Enabling security for the Business Space component

If you expect to use a secured environment, enable security before you configure Process Portal. However, if needed, you can enable security manually later. To turn on security for Process Portal you must enable both application security and administrative security for the Business Space component.

Before you begin

Before you complete this task, you must have completed the following tasks:

Check that your user ID is registered in the user registry for your product.

About this task

The Business Space component is preconfigured to ensure authentication and authorization of access. Users are prompted to authenticate when accessing Process Portal URLs. Unauthenticated users are redirected to a login page.

The Business Space component is configured to be accessed by HTTPS by default. If you prefer HTTP because Process Portal is already behind a firewall, you can switch to HTTP by running the configBSpaceTransport.py script. The configBSpaceTransport.py script has parameters to switch to either HTTP or HTTPS if you want to change from a previous setting. See Designating HTTP or HTTPS settings for Process Portal: .

To enable authenticated access to Process Portal, you must have a user registry configured and application security enabled. Authorization to spaces and page content is handled internally as part of managing spaces.

Procedure

For complete instructions on security, see the security documentation for your product.
For the Business Space application, on the Global security administrative console page, select both Enable administrative security and Enable application security.
If you want to enable or remove security after you have configured the Business Space component with your IBM® Business Process Manager profile, you must modify the noSecurityAdminInternalUserOnly property in the ConfigServices.properties file.
The noSecurityAdminInternalUserOnly property specifies the administrator ID for Process Portal when security is disabled. By default, Business Space configuration sets the property to BPMAdministrator if security is disabled. When security is enabled, by default this property is set to the application server admin ID. If you want to enable or remove security after you have configured the Business Space component, use the application server admin ID.
1. Modify the ConfigServices.properties file noSecurityAdminInternalUserOnly property to set it to the application server admin ID. The ConfigServices.properties file is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for a cluster.
2. Run the updatePropertyConfig command using the wsadmin scripting client.
  Important: For Windows, the value for the propertyFileName parameter must be the full path to the file, and all backslashes must be double, for example:AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]').
  - For a stand-alone server:
    The following example uses Jython:
```
AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name 
-propertyFileName "profile_root\BusinessSpace\node_name\server_name
\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"]')
AdminConfig.save()
```
    The following example uses Jacl:
```
$AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name
 -propertyFileName "profile_root\BusinessSpace\node_name\server_name
\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"}
$AdminConfig save
```
  - For a cluster:
    The following example uses Jython:
```
AdminTask.updatePropertyConfig('[-clusterName cluster_name -propertyFileName
 "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\
config\ConfigService.properties" -prefix "Mashups_"]')
AdminConfig.save()
```
    The following example uses Jacl:
```
$AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName
 "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\
config\ConfigService.properties" -prefix "Mashups_"}
$AdminConfig save
```
3. Restart the server.
4. Log in to Process Portal and reassign the owners of the default spaces to the new administrator ID.

What to do next

After the administrative security and application security are turned on, you receive a prompt for a user ID and password when you log in to Process Portal. You must use a valid user ID and password from the selected user registry in order to log on. After you turn on administrative security, whenever you return to the administrative console, you must log in with the user ID that has administrative authority.
If you want to change the user account repository from the default for your product profile, follow the steps in Selecting the user account repository for Process Portal: Selecting the user account repository for dashboards.
If you have a cross-cell environment where Process Portal is remote from where IBM Business Process Manager is running, and the nodes are not in the same cell, set up single-sign-on (SSO) and Secure Sockets Layer (SSL) certificates. Follow the instructions in Setting up SSO and SSL for Process Portal: .
To designate who can perform administrator actions in the Process Portal environment, see Assigning the superuser role: .