Friday, 15 May 2015

Business Process Management Design Guide: Using IBM Business Process Manager

IBM® Business Process Manager (IBM BPM) is a comprehensive business process management (BPM) suite that provides visibility and management of your business processes. IBM BPM supports the whole BPM lifecycle approach: 

• Discover and document
• Plan
• Implement
• Deploy
• Manage
• Optimize
Process owners and business owners can use this solution to engage directly in the improvement of their business processes.

IBM BPM excels in integrating role-based process design, and provides a social BPM experience. It enables asset sharing and creating versions through its Process Center. The Process Center acts as a unified repository, making it possible to manage changes to the business processes with confidence.

IBM BPM supports a wide range of standards for process modeling and exchange. Built-in analytics and search capabilities help to further improve and optimize the business processes.

This IBM Redbooks® publication provides valuable information for project teams and business people that are involved in projects using IBM BPM. It describes the important design decisions that you face as a team. These decisions invariably have an effect on the success of your project.

These decisions range from the more business-centric decisions, such as which should be your first process, to the more technical decisions, such as solution analysis and architectural considerations.

Table of contents

Chapter 1. Introduction to successful business process management
Chapter 2. Approaches and process discovery
Chapter 3. Solution analysis and architecture considerations
Chapter 4. Security architecture considerations
Chapter 5. Design considerations and patterns
Chapter 6. Business-centric visibility
Chapter 7. Performance and IT-centric visibility

Thursday, 14 May 2015

Continuing to learn - IBM BPM and IBM Business Monitor to DB2 via SSL/TLS

I've written a couple of posts on the WebSphere User Group blog here: -

My next trick will be to force WebSphere Application Server (WAS) to use a specific encryption standard, namely TLS version 1.2.

In DB2, this can be enforced as follows: -

db2 update dbm config using SSL_VERSIONS TLSV12

for version 1.2 or: -

db2 update dbm config using SSL_VERSIONS TLSV1

for version 1.0, or: -

db2 update dbm config using SSL_VERSIONS NULL

to revert back to SSL.

If you set the parameter to null or TLSv1, the parameter enables support for TLS version 1.0 (RFC2246) and TLS version 1.1 (RFC4346).

Note: During SSL handshake, the client and the server negotiate and find the most secure version to use either TLS version 1.0 or TLS version 1.1. If there is no compatible version between the client and the server, the connection fails. If the client supports TLS version 1.0 and TLS version 1.1, but the server support TLS version 1.0 only, then TLS version 1.0 is used.
If you set the parameter to TLSv12 (RFC5246), the parameter enables support for TLS version 1.2. This setting is required to comply with NIST SP 800-131A.

If you set the parameter to TLSv12 and TLSv1, the parameter enables support for TLS version 1.2 with the option to fall back on TLS version 1.0 and 1.1.

All of the SSL-related settings can be queried thusly: -

db2 get dbm config | grep SSL

 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore.sth
 SSL server certificate label            (SSL_SVR_LABEL) =
 SSL service name                         (SSL_SVCENAME) = db2c_ssl
 SSL cipher specs                      (SSL_CIPHERSPECS) = 
 SSL versions                             (SSL_VERSIONS) = 
 SSL client keydb file                  (SSL_CLNT_KEYDB) = 
 SSL client stash file                  (SSL_CLNT_STASH) = 

Note that we also have SSL_CIPHERSPECS to specify the cipher specifications that one wishes to use, as per this: -

and: -

Wednesday, 13 May 2015

IBM Cognos - Working with SSL/TLS Keystore

This is an ongoing voyage of discovery, as I seek to replicate my success: -

( this is a post that I authored for the WebSphere User Group on their Global WebSphere Community site )

with IBM Business Monitor.

Whilst the DB2 and WAS aspects ( configuring the DB2 instance and listener for SSL, updating the WAS JDBC data sources, adding the DB2 signer certificate into he WAS trust store etc. ) are the same, the Cognos BI engine is quite different.

I don't yet have it cracked, but I did discover a few more things about Cognos BI today, specifically in terms of where it keeps its own SSL/TLS key store.

It's here: -

-rw-r--r-- 1 wasadmin wasadmins 19728 May 13 16:07 /opt/IBM/WebSphere/AppServer/profiles/BAMCell1AppSrv01/cognos/SupClusterMember1/configuration/certs/CAMKeystore

Why do I know this ?

Because I wanted to test a hypothesis by adding the DB2 server's signer certificate to it.

This is how I first retrieved the signer certificate: -

openssl s_client -showcerts -connect localhost:60007 </dev/null > ~/db2.cer

and I happily verified the certificate: -

openssl x509 -fingerprint -noout -text -in ~/db2.cer

SHA1 Fingerprint=FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
        Version: 3 (0x2)
        Serial Number: 1681898445175821098 (0x17574db98cfc932a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=ibm, DC=uk,
            Not Before: May 11 10:01:51 2015 GMT
            Not After : May 11 10:01:51 2016 GMT
        Subject: DC=com, DC=ibm, DC=uk,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

    Signature Algorithm: sha1WithRSAEncryption

However, when I tried to add it to the Cognos key store: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

I saw this: -

keytool error: java.lang.Exception: Input not an X.509 certificate

Happily a quick Google search later, and I found this: -

which says, in part: -

While I agree with Ari's answer (and upvoted it :), I needed to do an extra step to get it to work with Java on Windows (where it needed to be deployed):

openssl s_client -showcerts -connect < /dev/null | openssl x509 -outform DER > derp.der

Before adding the openssl x509 -outform DER conversion, I was getting an error from keytool on Windows complaining about the certificate's format. Importing the .der file worked fine.

I re-retrieved the certificate from DB2: -

openssl s_client -showcerts -connect localhost:60007 </dev/null | openssl x509 -outform DER > ~/db2.cer

( adding in the relevant Hogwarts magic to get the resulting file in x509 DER ) and was then able to import it: -

/opt/IBM/WebSphere/AppServer/java/jre/bin/keytool -import -file ~/db2.cer -alias DB2 -keystore CAMKeystore -storepass MONITOR -storetype PKCS12

Owner:, DC=uk, DC=ibm, DC=com
Issuer:, DC=uk, DC=ibm, DC=com
Serial number: 17574db98cfc932a
Valid from: 11/05/15 11:01 until: 11/05/16 11:01
Certificate fingerprints:
 MD5:  81:B0:E7:81:A3:1B:79:64:07:1B:41:9E:7E:0A:F3:08
 SHA1: FC:BB:C1:24:4E:6E:B8:55:5B:33:87:69:C7:E2:10:E4:E6:0F:7A:CC
Trust this certificate? [no]:  y
Certificate was added to keystore

which is nice.

Did that fix my problem ? Alas, no, but it's another step on the journey to ......... ?

Tuesday, 12 May 2015

IBM Integration Designer - 101

I'm learning to get to grips with IBM Integration Designer (IID) at present, hence my post on the WUG here: -

Part of my self-enablement has come from a pair of tutorials, cannily called Hello World, that I found a few days ago: -

I was using older ( version 7.5.1 ) editions of these two tutorials, although they worked perfectly ( user errors notwithstanding !! ).

However, here's the more up-to-date source for the most recent versions of IBM BPM: -

Interestingly, Hello World seems to have disappeared with the latest version of the product.

In addition, BPM 8.5.6 also has some tutorials in the Knowledge Centre here: -

which is nice.

Monday, 11 May 2015

WebSphere Liberty Profile and IBM HTTP Server - Exchanging SSL Certificates

This one is for a friend of mine, TonyH, who asked this question earlier.

I don't claim to understand his requirements, but he asked: -

What's the best way to export certs from liberty so I can import them into the IHS keystore?

I'm running Liberty Profile on my Mac and IBM HTTP Server (IHS) on a Red Hat VM.

I started by downloading the Liberty Profile Runtime from here: -

which resulted in: -

-rw-r--r--@  1 davehay  staff  60261097 11 May 18:26 wlp-runtime-

and installed it: -

java -jar wlp-runtime-

to here: -


I then followed Oliver Rebmann's excellent blog post: -

to setup a SSL key store and certificate, as follows: -

cd /Users/davehay/Liberty/wlp/bin
./securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

and added the relevant configuration to my server's configuration: -

vi /Users/davehay/Liberty/wlp/usr/servers/defaultServer/server.xml

adding the lines highlighted below: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

    <!-- Enable features -->

    <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
    <httpEndpoint id="defaultHttpEndpoint"
                  httpsPort="9443" />

    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />


and started Liberty: -

/Users/davehay/Liberty/wlp/bin/server start

Having validated that I could connect to Liberty on port 9443 ( see the httpsPort directive above ): -

I then used the openssl tool to retrieve the certificate from port 9443 to a file: -

openssl s_client -showcerts -connect localhost:9443 </dev/null > ~/liberty.cer

Having shipped the certificate file from the Mac to the Red Hat VM: -

scp ~/liberty.cer wasadmin@bpm856:~

I then imported it into the IHS key store: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -add -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -file ~/liberty.cer -label liberty

and validated it thus: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd

Certificates found
* default, - personal, ! trusted, # secret key
! liberty

and: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label liberty

Label : liberty
Key Size : 2048
Version : X509 V3
Serial : 5550f616
Issuer : CN=,OU=defaultServer,O=ibm,C=us
Subject : CN=,OU=defaultServer,O=ibm,C=us
Not Before : May 11, 2015 7:33:58 PM GMT+01:00
Not After : May 10, 2016 7:33:58 PM GMT+01:00


The job, as they say, is a good 'un.

PS Thanks to Oliver for his insights ....

Saturday, 9 May 2015

Adding Ant to IBM Operational Decision Manager

In a departure from the norm, I'm NOT going to detail my recent experiences with Apache Ant and IBM ODM Ruls here, but instead direct you to my post on another site, the Global WebSphere Community (GWC), which hosts the WebSphere User Group.

So you want to know more about Ant and ODM ? Then please read my post here: -

and feel free to provide feedback here, there, or via Twitter.

Wednesday, 6 May 2015

Disaster recovery guidance for IBM Business Process Manager - An updated approach for IBM BPM V8.x

IBM® Business Process Manager (BPM) is a powerful tool for modeling and running an organization's most critical business processes. Over the past several years, features have been developed and verified to enable cross-site replication and recovery, achieving very sophisticated disaster-recovery objectives. Learn about the core principles that guide an infrastructure architect to design a successful disaster-recovery strategy.