
Accessing your on-premises IBM BAW setup from Cloud using IBM Secure Gateway

By PARASURAM BALAKRISHNAN posted Tue October 13, 2020 01:18 AM

  

Problem:

The IBM BAW product is installed in an IBM Fyre (or any other on-premises) environment. By default, the BAW applications and their web URLs (e.g. Workflow Center, Process Designer, Process Admin Console, etc.) cannot be reached without the company VPN.

Solution Summary:

Here we describe a simple approach using the IBM Secure Gateway service that lets you offer a cloud address for the on-premises BAW environment. With this enabled, you can reach the BAW applications in the IBM Fyre environment externally through a public internet address.

It is assumed that IBM HTTP Server is present and configured with the WebSphere Plugin to front-end requests to the IBM BAW URLs.

Solution Details:

Here we assume a single-cluster BAW environment with a single node. The approach should also hold for three-cluster and/or multi-node environments. We also require an IBM HTTP Server to act as a reverse proxy; it can be installed on a separate node or on the same node as the BAW cluster server.

The steps can be outlined as follows:

  1. Subscribe to IBM Secure Gateway service on IBM Cloud
  2. Install Secure Gateway client on the node which would be running IBM HTTP Server.
  3. Create a destination on Secure Gateway.
  4. Install IBM HTTP Server and configure the Plugin for load balancing BAW web-requests
  5. Configure IBM HTTP Server virtual hosts
    1. Create virtual host on IBM HTTP Server to match the Secure Gateway host & port
    2. Create virtual host on IBM BAW to match the Secure Gateway host & port
  6. Update the ACL on the Secure Gateway client to allow access.
  7. Update the destination configuration on Secure Gateway to connect to the virtual host configured on IBM HTTP Server.
  8. Connect and test the applications.

 

Step 1: Subscribe to IBM Secure Gateway service on IBM Cloud

 

  1. Log into IBM Cloud portal.
  2. From the catalog of services, search for Secure Gateway.
  3. Select the service and provision an instance to your org & space.

 

Step 2: Install Secure Gateway client on the node which would be running IBM HTTP Server

  1. Once the service is provisioned, from the console create a new Gateway by selecting Add Gateway
  2. Provide a name for your gateway, e.g. baw1
  3. A Secure Gateway has two components, the clients and the destinations. We will create a client to run on our HTTP Server node.
  4. Create a client and download the client installer. In this exercise, IBM installer for RHEL was selected.
  5. Copy the installer (rpm file) to the Linux server where IBM HTTP Server is installed.
  6. Install the Secure Gateway client, e.g. rpm -i <rpmfile>

 

Step 3: Create a destination on Secure Gateway

  1. Click Add Destination and create a destination. At this stage you need to provide the fully qualified hostname of the client machine (i.e. the HTTP Server node).

 

  1. Update the destination as shown above. This is a temporary configuration that will be updated again after IBM HTTP Server is configured.

 

Step 4: Install IBM HTTP Server and configure the Plugin for load balancing BAW web-requests

  1. Please refer to the IBM BAW Knowledge Center for the details. The steps are briefly described below.
  2. Install IBM HTTP Server, Plugin for WebSphere and WebSphere Customization Toolbox (WCT) on the HTTP Server node.
  3. Create and configure a Plugin using WCT.
  4. Create the unmanaged node definition in IBM BPM Deployment Manager.
  5. Create the web server definition, generate and propagate the plugin.
  6. Secure IHS with SSL.
    1. Create a key-store for IHS.
    2. Create a self-signed certificate for IHS.
    3. Enable SSL directives in IHS.
  7. Import the Signer certificate of the BPM Node(s) into the Plugin key-store and copy the plugin key-store to the Plugin directory.
  8. Re-start IHS and verify the functionality.

Step 5: Configure IBM HTTP Server virtual hosts

  1. IBM HTTP Server virtual hosts allow several name-based web sites on a single IP address. We need to configure a virtual host in HTTP Server that corresponds to the cloud destination address.
  2. Open the httpd.conf file and add an entry as shown below. Substitute the $$...$$ host/port placeholders with the host and port of your Secure Gateway destination.

 

Listen $$Secure-Gateway Destination Port$$
<VirtualHost *:$$Secure-Gateway Destination Port$$>
ServerName $$Secure-Gateway Destination Host$$
DocumentRoot /
SSLEnable
SSLClientAuth None
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
</VirtualHost>

  1. Open the WebSphere Administration Console and go to Environment -> Virtual Hosts -> default_host -> Host aliases
  2. Add a new host alias with the hostname * and port *:$$Secure-Gateway Destination Port$$
  3. Synchronize the changes to the nodes.
  4. Go to Server -> Server Types -> Web Server-> webservername
  5. Go to Plug-in properties-> Custom Properties
  6. Add a new custom property named UseInsecure with a value true
  7. Go back to Server -> Server Types -> Web Server and click Generate Plug-in, then Propagate Plug-in
  8. Restart the Application Server.
  9. Restart the IBM HTTP Server.

Step 6: Update the ACL on the Secure Gateway client to allow access

  1. Open the Secure Gateway Client UI.
  2. In the ACL section, add the following ACL entry:
  3. Hostname -> Cloud Destination Host, Port -> Cloud Destination Port

 

Step 7: Update the destination configuration on Secure Gateway to connect to the virtual host configured on IBM HTTP Server

  1. First, add an /etc/hosts entry on the IBM HTTP Server node that maps the Cloud Destination Host to the IP address of the HTTP Server node.
  2. Re-open the destination configuration in the Secure Gateway and re-configure it with the host and port just added to the client ACL.
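A small check script, added here as an example and not part of the original article, that verifies the two local pieces the Secure Gateway destination depends on: the Step 5 virtual host in httpd.conf (Listen on the destination port, matching ServerName, SSL enabled, SSLv2/SSLv3 disabled) and the Step 7 /etc/hosts mapping. The gateway host, port and node IP in the samples are made-up values.

```python
import re
# Constructed httpd.conf fragment: the Step 5 vhost with made-up host/port values.
SAMPLE_HTTPD_CONF = """Listen 15001
<VirtualHost *:15001>
ServerName cap-sg-prd-1.example-gateway.test
DocumentRoot /
SSLEnable
SSLClientAuth None
SSLProtocolDisable SSLv2
SSLProtocolDisable SSLv3
</VirtualHost>
"""

# Constructed /etc/hosts content for the Step 7 mapping (made-up node IP).
SAMPLE_HOSTS = """10.0.0.15   ihs01.example.internal ihs01
10.0.0.15   cap-sg-prd-1.example-gateway.test   # cloud destination host
"""

VHOST_RE = re.compile(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf: str) -> dict:
    """Map each VirtualHost port to its directives, whitespace-normalised and lower-cased."""
    return {int(port): [" ".join(ln.split()).lower() for ln in body.splitlines() if ln.strip()]
            for port, body in VHOST_RE.findall(conf)}


def check_gateway_vhost(conf: str, dest_host: str, dest_port: int) -> list:
    """Return the problems found in the vhost the Secure Gateway destination points at."""
    problems = []
    if not re.search(rf"^\s*Listen\s+{dest_port}\s*$", conf, re.M):
        problems.append(f"no Listen {dest_port}")
    block = parse_vhosts(conf).get(dest_port)
    if block is None:
        return problems + [f"no <VirtualHost *:{dest_port}>"]
    if f"servername {dest_host.lower()}" not in block:
        problems.append("ServerName does not match the destination host")
    if "sslenable" not in block:
        problems.append("SSLEnable missing: gateway traffic would be plaintext")
    for legacy in ("SSLv2", "SSLv3"):
        if f"sslprotocoldisable {legacy.lower()}" not in block:
            problems.append(f"{legacy} not disabled")
    return problems


def check_hosts_mapping(hosts: str, dest_host: str, node_ip: str) -> bool:
    """True if /etc/hosts maps the cloud destination host to the IHS node's IP."""
    for line in hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == node_ip and dest_host in fields[1:]:
            return True
    return False
```

Run it against the real httpd.conf and /etc/hosts before re-pointing the destination; an empty problem list and a True mapping mean the gateway will land on the intended TLS virtual host.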

 

Step 8: Connect and test the applications

  1. Without any VPN connection, access the BAW URLs, e.g. https://$$Secure-Gateway Destination Host$$:$$Secure-Gateway Destination Port$$/WorkflowCenter
  2. Validate by accessing other URLs and executing transactions.


Comments

Wed October 14, 2020 01:35 AM

Very elaborate step by step details. Good Article Paras