Configuring Secure Sockets Layer (SSL) communication in a network deployment environment

If you are using IBM® Business Process Manager V8.5.0.0, the following steps are required to make the communication between the Process Center and the Process Server work with HTTPS in a network deployment environment.

Before you begin

  • IBM Business Process Manager generates a default signer certificate during profile creation and uses it to sign personal certificates for all of the Java virtual machines in the cell. If you do not want to use the default signer certificate, you must create a personal certificate request to obtain a certificate that is signed by a certificate authority (CA). Refer to Creating a certificate authority request.
  • To import an SSL security certificate into Integration Designer, see Importing an SSL security certificate into Integration Designer.
  • If the 100Custom.xml does not yet exist in the PROFILE_HOME\config\cells\cell_name\nodes\node_name\servers\server_name\server_type\config directory, create it as described in Managing IBM Process Server configuration settings.
  • Ensure that the Common Name field of the SSL certificate matches the host name that will be used to access the server. For information on troubleshooting connection problems, see SSL fails when host name configuration fails.

About this task

If you are using IBM Business Process Manager V8.5.0.1, HTTPS is set as the default for communication from Process Center to Process Server. If you want to change to insecure HTTP, see Changing to insecure HTTP communication between Process Center and Process Server.

Procedure

  1. Import the Process Server WebSphere® Application Server root SSL certificate into Process Center.
    1. In the Process Center WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.
    2. Enter the Host name, the secure Port of the Process Server profile (WC_defaulthost_secure), and an Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
      Note: The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    3. Click Apply and save your changes.
  2. Import the Process Center root SSL certificate into Process Server.
    1. In the Process Server WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.
    2. Enter the Host name, the secure Port of the Process Center profile (WC_defaulthost_secure), and an Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
      Note: The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    3. Click Apply and save your changes.
  3. Open WAS_HOME\bin and run the following commands on both the Process Center and the Process Server so that internal links use HTTPS and the secured port.
    Note: You only need to run these commands if you have upgraded from a version prior to 8.5.0.1.
    For example:
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/BPMProcessServer:/") # use BPMProcessCenter or BPMProcessServer depending on your environment
    wsadmin> print ps # one id per line; check how many Process Server objects were returned
    wsadmin> print AdminConfig.show(ps) # look at useHTTPSURLPrefixes to see the current value
    wsadmin> AdminConfig.modify(ps, [['useHTTPSURLPrefixes', 'true']])
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
  4. Optional: Disable all unsecured ports on all Process Center and Process Server servers.
    1. Log in to the WebSphere Application Server administrative console and navigate to Servers > Server Types > WebSphere Application Servers.
    2. For each server, click the server link, then go to Container Settings > Web Container Settings > Web container transport chains.
    3. Click each link for the unsecured port, for example, HttpQueueInboundDefault, and clear the Enabled check box.
    4. Repeat these steps for all WebSphere Application Server cluster members on all nodes. For example, if the xxx.AppTarget cluster has members on Node1 and Node2, these steps must be performed on both nodes.
  5. Optional: In the Process Center WebSphere Application Server administrative console, click Security > Global security > Web and SIP security > Single sign-on (SSO) and check the Requires SSL check box.
  6. Optional: In the Process Server WebSphere Application Server administrative console, click Security > Global security > Web and SIP security > Single sign-on (SSO) and check the Requires SSL check box.
  7. Specify HTTPS URLs and ports for all Representational State Transfer (REST) services for your environment by using the REST service administrative console page.
    1. Click Services > REST services > REST service providers.
    2. Select all from the Scope selection pull-down menu.
    3. Click the REST service provider in the Provider Application field and specify the Host name (or the virtual host, in a load-balanced environment) and the Port.
      Important: For a REST Services Gateway deployment manager, use the deployment manager host name and port; do not use the IHS host name and port.
    4. Click Apply and save your changes.
  8. To make sure that Process Server connects to Process Center using SSL, specify an HTTPS URL for the processCenterUrl variable, as described in Modifying IBM Process Server connection properties.
    Note: If you are using IBM BPM V8.5.0.1, this step is not required if you have already provided the intended processCenterUrl value when running the BPMConfig command.
  9. Set the deploySnapshotUsingHttps property to true to make sure that the Process Center connects to the Process Server using SSL for online deployment. Run the following commands on both the Process Center and the Process Server.
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/BPMProcessCenter:/BPMServerSecurity:/") # use BPMProcessCenter or BPMProcessServer depending on your environment
    wsadmin> print AdminConfig.show(ps) # look at deploySnapshotUsingHttps to see the current value
    wsadmin> AdminConfig.modify(ps, [['deploySnapshotUsingHttps', 'true']]) # the default value is false
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
    Note: Whether this property is honored depends on the versions involved:
    • IBM Business Process Manager V8.5.0.1 and later Process Centers will use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.0 Process Servers.
    • IBM Business Process Manager V8.5.0.1 and later Process Centers will not use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.1 Process Servers. They will use the full URL, including protocol, as it was sent by the Process Server.
    • IBM Business Process Manager V8.5.0.0 Process Centers will use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.0 Process Servers.
  10. Restart the Process Server and Process Center servers.
    1. Use the WebSphere Application Server administrative console to stop the clusters.
    2. Stop the node agent and deployment manager.
    3. Restart the node agent.
    4. Restart the deployment manager.
    5. Use the WebSphere Application Server administrative console to start the clusters.
  11. Verify your configuration.
    1. Log in to the Process Center console over an HTTPS connection.
    2. On the Servers tab, click the runtime server and then Configure server, and confirm that the page opens in the browser over HTTPS.
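Steps 3 and 9 above can be applied in one non-interactive wsadmin Jython script instead of typing the commands one by one. The script below is an added example, not part of the IBM documentation: it passes the wsadmin AdminConfig object in as a parameter, handles the case where getid returns several ids (one per line), reads values with AdminConfig.showAttribute rather than parsing AdminConfig.show output, and ships with a small stand-in object so the logic can be exercised outside wsadmin; APP_CLUSTER and the stand-in ids are placeholders. Run it inside wsadmin with `wsadmin -conntype NONE -lang jython -f bpm_https.py`.

```python
def _ids(admin_config, path):
    # AdminConfig.getid returns matching config ids one per line ('' if none)
    return [i for i in admin_config.getid(path).splitlines() if i.strip()]

def set_bpm_https(admin_config, cluster_name, server_kind):
    """Set useHTTPSURLPrefixes (step 3) and deploySnapshotUsingHttps (step 9) to
    'true' on every matching BPM config object of cluster_name. server_kind is
    'BPMProcessCenter' or 'BPMProcessServer'. Returns {(id, attr): (old, new)}."""
    if server_kind not in ('BPMProcessCenter', 'BPMProcessServer'):
        raise ValueError('server_kind must be BPMProcessCenter or BPMProcessServer')
    base = '/Cell:/ServerCluster:%s/BPMClusterConfigExtension:/%s:/' % (cluster_name, server_kind)
    targets = [(base, 'useHTTPSURLPrefixes'),
               (base + 'BPMServerSecurity:/', 'deploySnapshotUsingHttps')]
    changes = {}
    for path, attr in targets:
        ids = _ids(admin_config, path)
        if not ids:
            raise RuntimeError('no configuration object matches %s' % path)
        for obj in ids:
            old = admin_config.showAttribute(obj, attr)
            if old != 'true':
                admin_config.modify(obj, [[attr, 'true']])
            changes[(obj, attr)] = (old, admin_config.showAttribute(obj, attr))
    return changes

class StandInAdminConfig:
    """Stand-in for wsadmin's AdminConfig, for running outside wsadmin only:
    maps containment paths to config ids and ids to their attributes."""
    def __init__(self, paths, attrs):
        self.paths, self.attrs, self.saved = paths, attrs, 0
    def getid(self, path):
        return '\n'.join(self.paths.get(path, []))
    def showAttribute(self, obj, attr):
        return self.attrs[obj][attr]
    def modify(self, obj, pairs):
        for name, value in pairs:
            self.attrs[obj][name] = value
    def save(self):
        self.saved = 1

try:
    AdminConfig  # predefined only inside a wsadmin session
except NameError:
    AdminConfig = None
if AdminConfig is not None:
    # APP_CLUSTER is a placeholder: substitute your application cluster name
    set_bpm_https(AdminConfig, 'APP_CLUSTER', 'BPMProcessCenter')
    AdminConfig.save()
```

Run it once per environment with server_kind set to BPMProcessCenter or BPMProcessServer as the page requires for step 3 and step 9; objects that are already 'true' are left untouched and reported with old and new values equal.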