Cloud Pak for Business Automation

Business Automation Workflow (BAW) supports integrating external content from an enterprise content management system in workflow automations. This article describes how to integrate BAW in CloudPak for Business Automation (CP4BA) 21.0.3 with content in FileNet Content Manager (FNCM) 5.5.5 (and later) on a traditional WebSphere Application Server 9.0.5.3 (and later).   The FNCM applications used by BAW in this configuration are CMIS and Content Platform Engine (CPE).  This article only covers the content integration capabilities of BAW and not the case capabilities.

User Driven Interaction

In a CP4BA user driven interaction, users (1) authenticate with BAW via Zen (2) and IAM (3).  Zen is the Cloud Pack Platform front door to all the Cloud Pak services and capabilities.  Zen uses the Identity and Access Management (IAM) service to validate the users identity with the underlying LDAP (4).  Zen then creates an OAuth token (aka Zen Token) that is passed to the Cloud Pak services.  Each Cloud Pak service validates this token with Zen to authenticate the request.
Authentication between BAW and FNCM uses this same OAuth token for Single Sign On (SSO).  The OAuth token (5) passed from BAW to FNCM is the token created when the user first logs into CP4BA.  When FNCM on traditional WebSphere (tWAS) receives the OAuth token, it invokes Zen (6) to validate it.   The OAuth token is mapped to the underlying LDAP (7)  to create an LTPA token.  CMIS receives the request and invokes CPE to carry it out.  The authentication between CMIS and CPE on tWAS uses LTPA (8) to propagate the SSO session, which is validated again with the underlying LDAP (9).

System-to-System Interaction

If a system-to-system interaction is used, then the technical user configured for the external service in BAW is passed using HTTP Basic Authentication (1) to CMIS running on tWAS.  These basic authentication credentials are validated by tWAS against the LDAP server (2) and an LTPA token is generated to pass to CPE (3).  CPE then validates the LTPA token against the LDAP (4) before processing the request.

The following sections describe how to configure traditional WebSphere to allow these authentication sequences to take place.

Configuring CMIS 1.0

You may use either CMIS 1.0 (aka IBM CMIS 3.0.6) or CMIS 1.1 (aka opencmis) on tWAS with BAW on CP4BA.  If you are using CMIS 1.1, then no additional configuration is necessary, so you can proceed to the next section.

If you are using CMIS 1.0, then you must disable the CMIS WSSecurity settings.  If you use CMIS 1.0 with other applications that require these WSSecurity settings, then it is recommended that you deploy CMIS 1.0 with a different context root, so as not to affect these other applications.

• Navigate to Enterprise Applications and select the CMIS 3.0.6 deployment

• Click the Service provider policy sets and bindings link.

• Detach the policy by selecting the cmis entry and clicking the Detach Policy Set button.  This disables WSSecurity for the module.

• Save the configuration.

Add LDAP used in CP4BA to tWAS

Add the LDAP used with BAW in CP4BA as an LDAP in the Federated repositories of the FNCM tWAS server

Configuring OAuth for FNCM on tWAS

Follow the instructions in these blogs to setup SSO in traditional WebSphere for both LTPA and OpenID Connect with FNCM

• How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere traditional application server
• How to Configure LTPA/OAuth/OIDC SSO with FileNet ICN, CS GraphQL, and CPE on WebSphere ND Application Server

Configuring the OIDC TAI to validate the CP4BA Zen token

On tWAS, navigate to the OIDC RP configuration at:  Global security > Trust association > Interceptors > com.ibm.ws.security.oidc.client.RelyingParty

Enter these values for provider_x, where x is the provider number used for your CP4BA provider.  The zen-front-door URL can be found in your CP4BA OCP Console under the cpd route for your project.

The identifier and useRealm value of cp4ba-baw is arbitrary.  You can change it to whatever value you like.  However, you will need to use this realm name in the next step. 
Alternatively, you can leave out the useRealm property.  The WebSphere default, if no realm is specified is to use the value under the issuerIdentifier property (i.e. KNOXSSO).  If you go this route, then enter KNOXSSO as the trusted realm in the next section instead of cp4ba-baw.

Name	Value
provider_x.identifier	cp4ba-baw
provider_x.filter	applicationNames==cmis;Authorization%=Bearer
provider_x.jwkEndpointUrl	https://zen-front-door/auth/jwks
provider_x.signatureAlgorithm	RS256
provider_x.issuerIdentifier	KNOXSSO
provider_x.audiences	DSX
provider_x.mapIdentityToRegistryUser	true
provider_x.uniqueUserIdentifier	username
provider_x.useRealm	cp4ba-baw
provider_x.tokenReuse	true
provider_x.useJwtFromRequest	required
provider_x.verifyIssuerInIat	true

Adding CP4BA as a trusted realm

Navigate to Global Security > Federated repositories > Trusted authentication realms - inbound

Add cp4ba-baw (or whatever name you set with the useRealm property) as an External Trusted Realm.  If you did not define the useRealm property, then add the value returned by the issuerIdentifier property (i.e. KNOXSSO).

Import Zen Front Door SSL/TLS certificate into tWAS truststore

Navigate to: Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore of the Cell in which the CMIS application is deployed.

• Click on Signer certificates

• Click on Retrieve from port.  Then fill out the host and port information to the CP4BA Zen Front door.

• Repeat this procedure for the NodeDefaultTrustStore of the node containing the CMIS application.

Set JVM arguments to pass LTPA token from CMIS to CPE

Set the following JVM option on the WebSphere server containing the CMIS application.  This will cause CMIS, which uses the CE API, to send the LTPA token to the CPE application for SSO.

-Dcom.filenet.authentication.wsi.AutoDetectAuthToken=true
-Dcom.filenet.authentication.wsi.AuthTokenOrder=ltpa,oauth,oidc


Restart the WebSphere server(s) after completing all the above configuration

Testing BAW integration

To test this configuration, login to CP4BA and create a Workflow automation.

• Give the workflow automation a name and click the Create button

• Navigate to the Servers tab

• Choose the server type Enterprise Content Management Server and provide the server details for your FNCM deployment on traditional WebSphere.  Provide a username and password for basic authentication and click the Test Connection button to verify connectivity using these credentials.

• Note that the Test Connection button uses basic authentication with the provided credentials regardless of whether the  Always use this connection information checkbox is enabled.
  
  
• To enable documents and folders to be created as the currently logged-in user, you must disable the Always use this connection information checkbox.  You can verify this by running a user driven interaction, in which the current user creates a document or folder.  Below is an example of such a process in which an Inline User Task is used to prompt the user to create a Folder.
  
  First, let's take a look at how this Inline User Task is configured to submit requests to the ECM server you just defined.  Select and click on the Inline User Task's implementation.
  
  
• Go to the Coach, then select the Document Explorer icon and go to the Configuration tab.  See that the Server name has been set to match the name of the Enterprise Content Management Server we had configured to point to FNCM on tWAS.
  
  

• Now go to the Process Portal or Workplace application and login.  In this example, we have logged into the Process Portal as the user cp4admin.  Launch the process, click on the Work icon, then click on the Step: Inline User Task
  
  
• Claim this task, then select the option to Add Folder in Document Explorer

• Provide a name for the Folder and click Ok
  
  

• Back on the Document Explorer, note that this Folder has been created by the current user (i.e. cp4admin).  Click Ok to complete this task.

• We've now shown that OAuth SSO is working by creating a new Folder as the current user. 
  
  
• We could also create a new Folder using the configured technical user.  We demonstrate this by going back to the Server Settings and enabling the Always use this connection information checkbox.  Now when we create a Folder in this process, it will be done as the configured technical user: newcp4admin

• After making this change, launch a new Process and create a new Folder.  Notice that this Folder has now been created by the technical user: newcp4admin

• Now lets examine the behavior in a system-to-system interaction in which a content integration task in a system service flow automatically performs some action independent of any user interaction.  These content integration tasks are always performed using the technical user that is configured in the Server definition.
  
  
• To demonstrate this, we've created another Process with a Create Folder System Task.  In this process, the current user is first prompted to provide a Folder name.  Then the Create Folder System Task is automatically executed followed by the Retrieve Folder System Task.  Finally, the user can view the results in the Output folder information task.
  
  Let's look at the Create Folder System Task by selecting it, then selecting the Create Folder Service implementation

• Looking at the implementation of the Create Folder content integration task in the Create Folder Service service flow, notice that the Type is Content Integration Task and the Server is the cmis_on_twas server connecting to our FNCM deployment on tWAS.

• Now go back to the Process Portal application, login as the cp4admin user, and launch the Create Folder Process

• Select Step: Input folder name task, claim this task, and provide a name for the new Folder

• The system tasks Create Folder System Task and Retrieve Folder System Task now automatically execute in the background.  The next interactive task is Step: Output folder information task.  So select it and view the results

• In these results, note that this folder has been created by the technical user: newcp4admin.  Now click Ok to complete this task.

Summary

In this article, we've shown how to configure FNCM on tWAS to accept requests from BAW running in CP4BA to perform content related operations in FNCM.  We then demonstrated how BAW in CP4BA is configured to point to FNCM/CMIS on tWAS in a Server definition and how BAW processes are defined to use that Server definition to send requests to FNCM on tWAS.

We also showed the effect of the Always use this connection information checkbox in the Server definition.  For interactive tasks in a process, if this checkbox is enabled, then the technical user credentials in the Server definition are used to execute the task using Basic authentication with CMIS on tWAS.  If this checkbox is disabled, then the current user is used to execute the task via OAuth SSO with FNCM/CMIS on tWAS.

Finally, we showed that content integration tasks used in system-to-system processes always use the technical user credentials to execute the task using Basic authentication.
#BusinessAutomationWorkflow(BAW)
#FileNet
#WebSphere