The following steps are required to make the communication between the Workflow Center and the Workflow Server work with HTTPS in a network deployment environment.
Before you begin
- IBM® Business Automation Workflow generates a default signer certificate during profile creation and uses it to sign personal certificates for all of the Java virtual machines in the cell. If you do not want to use the default signer certificate, you must create a personal certificate request to obtain a certificate that is signed by a certificate authority (CA). Refer to Creating a certificate authority request.
- To import an SSL security certificate into Integration Designer, see Importing an SSL security certificate into Integration Designer.
- Ensure that the Common Name field of the SSL certificate matches the host name that will be used to access the server. For information on troubleshooting connection problems, see SSL fails when host name configuration fails.
- If the name of a server certificate does not match the host name of a server, an SSL connection failure may occur with the IOException message HTTPS hostname wrong. To help resolve this problem, you can add a Subject Alternative Name (SAN) set to the server certificate. Information about SAN sets is found in the topic SSL fails when host name configuration fails.
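The host name rule behind the last two prerequisites, as an added example that is not part of the original page or of IBM's code: it applies the RFC 2818 rule (dNSName SAN entries take precedence over the Common Name) to a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(). The host names and sample certificates are constructed, and that the JVM applies exactly this rule is an assumption.

```python
# Added example: RFC 2818-style host name check on a certificate given in the
# dict form that ssl.SSLSocket.getpeercert() returns. All names are constructed.

def _name_match(pattern, host):
    """Compare one DNS name from the certificate with the host name used."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard counts only as the whole left-most label, and only when at
    # least two further labels follow it (so "*.com" never matches).
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_host(cert, host):
    """Return (ok, reason). dNSName SAN entries, if present, override the CN."""
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        for name in san_dns:
            if _name_match(name, host):
                return True, "SAN dNSName %s" % name
        return False, "no SAN dNSName matches %s (CN ignored)" % host
    # The Common Name is consulted only when there is no dNSName SAN at all.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn
           if k == "commonName"]
    for cn in cns:
        if _name_match(cn, host):
            return True, "CN %s" % cn
    return False, "CN %s does not match %s" % (cns, host)


# Constructed sample certificates: one issued for the short host name only,
# one with a SAN set that also covers the fully qualified name.
CN_ONLY = {"subject": ((("commonName", "wfserver01"),),)}
WITH_SAN = {
    "subject": ((("commonName", "wfserver01"),),),
    "subjectAltName": (("DNS", "wfserver01.example.com"), ("DNS", "wfserver01")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY, "wfserver01.example.com"),
                       (WITH_SAN, "wfserver01.example.com"),
                       (WITH_SAN, "wfs.example.com")]:
        print(host, check_host(cert, host))
```

The first case is the typical mismatch: the certificate names the short host name while the server is reached by its fully qualified name.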
About this task
HTTPS is set as the default for communication from Workflow Center to Workflow Server. If you want to change to insecure HTTP, see Re-enabling HTTP access in Business Automation Workflow temporarily.
Procedure
- Import the Workflow Server WebSphere® Application Server root SSL certificate into Workflow Center.
  - In the Workflow Center WebSphere Application Server administrative console, click .
  - Enter the Host name, secure Port of the Workflow Server profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
    Note: The WC_defaulthost_secure profile is located in the WebSphere Application Server administrative console. Navigate to .
  - Click Apply and save your changes.
- Import the Workflow Center root SSL certificate into Workflow Server.
  - In the Workflow Server WebSphere Application Server administrative console, click .
  - Enter the Host name, secure Port of the Workflow Center profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
    Note: The WC_defaulthost_secure profile is located in the WebSphere Application Server administrative console. Navigate to .
  - Click Apply and save your changes.
- Open WAS_HOME\bin and run the following commands on both Workflow Center and Workflow Server to change internal links to use HTTPS and the secured port.
  Note: You only need to run this command if you have upgraded from a version prior to 8.5.0.1.
  For example:
    # Run the following commands on both the Workflow Center and Workflow Server.
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/environment_type:/")
    # For the environment_type variable, specify "BPMProcessCenter" when running in a
    # Workflow Center environment or specify "BPMProcessServer" when running in a Workflow Server environment.
    wsadmin> print ps # See how many Workflow Servers you listed
    wsadmin> print AdminConfig.show(ps) # look at useHTTPSURLPrefixes to see the current value
    wsadmin> AdminConfig.modify(ps, [['useHTTPSURLPrefixes', 'true']])
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
- Optional: Disable all unsecured ports on all Workflow Center and Workflow Server servers.
  - Log in to the WebSphere Application Server administrative console and navigate to .
  - For each server, click the server link, then go to .
  - Click each link for the unsecured port, for example, HttpQueueInboundDefault, and clear the Enabled check box.
  - Repeat these steps for all WebSphere Application Server cluster members on all nodes. For example, if the xxx.AppTarget cluster has members on Node1 and Node2, these steps must be performed on both nodes.
- Optional: In the Workflow Center WebSphere Application Server administrative console, click and check the Requires SSL check box.
- Optional: In the Workflow Server WebSphere Application Server administrative console, click and check the Requires SSL check box.
- Specify HTTPS URLs and ports for all Representational State Transfer (REST) services for your environment by using the REST service administrative console page.
  - Click .
  - Select all from the Scope selection pull-down menu.
  - Click on the REST service provider in the Provider Application field and specify the Host name or virtual host in a load-balanced environment and the Port.
    Important: For a REST Services Gateway deployment manager, use the deployment manager host name and port; do not use the IHS host name and port.
  - Click Apply and save your changes.
- To make sure that Workflow Server connects to Workflow Center using SSL, specify an HTTPS URL for the processCenterUrl variable, as described in .
  Note: This step is not required if you have already provided the intended processCenterUrl value when running the BPMConfig command.
- Set the deploySnapshotUsingHttps property to true to make sure that the Workflow Center connects to the Workflow Server using SSL for online deployment. Run the following commands on both the Workflow Center and the Workflow Server.
    # Run the following commands on both the Workflow Center and Workflow Server.
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/environment_type:/BPMServerSecurity:/")
    # For the environment_type variable, specify "BPMProcessCenter" when running in a
    # Workflow Center environment or specify "BPMProcessServer" when running in a Workflow Server environment.
    wsadmin> print AdminConfig.show(ps) # look at deploySnapshotUsingHttps to see the current value
    wsadmin> AdminConfig.modify(ps, [['deploySnapshotUsingHttps', 'true']]) # default value is false
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
  Note: Version support differences:
  - IBM Business Automation Workflow V8.5.0.1 and later Workflow Centers will use the deploySnapshotUsingHttps property setting for IBM Business Automation Workflow V8.5.0.0 Workflow Servers.
  - IBM Business Automation Workflow V8.5.0.1 and later Workflow Centers will not use the deploySnapshotUsingHttps property setting for IBM Business Automation Workflow V8.5.0.1 Workflow Servers. They will use the full URL, including protocol, as it was sent by the Workflow Server.
  - IBM Business Automation Workflow V8.5.0.0 Workflow Centers will use the deploySnapshotUsingHttps property setting for IBM Business Automation Workflow V8.5.0.0 Workflow Servers.
- Restart the Workflow Server and Workflow Center servers.
  - Use the WebSphere Application Server administrative console to stop the clusters.
  - Stop the node agent and deployment manager.
  - Restart the deployment manager.
  - Restart the node agent.
  - Use the WebSphere Application Server administrative console to start the clusters.
- Verify your configuration.
  - Log in to the Workflow Center console using an HTTPS connection.
  - From the Server tab, click and confirm that it is opened in a secure browser with HTTPS.