You can configure IBM Business Automation Workflow to run and debug on a remote on-premises IBM Workflow Server so users can choose the remote server to test an instance on the production or test environment to ensure it runs correctly in that environment.
Procedure
- If the IBM Business Automation Workflow Center and the remote Workflow Server are in the same domain, set up LTPA token security by selecting . For more information, see How to configure single sign-on (cross-cell SSO).
- Use the wsadmin command to update ContentSecurityPolicyHeaderValue. To determine the previous value, use AdminTask.getBPMProperty(), and include the returned value in the value that you pass to the AdminTask.setBPMProperty commands so that the existing entries are kept. For more information, see Security hardening properties.
Add the Workflow Server hostname to the connect-src, frame-src, frame-ancestors, and script-src-elem directives on IBM Workflow Center. For example,
AdminTask.setBPMProperty(['-name', 'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://WS_host:WS_port; img-src 'self' data: blob:; frame-src 'self' https://WS_host:WS_port; frame-ancestors 'self' https://WS_host:WS_port; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' https://WS_host:WS_port"])
AdminConfig.save()
Add the Workflow Center hostname to frame-ancestors on Workflow Server. For example,
AdminTask.setBPMProperty(['-name', 'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self'; frame-ancestors 'self' https://WC_host:WC_port; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' fonts.gstatic.com data:; worker-src 'self' blob:; child-src 'self' blob:; frame-src 'self' https:"])
AdminConfig.save()
- Use the wsadmin command to update Security.CsrfProtectionOriginWhitelist on Workflow Server. To determine the previous value, use AdminTask.getBPMProperty(), and include the returned value in the value that you pass to the AdminTask.setBPMProperty commands so that the existing entries are kept. For example,
AdminTask.setBPMProperty(['-de', DEname, '-name', 'Security.CsrfProtectionOriginWhitelist', '-value', 'https://WC_host:WC_port'])
AdminConfig.save()
- Use the wsadmin command to update Security.CsrfProtectionRefererWhitelist on Workflow Server. To determine the previous value, use AdminTask.getBPMProperty(), and include the returned value in the value that you pass to the AdminTask.setBPMProperty commands so that the existing entries are kept. For example,
AdminTask.setBPMProperty(['-de', DEname, '-name', 'Security.CsrfProtectionRefererWhitelist', '-value', 'WC_Host:WC_port'])
AdminConfig.save()
- To ensure the remote Workflow Server points to the correct Workflow Center hostname, add the following lines to the 100Custom.xml file from Workflow Server:
<server>
  <rest>
    <allowed-origins merge="replace">https://WChost:WCport</allowed-origins>
  </rest>
</server>
- In the WebSphere administrative console, select , and then add the com.ibm.websphere.security.addSameSiteAttributeToCookie custom property with value None for Workflow Center and an online Workflow Server.
- Configure the trust association interceptor (TAI) for Workflow Server. In the WebSphere administrative console, select and set the value of enabledForDEs to your DE, such as De1.
Important: To ensure your changes are saved, delete the userAgentFilter row if you don't have a userAgentFilter value.
- Add users to the Debug user group for Workflow Server. For more information, see the steps to add members to a group in Creating and managing groups.
- Restart the deployment environment.
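
The Content Security Policy step above asks you to keep the previous value and add a host to specific directives. The following is an added example, not IBM code and not part of the original page, showing one way to do that merge in plain Python on an administrator workstation; the function names and the sample previous value are constructed for illustration, and `WS_host:WS_port` is the page's placeholder.

```python
# Added example, not IBM code: merge one origin into an existing CSP value.
# Directives that a browser falls back to when the key directive is absent.
FALLBACK = {
    'connect-src': ['default-src'],
    'frame-src': ['child-src', 'default-src'],
    'script-src-elem': ['script-src', 'default-src'],
    'frame-ancestors': [],  # never inherits from default-src
}

def parse_csp(value):
    """Split a CSP header value into an ordered list of [directive, sources]."""
    policy = []
    for part in value.split(';'):
        tokens = part.split()
        if tokens:
            policy.append([tokens[0].lower(), tokens[1:]])
    return policy

def add_source(value, source, directives):
    """Return value with source added to each directive; existing entries stay."""
    policy = parse_csp(value)
    first = {}
    for name, sources in policy:
        first.setdefault(name, sources)  # browsers honour the first occurrence
    for name in directives:
        if name not in first:
            # A new directive replaces its fallback, so seed it with the sources
            # the browser was already applying instead of the new origin alone.
            seed = ["'self'"]  # assumption: baseline used in the page's examples
            for parent in FALLBACK.get(name, ['default-src']):
                if parent in first:
                    seed = list(first[parent])
                    break
            first[name] = seed
            policy.append([name, seed])
        sources = first[name]
        if "'none'" in sources:
            sources.remove("'none'")  # 'none' must not be combined with origins
        if source not in sources:
            sources.append(source)
    return '; '.join(' '.join([name] + sources) for name, sources in policy)

# Constructed sample standing in for the value returned by getBPMProperty.
PREVIOUS = "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'; img-src 'self' data: blob:"
WS_ORIGIN = 'https://WS_host:WS_port'  # placeholder from the page
CENTER_DIRECTIVES = ['connect-src', 'frame-src', 'frame-ancestors', 'script-src-elem']

if __name__ == '__main__':
    print(add_source(PREVIOUS, WS_ORIGIN, CENTER_DIRECTIVES))
```

The printed string is the merged policy to pass as the -value argument; running the function again on its own output changes nothing, so it is safe to repeat.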