Configuring multiple deployment environments

You can isolate multiple deployment environments within a single cell in your IBM® Business Process Manager configuration.

See Considerations for multiple deployment environments in the same cell for things to consider prior to making changes to your deployment environment.

You must create unique HTTP endpoints for each deployment environment. Optionally, you can specify different security settings for each deployment environment by creating multiple security domains and attaching one security domain to each deployment environment.

Only users that are assigned to the administrator role can configure multiple security domains. For more information on multiple security domains, see Multiple security domains in the WebSphere® Application Server information center.

To isolate administrative access, you can specify administrative authorization groups to grant administrative access only to the resources of a single deployment environment. Administrative authorization groups are described in the WebSphere Application Server information center at Fine-grained administrative security.

The following tabbed sections provide instructions for three different configuration scenarios that isolate multiple deployment environments within a single cell. Notice that each of these sections includes instructions for configuring dedicated virtual host aliases, which is a mandatory task. Choose the tab that best describes your intended configuration scenario.


Isolating deployment environments

To isolate multiple deployment environments within a single cell, you must configure dedicated virtual host aliases. Complete the following steps:
  1. Create the deployment environments. See Create a Deployment Environment.
  2. Select one of the following methods to create unique HTTP endpoints:
    • Use a dedicated virtual host for each deployment environment. See Step 3.
    • Use dedicated context root prefixes for each deployment environment. See Step 4.
    • Use dedicated web servers for each deployment environment. See "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.0" or "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.1".
  3. If you have multiple deployment environments in a single cell, and if you want to use the same web server, create a dedicated virtual host for each deployment environment. For each deployment environment (dep_env_name) in the cell, complete the following actions. For more information, see Virtual hosts in the WebSphere Application Server information center.
    1. Decide on the virtual host name, virtual_host_name.
    2. Create a dedicated virtual host. Using the administrative console, navigate to Environment > Virtual hosts and click New.
    3. Specify a name for the new virtual host. For example, vh_de1.
    4. If you are using an external HTTP server, you must add the HTTP server's virtual host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. For example, navigate to vh_de1 and click New. Then enter the host name of your HTTP server and associate it with the HTTP or HTTPS port.
    5. If you want to access the web container of the cluster members, add the host name of each cluster member as a host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. Enter the host name of the cluster member and associate it with the WC_defaulthost_secure port.

      Here is an example of the host aliases that must be added for a single cluster deployment environment that contains two members:

      Deployment environment name: de1

      Cluster name: de1.AppTarget

      Cluster member 1: de1.AppTarget.Member1

      Cluster member 2: de1.AppTarget.Member2

      Virtual host name: vh_de1

      Virtual host aliases in vh_de1:
      • To access IBM Business Process Manager over HTTPS, add the cluster member host names and WC_defaulthost_secure ports to the host alias:
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost_secure port. For example 9443.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost_secure port. For example 9443.
      • To access IBM Business Process Manager over HTTP, add the WC_defaulthost ports.
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost port. For example 9080.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost port. For example 9080.
      • If you use an external HTTP server, you must add the HTTP server's virtual host alias:
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 80.
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 443.
    6. Map the virtual host name, virtual_host_name, to the deployment environment, dep_env_name, by running the updateVirtualHost command on the deployment manager, DmgrProfile.
      For Linux and UNIX operating systems:
      install_root/profiles/DmgrProfile/bin/updateVirtualHost.sh -d dep_env_name -v virtual_host_name -username username -password password
      For Windows operating systems:
      install_root\profiles\DmgrProfile\bin\updateVirtualHost -d dep_env_name -v virtual_host_name -username username -password password
      Where DmgrProfile is your deployment manager profile name, username is your user name, and password is the password.
      Tip: For more information about the updateVirtualHost command, see Configuring a virtual host. For information on the BPMVirtualHostInfo object, see Configuring IBM BPM endpoints to match your topology.
    7. If you are using an external HTTP server, regenerate and propagate the HTTP server plug-in.
      1. In the administrative console, navigate to Servers > Server Types > Web Servers.
      2. Select the name of your HTTP server, then click Generate Plug-in.
      3. Select the name of your HTTP server, then click Propagate Plug-in.
        Tip: The administration service must be running on your HTTP server.
  4. Configure dedicated context root prefixes for each deployment environment by running the BPMConfig command. For more information about the BPMConfig command, see BPMConfig command-line utility.
  5. Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring IBM BPM endpoints to match your topology.
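The following Python script is an added example, not taken from the IBM documentation, that checks a planned set of virtual hosts against the rules of step 3 above: one dedicated virtual host per deployment environment, an alias for every cluster member on its WC_defaulthost and WC_defaulthost_secure ports, the external HTTP server on ports 80 and 443, and no host:port alias listed in two virtual hosts (a shared alias cannot be attributed to one environment, so it defeats the isolation). Host names and ports are constructed sample values.

```python
from collections import defaultdict

# Constructed input modelled on the de1 example above: one dedicated virtual host
# per deployment environment, cluster members with their WC_defaulthost and
# WC_defaulthost_secure ports, and the external HTTP server in front of each.
DEPLOYMENT_ENVS = {
    "de1": {
        "virtual_host": "vh_de1",
        "members": {  # member name -> (host name, WC_defaulthost, WC_defaulthost_secure)
            "de1.AppTarget.Member1": ("bpmnode1.example.com", 9080, 9443),
            "de1.AppTarget.Member2": ("bpmnode2.example.com", 9080, 9443),
        },
        "http_server": "ihs.virtual.host.for.de1.example.com",
    },
    "de2": {  # second environment on the same two nodes, so it needs its own ports
        "virtual_host": "vh_de2",
        "members": {
            "de2.AppTarget.Member1": ("bpmnode1.example.com", 9081, 9444),
            "de2.AppTarget.Member2": ("bpmnode2.example.com", 9081, 9444),
        },
        "http_server": "ihs.virtual.host.for.de2.example.com",
    },
}

# Constructed: the host aliases as actually entered under Environment > Virtual hosts.
# vh_de2 contains two deliberate mistakes for the checker to find.
VIRTUAL_HOSTS = {
    "vh_de1": {("bpmnode1.example.com", 9443), ("bpmnode2.example.com", 9443),
               ("bpmnode1.example.com", 9080), ("bpmnode2.example.com", 9080),
               ("ihs.virtual.host.for.de1.example.com", 80),
               ("ihs.virtual.host.for.de1.example.com", 443)},
    "vh_de2": {("bpmnode1.example.com", 9444), ("bpmnode2.example.com", 9444),
               ("bpmnode1.example.com", 9081),          # Member2 on 9081 is missing
               ("bpmnode1.example.com", 9080),          # de1's port copied by mistake
               ("ihs.virtual.host.for.de2.example.com", 80),
               ("ihs.virtual.host.for.de2.example.com", 443)},
}


def required_aliases(de):
    """Aliases the procedure above requires in an environment's dedicated virtual host."""
    wanted = set()
    for host, http_port, https_port in de["members"].values():
        wanted.add((host, http_port))     # WC_defaulthost
        wanted.add((host, https_port))    # WC_defaulthost_secure
    if de.get("http_server"):             # mandatory when an external HTTP server is used
        wanted.add((de["http_server"], 80))
        wanted.add((de["http_server"], 443))
    return wanted


def check_plan(envs, vhosts):
    """Return a list of isolation problems; an empty list means the plan is consistent."""
    problems = []
    owner = {}
    for name, de in envs.items():
        vh = de["virtual_host"]
        if vh in owner:  # a virtual host used by two environments is not dedicated
            problems.append(f"{name}: virtual host {vh} is already used by {owner[vh]}")
        owner[vh] = name
        if vh not in vhosts:
            problems.append(f"{name}: virtual host {vh} has not been created")
            continue
        for host, port in sorted(required_aliases(de) - vhosts[vh]):
            problems.append(f"{name}: {vh} lacks alias {host}:{port}")
    # The same host:port listed in two virtual hosts cannot be tied to one
    # environment, so a request to it cannot be routed unambiguously.
    seen = defaultdict(list)
    for vh, aliases in vhosts.items():
        for alias in aliases:
            seen[alias].append(vh)
    for (host, port), owners in sorted(seen.items()):
        if len(owners) > 1:
            problems.append(f"alias {host}:{port} is in {', '.join(sorted(owners))}")
    return problems


if __name__ == "__main__":
    for line in check_plan(DEPLOYMENT_ENVS, VIRTUAL_HOSTS):
        print(line)
```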

Configuring security domains

To configure multiple deployment environments and security domains, complete the following steps:
  1. Create the deployment environments. See Create a Deployment Environment.
  2. Select one of the following methods to create unique HTTP endpoints:
    • Use a dedicated virtual host for each deployment environment. See Step 3.
    • Use dedicated context root prefixes for each deployment environment. See Step 4.
    • Use dedicated web servers for each deployment environment. See "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.0" or "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.1".
  3. If you have multiple deployment environments in a single cell, and if you want to use the same web server, create a dedicated virtual host for each deployment environment. For each deployment environment (dep_env_name) in the cell, complete the following actions. For more information, see Virtual hosts in the WebSphere Application Server information center.
    1. Decide on the virtual host name, virtual_host_name.
    2. Create a dedicated virtual host. Using the administrative console, navigate to Environment > Virtual hosts and click New.
    3. Specify a name for the new virtual host. For example, vh_de1.
    4. If you are using an external HTTP server, you must add the HTTP server's virtual host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. For example, navigate to vh_de1 and click New. Then enter the host name of your HTTP server and associate it with the HTTP or HTTPS port.
    5. If you want to access the web container of the cluster members, add the host name of each cluster member as a host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. Enter the host name of the cluster member and associate it with the WC_defaulthost_secure port.

      Here is an example of the host aliases that must be added for a single cluster deployment environment that contains two members:

      Deployment environment name: de1

      Cluster name: de1.AppTarget

      Cluster member 1: de1.AppTarget.Member1

      Cluster member 2: de1.AppTarget.Member2

      Virtual host name: vh_de1

      Virtual host aliases in vh_de1:
      • To access IBM Business Process Manager over HTTPS, add the cluster member host names and WC_defaulthost_secure ports to the host alias:
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost_secure port. For example 9443.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost_secure port. For example 9443.
      • To access IBM Business Process Manager over HTTP, add the WC_defaulthost ports.
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost port. For example 9080.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost port. For example 9080.
      • If you use an external HTTP server, you must add the HTTP server's virtual host alias:
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 80.
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 443.
    6. Map the virtual host name, virtual_host_name, to the deployment environment, dep_env_name, by running the updateVirtualHost command on the deployment manager, DmgrProfile.
      For Linux and UNIX operating systems:
      install_root/profiles/DmgrProfile/bin/updateVirtualHost.sh -d dep_env_name -v virtual_host_name -username username -password password
      For Windows operating systems:
      install_root\profiles\DmgrProfile\bin\updateVirtualHost -d dep_env_name -v virtual_host_name -username username -password password
      Where DmgrProfile is your deployment manager profile name, username is your user name, and password is the password.
      Tip: For more information about the updateVirtualHost command, see Configuring a virtual host. For information on the BPMVirtualHostInfo object, see Configuring IBM BPM endpoints to match your topology.
    7. If you are using an external HTTP server, regenerate and propagate the HTTP server plug-in.
      1. In the administrative console, navigate to Servers > Server Types > Web Servers.
      2. Select the name of your HTTP server, then click Generate Plug-in.
      3. Select the name of your HTTP server, then click Propagate Plug-in.
        Tip: The administration service must be running on your HTTP server.
  4. Configure dedicated context root prefixes for each deployment environment by running the BPMConfig command. For more information about the BPMConfig command, see BPMConfig command-line utility.
  5. Create and configure a dedicated security domain for each deployment environment and map each cluster and service integration bus to the dedicated security domain. See Configuring multiple security domains.
    • Every cluster and service integration bus in the deployment environment must be mapped to the same security domain.
    • If you use a dedicated user registry for each security domain, the user realm name for the security domain must be unique.
    • Users that are configured for the deployment environment must exist in the user registry.
  6. To have a user from the security domain of the deployment environment in the bus connector role, you must replace the user in the bus connector role with the users from the realm of the security domain. For each user:
    1. Click Service integration > Buses > BPM.yourDE.Bus > Security > Users and groups in the bus connector role.
    2. Select the user from the global realm (for example, de1Admin) and click Delete.
    3. Click New.
    4. Select Users and click Next.
    5. Select the user from the security domain realm.
  7. Click Security > Global security > Custom Properties and add the following custom property to global security:
    com.ibm.websphere.security.useAppContextForServletInit = true
    Note: The next steps are only required if you want to have dedicated administrators for each deployment environment.
  8. Configure trusted authentication realms:
    1. Click Security > Global security > Configure > Trusted authentication realms - inbound.
    2. Select the realm name that is associated with the security domain and click Trusted.
  9. For each deployment environment, create dedicated WebSphere Application Server users that are used to perform WebSphere Application Server administrative functions from either the administrative console or the wsadmin system management scripting interface. These users must be created in the global user registry because only cell-scope users are allowed to run wsadmin. If you are using the file registry:
    1. Click Users and Groups > Manage Users > Create.
    2. Create four additional users for each deployment environment. For example:
      • de1WASAdministrator
      • de1WASDeployer
      • de1WASMonitor
      • de1WASOperator
    For more information, see Role-based authorization.
  10. Create a dedicated Administrative Authorization Group (AAG) for each deployment environment:
    1. Click Security > Administrative Authorization Groups > New and enter a name for the AAG.
    2. Click the new AAG.
    3. Expand Clusters and select all clusters that belong to the deployment environment.
    4. Expand Business-level applications and select all business level applications that belong to the deployment environment.
    5. Expand Applications and select all applications that belong to the deployment environment.
      Note: Do not map any nodes or node groups.
    6. Save and synchronize your changes.
    7. Click Administrative user roles and press Add.
    8. Assign administrative roles to users:
      • de1WASAdministrator - Administrator
      • de1WASDeployer - Deployer
      • de1WASMonitor - Monitor
      • de1WASOperator - Operator
    9. Add the de1Admin@depenv1_realm deployment environment administrator with the following privileges:
      • Operator
      • Deployer
      • Configurator
      • Monitor
      • Administrator
      • Admin Security Manager
      Note: The security domain realm must be selected when adding the de1Admin@depenv1_realm user.
    10. You can have different user registries in an environment with multiple security domains. To perform certain Process Admin LifeCycle (PAL) administrative functions, you must have a user in the security domain of the deployment environment. However, to connect to the wsadmin scripting interface or to call MBeans, the user must be in the user registry of the global security domain. The BPMAdminJobUser role maps to an authentication alias for a user that requires the authority to perform actions on the PAL Admin task. If specified, the system executes PAL actions from the MBean of type PALService as this user. Create a J2C authentication alias for the BPMAdminJobUser role:
      1. Click Security > Global security > Java Authentication and Authorization Service > J2C authentication data.
      2. Click New and specify an arbitrary alias name, and the deployment environment administrator user ID and password.
        Note: You must use the password that was specified for the deployment environment administrator during the deployment environment creation.
    11. Map the J2C authentication alias to the BPMAdminJobUser role:
      1. Click Servers > Deployment Environment > yourDE > Authentication Aliases.
      2. Select the new J2C authentication alias and map it to the BPMAdminJobUser role.
  11. Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring IBM BPM endpoints to match your topology.
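The following Python script is an added example, not part of the IBM documentation, that audits a constructed model of a cell against the rules of steps 5 and 10 above: every cluster and service integration bus of a deployment environment mapped to one dedicated security domain, unique realm names across domains, and an AAG that contains all of the environment's clusters and applications but no nodes or node groups. The model format is an assumption made for this example, and the check that an AAG holds none of another environment's resources is added as the direct consequence of the isolation goal rather than a rule quoted from the page.

```python
from collections import defaultdict

# Constructed cell model (not a WebSphere export format): the security domain each
# cluster and bus is mapped to, the realm behind each domain, and the resources in
# each administrative authorization group (AAG). Mistakes are planted for the audit.
CELL = {
    "deployment_envs": {
        "de1": {"clusters": ["de1.AppTarget", "de1.Support", "de1.Messaging"],
                "buses": ["BPM.de1.Bus"], "apps": ["de1_app"]},
        "de2": {"clusters": ["de2.AppTarget", "de2.Support", "de2.Messaging"],
                "buses": ["BPM.de2.Bus"], "apps": ["de2_app"]},
    },
    "security_domains": {  # dedicated registry per domain, so realms must be unique
        "de1_domain": "depenv1_realm",
        "de2_domain": "depenv1_realm",           # mistake: realm name reused
    },
    "domain_mappings": {  # cluster or bus -> security domain it is mapped to
        "de1.AppTarget": "de1_domain", "de1.Support": "de1_domain",
        "de1.Messaging": "de1_domain", "BPM.de1.Bus": "de1_domain",
        "de2.AppTarget": "de2_domain", "de2.Support": "de2_domain",
        "de2.Messaging": "de2_domain", "BPM.de2.Bus": "global",  # mistake: bus left global
    },
    "authorization_groups": {
        "de1_AAG": {"deployment_env": "de1", "nodes": [],
                    "clusters": ["de1.AppTarget", "de1.Support", "de1.Messaging"],
                    "apps": ["de1_app"]},
        "de2_AAG": {"deployment_env": "de2", "nodes": ["Node01"],  # mistake: node mapped
                    "clusters": ["de2.AppTarget", "de2.Support"],   # mistake: one missing
                    "apps": ["de2_app", "de1_app"]},               # mistake: de1's app
    },
}


def audit_security_domains(cell):
    """Check that each environment sits in exactly one dedicated domain with a unique realm."""
    problems = []
    mappings = cell["domain_mappings"]
    for name, de in cell["deployment_envs"].items():
        domains = {mappings.get(r, "global") for r in de["clusters"] + de["buses"]}
        if domains == {"global"}:
            problems.append(f"{name}: no dedicated security domain")
        elif len(domains) > 1:
            problems.append(f"{name}: clusters and buses span {', '.join(sorted(domains))}")
    by_realm = defaultdict(list)
    for domain, realm in cell["security_domains"].items():
        by_realm[realm].append(domain)
    for realm, domains in sorted(by_realm.items()):
        if len(domains) > 1:
            problems.append(f"realm {realm} is shared by {', '.join(sorted(domains))}")
    return problems


def audit_authorization_groups(cell):
    """Check that each AAG covers exactly its own environment's clusters and apps, no nodes."""
    problems = []
    for aag, group in cell["authorization_groups"].items():
        de = cell["deployment_envs"][group["deployment_env"]]
        if group["nodes"]:  # the procedure says not to map nodes or node groups
            problems.append(f"{aag}: nodes or node groups are mapped ({', '.join(group['nodes'])})")
        for kind in ("clusters", "apps"):
            owned, listed = set(de[kind]), set(group[kind])
            for r in sorted(owned - listed):
                problems.append(f"{aag}: {kind[:-1]} {r} of its environment is not included")
            for r in sorted(listed - owned):
                problems.append(f"{aag}: {kind[:-1]} {r} belongs to another environment")
    return problems


if __name__ == "__main__":
    for line in audit_security_domains(CELL) + audit_authorization_groups(CELL):
        print(line)
```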

Configuring security domains, and third-party authentication

To configure multiple deployment environments, security domains, and third-party authentication, complete the following steps:
  1. Create the deployment environments. See Create a Deployment Environment.
  2. Select one of the following methods to create unique HTTP endpoints:
    • Use a dedicated virtual host for each deployment environment. See Step 3.
    • Use dedicated context root prefixes for each deployment environment. See Step 4.
    • Use dedicated web servers for each deployment environment. See "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.0" or "Customizing the Process Server or Process Center cluster to work with a web server on V8.5.0.1".
  3. If you have multiple deployment environments in a single cell, and if you want to use the same web server, create a dedicated virtual host for each deployment environment. For each deployment environment (dep_env_name) in the cell, complete the following actions. For more information, see Virtual hosts in the WebSphere Application Server information center.
    1. Decide on the virtual host name, virtual_host_name.
    2. Create a dedicated virtual host. Using the administrative console, navigate to Environment > Virtual hosts and click New.
    3. Specify a name for the new virtual host. For example, vh_de1.
    4. If you are using an external HTTP server, you must add the HTTP server's virtual host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. For example, navigate to vh_de1 and click New. Then enter the host name of your HTTP server and associate it with the HTTP or HTTPS port.
    5. If you want to access the web container of the cluster members, add the host name of each cluster member as a host alias. Navigate to Environment > Virtual hosts > Name of the virtual host created in the previous step > Host Aliases and click New. Enter the host name of the cluster member and associate it with the WC_defaulthost_secure port.

      Here is an example of the host aliases that must be added for a single cluster deployment environment that contains two members:

      Deployment environment name: de1

      Cluster name: de1.AppTarget

      Cluster member 1: de1.AppTarget.Member1

      Cluster member 2: de1.AppTarget.Member2

      Virtual host name: vh_de1

      Virtual host aliases in vh_de1:
      • To access IBM Business Process Manager over HTTPS, add the cluster member host names and WC_defaulthost_secure ports to the host alias:
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost_secure port. For example 9443.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost_secure port. For example 9443.
      • To access IBM Business Process Manager over HTTP, add the WC_defaulthost ports.
        • Cluster member host name for de1.AppTarget.Member1 on the WC_defaulthost port. For example 9080.
        • Cluster member host name for de1.AppTarget.Member2 on the WC_defaulthost port. For example 9080.
      • If you use an external HTTP server, you must add the HTTP server's virtual host alias:
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 80.
        • Virtual host that corresponds to your HTTP server. For example ihs.virtual.host.for.de1.ibm.com on port 443.
    6. Map the virtual host name, virtual_host_name, to the deployment environment, dep_env_name, by running the updateVirtualHost command on the deployment manager, DmgrProfile.
      For Linux and UNIX operating systems:
      install_root/profiles/DmgrProfile/bin/updateVirtualHost.sh -d dep_env_name -v virtual_host_name -username username -password password
      For Windows operating systems:
      install_root\profiles\DmgrProfile\bin\updateVirtualHost -d dep_env_name -v virtual_host_name -username username -password password
      Where DmgrProfile is your deployment manager profile name, username is your user name, and password is the password.
      Tip: For more information about the updateVirtualHost command, see Configuring a virtual host. For information on the BPMVirtualHostInfo object, see Configuring IBM BPM endpoints to match your topology.
    7. If you are using an external HTTP server, regenerate and propagate the HTTP server plug-in.
      1. In the administrative console, navigate to Servers > Server Types > Web Servers.
      2. Select the name of your HTTP server, then click Generate Plug-in.
      3. Select the name of your HTTP server, then click Propagate Plug-in.
        Tip: The administration service must be running on your HTTP server.
  4. Configure dedicated context root prefixes for each deployment environment by running the BPMConfig command. For more information about the BPMConfig command, see BPMConfig command-line utility.
  5. Create and configure a dedicated security domain for each deployment environment and map each cluster and service integration bus to the dedicated security domain. See Configuring multiple security domains.
    • Every cluster and service integration bus in the deployment environment must be mapped to the same security domain.
    • If you use a dedicated user registry for each security domain, the user realm name for the security domain must be unique.
    • Users that are configured for the deployment environment must exist in the user registry.
  6. To have a user from the security domain of the deployment environment in the bus connector role, you must replace the user in the bus connector role with the users from the realm of the security domain. For each user:
    1. Click Service integration > Buses > BPM.yourDE.Bus > Security > Users and groups in the bus connector role.
    2. Select the user from the global realm (for example, de1Admin) and click Delete.
    3. Click New.
    4. Select Users and click Next.
    5. Select the user from the security domain realm.
  7. Click Security > Global security > Custom Properties and add the following custom property to global security:
    com.ibm.websphere.security.useAppContextForServletInit = true
    Note: The next steps are only required if you want to have dedicated administrators for each deployment environment.
  8. Configure trusted authentication realms:
    1. Click Security > Global security > Configure > Trusted authentication realms - inbound.
    2. Select the realm name that is associated with the security domain and click Trusted.
  9. For each deployment environment, create dedicated WebSphere Application Server users that are used to perform WebSphere Application Server administrative functions from either the administrative console or the wsadmin system management scripting interface. These users must be created in the global user registry because only cell-scope users are allowed to run wsadmin. If you are using the file registry:
    1. Click Users and Groups > Manage Users > Create.
    2. Create four additional users for each deployment environment. For example:
      • de1WASAdministrator
      • de1WASDeployer
      • de1WASMonitor
      • de1WASOperator
    For more information, see Role-based authorization.
  10. Create a dedicated Administrative Authorization Group (AAG) for each deployment environment:
    1. Click Security > Administrative Authorization Groups > New and enter a name for the AAG.
    2. Click the new AAG.
    3. Expand Clusters and select all clusters that belong to the deployment environment.
    4. Expand Business-level applications and select all business level applications that belong to the deployment environment.
    5. Expand Applications and select all applications that belong to the deployment environment.
      Note: Do not map any nodes or node groups.
    6. Save and synchronize your changes.
    7. Click Administrative user roles and press Add.
    8. Assign administrative roles to users:
      • de1WASAdministrator - Administrator
      • de1WASDeployer - Deployer
      • de1WASMonitor - Monitor
      • de1WASOperator - Operator
    9. Add the de1Admin@depenv1_realm deployment environment administrator with the following privileges:
      • Operator
      • Deployer
      • Configurator
      • Monitor
      • Administrator
      • Admin Security Manager
      Note: The security domain realm must be selected when adding the de1Admin@depenv1_realm user.
    10. You can have different user registries in an environment with multiple security domains. To perform certain Process Admin LifeCycle (PAL) administrative functions, you must have a user in the security domain of the deployment environment. However, to connect to the wsadmin scripting interface or to call MBeans, the user must be in the user registry of the global security domain. The BPMAdminJobUser role maps to an authentication alias for a user that requires the authority to perform actions on the PAL Admin task. If specified, the system executes PAL actions from the MBean of type PALService as this user. Create a J2C authentication alias for the BPMAdminJobUser role:
      1. Click Security > Global security > Java Authentication and Authorization Service > J2C authentication data.
      2. Click New and specify an arbitrary alias name, and the deployment environment administrator user ID and password.
        Note: You must use the password that was specified for the deployment environment administrator during the deployment environment creation.
    11. Map the J2C authentication alias to the BPMAdminJobUser role:
      1. Click Servers > Deployment Environment > yourDE > Authentication Aliases.
      2. Select the new J2C authentication alias and map it to the BPMAdminJobUser role.
  11. Configure an endpoint for the remote artifact loader (REMOTE_AL scenario) in each deployment environment. See Configuring IBM BPM endpoints to match your topology.
  12. Configure the third-party trust association interceptors (TAI) for each dedicated security domain. See Configuring third-party authentication products.
  13. Configure InvokeTAIbeforeSSO for each dedicated security domain.