If you expect to use a secured environment, enable security
before you configure Process Portal. However, if needed, you can enable
security manually later. To turn on security for Process Portal, you
must enable both application security and administrative security
for the Business Space component.
Before you begin
Before you complete this task, you
must have completed the following tasks:
- Check that your user ID is registered in the user registry for
your product.
About this task
The Business Space component
is preconfigured to ensure authentication and authorization of access.
Users are prompted to authenticate when accessing Process Portal URLs.
Unauthenticated users are redirected to a login page.
The Business Space component is
configured to be accessed by HTTPS by default. If you prefer HTTP
because Process Portal is
already behind a firewall, you can switch to HTTP by running the configBSpaceTransport.py script.
The configBSpaceTransport.py script has parameters
to switch to either HTTP or HTTPS if you want to change from a previous
setting. See Designating HTTP or
HTTPS settings for Process Portal.
To enable authenticated access to Process Portal,
you must have a user registry configured and application security
enabled. Authorization to spaces and page content is handled internally
as part of managing spaces.
Procedure
- For complete instructions on security, see the security
documentation for your product.
- For the Business Space application,
on the Global security administrative console
page, select both Enable administrative security and Enable
application security.
- If you want to enable or remove security after you have
configured the Business Space component
with your IBM® Business Process Manager profile,
you must modify the noSecurityAdminInternalUserOnly property
in the ConfigServices.properties file.
The noSecurityAdminInternalUserOnly property
specifies the administrator ID for Process
Portal when security is disabled.
By default, Business Space configuration sets the property to BPMAdministrator if
security is disabled. When security is enabled, by default this property
is set to the application server admin ID. If you want to enable or
remove security after you have configured the Business Space component,
use the application server admin ID.
  - In the ConfigServices.properties file, set the noSecurityAdminInternalUserOnly property
    to the application server admin ID. The ConfigServices.properties file
    is located at profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties for
    a stand-alone server or deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties for
    a cluster.
  - Run the updatePropertyConfig command
    using the wsadmin scripting client.
    Important: For Windows, the value for the propertyFileName parameter
    must be the full path to the file, and all backslashes must be doubled,
    for example:
    AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
    - For a stand-alone server:
      The following example uses Jython:
      # Backslashes are doubled so that Jython does not read \n in \node_name as a newline.
      AdminTask.updatePropertyConfig('[-serverName server_name -nodeName node_name -propertyFileName "profile_root\\BusinessSpace\\node_name\\server_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
      AdminConfig.save()
      The following example uses Jacl:
      $AdminTask updatePropertyConfig {-serverName server_name -nodeName node_name -propertyFileName "profile_root\BusinessSpace\node_name\server_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"}
      $AdminConfig save
    - For a cluster:
      The following example uses Jython:
      AdminTask.updatePropertyConfig('[-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\\BusinessSpace\\cluster_name\\mm.runtime.prof\\config\\ConfigService.properties" -prefix "Mashups_"]')
      AdminConfig.save()
      The following example uses Jacl:
      $AdminTask updatePropertyConfig {-clusterName cluster_name -propertyFileName "deployment_manager_profile_root\BusinessSpace\cluster_name\mm.runtime.prof\config\ConfigService.properties" -prefix "Mashups_"}
      $AdminConfig save
  - Restart the server.
  - Log in to Process Portal and reassign the owners of the default
    spaces to the new administrator ID.
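A pre-flight check for the property edit and the Windows path escaping described in this procedure, as an added example that is not IBM code. It runs under ordinary Python before you open wsadmin and does not call AdminTask itself; the admin ID wasadmin, the sample file content, the sample path, and the assumption that the property appears as a plain key=value line are all constructed for illustration.

```python
import re

PROPERTY = "noSecurityAdminInternalUserOnly"
UNSECURED_DEFAULT = "BPMAdministrator"   # default named in this topic
# Assumption: standard Java properties syntax (key=value or key:value, # or ! comments).
_LINE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")

# Constructed sample content and path, not taken from a real installation.
SAMPLE = """\
# constructed sample
example.other.key = value
noSecurityAdminInternalUserOnly = BPMAdministrator
"""
SAMPLE_PATH = (r"C:\profiles\ProcCtr01\BusinessSpace\node01\server1"
               r"\mm.runtime.prof\config\ConfigService.properties")


def read_property(text, key=PROPERTY):
    """Return the effective value of key (the last assignment wins), or None."""
    value = None
    for line in text.splitlines():
        match = _LINE.match(line)
        if match and match.group(1) == key:
            value = match.group(2)
    return value


def check_admin_id(text, server_admin_id):
    """Return a list of problems; an empty list means the file is ready."""
    current = read_property(text)
    if current is None:
        return ["%s is not set" % PROPERTY]
    if current != server_admin_id:
        note = " (the security-disabled default)" if current == UNSECURED_DEFAULT else ""
        return ["%s is %r%s, expected %r" % (PROPERTY, current, note, server_admin_id)]
    return []


def wsadmin_command(property_file, server_name, node_name, prefix="Mashups_"):
    """Build the stand-alone-server Jython line with the Windows path escaped."""
    if any(ord(ch) < 32 for ch in property_file):
        # e.g. "\node01" typed in a normal string literal already became a newline
        raise ValueError("control character in path; pass the path as a raw string")
    escaped = property_file.replace("\\", "\\\\")
    return ("AdminTask.updatePropertyConfig('[-serverName %s -nodeName %s "
            "-propertyFileName \"%s\" -prefix \"%s\"]')"
            % (server_name, node_name, escaped, prefix))


if __name__ == "__main__":
    print(check_admin_id(SAMPLE, "wasadmin"))
    print(wsadmin_command(SAMPLE_PATH, "server1", "node01"))
```
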
What to do next
- After the administrative security and application security are
turned on, you receive a prompt for a user ID and password when you
log in to Process Portal.
You must use a valid user ID and password from the selected user registry
in order to log on. After you turn on administrative security, whenever
you return to the administrative console, you must log in with the
user ID that has administrative authority.
- If you want to change the user account repository from the default
for your product profile, follow the steps in Selecting the user account repository for Process Portal.
- If you have a cross-cell environment where Process
Portal is remote from where IBM Business Process Manager is
running, and the nodes are not in the same cell, set up single-sign-on
(SSO) and Secure Sockets Layer (SSL) certificates. Follow the instructions
in Setting up SSO and SSL for Process Portal.
- To designate who can perform administrator actions in the Process Portal environment,
see Assigning the superuser
role.