Configuring security domains
About this task
To configure multiple deployment environments and security domains, complete the following steps.
Procedure
- Create the deployment environments. See Create a Deployment Environment.
- Select one of the following methods to create unique HTTP endpoints:
  - Use a dedicated virtual host for each deployment environment. See Step 3.
  - Use dedicated context root prefixes for each deployment environment. See Step 4.
  - Use dedicated web servers for each deployment environment. See Customizing IBM BPM to work with a web server.
- If you have multiple deployment environments in a single cell, and if you want to use the same web server, create a dedicated virtual host for each deployment environment. For each deployment environment (dep_env_name) in the cell, complete the following actions. For more information, see Virtual hosts in the WebSphere® Application Server information center.
  - Decide on the virtual host name, virtual_host_name.
  - Create a dedicated virtual host. Using the administrative console, navigate to Environment > Virtual hosts and click New.
  - Specify a name for the new virtual host. For example, vh_de1.
  - If you are using an external HTTP server, you must add the HTTP server's virtual host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in previous step > Host Aliases and click New. For example, navigate to vh_de1 and click New. Then enter the host name of your HTTP server and associate it with the HTTP or HTTPS port.
  - If you want to access the web container of the cluster members, add the host name of the cluster member as a host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in previous step > Host Aliases and click New. Enter the host name of the cluster member and associate it with the WC_defaulthost_secure port.
    Here is an example of the host aliases that must be added for a single cluster deployment environment that contains two members:
    Deployment environment name: de1
    Cluster name: de1.AppTarget
    Cluster member 1: de1.AppTarget.Member1
    Cluster member 2: de1.AppTarget.Member2
    Virtual host name: vh_de1
    Virtual host aliases in vh_de1:
    - To access IBM® Business Process Manager over HTTPS, add the cluster member host names and WC_defaulthost_secure ports to the host aliases:
      - Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost_secure port. For example 9443.
      - Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost_secure port. For example 9443.
    - To access IBM Business Process Manager over HTTP, add the WC_defaulthost ports:
      - Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost port. For example 9080.
      - Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost port. For example 9080.
    - If you use an external HTTP server, add the HTTP server's virtual host alias. This is mandatory if you are using an external HTTP server.
      - Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 80.
      - Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 443.
  - Map the virtual host name, virtual_host_name, to the deployment environment, dep_env_name, by running the BPMConfig command:
    On Linux and UNIX: install_root/bin/BPMConfig.sh -update -profile profile_name -de dep_env_name -virtualHost virtual_host_name
    On Windows: install_root\bin\BPMConfig.bat -update -profile profile_name -de dep_env_name -virtualHost virtual_host_name
    Tip: For more information about the BPMConfig command, see BPMConfig command-line utility. For information on the IBM BPM virtual host, see Configuring endpoints to match your topology.
  - If you are using an external HTTP server, regenerate and propagate the HTTP server plug-in.
    - In the administrative console, navigate to Servers > Server Types > Web Servers.
    - Select the name of your HTTP server, then click Generate Plug-in.
    - Select the name of your HTTP server, then click Propagate Plug-in.
      Tip: The administration service must be running on your HTTP server.
- Configure dedicated context root prefixes for each deployment environment by running the BPMConfig command. For more information about the BPMConfig command, see BPMConfig command-line utility.
- Create and configure a dedicated security domain for each deployment environment and map each cluster and service integration bus to the dedicated security domain. See Configuring multiple security domains.
  - Every cluster and service integration bus in the deployment environment must be mapped to the same security domain.
  - If you use a dedicated user registry for each security domain, the user realm name for the security domain must be unique.
  - Users that are configured for the deployment environment must exist in the user registry.
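The rules in Step 3 (one virtual host per deployment environment, with host aliases for every cluster member and for the HTTP server) and in this step (one dedicated security domain per deployment environment, unique realm names, environment users present in the registry) can be checked before anything is changed in the cell. The Python script below is an added example and is not part of the IBM documentation or of IBM BPM: it models a cell plan and reports every violation of those rules. All host names, cluster, bus and domain names, and the 9444/9081 ports used for the second environment are constructed sample values.

```python
"""Added example, not part of the IBM BPM documentation: a pre-flight check of a
multi-deployment-environment plan against the rules stated in the steps above
(one virtual host per environment with complete host aliases; every cluster and
SI bus of an environment in one dedicated security domain; unique realm names;
environment users present in the domain's registry).
All names, hosts and ports are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class SecurityDomain:
    name: str
    realm: str                     # user realm name of the domain's registry
    users: set = field(default_factory=set)   # users present in that registry


@dataclass
class DeploymentEnvironment:
    name: str
    admin_user: str                # deployment environment administrator
    clusters: dict                 # cluster name -> host names of its members
    cluster_domains: dict          # cluster name -> security domain it is mapped to
    bus_domains: dict              # SI bus name -> security domain it is mapped to
    virtual_host: str              # value passed to BPMConfig -virtualHost
    host_aliases: set              # (host, port) aliases defined on the virtual host
    wc_defaulthost_secure: int = 9443
    wc_defaulthost: int = 9080
    http_server_host: str = None   # external HTTP server host, if one is used


def expected_aliases(de):
    """Aliases the virtual host needs: every cluster member on its WC_defaulthost_secure
    and WC_defaulthost ports, plus the external HTTP server on 80 and 443."""
    aliases = set()
    for members in de.clusters.values():
        for host in members:
            aliases.add((host, de.wc_defaulthost_secure))
            aliases.add((host, de.wc_defaulthost))
    if de.http_server_host:
        aliases.add((de.http_server_host, 80))
        aliases.add((de.http_server_host, 443))
    return aliases


def check_cell_plan(domains, des, shared_web_server=True):
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    by_name = {d.name: d for d in domains}
    realm_owner, domain_owner, vhost_owner = {}, {}, {}
    for d in domains:                       # dedicated registries need unique realm names
        if d.realm in realm_owner:
            findings.append("realm '%s' is used by both %s and %s"
                            % (d.realm, realm_owner[d.realm], d.name))
        realm_owner.setdefault(d.realm, d.name)
    for de in des:
        mapped = set(de.cluster_domains.values()) | set(de.bus_domains.values())
        if len(mapped) != 1:                # all clusters and buses -> one domain
            findings.append("%s: clusters and buses map to %s, expected one security domain"
                            % (de.name, sorted(mapped)))
        else:
            (domain_name,) = mapped
            if domain_name in domain_owner:  # the domain is dedicated, not shared
                findings.append("%s: security domain '%s' is already used by %s"
                                % (de.name, domain_name, domain_owner[domain_name]))
            domain_owner.setdefault(domain_name, de.name)
            domain = by_name.get(domain_name)
            if domain is None:
                findings.append("%s: security domain '%s' does not exist" % (de.name, domain_name))
            elif de.admin_user not in domain.users:   # users must exist in the registry
                findings.append("%s: admin user '%s' is not in realm '%s'"
                                % (de.name, de.admin_user, domain.realm))
        if shared_web_server and de.virtual_host in vhost_owner:   # one vhost per DE
            findings.append("%s: virtual host '%s' is already used by %s"
                            % (de.name, de.virtual_host, vhost_owner[de.virtual_host]))
        vhost_owner.setdefault(de.virtual_host, de.name)
        for host, port in sorted(expected_aliases(de) - de.host_aliases):
            findings.append("%s: virtual host '%s' lacks alias %s:%d"
                            % (de.name, de.virtual_host, host, port))
    return findings


def sample_plan(broken=False):
    """Constructed cell with two environments behind one web server; broken=True
    reproduces the mistakes the checks are meant to catch."""
    domains = [SecurityDomain("de1Domain", "depenv1_realm", {"de1Admin"}),
               SecurityDomain("de2Domain", "depenv1_realm" if broken else "depenv2_realm", {"de2Admin"})]
    hosts = ["bpm-node1.example.com", "bpm-node2.example.com"]
    de1 = DeploymentEnvironment("de1", "de1Admin", {"de1.AppTarget": hosts},
                                {"de1.AppTarget": "de1Domain"}, {"BPM.de1.Bus": "de1Domain"},
                                "vh_de1", set(), http_server_host="ihs.virtual.host.for.de1.example.com")
    de1.host_aliases = expected_aliases(de1)
    de2 = DeploymentEnvironment("de2", "de2Admin", {"de2.AppTarget": hosts},
                                {"de2.AppTarget": "de2Domain"},
                                {"BPM.de2.Bus": "de1Domain" if broken else "de2Domain"},
                                "vh_de1" if broken else "vh_de2", set(), 9444, 9081,
                                "ihs.virtual.host.for.de2.example.com")
    de2.host_aliases = expected_aliases(de2)
    if broken:
        de2.host_aliases.discard(("bpm-node2.example.com", 9444))
    return domains, [de1, de2]


if __name__ == "__main__":
    for line in check_cell_plan(*sample_plan(broken=True)):
        print(line)
```

Running the script prints the four findings for the deliberately broken plan (a shared realm name, a bus mapped into another environment's domain, a reused virtual host, and a missing member alias); with shared_web_server=False the virtual host check is skipped because each environment then has its own web server.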
- To have a user from the security domain of the deployment environment in the bus connector role, you must replace the user in the bus connector role with the users from the realm of the security domain. For each user:
  - Click Service integration > Buses > BPM.yourDE.Bus > Security > Users and groups in the bus connector role.
  - Select the user from the global realm, for example de1Admin, and click Delete.
  - Click New.
  - Select Users and click Next.
  - Select the user from the security domain realm.
- Click Security > Global security > Custom Properties and add the com.ibm.websphere.security.useAppContextForServletInit custom property to global security with the value true:
  com.ibm.websphere.security.useAppContextForServletInit = true
- Configure trusted authentication realms:
  - Click Security > Global security > Configure > Trusted authentication realms - inbound.
  - Select the realm name that is associated with the security domain and click Trusted.
- Configure Virtual Member Manager (VMM) access for the security domain:
  - From the Deployment Manager, launch wsadmin with the following command:
    wsadmin -lang jython -user AdminUserID -password AdminUserIDPassword
  - At the wsadmin prompt, run the following command:
    AdminTask.mapIdMgrGroupToRole('[-roleName IdMgrReader -groupId ALLAUTHENTICATED -securityDomainName your_security_domain_name]')
  - Save the configuration changes by running the following command:
    AdminConfig.save()
Note: The next steps are required only if you want to have dedicated administrators for each deployment environment.
- For each deployment environment, create at least one dedicated WebSphere Application Server user that is used to perform WebSphere Application Server administrative functions from either the administrative console or the wsadmin system management scripting interface. The user must be created in the global user registry, because only a cell-scope user is allowed to run wsadmin. If you are using the file registry:
  - Click Users and Groups > Manage Users > Create.
  - Create four additional users for each deployment environment. For example:
    - de1WASAdministrator
    - de1WASDeployer
    - de1WASMonitor
    - de1WASOperator
- Create a dedicated Administrative Authorization Group (AAG) for each deployment environment:
  - Click Security > Administrative Authorization Groups > New and input a name for the AAG.
  - Click the new AAG.
  - Expand Clusters and select all clusters that belong to the deployment environment.
  - Expand Business-level applications and select all business-level applications that belong to the deployment environment.
  - Expand Applications and select all applications that belong to the deployment environment.
    Note: Do not map any nodes or node groups.
  - Save and synchronize your changes.
  - Click Administrative user roles and click Add.
  - Assign administrative roles to users:
    - de1WASAdministrator - Administrator
    - de1WASDeployer - Deployer
    - de1WASMonitor - Monitor
    - de1WASOperator - Operator
  - Add the de1Admin@depenv1_realm deployment environment administrator with the following privileges:
    - Operator
    - Deployer
    - Configurator
    - Monitor
    - Administrator
    - Admin Security Manager
    Note: The security domain realm must be selected when adding the de1Admin@depenv1_realm user.
- You can have different user registries in an environment with multiple security domains. To perform certain Process Admin LifeCycle (PAL) administrative functions you must have a user in the security domain of the deployment environment. However, to connect to the wsadmin scripting interface or to call MBeans, the user must be in the user registry of the global security domain. The BPMAdminJobUser role maps to an authentication alias for a user that requires the authority to perform actions on the Process Admin LifeCycle (PAL) Admin task. If specified, the system will execute PAL actions from the MBean of type PALService as this user. Create a J2C authentication alias for the BPMAdminJobUser role:
  - Click Security > Global security > Java Authentication and Authorization Service > J2C authentication data.
  - Click New and specify an arbitrary alias name, and the deployment environment administrator user ID and password.
    Note: You must use the password that was specified for the deployment environment administrator during the deployment environment creation.
  - Map the J2C authentication alias to the BPMAdminJobUser role:
    - Click Servers > Deployment Environment > yourDE > Authentication Aliases.
    - Select the new J2C authentication alias and map it to the BPMAdminJobUser role.
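The VMM mapping and the Administrative Authorization Group steps above are repeated for every deployment environment, so they are usually scripted. The following wsadmin Jython script is an added example and is not part of the IBM documentation or of IBM BPM. It runs the page's own AdminTask.mapIdMgrGroupToRole command and then creates the AAG, adds the environment's clusters and applications to it (never nodes or node groups, as the Note above requires), and maps the four WebSphere users and the deployment environment administrator to their roles. The AdminTask commands createAuthorizationGroup, addResourceToAuthorizationGroup and mapUsersToAdminRole, their parameter names, the Cluster= and Application= resource-name forms and the lowercase role names are taken from the WebSphere Application Server wsadmin reference and are assumptions as far as this page is concerned; confirm them on your version with AdminTask.help('commandName'). The user@realm form for the deployment environment administrator is an assumption that mirrors the realm selection in the console, business-level applications are left to the console step, and de1_SampleApp is a placeholder application name.

```python
"""Added example, not part of the IBM BPM documentation: wsadmin Jython script
that scripts the VMM IdMgrReader mapping and the dedicated Administrative
Authorization Group (AAG) for one deployment environment.

Assumptions (not from this page): the AdminTask commands and parameter names
below follow the WebSphere Application Server wsadmin reference; verify them
with AdminTask.help('commandName'). The user@realm form for the deployment
environment administrator mirrors the console's realm selection. All de1 names
are sample values and de1_SampleApp is a placeholder.

Run under wsadmin:
  wsadmin.sh -lang jython -user AdminUserID -password AdminUserIDPassword -f aag_for_de.py
Written for the Jython level shipped with wsadmin (no f-strings, no comprehensions).
"""

# Roles as the page assigns them to the four dedicated WebSphere users.
WAS_USER_ROLES = [
    ('de1WASAdministrator', 'administrator'),
    ('de1WASDeployer', 'deployer'),
    ('de1WASMonitor', 'monitor'),
    ('de1WASOperator', 'operator'),
]
# The deployment environment administrator gets all six roles listed on the page.
DE_ADMIN_ROLES = ['operator', 'deployer', 'configurator', 'monitor',
                  'administrator', 'adminsecuritymanager']


def vmm_reader_mapping_args(security_domain):
    """Argument string for AdminTask.mapIdMgrGroupToRole, exactly as on this page."""
    return ('[-roleName IdMgrReader -groupId ALLAUTHENTICATED '
            '-securityDomainName %s]' % security_domain)


def aag_commands(de_name, clusters, applications, was_user_roles, de_admin, realm):
    """Return (AdminTask command name, argument string) pairs in execution order."""
    aag = '%sAAG' % de_name
    cmds = [('createAuthorizationGroup', '[-authorizationGroupName %s]' % aag)]
    # Only clusters and applications of the environment are added; the page says
    # not to map nodes or node groups, so no Node= resource is ever produced.
    for cluster in clusters:
        cmds.append(('addResourceToAuthorizationGroup',
                     '[-authorizationGroupName %s -resourceName Cluster=%s]' % (aag, cluster)))
    for app in applications:
        cmds.append(('addResourceToAuthorizationGroup',
                     '[-authorizationGroupName %s -resourceName Application=%s]' % (aag, app)))
    for user, role in was_user_roles:
        cmds.append(('mapUsersToAdminRole',
                     '[-authorizationGroupName %s -roleName %s -userids %s]' % (aag, role, user)))
    # Assumption: user@realm selects the administrator from the security domain realm.
    for role in DE_ADMIN_ROLES:
        cmds.append(('mapUsersToAdminRole',
                     '[-authorizationGroupName %s -roleName %s -userids %s@%s]'
                     % (aag, role, de_admin, realm)))
    return cmds


def run(admin_task, admin_config, security_domain, cmds):
    """Execute against the live objects wsadmin injects, then save the configuration."""
    admin_task.mapIdMgrGroupToRole(vmm_reader_mapping_args(security_domain))
    for name, args in cmds:
        getattr(admin_task, name)(args)
    admin_config.save()


# Constructed sample input for de1; de1_SampleApp is a placeholder application name.
SAMPLE_CMDS = aag_commands('de1', ['de1.AppTarget'], ['de1_SampleApp'],
                           WAS_USER_ROLES, 'de1Admin', 'depenv1_realm')

try:
    AdminTask          # defined only when this file runs under wsadmin
except NameError:
    AdminTask = None
if AdminTask is not None:
    run(AdminTask, AdminConfig, 'your_security_domain_name', SAMPLE_CMDS)
    try:
        AdminNodeManagement.syncActiveNodes()   # wsadmin script library: synchronize nodes
    except NameError:
        print('AdminNodeManagement not loaded: synchronize the nodes from the console')
```

Outside wsadmin the script only builds the command list, which makes it easy to review the exact arguments before running them against the cell; under wsadmin it executes them, saves, and synchronizes the nodes as the "Save and synchronize your changes" step requires.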
- Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring endpoints to match your topology.
Parent topic: Configuring multiple deployment environments