Configuring IBM Business Automation Workflow with an external IBM Content Navigator

You can configure IBM Business Automation Workflow to work with an external IBM Content Navigator.

1. Configure access to a shared user repository, such as a Lightweight Directory Access Protocol (LDAP) directory. Both IBM Business Automation Workflow and IBM Content Navigator must have access to the same set of users.
   1. In the administration console on both systems, select Security > Global Security. The Global Security page opens.
   2. In the Available realm definitions drop-down list, select one of these options:
      • If IBM Content Navigator is configured with a federated repository, select Federated Repositories and then click Configure. The Federated Repositories page opens.
      • If IBM Content Navigator is configured with a stand-alone LDAP, select Standalone LDAP and then click Configure. The Standalone LDAP page opens.
   3. Configure your shared user repository with matching user and group attributes.
   4. In any environment, select Require SSL communications for the user repositories (recommended).
   5. Test your LDAP connection. See Configuring Content Platform Engine application server authentication (LDAP) settings.
   6. If the realm names of IBM Business Automation Workflow and IBM Content Navigator are different (for example, because you set different active realm definitions), make certain that in each cell the realm of the other cell is trusted. From the navigation panel, click Security > Global security. Under RMI/IIOP security, click CSIv2 inbound communications. Click Trusted authentication realms - inbound. Select Trust realms as indicated below. Click Add external realm and add the realm of the remote cell. Click Apply.
   7. In the administration console on both systems, select Users and Groups > Manage Users and search for the IBM Business Automation Workflow user ID that you are going to define as the IBM Content Navigator administrative user. Verify that the user ID is unique and it is in the shared user repository.
2. Configure single sign-on (SSO) security for the external IBM Content Navigator, including the configuration of the user registry and trusted realm. Follow the instructions in Configuring single sign-on with LTPA for an external Business Automation Navigator.
3. On both the IBM Business Automation Workflow and IBM Content Navigator systems, configure SSL to exchange SSL certificates in both directions between the servers.
   1. In the administration console, select Security > SSL certificate and key management. The SSL certificate and key management page opens.
   2. Select the Key stores and certificates link. The Key stores and certificates page opens.
   3. Select NodeDefaultTrustStore (for Base Server) or CellDefaultTrustStore (if on a Network Deployment cell).
   4. Either extract the certificate to a file and copy it to the other system to add, or use the Retrieve from port button to connect and retrieve the certificate. For details on retrieving from the port, see Configuring cross-cell security for IBM Workflow Center.
4. Set up a network shared directory between all computers in the IBM Business Automation Workflow cluster and the IBM Content Navigator computer.
   The shared directory must be the same on all computers. The computers must have the same operating system.
   • By default, the shared directory on the IBM Business Automation Workflow computer is install_root/CaseManagement/properties. If you customized the path to the shared directory, use that customized path. You can mount remote file systems. You can also use network file systems or distributed file systems to share files across computers, such as NFS, GPFS, etc.
   • By default, the shared path on the IBM Business Automation Workflow computer is install_root\CaseManagement\properties. If you customized the path to the shared directory, use that customized path. If the path is a UNC path to share files among Windows servers, use a forward slash, for example //WIN129146/shareFolder instead of \\WIN129146/shareFolder.
     1. On the IBM Content Navigator computer, create a folder with the same path as the IBM Business Automation Workflow shared directory.
     2. Share the directories between the computers.

   • For more information on how to change the default network shared directory, see Changing the network shared directory.

   •  Containers: To use an external IBM Business Automation Navigator running in a container, complete the following steps:
     1. Create a folder on the Business Automation Workflow computer. This folder must match the mountPath as seen by the container of the Custom plug-ins for IBM Business Automation Navigator, for example, /opt/ibm/plugins. See Creating volumes and folders for deployment on Kubernetes.
     2. Mount the folder that you created to the same shared directory for Custom plug-ins for IBM Business Automation Navigator, following the instructions in the same topic.
     3. Copy all folders and files from the previous network shared directory to the new network shared directory. By default, the network shared directory on the Business Automation Workflow computer is install_root\CaseManagement\properties.
     4. Run the BPMConfig command with the -update option.

         BPMConfig -update -profile DmgrProfile [-de deName] -networkDirectory new_directory_path

     5. Restart your Business Automation Workflow environment.
5. Optional:  Containers: To use an external IBM Business Automation Navigator running in a container, follow the instructions in Configuring IBM Business Automation Workflow with an external IBM Business Automation Navigator container. Then, return to the next step.
6. Stop the deployment environment. On the IBM Business Automation Workflow computer, run the setExternalNavigator command to configure IBM Business Automation Workflow to use the external IBM Content Navigator.
   Change directories to install_root/profiles/deployment_manager_profile/bin and run the command.
   For example,

   wsadmin.bat -connType none -lang jython
   AdminTask.setExternalNavigator(['-de', 'ProcessCenter', '-icnURL', 'https://icnhostname:ssl_port/navigator', '-icnAdminUser', 'P8Admin', '-icnAdminPassword', 'IBMFileNetP8'])
   AdminConfig.save()

   See setExternalNavigator command.
7. Import the IBM Content Navigator SSL certificate into the IBM Business Automation Workflow Case configuration tool.
   1. On the IBM Business Automation Workflow computer, access https://icn_host_name:ssl_port/navigator to obtain the SSL certificate from the IBM Content Navigator server. See Adding trusted certificates in Liberty.
   2. Import the certificate into the IBM Business Automation Workflow JVM by using the keytool command.
      For example,

      /opt/IBM/baw/java/jre/bin/keytool -import -keystore
      /opt/IBM/baw/java/jre/lib/security/cacerts -storepass changeit -file
      /u/ICN/certificate.crt
      

8. If you are upgrading from IBM Case Manager, return to Upgrading and follow the rest of the steps. If you are configuring an external Content Platform Engine, return to Configuring an existing external Content Platform Engine and follow the rest of the steps. Otherwise, start the deployment environment.
9. With the deployment environment running, run the Business Automation Workflow Case configuration tool to deploy the case plug-ins onto the IBM Content Navigator server.
   For information about the Case configuration tool, which is located under Workflow_install_root/CaseManagement/configure/, see the topic for your environment:

   • Workflow Center: Running the development environment case configuration tasks
   • Workflow Server: Running the production environment configuration tasks
10. Restart the deployment environment.