IBM Business Process Manager Security: Concepts and Guidance

Book description

This IBM® Redbooks® publication provides information about security in an organization's business process management (BPM) program, describes common security holes that often occur in this field, and presents techniques for rectifying those holes. This book documents preferred practices and common security hardening exercises that you can use to achieve a reasonably well-secured BPM installation.

Many of the practices described in this book apply equally to generic Java Platform, Enterprise Edition (J2EE) applications and to BPM. However, the book focuses on aspects that typically do not receive adequate consideration in actual practice. It also addresses the BPM Standard and BPM Advanced Editions equally, although there are topics inherent in BPM Advanced that we considered to be out of scope for this book.

This book is not meant as a technical deep-dive into any one topic, technology, or philosophy. IBM offers a variety of training and consulting services that can help you to understand and evaluate the implications of this book’s topic in your own organization.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  3. Chapter 1: Why Business Process Manager security is important
    1. BPM is your corporate DNA
      1. Business Process Manager users have access
      2. Business Process Manager has unique security considerations
    2. Basic concepts
      1. Business Process Manager
      2. WebSphere Application Server
      3. Business Process Manager administration tools
      4. Installation options
    3. Encryption, SSL, and certificates
      1. Encryption
      2. Symmetric and asymmetric keys
      3. SSL and digital certificates
      4. Certificate authorities
  4. Chapter 2: Installation
    1. Business Process Manager and WebSphere Application Server topologies
      1. Basic concepts
      2. Complex realities
    2. Common security holes
      1. Faith in firewalls
      2. Failure to use SSL between BPM and database server
      3. Failure to encrypt data at rest
      4. Failure to use SSL between Process Center and Process Server
      5. Overuse of default Business Process Manager accounts
      6. Overuse of trust in certificate authorities
  5. Chapter 3: Authentication: Who has access
    1. Subjects and Principals
    2. WebSphere user registry
      1. Flat-file repositories
      2. LDAP repositories
      3. Custom software repository
      4. Federated repositories
    3. Common security holes
      1. Weak password policies
      2. Failure to change default passwords
      3. Faith in firewalls
      4. Insecure LDAP connections
      5. Insecure SSO solutions
  6. Chapter 4: Authorization: Access to what
    1. Groups versus roles
    2. Grouping mechanisms
      1. LDAP groups
      2. VMM security groups
      3. Process Admin Console and private groups
      4. Process Designer swimlanes and participant groups
      5. Mapping roles to groups
      6. Review and summary
    3. Administrative access
      1. Granting access to Process Designer
      2. Review and summary
    4. Instance-based authorization
    5. Common security holes
      1. Overuse of administrator privileges
      2. Failure to map participant groups
      3. Overpopulation of groups
      4. Overuse of tw_authors, tw_admins
      5. Faith in firewalls
  7. Chapter 5: Integration: Working with others
    1. Business Process Manager Standard Edition versus Advanced Edition
    2. Business Process Manager Standard Edition outbound web services
      1. Using Web Service Integration
      2. Using SOAP Integration
      3. Using Java Integration
    3. Business Process Manager Standard Edition inbound web services
      1. Steps to create inbound web service
      2. Review and summary
      3. Securing the inbound web service
    4. Business Process Manager Advanced Edition web services options
    5. Common security holes
      1. Failure to secure web services passwords
      2. Faith in firewalls
  8. Related publications
    1. IBM Redbooks publications
    2. Other publications
    3. Help from IBM
  9. Back cover

Product information

  • Title: IBM Business Process Manager Security: Concepts and Guidance
  • Author(s): J Keith Wood, Jens Engelke
  • Release date: September 2012
  • Publisher(s): IBM Redbooks
  • ISBN: None