My dear Debuggers,
From time to time I get requests for instructions on how to configure third-party single sign-on tools such as CA SiteMinder
for use in a BPM environment.
In one specific case, a user was asking about the limitations of using BPM and SiteMinder together.
When you install and configure a third-party authentication tool such as SiteMinder, you may be faced with special security
settings, e.g. two Web Agent parameters (BadCssChars, BadUrlChars) that define characters and character sequences known from cross-site
scripting and similar URL-based attacks.
If a request URL contains such a sequence, it is blocked by the SiteMinder Web Agent plug-in running inside IBM HTTP Server and
is never forwarded to the BPM system.
These settings may conflict with characters that BPM itself needs in its URLs for successful communication.
So, which characters are needed for communication with BPM? Those are the ones that must not be blocked by SiteMinder.
BPM (which sits on top of IBM WebSphere Application Server (WAS)) basically inherits WAS support for third-party
authentication, which mostly refers to the Trust Association Interceptor (TAI) plug point. Vendors of third-party authentication
products certify WebSphere Application Server as a supported target for single sign-on. This is also the case for CA's SiteMinder.
Officially, IBM does not support BPM with SiteMinder as a third-party authentication product, and we do not
provide instructions for setting up these products with BPM.
Providing support would mean that such a setup / configuration had been tested in detail for all of the different versions.
Nevertheless, a number of users successfully run BPM in production with these third-party products.
If you browse the web for documentation, you will not find many publications.
In the BPM product documentation, the only passage that raises the subject is:
"Ensure that your third-party authentication product allows URLs to contain all characters that IBM BPM uses.
The default configuration of your third-party authentication product might not allow the characters "<" and ">", which Process Inspector uses.
For information about such restrictions and how you can configure the product to allow these characters, see the documentation for
your third-party authentication product."
From my experience in that problem area, I can provide the following information about BPM:
a) for Cognos and Monitor communication:
remove //, ./, /. (and the CSS characters) from the blocked-character lists
b) for Process Portal:
c) for Process Inspector:
< and >
Very likely, this post does not contain the complete set of characters used by BPM, but, as already mentioned, there isn't such a
You have to go the way of trial and error and check the SiteMinder log files (e.g. webagent.trace) for errors about blocked characters in URLs.
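Because the trial-and-error loop above is slow (change the Web Agent configuration, restart, retry the BPM request, read webagent.trace), it helps to test candidate BPM URLs against the BadUrlChars / BadCssChars lists offline first. The following Python script is an added example for this post; it is neither CA's nor IBM's code and does not reproduce the Web Agent's real matching logic. It models the two parameters as comma-separated lists of literal sequences, reports which entries a URL would trip, and computes the relaxed lists with the sequences this post names (//, ./, /., <, >) removed. The parameter values and the sample URLs are constructed for illustration, not product defaults; checking the percent-decoded form of the URL as well is a choice of this example, not a documented Web Agent behaviour.

```python
"""Offline model of a SiteMinder-style BadUrlChars / BadCssChars check.

Example code added to this post, not CA's or IBM's implementation. Use it to
find out which list entries a BPM URL would trip before touching the real
Web Agent configuration; confirm the result against webagent.trace afterwards.
"""
from urllib.parse import unquote

# Constructed parameter values for illustration (NOT the product defaults;
# take the real ones from your Web Agent configuration).
BAD_URL_CHARS = "//,./,/.,~,\\"
BAD_CSS_CHARS = "<,>,',;"

# Sequences this post says BPM components need in their URLs.
BPM_NEEDS = {"//", "./", "/.", "<", ">"}

# Constructed sample request URLs of the shape discussed above.
SAMPLE_URLS = [
    "/cognos/report?path=..//folder/./report",     # Cognos / Monitor style
    "/inspector/instances?filter=<open>",          # Process Inspector style
    "/inspector/instances?filter=%3Copen%3E",      # same, percent-encoded
    "/portal/dashboards",                          # nothing suspicious
]


def parse_list(value: str) -> list[str]:
    """Split a comma-separated parameter value into sequences, dropping blanks."""
    return [s for s in (p.strip() for p in value.split(",")) if s]


def blocked_sequences(url: str, bad_url_chars: str, bad_css_chars: str) -> list[tuple[str, str]]:
    """Return (parameter, sequence) pairs that would block this URL.

    Both the raw URL and its percent-decoded form are checked (an assumption
    of this example), so an encoded '<' (%3C) is reported too.
    """
    candidates = {url, unquote(url)}
    hits = []
    for param, value in (("BadUrlChars", bad_url_chars), ("BadCssChars", bad_css_chars)):
        for seq in parse_list(value):
            if any(seq in c for c in candidates):
                hits.append((param, seq))
    return hits


def relax_list(value: str, allowed: set[str]) -> str:
    """Return the parameter value with the sequences BPM needs removed."""
    return ",".join(s for s in parse_list(value) if s not in allowed)


def audit(urls: list[str], bad_url_chars: str, bad_css_chars: str) -> dict[str, list[tuple[str, str]]]:
    """Map each URL to the list entries that would block it (empty = passes)."""
    return {u: blocked_sequences(u, bad_url_chars, bad_css_chars) for u in urls}


if __name__ == "__main__":
    print("With the original lists:")
    for url, hits in audit(SAMPLE_URLS, BAD_URL_CHARS, BAD_CSS_CHARS).items():
        print(f"  {url}: {'blocked by ' + str(hits) if hits else 'passes'}")

    relaxed_url = relax_list(BAD_URL_CHARS, BPM_NEEDS)
    relaxed_css = relax_list(BAD_CSS_CHARS, BPM_NEEDS)
    print(f"\nRelaxed BadUrlChars={relaxed_url!r}  BadCssChars={relaxed_css!r}")
    for url, hits in audit(SAMPLE_URLS, relaxed_url, relaxed_css).items():
        print(f"  {url}: {'blocked by ' + str(hits) if hits else 'passes'}")
```

Run it once with your real parameter values pasted into BAD_URL_CHARS and BAD_CSS_CHARS and the URLs copied from a blocked request in webagent.trace; each reported entry is a candidate for removal, and every entry you keep out of BPM_NEEDS stays in force for all other traffic through the same Web Agent.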
I hope this will help you improve your debugging knowledge. And if it does not, take two of these and call me in the morning.