Configuring Secure Sockets Layer (SSL) communication for a network deployment environment

The following steps configure the communication between the Process Center and the Process Server to use https in a network deployment environment.

Before you begin

Important: IBM® Business Process Manager generates a default signer certificate during profile creation and uses it to sign personal certificates for all of the Java virtual machines in the cell. If you do not want to use the default signer certificate, you must create a personal certificate request to obtain a certificate that is signed by a certificate authority (CA). Refer to Creating a certificate authority request.

Procedure

  1. Import the Process Server WebSphere® Application Server root SSL certificate into Process Center.
    1. On the Process Center WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates.
    2. In the resource table, click CellDefaultTrustStore.
    3. Under Additional Properties, click Signer certificates.
    4. Click Retrieve from port.
    5. Type the values for the Host name, secure Port of the Process Server profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. Retrieving from port trusts whatever certificate is served on that port at that moment, so compare the retrieved signer information (issued to, issued by, and fingerprint) with the Process Server certificate before you continue. The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    6. Click Apply and save your changes.
  2. Import the Process Center root SSL certificate into Process Server.
    1. In the Process Server WebSphere Application Server administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates > Retrieve from port.
    2. Enter the Host name, secure Port of the Process Center profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. As in the previous step, compare the retrieved signer information with the Process Center certificate before you apply it.
      Note: The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    3. Click Apply and save your changes.
  3. Edit the 100Custom.xml file on the Process Center.
    1. Edit WAS_HOME\profiles\PC dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-center\config\100Custom.xml to overwrite values from 99Local.xml.

      For example: C:\BPM\profiles\PCDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\100Custom.xml.

    2. Open WAS_HOME\profiles\PC dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-center\config\system\99local.xml.

      For example: C:\BPM\profiles\PCDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\system\99local.xml.

    3. Copy all occurrences of http://<PC_hostname>:<non_secured_port> from the 99local.xml file, including the enclosing xml tags, and paste them into the 100Custom.xml file.
    4. Add merge="mergeChildren" to the parent xml tags that contain the http://<PC_hostname>:<non_secured_port>.
    5. Add merge="replace" to the xml tag that contains the http://<PC_hostname>:<non_secured_port>.
    6. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port> and add the corresponding closing XML tags.
    7. Copy the parent tags of the <client-link> element that contains http://<PC_hostname>:<non_secured_port> (in the example files, <email> and <mail-template>) and paste them into the <server> section.
    8. Add the server section to the 100Custom.xml file.
      1. Add merge="mergeChildren" to the parent xml tags.
      2. Add merge="replace" to the xml tag that contains the http://<PC_hostname>:<non_secured_port>.
      3. Change http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.
    9. Add the following lines to the <server> section to enable https for deploying the snapshot and specify the correct Process Center secure port:
      <deploy-snapshot-using-https merge="replace">true</deploy-snapshot-using-https>
      <server-port merge="replace"><PC WC_defaulthost_secure port></server-port>
      Note: The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    10. Open WAS_HOME\profiles\PC dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-center\config\system\99Sharepoint.xml.

      For example: c:\BPM\profiles\PCDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\config\system\99Sharepoint.xml.

    11. Copy all occurrences of http://<PC_hostname>:<non_secured_port> from the 99Sharepoint.xml, including its parent xml tags, and paste them to the 100Custom.xml file.
    12. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.
    13. Save and close the 100Custom.xml file.
    Here is an example of the Process Center 100Custom.xml file:
    <properties>
        <!--Properties file for customer cluster scoped properties. -->
    			
    	<!-- set unversioned-po-caching-enable to false for clustering 
        <common merge="mergeChildren">
            <environment-name merge="replace">My Environment</environment-name>
            <default-unversioned-po-cache-size merge="replace">500</default-unversioned-po-cache-size>
    		<default-versioned-po-cache-size merge="replace">500</default-versioned-po-cache-size>
            <unversioned-po-caching-enable merge="replace">false</unversioned-po-caching-enable>
    		<default-webapi-userid-cache-size merge="replace">500</default-webapi-userid-cache-size>
        </common>
        -->
    
        <!-- Sample connector configuration 
        <server>
            <reloadable-jar-location>temp</reloadable-jar-location>
            <reloadable-jar-location-load-only-once>false</reloadable-jar-location-load-only-once>
        </server>
        -->
        
        <!-- Sample default work schedule config.  
    	<server>
    		<default-work-schedule  merge="replace">				
    				<time-schedule>7AM-7PM Every Day</time-schedule>
    				<time-zone>CST</time-zone>
    				<holiday-schedule>empty holiday</holiday-schedule>
    		</default-work-schedule>		
    	</server>
    	-->
        <authoring-environment merge="mergeChildren">
            <images-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</images-prefix>
    
            <portal-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/portal</portal-prefix>                
    
            <repository-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessCenter</repository-prefix>
    
            <servlet-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</servlet-prefix>
    
            <webapi-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/webapi</webapi-prefix>
            
            <process-help-wiki-url-view merge="replace">https://qastress3.eng1.svl.ibm.com:9443/processhelp/en/%TITLE%?teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-view>
            <process-help-wiki-url-edit merge="replace">https://qastress3.eng1.svl.ibm.com:9443/processhelp/en/Special:Edit?topic=%TITLE%&amp;teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-edit>
    
        </authoring-environment>
    
        <common merge="mergeChildren">
            <portal-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/portal</portal-prefix>
            
            <process-admin-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessAdmin</process-admin-prefix>
            
            <teamworks-webapp-prefix merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</teamworks-webapp-prefix>
            <webservices merge="mergeChildren">
                <base-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks/webservices</base-url>
            </webservices>
    
            <xml-serialization merge="mergeChildren">
                <default-namespace-uri merge="replace">https://qastress3.eng1.svl.ibm.com:9443/schema/</default-namespace-uri>
            </xml-serialization>
            <coach-designer-xsl-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks/coachdesigner/transform/CoachDesigner.xsl</coach-designer-xsl-url>
            <office merge="mergeChildren">
                <sharepoint merge="mergeChildren">
                    <default-workspace-site-description merge="replace"><![CDATA[This site has been automatically generated for managing collaborations and documents 
    for the Lombardi TeamWorks process instance: <#= tw.system.process.name #> <#= tw.system.process.instanceId #>
    
    TeamWorks Link:  https://qastress3.eng1.svl.ibm.com:9443/portal/jsp/getProcessDetails.do?bpdInstanceId=<#= tw.system.process.instanceId #>
    
    ]]></default-workspace-site-description>
                </sharepoint>
            </office>
        </common>
    
        <server merge="mergeChildren">    	    	
            <email merge="mergeChildren">
                <mail-template merge="mergeChildren">
                    <client-link merge="replace">https://qastress3.eng1.svl.ibm.com:9443/teamworks</client-link>
                </mail-template>
            </email>
            <repository-server-url merge="replace">https://qastress3.eng1.svl.ibm.com:9443/ProcessCenter</repository-server-url>
            <deploy-snapshot-using-https merge="replace">true</deploy-snapshot-using-https>
            <server-port merge="replace">9443</server-port>				
    
    	</server>
    			
    </properties>
  4. Edit the 100Custom.xml file on the Process Server.
    1. Edit WAS_HOME\profiles\PS dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-server\config\100Custom.xml to overwrite values from 99Local.xml.

      For example: C:\BPM\profiles\PSDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\100Custom.xml.

    2. Open WAS_HOME\profiles\PS dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-server\config\system\99local.xml.

      For example: C:\BPM\profiles\PSDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\system\99local.xml.

    3. Copy all occurrences of http://<PS_hostname>:<non_secured_port> from the 99local.xml file, including the enclosing xml tags, and paste them into the 100Custom.xml file.
    4. Add merge="mergeChildren" to the parent xml tags that contain the http://<PS_hostname>:<non_secured_port>.
    5. Add merge="replace" to the xml tag that contains the http://<PS_hostname>:<non_secured_port>.
    6. Change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port> and add the corresponding closing XML tags.
    7. Copy the parent tags of the <client-link> element that contains http://<PS_hostname>:<non_secured_port> (in the example files, <email> and <mail-template>) and paste them into the <server> section.
    8. Add the server section to the 100Custom.xml file.
      1. Add merge="mergeChildren" to the parent xml tags.
      2. Add merge="replace" to the xml tag that contains the http://<PS_hostname>:<non_secured_port>.
      3. Change http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port>.
    9. Search for repository-server-url in the server section of the 99local.xml file and copy it to the server section of the 100Custom.xml file. This URL points to the Process Center, not to the Process Server.
    10. Change all occurrences of http://<PC_hostname>:<non_secured_port> to https://<PC_hostname>:<secured_port>.
    11. Add the following line to the <server> section to specify the Process Server secure port:
      <server-port merge="replace"><PS WC_defaulthost_secure port></server-port>
      Note: The WC_defaulthost_secure port is listed in the WebSphere Application Server administrative console under Servers > Server Types > WebSphere Application Servers > SERVER_NAME > Ports.
    12. Open WAS_HOME\profiles\PS dmgr profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-server\config\system\99Sharepoint.xml.

      For example: C:\BPM\profiles\PSDmgr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\config\system\99Sharepoint.xml.

    13. Copy all occurrences of http://<PS_hostname>:<non_secured_port> from the 99Sharepoint.xml, including its parent xml tags, and paste them to the 100Custom.xml file.
    14. Change all occurrences of http://<PS_hostname>:<non_secured_port> to https://<PS_hostname>:<secured_port>.
    15. Save and close the 100Custom.xml file.
    Here is an example of the Process Server 100Custom.xml file:
    <properties>
        <!--Properties file for customer cluster scoped properties. -->
    			
    			
    	<!-- set unversioned-po-caching-enable to false for clustering 
        <common merge="mergeChildren">
            <environment-name merge="replace">My Environment</environment-name>
            <default-unversioned-po-cache-size merge="replace">500</default-unversioned-po-cache-size>
    		<default-versioned-po-cache-size merge="replace">500</default-versioned-po-cache-size>
            <unversioned-po-caching-enable merge="replace">false</unversioned-po-caching-enable>
    		<default-webapi-userid-cache-size merge="replace">500</default-webapi-userid-cache-size>
        </common>
        -->
    
        <!-- Sample connector configuration 
        <server>
            <reloadable-jar-location>temp</reloadable-jar-location>
            <reloadable-jar-location-load-only-once>false</reloadable-jar-location-load-only-once>
        </server>
        -->
        
        <!-- Sample default work schedule config.  
    	<server>
    		<default-work-schedule  merge="replace">				
    				<time-schedule>7AM-7PM Every Day</time-schedule>
    				<time-zone>CST</time-zone>
    				<holiday-schedule>empty holiday</holiday-schedule>
    		</default-work-schedule>		
    	</server>
    	-->
    	
        <authoring-environment merge="mergeChildren">
            <images-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</images-prefix>
    
            <portal-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/portal</portal-prefix>                
    
            <repository-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/ProcessCenter</repository-prefix>
    
            <servlet-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</servlet-prefix>
    
            <use-portal-for-preview merge="replace">true</use-portal-for-preview>
    
            <webapi-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/webapi</webapi-prefix>
            
            <process-help-wiki-url-view merge="replace">https://wpsvm10b.svl.ibm.com:9443/processhelp/en/%TITLE%?teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-view>
            <process-help-wiki-url-edit merge="replace">https://wpsvm10b.svl.ibm.com:9443/processhelp/en/Special:Edit?topic=%TITLE%&amp;teamworksTitle=%TEAMWORKS_TITLE%</process-help-wiki-url-edit>
        </authoring-environment>
    
        <common merge="mergeChildren">
            <portal-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/portal</portal-prefix>
            
            <process-admin-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/ProcessAdmin</process-admin-prefix>
            
            <teamworks-webapp-prefix merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</teamworks-webapp-prefix>
                    
            <webservices merge="mergeChildren">
                <base-url merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks/webservices</base-url>
            </webservices>
            <coach-designer-xsl-url merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks/coachdesigner/transform/CoachDesigner.xsl</coach-designer-xsl-url>
     
            <office merge="mergeChildren">
                <sharepoint merge="mergeChildren">
                    <default-workspace-site-description merge="replace"><![CDATA[This site has been automatically generated for managing collaborations and documents 
    for the Lombardi TeamWorks process instance: <#= tw.system.process.name #> <#= tw.system.process.instanceId #>
    
    TeamWorks Link:  https://wpsvm10b.svl.ibm.com:9443/portal/jsp/getProcessDetails.do?bpdInstanceId=<#= tw.system.process.instanceId #>
    
    ]]></default-workspace-site-description>
                </sharepoint>
            </office>
        </common>
    
        <server merge="mergeChildren">    	    	
    								
            <!-- email properties -->
            <email merge="mergeChildren">
                <mail-template merge="mergeChildren" >
                    <client-link merge="replace">https://wpsvm10b.svl.ibm.com:9443/teamworks</client-link>
                </mail-template>
            </email>
    
            <repository-server-url merge="replace">https://qastress3.svl.ibm.com:9443/ProcessCenter</repository-server-url>
            <server-port merge="replace">9443</server-port>				
        </server>
    			
    </properties>
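The copy, rewrite and merge-attribute steps for the Process Center (step 3) and the Process Server (step 4) can be generated instead of done by hand. The following Python script is an added example for this page, not IBM code. It assumes the element layout shown in the sample files above; the host names, ports and the 99Local.xml fragment inside it are constructed for the demonstration. It goes slightly beyond the text by accepting several host/port pairs in one run, which the Process Server file needs because its repository-server-url points at the Process Center. The second function performs the check from the verification steps, listing any element in TeamWorksConfiguration.running.xml that still carries a non-secure URL.

```python
"""Build the https overrides for 100Custom.xml from 99Local.xml and check the
running configuration afterwards. Added example for this page, not IBM code.
Assumes the element layout of the sample files; all names below are constructed."""
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of 99Local.xml (Process Server side, so the
# repository URL points at the Process Center host, the others at the server itself).
SAMPLE_99LOCAL = """<properties>
  <authoring-environment>
    <portal-prefix>http://ps.example.com:9080/portal</portal-prefix>
    <use-portal-for-preview>true</use-portal-for-preview>
  </authoring-environment>
  <common>
    <process-admin-prefix>http://ps.example.com:9080/ProcessAdmin</process-admin-prefix>
    <webservices>
      <base-url>http://ps.example.com:9080/teamworks/webservices</base-url>
    </webservices>
  </common>
  <server>
    <email>
      <mail-template>
        <client-link>http://ps.example.com:9080/teamworks</client-link>
      </mail-template>
    </email>
    <repository-server-url>http://pc.example.com:9080/ProcessCenter</repository-server-url>
  </server>
</properties>"""

# (host, non-secure port, WC_defaulthost_secure port) for every host that appears.
PS_URL_MAP = [("ps.example.com", 9080, 9443), ("pc.example.com", 9080, 9443)]


def rewrite(text, url_map):
    """Replace each http://host:port in text with its https://host:secure_port form."""
    for host, http_port, https_port in url_map:
        text = text.replace(f"http://{host}:{http_port}", f"https://{host}:{https_port}")
    return text


def _has_plain_url(text, url_map):
    return bool(text) and any(f"http://{h}:{p}" in text for h, p, _ in url_map)


def _indent(elem, level=0):
    """Minimal pretty-printer so the generated file is readable (ET.indent needs 3.9+)."""
    pad = "\n" + "    " * level
    if len(elem):
        elem.text = pad + "    "
        for child in elem:
            _indent(child, level + 1)
            child.tail = pad + "    "
        elem[-1].tail = pad


def build_overrides(local_xml, url_map, server_port, deploy_snapshot_https=False):
    """Return 100Custom.xml text: only the URL-bearing leaves of local_xml, each with
    merge="replace" and every ancestor with merge="mergeChildren", plus the <server>
    entries from the procedure. Text that was CDATA in the source comes out with
    &lt; escapes, which is the same value once the file is parsed."""
    src = ET.fromstring(local_xml)
    out = ET.Element(src.tag)

    def ensure_path(tags):
        node = out
        for tag in tags:
            found = node.find(tag)
            if found is None:
                found = ET.SubElement(node, tag, merge="mergeChildren")
            node = found
        return node

    def walk(elem, path):
        for child in elem:
            if len(child):
                walk(child, path + [child.tag])
            elif _has_plain_url(child.text, url_map):
                leaf = ET.SubElement(ensure_path(path), child.tag, merge="replace")
                leaf.text = rewrite(child.text, url_map)

    walk(src, [])
    server = ensure_path(["server"])
    if deploy_snapshot_https:  # Process Center only, per the procedure above
        ET.SubElement(server, "deploy-snapshot-using-https", merge="replace").text = "true"
    ET.SubElement(server, "server-port", merge="replace").text = str(server_port)
    _indent(out)
    return ET.tostring(out, encoding="unicode")


def remaining_plain_urls(running_xml, url_map):
    """Tags in TeamWorksConfiguration.running.xml that still carry a non-secure URL.
    An empty list is what the verification steps are looking for."""
    return [e.tag for e in ET.fromstring(running_xml).iter() if _has_plain_url(e.text, url_map)]


if __name__ == "__main__":
    custom = build_overrides(SAMPLE_99LOCAL, PS_URL_MAP, server_port=9443)
    print(custom)
    print("still http in source:", remaining_plain_urls(SAMPLE_99LOCAL, PS_URL_MAP))
    print("still http in overrides:", remaining_plain_urls(custom, PS_URL_MAP))
```

To use it against a real profile, read 99Local.xml into build_overrides with the hosts and ports of your cell and review the output before saving it as 100Custom.xml: the script copies only elements whose text contains one of the non-secure URLs, so anything else that 99Sharepoint.xml or a previous 100Custom.xml contributes must be merged in by hand.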
  5. Optional: If the Process Center and clustered runtime servers were started before you began to configure SSL, and the LSW_SERVER table in the Process Center database contains the non-secure port of the Process Server, you must delete the Process Server from the Process Center repository.
    1. Stop the Process Server.
    2. From the Servers tab on the Process Center Console, delete Process Server from the Process Center repository.
    3. Delete the record with the non-secure port from the LSW_SERVER table on the Process Center database.
    4. Start the Process Server.
  6. Optional: Disable all unsecured ports on the Process Server and Process Center servers. Complete the following steps for all cluster members on all nodes:
    1. Log in to the WebSphere Application Server administrative console, click Servers > Server Types > WebSphere Application Servers.
    2. For each server, click server_name. Then go to Container Settings > Web Container Settings > Web container transport chains.
    3. Click each link for the unsecured port, and deselect the Enabled checkbox. For example, deselect the Enabled checkbox for HttpQueueInboundDefault.
    If the xyz.AppTarget cluster has members on Node1 and Node2, you must complete the steps on both nodes.
  7. Verify the Process Server 100Custom.xml file changes in the server.
    1. Open the TeamWorksConfiguration.running.xml file, which is located in the WAS_HOME\profiles\profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-server directory. The TeamWorksConfiguration.running.xml file may not be available in every environment.
    2. Confirm that the values you set in the 100Custom.xml file appear in this file and that no http://<PS_hostname>:<non_secured_port> URLs remain. For example: C:\BPM\profiles\ProcSrv01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PS1.AppTarget.PS1Node1.0\process-server\TeamWorksConfiguration.running.xml
  8. Verify the Process Center 100Custom.xml file changes in the server.
    1. Open the TeamWorksConfiguration.running.xml file, which is located in the WAS_HOME\profiles\profile name\config\cells\cell name\nodes\node name\servers\app target server name\process-center directory. The TeamWorksConfiguration.running.xml file may not be available in every environment.
    2. Confirm that the values you set in the 100Custom.xml file appear in this file and that no http://<PC_hostname>:<non_secured_port> URLs remain. For example: C:\BPM\profiles\ProcCtr01\config\cells\gascogne01Cell\nodes\gascogneNode01\servers\PC1.AppTarget.PC1Node1.0\process-center\TeamWorksConfiguration.running.xml
  9. Restart the Process Server and Process Center servers.
    1. Use the WebSphere Application Server administrative console to stop the clusters.
    2. Stop the node agent and deployment manager.
    3. Restart the node agent.
    4. Restart the deployment manager.
    5. Use the WebSphere Application Server administrative console to start the clusters.
  10. Verify your configuration.
    1. Log in to the Process Center console using an https connection.
    2. From the Servers tab, click the runtime server > Configure Server and confirm that the page opens in the browser over https.
  11. Import an SSL security certificate into Integration Designer. To connect to an HTTPS-enabled server, you must import the SSL security certificate (X509Certificate) of that server into the Java runtime that Integration Designer uses. The following example exports the certificate with Internet Explorer:
    1. Launch your web browser, and navigate to https://hostname:secure_port/ProcessCenter/login.jsp where hostname represents the fully qualified domain name of the Process Center server, and where secure_port represents the Process Center secure SSL port number.
    2. On the Security Alert window, click View Certificate.
    3. On the Certificate window, click Details.
    4. Click Copy to File to specify where to save the certificate file on your system.
    5. In the wizard, click Next, accept the default values, and click Next.
    6. Type a file name for the security certificate, and click Next. For example, name the file pc_cert.cer, and click Next.
    7. Click Finish. After you have exported the certificate, you can import it into the Java JRE that you will be using for Integration Designer.
    8. Copy the certificate to Installation_directory/jdk/jre/bin, where Installation_directory represents the directory where you installed Integration Designer.
    9. Open a command prompt, and change the directory to Installation_directory/jdk/jre/bin, where Installation_directory represents the directory where you installed Integration Designer.
    10. Run the following command: keytool.exe -import -v -file certificate_file -keystore ..\lib\security\cacerts
      If you previously imported SSL certificates into this keystore, add the -alias key_name parameter with a different alias to avoid conflicts. The default alias is mykey.
    11. Type the keystore password. The default password is changeit.
    12. Compare the fingerprint that keytool prints with the certificate the Process Center server presents (for example, as shown under Personal certificates in its administrative console), and type y to trust the certificate only if they match.
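Step 11 exports the certificate through the browser and then relies on the operator reading the keytool prompt. The following Python script is an added example, not from the page or from IBM: it fetches the certificate from the secure port directly, prints the SHA-1 and SHA-256 fingerprints in the colon-separated form that keytool and the WebSphere console display so they can be compared before answering y, and builds the keytool command with a host-specific alias so that a second server never collides with the default alias. Host, port, the output file name and the keystore path are assumptions; the embedded PEM is a constructed stand-in whose body is base64 of "abc", not a real certificate.

```python
"""Fetch a server certificate, show its fingerprints, and build the keytool -import
command. Added example; not from the page or from IBM. Host, port and keystore
path are assumptions. The sample PEM is constructed (base64 of "abc")."""
import base64
import hashlib
import ssl
import sys

# Constructed PEM used for the offline demonstration: the body decodes to b"abc",
# so the fingerprints below are simply the digests of those three bytes.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes that fingerprints are taken over."""
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprints(der):
    """Colon-separated upper-case hex, the form keytool prints before asking to trust."""
    return {algo: ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())
            for algo in ("sha1", "sha256")}


def fetch_pem(host, port):
    """The certificate the server presents: the leaf (personal) certificate only, so
    the import must be repeated when that certificate is replaced."""
    return ssl.get_server_certificate((host, port))


def keytool_import_argv(cert_file, host, port, keystore, keytool="keytool"):
    """Same command as the step above, with an alias derived from host and port
    instead of the default alias 'mykey'."""
    return [keytool, "-import", "-v", "-file", cert_file,
            "-alias", f"bpm-{host}-{port}", "-keystore", keystore]


def main(host, port, out_file="pc_cert.cer", keystore="../lib/security/cacerts"):
    pem = fetch_pem(host, port)
    with open(out_file, "w") as fh:
        fh.write(pem)
    for algo, fp in fingerprints(pem_to_der(pem)).items():
        print(f"{algo.upper()} fingerprint: {fp}")
    print("compare with the server's certificate, then run:",
          " ".join(keytool_import_argv(out_file, host, port, keystore)))


if __name__ == "__main__":
    # usage: python fetch_cert.py <hostname> <secure_port>
    main(sys.argv[1], int(sys.argv[2]))
```

Run it from Installation_directory/jdk/jre/bin so the relative keystore path matches the step above (on Windows the executable is keytool.exe). The fingerprint printed here must equal the one keytool shows at the trust prompt and the one the administrative console shows for the server's personal certificate; a mismatch means you are not talking to the server you think you are.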