The products are configured in two different cells. Both
cells need access to the same users, and they must share single sign-on (SSO)
and trust each other's Secure Sockets Layer (SSL) certificates.
Before you begin
Topic scope: This topic applies
to the following products:
- IBM® Business Process Manager Standard
- IBM Business Process Manager Advanced
Before you configure a cross-cell setup, complete the
following tasks:
- Install and configure IBM Case Manager V5.1
or later in one cell.
- Install and configure IBM Business Process Manager Advanced or IBM Business Process Manager Standard in
another cell.
Procedure
- Configure the IBM BPM and IBM Case Manager cells so that they
have access to the same users. There are different possible
ways to achieve this, depending on your choice of user account repository.
For example, if you have an existing LDAP server, you can make it
available to both cells.
- Identify the necessary search filters that match your user
repository definitions. Both cells require identical filter
strings for the following searches:
- User
- Group
- Group membership
You must inspect the definitions for your user repository to
be able to determine the correct filter strings. For
example, if you use an LDAP server that has the following definitions:
- Group: groupOfNames
- OrgContainer: organization;organizationalUnit;domain;container
- PersonAccount: inetOrgPerson
The appropriate search filters would be the following:
- User search filter: (&(objectClass=inetOrgPerson)(uid={0}))
- Group search filter: (&(cn={0})(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames)))
- Group membership search filter: (|(&(objectclass=groupOfNames)(member={0}))(&(objectclass=groupOfUniqueNames)(uniqueMember={0})))
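Because both cells must carry byte-identical filter strings, it pays to confirm that the three filters actually match your entries before you type them into two administrative consoles. The script below is an added example and is not part of the IBM page or product: it is a small evaluator for the subset of LDAP filter syntax the filters above use (&, | and attribute=value), run against three constructed entries (a person, a groupOfNames and a groupOfUniqueNames). It substitutes {0} the way the console does, and it shows that the page's membership filter finds both group types while a narrower filter that only knows groupOfNames silently drops a group, which is the kind of mismatch that must not differ between the two cells. Entry DNs and names are made up.

```python
"""Evaluate the cross-cell LDAP search filters against constructed entries.

Added example, not from the IBM page. Supports the filter subset the page's
filters use: (&...), (|...) and (attr=value). Attribute names and values are
compared case-insensitively, a simplification of the real LDAP matching
rules (caseIgnoreMatch, distinguishedNameMatch) that is good enough here.
"""

# Constructed sample directory entries (not taken from a real directory).
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE_ENTRIES = [
    {"dn": [ALICE_DN],
     "objectClass": ["inetOrgPerson", "organizationalPerson", "person"],
     "uid": ["alice"], "cn": ["Alice Example"]},
    {"dn": ["cn=bpm-admins,ou=groups,dc=example,dc=com"],
     "objectClass": ["groupOfNames"], "cn": ["bpm-admins"],
     "member": [ALICE_DN]},
    {"dn": ["cn=case-workers,ou=groups,dc=example,dc=com"],
     "objectClass": ["groupOfUniqueNames"], "cn": ["case-workers"],
     "uniqueMember": [ALICE_DN]},
]

# The three filters from the page; {0} is the placeholder WebSphere fills in.
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid={0}))"
GROUP_FILTER = ("(&(cn={0})(|(objectClass=groupOfNames)"
                "(objectClass=groupOfUniqueNames)))")
MEMBERSHIP_FILTER = ("(|(&(objectclass=groupOfNames)(member={0}))"
                     "(&(objectclass=groupOfUniqueNames)(uniqueMember={0})))")
# A narrower membership filter, to show what a mismatch between cells costs.
NAMES_ONLY_MEMBERSHIP_FILTER = "(&(objectclass=groupOfNames)(member={0}))"


def parse_filter(text):
    """Parse a filter string into a tree: ('&', [...]), ('|', [...]) or
    ('=', attr, value). Raises ValueError on unsupported syntax."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":
            raise ValueError("negation is not supported in this example")
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated filter item")
            attr, sep, value = text[pos:end].partition("=")
            if not sep or not attr:
                raise ValueError(f"expected attr=value at offset {pos}")
            pos = end
            node = ("=", attr, value)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Return True if the parsed filter matches the entry."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def search(filter_template, argument, entries=SAMPLE_ENTRIES):
    """Fill {0} as the console does and return the DNs of matching entries."""
    node = parse_filter(filter_template.replace("{0}", argument))
    return [entry["dn"][0] for entry in entries if matches(node, entry)]


if __name__ == "__main__":
    print("user  :", search(USER_FILTER, "alice"))
    print("group :", search(GROUP_FILTER, "case-workers"))
    print("groups of alice, page filter :", search(MEMBERSHIP_FILTER, ALICE_DN))
    print("groups of alice, names only  :",
          search(NAMES_ONLY_MEMBERSHIP_FILTER, ALICE_DN))
```

To use it against your own directory, replace SAMPLE_ENTRIES with a few entries copied from an ldapsearch of your base entry (one person, one of each group object class you use) and run the three filters with real values; the names-only run illustrates how a cell configured with an incomplete membership filter would assign fewer groups, and therefore different authorizations, than the other cell.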
- Collect information about the user repository. Depending
on the type of user repository you use, collect appropriate information
such as the server host name, port number, login property, certificate
mapping, and LDAP base entry distinguished name.
- On the IBM Case Manager server,
add the user directory to the federated realm.
- Start the Enterprise Manager and connect to the IBM Case Manager P8
domain.
- To start the Create a Directory
Configuration wizard, right-click Enterprise Manager,
select Properties, select the Directory
configuration tab, and click Add.
The Create a Directory Configuration Wizard window
opens.
- Enter all the information that is required
by the wizard about your user repository.
- Add a base entry for the user repository to
the federated realm. In the administrative console, click then in the User account repository section,
click then enter the required
information about the user repository. Click OK and Save.
Note: If
you use an LDAP server, make sure that you specify EXACT_DN for
the certificate mapping.
- Restart the IBM Case Manager environment.
- Verify that you can search the user
repository. In the administrative console, click . In the Search for users section
enter a string in the Search for field that
should match some existing users in the repository, for example a*,
click Search and verify that matching users
are found.
- On the IBM BPM server,
add the user directory to the federated realm.
- Add a base entry for the user repository to
the federated realm. In the administrative console, click then in the User account repository section,
click then enter the required
information about the user repository. Click OK and Save.
Note: If
you use an LDAP server, make sure that you specify EXACT_DN for
the certificate mapping.
- Restart the IBM BPM environment.
- Verify that you can search the user
repository. In the administrative console, click . In the Search for users section
enter a string in the Search for field that
should match some existing users in the repository, for example a*,
click Search and verify that matching users
are found.
- Configure cross-cell single sign-on (SSO).
- Verify that automatic key generation is turned off. If a cell keeps generating new LTPA keys on its own schedule, its keys drift away from the shared key and cross-cell SSO fails until the key is exported and imported again; with automatic generation off, plan a manual rotation across all cells instead. Perform the following steps for all participating cells for IBM BPM and IBM Case Manager.
- In the administration console, click
- Expand the branches of the tree down to either the inbound or
outbound management scope that contains the key set group, and then
click the scope link for the cell.
- In the Related Items section, click Key
Set Groups.
- Click the key set group NodeLTPAKeySetGroup.
- Clear the Automatically generate keys option.
- Click OK and Save to
save the changes to the master configuration.
- Start the server again to activate the changes.
- Remember to perform steps 6.a.i to 6.a.vii for
all participating cells for both products.
- Share a common LTPA key between all participating cells.
As an example, the following steps illustrate exporting the LTPA key
from the IBM BPM server and importing it into the keystore of
one IBM Case Manager cell.
- In the IBM BPM administration console click , then in the Authentication section,
click LTPA.
- In the Cross-cell single sign-on section
enter a new strong password and a key file name. The file is created
in the server's profile root directory unless a fully qualified path
is specified. The exported file holds the LTPA keys protected only by that
password; anyone who has both can mint tokens that every participating cell
accepts, so protect the password, transfer the file over a protected channel,
and delete all copies once the import has succeeded.
- Click Export keys then OK.
- Transfer the exported key file in binary mode to the
file system of the IBM Case Manager cell.
- In the IBM Case Manager administration console, click , then in the Authentication section,
click LTPA.
- In the Cross-cell single sign-on section
enter the password and a key file name.
- Click Import keys then OK.
- If your setup includes more cells, repeat steps 6.b.iv to 6.b.vii for each additional cell.
- Set the same domain name for SSO. Perform
the following steps for all participating IBM BPM and IBM Case Manager
cells.
- In the administration console, click .
- In the Authentication section,
expand Web and SIP security, then click Single
sign-on (SSO).
- In the General Properties section, specify
the following configuration values:
- Select the Enabled option.
- For Domain name, enter the DNS domain that is common to all
participating servers, for example, example.com. The browser sends the
LTPA cookie only to hosts within this domain, so every server must be
addressed by a fully qualified host name that ends in it (bpmserver.example.com
and icmserver.example.com, not a short name or an IP address).
- Set Requires SSL the same way in all cells. If it is selected, the cookie
is sent only over HTTPS, and http:// URLs such as the ones in the verification
step will not carry it.
- Make sure that the Interoperability Mode and Web
inbound security attribute propagation options are both
selected.
- Click OK and save the changes to
the master configuration.
- Remember to perform steps 6.c.i to 6.c.iii.4 for
all participating cells.
- Verify that SSO works across the cells. If
you have Business Space configured
on IBM BPM perform the following actions:
- Using a web browser, open the IBM BPM Business Space client by entering
a URL similar to the following example http://bpmserver.example.com:9080/BusinessSpace.
- Log on using a user name and password that is stored in the shared
LDAP server.
- Without closing the IBM BPM Business Space tab, press Control-T to
open a new tab in the browser.
- In the new browser tab, open the IBM Case Manager case
client by entering a URL similar to the following example http://icmserver.example.com:9080/CaseClient.
- If the case client opens as the same user without prompting for a user ID
and password, SSO is working. If you are prompted again, check that both URLs
use fully qualified host names inside the SSO domain, that Requires SSL is set
the same way in both cells, and that the LTPA key import succeeded in every cell.
- Configure SSL by exchanging the server SSL certificates.
- Extract the root SSL certificate from the IBM BPM server. Perform the following actions using the administration console
on the IBM BPM server.
- Click .
- Select the root certificate then click Extract.
- Enter a file name for the exported certificate, for example, c:\bpmserverCert.pem,
and click OK.
Note: If you are using a remote desktop connection, the exported
certificate will be saved on the machine from which you started the
administration console.
- Transfer the exported certificate file in binary mode
to the IBM Case Manager file system.
- Add the IBM BPM server
certificate to the IBM Case Manager server. Perform the following actions using the administration console
on the IBM Case Manager server.
- Click .
- Click Add.
- Enter an alias, for example, bpmserver.
- Enter the file name of the IBM BPM server
certificate, for example, c:\bpmserverCert.pem,
and click OK.
- Save the changes.
- Extract the root SSL certificate from the IBM Case Manager server. Perform the following actions using the administration console
on the IBM Case Manager server.
- Click .
- Select the root certificate then click Extract.
- Enter a file name for the exported certificate, for example, c:\icmserverCert.pem,
and click OK.
Remember: If you are using a remote desktop connection,
the exported certificate will be saved on the machine from which you
started the administration console.
- Transfer the exported certificate file in binary mode
to the IBM BPM file system.
- Add the IBM Case Manager server
certificate to the IBM BPM server. Perform the following actions using the administration console
on the IBM BPM server.
- Click .
- Click Add.
- Enter an alias, for example, icmserver.
- Enter the file name of the IBM Case Manager server
certificate, for example, c:\icmserverCert.pem,
and click OK.
- Save the changes.
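Importing a signer certificate is a trust decision for the whole cell, so before adding the transferred file a practitioner normally checks two things: that the file is still the certificate that was extracted (the fingerprint matches the one the source console shows) and that it really is the root certificate, not the server's personal certificate. The shell functions below are an added example, not part of the IBM page or product; they assume the openssl command-line tool (1.1.1 or later) is installed, and demo_setup creates a throwaway self-signed CA as a stand-in for a cell's root certificate.

```sh
#!/bin/sh
# Added example, not from the IBM page or product. Checks to run on an
# extracted root certificate before importing it as a signer in the other
# cell. Requires the openssl command-line tool (1.1.1 or later for -ext/-addext).

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...". Compare it with
# the fingerprint displayed in the source cell's console so that a file
# corrupted in transfer, or the wrong file, is caught before it becomes trusted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Succeeds only if the certificate carries basicConstraints CA:TRUE, i.e. it is
# a root/signer certificate. Importing a server's personal certificate instead
# trusts that one key only and stops working when it is renewed.
cert_is_ca() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if the transferred copy ($2) is the same certificate as the
# original ($1); an unreadable copy yields an empty fingerprint and fails.
cert_copy_intact() {
    orig=$(cert_fingerprint "$1")
    copy=$(cert_fingerprint "$2")
    [ -n "$orig" ] && [ "$orig" = "$copy" ]
}

# Creates a throwaway self-signed CA (constructed here, standing in for the
# certificate exported from a cell), a faithful copy of it, and a copy mangled
# the way a text-mode transfer can mangle a PEM file. Prints the directory.
demo_setup() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/root.key" -out "$dir/bpmserverCert.pem" \
        -subj "/O=example/CN=bpmserver root CA" \
        -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
    cp "$dir/bpmserverCert.pem" "$dir/transferred.pem"
    sed '$d' "$dir/bpmserverCert.pem" > "$dir/corrupt.pem"
    echo "$dir"
}
```

In a real exchange, run cert_fingerprint on the file you exported (for example c:\bpmserverCert.pem) and again on the copy that arrived in the other cell, compare both against the console, and run cert_is_ca on it before clicking Add; the demo directory shows the faithful copy passing and the mangled copy failing.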
Results
The cross-cell setup is configured, including SSO and SSL.
What to do next
Register the IBM BPM widgets in IBM Case Manager.