Adding IBM Business Automation Workflow and IBM Federated Process Portal to use the User Management Service
Add IBM® Business
Automation Workflow and IBM Federated
Process Portal to use the User Management Service (UMS) for single sign-on (SSO) in either a production
environment or a quick start environment with a single server that uses a Derby
database.
Important:
- If you are using UMS version 1.0.0 that shipped with IBM Business Automation Workflow V18.0.0.1, you must manually update configuration properties in the wlp/ibmUserManagement/extension/configTemplates/workflow/connectToUms.jy script file.
- For UMS version 1.0.1 and later, the configuration properties are in a dedicated file and all required files are provided in a single .zip package.
To add an IBM Business
Automation Workflow server to use User Management Service for single sign-on, perform the following actions:
- Copy the file wlp/ibmUserManagement/extension/configTemplates/workflow/connectToUms-workflow.zip to the IBM Business Automation Workflow environment (on the dmgr machine), and extract it to a separate directory for each IBM Business Automation Workflow system. You will need the contents of this directory if you want to modify or delete your SSO configuration.
- Apply a matching configuration to the IBM Business
Automation Workflow system by performing the following actions:
- Edit the provided properties file connectToUms-workflow.properties and set appropriate values
for the variables:
ums_host
- The host name of your User Management Service.
ums_port
- The HTTPS port of your User Management Service.
oidcop_url_prefix
- The full URL prefix of your User Management Service. This value
can usually be calculate from
ums_host
andums_port
, but if you are using port 443, you can omit the port number. If this parameter is empty, the value used defaults to https://ums_host:ums_port/oidc/endpoint/ums. oidc_client_id
- The client identifier that is being registered with the User Management Service.
oidc_client_name
- A description of the client that is being registered with the User Management Service. The default value for this parameter is set to the
value of the
client_id
parameter. oidc_client_secret
- The secret for the client that is being registered with the User Management Service.
baw_cellname
- WebSphere cell name of this environment:
baw_de
- The name of the IBM Business Automation Workflow deployment environment:
baw_clustername
- Cluster where to install the OpenID Connect Relying Party application (typically AppTarget). For a standalone environment leave this blank "" .
baw_nodename
andbaw_servername
- Server where to install the OpenID Connect Relying Party application. In a standalone
(non-clustered) environment. Values will be ignored, if
baw_clustername
is provided. redirect_uris: (uri_1, uri_2,.. uri_n)
- This parameter specifies the full URLs in the OpenID Connect Relying Party to which the user can
be redirected after successful authentication. For example,
redirect_uris = https://baw_host:baw_port/oidcclient/ums
. The port number must be defined explicitly, even if you are using port 443. BAW_federated_portal = (true | false)
- To set configuration and Oauth settings for Process Portal and register it set this value to
true
. portal_redirect_uri
- The full URL in the OpenID Connect Relying Party to which the user can be redirected after
successful authentication. For example,
https://baw_host:baw_port/ProcessPortal/tokenReceiver.html
. The port number must be defined explicitly, even if you are using port 443. oidc_portal_client_id
- The client identifier that is being registered with the Offering Party. Unless specified, this
parameter value is generated from
oidc_client_name
+ "-ProcessPortal
". oidc_portal_client_name
- A description for the client that is being registered with the OP. Unless specified, this
parameter is set to the
client_id
parameter value by default. reauthAllowed
- Set to
true
if clients are allowed to reauthorize. The default value isfalse
. logoutTimeoutInSeconds
- Timeout before user is logged out after they see reauthorization modal. The default value is 60 seconds.
logoutTimeoutInSecondsWhileReauth
- Timeout before user is logged out after they started the re-authorization process. The default value is 120 seconds.
registerProductionConfiguration
- For UMS versions 1.0.0 to 1.0.3 only, this can be set to the value
true
orfalse
. If it is set totrue
then the following properties apply. - autoAcceptCertificate
- Set to
true
to automatically accept the certificates of the User Management Service server. - certificateFingerprint
- If you specify this optional parameter, the User Management Service fingerprint must match the value specified.
- ums_username
- Optionally specifies the user management admin user. This value must match your User Management Service configuration. If the user name is passed as a command line parameter, this parameter is ignored.
- ums_password
- Optionally specifies the user management admin user password. This value must match your User Management Service configuration. If the password is passed as a command line parameter, this parameter is ignored
Important: For a production environment, set oidcop_url_prefix for all clones to the URL of your web server. Set the same value for the attribute issuerIdentifier on the openidConnectProvider configuration element in each clone's wlp/usr/servers/serverName/server.xml file. For example:
As part of the OpenID Connect protocol, the User Management Service issues ID tokens in JSON Web Token (JWT) format, as specified in RFC 7519. One of the claims in these tokens is<openidConnectProvider id="ums" oauthProviderRef="oidcOAuthProvider" issuerIdentifier="https://umshost/oidc/endpoint/ums" />
issuer
, which is used to identify the entity that issued the token. This step is required because by default, the User Management Service specifies the URL of the server as the issuer, which works for a quick start single server, but doesn't work for multiple servers. For more information, see openidConnectProvider - OpenID Connect Server Provider (openidConnectProvider). - Set up the environment variables that points to IBM Business
Automation Workflow installation directory:
- Open a command prompt and navigate to the following directory:
- Linux: /opt/IBM/WebSphere/AppServer/profiles/profile_name/bin
- Windows: drive:\Program Files\IBM\WebSphere\AppServer\profiles\profile_name\bin
Where profile_name is the profile name of the Deployment Manager (typically, this is
Dmgr01
) and drive: is the system drive on which the file directory is stored. For example:C:
orD:
. - Execute the following script:
- Linux:
. setupCmdLine.sh
- Windows:
setupCmdLine.bat
- Linux:
- Open a command prompt and navigate to the following directory:
- Make sure that the Deployment Manager is running.
- Make sure that the User Management Service is running.
- To start the Liberty server named
serverName, issue the following command from the wlp\bin
directory:
server start serverName
- To stop the Liberty server named
serverName, issue the following command from the wlp\bin
directory:
server stop serverName
- To start the Liberty server named
serverName, issue the following command from the wlp\bin
directory:
- Run
connectToUms.bat
orconnectToUms.sh
to execute the parameters of your customized properties file. For example:
For example, on Windows:connectToUms.[bat|sh][action][options...]
Where action can be one of the following:connectToUms.bat add -username <user name> -password <password> -ums_username <User Management admin user> -ums_password <User Management admin user password>
add
- Add a client.
remove
- Remove an existing client.
modify
- Modify an existing client.
-? | -help
- This help message.
u <username> | -username <username>
- The user name of the Administrator role on WebSphere® Application Server. This administrator must be configured at the cell level, not at the cluster, node, or server level.
-p <password> | -password <password>
- The password of the WebSphere Application Server (unencrypted).
-ums_username <UMS username>
- User name of User Management Server administrator.
-ums_password <UMS password>
- The user password of User Management Server administrator (unencrypted).
Note: The batch file performs the following actions:- Register the WebSphere provided OpenID Connect Relying Party Trust Association Interceptor (TAI).
- Configure custom properties for the TAI to point to the User Management Service.
- Install the WebSphere provided OpenID Connect application.
- Import the SSL certificate of the User Management Service into IBM Business Automation Workflow default trust store.
- Configures a logout exit page so that users log out of the User Management Service after logging out of IBM Business Automation Workflow.
- Register IBM Business Automation Workflow as a client with the OpenID Connect Provider.
- Register Process Portal as a client with the OpenID Connect Provider.
- Configure OAuth for Process Portal.
- Configure Mashups Config Service for Process Portal.
For more information, see Configuring an OpenID Connect Provider to accept client registration requests.
- Edit the provided properties file connectToUms-workflow.properties and set appropriate values
for the variables:
- Save and synchronize the configuration and restart your environment. For information about synchronizing, see Synchronizing nodes using the wsadmin scripting tool.