Configuring multiple deployment environments
You can isolate multiple deployment environments within a single cell in your IBM® Business Process Manager configuration.
See Considerations for multiple deployment environments in the same cell for things to consider prior to making changes to your deployment environment.
You must create unique HTTP endpoints for each deployment environment. Optionally, you can specify different security settings for each deployment environment by creating multiple security domains and attaching one security domain to each deployment environment.
Only users that are assigned to the administrator role can configure multiple security domains. For more information on multiple security domains, see Multiple security domains in the WebSphere® Application Server information center.
To isolate administrative access, you can specify administrative authorization groups to grant administrative access only to the resources of a single deployment environment. Administrative authorization groups are described in the WebSphere Application Server information center at Fine-grained administrative security.
The following tabbed sections provide instructions for three different configuration scenarios that isolate multiple deployment environments within a single cell. Notice that each of these sections includes instructions for configuring dedicated virtual host aliases, which is a mandatory task. Choose the tab that best describes your intended configuration scenario.
- Isolating deployment environments
- Configuring security domains
- Configuring security domains and third-party authentication
Isolating deployment environments
1. Create the deployment environments. See Create a Deployment Environment.
2. Select one of the following methods to create unique HTTP endpoints:
   - Use a dedicated virtual host for each deployment environment. See Step 3.
   - Use dedicated context root prefixes for each deployment environment. See Step 4.
   - Use dedicated web servers for each deployment environment. See "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.0" or "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.1".
3. If you have multiple deployment environments in a single cell and want them to share the same web server, create a dedicated virtual host for each deployment environment. For each deployment environment (dep_env_name) in the cell, complete the following actions. For more information, see Virtual hosts in the WebSphere Application Server information center.
   - Decide on the virtual host name, virtual_host_name.
   - Create a dedicated virtual host. In the administrative console, open the virtual hosts page and click New.
   - Specify a name for the new virtual host. For example, vh_de1.
   - If you are using an external HTTP server, you must add the HTTP server's virtual host alias. Open the host aliases page of the new virtual host (for example, vh_de1) and click New. Then enter the host name of your HTTP server and associate it with the HTTP or HTTPS port.
   - If you want to access the web container of the cluster members directly, add the host name of each cluster member as a host alias. Open the host aliases page of the virtual host and click New. Enter the host name of the cluster member and associate it with the WC_defaulthost_secure port.
     Here is an example of the host aliases that must be added for a single-cluster deployment environment that contains two members:
     Deployment environment name: de1
     Cluster name: de1.AppTarget
     Cluster member 1: de1.AppTarget.Member1
     Cluster member 2: de1.AppTarget.Member2
     Virtual host name: vh_de1
     Virtual host aliases in vh_de1:
     - To access IBM Business Process Manager over HTTPS, add the cluster member host names and WC_defaulthost_secure ports as host aliases:
       - Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost_secure port, for example 9443.
       - Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost_secure port, for example 9443.
     - To access IBM Business Process Manager over HTTP, add the cluster member host names and WC_defaulthost ports as host aliases:
       - Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost port, for example 9080.
       - Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost port, for example 9080.
     - If you use an external HTTP server, add the HTTP server's virtual host alias. This is mandatory whenever an external HTTP server is used:
       - Virtual host that corresponds to your HTTP server, for example ihs.virtual.host.for.de1.ibm.com on port 80.
       - Virtual host that corresponds to your HTTP server, for example ihs.virtual.host.for.de1.ibm.com on port 443.
   - Map the virtual host name, virtual_host_name, to the deployment environment, dep_env_name, by running the updateVirtualHost command on the deployment manager profile, DmgrProfile:
     Linux and UNIX:
         install_root/profiles/DmgrProfile/bin/updateVirtualHost.sh -d dep_env_name -v virtual_host_name -username username -password password
     Windows:
         install_root\profiles\DmgrProfile\bin\updateVirtualHost -d dep_env_name -v virtual_host_name -username username -password password
     Where DmgrProfile is your deployment manager profile name, username is your user name, and password is the password.
     Tip: For more information about the updateVirtualHost command, see Configuring a virtual host. For information on the BPMVirtualHostInfo object, see Configuring IBM BPM endpoints to match your topology.
   - If you are using an external HTTP server, regenerate and propagate the HTTP server plug-in:
     - In the administrative console, open the web servers page.
     - Select the name of your HTTP server, then click Generate Plug-in.
     - Select the name of your HTTP server, then click Propagate Plug-in. Tip: The administration service must be running on your HTTP server.
4. Configure dedicated context root prefixes for each deployment environment by running the BPMConfig command. For more information about the BPMConfig command, see BPMConfig command-line utility.
5. Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring IBM BPM endpoints to match your topology.
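As an added worked example for the host alias layout in step 3 (it is not IBM's code or part of this page): it builds the alias plan for de1 as shown above, checks that no host:port alias is shared between the virtual hosts of two deployment environments, and renders the plan as wsadmin statements. The member host names, the second environment de2, the CELL_ID placeholder and the list-of-lists attribute form passed to AdminConfig.create are assumptions.

```python
# Added example (not IBM code): plan the per-deployment-environment virtual
# host aliases described on this page and check that no alias is shared.
# Member host names, the de2 environment and CELL_ID are constructed values.
from collections import defaultdict


def plan_aliases(dep_envs):
    """Return {virtual_host_name: [(host, port), ...]} for each DE.
    dep_envs: list of dicts with keys
      name        - deployment environment name, e.g. "de1"
      members     - list of (host_name, WC_defaulthost, WC_defaulthost_secure)
      http_server - optional external HTTP server host name
    """
    plan = {}
    for de in dep_envs:
        aliases = []
        for host, wc_port, wc_secure_port in de["members"]:
            aliases.append((host, wc_secure_port))  # HTTPS access to the member
            aliases.append((host, wc_port))         # HTTP access to the member
        if de.get("http_server"):  # mandatory when an external HTTP server is used
            aliases.append((de["http_server"], 80))
            aliases.append((de["http_server"], 443))
        plan["vh_" + de["name"]] = aliases
    return plan


def find_shared_aliases(plan):
    """Return {(host, port): [virtual hosts]} for aliases owned by more than one.
    A host:port pair present in two virtual hosts defeats the isolation the page
    requires: a request for it can no longer be attributed to exactly one DE.
    """
    owners = defaultdict(set)
    for vh, aliases in plan.items():
        for alias in aliases:
            owners[alias].add(vh)
    return {alias: sorted(vhs) for alias, vhs in owners.items() if len(vhs) > 1}


def wsadmin_lines(plan, cell_id="CELL_ID"):
    """Render the plan as wsadmin Jython statements (assumed AdminConfig form)."""
    lines = []
    for vh, aliases in sorted(plan.items()):
        lines.append("vh = AdminConfig.create('VirtualHost', %s, [['name', '%s']])"
                     % (cell_id, vh))
        for host, port in aliases:
            lines.append("AdminConfig.create('HostAlias', vh, "
                         "[['hostname', '%s'], ['port', '%d']])" % (host, port))
    lines.append("AdminConfig.save()")
    return lines


# Constructed sample: de1 as on the page, plus a de2 on the same nodes that
# mistakenly reuses de1's external HTTP server virtual host.
SAMPLE_DEP_ENVS = [
    {"name": "de1",
     "members": [("de1-node1.example.com", 9080, 9443),
                 ("de1-node2.example.com", 9080, 9443)],
     "http_server": "ihs.virtual.host.for.de1.ibm.com"},
    {"name": "de2",
     "members": [("de1-node1.example.com", 9081, 9444),
                 ("de1-node2.example.com", 9081, 9444)],
     "http_server": "ihs.virtual.host.for.de1.ibm.com"},
]

if __name__ == "__main__":
    plan = plan_aliases(SAMPLE_DEP_ENVS)
    print("\n".join(wsadmin_lines(plan)))
    for (host, port), vhs in find_shared_aliases(plan).items():
        print("SHARED ALIAS %s:%d in %s" % (host, port, ", ".join(vhs)))
```

Run against the sample it reports the two shared external-server aliases on ports 80 and 443; the distinct WC ports of the de2 members produce no conflict.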
Configuring security domains
Complete steps 1 through 4 of Isolating deployment environments (create the deployment environments, create unique HTTP endpoints, and configure dedicated context root prefixes). The remote artifact loader endpoint is configured as the last step of this scenario. Then continue as follows.
5. Create and configure a dedicated security domain for each deployment environment and map each cluster and service integration bus to the dedicated security domain. See Configuring multiple security domains.
   - Every cluster and service integration bus in the deployment environment must be mapped to the same security domain.
   - If you use a dedicated user registry for each security domain, the user realm name for the security domain must be unique.
   - Users that are configured for the deployment environment must exist in the user registry.
6. To have a user from the security domain of the deployment environment in the bus connector role, replace the user in the bus connector role with the users from the realm of the security domain. For each user:
   - Open the bus connector role page of the service integration bus.
   - Select the user from the global realm, for example de1Admin, and click Delete.
   - Click New.
   - Select Users and click Next.
   - Select the user from the security domain realm.
   - Complete the wizard.
   Note: The next steps are only required if you want to have dedicated administrators for each deployment environment.
7. Open the custom properties of global security and set the com.ibm.websphere.security.useAppContextForServletInit custom property:
       com.ibm.websphere.security.useAppContextForServletInit = true
8. Configure trusted authentication realms:
   - Open the trusted authentication realms page.
   - Select the realm name that is associated with the security domain and click Trusted.
9. For each deployment environment, create dedicated WebSphere Application Server users that are used to perform WebSphere Application Server administrative functions from either the administrative console or the wsadmin system management scripting interface. These users must be created in the global user registry, because only cell-scope users are allowed to run wsadmin. If you are using the file registry:
   - Open the users page.
   - Create four additional users for each deployment environment. For example:
     - de1WASAdministrator
     - de1WASDeployer
     - de1WASMonitor
     - de1WASOperator
10. Create a dedicated Administrative Authorization Group (AAG) for each deployment environment:
   - Open the administrative authorization groups page, create a new group, and enter a name for the AAG.
   - Click the new AAG.
   - Expand Clusters and select all clusters that belong to the deployment environment.
   - Expand Business-level applications and select all business-level applications that belong to the deployment environment.
   - Expand Applications and select all applications that belong to the deployment environment. Note: Do not map any nodes or node groups.
   - Save and synchronize your changes.
   - Click Administrative user roles and click Add.
   - Assign administrative roles to users:
     - de1WASAdministrator - Administrator
     - de1WASDeployer - Deployer
     - de1WASMonitor - Monitor
     - de1WASOperator - Operator
   - Add the de1Admin@depenv1_realm deployment environment administrator with the following privileges:
     - Operator
     - Deployer
     - Configurator
     - Monitor
     - Administrator
     - Admin Security Manager
     Note: The security domain realm must be selected when adding the de1Admin@depenv1_realm user.
11. You can have different user registries in an environment with multiple security domains. To perform certain Process Admin LifeCycle (PAL) administrative functions, you must have a user in the security domain of the deployment environment. However, to connect to the wsadmin scripting interface or to call MBeans, the user must be in the user registry of the global security domain. The BPMAdminJobUser role maps to an authentication alias for a user that requires the authority to perform actions on the PAL Admin task. If specified, the system executes PAL actions from the MBean of type PALService as this user. Create a J2C authentication alias for the BPMAdminJobUser role:
   - Open the J2C authentication data page.
   - Click New and specify an arbitrary alias name, and the deployment environment administrator user ID and password. Note: You must use the password that was specified for the deployment environment administrator during the deployment environment creation.
   - Map the J2C authentication alias to the BPMAdminJobUser role:
     - Open the role mapping page for the BPMAdminJobUser role.
     - Select the new J2C authentication alias and map it to the BPMAdminJobUser role.
12. Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring IBM BPM endpoints to match your topology.
Configuring security domains and third-party authentication
Complete all of the steps of Configuring security domains, then continue as follows.
- Configure the third-party trust association interceptors (TAI) for each dedicated security domain. See Configuring third-party authentication products.
- Configure InvokeTAIbeforeSSO for each dedicated security domain.