BPM Administration
Software Release 1.0.3
December 2010
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED
ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED
SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR
ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A
LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE
AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER
LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE
SOFTWARE (AND WHICH IS DUPLICATED IN LICENSE.PDF) OR IF THERE IS NO SUCH SOFTWARE
LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED
IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS
AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN
AGREEMENT TO BE BOUND BY THE SAME.
This document contains confidential information that is subject to U.S. and international copyright laws and
treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO
Software Inc.
TIB, TIBCO, TIBCO Adapter, Predictive Business, Information Bus, The Power of Now, TIBCO ActiveMatrix and
TIBCO Silver are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or
other countries.
All other product and company names and marks mentioned in this document are the property of their
respective owners and are mentioned for identification purposes only.
THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL
OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME
TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC
OPERATING SYSTEM PLATFORM.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS.
CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE
INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE
IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN
THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR
INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING
BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
Copyright © 2005-2010 TIBCO Software Inc. ALL RIGHTS RESERVED.
TIBCO Software Inc. Confidential Information
Contents
Preface 5
  Typographical Conventions 6
  How to Contact TIBCO Support 8
Chapter 4 SSL 21
  Creating a Server-Side Key Store 22
  Creating a Client-Side Key Store 23
  Creating a KeyStore Provider for the Server-as-Client Trust Store 25
  Creating an Instance of the Server-as-Client KeyStore Provider 27
  Creating a KeyStore Provider for the Server Key Store 29
  Creating an Instance of the Server's KeyStore Provider 31
  Amending the SSL Server Provider 33
  Amending the SSL Client Provider 35
  Amending the Identity Provider 37
  Re-Installing Affected Resource Instances 38
Index 41
Preface
This document covers the information you need to administer BPM using TIBCO
ActiveMatrix.
For more information on any of the subjects covered here, see the Administrator
interface documentation for your BPM runtime environment.
Topics
• Typographical Conventions, page 6
• How to Contact TIBCO Support, page 8
Typographical Conventions
Convention Use
code font
Code font identifies commands, code examples, filenames, pathnames, and output
displayed in a command window. For example:
Use MyCommand to start the foo process.
Key combinations
Key names separated by a plus sign indicate keys pressed simultaneously. For
example: Ctrl+C.
Key names separated by a comma and space indicate keys pressed one after the
other. For example: Esc, Ctrl+Q.
Note icon
The note icon indicates information that is of special interest or importance, for
example, an additional action required only in certain circumstances.
Tip icon
The tip icon indicates an idea that could be useful, for example, a way to apply
the information provided in the current section to achieve a specific result.
Warning icon
The warning icon indicates the potential for a damaging situation, for example,
data loss or corruption if certain steps are taken or not taken.
[ ]
An optional item in a command or code syntax. For example:
MyCommand [optional_parameter] required_parameter
|
A logical 'OR' that separates multiple items of which only one may be chosen.
For example, you can select only one of the following parameters:
MyCommand param1 | param2 | param3
In the next example, the command requires two parameters. The first parameter
can be either param1 or param2 and the second can be either param3 or param4:
MyCommand {param1 | param2} {param3 | param4}
In the next example, the command can accept either two or three parameters.
The first parameter must be param1. You can optionally include param2 as the
second parameter. The last parameter is either param3 or param4.
MyCommand param1 [param2] {param3 | param4}
How to Contact TIBCO Support
For comments or problems with this manual or the software it addresses, please
contact TIBCO Support as follows.
• For an overview of TIBCO Support, and information about getting started
with TIBCO Support, visit this site:
http://www.tibco.com/services/support
• If you already have a valid maintenance or support contract, visit this site:
https://support.tibco.com
Entry to this site requires a user name and password. If you do not have a user
name, you can request one.
Chapter 1 Configuring an LDAP Shared Resource
This chapter describes how you can set up a shared resource in order to use an
LDAP server to manage identities in a BPM system.
For more information on any of the subjects covered here, see the Administrator
interface documentation for your BPM runtime environment.
Topics
• Introduction, page 10
• Adding and Using New Shared Resource Information, page 11
• Creating a new LDAP Authenticator for Login Requests, page 12
Introduction
Adding and Using New Shared Resource Information
To make the new instance available in the list of LDAP sources that is displayed in
Workspace, you may need to close and restart Workspace. It then reloads the list
of LDAP sources, including the new one.
The new Active Directory resource instance is used to create a new LDAP
container. See the TIBCO Workspace User’s Guide for a full description of creating
LDAP containers.
You can then map resources from this Active Directory container to positions and
groups in the organization model, in the normal way as shown in the following
illustration. See the TIBCO Workspace User’s Guide for a full description of
mapping resources.
Creating a new LDAP Authenticator for Login Requests
You need to add an LDAP authenticator for a shared resource to enable logins.
2. Drill down in the View in the left-hand pane until you can see the
SharedResourceComposite node options on the right.
3. Click BPMNode in the Available Nodes list and move it to the Selected
Nodes list.
4. Click Save.
Using Properties Files
All properties files except de.properties are fully annotated, and it is unlikely
that you will need to change them. If you do, refer to the annotations for
further information. The following table describes the properties listed in
de.properties. Unless otherwise specified, each property is set to the default
value shown.
Logging
TIBCO ActiveMatrix Administrator provides you with different types and levels
of logging information depending on your requirements.
Loggers
Loggers define which component(s) of BPM are being logged and at which level.
By default you are provided with the following 3 loggers:
• com.tibco.bx
• com.tibco.pvm
• com.tibco.n2
The Logger Name you choose restricts the logs you receive to particular
components.
You can edit the level of logging information you require in TIBCO ActiveMatrix
Administrator.
You can also add new Logger Names. See the Administrator interface
documentation for your BPM runtime environment for more information.
Appenders
Appenders define where the logging you generate goes. For BPM there are two
pre-defined Appenders: one for BPM components (the Work Manager Appender)
and one for process-related logging (the Process Engine Appender).
Both the com.tibco.bx and com.tibco.pvm Loggers send their output to the
Process Engine Appender (the log file is called ProcessEngine.log).
The com.tibco.n2 Logger sends its output to the Work Manager Appender (the
log file is called WorkForceManagement.log). Both log files are found in
<installation home directory>\config\tibcohost\TibcoHostInstance\nodes\BPMNode\logs.
Defining Where your Logging Output is Stored
You can choose which appender your logging output is sent to:
1. Log in to TIBCO ActiveMatrix Administrator.
2. Select Applications.
3. Select amx-bpm-app.
4. Select Configuration and then Logging Configurations. You will see the 3
loggers supplied by default.
5. Select com.tibco.n2.
6. Click on the Appender column to see a drop-down of the available appenders.
The default appender for com.tibco.n2 is the Work Manager Appender.
7. Select the appender you require and click Save.
Chapter 4 SSL
This chapter describes how you can configure your environment to use your own
security certificate.
With the "out-of-the-box" configuration, the server presents a certificate that
has not been signed by a Certificate Authority (CA), so when you first log in to
Workspace or Openspace the browser warns you that the certificate is
"untrusted". To continue, you must tell the browser to accept the certificate;
the instructions vary according to browser type. Accepting the certificate in
this way gives you no assurance that the browser is talking to the real server,
and it trains users to click through exactly the warning that a man-in-the-middle
attacker would produce.
Ideally, you will install/provision your own CA-signed certificate, and the
browser will not present any warning dialog.
Topics
• Creating a Server-Side Key Store, page 22
• Creating a Client-Side Key Store, page 23
• Creating a KeyStore Provider for the Server-as-Client Trust Store, page 25
• Creating an Instance of the Server-as-Client KeyStore Provider, page 27
• Creating a KeyStore Provider for the Server Key Store, page 29
• Creating an Instance of the Server's KeyStore Provider, page 31
• Amending the SSL Server Provider, page 33
• Amending the SSL Client Provider, page 35
• Amending the Identity Provider, page 37
• Re-Installing Affected Resource Instances, page 38
Creating a Server-Side Key Store
The following command-line example uses the Java utility keytool to create (or
update) a key store named "server-side.jks", adding a self-signed certificate
under the alias "bpm-swindon-server". The password to access the key store is
"password"; the password to access the key under that alias is "server123". These
are example values only. Choose your own, and note that the key password is the
value you will later enter in the SSL Server Provider, while the key store
password is the value you enter in the KeyStore Provider.
The dname (Distinguished Name) identifies the owner of the certificate and, as
this is a self-signed certificate, also the issuer. The Common Name (CN) value of
this name was traditionally used by browsers to verify the host to which the
browser is connecting: the browser raises a warning if the name of the host from
which the certificate was received does not match the CN value. Current browsers
ignore the CN for this purpose and match the host name against the certificate's
Subject Alternative Name (SAN) extension instead, so include a SAN holding the
host name when you generate the certificate.
The following command can be used to list the content of the key store (output
may vary).
The client-side key store holds the certificates (public keys only) that the
client trusts. The following commands export the certificate created above from
the server-side key store and import it into a client-side key store.
Having exported the certificate, you can import it into the client-side key store.
The following command creates, or updates, the key store named "client-side.jks",
adding the trusted certificate given in the file named "server.cert" under the
alias "bpm-swindon-server". The password used to access the key store is
"password". No password is needed for the certificate, because a
trusted-certificate entry contains no private key.
The following command can be used to confirm the addition of the certificate to
the client's key store (output may vary).
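The keytool workflow described in the two sections above (server-side key store, exported certificate, client-side trust store), written out as an added example. This script is not part of the TIBCO documentation. The alias, file names and passwords are the example values from the text; the host name, the DN components other than CN, the RSA key size, validity, SAN extension and the explicit -storetype JKS (JDK 9 and later default to PKCS12, which would not match the Type = JKS set in the KeyStore Provider) are this example's own choices. It finishes with a check the text does not show: that the entry the client now trusts has the same SHA-256 fingerprint as the server's key entry.

```shell
#!/bin/sh
# Added example, not part of the TIBCO documentation: the keytool workflow
# described above (server-side key store, exported certificate, client-side
# trust store), followed by a check that the entry the client now trusts is
# exactly the certificate exported from the server-side key store.
# Alias, file names and passwords are the example values from the text.
# HOST, the DN components other than CN, the key algorithm, validity and SAN
# extension are this example's own assumptions. Needs a Java 8+ JDK on PATH.
set -u

SSL_DIR="${SSL_DIR:-./SSL}"                 # the text uses C:\SSL
ALIAS="bpm-swindon-server"
STORE_PASS="password"                       # key store password (example only)
KEY_PASS="server123"                        # private key password (example only)
HOST="${HOST:-bpm-swindon.example.com}"     # assumed host name; use your own
DNAME="CN=$HOST, OU=BPM, O=Example Ltd, L=Swindon, C=GB"   # assumed DN

# Wrapper around keytool: with DRY_RUN=1 it prints the command instead.
kt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'keytool'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'
        return 0
    fi
    keytool "$@"
}

# 1. Create (or update) the server-side key store with a self-signed
#    certificate under the alias. -storetype JKS is explicit because JDK 9+
#    defaults to PKCS12 while the KeyStore Provider template uses Type = JKS.
#    The SAN carries the host name; current browsers ignore the CN for
#    host-name matching.
create_server_keystore() {
    kt -genkeypair -storetype JKS -keystore "$SSL_DIR/server-side.jks" \
       -storepass "$STORE_PASS" -alias "$ALIAS" -keypass "$KEY_PASS" \
       -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
       -dname "$DNAME" -ext "SAN=dns:$HOST"
}

# 2. Export the certificate (public part only; the private key never leaves
#    server-side.jks) to the file the client-side import reads.
export_server_cert() {
    kt -exportcert -keystore "$SSL_DIR/server-side.jks" -storepass "$STORE_PASS" \
       -alias "$ALIAS" -file "$SSL_DIR/server.cert"
}

# 3. Import it into the client-side key store as a trusted certificate.
#    No -keypass: a trusted-certificate entry holds no private key.
import_into_client_keystore() {
    kt -importcert -noprompt -storetype JKS -keystore "$SSL_DIR/client-side.jks" \
       -storepass "$STORE_PASS" -alias "$ALIAS" -file "$SSL_DIR/server.cert"
}

# List a key store, as the text does to confirm its content.
list_keystore() {   # $1 = key store file
    keytool -list -v -keystore "$1" -storepass "$STORE_PASS"
}

# SHA-256 fingerprint of the alias entry, taken from "keytool -list -v".
entry_fingerprint() {   # $1 = key store file
    keytool -list -v -keystore "$1" -storepass "$STORE_PASS" -alias "$ALIAS" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# 4. Check: the trusted entry must have the same fingerprint as the server's
#    key entry; anything else means the wrong certificate was imported.
verify_trust_store() {
    server_fp=$(entry_fingerprint "$SSL_DIR/server-side.jks")
    client_fp=$(entry_fingerprint "$SSL_DIR/client-side.jks")
    if [ -n "$server_fp" ] && [ "$server_fp" = "$client_fp" ]; then
        echo "MATCH $server_fp"
    else
        echo "MISMATCH server=$server_fp client=$client_fp"
        return 1
    fi
}

main() {
    mkdir -p "$SSL_DIR"
    create_server_keystore && export_server_cert && import_into_client_keystore \
        && list_keystore "$SSL_DIR/client-side.jks" && verify_trust_store
}

# Run only when invoked as "sh keystores.sh run", so the functions can also be
# sourced into another script.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as `sh keystores.sh run` (with SSL_DIR and HOST set to your own values) and keep server-side.jks readable only by the account that runs the TIBCO host, since it contains the private key; client-side.jks and server.cert contain nothing secret. Setting DRY_RUN=1 prints the three keytool commands without executing them, which is useful for transcribing them to a Windows command prompt.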
Creating a KeyStore Provider for the Server-as-Client Trust Store
Clients hold the certificates they trust in a KeyStore. In the case of an
SSL-enabled HttpClient, the client is the server itself, as it communicates with
another server. The following steps create a KeyStore Provider that manages the
KeyStore holding the certificates that the client will trust.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, opened in the lower panel, click New. This will
open a dialog to allow the creation of a new Resource Template.
Enter a name for the new client KeyStore Provider (this example will use
KeyStoreClient), and select KeyStore Provider in the Type drop-down.
The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to open the Key Store and access the entries
within it (the key store password, not the password of an individual key).
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the
earlier sections.
• URL = C:\SSL\client-side.jks
• Password = password
• Type = JKS
Creating an Instance of the Server-as-Client KeyStore Provider
Having created a template for the KeyStore Provider, we must now create an
instance. Select the menu option Infrastructure > Hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Click New in the list of instances, and a New Resource Instance dialog will
appear. In this dialog select Keystore Provider from the View drop-down, and
select the KeyStoreClient entry (the template created above) in the Type list
provided.
Now assign the instance to the BPMNode by selecting that node in the Available
Nodes and clicking the ">" button.
Click Save and Close.
Creating a KeyStore Provider for the Server Key Store
The server holds its own certificate in its own Key Store. In production this is
a certificate signed by a well-known Certificate Authority (for example
VeriSign); in the example it is the self-signed certificate created earlier. The
entry also holds the private key with which the server proves, during the SSL
handshake, that it is the legitimate holder of that certificate. Because this
Key Store contains the private key, restrict read access to the file to the
account that runs the TIBCO host.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, opened in the lower panel, click New. This will
open a dialog to allow the creation of a new Resource Template.
Enter a name for the new server KeyStore Provider (this example will use
KeyStoreServer), and select KeyStore Provider in the Type drop-down.
The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to open the Key Store and access the entries
within it (the key store password, not the password of an individual key).
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the
earlier sections.
• URL = C:\SSL\server-side.jks
• Password = password
• Type = JKS
Creating an Instance of the Server's KeyStore Provider
Having created a template for the KeyStore Provider, we must now create an
instance. Select the menu option Infrastructure > Hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Click New in the list of instances, and a New Resource Instance dialog will
appear. In this dialog select Keystore Provider from the View drop-down, and
select the KeyStoreServer entry in the Type list provided.
Now assign the instance to the BPMNode by selecting that node in the Available
Nodes and clicking the ">" button.
Click Save and Close.
Amending the SSL Server Provider
The SSL Server Provider provides SSL connectivity to the Http Connector. It holds
a reference to the KeyStore Provider in order to access the private key used to
enable SSL.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, select SSL Server Provider from the View
drop-down, and click the entry named SslServerRT.
This will present two tabs in the lower panel: General Configuration and
Advanced Configuration. Change the template to reference the server's KeyStore
Provider (KeyStoreServer in this example) and the alias and password of the key
held within that Key Store (bpm-swindon-server and server123 in this example).
The key password is not the same as the password used to access the Key Store
itself ("password" in this example), although the two values may be chosen to be
the same.
Amending the SSL Client Provider
The SSL Client Provider provides SSL connectivity to the Http Client, in much the
same way as the SSL Server Provider does for the Http Connector. It holds a
reference to the KeyStore Provider that manages the certificates the client trusts
(KeyStoreClient in this example) and, where mutual SSL is used between the client
and the server, to the key store holding the client's own public and private key
pair with which it authenticates itself to the server.
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, select SSL Client Provider from the View
drop-down, and click the entry named SslClientRT.
This will present two tabs in the lower panel: General Configuration and
Advanced Configuration. Change the template to reference the KeyStore Provider(s)
created above and, where a key entry is used, the alias and password of that key.
The key password is not the same as the password used to access the Key Store
itself, although the two values may be chosen to be the same (e.g. server123).
Amending the Identity Provider
Select the menu option Shared Objects > Resource Templates.
In the Resource Templates panel, select Identity Provider from the View
drop-down, and click the entry named LdapAspRT_IdentityRT. Update its references
to the Key Stores in the same way.
Re-Installing Affected Resource Instances
Having amended the Resource Templates, changing all the references to the Key
Stores and the keys held within them, the Shared Resource Instances must be
restarted (uninstalled and re-installed) so that they pick up the new
configuration.
The Shared Resource Instances can be accessed via the menu option
Infrastructure > Hosts.
Select AMXAdminHost and the lower panel will show the details of that host.
In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.
Search this list for the following named Resource Instances, and uninstall them
in the order listed by selecting them and clicking Uninstall. The order matters:
each instance is uninstalled before the instances it depends on (the Http
Connector before the SSL Server Provider it uses, and that before the KeyStore
Provider it references). You may need to click Refresh, to the right of the
panel, to verify that each instance has been uninstalled successfully.
The instances may show as "Out Of Sync", because their templates have been
modified.
1. httpConnector
2. OSHttpClientSharedResource
3. LdapAspRT_Identity
4. sslServerRI
5. SslClientRT
6. KeyStoreClient
7. KeyStoreServer
Once each instance has been uninstalled, they must be re-installed. Do this by
selecting the same entries in the reverse order (KeyStoreServer first,
httpConnector last) and clicking Install.
To help locate the Resource Instances, you can use the View drop-down box to
filter the list by type.
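Once the instances are re-installed, the check a practitioner wants is that the Http Connector actually presents the new certificate rather than the out-of-the-box one. The following added example (not part of the TIBCO documentation) does that with keytool's -printcert -sslserver option, which performs its own TLS handshake and prints the served certificate chain, and compares the leaf certificate's SHA-256 fingerprint with that of the exported server.cert file. The host name, port and file path in the usage line are assumptions; supply your own.

```shell
#!/bin/sh
# Added example, not part of the TIBCO documentation: after the Resource
# Instances have been re-installed, confirm that the HTTP Connector presents
# the certificate from server-side.jks rather than the out-of-the-box one.
# host:port and the location of the exported certificate file are arguments
# you supply; the values in the usage line below are assumptions.
# Needs a Java 8+ JDK on PATH.
set -u

# Normalise a fingerprint so values printed by different tools compare equal
# (keytool prints upper-case hex separated by colons; other tools vary).
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# SHA-256 fingerprint of the exported certificate file.
file_fingerprint() {    # $1 = certificate file, e.g. C:\SSL\server.cert
    keytool -printcert -file "$1" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# SHA-256 fingerprint of the leaf certificate actually served on host:port.
# keytool does its own TLS handshake, so no browser trust dialog gets in the
# way; Certificate #0 in its output is the server's own certificate.
served_fingerprint() {  # $1 = host:port of the HTTP Connector
    keytool -printcert -sslserver "$1" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# True (exit 0) when both fingerprints are present and denote the same
# certificate; an empty observed value means the handshake or parse failed.
fingerprints_match() {  # $1 = expected, $2 = observed
    [ -n "$1" ] && [ -n "$2" ] \
        && [ "$(normalise_fp "$1")" = "$(normalise_fp "$2")" ]
}

check_endpoint() {      # $1 = host:port, $2 = exported certificate file
    expected=$(file_fingerprint "$2")
    observed=$(served_fingerprint "$1")
    if fingerprints_match "$expected" "$observed"; then
        echo "OK: $1 presents the certificate in $2 (SHA-256 $expected)"
    else
        echo "FAIL: $1 presents '$observed', expected '$expected'"
        return 1
    fi
}

# Usage (assumed values): sh check-ssl.sh bpm-swindon.example.com:8443 ./SSL/server.cert
if [ $# -eq 2 ]; then
    check_endpoint "$1" "$2"
fi
```

A FAIL result after the re-install usually means that the instances were re-installed in the wrong order or that the SSL Server Provider still references the old KeyStore Provider; an empty observed fingerprint means the handshake itself failed, so check the port and that the httpConnector instance is running.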
Index
C
customer support 8
L
LDAP Authenticator Resource Template 12
LDAP Shared Resource Instance 11
LDAP Shared Resource Template 11
Logging 17
P
Properties Files 13
S
support, contacting 8
T
technical support 8