The following steps are required to make communication between the Process Center and the Process Server work over HTTPS in a network deployment environment.
Before you begin
- IBM® Business Process Manager generates a default signer certificate during profile creation and uses it to sign personal certificates for all of the Java virtual machines in the cell. If you do not want to use the default signer certificate, you must create a personal certificate request to obtain a certificate that is signed by a certificate authority (CA). Refer to Creating a certificate authority request.
- To import an SSL security certificate into Integration Designer, see Importing an SSL security certificate into Integration Designer.
- Ensure that the Common Name field of the SSL certificate matches the host name that will be used to access the server. For information on troubleshooting connection problems, see SSL fails when host name configuration fails.
- If the name of a server certificate does not match the host name of a server, an SSL connection failure may occur with the IOException message HTTPS hostname wrong. To help resolve this problem, you can add a Subject Alternative Name (SAN) set to the server certificate. Information about SAN sets is found in the topic SSL fails when host name configuration fails.
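The Common Name and SAN requirements above, as an added example (not IBM's code and not part of the original page): a Python check that applies the RFC 2818 rule, under which DNS SAN entries replace the Common Name when any are present, to certificate fields in the shape returned by ssl.SSLSocket.getpeercert(). The host names and certificates are constructed, and the wildcard handling is a conservative assumption of this example.

```python
# Added example. The cert dicts use the shape of ssl.SSLSocket.getpeercert();
# the host names and certificates below are constructed sample data.

def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice: '*' stands for exactly one left-most label
        # and must be followed by at least two more labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (DNS SAN entries, Common Names) from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return sans, cns

def check_host(cert, host):
    """Return (ok, reason). DNS SAN entries, when present, replace the CN."""
    sans, cns = cert_names(cert)
    if sans:
        hits = [n for n in sans if name_matches(n, host)]
        if hits:
            return True, "matched SAN " + hits[0]
        return False, "no DNS SAN matches %s; CN is not consulted" % host
    hits = [n for n in cns if name_matches(n, host)]
    if hits:
        return True, "matched CN " + hits[0]
    return False, "CN %s does not match %s" % (", ".join(cns) or "(none)", host)

# Constructed: certificate issued for the short host name only.
CN_ONLY = {"subject": ((("commonName", "bpmps01"),),)}
# Constructed: node certificate with a SAN set covering the names clients use.
WITH_SAN = {
    "subject": ((("commonName", "node01.example.com"),),),
    "subjectAltName": (("DNS", "bpmps01.example.com"), ("DNS", "ps.example.com")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY, "bpmps01.example.com"), (CN_ONLY, "bpmps01"),
                       (WITH_SAN, "ps.example.com"), (WITH_SAN, "node01.example.com")]:
        print(host, check_host(cert, host))
```

The last sample pair fails even though the Common Name equals the host name, because the SAN set does not list it: every name that clients use must appear in the SAN set once one is added.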
About this task
HTTPS is set as the default for communication from Process Center to Process Server. If you want to change to insecure HTTP, see Changing to insecure HTTP communication.
Procedure
- Import the Process Server WebSphere® Application Server root SSL certificate into Process Center.
  - In the Process Center WebSphere Application Server administrative console, click .
  - Enter the Host name, secure Port of the Process Server profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
    Note: The WC_defaulthost_secure profile is located in the WebSphere Application Server administrative console. Navigate to .
  - Click Apply and save your changes.
- Import the Process Center root SSL certificate into Process Server.
  - In the Process Server WebSphere Application Server administrative console, click .
  - Enter the Host name, secure Port of the Process Center profile (WC_defaulthost_secure), and Alias, and click Retrieve signer information. You can retrieve the signer information for any of the servers listed.
    Note: The WC_defaulthost_secure profile is located in the WebSphere Application Server administrative console. Navigate to .
  - Click Apply and save your changes.
- Open WAS_HOME\bin and run the following commands on both the Process Center and the Process Server to change internal links to use HTTPS and the secured port.
  Note: You only need to run this command if you have upgraded from a version prior to 8.5.0.1.
  For example:
    # Run the following commands on both the Process Center and Process Server.
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/environment_type:/")
    # For the environment_type variable, specify "BPMProcessCenter" when running in a
    # Process Center environment or specify "BPMProcessServer" when running in a Process Server environment.
    wsadmin> print ps # See how many process servers you listed
    wsadmin> print AdminConfig.show(ps) # look at useHTTPSURLPrefixes to see the current value
    wsadmin> AdminConfig.modify(ps, [['useHTTPSURLPrefixes', 'true']])
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
- Optional: Disable all unsecured ports on all Process Center and Process Server servers.
  - Log in to the WebSphere Application Server administrative console and navigate to .
  - For each server, click the server link, then go to .
  - Click each link for the unsecured port, for example, HttpQueueInboundDefault, and clear the Enabled check box.
  - Repeat these steps for all WebSphere Application Server cluster members on all nodes. For example, if the xxx.AppTarget cluster has members on Node1 and Node2, these steps must be performed on both nodes.
- Optional: In the Process Center WebSphere Application Server administrative console, click and check the Requires SSL check box.
- Optional: In the Process Server WebSphere Application Server administrative console, click and check the Requires SSL check box.
- Specify HTTPS URLs and ports for all Representational State Transfer (REST) services for your environment by using the REST service administrative console page.
  - Click .
  - Select all from the Scope selection pull-down menu.
  - Click on the REST service provider in the Provider Application field and specify the Host name or virtual host in a load-balanced environment and the Port.
    Important: For a REST Services Gateway deployment manager, use the deployment manager host name and port; do not use the IHS host name and port.
  - Click Apply and save your changes.
- To make sure that Process Server connects to Process Center using SSL, specify an HTTPS URL for the processCenterUrl variable, as described in Using wsadmin commands to customize the Process Server settings used to connect to Process Center.
  Note: This step is not required if you have already provided the intended processCenterUrl value when running the BPMConfig command.
- Set the deploySnapshotUsingHttps property to true to make sure that the Process Center connects to the Process Server using SSL for online deployment. Run the following commands on both the Process Center and the Process Server.
    # Run the following commands on both the Process Center and Process Server.
    wsadmin -conntype NONE -lang jython
    wsadmin> ps = AdminConfig.getid("/Cell:/ServerCluster:application_cluster_name/BPMClusterConfigExtension:/environment_type:/BPMServerSecurity:/")
    # For the environment_type variable, specify "BPMProcessCenter" when running in a
    # Process Center environment or specify "BPMProcessServer" when running in a Process Server environment.
    wsadmin> print AdminConfig.show(ps) # look at deploySnapshotUsingHttps to see the current value
    wsadmin> AdminConfig.modify(ps, [['deploySnapshotUsingHttps', 'true']]) # default value is false
    wsadmin> print AdminConfig.show(ps) # verify your change
    wsadmin> AdminConfig.save()
    wsadmin> exit
  Note: See below for details on the version support differences:
  - IBM Business Process Manager V8.5.0.1 and later Process Centers will use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.0 Process Servers.
  - IBM Business Process Manager V8.5.0.1 and later Process Centers will not use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.1 Process Servers. They will use the full URL, including protocol, as it was sent by the Process Server.
  - IBM Business Process Manager V8.5.0.0 Process Centers will use the deploySnapshotUsingHttps property setting for IBM Business Process Manager V8.5.0.0 Process Servers.
- Restart the Process Server and Process Center servers.
  - Use the WebSphere Application Server administrative console to stop the clusters.
  - Stop the node agent and deployment manager.
  - Restart the deployment manager.
  - Restart the node agent.
  - Use the WebSphere Application Server administrative console to start the clusters.
- Verify your configuration.
  - Log in to the Process Center console using an HTTPS connection.
  - From the Server tab, click and confirm that it is opened in a secure browser with HTTPS.