Configuring external security providers

To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.

About this task

The default installation of IBM® Business Process Manager provides a federated repository that contains the WebSphere® Application Server file registry.

The following steps show an example of configuring an LDAP security provider (such as Microsoft Active Directory) with the federated repository. For more information about how to configure other supported repositories, such as Tivoli Directory Server, refer to the Configuring LDAP as the user account registry section of the IBM Business Process Manager V7.5 Production Topologies IBM Redbook.
Note: IBM recommends that you configure the LDAP security provider using a federated repository (also referred to as virtual member manager).
Restriction:
  • You must search for users by the user ID in standalone LDAP user repositories. Searching for users by user first name or last name is not supported in this configuration.
  • If you are using Active Directory as a user repository, and you search for a user name that contains a letter with a diacritical mark, the search will ignore the diacritical mark and will return all user names that contain the character, regardless of whether the character has a diacritical mark. For example, a search on user names that contain the letter e with an accent mark will return not just those user names, but also user names that include e with any other accent mark or e with no accent mark.
Important: The connection with an embedded Enterprise Content Management (ECM) system might be lost if users are deleted and recreated. Refer to Administering the technical user for the IBM BPM document store.

Procedure

  1. Log in to the WebSphere Application Server administrative console.
  2. Click Security > Global security.
  3. Under User account repository, select Federated repositories from the list of Available realm definitions.
  4. Click Configure.
  5. Under Related items, click Manage repositories.
  6. Click Add > LDAP Repository and specify parameters for the provider that you want to add. For example, to add Microsoft Active Directory, specify values such as the following examples:
    Table 1. Parameters for adding a provider
    Parameter                | Example values
    -------------------------+-------------------------------------------
    Repository identifier    | SALOMLDAP // change to suit
    Directory type           | Microsoft Windows Active Directory
    Primary host name        | 10.1.5.18
    Bind distinguished name  | cn=LDAP_USER,CN=Users,DC=COMPANYQA,DC=com
    Bind password            | pwsaaswp
  7. Click OK and then Save.
  8. On the Federated repositories page, click Add Base entry to Realm and specify values such as the following examples:
    Table 2. Parameters for adding a base entry to a realm
    Base entry name                                                                         | Example values
    ----------------------------------------------------------------------------------------+-------------------------------
    Distinguished name of a base entry that uniquely identifies this set of entries in the realm | cn=Users,DC=COMPANYQA,DC=com
    Distinguished name of a base entry in this repository                                   | cn=Users,DC=COMPANYQA,DC=com
  9. Click OK and then Save.

    If your external security provider (LDAP) contains many entries, you must increase the maximum number of search results in federated repositories. A full synchronization queries all entries in LDAP, and that query is limited by the maximum search value in the wimconfig.xml file. In WebSphere Application Server, the default maximum number of search results is 4500 entries. This value is not the maximum number of LDAP users or groups that WebSphere Application Server can handle; rather, it is the maximum number of entries that is returned, based on the configuration value in the wimconfig.xml file. Check the SystemOut.log file for the CWWIM1018E error code. If you see this error, increase the maximum search results in the wimconfig.xml file as described in the MaxResultsExceededException occurs during LDAP repository search topic in the WebSphere Application Server Information Center. After the change, restart both the WebSphere Application Server and IBM BPM servers, then complete a full synchronization.

  10. On the Global Security page, click Set as current and then click Apply.
  11. Shut down all IBM BPM servers. For a network deployment environment, you must shut down all of the servers, node agents, and deployment manager.
  12. Make sure that no duplicate users exist in the WebSphere Application Server file registry and the security provider that you just added. If duplicate users exist, errors will occur when you run IBM Business Process Manager product components.
  13. Start all IBM BPM servers. For a network deployment environment, you must restart all of the servers, node agents, and deployment manager.

    If you have configured a server cluster for your runtime environment, stop and restart all servers in the cluster.
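The procedure above leaves three things for the administrator to verify by hand: the maxSearchResults value in wimconfig.xml (step 9), the CWWIM1018E error in SystemOut.log after a full synchronization, and the absence of duplicate users between the file registry and the new LDAP repository (step 12). The following script is an added example, not part of the IBM documentation or product, that performs those checks over constructed sample input. It assumes the maxSearchResults attribute name used in wimconfig.xml (the surrounding element layout is an assumption), treats the CWWIM1018E message text as constructed, and takes user IDs as plain lists because the real sources (fileRegistry.xml and an LDAP export) vary by environment. Because the Restriction above states that Active Directory searches ignore diacritical marks, the duplicate check also reports IDs that collide only once case and accents are stripped.

```python
"""Post-configuration checks for an LDAP provider in the federated repository.

Added example; not part of the IBM documentation or product. The XML fragment,
log lines and user lists below are constructed sample input.
"""
import re
import unicodedata

# Constructed wimconfig.xml fragment. The maxSearchResults attribute name is
# the one WebSphere uses; the surrounding element layout is an assumption.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:configurationProvider maxPagingResults="500" maxSearchResults="4500"
      maxTotalPagingResults="1000" pagedCacheTimeOut="900"
      pagingEntityObject="true" searchTimeOut="600000"/>
</sdo:datagraph>
"""

# Constructed SystemOut.log lines; only the CWWIM1018E code comes from the
# documentation, the message wording is made up for the sample.
SAMPLE_SYSTEMOUT = [
    "[1/15/13 10:02:11:123 EST] 0000001f SystemOut     O Full synchronization started",
    "[1/15/13 10:02:13:456 EST] 0000001f exception     E CWWIM1018E The number of "
    "entries returned by the LDAP search exceeded the configured maxSearchResults",
    "[1/15/13 10:02:13:457 EST] 0000001f SystemOut     O Full synchronization ended",
]

# Constructed user IDs: one list from the file registry, one from LDAP.
SAMPLE_FILE_REGISTRY_IDS = ["admin", "tw_admin", "Jose", "deadmin"]
SAMPLE_LDAP_IDS = ["jsmith", "José", "TW_ADMIN", "mgarcia"]

_MAX_RESULTS_RE = re.compile(r'maxSearchResults="(\d+)"')


def max_search_results(wimconfig_text):
    """Return the configured maxSearchResults, or None if the attribute is absent."""
    match = _MAX_RESULTS_RE.search(wimconfig_text)
    return int(match.group(1)) if match else None


def find_max_results_errors(log_lines):
    """Return the SystemOut.log lines that carry the CWWIM1018E code."""
    return [line for line in log_lines if "CWWIM1018E" in line]


def strip_marks(text):
    """Remove diacritical marks: 'José' -> 'Jose' (NFKD, drop combining chars)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def find_duplicate_users(file_registry_ids, ldap_ids):
    """Pair file-registry IDs with LDAP IDs that would clash.

    'exact' pairs differ at most in case (Active Directory account names are
    case-insensitive); 'diacritic_only' pairs differ only in accents, which an
    Active Directory search also ignores.
    """
    by_case, by_folded = {}, {}
    for uid in ldap_ids:
        by_case.setdefault(uid.casefold(), []).append(uid)
        by_folded.setdefault(strip_marks(uid).casefold(), []).append(uid)

    exact, diacritic_only = [], []
    for uid in file_registry_ids:
        key = uid.casefold()
        if key in by_case:
            exact.extend((uid, other) for other in by_case[key])
            continue
        folded = strip_marks(uid).casefold()
        if folded in by_folded:
            diacritic_only.extend((uid, other) for other in by_folded[folded])
    return {"exact": exact, "diacritic_only": diacritic_only}


def run_checks(wimconfig_text, log_lines, file_registry_ids, ldap_ids, ldap_entry_count):
    """Return a list of findings; an empty list means nothing needs attention."""
    findings = []
    limit = max_search_results(wimconfig_text)
    if limit is not None and ldap_entry_count > limit:
        findings.append(
            f"LDAP holds {ldap_entry_count} entries but maxSearchResults is {limit}; "
            "raise it in wimconfig.xml and restart before a full synchronization")
    for line in find_max_results_errors(log_lines):
        findings.append(f"CWWIM1018E in SystemOut.log: {line}")
    dups = find_duplicate_users(file_registry_ids, ldap_ids)
    for file_uid, ldap_uid in dups["exact"]:
        findings.append(f"duplicate user: file registry '{file_uid}' vs LDAP '{ldap_uid}'")
    for file_uid, ldap_uid in dups["diacritic_only"]:
        findings.append(f"ambiguous under AD search: '{file_uid}' vs LDAP '{ldap_uid}'")
    return findings


if __name__ == "__main__":
    # The LDAP entry count would come from counting the base entry; 6000 is constructed.
    for finding in run_checks(SAMPLE_WIMCONFIG, SAMPLE_SYSTEMOUT,
                              SAMPLE_FILE_REGISTRY_IDS, SAMPLE_LDAP_IDS, 6000):
        print(finding)
```

Run it after step 13 (or after any later full synchronization) with the real wimconfig.xml text, the tail of SystemOut.log, and the two user-ID lists; any finding in the "duplicate user" category must be resolved before product components are used, since the procedure states that duplicate users cause errors at run time.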