When connecting to remote systems from your BPMN processes and service flows, you need credentials, but you cannot hard code user names and passwords in your service flow. A good means for decoupling authentication data from your code is using J2C authentication aliases:
- they can be easily maintained in WebSphere's admin console: Java 2 Connector authentication data entry settings
- they can be easily maintained using wsadmin scripting: Configuring new Java 2 Connector authentication data entries using wsadmin
- by default, their values are obfuscated in WebSphere configuration files, but
- there is a plug-point if you require encryption (Encrypting WebSphere Application Server system passwords)
- in WebSphere V9, they can be encrypted with product features (Encrypting passwords by using AES)
- using J2C auth aliases, credentials are ONLY on the system that uses them (in contrast to BPM's environment variables that can be set in Process Center and are part of snapshot deployment to an online Process Server)
Reading userid and password from a J2C alias using privileged Java code running in a WebSphere server is easy: Listing 9 in Advanced security consideration
While it is tempting to build a service flow (or an integration service on older releases) that reads this data and hands it to "the real" service flow that needs it for an outbound invocation, this approach can have severe downsides from a security perspective: it implies that you create local variables in your service flow holding either the user name and password or the Java PasswordCredential. If you temporarily store sensitive information in service variables, there is a risk of these variables being persisted as part of the service's execution context, which may violate your corporate security policies.
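To make the two points above concrete (reading the alias from privileged Java, and not leaving the password lying around in a variable), here is an added example that is not the listing the article refers to. The class and method names are mine; the WebSphere classes, the DefaultPrincipalMapping JAAS login and the alias name "BPMUserAlias" are the platform's and the page's own.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory;
// Added example; class and method names are mine, the WebSphere APIs are the platform's.
public final class J2cAliasReader {
    /** Receives the credential for one outbound call; the password array is wiped afterwards. */
    public interface CredentialUse<T> {
        T apply(String userName, char[] password) throws Exception;
    }
    /** Resolves the alias inside doPrivileged so callers need no Java 2 security permissions. */
    private static PasswordCredential resolve(final String alias) throws PrivilegedActionException {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
            public PasswordCredential run() throws Exception {
                Map<String, String> props = new HashMap<String, String>();
                props.put(Constants.MAPPING_ALIAS, alias);
                CallbackHandler handler = WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(props, null);
                // DefaultPrincipalMapping is WebSphere's built-in JAAS login for J2C aliases
                LoginContext ctx = new LoginContext("DefaultPrincipalMapping", handler);
                ctx.login();
                Subject subject = ctx.getSubject();
                Set<PasswordCredential> creds = subject.getPrivateCredentials(PasswordCredential.class);
                if (creds.isEmpty()) {
                    throw new IllegalStateException("no PasswordCredential for alias " + alias);
                }
                return creds.iterator().next();
            }
        });
    }
    /** Hands user name and password to the caller and zeroes the password when the call returns,
     *  so nothing is left to land in a persisted service-flow variable. */
    public static <T> T withCredential(String alias, CredentialUse<T> use) throws Exception {
        PasswordCredential cred = resolve(alias);
        char[] password = cred.getPassword();  // keep it a char[]; never build a String or log it
        try {
            return use.apply(cred.getUserName(), password);
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

A service flow would call withCredential("BPMUserAlias", ...) and perform the outbound invocation inside the callback, so the credential never becomes a service variable.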
A better approach is to create a .js file with the following content:
You can then upload the file as a "Server file".
You can then invoke it from your service flow:
var creds = getCreds("BPMUserAlias");
log.info("username: " + creds.username);
// creds.password is a Java char[]; wrap it in a String to render it
log.info("password: " + new java.lang.String(creds.password));