
TIBCO ActiveMatrix®

BPM Administration
Software Release 1.0.3
December 2010
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED
ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED
SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR
ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A
LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE
AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER
LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE
SOFTWARE (AND WHICH IS DUPLICATED IN LICENSE.PDF) OR IF THERE IS NO SUCH SOFTWARE
LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED
IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS
AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN
AGREEMENT TO BE BOUND BY THE SAME.
This document contains confidential information that is subject to U.S. and international copyright laws and
treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO
Software Inc.
TIB, TIBCO, TIBCO Adapter, Predictive Business, Information Bus, The Power of Now, TIBCO ActiveMatrix and
TIBCO Silver are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or
other countries.
All other product and company names and marks mentioned in this document are the property of their
respective owners and are mentioned for identification purposes only.
THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL
OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME
TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC
OPERATING SYSTEM PLATFORM.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS.
CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE
INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE
IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN
THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR
INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING
BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
Copyright © 2005-2010 TIBCO Software Inc. ALL RIGHTS RESERVED.
TIBCO Software Inc. Confidential Information

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Typographical Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
How to Contact TIBCO Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1 Configuring an LDAP Shared Resource. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Adding and Using New Shared Resource Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Add a New Shared Resource Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Add a New Shared Resource Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Use the LDAP Shared Resource in Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Creating a new LDAP Authenticator for Login Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Create an LDAP Authenticator Resource Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Add a New Resource Instance for this Authenticator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Deploy an Application to the BPMNode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Log in to Workspace as a User from this LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Chapter 2 BPM Properties Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13


Using Properties Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Chapter 3 Defining Logging Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17


Loggers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Appenders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Editing Logging Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Defining Where your Logging Output is Stored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 4 SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Creating a Server-Side Key Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Creating a Client-Side Key Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Creating a KeyStore Provider for the Server-as-Client Trust Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Creating an Instance of the Server-as-Client KeyStore Provider. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Creating a KeyStore Provider for the Server Key Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Creating an Instance of the Server's KeyStore Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Amending the SSL Server Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

BPM Administration
iv
| Contents
Amending the SSL Client Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Amending the Identity Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Re-Installing Affected Resource Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


Preface

This document covers information you may need to allow you to administer BPM
using TIBCO ActiveMatrix.
For more information on any of the subjects covered here, see the Administrator
interface documentation for your BPM runtime environment.

Topics

• Typographical Conventions, page 6
• How to Contact TIBCO Support, page 8


Typographical Conventions

The following typographical conventions are used in this manual.

Table 1 General Typographical Conventions

code font
    Code font identifies commands, code examples, filenames, pathnames, and
    output displayed in a command window. For example:
    Use MyCommand to start the foo process.

bold code font
    Bold code font is used in the following ways:
    • In procedures, to indicate what a user types. For example: Type admin.
    • In large code samples, to indicate the parts of the sample that are of
      particular interest.
    • In command syntax, to indicate the default parameter for a command. For
      example, if no parameter is specified, MyCommand is enabled:
      MyCommand [enable | disable]

italic font
    Italic font is used in the following ways:
    • To indicate a document title. For example: See TIBCO BusinessWorks Concepts.
    • To introduce new terms. For example: A portal page may contain several
      portlets. Portlets are mini-applications that run in a portal.
    • To indicate a variable in a command or code syntax that you must replace.
      For example: MyCommand pathname

Key combinations
    Key names separated by a plus sign indicate keys pressed simultaneously. For
    example: Ctrl+C.
    Key names separated by a comma and space indicate keys pressed one after the
    other. For example: Esc, Ctrl+Q.

Note icon
    The note icon indicates information that is of special interest or importance,
    for example, an additional action required only in certain circumstances.

Tip icon
    The tip icon indicates an idea that could be useful, for example, a way to apply
    the information provided in the current section to achieve a specific result.

Warning icon
    The warning icon indicates the potential for a damaging situation, for example,
    data loss or corruption if certain steps are taken or not taken.


Table 2 Syntax Typographical Conventions

[ ]
    An optional item in a command or code syntax.
    For example:
    MyCommand [optional_parameter] required_parameter

|
    A logical 'OR' that separates multiple items of which only one may be chosen.
    For example, you can select only one of the following parameters:
    MyCommand param1 | param2 | param3

{ }
    A logical group of items in a command. Other syntax notations may appear
    within each logical group.
    For example, the following command requires two parameters, which can be
    either the pair param1 and param2, or the pair param3 and param4.
    MyCommand {param1 param2} | {param3 param4}

    In the next example, the command requires two parameters. The first parameter
    can be either param1 or param2 and the second can be either param3 or param4:
    MyCommand {param1 | param2} {param3 | param4}

    In the next example, the command can accept either two or three parameters.
    The first parameter must be param1. You can optionally include param2 as the
    second parameter. The last parameter is either param3 or param4.
    MyCommand param1 [param2] {param3 | param4}


How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, please
contact TIBCO Support as follows.
• For an overview of TIBCO Support, and information about getting started
with TIBCO Support, visit this site:
http://www.tibco.com/services/support
• If you already have a valid maintenance or support contract, visit this site:
https://support.tibco.com
Entry to this site requires a user name and password. If you do not have a user
name, you can request one.


Chapter 1 Configuring an LDAP Shared Resource

This chapter describes how you can set up a shared resource in order to use an
LDAP server to manage identities in a BPM system.
For more information on any of the subjects covered here, see the Administrator
interface documentation for your BPM runtime environment.

Topics

• Introduction, page 10
• Adding and Using New Shared Resource Information, page 11
• Creating a new LDAP Authenticator for Login Requests, page 12


Introduction

Directory Engine allows organizational resources to be resolved from a
user-provided Directory Server. This Directory Server must be accessible using the
Lightweight Directory Access Protocol (LDAP). These LDAP sources are supplied
to Directory Engine by the TIBCO runtime as LDAP shared resources, which are
configured and administered by the TIBCO Administrator tool. Once configured,
LDAP shared resources allow a user to search, view and map organizational
resources resolved in the specified LDAP shared resource.
To enable an organizational resource to log in to BPM, a matching LDAP
authenticator must be provided by the TIBCO Administrator tool. This LDAP
authenticator must be given exactly the same name as the LDAP shared resource
the organizational resource was mapped from, with a prefix of auth-.
For example, if an organizational resource "Clint Hill" has been mapped from an
LDAP shared resource called "MyCompany", then for "Clint Hill" to log in a
matching LDAP authenticator named "amxbpm-auth-MyCompany" must also be
created.
This chapter covers:
• Adding and Using New Shared Resource Information
• Creating a new LDAP Authenticator for Login Requests


Adding and Using New Shared Resource Information

Add a New Shared Resource Template

See the Administrator interface documentation for your BPM runtime
environment for more information about resource templates, including
instructions on editing an existing resource template once you have created it.

Add a New Shared Resource Instance

Create and install a resource instance using the template you just created (the
LDAPQuery resource template).
See the Administrator interface documentation for your BPM runtime
environment for instructions on creating and installing resource instances.

Use the LDAP Shared Resource in Workspace

Once you have created the new shared resource instance, you can access it in
Workspace and use it to create new LDAP containers and map resources to
organization model entities.

To make the new instance available in the list of LDAP sources that is displayed in
Workspace, you may need to close and restart Workspace. It then reloads the list
of LDAP sources, including the new one.

The new Active Directory resource instance is used to create a new LDAP
container. See the TIBCO Workspace User’s Guide for a full description of creating
LDAP containers.
You can then map resources from this Active Directory container to positions and
groups in the organization model, in the normal way, as shown in the following
illustration. See the TIBCO Workspace User’s Guide for a full description of
mapping resources.


Creating a new LDAP Authenticator for Login Requests

You need to add an LDAP authenticator for a shared resource to enable logins.

Create an LDAP Authenticator Resource Template

Create and install an LDAP Authenticator resource template. See the
Administrator interface documentation for your BPM runtime environment for
instructions on creating and installing resource instances.

Add a New Resource Instance for this Authenticator

Create and install a resource instance using the template just created (the
LDAPAuthenticationProvider resource template). See the Administrator interface
documentation for your BPM runtime environment for instructions on creating
and installing resource instances.

Deploy an Application to the BPMNode

For information on creating, configuring and deploying an application, refer to
the Administrator interface documentation for your BPM runtime environment.
To deploy an application to the BPMNode:
1. Select the Distribution tab.
2. Drill down in the View in the left-hand pane until you can see the
   SharedResourceComposite node options on the right.
3. Click BPMNode in the Available Nodes list and move it to the Selected
   Nodes list.
4. Click Save.

Log in to Workspace as a User from this LDAP

It is now possible to log in to Workspace as a mapped user from this
LDAP container. See the TIBCO Workspace User’s Guide.


Chapter 2 BPM Properties Files

The BPM properties files are located in the following directory:

<installation root directory>/config/bpm/configuration

brm.properties                   BRM Engine properties file
dac.properties                   Deadline and Calendar properties file
de.properties                    Directory Engine properties file
EmailChannelProperties           Work Presentation Email Channel properties file
GIChannelProperties.properties   Work Presentation GI Channel properties file
WPProperties.properties          Work Presentation Core properties file


Using Properties Files

All properties files, except de.properties, are fully annotated and it is unlikely
you will need to change them. However, if you do, please refer to the annotations
for further information. The following table describes the properties listed in
de.properties. Unless specified, the property value is set to the default value
shown.

Table 1 Properties in de.properties

monitor.enable (default: false)
    Optional. Specifies that the framework should monitor the de.properties
    file for changes.

monitor.interval (default: 5 seconds)
    The frequency (in milliseconds) at which the framework should check the
    properties file for modifications.

SqlInClauseLimit (default: 900)
    The maximum number of elements used within an SQL "in" clause.

NamedEntityCacheSize (default: 50)
    The size of the NamedEntity ID sequence cache.

UserSettingCacheSize (default: 50)
    The size of the UserSetting ID sequence cache.

LdapIDCacheSize (default: 50)
    The size of the cache for the LDAP sequence ID numbers.

SystemActionCacheSize (default: 10)
    The size of the cache for the System Action sequence ID numbers.

SystemActionPrivilegeCacheSize (default: 50)
    The size of the cache for System Action or Privilege association sequence
    ID numbers.

LdapRetryAttempts (default: 5)
    The maximum number of attempts to reconnect to an LDAP server if the LDAP
    connection ends abruptly due to a failed connection or an LDAP server crash.

LdapRetryWait (default: 500)
    The time interval (in milliseconds) between each reconnection attempt.

IgnoreCaseOnLogin (default: false)
    Specifies if the authentication service should ignore the case of the
    login name.

LdapPageSize (default: 1000)
    Specifies whether paging of LDAP search results is supported, and the page
    size to be used. Paging is an LDAPv3 extension (RFC 2696). If the LDAP
    server used supports this extension, you can configure the page size by
    setting this property to a positive integer that specifies the maximum
    number of rows to be included in each page of the search results.
    For LDAP servers that do not support LDAPv3, set this property to -1 to
    disable paging.
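A check for the values in this table, as an added example that is not TIBCO code: a small reader for the Java properties format that de.properties uses, and a validator that applies the constraints the descriptions above state (booleans for monitor.enable and IgnoreCaseOnLogin, positive integers for the cache sizes and intervals, a positive integer or -1 for LdapPageSize), with the documented defaults filled in for anything the file leaves unset. The sample file is constructed. Note that the table gives the monitor.interval default as "5 seconds" while describing the value in milliseconds, so the check below only requires a positive integer for it.

```python
"""Parse and sanity-check a de.properties file (Directory Engine) against the
value constraints documented in Table 1. Added example: the checks, default
table and sample file are built from the table, not taken from TIBCO code."""
import re

# Defaults as listed in Table 1. "5 seconds" for monitor.interval is kept as 5;
# the table describes the value in milliseconds, so it is treated as an integer.
DEFAULTS = {
    "monitor.enable": "false",
    "monitor.interval": "5",
    "SqlInClauseLimit": "900",
    "NamedEntityCacheSize": "50",
    "UserSettingCacheSize": "50",
    "LdapIDCacheSize": "50",
    "SystemActionCacheSize": "10",
    "SystemActionPrivilegeCacheSize": "50",
    "LdapRetryAttempts": "5",
    "LdapRetryWait": "500",
    "IgnoreCaseOnLogin": "false",
    "LdapPageSize": "1000",
}

BOOLEAN_KEYS = {"monitor.enable", "IgnoreCaseOnLogin"}
POSITIVE_INT_KEYS = {
    "monitor.interval", "SqlInClauseLimit", "NamedEntityCacheSize",
    "UserSettingCacheSize", "LdapIDCacheSize", "SystemActionCacheSize",
    "SystemActionPrivilegeCacheSize", "LdapRetryWait",
}
NON_NEGATIVE_INT_KEYS = {"LdapRetryAttempts"}

# key=value, key:value or key value; the first separator wins.
_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' and '!' comments, blank lines
    skipped. Backslash line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _is_int(value):
    return re.fullmatch(r"[+-]?\d+", value) is not None


def validate(props):
    """Return a list of problems; an empty list means every value is acceptable."""
    problems = []
    for key, value in props.items():
        if key in BOOLEAN_KEYS:
            if value.lower() not in ("true", "false"):
                problems.append(f"{key}: expected true or false, got {value!r}")
        elif key in POSITIVE_INT_KEYS:
            if not _is_int(value) or int(value) < 1:
                problems.append(f"{key}: expected a positive integer, got {value!r}")
        elif key in NON_NEGATIVE_INT_KEYS:
            if not _is_int(value) or int(value) < 0:
                problems.append(f"{key}: expected a non-negative integer, got {value!r}")
        elif key == "LdapPageSize":
            # Positive page size for servers with RFC 2696 paging, or -1 to disable it.
            if not _is_int(value) or (int(value) < 1 and int(value) != -1):
                problems.append(f"{key}: expected a positive integer or -1, got {value!r}")
        else:
            problems.append(f"{key}: not a documented de.properties key")
    return problems


def effective_settings(props):
    """Documented defaults overlaid with the values actually set in the file."""
    merged = dict(DEFAULTS)
    merged.update(props)
    return merged


# Constructed sample with two mistakes the validator should report.
SAMPLE = """\
# Directory Engine properties (constructed sample, not a shipped file)
monitor.enable = yes
LdapRetryAttempts=3
LdapPageSize: 0
IgnoreCaseOnLogin true
"""

if __name__ == "__main__":
    parsed = parse_properties(SAMPLE)
    for problem in validate(parsed):
        print("PROBLEM:", problem)
    print(effective_settings(parsed))
```

Run it against the real file with parse_properties(open(path).read()); an empty list from validate means every documented value is of the expected kind, and effective_settings shows what the engine will actually use once defaults are applied.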


Chapter 3 Defining Logging Information

TIBCO ActiveMatrix Administrator provides you with different types and levels
of logging information depending on your requirements.

Loggers
Loggers define which component(s) of BPM are being logged and at which level.
By default you are provided with the following three loggers:

com.tibco.bx     Logging of BPM applications
com.tibco.pvm    Logging of Process Engine components
com.tibco.n2     Logging of BPM Work Manager components

The Logger Name you choose restricts the logs you receive to cover particular
components.
You can edit the level of logging information you require in TIBCO ActiveMatrix
Administrator.
You can also add new Logger Names. See the Administrator interface
documentation for your BPM runtime environment for more information.

Appenders
Appenders define where the logging you generate goes. For BPM there are two
pre-defined Appenders: one for BPM components (the Work Manager Appender)
and one for process-related logging (the Process Engine Appender).
Both the com.tibco.bx and com.tibco.pvm Loggers send their output to the
Process Engine Appender (the log file is called ProcessEngine.log).
The com.tibco.n2 Logger sends its output to the Work Manager Appender (the
log file is called WorkForceManagement.log). Both log files are found in
<installation home directory>\config\tibcohost\TibcoHostInstance\nodes\BPMNode\logs.
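A model of the routing this section describes, as an added example using Python's standard logging module; it is not TIBCO's configuration, which is edited in ActiveMatrix Administrator. The three logger names and the two log file names are from the text; in-memory buffers stand in for the files, and the sample messages, the child logger names and the level override are constructed. It shows two things the section states: a logger name covers every component beneath it (a message from com.tibco.bx.myapp reaches the Process Engine appender), and the level set on a logger decides what its appender receives.

```python
"""Model of Chapter 3's logger/appender routing in Python's logging module.
Added example, not TIBCO configuration. Logger names and log file names are
from the text; StringIO buffers stand in for the files; messages are constructed."""
import io
import logging

# Appender name -> log file it writes (as named in the text).
APPENDER_FILES = {
    "Process Engine Appender": "ProcessEngine.log",
    "Work Manager Appender": "WorkForceManagement.log",
}
# Default logger -> appender wiring described in the text.
LOGGER_TO_APPENDER = {
    "com.tibco.bx": "Process Engine Appender",
    "com.tibco.pvm": "Process Engine Appender",
    "com.tibco.n2": "Work Manager Appender",
}


def build_logging(levels=None):
    """Create one in-memory appender per log file and attach the three loggers.
    `levels` maps a logger name to a level name, e.g. {"com.tibco.n2": "WARNING"};
    loggers not listed log at DEBUG. Returns the appender buffers."""
    levels = levels or {}
    buffers = {name: io.StringIO() for name in APPENDER_FILES}
    handlers = {}
    for name, buf in buffers.items():
        handler = logging.StreamHandler(buf)
        handler.setFormatter(logging.Formatter("%(levelname)s %(name)s - %(message)s"))
        handlers[name] = handler
    for logger_name, appender in LOGGER_TO_APPENDER.items():
        logger = logging.getLogger(logger_name)
        logger.handlers.clear()     # safe to call build_logging more than once
        logger.propagate = False    # routing stops at the configured logger
        logger.setLevel(levels.get(logger_name, "DEBUG"))
        logger.addHandler(handlers[appender])
    return buffers


def emit_samples():
    """Log from configured loggers and from descendants; a descendant such as
    com.tibco.bx.myapp inherits the level and appender of com.tibco.bx.
    All logger suffixes and messages below are constructed."""
    logging.getLogger("com.tibco.bx.myapp").info("process instance started")
    logging.getLogger("com.tibco.pvm").debug("token moved to next activity")
    logging.getLogger("com.tibco.n2.workitems").info("work item offered")
    logging.getLogger("com.tibco.n2.directory").warning("LDAP reconnect, attempt 1 of 5")


def captured(buffers):
    """Lines that reached each log file, keyed by file name."""
    return {APPENDER_FILES[name]: buf.getvalue().splitlines()
            for name, buf in buffers.items()}


if __name__ == "__main__":
    buffers = build_logging({"com.tibco.n2": "WARNING"})
    emit_samples()
    for filename, lines in captured(buffers).items():
        print(filename, lines)
```

With the override in the usage above, WorkForceManagement.log receives only the WARNING line from com.tibco.n2.directory, while ProcessEngine.log still receives both process-side lines; raising a logger's level in Administrator has the same effect on the real files.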


Editing Logging Levels

See the Administrator interface documentation for your BPM runtime
environment for more information about editing logging levels.


Defining Where your Logging Output is Stored

To change the appender that your logging output is sent to:
1. Log in to TIBCO ActiveMatrix Administrator.
2. Select Applications.
3. Select amx-bpm-app.
4. Select Configuration and then Logging Configurations. You will see that
   three loggers are supplied by default.
5. Select com.tibco.n2.
6. Click on the Appender column to see a drop-down of the available appenders.
   The default appender for com.tibco.n2 is the Work Manager appender.
7. Select the appender you require and click Save.


Chapter 4 SSL

This chapter describes how you can configure your environment to use your own
security certificate.

With the "out-of-the-box" configuration, which uses a certificate that has not been
signed by a Certificate Authority (CA), you are presented with a dialog
warning you of the "untrusted" certificate when you first log in to the Workspace
or Openspace browser. In order to continue, you must tell the browser to accept
the certificate. The instructions vary according to browser type.
Ideally, you will install or provision your own CA-signed certificate, and the
browser will not present any warning dialog.

Topics

• Creating a Server-Side Key Store, page 22
• Creating a Client-Side Key Store, page 23
• Creating a KeyStore Provider for the Server-as-Client Trust Store, page 25
• Creating an Instance of the Server-as-Client KeyStore Provider, page 27
• Creating a KeyStore Provider for the Server Key Store, page 29
• Creating an Instance of the Server's KeyStore Provider, page 31
• Amending the SSL Server Provider, page 33
• Amending the SSL Client Provider, page 35
• Amending the Identity Provider, page 37
• Re-Installing Affected Resource Instances, page 38

TIBCO N2 User’s Guide



Creating a Server-Side Key Store

The following command-line example uses the Java utility keytool to create (or
update) a key store named "server-side.jks", adding a self-signed certificate with
the alias "bpm-swindon-server". The password to access the key store is
"password". The password to access the alias within that key store is "server123".
The dname (Distinguished Name) identifies the owner of the certificate and, as
this is a self-signed certificate, also the issuer. The Common Name (CN) value of
this name is also used by browsers to verify the host to which the browser is
connecting. That is, the browser raises a warning if the name of the host from
which the certificate was received does not match this CN value.

The following command can be used to list the content of the key store (output
may vary).


Creating a Client-Side Key Store

The client-side key store is used to hold the certificates (that is, the public keys)
that the client trusts. The following commands create a key store holding the
public key of the certificate created above.

Having exported the certificate, you can import it into the client-side key store.
The following command creates, or updates, the key store named "client-side.jsk",
adding the trusted certificate given in the file named "server.cert" under the alias
"bpm-swindon-server". The password used to access the key store is
"password". No password is needed for the certificate.

The following command can be used to confirm the addition of the certificate to
the client's key store (output may vary).
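The keytool steps that the "Creating a Server-Side Key Store" and "Creating a Client-Side Key Store" sections describe (generate the self-signed server entry, list the store, export the certificate, import it into the client trust store, list again), assembled as an added example; the manual's own command text is not reproduced on this page, so this is not it. The key store names, the alias and both passwords are the values the text gives; the dname (with an assumed host name), key algorithm, key size, validity period and the directory are assumptions, as is building the commands in Python rather than typing them into a shell.

```python
"""Assemble, and where keytool is available run, the key store commands described
in the Server-Side and Client-Side Key Store sections. Added example, not the
manual's own commands. Alias, file names and passwords come from the text;
dname, key algorithm, key size and validity are assumptions."""
import os
import shutil
import subprocess

KEYTOOL = shutil.which("keytool") or "keytool"

SERVER_STORE = "server-side.jks"
CLIENT_STORE = "client-side.jsk"   # spelled as in the text
ALIAS = "bpm-swindon-server"
STORE_PASS = "password"            # protects the key store file
KEY_PASS = "server123"             # protects the private key entry only
CERT_FILE = "server.cert"


def server_keystore_cmd(ssl_dir, hostname):
    """Create server-side.jks with a self-signed certificate. The CN must be the
    host name browsers connect to, or they warn about a name mismatch."""
    return [
        KEYTOOL, "-genkeypair",
        "-keystore", os.path.join(ssl_dir, SERVER_STORE), "-storetype", "JKS",
        "-alias", ALIAS,
        "-storepass", STORE_PASS,
        "-keypass", KEY_PASS,
        # Assumed key parameters; the text does not give them.
        "-keyalg", "RSA", "-keysize", "2048", "-validity", "365",
        # Assumed dname; only the CN has to match the host name.
        "-dname", f"CN={hostname}, OU=BPM, O=Example Ltd, C=GB",
    ]


def list_keystore_cmd(ssl_dir, store):
    """List the entries of a key store (the 'output may vary' check)."""
    return [KEYTOOL, "-list", "-v",
            "-keystore", os.path.join(ssl_dir, store), "-storepass", STORE_PASS]


def export_cert_cmd(ssl_dir):
    """Export the certificate only; the private key never leaves the key store."""
    return [KEYTOOL, "-exportcert", "-rfc",
            "-keystore", os.path.join(ssl_dir, SERVER_STORE), "-storepass", STORE_PASS,
            "-alias", ALIAS,
            "-file", os.path.join(ssl_dir, CERT_FILE)]


def import_trusted_cert_cmd(ssl_dir):
    """Add server.cert to the client trust store. A trusted-certificate entry has
    no private key, so no -keypass is given."""
    return [KEYTOOL, "-importcert", "-noprompt",
            "-keystore", os.path.join(ssl_dir, CLIENT_STORE), "-storetype", "JKS",
            "-storepass", STORE_PASS,
            "-alias", ALIAS,
            "-file", os.path.join(ssl_dir, CERT_FILE)]


def provisioning_plan(ssl_dir, hostname):
    """The commands in the order the text describes them."""
    return [
        server_keystore_cmd(ssl_dir, hostname),
        list_keystore_cmd(ssl_dir, SERVER_STORE),
        export_cert_cmd(ssl_dir),
        import_trusted_cert_cmd(ssl_dir),
        list_keystore_cmd(ssl_dir, CLIENT_STORE),
    ]


def arg_after(cmd, flag):
    """The value that follows a flag in an argv list."""
    return cmd[cmd.index(flag) + 1]


def run_plan(ssl_dir, hostname):
    """Run every step with keytool; a failing step raises CalledProcessError."""
    os.makedirs(ssl_dir, exist_ok=True)
    for cmd in provisioning_plan(ssl_dir, hostname):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    if shutil.which("keytool"):
        run_plan("ssl-example", "bpm-swindon.example.com")
    else:
        # No JDK on this machine: show the argv of each step instead.
        for step in provisioning_plan("ssl-example", "bpm-swindon.example.com"):
            print(" ".join(step))
```

Two points worth checking when you run this for real: the store password and the key password are deliberately different values (the "Alias Password" fields later in this chapter take the key password, server123, not the store password), and the import step carries no key password because a trusted-certificate entry has none. Passwords given as -storepass and -keypass arguments are visible in process listings and shell history; omitting those flags makes keytool prompt for them instead.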


Creating a KeyStore Provider for the Server-as-Client Trust Store

Clients hold the certificates they trust in a KeyStore. In the case of an SSL-enabled
HttpClient, the client is the server itself, as it communicates with another server.
The following steps create a KeyStore Provider that manages the KeyStore
holding those certificates that the client will trust.
Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, opened in the lower panel, click New. This
opens a dialog to allow the creation of a new Resource Template.


Enter a name for the new client KeyStore Provider (this example will use
KeyStoreClient), and select KeyStore Provider in the Type drop-down.

The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to access the entries within that Key Store.
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the
earlier sections.
• URL = C:\SSL\client-side.jsk
• Password = password
• Type = JKS

Save these settings.


Creating an Instance of the Server-as-Client KeyStore Provider

Having created a template for the KeyStore Provider, we must now create an
instance. Select the menu option Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Click New in the list of instances, and a New Resource Instance dialog will
appear. In this dialog select Keystore Provider from the View drop-down, and
select the KeyStoreServer entry in the Type list provided.

Now assign the instance to the BPMNode by selecting that node in the Available
Nodes and clicking the ">" button.
Click Save and Close.


Creating a KeyStore Provider for the Server Key Store

The server holds its CA-authorised certificates in its own Key Store. These are
certificates that have been authorised by a well-known authority (for example
VeriSign), and hold the Private Key with which the server will sign any
communication with its clients.
Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, opened in the lower panel, click New. This
opens a dialog to allow the creation of a new Resource Template.


Enter a name for the new server KeyStore Provider (this example will use
KeyStoreServer), and select KeyStore Provider in the Type drop-down.

The dialog will then show the available properties for the KeyStore Provider:
• URL - The physical location of the Key Store file.
• Password - The password used to access the entries within that Key Store.
• Type - The type of Key Store to be used.
For this example we will use the values suitable to the Key Stores created in the
earlier sections.
• URL = C:\SSL\server-side.jsk
• Password = password
• Type = JKS

Save these settings.


Creating an Instance of the Server's KeyStore Provider

Having created a template for the KeyStore Provider, we must now create an
instance. Select the menu option Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Click New in the list of instances, and a New Resource Instance dialog will
appear. In this dialog select Keystore Provider from the View drop-down, and
select the KeyStoreServer entry in the Type list provided.

Now assign the instance to the BPMNode by selecting that node in the Available
Nodes and clicking the ">" button.
Click Save and Close.


Amending the SSL Server Provider

The SSL Server Provider provides SSL connectivity to the Http Connector. It holds
a reference to the KeyStore Provider in order to access the Private Keys used to
enable SSL.
Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, select SSL Server Provider from the View
drop-down, and click the entry named SslServerRT.


This will present two tabs in the lower panel: General Configuration and
Advanced Configuration.

The only properties to be modified are in the General Configuration tab:
• Keystore Provider Having Identity - The KeyStore Provider managing the
  server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to
  select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private
  Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Alias Password - This is the password required to access the Private Key.
  This is not the same as the password used to access the Key Store itself,
  although the two values may be the same (e.g. server123).
• Keystore Provider as Trust Store - The KeyStore Provider managing the
  server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker"
  icon to select the instance created in the earlier section.
Save these changes.


Amending the SSL Client Provider

The SSL Client Provider provides SSL connectivity to the Http Client, in much the
same way as the SSL Server Provider does for the Http Connector. It holds a
reference to the KeyStore Provider in order to access the Public and Private Keys
used to enable mutual SSL communication between a client and a server.
Select the menu option Shared Objects > Resource Templates.

In the Resource Templates panel, select SSL Client Provider from the View
drop-down, and click the entry named SslClientRT.

This will present two tabs in the lower panel; General Configuration and
Advanced Configuration.

The only properties to be modified are in the General Configuration tab:


• Keystore Provider as Trust - The KeyStore Provider managing the
  server-as-client's trusted certificates (e.g. KeyStoreClient). Use the "picker"
  icon to select the instance created in the earlier section.
• Keystore Provider having Identity - The KeyStore Provider managing the
  server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to
  select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private
  Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Key Alias Password - This is the password required to access the Private Key.
  This is not the same as the password used to access the Key Store itself,
  although the two values may be the same (e.g. server123).

Save these changes.


Amending the Identity Provider

In the Resource Templates panel, select Identity Provider from the View
drop-down, and click the entry named LdapAspRT_IdentityRT.

The only properties to be modified are in the General Configuration tab:
• Keystore Provider having Identity - The KeyStore Provider managing the
  server's authorised certificates (e.g. KeyStoreServer). Use the "picker" icon to
  select the instance created in the earlier section.
• Key Alias to Access Identity - This is the alias (or name) by which the Private
  Key is referenced within the Key Store (e.g. bpm-swindon-server).
• Key Alias Password - This is the password required to access the Private Key.
  Note: This is not the same as the password used to access the Key Store itself,
  although the two values may be the same (e.g. server123).


Re-Installing Affected Resource Instances

Having amended the Resource Templates, changing all the references to the Key
Stores and the Keys held within them, the Shared Resource Instances must be
restarted.
The Shared Resource Instances can be accessed via the menu option
Infrastructure > Hosts.

The Hosts panel will list the available hosts.

Select AMXAdminHost and the lower panel will show the details of that host.


In this panel, select the tab Resource Instances. Within that tab select the All
Instances entry of the left-hand panel. The right-hand panel will be populated
with the list of the Shared Resource Instances deployed to the AMXAdminHost.

Search this list for the following named Resource Instances, and uninstall them (in
the order listed) by selecting them and clicking Uninstall. You may need to click
Refresh, to the right of the panel, in order to verify that each instance has been
uninstalled successfully.

The instances may show as "Out Of Sync", because their templates have been
modified.

1. httpConnector
2. OSHttpClientSharedResource
3. LdapAspRT_Identity
4. sslServerRI
5. SslClientRT
6. KeyStoreClient
7. KeyStoreServer
Once each instance has been uninstalled, they must be re-installed. Do this by
selecting the same entries, in the reverse order, and clicking Install.

To help locate the Resource Instances, you can use the View drop-down box to
filter the list by type.


Index

C
customer support 8

L
LDAP Authenticator Resource Template 12
LDAP Shared Resource Instance 11
LDAP Shared Resource Template 11
Logging 17

P
Properties Files 13

S
support, contacting 8

T
technical support 8
