Configuring external security providers

To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.

Before you begin

Log in to the WebSphere® Administrative console.

About this task

The default installation of IBM® Business Process Manager standalone provides a federated repository that contains the internal security provider and the file repository. The default installation of IBM Business Process Manager network deployment provides a federated repository that contains only the file repository.

To update group membership that is triggered by a script or administrative task to avoid time consuming refresh operations, see JR48507: PROVIDE SCRIPTS AND ADMINISTRATIVE TASKS TO MANUALLY TRIGGER GROUP MEMBERSHIP REFRESH.

The following steps show an example of configuring an LDAP security provider (such as Microsoft Active Directory) with the federated repository. For more information about how to configure other supported repositories, such as Tivoli Directory Server, refer to the Configuring LDAP as the user account registry section of the IBM Business Process Manager V7.5 Production Topologies IBM Redbook.

Procedure

  1. From the WebSphere Application Server administrative console, click Security > Global security.
  2. Under User account repository, select Federated repositories from the list of Available realm definitions.
  3. Click Configure.
  4. Under Related items, click Manage repositories.
  5. Click Add and enter parameters for the provider that you want to add. For example, to add Microsoft Active Directory, enter parameters similar to these:
    Table 1. External security provider parameters
    Purpose                  Parameter
    Repository identifier    MYLDAP
    Directory type           Microsoft Windows Active Directory
    Primary host name        10.1.5.18
    Bind distinguished name  cn=LDAP_USER,CN=Users,DC=MYCOMPANY,DC=com
    Bind password            mypassword
  6. Click OK, then Save.
  7. Click Add Base entry to Realm and then enter values similar to these:
    Table 2. Base entry values
    Purpose                                                                       Value
    Distinguished name of a base entry that uniquely identifies this realm entry  DC=MYCOMPANY,DC=com
    Distinguished name of a base entry in this repository                         cn=Users,DC=MYCOMPANY,DC=com
  8. Click OK, then Save.
  9. On the Global Security page, click Set as current and then click Apply.

    If your external security provider (LDAP) contains many entries, you must increase the maximum number of search results in federated repositories. A full synchronization queries all entries in LDAP, and that query is limited by the maximum search results value in the wimconfig.xml file. In WebSphere Application Server, the default maximum search results value is 4500 entries. This value is not the maximum number of LDAP users or groups that WebSphere Application Server can handle; it is only the maximum number of entries that a search returns, as set in the wimconfig.xml file. Check the SystemOut.log file for the CWWIM1018E error code. If you see this error, increase the maximum search results in the wimconfig.xml file as described in the MaxResultsExceededException occurs during LDAP repository search topic in the WebSphere Application Server Information Center. After the change, restart both the WebSphere Application Server and IBM BPM servers, then complete a full synchronization.

  10. Shut down all IBM BPM servers.
  11. Make sure no duplicate users exist in the internal security provider and the external security provider that you just added. If duplicate users exist, errors will occur when you run product components.
  12. Restart all IBM BPM servers.
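The note under step 9 is easy to check before a full synchronization rather than after it fails. The following added example (not from IBM's documentation or product) reads the maximum search results value from a wimconfig.xml file, scans SystemOut.log lines for CWWIM1018E, and reports whether the limit must be raised for a known number of LDAP entries. It assumes the value is stored as the maxSearchResults attribute of the config:configurationProvider element; the XML fragment and log lines below are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespace used by the federated repository configuration file.
WIM_NS = "http://www.ibm.com/websphere/wim/config"


def read_max_search_results(wimconfig_xml: str) -> int:
    """Return maxSearchResults from wimconfig.xml content.

    Assumption: the value is an attribute of config:configurationProvider;
    WebSphere's documented default of 4500 is used when it is absent.
    """
    root = ET.fromstring(wimconfig_xml)
    provider = root.find(".//{%s}configurationProvider" % WIM_NS)
    if provider is None:
        raise ValueError("configurationProvider element not found in wimconfig.xml")
    return int(provider.get("maxSearchResults", "4500"))


def find_max_results_errors(systemout_lines):
    """Return the SystemOut.log lines that carry the CWWIM1018E error code."""
    return [line for line in systemout_lines if "CWWIM1018E" in line]


def check_sync_capacity(wimconfig_xml: str, systemout_lines, ldap_entry_count: int) -> dict:
    """Decide whether maxSearchResults must be raised before a full synchronization.

    The limit is considered exceeded when the known LDAP entry count is above
    the configured maximum or when the log already shows CWWIM1018E.
    """
    limit = read_max_search_results(wimconfig_xml)
    errors = find_max_results_errors(systemout_lines)
    return {
        "max_search_results": limit,
        "ldap_entries": ldap_entry_count,
        "limit_exceeded": ldap_entry_count > limit or bool(errors),
        "error_lines": errors,
    }


# Constructed wimconfig.xml fragment showing the default limit.
SAMPLE_WIMCONFIG = """<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:configuration>
    <config:configurationProvider maxPagingResults="500" maxSearchResults="4500"/>
  </config:configuration>
</sdo:datagraph>"""

# Constructed SystemOut.log lines; the second one shows the error the note describes.
SAMPLE_SYSTEMOUT = [
    "[3/12/14 10:02:11:123 EDT] 0000004b LdapConnectio I CWWIM4564I Connected to 10.1.5.18",
    "[3/12/14 10:05:40:889 EDT] 0000004b exception E CWWIM1018E The number of search results exceeded the maximum search results.",
]
```

Point the functions at the real wimconfig.xml under the cell's profile configuration and at the server's SystemOut.log; the LDAP entry count can come from an ldapsearch against the base entry configured in Table 2.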

What to do next

Some IBM Business Process Manager functionality requires current data from your external security provider in order to function properly. If you see unexpected results with routing of activities, team data in scoreboards, or other aspects of IBM BPM that could be caused by a lag between IBM BPM and your external security provider, you can use the Synchronization option in the Process Admin Console to resolve those issues.
  1. Log in to the Process Admin Console.
  2. In the Server Admin area of the Process Admin Console, click the indicator next to User Management to list the available management options.
  3. Click User Synchronization.
  4. In the User Management > Synchronize window, choose one of the following options:
    • Full Synchronize

      Synchronizes IBM BPM with all user accounts in your configured external provider.

    • Add

      Click Add, then enter a user name, and repeat this action to create a list of user names. Then click Synchronize to synchronize only the user accounts in the created list.