A few weeks ago on this blog, we announced the first Beta release of IBM Support Assistant 5.0 - the start of a new generation of troubleshooting tools using a cloud-based architecture to deliver maximum flexibility and power. This initial release was provided in the form of a set of files for a J2EE enterprise application that you could deploy in your own pre-existing WebSphere Application Server.
Today, following the announcement of the WebSphere Liberty Profile, we are proud to offer a second option for installing IBM Support Assistant 5.0: you can now download a single zip file that contains a lightweight application server, with the entire IBM Support Assistant 5.0 application pre-installed. All you have to do is unzip the file (on a shared server or on your private workstation), start the process, and you are ready to get to work! We've provided packages for Linux, Windows 32-bit and Windows 64-bit.
Both types of installation packages can be found at the "Download" button at the bottom of the main page at http://www.ibm.com/support/docview.wss?uid=swg27024922. We expect that these two alternative installation options will serve a wide variety of needs in different environments.
As always, please let us know what you think, and you can look forward to seeing further enhancements in our IBM Support Assistant 5.0 strategy over the coming months.
On Tuesday, June 26th, Version 7.0.0 Fix Pack 5 was released for the following Business Process Management products:
The list above links to the download and installation information for each product.
We hope that your experience with this fix pack exceeds your expectations. However, there might be times when you need to contact IBM Support to resolve issues. To help expedite the support process, the following documents are available to explain the information that IBM Support needs to resolve both general and specific functional product issues:
WebSphere Business Monitor
WebSphere Enterprise Service Bus
WebSphere Integration Developer
WebSphere Process Server
Are you a WebSphere Lombardi Edition Version 7.2 customer? If so, read on...
Fix Packs, by their very nature, link together various changes to the product code like the various pieces of your favorite jigsaw puzzle. Each change from a customer Problem Management Report (PMR) is a puzzle piece that is assembled together with other puzzle pieces, tested, and assembled together to form a fix pack. Changes in one fix pack typically depend on the changes from previous fix packs to work correctly. For changes to WebSphere Lombardi Edition Version 7.2, we previously required that you install each of the fix packs individually and in sequential order due to dependencies between them. However, on Friday, July 6th, 2012, the fix pack strategy for Version 7.2 changed when we released Version 7.2.0 Fix Pack 4. This fix pack is very significant as it is the first fix pack for this release that includes all of the changes from all of the previous fix packs and additional fixes. It removes the requirement to install all previous fix packs prior to installing this fix pack. In fact, fix packs 1, 2, and 3 are no longer available. The following graphic illustrates the fix pack strategy change:
To see a list of the changes that are addressed in this cumulative fix pack and to download it, see the Fix List for WebSphere Lombardi Edition 7.2 and 7.1.
There are literally hundreds of technical documents out there to help you learn about the different areas of WebSphere Integration Developer and IBM Integration Designer. From planning to deployment, from design to configuration, and from installation to diagnosis, this extensive library of resources can really take some time to go through.
The Knowledge Engineering team aims to simplify this task for you by creating what we call Knowledge Collections - compilations of links that are focused on a specific topic, so you can easily see a list of resources centered on a common subject.
Fresh off the press is the Diagnostic Knowledge Collection for WebSphere Integration Developer, and IBM Integration Designer. This Diagnostic Knowledge Collection contains a list of links to technotes that are designed to help you with the diagnosis and troubleshooting process:
Let us know how you like this new Knowledge Collection! And as always, if there is a specific Knowledge Collection you would like to see on the web, don't hesitate to jot us a quick note - we love your feedback.
Information centers are a great way to learn about your IBM products. They offer a powerful and intuitive interface for browsing and finding technical information on the products that you use and maintain; how to plan for and prepare your environment for the product, installation and migration, administration and the securing of the environment, samples and scenarios, troubleshooting and support - the list goes on and on. You also have the option to access these information centers online or by saving copies to your local system.
But the focus of this article is not the information centers themselves, but the technology behind them - the IBM Eclipse Help System (IEHS).
The latest version of the IBM Eclipse Help System (IEHS) contains changes that include more features and additional fixes. It is highly recommended that you upgrade if you are using a local version of the information center for the following products:
- IBM Business Process Manager
- WebSphere Business Monitor/IBM Business Monitor
- WebSphere Business Compass
- WebSphere Process Server
- WebSphere Enterprise Service Bus
Version 7.5.1 product releases:
Version 7.5 product releases:
Version 7.0 product releases:
Version 6.2 product releases:
Version 6.1.2 product releases:
Source: Nalini Mohan, IBM Business Process Management Information Development
In response to customer feedback, the IBM Business Process Manager Version 8.0 Information Center has a new feature for users who prefer to have customized information specific to the configuration of the Business Process Manager product that they are planning to install. The new Interactive Installation and Configuration Guide feature offers you the ability to select:
- The Business Process Management Standard, IBM Business Process Manager Express, or IBM Business Process Manager Advanced product offering
- Your preferred database
- Your operating system
- The level of user (Administrator or non-administrator)
- The type of installation
- The type of profile.
These options are available as radio buttons in response to multiple choice questions. By submitting answers to these questions, you can generate a custom set of installation and configuration instructions for common stand-alone and network deployment environments. The following screen shot shows the new Interactive Installation and Configuration Guide, which is available at http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0mx/topic/com.ibm.wbpm.imuc.doc/topics/bpm_roadmap_form.jsp
Comments about this new feature as well as the content of the blog are welcome.
By Sharath Srinivas, IBM Business Process Manager L2 Support.
Updated: September 7, 2012
This blog is split into the following 3 parts:
- Create the deployment environment as shown in the following video:
- Save the changes.
- Generate the SQL scripts for messaging engines by running the sibDDLGenerator command from the E:\IBM\bpm80\bin directory. For example:
- E:\IBM\bpm80\bin>sibDDLGenerator -system db2 -platform windows -schema PROCESSSERVER_ME -user PS_BPMUSER > E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\ProcessServer_ME.sql
- E:\IBM\bpm80\bin>sibDDLGenerator -system db2 -platform windows -schema PERFORMANCEDW_ME -user PS_BPMUSER > E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\PerformanceDW_ME.sql
Note: The PROCESSSERVER_ME and PERFORMANCEDW_ME schema names that are used for ProcessServer and PerformanceDW messaging engines respectively are created in the PS_MEDB database. Output files are created in the E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB directory as redirected in the previous command.
- Complete the following database activities:
Important: If the Business Process Manager database user ID has administrator privileges, then complete the steps in section 15.1. If not, then complete the steps in section 15.2.
Run the following commands:
b. db2 ATTACH to DB2 user PS_BPMUSER using <Password>
c. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_BPMDB\createDatabase.sql
Note: Profile name - Dmgr01 , Database Name - PS_BPMDB
d. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\PerformanceDW\DB2\PS_PDWDB\createDatabase.sql
e. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\BusinessSpace\DE1.WebApp\DB2\PS_CMNDB\createDatabase.sql
f. db2 create database PS_MEDB automatic storage yes using codeset UTF-8 territory US pagesize 32768
g. db2 connect to PS_MEDB user PS_BPMUSER using <password>
h. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\ProcessServer_ME.sql
Note: Messaging engine database objects script generated in step 14.
i. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\PerformanceDW_ME.sql
j. db2 connect to PS_BPMDB user PS_BPMUSER using <Password>
k. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_BPMDB\createTable_ProcessServer.sql
l. db2 -tdGO -vf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_BPMDB\createProcedure_ProcessServer.sql
m. db2 connect to PS_PDWDB user PS_BPMUSER using <Password>
n. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_PDWDB\createTable_PerformanceDW.sql
o. db2 connect to PS_CMNDB user PS_BPMUSER using <Password>
p. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\BusinessSpace\DE1.WebApp\DB2\PS_CMNDB\createTable_BusinessSpace.sql
Go to step 16.
Important: If the Business Process Manager database user does not have administrator privilege, then run the following commands:
b. db2 ATTACH to DB2 user db2admin using <Password>
Note: The db2admin user needs to have administrator privilege.
c. db2 create database PS_BPMDB automatic storage yes using codeset UTF-8 territory US pagesize 32768
db2 UPDATE DB CFG FOR PS_BPMDB USING LOGFILSIZ 4096 DEFERRED
db2 UPDATE DB CFG FOR PS_BPMDB USING LOGSECOND 64 DEFERRED
Note: SQL commands in step (c) are available in <install Root>/profiles/dbscripts/<ProcessServer or PerformanceDW or BusinessSpace>/<database type>/createDatabase.sql
d. Repeat step (c) for other two databases PS_PDWDB and PS_CMNDB
e. db2 create database PS_MEDB automatic storage yes using codeset UTF-8 territory US pagesize 32768
f. db2 connect to PS_MEDB user db2admin using <password>
g. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\ProcessServer_ME.sql
Note: Messaging engine database objects script generated in step 14
h. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\SIB\PerformanceDW_ME.sql
i. db2 connect to PS_BPMDB user db2admin using <Password>
j. db2 Grant CREATETAB on database to user PS_BPMUSER
k. Repeat steps (i and j) for other two databases PS_PDWDB and PS_CMNDB
l. db2 connect to PS_BPMDB user PS_BPMUSER using <Password>
m. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_BPMDB\createTable_ProcessServer.sql
n. db2 -tdGO -vf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_BPMDB\createProcedure_ProcessServer.sql
o. db2 connect to PS_PDWDB user PS_BPMUSER using <Password>
p. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\ProcessServer\DB2\PS_PDWDB\createTable_PerformanceDW.sql
q. db2 connect to PS_CMNDB user PS_BPMUSER using <Password>
r. db2 -tvf E:\IBM\bpm80\profiles\Dmgr01\dbscripts\BusinessSpace\DE1.WebApp\DB2\PS_CMNDB\createTable_BusinessSpace.sql
- In the Administrative console, select System administration > Save changes to master repository.
- Run the bootstrapProcessServerData command from the profile/bin directory. For example:
E:\IBM\bpm80\profiles\Dmgr01\bin>bootstrapProcessServerData -dbJDBCClasspath E:\IBM\bpm80\jdbcdrivers\DB2 -clusterName DE1.AppTarget
- Check the E:\IBM\bpm80\profiles\Dmgr01\logs\bootstrapProcesServerData.<time_stamp>.log file for any errors.
- Start the node agent and messaging cluster, support cluster, web cluster, and the app cluster in that order.
By Sharath Srinivas, IBM Business Process Manager L2 Support.
This blog is split into the following 3 parts:
For this exercise, the deployment manager and the custom nodes are set up on the same system that is used for Process Center. Change them appropriately for your environment.
- Create a response file, which is used by the manageprofiles command, for the deployment manager. Here is a sample response file:
Note: PS_CMNDB is the database name for the Process Server CommonDB
- Run the manageprofiles command from the E:\IBM\bpm80\bin directory.
E:\IBM\bpm80\bin>manageprofiles -response E:\IBM\bpm80\BPM\samples\manageprofiles\PSStd_Dmgr_DB2_DATASERVER.response
- Check the E:\IBM\bpm80\logs\manageprofiles\Dmgr01_create.log file -- Profile name - Dmgr01
Check for INSTCONFSUCCESS. If you see INSTCONFFAILED, search for SEVERE / error
- Start the deployment manager. For example:
- Check the following log files:
- Create a custom profile response file. Here is a sample response file:
- Run manageprofiles command from E:\IBM\bpm80\bin directory. For example:
E:\IBM\bpm80\bin>manageprofiles -response E:\IBM\bpm80\BPM\samples\manageprofiles\PSStd_Custom.response
Note: The deployment manager needs to be started and running.
- Check for the following message in E:\IBM\bpm80\logs\manageprofiles\Custom01_create.log file.
ADMU0003I: Node customNode has been successfully federated.
- Log on to https://localhost:9044/ibm/console/logon.jsp
- Check System administration > Nodes and make sure that the new custom node is federated.
Note: Follow steps 6 to 8 for additional custom nodes.
- Verify that custom nodes are synchronized. In the administrative console, click System administration > Nodes.
See Part 3 of 3
By Sharath Srinivas, IBM Business Process Manager L2 Support.
Updated: September 7, 2012
This blog entry walks you through the step-by-step procedure to create a stand-alone Process Center server and a Remote Messaging, Remote Support and Web pattern-based network deployment environment for the Process Server. Setting up this environment can be accomplished in many different ways and this blog post approaches the task in a simple, yet commonly used, methodology that is applicable for most platforms. We would love to hear your feedback and would appreciate it if you shared your own experience with us.
This blog is split into the following 3 parts:
Complete the following steps:
- Ensure that the following prerequisite configuration exists for the base system to follow this exercise:
IBM Business Process Manager Version 8.0 is installed in the following directory: E:\IBM\bpm80
Note: E:\IBM\bpm80 is used as a sample path in this exercise. You can change it appropriately for your environment.
- Create a response file to use for the manageprofiles command. Here is a sample response file used to create stand alone Process Center profile configured against DB2.
Note: dbUserId=BPMUSER is the user ID for all of the Business Process Manager databases if the specific user IDs are not provided for each component database.
- Run the manageprofiles command from the E:\IBM\bpm80\bin directory. For example:
E:\IBM\bpm80\bin>manageprofiles -response E:\IBM\bpm80\BPM\samples\manageprofiles\PCStd_StandAlone_DB2.response
- Check the E:\IBM\bpm80\logs\manageprofiles\<Profile_Name>_create.log file for INSTCONFSUCCESS. If you see INSTCONFFAILED, search for SEVERE or error.
- Complete these database activities:
Note: SQL scripts are generated in the E:\IBM\bpm80\profiles\<profile_name>\dbscripts\ directory.
Important: If the IBM Business Process Manager database user ID (BPMUSER) has administrator privileges, then complete the steps in section 5.1. If not, then follow the steps in section 5.2.
Follow these commands:
b. db2 ATTACH to DB2 user BPMUSER using <password>
Note: DB2 is the default instance name, change if your database instance name is different
c. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\ProcessServer\DB2\PC_BPMDB\createDatabase.sql
Note: Profile name - ProcCtr , Database Name - PC_BPMDB
d. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\PerformanceDW\DB2\PC_PDWDB\createDatabase.sql
e. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\BusinessSpace\Node01_ProcCtrServer\DB2\PC_CMNDB\createDatabase.sql
f. db2 connect to PC_BPMDB user BPMUSER using <Password>
g. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\ProcessServer\DB2\PC_BPMDB\createTable_ProcessServer.sql
h. db2 -tdGO -vf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\ProcessServer\DB2\PC_BPMDB\createProcedure_ProcessServer.sql
i. db2 connect to PC_PDWDB user BPMUSER using <Password>
j. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\PerformanceDW\DB2\PC_PDWDB\createTable_PerformanceDW.sql
k. db2 connect to PC_CMNDB user BPMUSER using <Password>
l. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\BusinessSpace\Node01_ProcCtrServer\DB2\PC_CMNDB\createTable_BusinessSpace.sql
Go to step 6
Important: If the Business Process Manager database user ID (BPMUSER) does not have administrator privilege, then follow these steps:
a. Generate the SQL scripts for messaging engines and run the sibDDLGenerator command from E:\IBM\bpm80\bin directory.
E:\IBM\bpm80\bin>sibDDLGenerator -system db2 -platform windows -schema MEDPS00 -user BPMUSER > E:\IBM\bpm80\profiles\ProcCtr\dbscripts\SIB\ProcessServer_ME.sql
E:\IBM\bpm80\bin>sibDDLGenerator -system db2 -platform windows -schema MEDPE00 -user BPMUSER > E:\IBM\bpm80\profiles\ProcCtr\dbscripts\SIB\PerformanceDW_ME.sql
Note: The MEDPS00 and MEDPE00 schema names that are used for ProcessServer and PerformanceDW respectively are default names and should not be changed unless you use a DbDesignGenerator command to generate dbDesign file and plan to use it while creating profile. Output files are created in the E:\IBM\bpm80\profiles\ProcCtr\dbscripts\SIB directory as redirected in the previous command.
c. db2 ATTACH to DB2 user db2admin using <Password>
Note: The db2admin user needs to have administrator privilege.
d. db2 create database PC_BPMDB automatic storage yes using codeset UTF-8 territory US pagesize 32768
db2 UPDATE DB CFG FOR PC_BPMDB USING LOGFILSIZ 4096 DEFERRED
db2 UPDATE DB CFG FOR PC_BPMDB USING LOGSECOND 64 DEFERRED
Note: SQL commands in step (d) are available in <install Root>/profiles/dbscripts/<ProcessServer or PerformanceDW or BusinessSpace>/<database type>/createDatabase.sql
e. Repeat step (d) for other two databases PC_PDWDB and PC_CMNDB
f. db2 connect to PC_BPMDB user db2admin using <Password>
g. db2 Grant CREATETAB on database to user BPMUSER
h. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\SIB\ProcessServer_ME.sql
Note: Messaging engine database objects script generated in step (a), use PerformanceDW_ME.sql for PC_PDWDB
i. Repeat steps (f, g and h) for PC_PDWDB and steps (f and g) for PC_CMNDB
j. db2 connect to PC_BPMDB user BPMUSER using <Password>
k. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\ProcessServer\DB2\PC_BPMDB\createTable_ProcessServer.sql
l. db2 -tdGO -vf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\ProcessServer\DB2\PC_BPMDB\createProcedure_ProcessServer.sql
m. db2 connect to PC_PDWDB user BPMUSER using <Password>
n. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\PerformanceDW\DB2\PC_PDWDB\createTable_PerformanceDW.sql
o. db2 connect to PC_CMNDB user BPMUSER using <Password>
p. db2 -tvf E:\IBM\bpm80\profiles\ProcCtr\dbscripts\BusinessSpace\Node01_ProcCtrServer\DB2\PC_CMNDB\createTable_BusinessSpace.sql
- Run the bootstrapProcessServerData command from the profile\bin directory. For example:
E:\IBM\bpm80\profiles\ProcCtr\bin>bootstrapProcessServerData -dbJDBCClasspath E:\IBM\bpm80\jdbcdrivers\DB2
- Check the E:\IBM\bpm80\profiles\ProcCtr\logs\bootstrapProcesServerData.<time_stamp>.log file for any errors.
- Start the Process Center server. For example:
- Check the E:\IBM\bpm80\profiles\ProcCtr\logs\ProcCtrServer\SystemOut.log and startServer.log files for any errors.
- Check the E:\IBM\bpm80\profiles\ProcCtr\logs\AboutThisProfile.txt file for detail and port information.
- Log in using the default port numbers. For example:
See Part 2 of 3
Every quarter the Knowledge Engineering team puts together a list of high-value content, most requested documents, and links that we think will help you in answering your questions related to the BPM products, and we call these our “featured documents”.
These “featured documents” often include the latest updates to the different BPM products, documents that have been proven useful in solving technical issues in the past, important alerts that we think you should be aware of, and some of the highest accessed links that many of our customers have found helpful to them.
The “featured documents” are divided into three main sections to help you find the content you need even faster:
- In the spotlight: High-value content, alerts and updates for your BPM product
- Plan: Information that helps you plan and manage your BPM
- Education: Useful resources to further hone your skills in your BPM product
So head over to the featured documents for your BPM products below, and start digging away at the articles!
Part 1 of 4: Pre-migration considerations
This blog is an effort to explain some of the pre-migration considerations through post-migration steps to make the overall migration experience a sweet one. As you may be aware, migration can be very complex and time consuming. I hope this post helps you avoid some of the pitfalls.
This blog is split into the following 4 parts to keep it simple and compact:
It focuses on migrating a typical WebSphere Process Server Network Deployment v7.x golden topology on source machine to an IBM Business Process Manager Advanced v8.0 Remote Messaging, Remote Support pattern deployment environment on target machine running the same operating system as the source system. Note: These steps are applicable only if you are migrating to the remote target system. We would love to hear your feedback and appreciate you sharing your own experience with us.
- WebSphere Process Server v7.0.0 Fix Pack 4 is installed in the following path for this exercise: c:\WPS70 on source machine
- IBM Business Process Manager Advanced V8.0 is installed in the following path for this exercise: C:\BPM80 on target machine
Note: C:\BPM80 is used as a sample path in this exercise and you can change it, as appropriate, to your environment
If your applications use WebSphere Adapters or CICS Adapters, then see the Runtime premigration checklist document on how to update the applications before you begin runtime migration procedures.
Before migrating, you need to back up the whole source environment and prepare the remote target environment. Follow these steps:
- Check the following link to ensure your database version is supported and, if need be, upgrade your database and test it out:
- Install the migration target product, IBM Business Process Manager Advanced V8.0, with required interim fixes on a separate machine running the same operating system as the source system.
For fixes, see: http://www.ibm.com/support/docview.wss?uid=swg27025131
- Create a default WebSphere Application Server profile on the system that has the new version installed and the same operating system as the source system.
Use the Profile Management Tool or the manageprofiles command on IBM Business Process Manager Advanced V8.0 machine. For example:
c:\BPM80\bin>manageprofiles -create -profileName TestAppSrv -nodeName TestNode -serverName Testserver -cellName TestCell -hostName vmwbil2w7d -winserviceCheck false -templatePath C:\BPM80\profileTemplates\default
Note: Provide the full computer name for the -hostName parameter.
Note: This profile is created to export the remote machine's details through the BPMCreateRemoteMigrationUtilities command and profile itself is not used for the IBM Business Process Manager Advanced environment.
You can delete this profile after the migration process is completed.
- Check the SystemOut.log file on the source machine (WebSphere Process Server V7.x ). If you find any unexpected errors, then resolve them before migration.
- Synchronize the nodes in case there are any changes. Click System administration > Save changes to master repository > Synchronize changes with Node
- Set the Ulimit value to 8192 on both the source and target systems. On UNIX-based operating systems, this change helps to avoid errors during migration due to too many open files based on the size and complexity of the cell and applications.
- Set the com.ibm.ssl.enableSignerExchangePrompt property to false in the <profile home>/properties/ssl.client.props file to avoid having the WASPostUpgrade wait indefinitely for the username and password to be entered.
For details, refer to the Changing the signer auto-exchange prompt at the client topic in the information center.
- Stop the AppTarget, support, messaging, node agents, and deployment manager in that order in the source system.
- Connect to the CommonDB database schema and run the following SQL command
select count(*) from w_statement
where pred_id=(select id from w_uri where uri like '%changeSetState')
and obj_id IN (select id from w_obj_lit_string where litval IN ('DRAFT', 'PENDING' , 'APPROVED'))
If the previous SQL command returns one or more records, then run the following command
update w_statement set obj_id=(select id from w_obj_lit_string where litval='PUBLISHED')
where pred_id=(select id from w_uri where uri like '%changeSetState')
and obj_id IN (select id from w_obj_lit_string where litval IN ('DRAFT', 'PENDING' , 'APPROVED'))
- Back up the WebSphere Process Server V7.x environment
- Back up the full WebSphere Process Server V7.x installation directory, depending on your platform. On the Windows operating system, back up the directory as a compressed (zip) file. On Unix-based operating systems, use the “tar -cvf” command to back up the directory.
- Run the backupConfig command to back up the configuration files for the deployment manager and every node. For example:
C:\WPS70\bin>backupConfig C:\WPS70\profileBackup\Dmgr.zip -profileName Dmgr01
C:\WPS70\bin>backupConfig C:\WPS70\profileBackup\Custom01.zip -profileName Custom01
- Back up the databases that are used by WebSphere Process Server and those databases that are used for the deployed applications. Back up the following databases that are configured by any of the migration source profiles according to the documentation for your databases:
- Business Process Choreographer Database
- Business Space database
- Common database
- Common Event Infrastructure Database
- Messaging Engine Database
Note: Back up the database and transaction logs (step 13) at the same time to keep transaction logs synchronized with the database.
Back up the .nifRegistry file. The .nifRegistry file identifies the installation root for all installed WebSphere Process Server products. It also identifies the installation root for all installed WebSphere Application Server products. It is located at the following directories:
- Linux/UNIX-based operating systems: /opt/.ibm/.nif/.nifregistry
- Windows operating systems: C:\Windows\.nifregistry
Take a backup of source tranlog and Partnerlog files. They are located in the <Install Root>/profiles/<profile name>/tranlog directory.
Create the remote migration utilities image. Run the BPMCreateRemoteMigrationUtilities command on the target system to create an archive file. The file contains all the commands and their prerequisites that need to be invoked on the system containing the source profile to be migrated. For example: c:\BPM80\bin>BPMCreateRemoteMigrationUtilities remoteMigrationUtilities.zip
Note: By default, the remoteMigrationUtilities.zip file is created in the <Install Root>/util/migration directory.
Copy the remote migration utilities ( remoteMigrationUtilities.zip file from step 14 ) from the target system to the source system. Then, extract the remote migration utilities on the source system into their own unique directory. For example:
Copy C:\BPM80\util\migration\remoteMigrationUtilities.zip to C:\WPS70\migration80
Extract C:\WPS70\migration80\remoteMigrationUtilities.zip to C:\WPS70\migration80\util
Continue to Part 2.
Part 2 of 4: Migration
This entry is continued from Part 1 of 4. See the other parts of this blog at the following locations:
It is highly recommended that you check for errors and warnings in the log files at each step. This part walks you through the actual migration of deployment manager and the commonDB.
- Create a snapshot of the source profile. Run the BPMSnapshotSourceProfile command from the C:\WPS70\migration80\util\bin directory where remoteMigrationUtilities.zip is extracted in step 15. For example:
C:\WPS70\migration80\util\bin>BPMSnapshotSourceProfile.bat -remoteMigration true "C:\WPS70" Dmgr01 C:\Dmgr_snapshot
After the BPMSnapshotSourceProfile command is complete, the following log files are generated in the C:\Dmgr_snapshot\logs directory:
WASPreUpgrade.profilename.timestamp.log / trace
BPMSnapshotSourceProfile.profilename.timestamp.log / trace
Check the C:\Dmgr_snapshot\logs\BPMSnapshotSourceProfile.Dmgr01.timestamp.log file for the "CWMCO0823I: The BPMSnapshotSourceProfile command finished successfully" message.
Note: The snapshot directory for this exercise is C:\Dmgr_snapshot. Change it, as appropriate, for your environment. This directory should not be located in the source or target product installation directories.
Note: The -remoteMigration parameter in the command indicates that the target profile will not be created on the same machine.
- Copy the source snapshot directory (C:\Dmgr_snapshot) from step 16 to the same directory on the remote target system. For example:
C:\>robocopy C:\Dmgr_snapshot \\<remote target IP>\c$\Dmgr_snapshot /E
Note: On Windows operating systems, you can use robocopy or an alternative tool, because it helps to avoid errors caused by paths that are too long.
Note: Now, you have the C:\Dmgr_snapshot directory on the target system.
- Create the target profile. For example:
C:\BPM80\bin>BPMCreateTargetProfile.bat -remoteMigration true c:\Dmgr_snapshot Dmgr01
After the BPMCreateTargetProfile command finishes, the following log files are generated under the C:\Dmgr_snapshot\logs directory:
Check the C:\Dmgr_snapshot\logs\BPMCreateTargetProfile.profilename.timestamp.log file for the "CWMCO0838I: The profile was created or augmented successfully" message.
Note: This profile will not be ready for use until the BPMMigrateProfile command is used to migrate the source profile to the new target profile.
- Migrate the source profile to the target profile. For example:
C:\BPM80\bin>BPMMigrateProfile.bat -username admin -password admin c:\Dmgr_snapshot Dmgr01
After the BPMMigrateProfile command is complete, the following log files are generated under the C:\Dmgr_snapshot\logs directory:
BPMMigrateProfile.profilename.timestamp.log / trace
WASPostUpgrade.profilename.timestamp.log / trace
BPMProfileUpgrade.profilename.timestamp.log / trace
Check the C:\Dmgr_snapshot\logs\BPMMigrateProfile.profilename.timestamp.log file for the "CWMCO0822I: The BPMMigrateProfile command finished successfully" message.
- Check the migration status by using the BPMMigrationStatus command to verify the current state of the migration. For example:
Note: Scan the file system under the profile directory for occurrences of the old host name value. Analyze the configuration where the old host name is still being used and replace it with the new host name unless the old host name is needed, such as if the database is still present on the old host name machine.
- Run the BPMGenerateUpgradeSchemaScripts command-line utility to generate SQL scripts for each database that you are going to upgrade. Open the c:\Dmgr_snapshot\DatabaseInfo.txt file and note the database and schema name for CommonDB to be used for BPMGenerateUpgradeSchemaScripts command.
C:\BPM80\bin>BPMGenerateUpgradeSchemaScripts WPRCSDB.WPRCSDB C:\Dmgr_snapshot
After the BPMGenerateUpgradeSchemaScripts command finishes, database scripts are generated in the C:\Dmgr_snapshot\<DB Type>\<Database name.Schema Name> directory.
Note: WPRCSDB.WPRCSDB is the database.Schemaname for this exercise. Replace that value, as appropriate, for your environment.
Note: The DatabaseInfo.txt file in the snapshot_directory lists the deployment targets with the corresponding component mapping to a database schema. The values are defined as name-value pairs with values in the form of DatabaseName.SchemaName.
- Copy the generated database scripts onto the database host system and run the following commands:
C:\>db2 connect to WPRCSDB user <WPS commonDB user> using password
C:\>db2 -tvf C:\DBScript\DB2\WPRCSDB.WPRCSDB\upgradeSchema_SchemaStatus.sql
Note: The WebSphere Process Server commonDB user needs to have the create table privilege. Otherwise, the database administrator needs to run this SQL script and grant permissions to the WebSphere Process Server commonDB user on the table that is created.
Note: The upgradeSchema700_DirectDeploy.sql is not required for IBM Business Process Manager Advanced V8.0.
Important note: Alternatively, you can run the SQL scripts using the upgradeSchema.bat | sh file that was generated along with the SQL scripts. The upgradeSchema.bat | sh file is recommended if you are at a different source and/or target version than what is used in this exercise. The number of scripts to be run and their names might change for a different version. Refer to the information center for details on your specific version.
- Start the target (migrated) deployment manager.
Note: Back up the new deployment manager in case you need to roll back and restore from a custom node failure.
Continue to Part 3
Part 3 of 4: Migration
This entry is continued from Part 2 of 4. See the other parts of this blog at the following locations:
It is highly recommended that you check for errors and warnings in the log files at each step. This part walks you through the migration of custom nodes and upgrading the Business Process Choreographer (BPC) database.
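The log check recommended above can be scripted. The following is an added example, not part of the original post and not an IBM tool: it looks for the success message that Part 2 quotes for each command (CWMCO0838I and CWMCO0822I) and lists every warning or error message ID found. It assumes WebSphere-style message IDs whose final letter is the severity (I, W or E); the sample log lines, including the 9998/9999 IDs, are constructed.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# WebSphere-style message ID (assumed format): a 4-5 character component
# prefix, four digits, then a severity letter: I (info), W (warning), E (error).
MSG_ID = re.compile(r"\b([A-Z][A-Z0-9]{3,4}\d{4})([IWE])\b")

# Success message each command is expected to log, as quoted in Part 2.
EXPECTED = {
    "BPMCreateTargetProfile": "CWMCO0838I",
    "BPMMigrateProfile": "CWMCO0822I",
}


@dataclass
class LogReport:
    command: str
    succeeded: bool = False
    warnings: list = field(default_factory=list)  # (line number, message ID)
    errors: list = field(default_factory=list)    # (line number, message ID)

    @property
    def needs_review(self):
        # A step is only "done" if it logged success and nothing else stands out.
        return not self.succeeded or bool(self.warnings or self.errors)


def command_from_filename(name):
    """'BPMMigrateProfile.Dmgr01.<timestamp>.log' -> 'BPMMigrateProfile'."""
    return Path(name).name.split(".", 1)[0]


def check_log(command, lines):
    """Scan log lines for the expected success ID and any W/E message IDs."""
    expected = EXPECTED.get(command)
    report = LogReport(command)
    for number, line in enumerate(lines, start=1):
        for match in MSG_ID.finditer(line):
            msg_id, severity = match.group(1) + match.group(2), match.group(2)
            if msg_id == expected:
                report.succeeded = True
            elif severity == "W":
                report.warnings.append((number, msg_id))
            elif severity == "E":
                report.errors.append((number, msg_id))
    return report


def check_log_dir(log_dir):
    """Check each .log file in a snapshot logs directory that has a known success ID."""
    reports = []
    for path in sorted(Path(log_dir).glob("*.log")):
        command = command_from_filename(path.name)
        if command in EXPECTED:
            with path.open(errors="replace") as handle:
                reports.append(check_log(command, handle))
    return reports


# Constructed sample lines; only the CWMCO0822I text is quoted from the post.
SAMPLE_GOOD = [
    "[constructed timestamp] CWMCO0822I: The BPMMigrateProfile command finished successfully",
]
SAMPLE_BAD = [
    "[constructed timestamp] CWMCO9998W: constructed warning, not a real message ID",
    "[constructed timestamp] CWMCO9999E: constructed error, not a real message ID",
]

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        r = check_log("BPMMigrateProfile", sample)
        print(r.command, r.succeeded, r.warnings, r.errors, r.needs_review)
```

Point check_log_dir at the logs directory of the snapshot (C:\Dmgr_snapshot\logs in this exercise) after each command and review any report whose needs_review is true.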
- Edit the wsadmin.properties file in the WebSphere Process Server V7.x custom node to change the com.ibm.ws.scripting.host and com.ibm.ws.scripting.port parameters to point to the remote target IBM Business Process Manager Advanced V8.0 deployment manager that you created in step 18.
Take a backup of the C:\WPS70\profiles\Custom01\properties\wsadmin.properties file and then change the values for the following parameters:
Note: The host and port values from the newly created IBM Business Process Manager Advanced V8.0 target deployment manager are set in the source custom node wsadmin.properties file for each federated node in the source environment.
- Run the syncNode command. For example:
C:\WPS70\profiles\Custom01\bin>syncNode vmwbil2w7d 8879 -username admin -password admin
Check the C:\WPS70\profiles\Custom01\logs\syncNode.log file.
- If the target IBM Business Process Manager Advanced V8.0 custom node is on a different system than the one hosting the newly created target V8.0 deployment manager, then repeat steps 3, 14, and 15 from part 1 of 4.
- Repeat steps 16 to 20 from part 2 of 4 for each target custom node.
Note: Change the command parameter values, as appropriate, for your custom node profiles.
Note: Take a backup of the deployment manager and custom node after completing step 27 in case you need to restore the deployment manager or the custom node.
- Run the BPMGenerateUpgradeSchemaScripts command-line utility to generate SQL scripts for the Business Process Choreographer database that is to be upgraded.
Open the c:\Dmgr_snapshot\DatabaseInfo.txt file and note the database and schema name for the Business Process Choreographer database, to be used with the BPMGenerateUpgradeSchemaScripts command.
C:\BPM80\bin>BPMGenerateUpgradeSchemaScripts.bat BPEDB.BPEDB c:\Custom01
Note: BPEDB.BPEDB is the database.Schemaname of the Business Process Choreographer database for this exercise. Replace that value, as appropriate, for your environment.
Important note: Provide the right values for tablespaces when you are prompted by the command.
- Run the following commands to upgrade Business Process Choreographer database.
C:\>db2 connect to BPEDB user BPMUSER using password
C:\>db2 -tvf C:\Custom01\DB2\BPEDB.BPEDB\upgradeSchema_SchemaStatus.sql
C:\>db2 -tvf C:\Custom01\DB2\BPEDB.BPEDB\upgradeSchema7003.sql > C:\Custom01\DB2\BPEDB.BPEDB\sql1.log
Note: Alternatively, you can run the SQL scripts using the upgradeSchema.bat | sh file that was generated along with the SQL scripts. The upgradeSchema.bat | sh file is recommended if you are at a different source and/or target versions than what is used in this exercise.
Important note: If you have not enabled the "Shared Work Items" feature that was introduced in WebSphere Process Server V7.0.0 Fix Pack 3, then run the upgradeSchema700.sql file instead of the upgradeSchema7003.sql file in the 4th command for this step.
If your source environment is WebSphere Process Server V7.0.0 Fix Pack 3, 4, or later minor versions, you will have two versions of upgrade schema scripts generated for the Business Process Choreographer database. If you enabled the "Shared Work Items" feature that was introduced in WebSphere Process Server V7.0.0 Fix Pack 3, you must remove those generated scripts with "700" in the file name before executing the upgradeSchema.bat or upgradeSchema.sh command. If that is not the case, you must remove the script with "7003" in the file name.
Note: The BPMUSER that is used for connecting to the Business Process Choreographer database is required to have the necessary permissions as explained in the Databases topic within the information center.
Note: For Microsoft SQL Servers, there are two types of upgrade schema scripts that are generated for the Business Process Choreographer database: One is upgradeSchemaXXX.sql (where "XXX" is the source version) and the other is upgradeSchemaXXXUnicode.sql. The upgradeSchemaXXXUnicode.sql script is for a Microsoft SQL Server with Unicode support. You must remove the upgradeSchemaXXX.sql script before executing the upgradeSchema.bat or upgradeSchema.sh script if the Microsoft SQL Server in your environment is Unicode supported. If the Microsoft SQL Server in your environment is not Unicode supported, you must remove the upgradeSchemaXXXUnicode.sql script.
- Start the custom node. For example:
- Migrate the cluster configuration for the clustered nodes. Migrate the cluster-scoped configuration using the BPMMigrateCluster command from the <target install root>/bin directory on the system that contains the deployment manager. For example:
C:\BPM80\bin>BPMMigrateCluster.bat C:\Dmgr_snapshot DE1.Messaging Dmgr01
After using the BPMMigrateCluster command, the following log files are generated under the C:\Dmgr_snapshot\logs directory:
BPMMigrateCluster.dmgrprofilename.clustername.timestamp.log / trace
Note: The C:\Dmgr_snapshot directory is the deployment manager snapshot directory.
DE1.Messaging is the cluster name.
Dmgr01 is the deployment manager profile name.
- Repeat step 31 for each cluster (Messaging, Support, AppTarget) in your environment.
Note: Take a backup of the deployment manager and custom nodes.
- Run the syncNode command from each node to manually synchronize the nodes.
Part 4 of 4: Migration
This entry is continued from Part 3 of 4. See the other parts of this blog at the following locations:
It is highly recommended that you check for errors and warnings in the log files at each step. This part walks you through the migration of business space data and configuring the additional features for IBM Business Process Manager Advanced V8.0.
- Copy the preMigrateBusinessSpace700.sql script from C:\BPM80\profiles\Dmgr01\dbscripts\BusinessSpace\DE1.Support\DB2\WPRCSDB to the database host machine and run the following commands:
C:\>db2 connect to WPRCSDB user BPMUSER using password
C:\>db2 -tvf C:\bus_space_DBScript\preMigrateBusinessSpace700.sql
Note: This script might need to be modified if the default values do not match your environment.
Note: The script is located in the following directory: <Dmgr profile>/dbscripts/BusinessSpace/cluster_name/DBType/<database name>
Note: BPMUSER might need permissions to create tablespace, schema, table, index and alter table, and drop table as explained in the Databases topic within the information center.
- Run the upgradeBSpaceSchema command from the <install_root>/BusinessSpace/scripts directory. For example:
C:\BPM80\BusinessSpace\scripts>upgradeBSpaceSchema.bat -profileName Dmgr01 -clusterName DE1.Support
After running the upgradeBSpaceSchema command, the following log/trc files are created in the C:\BPM80\profiles\Dmgr01\logs\ directory:
Note: The -clusterName parameter value is the support cluster and the -profileName parameter value should be the deployment manager profile.
- Migrate the Business Space schema. Copy the migrateBusinessSpaceSchema700.sql file from <the Dmgr profile>/dbscripts/BusinessSpace/<cluster name>/<DBType>/<database name> directory to the database host and run the following command:
C:\>db2 -tvf C:\wps_apps\migration\bus_space\migrateBusinessSpaceSchema700.sql
Note: The BPMUSER that is used for connecting to the business space database is required to have necessary permissions as explained in the Databases topic in the information center.
- To prevent timeout errors, edit the soap.client.props file, which is located in the properties subdirectory of the profile_root directory (<profile root>/properties/soap.client.props), and change the com.ibm.SOAP.requestTimeout value from 180 to a larger value, such as com.ibm.SOAP.requestTimeout=1800.
- Sometimes you might run into transaction timeout errors, depending upon the network and database speed. You might need to change the transaction timeout values on all servers. In the Administrative Console, click Servers > Server Types > WebSphere application servers > server_name > Container Services > Transaction Service and change the values for the Total transaction lifetime timeout and Maximum transaction timeout to 800.
Note: Apply these changes only if they are required for your environment.
- Start the messaging cluster.
- Start the support cluster.
- Migrate the business space data. On the node for which the target server was started, run the migrateBSpaceData script using the -dbcopy option to copy the business space data from version 7.0.x to 8.0. For example:
C:\BPM80\BusinessSpace\scripts>migrateBSpaceData -host vmwbil2w7d -port 8882 -user admin -password admin -dbcopy
After using the migrateBSpaceData command, the following log/trc files are created in C:\BPM80\logs directory:
Note: The -host parameter is the business space server host name, the -port parameter refers to the SOAP port number of the business space server in the cluster.
- Stop each of the migration target servers in the support cluster. For example:
C:\BPM80\profiles\Custom01\bin>stopServer.bat <server name> -username <user name> -password <password>
- Modify the oobLoadedStatus.properties file to confirm that the following three values are true. Check all of your nodes for the oobLoadedStatus.properties file (this file will exist on only one of the nodes), and make all modifications. The oobLoadedStatus.properties file is located at <install root>\profiles\<Custom profile name>\BusinessSpace\<cluster name>\mm.runtime.prof\public\ directory.
Set the following values to true:
- Start each server in the support cluster.
- Run the migrateBSpaceData script using the -dbupgrade option to upgrade the business space data from Version 7.0.x to 8.0. For example:
C:\BPM80\BusinessSpace\scripts>migrateBSpaceData -host vmwbil2w7d.eng1 -port 8882 -user admin -password admin -dbupgrade
Note: The -host parameter is the business space server host name and the -port parameter refers to the SOAP port number of the Business Space server in the cluster.
- Remove the obsolete database tables for business space. For example:
Copy postMigrateBusinessSpace700.sql from C:\BPM80\profiles\Dmgr01\dbscripts\BusinessSpace\DE1.Support\DB2\WPRCSDB to the database host system.
C:\>db2 connect to WPRCSDB user BPMUSER using password
C:\>db2 -tvf C:\bus_space_DBScript\postMigrateBusinessSpace700.sql
Note: The postMigrateBusinessSpace700.sql file is located in the <Dmgr profile>/dbscripts/BusinessSpace/<Cluster name>/<DBType>/<database name> directory.
- Create the database design file by using the database design tool DBDesignGenerator, which is located in the <install root>/util/dbUtils directory in the target Business Process Manager Advanced Version 8.0 system.
Important: Select appropriately to generate scripts for the process server, performance data warehouse databases and process server, and performance data warehouse messaging engines.
For more information, see Configuring the Process Server and Performance Data Warehouse using a command in the information center.
- Copy the generated database scripts to the database host system and run the scripts to create the required databases and database objects. Refer to step 15 in Creating a Remote Messaging, Remote Support and Web pattern (RMRSW)-based Network Deployment environment for IBM Business Process Manager Standard Version 8.0 (Part 3) for reference. Apply only the required steps and change them appropriately for your environment.
- Configure the Process Server, Performance Data Warehouse, and Process Portal by running the BPMConfigureProcessServer command. For example:
C:\BPM80\profiles\Dmgr01\bin>BPMConfigureProcessServer.bat -psClusterName DE1.AppTarget -perfDWClusterName DE1.Support -processPortalClusterName DE1.Support -dbDesign C:\BPM80\util\dbUtils\bpm.standard.nd.dbDesign
After you run the BPMConfigureProcessServer command, the following log/trc files are created in C:\BPM80\profiles\Dmgr01\logs\ directory:
C:\BPM80\profiles\Dmgr01\logs\BPMConfigureProcessServer.<Dmgr profile name>.<time stamp>.log file
Note: With 3 Clusters: Process Server deployed to application cluster, Process Portal and Performance Data Warehouse deployed to support cluster, all the bus members deployed to messaging engine cluster.
Note: -psClusterName DE1.AppTarget refers to the application target, -perfDWClusterName DE1.Support and -processPortalClusterName DE1.Support refer to the Support cluster, and -dbDesign refers to the DBDesign file that was created in step 47.
- Run the bootstrapProcessServerData script. For example:
C:\BPM80\profiles\Dmgr01\bin>bootstrapProcessServerData -dbJDBCClasspath C:\BPM80\jdbcdrivers\DB2 -clusterName DE1.AppTarget
After running the bootstrapProcessServerData command, the following log/trc files are generated in the C:\BPM80\profiles\Dmgr01\logs directory:
bootstrapProcesServerData.DE1.<AppTarget cluster Name>.<Time stamp>.log
Note: -clusterName DE1.AppTarget refers to the application target cluster.
- Configure a routing server for the IBM Business Process Manager Process Portal as described in the Configuring a routing server for IBM Business Process Manager (BPM) Process Portal in a three or four cluster topology technote.
- Restart your environment.
- Remove the Compatibility Mode. For example:
Let's play a game of word association. What subject comes to mind with the words “engaging” and “terrifying”? Whatever you are thinking, I suspect it wasn't IT security. Yet those very words describe J Keith Wood and Jens Engelke's new IBM Redbooks publication. In it, they share their experiences of working with IBM customers around the world on securing IBM Business Process Manager solutions. Security pitfalls are everywhere and the stakes could not be higher.
This blog post is part of a series about common Business Process Manager security holes. In this post, we focus specifically on IBM Business Process Manager installation security. Much more information can be found in their Redbooks publication: IBM Business Process Manager Security: Concepts and Guidance.
1. Faith in your firewall
How often have you heard “it is the internal network, so it is secure”? This is a dangerous posture to take. It is akin to placing all of your eggs in one basket. Can you trust with 100% certainty that your firewall vendors will never release a software update that has a security hole in it? How often is your laptop’s operating system updated with security fixes?
The simple fact is that many studies, from Gartner, Ponemon, the US Federal Bureau of Investigation (FBI), and others, have shown that security breaches are equally likely to be caused by employees as by external agents. Security breaches do not have to be the result of malice. They could be the result of simple, honest mistakes. But in the end, it simply does not matter. The security breach occurred and you have to deal with the consequences. The bottom line on firewall security is this: it is necessary, it is very helpful, but it is not a stand-alone solution to enterprise security.
2. Failure to use SSL between Business Process Manager and the database server
Everyone recognizes that database user accounts should be password protected. What most people fail to recognize is how incredibly easy it is to observe database traffic while it is in transit. The solution to this is simple: SSL. We strongly advise SSL/TLS for the communications link between your Business Process Manager servers and your database servers.
3. Failure to encrypt data at rest
The most powerful argument for encrypting your data is simply this: common sense. If you want to stay out of the security breach headlines, you need to take all elements of security seriously. There are three strategies to consider for the encryption of data at rest: application specific code, database encryption, and operating system and file system encryption. Above all else, do not keep the encryption keys anywhere near the data being encrypted. This is akin to putting bars on your windows, reinforcing door locks, and then leaving the key under the door mat.
4. Failure to use SSL between Process Server and Process Center
During the installation of a Process Server, you specify the host name of the Process Center it will be utilizing as its repository. By default, the protocol used is http://. During Process Server start up, the runtime environment uses this information to communicate back to the Process Center. This communication includes a URL, a user account, and the corresponding password. This information is all an attacker needs to know in order to deploy new snapshots of process applications. An attacker could also deploy his favorite malware application, which monitors the network and carries out denial-of-service attacks. So, take the time to change the protocol to https:// to avoid sending your Business Process Manager admin account name and password in clear text.
5. Overuse of default Business Process Manager accounts
It is common to see one Business Process Manager administrator account used in every place where an account user name and password are created (for example for Administrator, Monitor, and SCA authentication alias roles). We highly advise that you create account names that closely reflect the roles or responsibilities of that account’s intended purpose, and that a human administrator never use an account like bpmAdmin or tw_admin. Every person must have a personal account.
Failure to follow this fine-grained approach promotes a loose attitude towards who gets access to the administrator accounts. For example, if a person is given the bpmadmin account simply to deploy a snapshot to a runtime Process Server environment, then that same person now has access to just about everything else in the Business Process Manager universe.
6. Overuse of trust in certificate authorities
We advise that you reduce the number of certificate authorities in use within your organization to just the bare minimum that is needed. This advice includes the WebSphere DataPower certificate that is supplied with Business Process Manager if you are not making use of DataPower. There is no guarantee that certificate authorities fact-check the identity of the parties who purchase certificates from them.
For more on all these topics, consult the IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance. Do you have any Business Process Manager installation security tips or experiences to share? If so, comment on this blog entry and we will respond!
Martin Keen is an IBM Redbooks Project Leader. He leads publications on many areas of IBM software, including WebSphere, Messaging, and Business Process Management. Follow Martin on Twitter at @MartinRTP.
My name is Martin Keen, and I wrote this blog post. Or did I? How do you know I'm Martin Keen? Does it matter which Martin Keen (the one who works for IBM, or the one who owns a shoe company)? That's where authentication comes in – the process of proving the identity of a user.
Authentication is particularly important in IBM Business Process Manager because it determines who has access to your Business Process Manager applications. Using excerpts from J Keith Wood and Jens Engelke's new IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance, here are the top 5 authentication security concerns that you need to consider with Business Process Management today.
1. Weak password policies
When we are asked to create a password, we humans nearly universally create passwords that are easy to remember. Easy to remember nearly always means easy to guess.
Brute force attacks against weak passwords are quick and relatively easy with tools easily downloaded from the Internet. Brute force refers to “just try” as often as you can. One way to prevent brute force attacks is a lock-out policy (lock a user account after x failed attempts). Other approaches slow attackers down by enforcing x seconds of wait time between login attempts or using captcha to verify they are interacting with a human user.
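The lock-out and wait-time controls described above, as an added example that is not part of the original post or of IBM Business Process Manager: a per-account throttle that enforces a pause after each failed login and locks the account after a run of failures. The class name, thresholds and event list are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0           # consecutive failed attempts
    next_allowed: float = 0.0   # earliest time another attempt is evaluated
    locked_until: float = 0.0   # every attempt is rejected before this time


class LoginThrottle:
    """Lock-out after max_failures, plus a forced wait between attempts."""

    def __init__(self, max_failures=5, wait_seconds=2.0, lock_seconds=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.wait_seconds = wait_seconds
        # A finite lock means a lock-out caused by someone else's guesses
        # clears by itself instead of needing an administrator.
        self.lock_seconds = lock_seconds
        self._clock = clock
        self._accounts = {}

    def attempt(self, account, password_ok):
        """password_ok is a zero-argument callable; it only runs if allowed."""
        now = self._clock()
        # Unknown names are tracked like real ones, so the responses do not
        # reveal which accounts exist.
        key = account.strip().lower()
        state = self._accounts.setdefault(key, _AccountState())
        if now < state.locked_until:
            return "locked"      # password is not even checked
        if now < state.next_allowed:
            return "too_soon"    # rejected unchecked; not counted as a failure
        if password_ok():
            del self._accounts[key]   # success resets the counters
            return "ok"
        state.failures += 1
        state.next_allowed = now + self.wait_seconds
        if state.failures >= self.max_failures:
            state.locked_until = now + self.lock_seconds
            state.failures = 0
        return "failed"


def simulate(events, **policy):
    """Replay constructed (time, account, password_correct) events."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **policy)
    outcomes = []
    for when, account, correct in events:
        now[0] = when
        outcomes.append(throttle.attempt(account, lambda: correct))
    return outcomes


# Constructed event sequence: three wrong guesses, then the right password
# tried during and after the lock-out window.
CONSTRUCTED_EVENTS = [
    (0.0, "alice", False),
    (0.5, "alice", False),
    (2.0, "alice", False),
    (4.0, "alice", False),
    (10.0, "alice", True),
    (64.0, "alice", True),
]

if __name__ == "__main__":
    print(simulate(CONSTRUCTED_EVENTS, max_failures=3, wait_seconds=2.0,
                   lock_seconds=60.0))
```

Because "locked" and "too_soon" are returned without checking the password, a correct guess made during those windows tells the guesser nothing.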
To make matters worse, most people will reuse passwords across multiple web sites. The administrators of these web sites then can (and often do) take this list of freely given user IDs and passwords and attempt to use these same credentials with other web sites. It is incredibly easy and surprisingly effective.
2. Failure to change default passwords
IBM Business Process Manager ships with eight default accounts (tw_admin, tw_author, and so forth), and each of them had as their passwords their usernames (tw_admin + tw_admin, and so forth). We have seen, in the field, that these default passwords are not always changed. Anyone who has any familiarity with IBM Business Process Manager would have a reasonable chance of gaining administrative access, based simply upon the knowledge of the factory-default password. IBM Business Process Manager V7.5.1 improves the situation, in that the main Business Process Manager administrative account name and password are specified at installation time. So, even if someone had intimate knowledge of IBM Business Process Manager, they still would have to guess the administrative account name as well as the password. However, the following default accounts are still created: tw_admin, tw_author, tw_portal_admin, tw_runtime_server, tw_user, tw_webservice, and bpmAuthor. We advise that you remove these default accounts and, instead, map actual users in your organization into the groups and roles which these accounts fill, by default.
3. Unencrypted communications channels
A failure to use Secure Sockets Layer (SSL) over all Business Process Manager-related communications channels is common. A simple network protocol analyzer, which is freely downloadable from the Internet, can be used to eavesdrop on network communications. Encrypt the communications channels and eliminate the possibility of these types of attacks before the opportunity arises.
4. Insecure LDAP connections
A bind account name and password are exchanged at each step of the IBM Business Process Manager to LDAP conversation. The deployment manager and node agents, the IBM Business Process Manager application servers (including /ProcessAdmin, /ProcessCenter and /portal), plus the Process Designer, all communicate with the Lightweight Directory Access Protocol (LDAP) server and issue this same bindRequest. Unless you secure your LDAP server using encryption (SSL), you are leaving your corporate LDAP server open to browsing each and every time an IBM Business Process Manager user logs into their /portal In box. We advise you to enforce encryption using SSL over the communications channel between the IBM Business Process Manager servers and your LDAP servers; be sure to disable non-SSL traffic; and create a specific SSL truststore and alias for the LDAP server.
5. Insecure Single Sign-On (SSO) solutions
Single Sign-On (SSO) is the ability to share credentials across systems. There are many SSO solutions that can be purchased and integrated into IBM Business Process Manager. Many SSO technologies rely upon cookies or HTTP headers to carry the user’s credentials with each HTTP request. Often, these credentials are encrypted. Unfortunately, the fact that these credentials are encrypted does not matter: an encrypted header can still be sniffed, copied, and injected into a hacker’s browser HTTP requests. The fact that the human hacker cannot read the contents of the encrypted header in no way diminishes the opportunity for attack; he/she will just paste into his/her browser the contents of this encrypted header, thereby impersonating the original SSO credentials. We advise that you bring in an outside security professional to review your SSO solution to ensure that it meets all leading security practices before you put any such code into use.
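Why an opaque credential is accepted from whoever presents it, and one way a validator can narrow that window, as an added example (not from the post, the Redbooks publication or any SSO product). An HMAC-sealed token stands in for the encrypted header, and channel_id is a hypothetical per-connection value the server derives itself, for example from the TLS session; both are assumptions, as are the key and user names.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; a real key lives in a key store


def _seal(payload, key):
    """Serialize the payload and append an HMAC tag (stand-in for encryption)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    tag = base64.urlsafe_b64encode(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + tag).decode()


def _open(token, key):
    """Return the payload if the tag verifies, otherwise None."""
    try:
        body, tag = token.encode().split(b".")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None


# Weak form: the token alone proves identity, so any copy of it works.
def issue_bearer(user):
    return _seal({"user": user}, KEY)


def validate_bearer(token):
    payload = _open(token, KEY)
    return payload.get("user") if payload else None


# Hardened form: the token expires and is tied to the connection it was
# issued on, so a copy presented on another connection is refused.
def issue_bound(user, channel_id, now, ttl=300):
    binding = hashlib.sha256(channel_id).hexdigest()
    return _seal({"user": user, "exp": now + ttl, "chan": binding}, KEY)


def validate_bound(token, channel_id, now):
    payload = _open(token, KEY)
    if payload is None:
        return None
    if now >= payload.get("exp", 0):
        return None  # expired, or a token without an expiry
    binding = hashlib.sha256(channel_id).hexdigest()
    if not hmac.compare_digest(payload.get("chan", ""), binding):
        return None  # presented on a different connection than it was issued on
    return payload.get("user")


def replay_results():
    """Present copied tokens from a second connection (constructed values)."""
    bearer = issue_bearer("alice")
    bound = issue_bound("alice", b"connection-A", now=1000)
    return {
        "bearer copy on connection B": validate_bearer(bearer),
        "bound token on connection A": validate_bound(bound, b"connection-A", 1100),
        "bound copy on connection B": validate_bound(bound, b"connection-B", 1100),
        "bound token after expiry": validate_bound(bound, b"connection-A", 1300),
    }


if __name__ == "__main__":
    for case, user in replay_results().items():
        print(f"{case}: {user}")
```

Encrypting the channel that carries the header, as the earlier sections advise, remains what prevents the copy from being captured in the first place.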
For much more, consult the IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance. Do you have any Business Process Manager authentication security tips or experiences to share? If so, comment on this blog entry and we will respond!
Martin Keen is an IBM Redbooks Project Leader. He leads publications on many areas of IBM software, including WebSphere, Messaging, and Business Process Management. Follow Martin on Twitter at @MartinRTP.
All users are not created equally. Authorization is the process of ensuring that a user (or other computer system) has permission to perform a given act. IBM Business Process Manager defines a very fine-grained authorization model. Getting this model right – ensuring that only the right people have access to certain resources – is key to securing your Business Process Management environment. Using excerpts from J Keith Wood and Jens Engelke's new IBM Redbooks publication IBM Business Process Manager Security: Concepts and Guidance, here are the top 5 authorization security concerns we are seeing in Business Process Management today.
1. Overuse of administrator privileges
In the Process Center for IBM Business Process Manager, you can grant Admin access simply by selecting users with a check box. There are a lot of implicit permissions granted when you enable this check box. Enable this option only for a few trusted users. Enabling this option grants the user or group the permission to read, edit, create snapshots, and deploy snapshots of any process application. These users can also grant /ProcessCenter Admin rights to any IBM Business Process Manager user and to any process application. Let's be clear - the enabled check box next to a user's name grants them super-user status. Enable this option sparingly.
2. Failure to map participant groups
When a new swimlane is introduced to an IBM Business Process Manager process definition, the participant group defaults to All Users. It is too easy to just leave the default of All Users in place, or to use already-existing LDAP groups and call it a job well-done. This is an important point: if All Users is allowed to stay, then you are effectively, completely turning off authorization for all tasks in this swimlane. Use a rigorous review process to ensure that each and every swimlane or participant group is mapped to an IBM Business Process Manager private group that includes only those users who should have authority to execute the steps within the swimlane.
3. Overpopulation of groups
Be careful of defining private groups that will be close-but-not-quite exactly what the process definition requires. Use fine-grained groups for each functional role that your process application can conceive.
4. Overuse of tw_authors, tw_admins
The process of ensuring that an author or developer has adequate authorization to create and deploy applications is rather a daunting task. As a result, we see many organizations simply adding their authors and developers into the default groups of tw_authors or tw_admins. Membership in these all-encompassing groups grants these accounts super user status -- and visibility to all process applications that are installed in your environment. This approach is almost universally undesirable. Access to /ProcessCenter and Process Designer should be granted in small, highly related chunks. Create project team groups that closely reflect the roles that these authors or developers play in the processes being modeled.
5. Faith in firewalls
Do not underestimate the amount of information that can be gathered by a curious, motivated, or perhaps mischievous user. If a user can sniff the network traffic, then they can analyze it. If they can analyze it, they can spoof it. It is a short path from unencrypted network traffic to unauthorized access. Specifically, given IBM Business Process Manager’s ability to perform instance-based authorization based upon run-time criteria, it is certainly conceivable that someone might be able to sniff an in-flight process and alter its authorization criteria. Encrypt all communication links between IBM Business Process Manager and LDAP servers, databases, web or proxy servers, and any web services hosts. Also encrypt communication between Process Center and Process Server, Process Designer, and Integration Designer. Finally, encrypt communication between Process Servers and users. It's simply not enough to rely on these communications occurring behind your firewall.
For much more, consult the IBM Redbooks publication called IBM Business Process Manager Security: Concepts and Guidance.
Martin Keen is an IBM Redbooks Project Leader. He leads publications on many areas of IBM software, including WebSphere, Messaging, and Business Process Management. Follow Martin on Twitter at @MartinRTP.
Remember, We Still Love Your Feedback!
By Maryam Ahmed
Did you find an answer that solved your issue? Have trouble finding what you need? Please let us know! Whether you have comments, questions, suggestions or ratings, we love to receive your feedback. Help us serve you better by sharing your feedback!
Did you know?
Business Process Manager experts review every single piece of feedback received on our IBM Support content
Business Process Manager experts are networking on Twitter, Facebook, and blogs
You can leave us feedback in numerous ways: Check out our feedback example to see how you can reach us!
When a business process has a user interface, it is possible for the process to accept end-user input to enable human-machine interaction. Using IBM Business Process Manager, the interface is implemented as a process application that contains one or more human services. In turn, each human service contains Coaches, which are the implemented interfaces. With Version 8.0, Coaches can be implemented as either Heritage Coaches or Next Generation Coaches, which are referred to as Coaches hereafter. The benefits of a Coach over a Heritage Coach include the introduction of the Coach View concept to facilitate view component reuse, a Web 2.0 appearance, and behavior enablement with a client-side model. This article focuses on using Coach Views.
Note: Visual representations are available within this document when you see text within [ ].
We start by analyzing a common use case scenario: ask the user for personal information and confirm the input. We have chosen this specific scenario because it is widely used in applications, such as user registration, online shopping, request submission, and so on. As shown in the following figure, two interfaces, the user input interface and the confirmation interface, are to be implemented with two Coaches within a Human Service, which is, in turn, contained in a simple Business Process.
Between the two interfaces, personal information is a common element that is shared. Therefore, we can develop a Coach View, [Person-CV], and use it as a component for both user input interface and confirmation interface.
Developing User Input Confirmation Process
Our first step is to create a new process application, User Input Confirmation, which is a container for all our development artifacts. We launch IBM Process Designer and we see the initial screen, Process Center. On its right hand side, we select Create New Process App to create the application, User Input Confirmation with Acronym UIC as shown in the following image: [Create-User-Input-Confirmation-App]
Once created, we highlight the application and click Open in Designer as shown in this image: [Open-in-Designer].
After the application is opened in Process Designer, we need to create a new Business Process Definition (BPD), User Input Confirmation BPD, to model our business process. We hover our mouse over Processes so that a + sign is displayed next to it. We click + and select Business Process Definition from the pop-up menu to bring up the BPD creation wizard. See this image to view the selection. [Create-Business-Process-Definition]. The following image shows the creation wizard: [Open-BPD-Creation-Wizard]
We type in the name of the BPD and click Finish. The BPD is created with default Start and End activities and opened in Designer. See this image to see the new BPD: [Open-Created-BPD]
The next step is to add a Human Service, User Input Confirmation HS to User Input Confirmation BPD and wire the User Input Confirmation HS with Start and End activities.
We have two ways to implement the task.
The second approach is to drag and drop an activity from toolkit palette, rename it as User Input Confirmation HS and connect the activities, Start, User Input Confirmation HS, and End. See the following image: [Drag-Drop-Activity]
- Highlight User Interface click + next to it, and select Human Service from the pop-up menu. See the following image to see the selection: [Create-Human-Service]
- Type in User Input Confirmation HS in the Human Service creation wizard as shown in the following image: [Create-User-Input-Confirmation-HS]
- Click Finish. The User Input Confirmation HS is created and opened in Designer.
- Toggle on drop-down menu, as shown in the following image, to display User Input Confirmation BPD in the Designer: [Toggle-on-Drop-Down]
- Click User Interface and select User Input Confirmation HS from the pop-up menu. See the following image: [Drag-Drop-User-Input-Confirmation-HS]
- Hold down the mouse button to drag and drop it into User Input Confirmation BPD canvas. See the following image: [Add-User-Input-Confirmation-HS-to-BPD]
- Click the [Sequence Flow] from the toolkit palette and hover the mouse over Start, and it turns to [Hover-over-Start].
- Hold down mouse button and drag the mouse toward User Input Confirmation HS to create a link from Start to User Input Confirmation HS. See the following image: [Connect-Start-to-User-Input-Confirmation-HS]
- Follow the same steps to link the User Input Confirmation HS and End. Click [Selection-Tool] to change the mouse mode to tool kit selection.
- Save changes with Ctrl+S.
So far, the process application User Input Confirmation is created and opened in Process Designer. The User Input Confirmation BPD, which contains User Input Confirmation HS, is the only process developed with this application. The process diagram is shown below.
In this section, we focus on Coach development. As previously discussed, we need to develop a shared Coach View, Person CV. We notice that the Coach View represents an underlying data structure, a Business Object (BO) that we named Person. Therefore, we start off with creating the Business Object, Person. To create the Person Business Object, complete the following steps:
- Hover on Data to bring up the + sign, click +, and choose Business Object from the pop-up menu. See the following image: [Create-Business-Object]
- Type in the name Person. See the following image: [Create-Person]
- Click Finish.
Person is created and opened for editing as shown in the following image: [Created-Person]
We need to add the following parameters to Person.
To add the parameters to Person, complete the following steps:
- Click [Add] in the Parameters section. A new parameter named Untitled1 with a String type is
- In the Parameter Properties section, change Untitled1 to firstName as shown in the following image: [Change-Untitled1-to-firstName]
- Follow the same steps to add lastName and email. See the following image: [Person-Business-Object]
After Person is created, we add a private variable, person, to the User Input Confirmation HS. This variable, person, is used to transfer data within the Human Service, that is, between the Coaches. Complete the following steps:
- Toggle on the downward to switch to User Input Confirmation HS.
- Click the Variables tab.
- Click Add Private and an Untitled1 private variable is created as shown in the following image: [Select-Variables-Tab]
- Change the Name to person and change the Variable Type by clicking [Select] and select Person as the data type for person variable. See the following image: [Choose-Person-Data-Type]
- Save the changes.
Here are the results:
Then, we need to create the Coach View, Person CV. We know that Person CV presents the person data in an HTML form. Therefore, the input fields of Person CV are bound to Person parameters accordingly. Complete the following steps:
- Hover on User Interface to display the + sign.
- Click + to choose the Coach view from the pop-up menu.
See the following image: [Choose-Coach-View]
- Name the new Coach View as Person CV as shown in the following image: [Create-Coach-View-Person-CV]
- Click Finish.
Person CV is created and opened in Layout view. See the following image:
Next, we need to add a Business Data variable, person of BO type Person, to the Coach View, so that we can bind Person parameters to the Coach View fields. Complete the following steps:
- Click Variables to switch to Variables view.
- Click + next to Business Data. A new Business Data variable is created. See the following image: [Add-Business-Data-Variable]
- On the [Variables] tab, change the Name to person. See the following image: [Business-Data-Variable-Person]
- Click Select and choose Person from the pop-up list.
The Variable Type is changed into Person [Business-Data-Variable-Person-with-Data-Type-Person]
- Save the changes.
Switch back to Layout view by clicking on Layout. We need to add three Input Text fields into Person CV, firstName, lastName, and email. Complete the following steps:
- Select the [Vertical Section] while holding down the mouse button and drag it to the canvas as shown in the following image: [Add-Vertical-Section-to-Person-CV]
- Change the Label to Person Section as shown in the following image:
- Drag the [Text] field to the Person Section as shown in the following image:
- Change the Label to First Name as shown in the following image:
- Click [Change] next to Control ID and change the text to firstName.
Note: The Control ID is a unique identifier that is used to identify the component, firstName, within the current Coach View. Its uniqueness is enforced by the development environment. See the following image:
- Click [Select] next to Binding and choose firstName from the pop-up list. See the following image:
- Save the changes. See the following image:
- Follow the same steps to add another two Text fields under Text field, First Name.
- Save changes.
Now, we need to add two Coaches, User input form NG and Input confirmation form NG, to the User Input Confirmation HS. Complete the following steps:
- Open User Input Confirmation HS in Process Designer by selecting it from the User Interface pop-up list.
- In Diagram view, click Coach, hold down mouse button, and drag it to the canvas. See the following image: [Drag-Drop-Coach]
- Change the Name to User input form NG and save the changes. See the following image:
- Follow the same steps to add another Coach, Input confirmation form NG. See the following image:
- Click the Coaches tab to implement these two Coaches.
- While User input form NG is highlighted and selected, drag a Vertical Section into the Canvas and change its label to User Input Form. See the following image: [Drag-Drop-User-Input-Form]
- Add a Coach View, Person CV, and bind it to the private variable, person, as shown in the following image:
- Drag a Button to the canvas and change the Label to Submit, as shown in the following image: [Drag-Drop-Button]
- Click and highlight the Input confirmation form NG and follow the same steps to add a vertical section labeled Input Confirmation Form, a Person CV bound to person, and a button labeled Confirm.
See the following image: [Input-Confirmation-Form-NG-(Person-CV)]
Here is a view of the Confirmation button: [Input-Confirmation-Form-NG-(Confirm-Button)]
- Click the Diagram tab to switch to the Diagram view.
- Using Sequence Flow, link Start to User input form NG, then to Input confirmation form NG, and finally to End as shown in the following image: [Complete-User-Input-Confirmation-HS]
- Save the changes.
Testing the Application
Now that our application is fully developed, we are ready to execute it. Complete the following steps:
- Open the process from the Processes pop-up menu.
- Click the run button at the right-hand corner. This action brings up the Process Inspector. See the following image: [Switch-to-Process-Inspector]
The process stops at the User Input Confirmation HS.
- Open up Process Portal by clicking the [Refresh] button on the Process Inspector. See the following image:
- Log in with your user ID as admin and Password as admin.
Note: Depending on your configuration, your portal URL, login ID, and password might be different from shown here.
See the following image: [Login-Process-Portal]
The default screen shows My Tasks.
See the following image: [Display-My-Tasks]
- Click Step: User Input Confirmation HS to claim the task.
See the following image: [Claim-Task-User-Input-Confirmation-HS]
- If you are prompted, click Claim Task. The User input form NG is executed and User Input Form is displayed. See the following image: [Display-User-Input-Form]
We can key in personal information as shown in the following image:
- Click the Submit button. The application continues with executing the Input confirmation form NG. We see that the personal data input fields are pre-populated with previous user input as shown in the following image: [User-Input-in-Input-Confirmation-Form]
- Click the Confirm button and the task is completed. See the following image:
If we switch back to Process Inspector and click Refresh, we see that the process status is changed to Completed.
See the following image:
In this article, we discussed how to implement a Human Service activity containing Next Generation Coaches. We developed two Coaches, User input form NG and Input confirmation form NG, which share a reusable view component, the Coach View Person CV. We demonstrated that by using the Coach View, the development of a process with a user interface is simplified.
If you have any feedback on this article, leave a comment below and we will respond. We welcome your feedback!
When you contact IBM Support, a Problem Management Record, or PMR, is opened to track your concern and its resolution. Many of those PMRs reference support documents that are used to resolve a specific issue. We are able to analyze those records to find issue trends that are affecting many of our IBM Business Process Manager customers. When we look at the top 10 most referenced support documents in PMRs, we find several of the MustGather documents. If you are not familiar with these documents, they explain the type of information that IBM Support needs to expedite the resolution of your issue. These documents include requests for information about your operating environment and requests for certain files that can help us diagnose your issue. The following MustGather documents are available to help us help you:
In addition to the "MustGather" documents, IBM Support Assistant Version 5.0 can help you determine the root cause of an issue and find possible documented resolutions. In fact, Version 5.0 Beta 2 was just released within the last few weeks of this post.
Now, let us get back to the topic at hand and count down the 10 most referenced documents (excluding "MustGather" documents) in IBM Business Process Manager PMRs. Here are the most referenced documents from August to October of this year:
#10: Profile upgrade instructions for V7.5.0 Fix Pack 1 (V7.5.0.1) IBM Business Process Manager product installations with existing profiles
This document provides instructions for upgrading existing profiles in V7.5.0 Fix Pack 1 (V7.5.0.1) for the IBM Business Process Manager products.
#9: Configuring a routing server for IBM Business Process Manager (BPM) Process Portal in a three- or four-cluster topology
In a three- or four-cluster topology, Process Portal requires a routing server. The information center provides information on several stand-alone products that you can use as a routing server. However, if you do not want to use a stand-alone product as a routing server, this document explains how to configure a WebSphere proxy server using the WebSphere Administrative Console.
#8: The Process Portal for the IBM Business Process Manager (BPM) products does not render properly when using Load Balancer
When you enable Load Balancer or specify "localhost" as host name during IBM Business Process Manager server installation, the Process Portal user interface does not have any Cascading Style Sheet (CSS) styling. However, this document explains how you can edit the 100Custom.xml file to resolve the problem.
#7: Configuring SSL for IBM Business Process Manager (BPM) V7.5.x
The information center for IBM Business Process Manager Version 7.5 does not explain how to configure secure sockets layer (SSL) communications. However, this document includes an attachment that explains the step-by-step process complete with many screen captures to guide you along the way.
#6: Version 7.5.1 Fix Pack 1 for the IBM Business Process Manager products
This document is the actual download document for IBM Business Process Manager Version 7.5.1 Fix Pack 1. Before downloading the product update, be sure to read the installation instructions first.
#5: Performance tuning considerations when IBM Business Process Manager (BPM) is running in a virtual machine
You can run IBM Business Process Manager in a virtual machine. However, this document provides links to both IBM and non-IBM resources that explain some additional things to consider when you run servers in a virtual machine (VM) environment.
#4: Changing the database information for Process Server and the Performance Data Warehouse for the IBM Business Process Manager (BPM) products
Because the database configuration information is saved across the file system, this document provides detailed steps on how to change the database information for the Process Server and the Performance Data Warehouse Database.
#3: Configuration file overview and explanation for Lombardi Teamworks, WebSphere Lombardi Edition (WLE), and the IBM Business Process Manager (BPM) products
This document explains how the configuration files load the data and provide some best practices for maintaining those files.
#2: Fix list for IBM Business Process Manager Version 7.5 products and WebSphere Enterprise Service Bus Version 7.5
This document provides a list of fixes that are available for Version 7.5 and 7.5.1. Each fix pack lists the issues (APARs) from customer-reported PMRs that are fixed in it and provides links, as applicable, to the closing information for the issue. You might want to bookmark this document to quickly find the latest fix packs for your environment. You can always follow us on Twitter @IBM_BPM and we will announce the fix packs as they are available!
And the #1 most referenced document in an IBM Business Process Manager PMR is...
#1: IBM Business Process Manager Advanced Edition Version 7.5: Configuring a Clustered Process Server
This document is a step-by-step guide on how to set up a clustered Process Server, including Business Space and HTTP Server, in a production environment on Red Hat Enterprise Linux using Oracle 11g.
We always welcome your feedback on our blogs and other support content. Feel free to let us know what you think in the comment section of this blog entry or in the feedback section for any of our support content. Remember, we love your feedback!