Configuring Business Process Choreographer to use an LDAP user registry

This describes how to change an existing Business Process Choreographer configuration to use a Lightweight Directory Access Protocol (LDAP) user registry.

Why and when to perform this task

Steps for this task

  1. Configure the LDAP user registry.
    a. Click Security > Global security and make sure that Enable global security is not selected.
    b. Under User registries, select LDAP.
    c. Set the user name and password that are used to run WebSphere Process Server for security purposes. In the Server user ID field, type the user name, and in the Server user password field, enter the corresponding password. This ID is not the LDAP administrator user ID, but it must exist in the LDAP registry.
    d. From the Type list, choose the specific LDAP directory that you want to use as your user registry.
    e. In the Host field, enter the host name of the LDAP server.
    f. In the Port field, enter the port number on which the LDAP server is listening.
    g. Enter the Base Distinguished Name.

      This value specifies the base distinguished name of the directory service, indicating the starting point for LDAP searches of the directory service.

      For authorization purposes, this field is case sensitive. This means that if a token is received (for example, from another cell or Domino server), the base distinguished name (DN) in the server must match the base DN from the other cell or Domino server exactly. If case sensitivity is not a consideration for authorization, enable the Ignore case field. This field is required for all LDAP directories except the Domino Directory, where it is optional.

    h. Enter the Bind Distinguished Name: the user ID that the application server uses to bind to the LDAP server. For example, you can use the same user ID that you entered for the Server user ID.
    i. Enter the Bind Password: the password for the user ID that you specified for the Bind Distinguished Name.
    j. Leave the remaining parameters at their default values and click OK to confirm your changes.
  2. Configure the Lightweight Third Party Authentication (LTPA) mechanism. Under Authentication, open Authentication mechanisms and select LTPA. In the Password and Confirm password fields, enter a password of your choice, then click OK.
  3. Enable global security, Java 2 security, LTPA and LDAP.
    a. Select Enable global security.
    b. Select Enforce Java 2 security.
    c. For Active authentication mechanism, select Lightweight Third Party Authentication (LTPA).
    d. For Active user registry, select Lightweight Directory Access Protocol (LDAP) user registry.
    e. Click OK and save your changes.
  4. Restart WebSphere Process Server.
  5. Log on to the administrative console using the user ID that you specified for the Server user ID in step 1.c.
  6. Add new user mapping for the JMSAPIUser role for the business process container application.
    a. In the administrative console, locate the business process container application. Click Applications > Enterprise Applications > BPEContainer_<your_node>_<your_server>.
    b. Under Additional Properties, click Map RunAs roles to users.
    c. For username, enter a valid user ID that is defined in the LDAP user registry.
    d. For password, enter the password for the user ID.
    e. Select the check box in front of the table row for JMSAPIUser.
    f. Click Apply. This associates the user ID with the role. The user ID is added to the table.
    g. Click OK and save your changes.
  7. Add security role mappings for system administrator and system monitor for the business process container application.
    a. In the administrative console, locate the business process container application. Click Applications > Enterprise Applications > BPEContainer_<your_node>_<your_server>.
    b. Under Additional Properties, click Map security roles to users/groups.
    c. Select the check boxes in front of the table rows for BPESystemAdministrator and BPESystemMonitor.
    d. Click Lookup Users.
    e. For Search String, enter the character *, and click Search.
    f. In the Available list, select the entry for a user or group that will , then click >>.
    g. Click OK.
    h. Select the check box in front of BPESystemAdministrator; if any other check boxes are selected, clear them.
    i. Click Lookup Groups.
    j. Remove the group by selecting the group that is displayed in the Selected field, clicking <<, and then clicking OK.
    k. Click OK and save your changes.
  8. Add a new user name mapping for the EscalationUser role for the human task container application.
    a. In the administrative console, locate the human task container application. Click Applications > Enterprise Applications > TaskContainer_<your_node>_<your_server>.
    b. Under Additional Properties, click Map RunAs roles to users.
    c. For username, enter a valid user ID that is defined in the LDAP user registry.
    d. For password, enter the password for the user ID.
    e. Select the check box in front of the table row for EscalationUser.
    f. Click Apply. This associates the user ID with the role. The user ID is added to the table.
    g. Click OK and save your changes.
  9. Add security role mappings for system administrator and system monitor for the human task container application.
    a. In the administrative console, locate the human task container application. Click Applications > Enterprise Applications > TaskContainer_<your_node>_<your_server>.
    b. Under Additional Properties, click Map security roles to users/groups.
    c. Select the check boxes in front of the table rows for TaskSystemAdministrator and TaskSystemMonitor.
    d. Click Lookup Users.
    e. For Search String, enter the character *, and click Search.
    f. In the Available list, select the entry for the user ID that you specified in step 1.c, then click >>.
    g. Click OK.
    h. Select the check box in front of TaskSystemAdministrator; if any other check boxes are selected, clear them.
    i. Click Lookup Groups.
    j. Remove the group by selecting the group that is displayed in the Selected field, clicking <<, and then clicking OK.
    k. Click OK and save your changes.
  10. Change the sample LDAP staff plug-in configuration.
    a. In the administrative console, click Resources > Staff plug-in provider > LDAP Staff Plugin Provider.
    b. Under Additional Properties, click Staff Plugin Configuration.
    c. Click LDAP Staff Plugin Configuration sample.
    d. Under Additional Properties, click Custom properties.
    e. Set the value of the BaseDN property to the same value that you entered for Base Distinguished Name (DN) in step 1.g.
    f. Set the value of the ProviderURL property to the URL of the LDAP server, for example ldap://host:port, where host and port are the values that you entered in steps 1.e and 1.f.
    g. Click OK and save your changes.
  11. Change the authentication data entries for the J2EE Connector Architecture (J2C).
    a. In the administrative console, click Security > Global Security.
    b. Under JAAS Configuration, click J2C Authentication data.
    c. Change each user alias, and set the user ID and password to the values of a valid user ID that is defined in the LDAP user registry. Do not change any database aliases.
    d. Save your changes.
  12. Restart the servers.
    • For Network Deployment (ND): Stop the cluster, all node agents, and the deployment manager, and then restart them.
    • For a single server: Restart the server.
    Note: Use the server user ID that you specified in step 1.c to stop the servers, node agents and deployment manager.
  13. Verify that the Business Process Choreographer applications are running.
    a. In the administrative console, click Applications > Enterprise Applications.
    b. Verify that the applications BPEContainer_node_server and TaskContainer_node_server are running.
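Most of the values entered in step 1 (host, port, Base DN, Bind DN, Bind Password) and repeated in step 10 only reveal a mistake after global security is enabled and the server restarted. The following pre-flight script is an added example, not code from the original page or from WebSphere Process Server: it checks the values for consistency offline (the ProviderURL form from step 10.f and the case-sensitive Base DN comparison from step 1.g) and, optionally, performs an LDAP v3 simple bind (RFC 4511) with the Bind DN and password over a raw socket so that wrong credentials are caught before the restart. All host names, DNs and passwords in it are constructed sample values.

```python
"""Pre-flight checks for the LDAP values entered in steps 1 and 10.

Added example; not code from the original page or from WebSphere Process
Server. Host names, DNs and passwords used below are constructed samples.
"""
import socket


def provider_url(host, port):
    """ProviderURL for the staff plug-in (step 10.f): ldap://host:port."""
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "ldap://%s:%d" % (host, port)


def base_dn_matches(registry_base_dn, plugin_base_dn, ignore_case=False):
    """Compare the registry Base DN (step 1.g) with the plug-in BaseDN (step
    10.e). The registry compares DNs case sensitively unless 'Ignore case' is
    enabled, so the comparison mirrors that setting."""
    a, b = registry_base_dn.strip(), plugin_base_dn.strip()
    return a.lower() == b.lower() if ignore_case else a == b


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(data, pos=0):
    """Decode one tag-length-value at pos; return (tag, content, next_pos)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first & 0x80:                        # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def bind_request(message_id, bind_dn, password):
    """Encode an LDAPMessage carrying a BindRequest with simple authentication
    (RFC 4511 section 4.2). Tags: 0x30 SEQUENCE, 0x02 INTEGER, 0x60
    [APPLICATION 0] BindRequest, 0x04 OCTET STRING, 0x80 [0] simple."""
    if not 0 < message_id < 128:
        raise ValueError("message_id must fit in one byte")
    bind = _tlv(0x60, _tlv(0x02, b"\x03")                      # version 3
                      + _tlv(0x04, bind_dn.encode("utf-8"))    # name (LDAPDN)
                      + _tlv(0x80, password.encode("utf-8")))  # simple password
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)


def parse_bind_response(data):
    """Return (message_id, resultCode, diagnosticMessage) from a BindResponse
    (tag 0x61). resultCode 0 is success; 49 is invalidCredentials."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp)          # resultCode, ENUMERATED (0x0a)
    _, _, pos = _read_tlv(resp, pos)        # matchedDN
    _, diag, _ = _read_tlv(resp, pos)       # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def check_bind(host, port, bind_dn, password, timeout=5.0):
    """Connect in the clear (which is what an ldap:// ProviderURL implies), send
    the bind, read the response, then send an UnbindRequest (tag 0x42)."""
    with socket.create_connection((host, int(port)), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        data = s.recv(4096)                 # a BindResponse fits in one read
        s.sendall(_tlv(0x30, _tlv(0x02, b"\x02") + b"\x42\x00"))
    _, code, diag = parse_bind_response(data)
    return code, diag


if __name__ == "__main__":
    # Constructed sample values standing in for steps 1.e to 1.i and 10.e/10.f.
    host, port, base_dn = "ldap.example.test", 389, "o=ibm,c=us"
    print("ProviderURL:", provider_url(host, port))
    print("BaseDN consistent:", base_dn_matches(base_dn, "O=IBM,C=US"))
    print("Bind request hex:", bind_request(1, "cn=wpsbind,o=ibm,c=us", "secret").hex())
    # To try the bind against a real server, uncomment the next line:
    # print(check_bind(host, port, "cn=wpsbind,o=ibm,c=us", "secret"))
```

A resultCode of 0 from check_bind confirms the Bind DN and Bind Password from steps 1.h and 1.i; 49 (invalidCredentials) means one of them is wrong. Because the page's ProviderURL is plain ldap://, the bind password crosses the network unencrypted, so run the check from the WebSphere host or another trusted machine. Confirming that the Server user ID from step 1.c actually exists under the Base DN is simplest with an LDAP client, for example ldapsearch -x -H ldap://host:port -D "bindDN" -W -b "baseDN" "(uid=serverUserId)".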

Result

Now all staff queries will be made against the selected LDAP server.

(c) Copyright IBM Corporation 2005, 2006.