Advanced setup
Running as a service
To run the application as a service, enter the following commands as the root user:
cp <PM_HOME>/bin/pm*.service /etc/systemd/system/
chmod 664 /etc/systemd/system/pmweb.service
chmod 664 /etc/systemd/system/pmengine.service
chmod 664 /etc/systemd/system/pmanalytics.service
chmod 664 /etc/systemd/system/pmaccelerators.service
chmod 664 /etc/systemd/system/pmmonitoring.service
systemctl daemon-reload
systemctl enable pmengine.service
systemctl enable pmweb.service
systemctl enable pmanalytics.service
systemctl enable pmaccelerators.service
systemctl enable pmmonitoring.service
You must modify the *.service files to set the following configurations:
- The correct RUNAS user
- The correct PM_HOME path
Service start and stop
Use the following commands to test the service:
systemctl start pmengine
systemctl start pmweb
systemctl start pmanalytics
systemctl start pmaccelerators
systemctl start pmmonitoring
systemctl stop pmengine
systemctl stop pmweb
systemctl stop pmanalytics
systemctl stop pmaccelerators
systemctl stop pmmonitoring
Important: If SELinux is active, you must also perform the additional tasks described for SELinux.
Email service
The email service is used to send password reset emails to users. To enable it, edit the email section of <PM_HOME>/etc/processmining.conf as follows:
email: {
from: "sender@mycompany.com", # optional; if empty, the user field is used
user:"theaccount@mycompany.com",
password:"2bTPnxKK6rsf3z6VNpcEqA==",
smtp: {
starttls: {
enable: true,
required: true
},
auth: true,
host: "smtp.mycompany.com",
port: "465",
socketFactory: {
port: "465" ,
fallback: false
}
},
sendgrid : {
apikey: ""
# host: "" # optional; if empty, the default value is https://api.sendgrid.com/v3/mail/send
}
},
Using SendGrid
If you prefer SendGrid to SMTP as the mailer, the following configuration is required:
- Specify the email.from field (required).
- Specify email.sendgrid.apikey with your SendGrid API key (required).
- Define your SendGrid host in email.sendgrid.host (optional).
- Replace the smtp profile with sendgrid in the profiles section, as in the example:
profiles: [
...
...
"sendgrid", # smtp | sendgrid
...
...
]
Note: You must store the password in an encrypted format before saving the password in the file. See the "Password Encryption" section for more details.
Data encryption at rest
File system
You can encrypt the data files (CSV) that were uploaded into IBM Process Mining with AWS Key Management Service (KMS).
To encrypt the data files, you must edit the encryption
section in: <PM_HOME>/etc/processmining.conf
as follows:
encryption: {
aws: {
enabled: true,
region: "eu-west-1",
accessKeyId: "<YOUR AWS ACCESS KEY>",
secretKey: "<YOUR AWS SECRET KEY>",
# arn of the key
cmkId: "arn:aws:kms:eu-west-1:992429998518:key/30be1e99-e584-4de5-a2bd-8c9927990f73"
}
},
Then set engine.defaults.project.encryptSourceData to true.
The access key and secret key stored here are long-lived AWS credentials: restrict the file to the RUNAS user and scope the IAM policy of that access key to this KMS key only.
Warning: The AWS KMS key and the server must be in the same AWS region.
Note: This configuration must be provided during the initial setup. If you enable CSV encryption after projects have already been created, you must upload the CSV files of those projects again.
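As an added pre-flight check (example script, not part of IBM Process Mining), the following POSIX shell script reads the encryption keys shown above from processmining.conf and flags the mistakes the warning and note describe: a KMS key whose ARN region differs from the configured region, placeholder credentials left in place, and enabled or encryptSourceData not set to true. The write_sample_conf function builds a constructed sample file for demonstration only; the parsing assumes one key per line as in the fragment above, so this is a sanity check, not a HOCON parser.

```shell
#!/bin/sh
# Added example, not part of IBM Process Mining: sanity-check the
# encryption settings in processmining.conf before the first start.
# Assumes the keys appear one per line as in the fragment above,
# with values either bare (true) or double-quoted ("eu-west-1").

# conf_value <file> <key>: print the first value found for <key>
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# check_pm_encryption_conf <file>: print findings, return their count (0 = consistent)
check_pm_encryption_conf() {
  f="$1"; n=0
  enabled=$(conf_value "$f" enabled)
  region=$(conf_value "$f" region)
  cmk=$(conf_value "$f" cmkId)
  creds="$(conf_value "$f" accessKeyId)$(conf_value "$f" secretKey)"
  encrypt=$(conf_value "$f" encryptSourceData)

  [ "$enabled" = "true" ] || { echo "FINDING: encryption.aws.enabled is not true"; n=$((n+1)); }
  # The warning above requires the KMS key and the server to share a region.
  # A KMS key ARN is arn:aws:kms:REGION:ACCOUNT:key/ID, so REGION is field 4.
  arn_region=$(printf '%s' "$cmk" | cut -d: -f4)
  [ -n "$arn_region" ] && [ "$arn_region" = "$region" ] ||
    { echo "FINDING: region '$region' differs from key ARN region '$arn_region'"; n=$((n+1)); }
  case "$creds" in
    *"<"*) echo "FINDING: placeholder AWS credentials left in the file"; n=$((n+1)) ;;
  esac
  [ "$encrypt" = "true" ] || { echo "FINDING: engine.defaults.project.encryptSourceData is not true"; n=$((n+1)); }
  return "$n"
}

# write_sample_conf <file> <region> <encryptSourceData>: constructed sample
# input (not a real configuration, not real credentials) to exercise the check
write_sample_conf() {
  cat > "$1" <<EOF
encryption: {
  aws: {
    enabled: true,
    region: "$2",
    accessKeyId: "AKIAEXAMPLEKEY000000",
    secretKey: "example-secret-not-a-real-credential",
    # arn of the key
    cmkId: "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
  }
},
engine: {
  defaults: {
    project: {
      encryptSourceData: $3
    }
  }
}
EOF
}

# Usage: sh check-pm-encryption.sh <PM_HOME>/etc/processmining.conf
if [ $# -gt 0 ]; then
  check_pm_encryption_conf "$1"
fi
```

The exit status is the number of findings, so the script can gate an automated deployment: a non-zero status means the configuration would either fail at runtime (wrong region, placeholder keys) or silently leave the CSV files unencrypted (encryptSourceData not true).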
Database
Data encryption features are natively provided by the following databases:
- MongoDB Enterprise
- MongoDB Atlas
JVM memory settings
You must set the Java Heap memory settings according to the RAM that is available on the server.
Edit the following properties in <PM_HOME>/bin/environment.conf:
"JVM_MAX_HEAP_ENGINE"
The suggested value is 16g on a server with 32 GB of RAM available, and 24g on a server with more than 64 GB of RAM available.
"JVM_MAX_DIRECT_MEMORY_ENGINE"
The default value of 2g is usually adequate.
"JVM_MAX_HEAP"
The default value of 2g is usually adequate.
"JVM_MAX_DIRECT_MEMORY"
The default value of 1g is usually adequate.
After changing the JVM settings, you must restart the server to make the change effective.
Operating system settings
When you create many projects and snapshots that you use regularly, the server keeps many files open at once, so raise the open-file limits.
In /etc/sysctl.conf, set:
fs.file-max = 2097152
and apply it with:
sudo sysctl -p
In /etc/security/limits.conf (for example with sudo vi /etc/security/limits.conf), add:
* soft nofile 500000
The limits.conf change applies to new sessions only; verify the per-process limit from a fresh login shell with:
ulimit -Sn
Enabling advanced security on Nginx
For a production environment, it is suggested to enable the Nginx advanced security configurations.
Mitigate slow-post attacks
This configuration mitigates slow-POST denial-of-service attacks, in which clients hold connections open by sending request headers or bodies very slowly.
Edit the file /etc/nginx/conf.d/processmining.conf and uncomment the sections related to 'DDoS slow-post mitigate attack':
client_body_timeout 5s;
client_header_timeout 5s;
location /signin {
limit_req zone=one;
limit_conn addr 10;
proxy_pass http://localhost:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
and the zone definitions, which belong in the http context:
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;
With these settings each client address may send at most 30 requests per minute to /signin (excess requests are rejected immediately, with HTTP 503 by default, because no burst is configured) and hold at most 10 concurrent connections. Both zones key on $binary_remote_addr, so if Nginx itself sits behind another proxy or load balancer every request appears to come from that device and the limits would apply to all users together; key on the real client address in that case.
Prevent Host Header Injection
Edit the file /etc/nginx/conf.d/processmining.conf and:
- Replace server_name _; with server_name <CURRENT PUBLIC HOSTNAME>;, for example:
server_name pm.mycompany.com;
- Uncomment the section 'Prevent Host Header Injection'. This logs requests whose Host header does not match the configured hostname to a dedicated file.
- Update the section related to certificates.
The catch-all server_name _; accepts any Host value and, because the proxied Host header is $http_host, passes it unchanged to the application, where a forged value can be reflected into generated absolute URLs. Binding the server block to the real public hostname keeps such requests from reaching the application.
Secure integration with Task Mining web application
In a production environment, it is recommended to set the Task Mining web application hostname correctly.
Edit the sso.redirect section in <PM_HOME>/etc/processmining.conf as follows:
sso: {
redirect: {
# For security reasons, in a production environment this must be set to the Task Mining hostname, for example tm.mycompany.com
allow: ""
},
Automatic Update of End Activities
The automatic update of end activities can be enabled through the following configuration parameter:
engine: {
defaults: {
endActivity: {
enable: true
},
If this parameter (or the environment variable END_ACTIVITY) is absent or has a value other than "true", the automatic update is disabled.
Generating a key pair for the process app configuration
A key pair contains a public key and a private key that enable the Process App services to communicate with IBM Process Mining and SAP Procure-to-Pay. You can generate the key pair for Process App with the generateKeyPair.sh script.
For more information about using the generateKeyPair.sh script to generate the key pair, see Creating private key and public key for Process App. However, if you need to remove the existing key pair and replace it with a new one manually, do the following steps:
- Go to the <PM_HOME>/etc directory, for example:
cd /opt/processmining/etc
- Delete the existing key pair files acf-ext-publicKey.der, acf-core-privateKey.der and keypair-callsToAcf.pem:
rm -i acf-ext-publicKey.der
rm -i acf-core-privateKey.der
rm -i keypair-callsToAcf.pem
- Generate an RSA key pair in .pem format:
openssl genrsa -out keypair-callsToAcf.pem 2048
- Export the public key in .der format to the <PM_HOME>/etc directory:
openssl rsa -in keypair-callsToAcf.pem -outform DER -pubout -out acf-ext-publicKey.der
- Export the private key in .der format to the <PM_HOME>/etc directory:
openssl pkcs8 -topk8 -nocrypt -in keypair-callsToAcf.pem -outform DER -out acf-core-privateKey.der
Both keypair-callsToAcf.pem and acf-core-privateKey.der hold the private key unencrypted (-nocrypt), so restrict them to the RUNAS user (for example with chmod 600).
Generating the JWT signkeys for process app
You can generate JWT signkeys to establish and secure the communication between the Process App services and applications. By default, two signkeys, one each for IBM Process Mining and SAP Procure-to-Pay, are provided in the basic settings. If you want to generate new JWT signkeys, you can use the following key generator portal: https://asecuritysite.com/encryption/keygen.
A signkey is a shared secret: whoever holds it can mint tokens the services accept. A key derived from a short passphrase is only as strong as that passphrase, and a key generated in a third-party web page leaves your control before it is used, so for a production environment generate it locally from a cryptographic random source (for example openssl rand -base64 32).
To generate a JWT signkey in the key generator tool, do the following steps:
- In the Passphrase field, type a passphrase of your choice.
- Select the encryption algorithm and generate two signkeys, one for IBM Process Mining and one for SAP Procure-to-Pay.
- Copy the generated JWT signkeys to the following locations:
First generated key (IBM Process Mining):
- the ProcessMiningService field in the issuer.jwt.key section of the <PM_HOME>/etc/accelerator-core.properties file
- the secret field in the accelerator section of the <PM_HOME>/etc/processmining.conf file
Second generated key (SAP Procure-to-Pay):
- the SapP2pService field in the issuer.jwt.key section of the <PM_HOME>/etc/accelerator-core.properties file
- the pm.accelerator.jwt.key field in the <PM_HOME>/etc/accelerators/batch-sap-p2p.properties file
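The manual key pair steps above and the signkey generation in this section, as one added shell script. This is example code, not IBM's generateKeyPair.sh; it assumes OpenSSL 1.1.1 or later on PATH and writes the same three file names into a directory you pass (for instance <PM_HOME>/etc). Beyond the five steps it verifies that the exported DER public key really belongs to the exported DER private key, which catches a stale acf-ext-publicKey.der left over from an earlier pair, and it mints the two JWT signkeys from OpenSSL's random source instead of a web page.

```shell
#!/bin/sh
# Added example, not IBM's generateKeyPair.sh: regenerate the Process App
# RSA key pair into a directory, confirm the two DER exports belong to the
# same key, and mint JWT signkeys locally. Assumes OpenSSL 1.1.1 or later
# on PATH; the file names are the ones used in the steps above.

# gen_acf_keypair <dir>: create the PEM key pair and its DER exports in <dir>
gen_acf_keypair() {
  dir="$1"
  (
    umask 077    # every file is created owner-readable only
    openssl genrsa -out "$dir/keypair-callsToAcf.pem" 2048 2>/dev/null &&
    openssl rsa -in "$dir/keypair-callsToAcf.pem" -outform DER -pubout \
      -out "$dir/acf-ext-publicKey.der" 2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -in "$dir/keypair-callsToAcf.pem" -outform DER \
      -out "$dir/acf-core-privateKey.der"
  ) || return 1
  chmod 644 "$dir/acf-ext-publicKey.der"   # only the public key may be world-readable
}

# verify_acf_keypair <dir>: succeed only if the DER public key is byte-for-byte
# the SubjectPublicKeyInfo derived from the DER private key
verify_acf_keypair() {
  openssl pkey -inform DER -in "$1/acf-core-privateKey.der" -pubout -outform DER 2>/dev/null |
    cmp -s - "$1/acf-ext-publicKey.der"
}

# gen_jwt_signkey: print a fresh 256-bit random secret, base64-encoded,
# usable for the issuer.jwt.key / accelerator secret fields listed above
gen_jwt_signkey() {
  openssl rand -base64 32
}

# Usage: sh acf-keys.sh <PM_HOME>/etc
if [ $# -gt 0 ]; then
  gen_acf_keypair "$1" && verify_acf_keypair "$1" && echo "key pair in $1 verified"
  echo "ProcessMiningService signkey: $(gen_jwt_signkey)"
  echo "SapP2pService signkey:        $(gen_jwt_signkey)"
fi
```

Run it as the RUNAS user (or chown the files afterwards) so the private key files are owned by the account that starts the services, and restart the services after replacing the pair.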
Configuring the settings for RPA bot generation
You can use IBM Process Mining to generate RPA bots. To do so, the Task Mining environment must be linked to the Process Mining environment and the active vendors must be defined in the configuration file.
To link the Task Mining application to the Process Mining application, update the etc/processmining.conf file with the following configuration:
taskmining : {
url : "https://pm-qa-candidate-task-miner.fyre.ibm.com"
}
Note: Replace the url value with the URL of the Task Mining application in your environment.
You must list the allowed set of active vendors in the etc/processmining.conf file. To define the active vendors for an installation, add the following configuration to that file:
rpa : {
activeVendors : "IBM_RPA,UI_PATH"
}