Monday, 21 September 2015
Aide Memoire - IBM BPM - Moving from File-Based Registry to LDAP
I'm writing this down as I'll need it in the not-too-distant future.
On my current project, we have BPM Advanced 8.5.5 ( plus Business Monitor 8.5.5 and ODM Rules 8.7.0 ), all of which are using the out-of-the-box File-Based Registry for a limited number of end users ( mainly admins, developers and testers ).
We are, of course, migrating this to a real user registry ( Microsoft Active Directory ) in the near future.
To that end, I will need to remember that, for BPM, there are some specific things that need to be done, including: -
When working with the IBM BPM document store, there are multiple scenarios that require a technical user (system user). The technical user is an identity that the system can use to act on its own. For example, a run-as technical user is required for creating default configurations for the domain, object store, and document class definition. A technical user is also required when IBM Business Process Manager connects to the IBM BPM document store using Content Management Interoperability Service (CMIS).
As one of my colleagues succinctly put it: -
In case you can create the exact same users (that is: same user, same password) in LDAP, then you should be able to just add LDAP and remove fileRegistry. It is important to understand that, from an internal document store's perspective, a user with the same name is "just a user with the same name". It is NOT the same user and thus does not have access. Make sure to follow the instruction in http://www-01.ibm.com/support/knowledgecenter/SSFTN5_8.5.6/com.ibm.wbpm.admin.doc/topics/tbpmdocauth.html > "Reconfiguring the user registry" to avoid locking yourself out of the embedded document store.
In case the LDAP accounts' passwords (and/or usernames) are different from those in fileRegistry you also need to update authentication aliases and EJB run-as roles. I see documentation for an AdminTask for that purpose.
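To make my colleague's two points concrete before I do this for real, here is a small pre-migration reconciliation check. It is an added example of my own, not IBM tooling and not anything from the Knowledge Center page above. It parses a constructed sample in the shape of WebSphere's federated-repository fileRegistry.xml (the element layout is my assumption; check it against the real file under the cell's config directory), compares the login names with a constructed Active Directory export, and reports (a) which users keep their login name but get a new unique identity, so the embedded document store will treat them as different users until access is re-granted, (b) which users have no LDAP account at all, and (c) which authentication aliases or run-as identities point at such users and must be re-pointed. The alias names and account names are made up for the example.

```python
"""Reconcile a WebSphere file-based registry with an LDAP export before moving
IBM BPM's federated repository from fileRegistry to Active Directory.
Added example; not IBM's code and not part of the original post."""
import xml.etree.ElementTree as ET

WIM = "{http://www.ibm.com/websphere/wim}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample in the assumed shape of <cell>/fileRegistry.xml.
# Password values are placeholders, not real digests.
FILE_REGISTRY_XML = """<sdo:datagraph xmlns:sdo="commonj.sdo"
    xmlns:wim="http://www.ibm.com/websphere/wim"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <wim:Root>
    <wim:entities xsi:type="wim:PersonAccount">
      <wim:identifier uniqueName="uid=bpmadmin,o=defaultWIMFileBasedRealm"/>
      <wim:uid>bpmadmin</wim:uid>
      <wim:password>{SHA-1}placeholder</wim:password>
      <wim:principalName>bpmadmin</wim:principalName>
    </wim:entities>
    <wim:entities xsi:type="wim:PersonAccount">
      <wim:identifier uniqueName="uid=deadmin,o=defaultWIMFileBasedRealm"/>
      <wim:uid>deadmin</wim:uid>
      <wim:password>{SHA-1}placeholder</wim:password>
      <wim:principalName>deadmin</wim:principalName>
    </wim:entities>
    <wim:entities xsi:type="wim:PersonAccount">
      <wim:identifier uniqueName="uid=tester1,o=defaultWIMFileBasedRealm"/>
      <wim:uid>tester1</wim:uid>
      <wim:password>{SHA-1}placeholder</wim:password>
      <wim:principalName>tester1</wim:principalName>
    </wim:entities>
    <wim:entities xsi:type="wim:Group">
      <wim:identifier uniqueName="cn=tw_admins,o=defaultWIMFileBasedRealm"/>
      <wim:cn>tw_admins</wim:cn>
    </wim:entities>
  </wim:Root>
</sdo:datagraph>
"""

# Constructed AD export: sAMAccountName -> distinguished name.
# tester1 is deliberately absent to exercise the "missing in LDAP" case.
AD_ACCOUNTS = {
    "bpmadmin": "CN=bpmadmin,OU=Service,DC=example,DC=com",
    "deadmin": "CN=deadmin,OU=Service,DC=example,DC=com",
}

# Hypothetical authentication aliases / EJB run-as identities that name a
# technical user. The alias names are invented for this example.
TECHNICAL_USER_ALIASES = {
    "Example_DocStoreAlias": "deadmin",
    "Example_AdminAlias": "bpmadmin",
    "Example_TestRunAs": "tester1",
}


def load_file_registry_users(xml_text):
    """Return {principalName: uniqueName} for PersonAccount entries only."""
    root = ET.fromstring(xml_text)
    users = {}
    for entity in root.iter(WIM + "entities"):
        if entity.get(XSI_TYPE) != "wim:PersonAccount":
            continue  # groups and other entity types are not login identities
        name = entity.findtext(WIM + "principalName")
        identifier = entity.find(WIM + "identifier")
        users[name] = identifier.get("uniqueName")
    return users


def reconcile(registry_xml, ad_accounts, aliases):
    """Classify each file-registry user against the LDAP export.

    identity_changes: same login name exists in LDAP, but the unique identity
      changes, so grants keyed on the old identity (e.g. in the embedded
      document store) do not carry over and must be re-granted first.
    missing_in_ldap: no LDAP account of that name exists yet.
    aliases_to_repoint: aliases / run-as roles whose user is missing in LDAP.
    """
    users = load_file_registry_users(registry_xml)
    changes, missing = {}, []
    for name, old_unique_name in sorted(users.items()):
        if name in ad_accounts:
            changes[name] = (old_unique_name, ad_accounts[name])
        else:
            missing.append(name)
    to_repoint = sorted(alias for alias, user in aliases.items() if user in missing)
    return {"identity_changes": changes,
            "missing_in_ldap": missing,
            "aliases_to_repoint": to_repoint}


if __name__ == "__main__":
    report = reconcile(FILE_REGISTRY_XML, AD_ACCOUNTS, TECHNICAL_USER_ALIASES)
    for name, (old, new) in report["identity_changes"].items():
        print(f"{name}: {old} -> {new} (re-grant document store access)")
    for name in report["missing_in_ldap"]:
        print(f"{name}: no LDAP account, create it or re-point its consumers")
    print("aliases / run-as roles to update:", report["aliases_to_repoint"])
```

The point of the identity_changes list is the one my colleague made: even where the login name and password match, the identity the document store recorded was the file registry's uniqueName, and the AD account carries a different one, so the grants have to be redone while both registries are still configured. The aliases_to_repoint list is the "update authentication aliases and EJB run-as roles" step; a password difference cannot be detected offline, so treat every alias for a technical user as needing a review even when the name matches.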