Configuring VMM and IBM Business Process Manager for optimized group membership synchronization

Use this task to configure Virtual Member Manager (VMM) and IBM® Business Process Manager for optimized group membership synchronization.

About this task

To configure VMM and IBM Business Process Manager for optimized group membership synchronization, you make all file changes in the deployment manager profile (DmgrProfile). After you are finished, you stop the JVMs, deployment manager, and node agents, and then you restart the deployment manager, synchronize the node agents, and start the servers.

Procedure

  1. Check whether each attached LDAP directory exposes, on a group entry, an attribute that lists all direct and indirect user members. For example, IBM Tivoli Directory Server exposes the ibm-allMembers attribute on group entries; it can be queried directly to retrieve all user members of the group.
    • If such an attribute exists, make sure that it is configured for user member retrieval (see step 3).
    • If no such attribute exists, use in the subsequent steps the LDAP attribute that identifies the user or subgroup members of a group entry in the LDAP directory; for example, members or uniqueMembers.
  2. Define a VMM property that identifies one of the following:
    • All user members of a Group entity; this property is referred to below as groupusermember.
    • The direct user and subgroup members of a Group entity; this property is referred to below as groupmember.

    Extend the VMM entity type Group with an extra property named groupusermember or groupmember. The extension file is called wimxmlextension.xml and is located in the BPM_install_dir/profiles/profile/config/cells/cell/wim/model directory, where BPM_install_dir is the directory in which IBM Business Process Manager is installed. If the directory contains no such file, create a file called wimxmlextension.xml. For example: IBM/BPM/v8.5/profiles/DmgrProfile/config/cells/PCCell1/wim/model/wimxmlextension.xml

    In a cluster, the wimxmlextension.xml file is located in the deployment manager for each server of the cluster.

    The file must contain the extension definition:

    <sdo:datagraph xmlns:sdo="commonj.sdo"
        xmlns:wim="http://www.ibm.com/websphere/wim">
      <wim:schema>
        <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
            multiValued="true" propertyName="groupusermember">
          <wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
        </wim:propertySchema>
      </wim:schema>
    </sdo:datagraph>

    or

    <sdo:datagraph xmlns:sdo="commonj.sdo"
        xmlns:wim="http://www.ibm.com/websphere/wim">
      <wim:schema>
        <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
            multiValued="true" propertyName="groupmember">
          <wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
        </wim:propertySchema>
      </wim:schema>
    </sdo:datagraph>
  3. For each LDAP directory that is configured for VMM, define the mapping between the VMM property name (groupusermember or groupmember) and the corresponding LDAP attribute; for example, ibm-allMembers or uniqueMembers. In the BPM_install_dir/profiles/profile/config/cells/cell/wim/config/wimconfig.xml file (in a cluster, on the deployment manager for each server of the cluster), include the following entry:

    <config:repositories xsi:type="config:LdapRepositoryType" ...>
      ...
      <config:attributeConfiguration>
        ...
        <config:attributes name="ibm-allMembers" propertyName="groupusermember">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        ...
      </config:attributeConfiguration>
    </config:repositories>

    or

    <config:repositories xsi:type="config:LdapRepositoryType" ...>
      ...
      <config:attributeConfiguration>
        ...
        <config:attributes name="uniqueMembers" propertyName="groupmember">
          <config:entityTypes>Group</config:entityTypes>
        </config:attributes>
        ...
      </config:attributeConfiguration>
    </config:repositories>
  4. For each LDAP directory that is configured for VMM, tune the LDAP configuration in the wimconfig.xml file so that all groups can be retrieved in one VMM query.

    Refer to the VMM tuning documentation. Select an appropriate value for configurationProvider->maxSearchResults and adapt other values, such as ldapServers->connectTimeout and attributesCache->cacheSize, as necessary.

  5. Enable IBM BPM to use the groupusermember or groupmember property. In the 100Custom.xml file, include the following entry:

    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <group-user-member-prop>groupusermember</group-user-member-prop>
        </vmm-options>
      </security>
    </common>

    or

    <common merge="mergeChildren">
      <security>
        <vmm-options>
          <group-member-prop>groupmember</group-member-prop>
        </vmm-options>
      </security>
    </common>

    A sample 100Custom.xml file is located on the deployment manager, in the BPM_install_dir/profiles/profile/config/cells/cell/nodes/node/servers/server/process-center|process-server/config directory. For example: C:/IBM/BPM/v8.5/profiles/DmgrProfile/config/cells/PCCell1/nodes/Node1/servers/ProcessServer.AppCluster.Node1.0/process-server/config/100Custom.xml
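Steps 1 to 5 only take effect if the three files agree on the property name: wimxmlextension.xml must declare it for entity type Group, wimconfig.xml must map it to an LDAP attribute for Group, and 100Custom.xml must reference the same name under the matching vmm-options element (group-user-member-prop for groupusermember, group-member-prop for groupmember). The following Python script is an added example, not IBM code: it applies the step 1 decision to a constructed LDIF group entry and cross-checks constructed copies of the three files. The DNs, the repository id, the namespace URI on the config: prefix and the file contents are assumptions made for this example; the real files live in the deployment manager profile paths given above.

```python
import xml.etree.ElementTree as ET

# VMM property name -> element expected under <vmm-options> in 100Custom.xml
CUSTOM_ELEMENT = {"groupusermember": "group-user-member-prop",
                  "groupmember": "group-member-prop"}

# Constructed LDIF group entries (sample data; the DNs are assumptions).
GROUP_WITH_ALLMEMBERS = """dn: cn=bpmusers,ou=groups,o=example
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,o=example
uniqueMember: cn=bpmadmins,ou=groups,o=example
ibm-allMembers: uid=alice,ou=people,o=example
ibm-allMembers: uid=carol,ou=people,o=example"""
GROUP_DIRECT_ONLY = """dn: cn=bpmusers,ou=groups,o=example
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,o=example"""

# Constructed copies of the files from steps 2, 3 and 5 (the config namespace
# URI and the repository id are assumptions for this example).
WIMXMLEXTENSION = """<sdo:datagraph xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
  <wim:schema>
    <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="STRING"
        multiValued="true" propertyName="groupusermember">
      <wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
    </wim:propertySchema>
  </wim:schema>
</sdo:datagraph>"""
WIMCONFIG = """<config:repositories xmlns:config="http://www.ibm.com/websphere/wim/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="config:LdapRepositoryType" id="LDAP1">
  <config:attributeConfiguration>
    <config:attributes name="ibm-allMembers" propertyName="groupusermember">
      <config:entityTypes>Group</config:entityTypes>
    </config:attributes>
  </config:attributeConfiguration>
</config:repositories>"""
CUSTOM_OK = """<common merge="mergeChildren"><security><vmm-options>
  <group-user-member-prop>groupusermember</group-user-member-prop>
</vmm-options></security></common>"""
CUSTOM_MISMATCH = """<common merge="mergeChildren"><security><vmm-options>
  <group-member-prop>groupmember</group-member-prop>
</vmm-options></security></common>"""

def local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]

def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: lowercased attribute -> values."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def choose_property(group_attrs):
    """Step 1: prefer an attribute that already lists all (direct and nested)
    user members; otherwise fall back to the direct member attribute
    (uniqueMember and member are the standard LDAP schema names)."""
    if "ibm-allmembers" in group_attrs:
        return "groupusermember", "ibm-allMembers"
    for attr in ("uniqueMembers", "members", "uniqueMember", "member"):
        if attr.lower() in group_attrs:
            return "groupmember", attr
    return None

def group_elements(xml_text, tag, type_tag):
    """Yield elements named `tag` whose `type_tag` children include Group."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == tag and "Group" in {
                (c.text or "").strip() for c in el if local(c.tag) == type_tag}:
            yield el

def audit(wimxmlextension_xml, wimconfig_xml, custom_xml):
    """Cross-check steps 2, 3 and 5; an empty list means the files agree."""
    declared = {el.get("propertyName"): el.get("multiValued") == "true"
                for el in group_elements(wimxmlextension_xml, "propertySchema",
                                         "applicableEntityTypeNames")}
    mapped = {el.get("propertyName"): el.get("name")
              for el in group_elements(wimconfig_xml, "attributes", "entityTypes")}
    custom = {c.tag: (c.text or "").strip()
              for opts in ET.fromstring(custom_xml).iter("vmm-options") for c in opts}
    chosen = [p for p in declared if p in CUSTOM_ELEMENT]
    if not chosen:
        return ["wimxmlextension.xml declares neither groupusermember nor groupmember for Group"]
    findings = []
    for prop in chosen:
        elem = CUSTOM_ELEMENT[prop]
        if not declared[prop]:
            findings.append(f"{prop} must be declared multiValued=\"true\"")
        if prop not in mapped:
            findings.append(f"wimconfig.xml has no Group attribute mapping for {prop}")
        if custom.get(elem) != prop:
            findings.append(f"100Custom.xml needs <{elem}>{prop}</{elem}>")
    for elem, value in custom.items():
        if elem in CUSTOM_ELEMENT.values() and value not in chosen:
            findings.append(f"100Custom.xml <{elem}> names undeclared property {value}")
    return findings

if __name__ == "__main__":
    print(choose_property(parse_ldif_entry(GROUP_WITH_ALLMEMBERS)))
    print(audit(WIMXMLEXTENSION, WIMCONFIG, CUSTOM_OK) or "configuration consistent")
    print(audit(WIMXMLEXTENSION, WIMCONFIG, CUSTOM_MISMATCH))
```

To check a real installation, read the three files from the deployment manager profile into the same functions instead of the embedded strings; a non-empty findings list names the file that has to be corrected before the servers are restarted in step 7. Matching on local element names keeps the audit independent of the exact namespace prefixes used in wimconfig.xml.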

  6. After all files are created or updated, stop all IBM BPM JVMs, the node agents, and the deployment manager.
  7. Start the servers in the following order by running the appropriate commands:
    1. Start the deployment manager.
    2. Run the syncNodes command in the node profile. For more information, see the WebSphere® Application Server synchronization process page.
    3. Start the node agent.
    4. Start the messaging servers.
    5. Start the AppTarget servers.
    6. Start the Support server.