Configure Process Engine security

Use the Security tab to configure the Process Engine security connection and to set the region password.

Security connection

Process Engine relies on a Content Engine server for authentication and directory service access (for example, performing queries for user and group information). Configuring the Process Engine security connection involves specifying a Content Engine server for this purpose.

You must configure or update Process Engine security after:

For information about how security accounts are documented using display names and variable designators, see Users and groups required by FileNet P8 Platform.

To configure Process Engine security

  1. Select the Security/General tab in the Process Engine node. The current security configuration displays.

    Content Engine URI

    The URI (Uniform Resource Identifier) identifying a Content Engine server in the FileNet P8 domain.

    Service username

    pe_service_user

    A valid user name. Process Engine uses pe_service_user when connecting to the Content Engine server.

    This user must:

    • Be a member of the group specified in the Process Engine Administrator Group (pe_admin_group).
    • Belong, if security has already been configured, to the Process Engine Administrator Group specified previously.

    TIP For detailed instructions on changing the Service Username when security has already been configured, see below.

    Service username password

    The password of pe_service_user. Empty or null passwords are not allowed.

    NOTE  You must re-enter the password each time you make changes to the security configuration. If the pe_service_user password changes after you have configured security, Process Engine on each server will fail. If this occurs, update the password and restart all servers in the Process Engine system.

    Administrator group

    pe_admin_group

    A valid group name. Members of pe_admin_group automatically have administrative privileges for Process Engine.

    TIP For detailed instructions on changing the Administrator Group (pe_admin_group) when security has already been configured, see below.

    Configuration group

    pe_config_group

    (Optional) A valid group name. Members of pe_config_group automatically have configuration privileges for the Process Engine workflow database.

    If a group name is entered, members of pe_config_group or the Process Engine Administrator Group (pe_admin_group) can make configuration changes to the workflow database. If this is left blank, anyone can make these changes.

    Debug

    Indicates whether debugging information is provided. Do not turn on debugging unless you are directed to do so by your service representative.

  2. Click Apply.

To change the service user or administrator group when Process Engine security has already been configured

The group membership requirements for the user assigned to the Service Username can make changing the service user and the Process Engine Administrator Group at the same time seem complicated. The important thing to remember is not to delete the existing user or group from your directory service until the change is complete.

Use the example below to help you coordinate the necessary changes. Use a similar procedure if you are simply changing or moving the administrative group without changing the service user.

              Service user     Administrative group
    Current   Administrator    Domain Admins
    New       PEAdmin          PEAdministrators

  1. In your directory service, do the following steps:
    1. Create user PEAdmin if it doesn't already exist.
    2. Add PEAdmin to the Domain Admins group.
    3. Create the PEAdministrators group if it doesn't already exist.
    4. Add PEAdmin to the PEAdministrators group.
  2. In Process Task Manager, change the Service Username and Process Engine Administrator Group values to the new user and new group distinguished names. Click Apply to save your changes.
  3. In your directory service, you can now remove PEAdmin from the Domain Admins group. You can also delete the Domain Admins group if desired.
  4. Restart all servers in the Process Engine system for the changes to take effect and to update the user and group cache information.
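
A pre-flight check for the procedure above, as an added example that is not part of the original documentation or of any FileNet tooling: it tests a constructed directory snapshot against the membership and password rules on this page before the change is applied in Process Task Manager. The snapshot layout, the function names and the password value are assumptions.

```python
# Added example: pre-flight check before changing the service user and
# administrator group in Process Task Manager. The directory snapshots are
# constructed sample data; function names are illustrative.

def preflight(directory, current_admin_group, new_user, new_admin_group,
              password, config_group=""):
    """Return (severity, message) findings for the proposed change."""
    findings = []
    groups = directory["groups"]
    if new_user not in directory["users"]:
        findings.append(("ERROR", f"user {new_user} does not exist"))
    # Security is already configured, so the new service user must belong to
    # the previously specified administrator group as well as the new one.
    for label, group in (("current", current_admin_group),
                         ("new", new_admin_group)):
        if group not in groups:
            findings.append(("ERROR", f"{label} group {group} does not exist"))
        elif new_user not in groups[group]:
            findings.append(("ERROR", f"{new_user} is not in {label} group {group}"))
    if not password:
        findings.append(("ERROR", "empty or null passwords are not allowed"))
    if not config_group:
        findings.append(("WARN", "configuration group is blank: anyone can "
                                 "change the workflow database configuration"))
    return findings

def can_apply(findings):
    """The change is safe to apply when no finding is an ERROR."""
    return all(severity != "ERROR" for severity, _ in findings)

# Constructed snapshot before step 1: PEAdmin and PEAdministrators are missing.
BEFORE = {"users": {"Administrator"},
          "groups": {"Domain Admins": {"Administrator"}}}
# Constructed snapshot after step 1: PEAdmin exists and is in both groups.
AFTER_STEP_1 = {"users": {"Administrator", "PEAdmin"},
                "groups": {"Domain Admins": {"Administrator", "PEAdmin"},
                           "PEAdministrators": {"PEAdmin"}}}

if __name__ == "__main__":
    for name, snapshot in (("before step 1", BEFORE), ("after step 1", AFTER_STEP_1)):
        result = preflight(snapshot, "Domain Admins", "PEAdmin",
                           "PEAdministrators", password="constructed-secret")
        print(name, "-> can apply:", can_apply(result))
        for severity, message in result:
            print(f"  {severity}: {message}")
```

Run the same check again before step 3: PEAdmin should be removed from the old group only after the new values have been applied.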

Region password

Each isolated region has a password associated with it. The password ensures that requests received by the Process Engine server are legitimate. The password you enter here must match the password entered when creating an isolated region object using Enterprise Manager.

To set a password for an isolated region

  1. Select the Security/Region Passwords tab in the Process Engine node.
  2. To add a region and its password, click Add and enter Isolated Region and Password as they were entered in the PE Region Ids on the Content Engine server. All passwords for the same region
  3. To delete a region and its password, select the region and click Delete. You cannot delete a region from this list as long as the region exists in the workflow database.

    TIP Use the vwtool regions command to view the regions that exist in the workflow database.

  4. To modify an existing password, select the password and update as desired.
  5. Click Apply.