June 12, 2012 7:16:02 AM PDT
Goal: How to Configure Fujitsu Interstage BPM Tenants to Use Microsoft Active Directory
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.0
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.1
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.2 Build IF1120504
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.2 Build IF1120536
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.2 Build IF1120559
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.2A Build IF1120611
Fact: Fujitsu Interstage BPM (Business Process Manager) Version 11.2A Build IF1120658
Fact: Interstage BPM (Business Process Manager) DDFrameWork Adapter
Fact: Interstage BPM (Business Process Manager) Directory Adapter
Fact: Microsoft Active Directory
Fix:
This knowledge base article explains the procedure for configuring Interstage BPM (Business Process Manager) Version 11.0 through Version 11.2A to use Microsoft Active Directory as the directory service.
Note that in version 11.x each tenant can be configured to use a different directory service. This article focuses on configuring a tenant to use Microsoft Active Directory.
Step 1: Deploy the console or create the new tenant so that it uses the local user store first (tenant properties IBPMUserStoreActive=true and DirectoryService=0). Do not configure the tenant to use Active Directory at the beginning.
Step 2: During console deployment or tenant creation, provide a tenant owner user ID and password that are identical to those of a domain user account residing in Microsoft Active Directory. This ID and password are written into the following tenant properties:
LDAPAccessUserID, LDAPAccessUserPassword, SWAPLinkageUserName, SWAPLinkagePassword, ServerUserName and ServerPassword.
Step 3: Make sure the new tenant starts up using the local store and can be accessed via the BPM console. In addition, check that the following conditions are met:
- the tenant owner is the ID specified for the tenant properties ServerUserName, LDAPAccessUserID and SWAPLinkageUserName
- the tenant owner is a member of the Interstage BPM administrative group (by default the group called "AdminRole"; see the tenant property AdminRole for the role assigned as the administrative group)
- the tenant owner ID and password are identical to those of the domain user account
Step 4: If all conditions in step 3 are met, the tenant is ready to be configured to use Microsoft Active Directory.
- Log in to Tenant Manager at http://<hostname>:<port>/console/TenantManager.page using your super user account.
- Locate the tenant whose directory service is to be reconfigured and click it to display its "Properties" page, which renders a list of name/value pairs.
- Update the following properties and values:
DirectoryService=3
IBPMUserStoreActive=false
LDAPAccessUserID= (specify the distinguished name (DN) of the domain account in Active Directory; for example, CN=Yuuki Tada,OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL. If you are not sure of the DN of your domain account, get help from your network administrator. This account is used as the delegate account to access Active Directory; if the value is not specified correctly, access to AD will fail.)
LDAPDBSuffix= (sample value: OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL)
LDAPGroupsDN= (refer to the BPM Administration Guide appendix for the explanation of this tenant property; provide the distinguished name for the chosen group here. Sample value: OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL)
LDAPServer=ldap://<fully-qualified domain name here or its IP>:389
LDAPUseDefUsersGroups=no (this value should be set to no in version 10.0 or later).
LDAPUsersDN= (refer to the BPM Administration Guide appendix for the explanation of this tenant property; provide the distinguished name for the chosen group here. Sample value: OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL)
- Restart the tenant from TenantManager.page. Check the tenant's IBPMServer.log to confirm that the tenant starts up successfully with a ready message.
- Do a test login to the tenant in the console at http://<hostname>:<port>/console/<TenantName>/
Note that instead of using TenantManager to update tenant properties, you can use exportProperties.bat and importProperties.bat (.sh files on UNIX variants), typically found in {Interstage home}\server\deployment\bin, to export and import the tenant properties or system properties. Execute the batch file without arguments to see its usage. Detailed instructions for using these utilities are also given in the BPM installation guide.
Note: Once the tenant's directory service is configured to Active Directory, the tenant's users reside in the remote Active Directory and no longer in the users table. Groups, however, can be either local (residing in database tables) or remote (residing in Active Directory).
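The following is an added example, not part of the article or of the Interstage BPM product: a small Python checker that reads a tenant property file in the key=value form produced by exportProperties and verifies the step 4 invariants (DirectoryService=3, IBPMUserStoreActive=false, LDAPUseDefUsersGroups=no, DN-shaped LDAP values, a non-empty delegate password, a well-formed LDAPServer URL) before the file is imported and the tenant restarted. The sample property text is constructed from the article's example values; the "users/groups DN lies beneath LDAPDBSuffix" check is inferred from those samples, and acceptance of an ldaps:// URL is an assumption, since the article only shows ldap://.

```python
import re

# Constructed sample of an exported tenant property file (Java .properties style),
# filled with the article's step 4 example values. Not a real export.
SAMPLE_AD_PROPERTIES = """
DirectoryService=3
IBPMUserStoreActive=false
LDAPAccessUserID=CN=Yuuki Tada,OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL
LDAPAccessUserPassword=placeholder-secret
LDAPDBSuffix=OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL
LDAPGroupsDN=OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL
LDAPServer=ldap://dc01.corp.fc.local:389
LDAPUseDefUsersGroups=no
LDAPUsersDN=OU=FSW,OU=North America,OU=FJCS,DC=CORP,DC=FC,DC=LOCAL
"""

# Simple DN shape (attr=value pairs separated by commas); escaped commas are not handled.
DN_RE = re.compile(r"^([A-Za-z]+=[^,]+)(,[A-Za-z]+=[^,]+)*$")
# ldaps:// is accepted here on the assumption the product allows it (article shows ldap://).
LDAP_URL_RE = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")

def parse_properties(text):
    """Parse key=value lines, splitting on the first '=' only, since DN values contain '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ad_tenant(props):
    """Return a list of findings; an empty list means the step 4 invariants hold."""
    findings = []
    expected = {"DirectoryService": "3", "IBPMUserStoreActive": "false",
                "LDAPUseDefUsersGroups": "no"}
    for key, want in expected.items():
        if props.get(key) != want:
            findings.append(f"{key} should be {want}, got {props.get(key)!r}")
    for key in ("LDAPAccessUserID", "LDAPDBSuffix", "LDAPGroupsDN", "LDAPUsersDN"):
        if not DN_RE.match(props.get(key, "")):
            findings.append(f"{key} is not a distinguished name")
    if not props.get("LDAPAccessUserPassword"):
        findings.append("LDAPAccessUserPassword is empty; the delegate bind will fail")
    if not LDAP_URL_RE.match(props.get("LDAPServer", "")):
        findings.append("LDAPServer must look like ldap://host:port")
    suffix = props.get("LDAPDBSuffix", "")   # sample UsersDN/GroupsDN sit beneath the suffix
    for key in ("LDAPUsersDN", "LDAPGroupsDN"):
        if suffix and not props.get(key, "").endswith(suffix):
            findings.append(f"{key} is not under LDAPDBSuffix")
    return findings
```

Run the checker over the exported file before importing it; a non-empty findings list is a reason to fix the properties rather than restart the tenant and read IBPMServer.log for the failure.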
Author: C.Y. Chen