This describes how to change an existing Business Process Choreographer
configuration to use a Lightweight Directory Access Protocol (LDAP) user registry.
Why and when to perform this task
Steps for this task
- Configure the LDAP user registry.
- Click . Make sure that Enable global security is not enabled.
- Under User registries, select LDAP.
- Set the user name and password used to run WebSphere Process Server for security
purposes. In the Server user ID field type
the user name, and in the Server user password field,
enter the corresponding password. This ID is not the LDAP administrator user
ID. This user ID must exist in the LDAP registry.
- From the Type list choose the specific
LDAP that you want to use as your user registry.
- In the Host field, enter the
host name of the LDAP server.
- In the Port field, enter the
port number on which the LDAP server is listening.
- Enter the Base Distinguished Name.
This value specifies the base distinguished name of the directory
service, indicating the starting point for LDAP searches of the directory
service.
For authorization purposes, this field is case sensitive. This
specification implies that if a token is received (for example, from another
cell or Domino server) the base distinguished name (DN) in the server must
match the base DN from the other cell or Domino server exactly. If case sensitivity
is not a consideration for authorization, enable the Ignore case field.
This field is required for all LDAP directories except for the Domino Directory,
where this field is optional.
- Enter the Bind Distinguished Name. This is the user ID that the application server uses to bind to the
LDAP server. For example, you can use the same user ID that you entered for
the Server user ID.
- Enter the Bind Password. Enter
the password for the user ID you specified for the Bind Distinguished
Name.
- Leave the remaining parameters with the default values and confirm
your changes. Click OK.
- Configure the Lightweight Third Party Authentication (LTPA) mechanism. Under Authentication, open Authentication
mechanisms and select LTPA. In the fields Password and Confirm
password, enter a password of your choice, then click OK.
- Enable global security, Java 2 security, LTPA and LDAP.
- Select Enable global security.
- Select Enforce Java 2 security.
- For Active authentication mechanism,
select Lightweight Third Party Authentication (LTPA).
- For Active user registry, select Lightweight
Directory Access Protocol (LDAP) user registry.
- Click OK and save your changes.
- Restart WebSphere Process Server.
- Log on to the administrative console using the user ID that you
specified for the Server user ID in step 1.c.
- Add a new user mapping for the JMSAPIUser role
for the business process container application.
- In the administrative console, locate the business process container
application. Click .
- Under Additional Properties, click Map
RunAs roles to users.
- For username, enter a valid user ID that
is defined in the LDAP user registry.
- For password, enter the password for
the user ID.
- Select the check box in front of the table row for JMSAPIUser.
- Click Apply. This associates the user
ID with the role. The user ID is added to the table.
- Click OK and save your changes.
- Add security role mappings for system administrator and system
monitor for the business process container application.
- In the administrative console, locate the business process container
application. Click .
- Under Additional Properties, click Map
security roles to users/group.
- Select the check boxes in front of the table rows for BPESystemAdministrator and BPESystemMonitor.
- Click Lookup Users.
- For Search String, enter the character *,
and click Search.
- In the Available list, select the entry
for a user or group that will , then click >>.
- Click OK.
- Select the check box in front of BPESystemAdministrator;
if any other check boxes are selected, clear them.
- Click Lookup Groups.
- Remove the group: select the group that is displayed in
the Selected field, click <<, then
click OK.
- Click OK and save your changes.
- Add a new user name mapping for the EscalationUser role
for the human task container application.
- In the administrative console, locate the human task container
application. Click .
- Under Additional Properties, click Map
RunAs roles to users.
- For username, enter a valid user ID that
is defined in the LDAP user registry.
- For password, enter the password for
the user ID.
- Select the check box in front of the table row for EscalationUser.
- Click Apply. This associates the user
ID with the role. The user ID is added to the table.
- Click OK and save your changes.
- Add security role mappings for system administrator and system
monitor for the human task container application.
- In the administrative console, locate the business process container
application. Click .
- Under Additional Properties, click Map
security roles to users/group.
- Select the check boxes in front of the table rows for TaskSystemAdministrator and TaskSystemMonitor.
- Click Lookup Users.
- For Search String, enter the character *,
and click Search.
- In the Available list, select the entry
for the user ID that you specified in step 1.c,
then click >>.
- Click OK.
- Select the check box in front of TaskSystemAdministrator;
if any other check boxes are selected, clear them.
- Click Lookup Groups.
- Remove the group: select the group that is displayed in
the Selected field, click <<, then
click OK.
- Click OK and save your changes.
- Change the sample LDAP staff plug-in configuration.
- In the administrative console, click .
- Under Additional Properties, click Staff
Plugin Configuration.
- Click LDAP Staff Plugin Configuration sample.
- Under Additional Properties, click Custom
properties.
- Set the value of the BaseDN property
to the same value that you entered for Base Distinguished Name
(DN) in step 1.g.
- Set the value of the ProviderURL to the
URL for the LDAP server. For example, ldap://host:port,
where host and port are the values that
you entered in steps 1.e and 1.f.
- Click OK and save your changes.
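The base DN comparison is case sensitive unless Ignore case is set (step 1.g), and the staff plug-in's BaseDN and ProviderURL must agree with the values from steps 1.e to 1.g. The following added example (not IBM code; the helper names and sample values are constructed) checks those values against each other before the servers are restarted:

```python
"""Hypothetical consistency checker for the LDAP values in this procedure.

It models the settings entered in step 1 (host, port, base DN, Ignore case)
and the staff plug-in custom properties from step 7 (BaseDN, ProviderURL)
and reports mismatches that would otherwise surface only as failed logins
or empty staff queries after global security is enabled.
"""
import re
from dataclasses import dataclass


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas ('cn=a\\,b,o=ibm' -> ['cn=a\\,b', 'o=ibm'])."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def normalize_dn(dn: str, ignore_case: bool) -> str:
    """Canonical form: attribute types lowercased, spaces around '=' and ',' removed.
    With ignore_case the attribute values are lowercased too (the Ignore case option);
    otherwise values keep their case, which is the authorization rule from step 1.g."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        value = value.strip()
        parts.append(f"{attr.strip().lower()}={value.lower() if ignore_case else value}")
    return ",".join(parts)


def base_dn_matches(configured: str, received: str, ignore_case: bool = False) -> bool:
    """Would a token carrying `received` as its base DN be accepted by a server configured with `configured`?"""
    return normalize_dn(configured, ignore_case) == normalize_dn(received, ignore_case)


@dataclass
class LdapRegistry:
    """Values from step 1 (constructed sample data in the test, not a real server)."""
    host: str
    port: int
    base_dn: str
    ignore_case: bool = False


def check_staff_plugin(reg: LdapRegistry, custom_props: dict) -> list:
    """Compare the staff plug-in custom properties (step 7) with the registry settings (step 1)."""
    problems = []
    expected_url = f"ldap://{reg.host}:{reg.port}".lower()
    found_url = str(custom_props.get("ProviderURL", "")).lower().rstrip("/")
    if found_url != expected_url:
        problems.append(f"ProviderURL should be {expected_url}, found {found_url!r}")
    if not base_dn_matches(reg.base_dn, str(custom_props.get("BaseDN", "")), reg.ignore_case):
        problems.append(f"BaseDN {custom_props.get('BaseDN')!r} does not match Base DN {reg.base_dn!r}")
    return problems
```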
- Change the authentication data entries for the J2EE Connector Architecture
(J2C).
- In the administrative console, click .
- Under JAAS Configuration, click J2C
Authentication data.
- Change each user alias, and set the user ID and password to
values for a valid user ID that is defined in the LDAP user registry. Do not
change any database aliases.
- Save your changes.
- Restart the servers.
- For ND (Network Deployment): Stop the cluster, all node agents, and the deployment manager,
then restart them.
- For a single server: Restart the server.
Note: Use the server user ID that you specified in step 1.c to stop the servers, node agents and deployment manager.
- Verify that the Business Process Choreographer applications are
running.
- In the administrative console, click .
- Verify that the applications BPEContainer_node_server and TaskContainer_node_server are
running.
Result
Now all staff queries will be made against the selected LDAP server.