Configuring IBM Business Automation Studio with IBM Business Automation Workflow

You can configure your IBM Business Automation Studio installation to integrate with Workflow Center in IBM Business Automation Workflow.

With this integration, you can build applications that call actions that are bound to Workflow Services (process apps) defined in Business Automation Workflow. You can also use Business Automation Workflow capabilities and, for example, start processes in Business Automation Workflow.

Before you begin

You must have successfully installed and configured Business Automation Studio and IBM Business Automation Application Engine (App Engine) playback server as well as Business Automation Workflow.

You must be running Business Automation Workflow 19.0.0.3 or 19.0.0.2 with interim fix JR61324.

You must have a Business Automation Workflow server whose hostname can be resolved in containers. The hostname must be the same as the Business Automation Workflow root CA certificate common name. Use the following command to verify that your hostname can be resolved in containers:

oc exec pod_name -- curl https://baw_host:baw_port -k

About this task

For your apps to use capabilities in Business Automation Workflow, you must register Business Automation Workflow with App Engine and IBM Resource Registry.

The procedure includes the following high-level steps:

Configure the Business Automation Workflow server to use the same User Management Service (UMS) as Business Automation Studio.
To enable Business Automation Workflow to communicate with Business Automation Studio, App Engine, and Resource Registry, add the shared ICP4A operator root CA certificate to the Business Automation Workflow truststore.
To enable Business Automation Studio and App Engine to communicate with Business Automation Workflow, extract the Business Automation Workflow root CA certificate or proxy root CA certificate.
Add the Business Automation Workflow root CA certificate or proxy root CA certificate to the trusted certificate list for the shared operator custom resource. All the components that are installed with the same custom resource share this list.
Import the Business Automation Workflow toolkits into Business Automation Studio.
Configure Business Automation Workflow with Resource Registry information.
Verify the integration.

Procedure

Configure the Business Automation Workflow server to use the same UMS as Business Automation Studio by following the instructions in Adding IBM Business Automation Workflow and IBM Federated Process Portal to use the User Management Service.
You must run the two commands setupCmdLine and connectToUms in the same command window. Otherwise, the second command fails because the first command sets the environment variables and takes effect only in the current command window. The connectToUms-workflow.zip file is located in the container, so you might want to copy this file to the local file system first, using the following command:
```
oc cp -n namespace \
ums-pod:opt/ibm/wlp/ibmUserManagement/extension/configTemplates/workflow/connectToUms-workflow.zip \
 local-file-path
```
where
- namespace is the namespace that your pods run in
- ums-pod is the pod name that you created for UMS
- local-file-path is the local path of the copied file, for example, /opt/IBM/WebSphere/AppServer/connectToUms-workflow.zip
Make sure that the Business Automation Workflow system uses the same LDAP server as UMS. See Configuring LDAP user registries in Liberty.
If you haven't configured LDAP for UMS, add the UMS administrator user to the Business Automation Workflow file registry and then to the tw_admins group so that you can access the applications and processes with the user that you just added. Make sure that the username and password are the same as the ones you use to log in to UMS.
1. To add the UMS administrator user to the file registry:
  1. Open the Process Admin Console (http://baw-host:9080/ProcessAdmin or https://baw-host:9443/ProcessAdmin).
  2. In the Server Admin area, click the indicator next to User Management to list the available management options.
  3. For User Details, enter the UMS administrator username, full name, and password. Click Add to add the user.
2. To add the UMS administrator user to the tw_admins group:
  1. Click Group Management. Enter tw_admins in Select Group to Modify.
  2. From the list of groups displayed, click tw_admins. Click Add Users and enter your UMS administrator name in Search For Name.
  3. Select the user and click Add Selected.
To enable Business Automation Workflow to communicate with Business Automation Studio, App Engine, and IBM Resource Registry, add the shared operator root CA certificate to the Business Automation Workflow truststore.
1. Extract the ICP4A operator root CA certificate.
  For instructions, see Exporting the operator root CA key and importing it into an external service.
2. Import the root CA certificate to the Business Automation Workflow server.
  
  In the administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates. Click Add and enter your-path/rootCA.crt. Click OK to add the certificate.

To enable Business Automation Studio and App Engine to communicate with Business Automation Workflow, extract the Business Automation Workflow root CA certificate (if you don' t use a proxy) or the proxy root CA certificate (if you do).

To get the Business Automation Workflow certificate, run an OpenSSL command.

For the root CA certificate, run the following command:

openssl s_client -showcerts -verify 5 -connect baw_hostname:baw_port -servername baw_hostname

For the proxy root certificate, run the following command:

openssl s_client -showcerts -verify 5 -connect proxy_hostname:proxy_port -servername proxy_hostname

If you didn't customize your Business Automation Workflow root CA, the results look similar to the following output:

verify depth is 5
CONNECTED(00000005)
depth=1 C = US, O = IBM, OU = Dmgr, OU = PCCell1, OU = Root Certificate, CN = <baw_hostname>
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 C = US, O = IBM, OU = Dmgr, OU = PCCell1, OU = Root Certificate, CN = <baw_hostname>
verify return:1
depth=0 C = US, O = IBM, OU = Node1, OU = PCCell1Node1, CN = <baw_hostname>
verify return:1
---
Certificate chain
0 s:/C=US/O=IBM/OU=Node1/OU=PCCell1Node1/CN=<baw_hostname>
  i:/C=US/O=IBM/OU=Dmgr/OU=PCCell1/OU=Root Certificate/CN=<baw_hostname>
-----BEGIN CERTIFICATE-----
MIIDyDCCArCgAwIBAgIGAq4ud30yMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYT
AlVTMQwwCgYDVQQKEwNJQk0xDTALBgNVBAsTBERtZ3IxEDAOBgNVBAsTB1BDQ2Vs
...
-----END CERTIFICATE-----
1 s:/C=US/O=IBM/OU=Dmgr/OU=PCCell1/OU=Root Certificate/CN=<baw_hostname>
  i:/C=US/O=IBM/OU=Dmgr/OU=PCCell1/OU=Root Certificate/CN=<baw_hostname>
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIGAjrOZKp8MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYT
AlVTMQwwCgYDVQQKEwNJQk0xDTALBgNVBAsTBERtZ3IxEDAOBgNVBAsTB1BDQ2Vs
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=IBM/OU=Node1/OU=PCCell1Node1/CN=<baw_hostname>
issuer=/C=US/O=IBM/OU=Dmgr/OU=PCCell1/OU=Root Certificate/CN=<baw_hostname>
...

Find the certificate with the deepest depth. In this case, the deepest depth is 1.
This certificate is the Business Automation Workflow root CA certificate (if you don' t use a proxy) or the proxy root CA certificate (if you do).
Copy the Business Automation Workflow root CA certificate or the proxy root CA certificate and save it to a file in your local file system.
Copy the content that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. In this case, copy and save the following content:
```
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIGAjrOZKp8MA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYT
AlVTMQwwCgYDVQQKEwNJQk0xDTALBgNVBAsTBERtZ3IxEDAOBgNVBAsTB1BDQ2Vs
...
-----END CERTIFICATE-----
```

Add the Business Automation Workflow root CA certificate or proxy root CA certificate to the trusted certificate list for the shared ICP4A operator custom resource. All the components that are installed with the same custom resource share this list.
Follow the instructions in Importing the TLS certificate of an external service.
Import the Business Automation Workflow toolkits into Business Automation Studio.

Download the Start_Process_Configurator and Workflow_Services toolkits from the https://github.com/icp4a/ibm-app-designer-samples/tree/master/contributionFiles and import them into Business Automation Studio manually.
Choose one of the following methods to configure Business Automation Workflow with Resource Registry information.
- Use the Business Automation Workflow REST API with curl or Postman.
  For example, the following command uses base64 to encode your username and password and sends them as authorization in the HTTP header to configure Resource Registry.
```
curl -k https://baw_host:baw_port/rest/bpm/wle/v1/resourceregistry/connection \
      -H "Authorization: Basic $(echo -n ums_admin:ums_password | base64)" \
      -H "Content-Type: application/json" \
      -d '{ "url": "URL", "uname": "user_name", "password": "password" }'
```
  where
  - URL is https://resource-registry-host-name:resource-registry-port
  - user_name is the use name of the Resource Registry writer
  - password is the password of the Resource Registry writer
  You can run the following command to check that Resource Registry information was added successfully,
```
curl -k https://baw_host:baw_port/rest/bpm/wle/v1/resourceregistry/connection \
      -H "Authorization: Basic $(echo -n ums_admin:ums_password | base64)"
```
- Use IBM Workflow Center.
  Log in to IBM Workflow Center at https://baw_host:baw_port/WorkflowCenter with your deployment environment administrator username and password. Set Preferences to Advanced. Select Administration > Resource Registry > Settings and click Edit Settings. Configure the following settings.
  - URL is https://resource-registry-host-name:resource-registry-port
  - user_name is the username of the Resource Registry writer
  - password is the password of the Resource Registry writer
- (Deprecated in 19.0.3) Update the 100custom.xml configuration file in Business Automation Workflow with Resource Registry information. See Location of 100Custom configuration files for where to find the file and follow the instructions in Creating a 100Custom.xml configuration file for how to change the file.
  1. Because clear-text passwords are not recommended in Business Automation Workflow, encrypt your Resource Registry password. See Enabling encrypted passwords in proxy settings,
  2. Add the following content into 100custom.xml under <properties>, which is already in the file.
```
<properties>
    <server>
        <resource-registry>
            <url>https://resource-registry-hostname:resource-registry-port</url>
            <uname>writer username</uname>
            <password>writer password</password>
            <password-encrypted>true</password-encrypted>
        </resource-registry>
    </server>
</properties>
```
    where
    - url is the URL of the Resource Registry, for example, rr.host-IP.nip.io:port
    - uname is the username that is set for the Resource Registry
    - password is the password that you encrypted for the Resource Registry
    - password-encrypted tells the Resource Registry that the password is encrypted
  3. Restart the whole environment, including the cluster server, nodes, and deployment manager, to synchronize the 100custom.xml file across all nodes.
Verify that Business Automation Studio is configured with Business Automation Workflow.
1. Log in to Business Automation Studio (https://bastudio_host_name:bastudio_port/BAStudio) with your username and password.
2. Set Preferences to Advanced.
3. Select Apps > Toolkits and make sure that the Workflow Services were added. Click Details to see information about them. In Snapshots, you can see the current version of the Workflow Services.
4. Create a sample app that incorporates the Workflow Services to make sure they are working correctly.