Securing IBM Business Process Manager and applications
Security of IBM® Business Process Manager depends
on securing the runtime environment and securing applications.
Securing the environment involves enabling administrative security, enabling application security, creating profiles with security, and restricting access to critical functions to users or groups assigned to specific roles. For more information, see IBM Business Process Manager security roles.
Application security is turned on by default in IBM Business Process Manager and cannot be turned off.
IBM Business Process Manager security
is based on the WebSphere® Application
Server version
8.5 security. For detailed information, see the 
WebSphere Application
Server Network Deployment Information
Center.
Important: Security tasks can be broadly divided into
those concerning the administration of security in the IBM Business Process Manager environment
and those that are related to the applications running in IBM Business Process Manager. The
security of the server environment is central to the security of applications,
and therefore the two sides should not be thought of in isolation.
For architecture considerations, see Chapter 4: Security architecture
considerations in Business Process
Management Design Guide: Using IBM Business Process Manager.
- Getting started with security
Security is an integral consideration when you are planning to install IBM Business Process Manager, when you are developing and deploying applications, and in the day-to-day running of IBM Business Process Manager. - Managing IBM Business Process Manager users, groups, and teams
IBM Business Process Manager uses the WebSphere Application Server file registry, which you can use to create and maintain IBM BPM users and groups as outlined in the following sections. - Changing IBM Business Process Manager and database passwords
You can change the IBM Business Process Manager and database passwords after completing the installation and configuration. - Configuring external security providers
To use an external security provider, you must add the provider to the federated repository. Several types of repositories are supported, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories. - Configuring multiple deployment environments
You can isolate multiple deployment environments within a single cell in your IBM Business Process Manager configuration. - Configuring IBM BPM endpoints to match your topology
If the user's browser requests pass through a web server or load-balancing server before the request reaches the IBM BPM server, you must configure the virtual host information that is used by IBM BPM to generate URLs. - Configuring third-party authentication products
To use a third-party authentication product, you must customize various configuration settings. - Security configuration properties
Use the WebSphere command-line administration tool (wsadmin) AdminConfig commands to access and modify IBM Business Process Manager security properties as configuration objects. - Configuring Secure Sockets Layer (SSL) for IBM Business Process Manager
You can enable Secure Sockets Layer (SSL) communication for IBM Business Process Manager. This process enables secure https communication between the Process Center and the Process Server. - Enabling a NIST SP800-131a compliant environment
If you are using IBM BPM V8.5.0.1+, you can configure IBM Business Process Manager to support the National Institute of Standards and Technology (NIST) SP800-131a security standard. SP800-131a requires longer key lengths and stronger cryptography than other standards, such as FIPS 140-2. SP800-131a requires Transport Layer Security (TLS) V1.2. - Configuring cross-cell security for IBM Process Center
Before registering a Process Center with another Process Center in a different cell, you must complete security configuration. Once the security configuration between the cells is completed, a Process Center in one cell can register a Process Center in another cell with HTTPS protocol over Secure Sockets Layer (SSL). - Configuring administrative and application security
The first step in securing your IBM Business Process Manager environment
and your applications is to make sure that administrative
security is enabled. 
In WebSphere Application
Server version 7.0,
administrative security is enabled by default. If you have disabled
administrative security, use the following instructions to enable
it again. - Securing access to timetables in the Business Calendars widget
The Security Roles widget provides you with the ability to secure access to individual timetables in the Business Calendars widget. You use the Security Roles widget to assign roles to the members of an organization. It is these roles that determine the level of access to the timetables. - Setting up security for the Business Space component and Process Portal
If you are using Process Portal with your environment, you must consider security options for the Business Space component. If you want to turn on security, set up application security and designate a user repository. To define administrators, assign a Business Space superuser role. - Security in human tasks and BPEL processes
There are a number of roles associated with human tasks and BPEL processes. These roles are unique to tasks and processes that run in Business Process Choreographer.
Related reference: