge Center a better information experience!
Modified on by Bill Wentworth
This blog entry was updated on January 29, 2015 and moved to the Application Integration Middleware blog. Please update your bookmarks to this location.
Modified on by Bill Wentworth
During a residency at the IBM facility in Raleigh, NC USA, where I was helping to write the IBM Redbooks publication IBM Business Process Manager V8.0 Production Topologies, I started to think about whether more is better than less.
Before I start, let me point out something about my intention: I wrote this article from a non-technical point-of-view. For sure – from a technical point-of-view – you have a lot of functions, features, and extensions that are really different in the three IBM Business Process Manager product configurations. But, because we are talking about Business Process Management, you should not look at it that much from a technical point-of-view. The main word in Business Process Management is Business! There is nothing about IT in it.
For sure “less,” which means IBM Business Process Manager Express is not really rocket science. If you want to start with a Business Process Management approach in your company, or you really want to implement only one process where not that many things are included, you can use IBM Business Process Manager Express.
More or everything?
This is the point where I have many discussions. As a lot of technical people say, “It’s just a sales and license question.” But is it really? Certainly not.
When I meet with customers, I typically hear: "We are already using the SOA approach and we have our own service layer in place. We do not want to get an additional service layer with IBM Business Process Manager Advanced. So, we are going with IBM Business Process Manager Standard.” But again, is it really just this part that determines which configuration to use? For me, no.
Other people ask themselves, ”Do we plan to integrate with another system?” When the answer is yes, the thought is that you need to use IBM Business Process Manager Advanced. Sorry, but this answer is too easy for me too. Has anyone implemented a real process without any integration or communication with another system? No. In each process, you want, or have to, integrate or communicate with another system. Otherwise, it does not make that much sense. Why do you want to automate an informal process where people still have to look for the data that they need?
For me, it can be very difficult to point out the right things and make the right decision in the end.
My opinion (and please do not hesitate to correct me if I’m wrong) is this: You can’t answer these questions in a general way. You need to analyze what is the best choice for your situation.
Some points that might help you:
Find the long term goal that you have with the Business Process Management approach
If you just want to test the Business Process Management methodology and you do not have the right people to support it, it does not make any sense to go with the biggest platform you can get. Just start and grow into it!
Analyze the processes that you want to implement and determine how you want them implemented
It does not make sense to start with the largest and most important process that you have and try to implement everything in the first release. Again, just start and grow into it! If you are doing it right, you will see – your Business Process Management implementation will grow.
Analyze the landscape in which you are working
If you are working in a large company, maybe there are also important factors to consider around you.
At first, forget the money!
Analyze which systems that you want to integrate and look to the future. If you have only one system with a simple web service integration point, maybe IBM Business Process Manager Standard can fulfill your requirements.
Afterward, think in money!
Analyze the pros and cons from a budget perspective. It does not make that much sense for you to buy everything. Then, afterward, you discover that you are not able to find the budget for the system or the staffing for your projects.
A very good reference on how to plan and how to start is in the IBM Redbooks publication entitled, Scaling BPM Adoption: From Project to Program with IBM Business Process Manager. You really should have a look at it.
You see – it is not just a purchasing question and, for sure, it is not just a technical question. The best approach I see is to go with a Business Process Management Solution Architect to fulfill the steps and help with the decision. But be careful, I am not talking about an IT Architect. It should be a Business Process Management Solution Architect that has experience in other Business Process Management projects. The Business Process Management Solution Architect looks from a business point-of-view with one eye on the IT point-of-view.
So, how do you determine which IBM Business Process Manager product to use? I really would appreciate hearing your opinion about it. Maybe you have your own experiences, have your own view, or you can add a point that I forgot. Perhaps we will get a full list of all of the considerations. Add a comment below so we can find a better or, maybe a general answer, for this question!
Matthias Warkentin is a Business Process Management Analyst, Consultant, and Developer for the IBM Software Services for WebSphere Team. He is based in Zurich, Switzerland.
Let's play a game of word association. What subject comes to mind with the words “engaging” and “terrifying”? Whatever you are thinking, I suspect it wasn't IT security. Yet those very words describe J Keith Wood and Jens Engelke's new IBM Redbooks publication. In it, they share their experiences of working with IBM customers around the world on securing IBM Business Process Manager solutions. Security pitfalls are everywhere and the stakes could not be higher.
This blog post is part of a series about common Business Process Manager security holes. In this post, we focus specifically on IBM Business Process Manager installation security. Much more information can be found in their Redbooks publication: IBM Business Process Manager Security: Concepts and Guidance.
1. Faith in your firewall
How often have you heard “it is the internal network, so it is secure” ? This is a dangerous posture to take. It is akin to placing all of your eggs in one basket. Can you trust with 100% certainty that your firewall vendors will never release a software update that has a security hole in it? How often is your laptop’s operating system updated with security fixes?
The simple fact is that many studies, from Gartner, Ponemon, the US Federal Bureau of Investigation (FBI), and others, have shown that security breaches are equally likely to be caused by employees as by external agents. Security breaches do not have to be the result of malice. They could be the result of simple, honest mistakes. But in the end, it simply does not matter. The security breach occurred and you have to deal with the consequences. The bottom line on firewall security is this: it is necessary, it is very helpful, but it is not a stand-alone solution to enterprise security.
2. Failure to use SSL between Business Process Manager and the database server
Everyone recognizes that database user accounts should be password protected. What most people fail to recognize is how incredibly easy it is to observe database traffic while it is in transit. The solution to this is simple: SSL. We strongly advise SSL/TLS for the communications link between your Business Process Manager servers and your database servers.
3. Failure to encrypt data at rest
The most powerful argument for encrypting your data is simply this: common sense. If you want to stay out of the security breach headlines, you need to take all elements of security seriously. There are three strategies to consider for the encryption of data at rest: application specific code, database encryption, and operating system and file system encryption. Above all else, do not keep the encryption keys anywhere near the data being encrypted. This is akin to putting bars on your windows, reinforcing door locks, and then leaving the key under the door mat.
4. Failure to use SSL between Process Server and Process Center
During the installation of a Process Server, you specify the host name of the Process Center it will be utilizing as its repository. By default, the protocol used is http://. During Process Server start up, the runtime environment uses this information to communicate back to the Process Center. This communication includes a URL, a user account, and the corresponding password. This information is all an attacker needs to know in order to deploy new snapshots of process applications. An attacker could also deploy his favorite malware application, which monitors the network and carries out denial-of-service attacks. So, take the time to change the protocol to https:// to avoid sending your Business Process Manager admin account name and password in clear text.
5. Overuse of default Business Process Manager accounts
It is common to see one Business Process Manager administrator account used in every place where an account user name and password are created (for example for Administrator, Monitor, and SCA authentication alias roles). We highly advise that you create account names that closely reflect the roles or responsibilities of that account’s intended purpose, and that a human administrator never use an account like bpmAdmin or tw_admin. Every person must have a personal account.
Failure to follow this fine-grained approach promotes a loose attitude towards who gets access to the administrator accounts. For example, if a person is given the bpmadmin account simply to deploy a snapshot to a runtime Process Server environment, then that same person now has access to just about everything else in the Business Process Manager universe.
6. Overuse of trust in certificate authorities
We advise that you reduce the number of certificate authorities in use within your organization to just the bare minimum that is needed. This advice includes the WebSphere DataPower certificate that is supplied with Business Process Manager if you are not making use of DataPower. There is no guarantee that certificate authorities fact-check the identity of the parties who purchase certificates from them.
For more on all these topics, consult the IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance. Do you have any Business Process Manager installation security tips or experiences to share? If so, comment on this blog entry and we will respond!
Martin Keen is an IBM Redbooks Project Leader. He leads publications on many areas of IBM software, including WebSphere, Messaging, and Business Process Management. Follow Martin on Twitter at @MartinRTP.
Over the past few weeks, I've seen multiple questions related to the DateTime field and time zones with WebSphere Process Server. The question is why does the timezone get normalized in WebSphere Process Server?
The DateTime field in the original message is usually a local timezone set as: <DueDate>2012-03-06T09:43:54.167-06:00</DueDate>
However, after the data passes through WebSphere Process Server, the time is normalized to UTC/GMT/Zulu time. For example: <DueDate>2012-03-06T15:43:54.167Z</DueDate>
The answer to the question is that the XML functionality and XML components that WebSphere Process Server provides follow the convention of always normalizing datetime values to the UTC/GMT/Zulu time zone. WebSphere Process Server does not provide options to configure specific time zones for its output. The following document describes this issue: http://www.ibm.com/support/docview.wss?uid=swg21503646
Note: Although the document is written for web services, the same general principles apply to other situations with XML output.
The key point to remember is that the serialization that WebSphere Process Server uses is one of many possible XML messages. However, the value it has chosen is valid and conforms to XML specifications. So, if your destination service conforms to the full XML specifications, it should be able to understand and treat the DateTime field exactly the same no matter if it is provided in UTC or a local time zone format.
From a logical point of view, any of the time zones still represent the same point in time. It is the same situation as why the numbers "1.0", "1.00", and "01.0" are all equal in XML.
There are an infinite number of different possible options that you might want related to the format of the XML message, which is beyond the scope of what can be reasonably provided by the product. As other examples, we have run across requests for WebSphere Process Server to customize:
- The namespace prefixes chosen
- The order of namespace declarations
- The white space tabbing.
Each of these requests for customization actually reveals a deficiency in the consuming service, which is not able to fully understand the XML specification and logically equivalent XML messages. Because there are an infinite number of options, an architectural decision was made to not provide these customization options, but only ensure that we will provide a message that is valid and logically equivalent.
If customization of the message is desired in a specific format, you can use custom code to modify or adjust the message using a custom DataHandler, WebServiceHandler, or other exit point, where you can work with the XML string directly.
Another option is to declare the field as a string, then the value is not normalized to the UTC time zone. Then, you can use the Java Datetime API with the Java String API to produce the desired format.
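The equivalence described above, and the string-based reformatting option, shown from the consuming side as an added example that is not part of the original post. Python is used for illustration only; the function names are hypothetical, and the two sample values are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Lexical form of xs:dateTime: date, 'T', time, optional fraction, optional zone.
_XS_DATETIME = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_xs_datetime(text):
    """Parse an xs:dateTime string; the result is naive if no zone is given."""
    m = _XS_DATETIME.match(text.strip())
    if not m:
        raise ValueError("not an xs:dateTime value: %r" % text)
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    # Keep microsecond precision at most; pad short fractions ('.5' -> 500000).
    micro = int((m.group(7) or "0")[:6].ljust(6, "0"))
    zone = m.group(8)
    if zone is None:
        tz = None
    elif zone == "Z":
        tz = timezone.utc
    else:
        sign = -1 if zone[0] == "-" else 1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    return datetime(year, month, day, hour, minute, second, micro, tzinfo=tz)


def same_instant(a, b):
    """Compare two xs:dateTime strings by point in time, not by text."""
    da, db = parse_xs_datetime(a), parse_xs_datetime(b)
    if da.tzinfo is None or db.tzinfo is None:
        # Without a zone the instant is not defined, so refuse to guess.
        raise ValueError("cannot compare a value that has no time zone")
    return da == db


def render_at_offset(text, offset_minutes):
    """Re-serialize the same instant at a fixed UTC offset (millisecond precision)."""
    value = parse_xs_datetime(text)
    if value.tzinfo is None:
        raise ValueError("cannot convert a value that has no time zone")
    local = value.astimezone(timezone(timedelta(minutes=offset_minutes)))
    stamp = local.strftime("%Y-%m-%dT%H:%M:%S") + ".%03d" % (local.microsecond // 1000)
    if offset_minutes == 0:
        return stamp + "Z"
    sign = "-" if offset_minutes < 0 else "+"
    hours, minutes = divmod(abs(offset_minutes), 60)
    return "%s%s%02d:%02d" % (stamp, sign, hours, minutes)
```

A consumer that compares the raw strings sees two different values; one that compares parsed instants sees the same due date.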
Modified on by Joseph Lam - IBM
When I started working with IBM Business Process Manager (BPM), I went to the IBM BPM V8.5 information center to learn about the various components. I navigated my way to the Getting started with IBM Business Process Manager section and found the Hiring Sample Tutorial. When I expanded on the tutorial, I hit a roadblock because the steps to re-create the Hiring Sample process application were not there.
My experience as a new user led to the enrichment of the tutorial, now called the Hiring Tutorial: http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/topic/com.ibm.wbpm.main.doc/tutorial/topics/cbpm_tutorial.html
The Hiring Tutorial covers everything that you need to know to re-create the Hiring Sample process application that is packaged with IBM BPM. As you go through the tutorial, you create the My Hiring Sample process application that has a few enhancements from the packaged Hiring Sample process application. The "Comparison with the packaged Hiring Sample" topic covers the differences between this process application that you create in the tutorial and the packaged Hiring Sample process application.
The Hiring Tutorial is a learning exercise that describes one way of modeling, implementing, and testing a process. Our goal for the tutorial was to document how customers use IBM BPM to model a process. We acknowledge that there is more than one way to use IBM BPM; however, this tutorial gives you the basic skills that you need to be successful at modeling and implementing processes.
The tutorial starts off describing the process requirements so that you understand the process that you are going to model and then breaks into five modules:
- Model the process
- Implement the process
- Create the user interface
- Integrate the process with services
- Conduct the final playback
Each module contains lessons and builds on the previous module so that you can work with the tutorial from beginning to end. Some lessons contain concepts and related links so that you can learn more about IBM BPM as you make your way through the tutorial.
Why should you do the tutorial?
If you are new to IBM BPM or want to learn some tips and tricks to getting started, then this tutorial is ideal for you. After you complete the tutorial, you will be able to do the following tasks:
- Model a process that is based on process requirements.
- Implement a process, including data variables and services that are required by the process.
- Create the user interface for the process.
- Conduct playbacks at each module to validate the work that you completed.
- Run and review the process.
We hope that you will find this tutorial useful. Feedback is important to us. If you would like to see something in the IBM BPM information center that you think is missing, let us know by clicking Feedback in any topic and leaving a comment.
Modified on by Bill Wentworth
There are times when, under the direction of a database administrator, you might need to manually change a database. This change might be an index to improve performance. You need to consider the following information in regards to indexes. Indexes are useful when:
You want to access a small percentage of the rows in a table, such as less than 5% for a small table and less than 15% for a larger table. Some of the stock IBM Business Process Manager tables can be accessed with a rather large amount of data being retrieved. So, that is why it is important to do it on a per custom index basis.
The index itself can be used to answer the query. For example, it is advantageous to use the primary key index to answer the "select count(*) from T" query using a fast full index scan. It is advantageous because the index is generally many times smaller than the table itself.
Indexes can be a bother when you have over-indexed the table. For example, you have an index on (a,b,c) and (a,b) and (a) or indexes that are never used. Extraneous indexes slow down the database manipulation language (DML) operations of an insert, update, or delete operation unnecessarily.
Indexes are only used to speed up the search for a matching field within the records. It stands to reason that indexing fields that are used only for output is a waste of disk space and processing time when doing an insert or delete operation. Thus, they should be avoided. Also, given the nature of a binary search, the cardinality or uniqueness of the data is important. Indexing on a field with a cardinality of 2 splits the data in half. Whereas, a cardinality of 1,000 returns approximately 1,000 records. With such a low cardinality, the effectiveness is reduced to a linear sort, and the query optimizer avoids using the index if the cardinality is less than 30% of the record number, which effectively makes the index a waste of space.
Consider the following information when you are determining whether to use database indexes with IBM Business Process Manager:
All applications are different. This fact is why we tend to be conservative at installation time. We only create indexes that we think will benefit all applications. It is not abnormal for a bit of index customization to help an application. If the database design tools recommend creating new indexes to improve query response time, I would recommend that you take that advice. However, I suggest verifying that the indexes provide a benefit using measurements in your lower regions before moving them up to production.
There are costs at run time to maintaining the indexes. Usually, the savings in query response time justify the costs at insert or update operation time. However, I occasionally see the Advisor tools recommend new indexes that provide only marginal benefit when I actually measure them against my application. In these cases, I tend to remove the index from regular use. On general principle, I run with the smallest number of indexes I need to get the best results.
Your database administrator would be the best person to advise you on what indexes he or she believes your IBM Business Process Manager environment would benefit most from because, in most of the cases, it's very application or solution dependent.
Make sure to keep a good list of those custom indexes and temporarily remove them before applying any upgrade. This approach is recommended so that any database modification phase in the upgrade process does not fail because it wants to put an index on something that already has an existing custom index.
Keep in mind that if you report a product problem, IBM Support might ask you to remove any custom indexes (temporarily, at least) as part of troubleshooting or fault isolation processes.
Make sure to keep your database in good shape by performing regular cleanups of completed instances and tasks. For more information, see the Data querying takes a long time and process server database tables are using too much disk space with WebSphere Lombardi Edition (WLE) and the IBM Business Process Manager (BPM) products technote. It explains the technique that can be used "as is" or you can use it to create your own custom stored procedure based on your cleanup requirements. It is important to perform this task on a regular basis; otherwise, the stock IBM Business Process Manager query response times will increase and additional custom indexes can only make it worse.
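The over-indexing case and the advice to keep a list of custom indexes for upgrades, combined into one added example that is not part of the original post. The inventory, index names, and tables T and U are constructed, and the `DROP INDEX name` form is an assumption about your database's syntax.

```python
from collections import namedtuple

Index = namedtuple("Index", "name table columns unique custom")

# Constructed inventory: the (a,b,c)/(a,b)/(a) case from the text on a
# hypothetical table T, plus one stock (product-created) primary key index.
INVENTORY = [
    Index("T_PK", "T", ("id",), True, False),
    Index("CUST_T_ABC", "T", ("a", "b", "c"), False, True),
    Index("CUST_T_AB", "T", ("a", "b"), False, True),
    Index("CUST_T_A", "T", ("a",), False, True),
    Index("CUST_U_A", "U", ("a",), True, True),
    Index("CUST_U_AB", "U", ("a", "b"), False, True),
]


def prefix_redundant(indexes):
    """Return (redundant, covered_by) index-name pairs.

    An index is flagged when its key columns are a leading prefix of a longer
    index on the same table. Unique indexes are never flagged, because they
    enforce a constraint in addition to speeding up lookups.
    """
    pairs = []
    for small in indexes:
        if small.unique:
            continue
        covering = [
            big for big in indexes
            if big.table == small.table
            and len(big.columns) > len(small.columns)
            and big.columns[:len(small.columns)] == small.columns
        ]
        if covering:
            widest = max(covering, key=lambda i: len(i.columns))
            pairs.append((small.name, widest.name))
    return pairs


def upgrade_statements(indexes):
    """Return (drop_before_upgrade, recreate_after_upgrade) SQL for custom indexes.

    Stock indexes are left alone so the upgrade finds the schema it expects.
    """
    custom = [i for i in indexes if i.custom]
    drops = ["DROP INDEX %s" % i.name for i in custom]
    creates = [
        "CREATE %sINDEX %s ON %s (%s)"
        % ("UNIQUE " if i.unique else "", i.name, i.table, ", ".join(i.columns))
        for i in custom
    ]
    return drops, creates
```

Treat a flagged index as a candidate for measurement in a lower region, not as an automatic drop.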
Sergii Malynovskyi, who is based in Kyiv, Ukraine, is a Team Lead for the WebSphere Lombardi Edition and IBM Business Process Manager Level 2 Support Team.
We encourage you to leave feedback on this article below.
IBM would like you to participate in a beta program to test our new Knowledge Center site. The beta program will run from 18 March to 12 April 2013.
This is an opportunity to help IBM shape the way that we deliver our technical information to you! You will only need to spend an hour or two with our software, and all IBM asks is that you fill out a single survey whenever you would like during the beta period.
IBM plans to replace all documentation that is currently in our many Information Centers with one Knowledge Center. In its first release, IBM Knowledge Center will bring together over 800 individual Information Centers. When it's completed, IBM Knowledge Center will let you:
- Search and browse across hundreds of IBM products and solutions
- Work with only the products and solutions you want, and easily narrow your search results
- Create and share your own custom document collections
- and much more!
You can help us achieve these goals with your input during our beta program, where we will show you our progress towards delivering a great information experience!
If you are interested in participating in the beta program, please send an email before 12 March to email@example.com with the subject line "IBM Knowledge Center Beta program" and include:
- Your name
- Your email address
- Your company
- IBM product or products of interest
The Knowledge Center Team looks forward to your participation!
Note: The Knowledge Center beta is not supported through the IBM Support Center.
Thanks to Theresa Hamilton for the information!
Modified on by Bill Wentworth
Because the WebSphere Application Server versions are different for the latest versions of IBM Business Process Manager V8.5 and IBM Business Monitor V8.0.1.x, it can be a difficult task to augment IBM Business Monitor on an existing IBM Business Process Manager installation. Therefore, it limits the topology options.
Besides, even in IBM Integration Designer V8.5, a model generated in the Monitor Model Editor works without problems except when an artifact that is bundled with the monitor model application is developed in the same IBM Integration Designer outside the Monitor Model Editor. For example, when you use user-defined functions and you create the Java project in IBM Integration Designer, at compile and deployment time everything seems to work correctly. However, post-deployment, when the expression mappings or gating expressions that employ the user-defined functions are attempted, it fails with a java.lang.NoClassDefFoundError error. This problem happens because, by default, the Java project is created to work with a target Java runtime version of 1.7. For IBM Business Monitor, the version has to be version 1.6.
One of the workarounds for this is to create the UDF Java project with target runtime environment as JRE1.6 instead of 1.7. Then, you can proceed with developing the Java classes with the user-defined functions.
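A pre-deployment check for the mismatch described above, as an added example that is not part of the original post: it reads the class-file header of every class in a jar and reports those compiled for a target newer than 1.6 (major version 50; a 1.7 target writes 51). The jar contents and the `udf/` class names are constructed for the demonstration.

```python
import io
import struct
import zipfile

JAVA_6_MAJOR = 50  # class-file major version for a 1.6 target (51 is 1.7)


def class_major_version(data):
    """Return the major version from a class file's 8-byte header."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    # Header layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    return major


def classes_newer_than(jar_bytes, max_major=JAVA_6_MAJOR):
    """Map entry name -> major version for classes compiled above max_major."""
    too_new = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                major = class_major_version(jar.read(name))
                if major > max_major:
                    too_new[name] = major
    return too_new


def build_sample_jar():
    """Constructed jar: only the headers are real, the class bodies are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("udf/Good.class", struct.pack(">IHH", 0xCAFEBABE, 0, 50))
        jar.writestr("udf/Bad.class", struct.pack(">IHH", 0xCAFEBABE, 0, 51))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, major in sorted(classes_newer_than(build_sample_jar()).items()):
        print("%s: major version %d exceeds %d" % (entry, major, JAVA_6_MAJOR))
```

Against a real project, pass the bytes of the exported UDF jar to `classes_newer_than` before you deploy it.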