Clients must be authenticated by providing a user name and password from the user registry when administrative security is enabled. If a client tries to access a secured application without being authenticated, an exception is generated.
| Client | Authentication options | Notes |
|---|---|---|
| Web services clients | You can use WS-Security/SOAP authentication | |
| Web or HTTP clients | HTTP Basic authentication (the browser prompts the client for a user name and password) | These clients reference JSPs, Servlets, and HTML documents |
| Java™ clients | JAAS | |
| All clients | SSL client authentication |
Some of the components of the IBM Business Process Manager infrastructure have authentication aliases that are used to authenticate the runtime code for access to databases and the messaging engine. The IBM Business Process Manager installer collects the user name and passwords to create these aliases.
Some runtime components have message-driven beans (MDBs) that are configured with a runAs role. The IBM Business Process Manager installer collects the user name and password for the runAs role.
Several components of IBM Business Process Manager use
predefined aliases for authenticating with messaging engines and databases. 
During profile creation, these authentication aliases
are given a default value of the main administrator user identity
and password. You should configure these aliases to correspond to
other users in your user account repository.
The
user names and passwords in the applicable response file are associated
with these aliases.
