Optional: Configuring Application Designer with Business Automation Workflow with toolkit contributions on premise

Finish configuring your IBM Business Automation Studio installation to integrate with Workflow Center in IBM Business Automation Workflow on premise.

With this integration, you can build applications that call actions that are bound to Workflow Services (process apps) defined in Business Automation Workflow. You can also use Business Automation Workflow capabilities and, for example, start processes in Business Automation Workflow.

Before you begin

Before the Business Automation Studio installation, you must have followed the procedure described in Preparing to configure Application Designer with Business Automation Workflow with toolkit contributions on premise.

Procedure

  1. To use the IBM Cloud Pak Platform UI (Zen) to connect to Identity and Access Management (IAM), create an OpenID Connect Relying Party (RP) Trust Association Interceptor (TAI) that accepts Zen tokens.
    Because only JSON Web Tokens (JWT) are required, you can follow the instructions in Configuring authentication with JSON Web Tokens (JWT). See the following example values:
    <openidConnectClient
        id="zenJWT"
        inboundPropagation="required"
        jwkEndpointUrl="https://internal-nginx-svc:12443/auth/jwks"
        signatureAlgorithm="RS256"
        issuerIdentifier="KNOXSSO"
        uniqueUserIdentifier="username"
        groupIdentifier="permissions"
        audiences="DSX"
        realmName="jwtrealm">
      </openidConnectClient>
    Important:
    • jwkEndpointUrl must point to the Zen route, not the Zen internal service. Business Automation Workflow must trust the certificate of that route, which means it must import the Zen certificate.
    • Make sure that the Business Automation Workflow system uses the same LDAP server as IAM.
    • Configure the mapIdentityToRegistryUser=true or useRealm parameters according to your configuration requirements. See OpenID Connect Relying Party custom properties.
    1. To configure the TAI, in the WebSphere administrative console, select Global Security > Trust Association > Interceptors and add a new interceptor with the class name com.ibm.ws.security.oidc.client.RelyingParty.
      Specify its properties. You can get the jwkEndpointUrl from the cluster's external route for the ibm-nginx-svc. In the cluster, look in one of the Liberty-based pods in the /opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/zen_oidc.yml file. Use the same issuerIdentifier.
    2. Add a filter value of Authorization%=Bearer so that the TAI handles only requests that carry a Bearer token (JWT).
      Whether this filter is sufficient depends on whether Business Automation Workflow is configured for SSO. If it is not, Authorization%=Bearer works as is.
      Table 1. Sample properties
      Property                             Value
      provider_1.useJwtFromRequest         <required>
      provider_1.identifier                zen
      provider_1.issuerIdentifier          KNOXSSO
      provider_1.jwkEndpointUrl            https://cpd-ent-test.apps.bas-test.cp.example.com/auth/jwks
      provider_1.filter                    Authorization%=Bearer
      provider_1.audiences                 DSX
      provider_1.signatureAlgorithm        RS256
      provider_1.groupIdentifier           permissions
      provider_1.mapIdentityToRegistryUser true
    3. The users in the cluster must be available in the LDAP that is configured for WebSphere® Application Server. One way to ensure this is to do the following steps:
      1. Add IAM LDAP to the federated repository.
      2. Synchronize the nodes and restart the server.
    4. To enable Business Automation Workflow to communicate with Business Automation Studio, Application Engine, and IBM Resource Registry, add the shared operator root CA certificate to the Business Automation Workflow truststore.
      1. In the WebSphere administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates. Click Retrieve from port.
      2. Add the Zen URL from OpenShift as host, 443 as port, and an alias.
      3. Click Retrieve Signer Information. Click OK and Save.
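The following pre-flight check is an added example, not part of the IBM documentation or product: it decodes a Zen JWT and compares its header and claims with the TAI settings from step 1 (issuerIdentifier, audiences, signatureAlgorithm, uniqueUserIdentifier, groupIdentifier) and applies the Authorization%=Bearer filter rule, so a rejected token can be traced to a specific property before you change the WebSphere configuration. It does not verify the signature; that remains the TAI's job against the live jwkEndpointUrl, and the sample token, the TAI_CONFIG dictionary and the function names are constructed for this example.

```python
import base64
import json
import time

# TAI values copied from the sample properties on this page.
TAI_CONFIG = {"issuerIdentifier": "KNOXSSO", "audiences": "DSX",
              "signatureAlgorithm": "RS256", "uniqueUserIdentifier": "username",
              "groupIdentifier": "permissions"}

def header_filter_matches(headers, rule="Authorization%=Bearer"):
    """WebSphere's %= filter operator means 'header value contains'."""
    name, value = rule.split("%=", 1)
    return value in headers.get(name, "")

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def preflight(token, cfg=TAI_CONFIG, now=None):
    """Return the TAI settings this token would fail (empty list: it fits)."""
    header_b64, payload_b64, _sig = token.split(".")  # signature left to the TAI
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != cfg["signatureAlgorithm"]:
        problems.append(f"alg {header.get('alg')!r} != {cfg['signatureAlgorithm']}")
    if "kid" not in header:
        problems.append("no kid in header (JWKS key selection may fail)")
    if claims.get("iss") != cfg["issuerIdentifier"]:
        problems.append(f"iss {claims.get('iss')!r} != {cfg['issuerIdentifier']}")
    aud = claims.get("aud", [])
    if cfg["audiences"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"aud {aud!r} does not include {cfg['audiences']}")
    if not claims.get(cfg["uniqueUserIdentifier"]):
        problems.append(f"no {cfg['uniqueUserIdentifier']} claim (uniqueUserIdentifier)")
    if cfg["groupIdentifier"] not in claims:
        problems.append(f"no {cfg['groupIdentifier']} claim (groupIdentifier)")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

def make_sample_token(header, claims):
    """Constructed test token: real base64url encoding, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"

# Constructed sample of a token shaped for the configuration above.
SAMPLE_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "zen-key-1"},
    {"iss": "KNOXSSO", "aud": "DSX", "username": "bawadmin",
     "permissions": ["administrator"], "exp": 2000000000})
```

Run preflight() on a token captured from the Zen route; each reported line names the TAI property (or claim) that does not match, and an empty list means only the signature and JWKS retrieval remain to be checked by the TAI itself.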
  2. Import the Business Automation Workflow toolkits into Business Automation Studio.

    Download the Start_Process_Configurator and Workflow_Services toolkits from https://github.com/icp4a/baw-toolkit/blob/master/README.md and import them into Business Automation Studio manually.

  3. Choose one of the following methods to configure Business Automation Workflow with Resource Registry information.
    • Use the Business Automation Workflow REST API with curl or Postman.
      For example, the following command uses base64 to encode your Business Automation Workflow deployment environment (DE) administrator username and password and sends them as authorization in the HTTP header to configure Resource Registry.
      curl -u baw_de_admin:baw_de_password \
      -kLX POST https://baw_host:baw_port/rest/bpm/wle/v1/resourceregistry/connection \
      -H "Content-Type: application/json" \
      -d '{ "url": "URL", "uname": "username", "password": "password" }'
      where
      • For OpenShift platforms, URL is https://cluster_external_route_for_ibm-nginx-svc/resreg, that is, the cluster's external route for the ibm-nginx-svc with /resreg appended
      • For other platforms, URL is https://resource-registry-host-name:resource-registry-port
      • username is the username of the Resource Registry writer
      • password is the password of the Resource Registry writer
      You can run the following command to check that the Resource Registry information was added successfully:
      curl -u baw_de_admin:baw_de_password \
      -kLX GET https://baw_host:baw_port/rest/bpm/wle/v1/resourceregistry/connection
    • Use IBM Workflow Center.
      Log in to IBM Workflow Center at https://baw_host:baw_port/WorkflowCenter with your deployment environment administrator username and password. Set Preferences to Advanced. Select Administration > Resource Registry > Settings and click Edit Settings. Configure the following settings.
      • URL is https://resource-registry-host-name:resource-registry-port
      • user_name is the username of the Resource Registry writer
      • password is the password of the Resource Registry writer
    • (Deprecated in 19.0.0.3) Update the 100custom.xml configuration file in Business Automation Workflow with Resource Registry information. See Location of 100Custom configuration files for where to find the file and follow the instructions in Creating a 100Custom.xml configuration file for how to change the file.
      1. Because clear-text passwords are not recommended in Business Automation Workflow, encrypt your Resource Registry password. See Enabling encrypted passwords in proxy settings.
      2. Add the following content into 100custom.xml under <properties>, which is already in the file.
        <properties>
            <server>
                <resource-registry>
                    <url>https://resource-registry-hostname:resource-registry-port</url>
                    <uname>writer username</uname>
                    <password>writer password</password>
                    <password-encrypted>true</password-encrypted>
                </resource-registry>
            </server>
        </properties>
        where
        • url is the URL of the Resource Registry, for example, rr.host-IP.nip.io:port
        • uname is the username that is set for the Resource Registry
        • password is the password that you encrypted for the Resource Registry
        • password-encrypted tells the Resource Registry that the password is encrypted
      3. Restart the whole environment, including the cluster server, nodes, and deployment manager, to synchronize the 100custom.xml file across all nodes.
  4. Verify that Business Automation Studio is configured with Business Automation Workflow.
    1. Log in to Business Automation Studio (https://bastudio_host_name:bastudio_port/BAStudio) with your username and password.
    2. Set Preferences to Advanced.
    3. Select Apps > Toolkits and make sure that the Workflow Services were added. Click Details to see information about them. In Snapshots, you can see the current version of the Workflow Services.
    4. Create a sample app that incorporates the Workflow Services to make sure they are working correctly.