How to configure BPME 5.x with LDAPS protocol

Article ID: KB0137913

Products: TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM)
Versions: 5.x

Description

To enable SSL (LDAPS) for the LDAP server used by BPME 5.x, the public certificate of the LDAP server must be provided to the BPME 5.x container application.

The path of the certificate inside the container is passed through the environment variable "LDAP_<group name>_SSLCERT", where <group name> is the group name of the corresponding LDAP server (the same name used in LDAP_<group name>_URL).

The certificate needs to be injected into the BPME container via the container volume mount based on the container platform used.

In the resolution section of this article, you will find the exact steps for Kubernetes and Docker.

The volume mount used to store the certificate file must have a different lifecycle than the container/pod, i.e., stopping or deleting the container/pod must not delete the volume or its data.

Environment

All

Resolution

Steps:

  1. Generate or download the public certificate from the LDAP server and place it on the machine where you will run Docker or Kubernetes commands.
  2. Add the public LDAP server certificate to the volume of the container platform:
    1. Docker:
      1. Create a named volume using the Docker command below:
        docker volume create <volume-name>
        Example:
        docker volume create ldap-certs
      2. Copy the certificate into the named Docker volume using the following command:
        docker run --rm -v <cert path in host server>/<certificate.file>:<temp location in container>/<certificate.file>:ro -v ldap-certs:<directory inside volume> <image-name> cp <temp location in container>/<certificate.file> <directory inside volume>/<certificate.file>
        Example:
        docker run --rm -v /home/ompatil/openldap-certs/mycacert.pem:/tmp/mycacert.pem:ro -v ldap-certs:/etc/ldap/certs alpine cp /tmp/mycacert.pem /etc/ldap/certs/mycacert.pem
    2. Kubernetes:
      1. Run the below command to convert the certificate into base64 text:
        cat <certificate.file> | base64
        Example:
        cat cn_gasdseuomkarw05.ompatil.com.cer | base64
      2. Create a Secret to store the base64 certificate data: create a file bpm-ldap-cert.yaml with the content below, putting the base64 text from the previous step in the ldap.crt entry of the data section:
        apiVersion: v1
        kind: Secret
        metadata:
          name: secret-name
          namespace: bpm-msql
        type: Opaque
        data:
          ldap.crt: <base64 of cert>
        Example:
        apiVersion: v1
        kind: Secret
        metadata:
          name: ldap-certificates
          namespace: bpm-msql
        type: Opaque
        data:
          ldap.crt: LS0tLS1CRUdJTiBDRVJ........Q0FURS0tLS0tCg==
      3. Run the below command to create the Kubernetes Secret:
        kubectl apply -f bpm-ldap-cert.yaml
      4. Add a volume mount to the BPME pod by adding the following properties to the deployment file. The Secret's data key (ldap.crt) becomes the file name under mountPath, so the certificate is available inside the container at <path of the mount>/ldap.crt:
        spec:
          containers:
            - name: <container-name>
              image: tibco/bpm/runtime:5.x.x
              volumeMounts:
                - name: <give your mount name>
                  mountPath: "<path of the mount>"
        .
        .
          volumes:
            - name: <mount name given to the pod>
              secret:
                secretName: <certificate secret name>

        Example:

        spec:
          containers:
            - name: bpm
              image: tibco/bpm/runtime:5.6.0
              volumeMounts:
                - name: ldap-cert-volume
                  mountPath: "/etc/ldap-certs"
        .
        .
          volumes:
            - name: ldap-cert-volume
              secret:
                secretName: ldap-certificates
  3. Update and add the environment variable for the LDAP server URL and provide the path of the certificate.
    1. Docker:
      1. Update the LDAP server URL in the LDAP_<group name>_URL environment variable to use the ldaps protocol and the SSL port.
      2. Add a new environment variable LDAP_<group name>_SSLCERT whose value is the path of the certificate inside the container, i.e. the mount path of the volume followed by the file name copied into it in step 2 (in the example the volume is mounted at /etc/ldap, so the path is /etc/ldap/mycacert.pem).
        1. For a .env file, add the new variable as below:
          LDAP_SYSTEM_ALIAS=System
          LDAP_SYSTEM_URL=ldaps://ompatil:636/dc=ompatil
          LDAP_SYSTEM_PRINCIPAL=uid=ompatil,ou=people,dc=ompatil
          LDAP_SYSTEM_CREDENTIALS=Tibco2020
          LDAP_SYSTEM_SSLCERT=/etc/ldap/mycacert.pem

        2. For the Docker CLI command, add another -e parameter with the variable name and its value (for example -e LDAP_SYSTEM_SSLCERT=/etc/ldap/mycacert.pem).
    2. Kubernetes:
      1. In the deployment file, update the environment variable LDAP_<group name>_URL under the env section.
      2. Add a new variable LDAP_<group name>_SSLCERT with the certificate path of the mount created in the previous steps.
        Example:
                env:
                  - name: JDBC_DRIVERCLASS
                    value: "com.microsoft.sqlserver.jdbc.SQLServerDriver"
                  - name: JDBC_URL
                    value: "jdbc:sqlserver://ompatil:1433;databaseName=bpm;encrypt=true;trustServerCertificate=true;"
                  - name: LDAP_SYSTEM_ALIAS
                    value: "System"
                  - name: LDAP_SYSTEM_URL
                    value: "ldaps://ompatil:636"
                  - name: LDAP_SYSTEM_SSLCERT
                    value: "/etc/ldap-certs/ldap.crt"

  4. Start/Run BPME 5.x container/pod by attaching the volume created in the previous steps.
    1. Docker:
      1. Run the Docker run command and attach the volume created in step 2:
        docker run -d -p 8181:8181 --name bpm --env-file ./db-server.env  --env-file ./ldap.env -v <volume-name>:<cert path inside the container> bpme-image-name
        Example:
        docker run -d -p 8181:8181 --name bpm --env-file ./db-server.env  --env-file ./ldap.env -v ldap-certs:/etc/ldap tibco/bpm/runtime:5.5.0
    2. Kubernetes:
      Create a pod by running the deployment file:
      kubectl apply -f bpm-deployment.yaml
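A preflight script covering the Docker and Kubernetes procedures above (an added example, not code from the TIBCO article or product): it confirms the file is a PEM certificate, renders the Secret manifest from step 2 with a single-line base64 value, and checks that a .env group's LDAP_<group>_URL uses ldaps:// and that its LDAP_<group>_SSLCERT matches the path of the mounted file. The group name SYSTEM, mount paths and the ldap.crt key come from the examples above; the function names are my own.

```shell
#!/bin/sh
# Added preflight helper for the procedure above; not part of the TIBCO
# article or product. Needs only POSIX sh, grep, cut, base64 and tr.
set -eu

# A Secret stores arbitrary bytes, so confirm the file is a PEM certificate
# before encoding it; a DER, empty or wrong file is caught here, not at LDAP bind.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# base64 with line wrapping removed: the data.ldap.crt value must be one line
# (GNU base64 wraps at 76 columns by default).
cert_b64() {
  base64 < "$1" | tr -d '\n'
}

# Render the Secret manifest from step 2. The data key (ldap.crt) is the file
# name the pod sees under its mountPath.
render_secret() {  # args: secret-name namespace cert-file
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: Opaque\ndata:\n  ldap.crt: %s\n' "$(cert_b64 "$3")"
}

# Check one LDAP group's settings in a .env file (step 3): LDAP_<group>_URL
# must use ldaps://, and LDAP_<group>_SSLCERT must equal the path the file has
# inside the container, i.e. <mount path>/<file name>. Returns 1 on any problem.
check_ldap_env() {  # args: env-file group mount-path cert-file-name
  url=$(grep "^LDAP_${2}_URL=" "$1" | cut -d= -f2-)
  cert=$(grep "^LDAP_${2}_SSLCERT=" "$1" | cut -d= -f2-)
  rc=0
  case "$url" in
    ldaps://*) ;;
    *) echo "LDAP_${2}_URL must use ldaps:// (got '$url')"; rc=1 ;;
  esac
  [ -n "$cert" ] || { echo "LDAP_${2}_SSLCERT is not set"; rc=1; }
  [ "$cert" = "$3/$4" ] || {
    echo "LDAP_${2}_SSLCERT '$cert' does not match mounted file $3/$4"; rc=1; }
  return $rc
}
```

Run render_secret against the real certificate to produce bpm-ldap-cert.yaml, and check_ldap_env against ldap.env with the mount path used in the docker run or deployment file before starting the container.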

Issue/Introduction

This article illustrates the steps to configure SSL (the LDAPS protocol) for the LDAP server used by BPM 5.x.

Additional Information

LDAPS, SSL, BPM 5.x