IBM Support

Securing the messaging engines underlying the IBM Process Server and Performance Data Warehouse for IBM Business Process Manager (BPM)

Troubleshooting


Problem

The buses underlying the IBM Process Server and Performance Data Warehouse are shipped unsecured; to secure the buses, you need to complete additional steps.

Resolving The Problem

By default, as shipped, the IBM Process Server bus and the Performance Data Warehouse bus are unsecured. You will typically want to secure both buses. To secure them, follow these steps:

  1. Enable bus security.

    1. Expand Security and select Bus Security. You see a list of the buses that are available on your system. The list should include both of the following buses:

      • The IBM Process Server bus (PROCSVR.cell-name.Bus)
      • The Performance Data Warehouse bus (PERFDW.cell-name.Bus)

    2. Under the Security column, each bus is marked as having security either enabled or disabled. By default, the IBM Process Server bus and the Performance Data Warehouse bus have security disabled, as indicated by the Disabled link in the Security column. Select the bus that you want to secure and click the Disabled link. This action takes you directly to the "Security configuration" page for that bus.

    3. In the security configuration page for the selected bus, click Enable bus security.

  2. Add the appropriate users, groups, or both to the bus connector role. Ensure that the user you identify in the authentication alias (see step 3) is a member of this role. Only users in the bus connector role are allowed to connect to the bus:

    1. On the bus security configuration page, click the Users and Groups in the bus connector role link.

    2. You will see a list of users that have been assigned the bus connector role for this particular bus. If the user that you are using to connect to the bus is not in the list of users and is not a member of any of the groups listed, click New to open a wizard, which will enable you to find the user or group, as appropriate.

  3. Add an authentication alias to the bus activation specification. Completing this action makes it possible to centrally and securely manage access IDs that are being used to access buses.

    1. Navigate to Resources > JMS > JMS Providers.

    2. Choose the default messaging provider for the correct cluster or server scope.

    3. Under Additional Properties, click Activation Specifications.

    4. Select an existing authentication alias, or create a new one, that you want to associate with the bus. If you are creating a new authentication alias, make sure you use the primary administrator user name and password for the new authentication alias. Ensure that the identity that is associated with the authentication alias is in the bus connector role for that bus as described in step 2. Set this authentication alias activation specification property to the authentication alias you selected or created. The following table lists the relevant activation specifications:
    5. BusActivation Specification
      ProcSrvEventMgrControlActivationSpec
      ProcSrvEventMgrMessageActivationSpec
      ProcSrvInterServerActivationSpec
      ProcSrvcacheMessageActivationSpec
      PerfDWDataDefLoaderActivationSpec
      PerfDWPostLoadCalculationActivationSpec
      PerfDWRepresentationManagerActivationSpec
      PerfDWViewManagerActivationSpec
    6. Ensure that the proper authentication aliases are referenced in the 50AppServer.xml configuration file, in all of its relevant locations, including the 50AppServer.xml file for the Performance Data Warehouse, and the 50AppServer.xml file for the Process Center or for the Process Server. To verify, look for the following segment in 50AppServer.xml. Un-comment the jms-auth element and use the same user name and password that you established in step 2b:

      <!--  These properties are needed when JMS connections require authentication. For instance, when using Embedded MQ you will be required to uncomment these properties ~EMBEDMQ_COMMENT~
      <jms-auth merge="mergeChildren">
      <user>tw_user</user>
      <password>93UVSloSQlXuw4hQz8juEA==:LQKvvMytJN1xqhTa2D89Ig==</password>
      </jms-auth>
      ~EMBEDMQ_UNCOMMENT~-->

    7. The directory paths where you make these changes for 50AppServer.xml depends on whether you have installed a stand-alone server environment, a clustered network deployment environment, or a single server network deployment environment, as shown below:

      • Path for a stand-alone server configuration
        stand-alone-profile-root\config\cells\cell-name\nodes\standalone-node-name\servers\server-name\process-center|process-server|performance-data-warehouse \config\system\50AppServer.xml

      • Path for a network deployment cluster configuration

        • For the network deployment cluster:
          DMGR-profile-root\config\cells\cell-name\clusters\cluster-name\process-center|process-server|performance-data-warehouse \config\system\50AppServer.xml

        • For each cluster member:
          DMGR-profile-root\config\cells\cell-name\nodes\node-name\servers\server-name\process-center|process-server|performance-data-warehouse \config\system\50AppServer.xml


          Note: In the network deployment Performance Data Warehouse cluster environment, the 50AppServer.xml file is not available in the cluster scope. If new Performance Data Warehouse cluster members are created after the security enablement, you must ensure that the proper authentication aliases are referenced for the new members as well.

      • Path for a network deployment single-server configuration
        DMGR-profile-root\config\cells\cell-name\nodes\custom-node-name\servers\server-name\process-center|process-server|performance-data-warehouse \config\system\50AppServer.xml

    8. Use the IBM BPM EncryptPassword utility to encrypt the password for the 50AppServer.xml file. Instructions for using the utility are available in the Encrypting passwords topic within the Business Process Manager 7.5 Information Center.

    9. If you are using a network deployment cluster configuration, synchronize the nodes.

    10. Restart the server and make sure that you do not see any new exceptions related to the Process Server and the Performance Data Warehouse buses.

  4. Set user and password values for the HTTP event listener. When Java™ Message Service (JMS) connections are secured and require authentication, you must set the jmsUser and jmsPassword values in the HTTPEventListener.properties file, as follows:


    <constant classkey="jmsUser">JMS_USER</constant>
    <constant classkey="jmsPassword">JMS_PASSWORD_ENCRYPTED</constant>
    <constant classkey="jmsPasswordEncrypted">true</constant>


    These values should match the user name and password that you established in Step 2b. If you established admin as the user name in Step 2b, then use admin for JMS_USER and use the admin password for JMS_PASSWORD_ENCRYPTED. Use the IBM BPM EncryptPassword utility to encrypt the jmsPassword value for the HTTPEventListener.

  5. Ensure secure transmission of passwords from external clients for topic connection factories and queue connection factories.

    1. Navigate to Resources > JMS > Queue Connection Factories, Resources > JMS –> Topic Connection Factories to locate the following connection factories:

    2. BusConnection Factories
      ProcSrvQueueConnectionFactory
      ProcSrvTopicConnectionFactory
      ProcSrvcacheMessageConnectionFactory
      ProcSrveventMgrMessageConnectionFactory
      ProcSrvTWClientConnectionFactory
      ProcSrvTWClientConnectionFactoryNoTX
      PerfDWDataDefLoaderConnectionFactory
      PerfDWViewManagerConnectionFactory
      PerfDWPostLoadCalculationConnectionFactory
      PerfDWRepresentationManagerConnectionFactory
    3. To ensure secure transmission of passwords from external clients, set the "Provider endpoints" property to support a secured endpoint by adding a pointer to a secured endpoint. For example, if your configuration already shows this endpoint:

      qastress50.eng1.svl.ibm.com:7301:BootstrapBasicMessaging

      Then, add a secured endpoint, so that you will have:

      qastress50.eng1.svl.ibm.com:7301:BootstrapBasicMessaging
      ,qastress50.eng1.svl.ibm.com:7302:BootstrapSecureMessaging

      The port numbers come from the SIB_ENDPOINT_SECURE_ADDRESS of the individual messaging engine's server or the individual cluster members. You might also want to consider retaining a non-SSL-protected endpoint by including "hostname:7276:BootstrapBasicMessaging" in the list of supported endpoints.

      If you have multiple entries, delimit them with a comma, as shown below:


    4. Set "Target inbound transport chain" to "InboundSecureMessaging".

  6. Revise the ssl.client.props file for keystore and truststore configuration, as in the following sample:

    Note: You must complete this step as part of configuring IBM Process Designer. The values used in the ssl.client.props file for keystore and truststore configuration must be consistent with the SSL configuration name and the truststore that are used in the IBM Process Center.

    • com.ibm.ssl.defaultAlias=DefaultSSLSettings
      com.ibm.ssl.performURLHostNameVerification=false

      com.ibm.ssl.validationEnabled=false
      com.ibm.security.useFIPS=false

      com.ibm.jsse2.checkRevocation=false
      com.ibm.security.enableCRLDP=false

      com.ibm.ssl.alias=DefaultSSLSettings
      com.ibm.ssl.protocol=SSL_TLS
      com.ibm.ssl.securityLevel=HIGH
      com.ibm.ssl.trustManager=IbmPKIX
      com.ibm.ssl.keyManager=IbmX509
      com.ibm.ssl.contextProvider=IBMJSSE2
      com.ibm.ssl.enableSignerExchangePrompt=gui

      # KeyStore information
      com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
      com.ibm.ssl.keyStore=etc/key.p12
      com.ibm.ssl.keyStorePassword={xor}Nj0yKDM6
      com.ibm.ssl.keyStoreType=PKCS12
      com.ibm.ssl.keyStoreProvider=IBMJCE
      com.ibm.ssl.keyStoreFileBased=true

      # TrustStore information
      com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
      com.ibm.ssl.trustStore=etc/trust.p12
      com.ibm.ssl.trustStorePassword={xor}Nj0yKDM6
      com.ibm.ssl.trustStoreType=PKCS12
      com.ibm.ssl.trustStoreProvider=IBMJCE
      com.ibm.ssl.trustStoreFileBased=true
      com.ibm.ssl.trustStoreReadOnly=false
.

For a general overview of the procedure for setting SSL client properties, see the ssl.client.propsclient configuration file topic.

[{"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}},{"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}},{"Product":{"code":"SSFTBX","label":"IBM Business Process Manager Express"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"7.5","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}}]

Product Synonym

BPM

Document Information

Modified date:
15 June 2018

UID

swg21499518