Table of Contents
1. Deploy a simple server
1.1. Prerequisites
1.2. Objectives
1.3. Instructions
1.4. Correction
1.4.1. Download the bundle from the download page in the customer portal.
2.1. Requirements
2.2. Instructions
2.3. Correction
2.3.1. Names
2.3.2. PostgreSQL
3.1. Requirements
3.2. Instructions
3.3. Correction
3.3.1. Introduction
3.3.2. Organization
3.3.4. Processes
3.3.6. Page
3.3.7. Profile
4. Ldap synchronization
4.1. Requirements
4.2. Instructions
4.3. Correction
5.1. Prerequisites
5.2. Requirements
5.3. Instructions
5.4.6. Test
6.1. Requirements
6.2. Instructions
7. Create a cluster
7.1. Prerequisites
7.2. Requirements
7.3. Instructions
8. Security
8.1. Requirements
8.2. Instructions
8.3. Correction
8.3.1. Names
9.1. Prerequisites
9.2. Requirements
9.3. Instructions
9.4. Correction
9.4.1. Names
10.1. Prerequisites
10.2. Requirements
10.3. Instructions
10.4. Correction
10.4.1. Names
You need to define a variable called JAVA_HOME in the System Variables of your OS.
On the command line, run "java -version". You should see output similar to:
1.2. Objectives
The goal of this exercise is to deploy a server for test and prototype environments, so that the
Portal and generated applications can be deployed quickly and easily on a pre-configured application server.
1.3. Instructions
• Download the Tomcat bundle from the download page in the customer portal (link provided
by email or by your trainer).
• Generate a licence from your customer / partner portal (or use an already created licence if
you have one).
1.4. Correction
1.4.1. Download the bundle from the download page in the customer portal.
To reach the download page, open the customer portal and go to the "Download" menu, or ask your trainer.
• Choose your component; for this exercise we take the Tomcat bundle (i.e.
BonitaSubscription-<version>-Tomcat-<version>.zip)
Extract the archive into a folder whose path contains no spaces or special characters (no accents).
We use the following names:
<TOMCAT_HOME> = <BUNDLE_HOME>/server/
<SETUP_HOME> = <BUNDLE_HOME>/setup/
If the Studio and your server have the same version (e.g. 7.x) and run on the same machine, you can
copy the Studio license into <SETUP_HOME>/platform_conf/licenses/.
Otherwise:
• Go to <TOMCAT_HOME>/request_key_utils/
• Run the generator matching your OS and license type (e.g. on Windows, for a development
license: generateRequestKey.bat)
• Generate a licence from the request key (in training, just send the key to your trainer)
Figure 1. Select option 1 in license key generation
Run it.
• The console ends with the message: "INFOS: Server startup in xxxxx ms"
Figure 3. Home page
Troubleshooting
If something is not working properly, check <TOMCAT_HOME>/logs/ for errors, in the files
bonita.<date of the day>.log and catalina.<date of the day>.log. Main errors:
java.net.BindException: Address already in use: JVM_Bind <null>:8080
The server tries to start on port 8080, but this port is already in use. Is the Studio started?
The Studio could be using port 8080.
User: install / Password: install
• From the Portal, go to the menu Organization/Import-Export and import the file exported from
the Studio
Figure 8. Profiles
Select the profile Users, click on MORE, and add all users (click on ADD A USER)
Figure 10. Users in the profile
• Open a process developed with the Studio and generate a BAR file
Figure 12. Choose the Administrator profile
• If needed, resolve process actor mapping or form mapping issues. Don’t forget to ENABLE it.
Figure 14. Check the process/ ENABLE it
• Click on Processes
The Platform setup tool handles the creation of the database schema and the configuration of
Bonita Platform.
In the Tomcat bundle, the tool is in the setup folder:
• platform_conf/
◦ initial/: contains the default configuration of the Bonita Platform, which can be customized and
is pushed when the database is created.
◦ current/: contains the configuration files after a pull from the database has been made.
◦ licenses/: (Subscriptions only) ⇒ must contain the license file to allow the Bonita Platform to start
without error.
◦ sql/: SQL scripts used to create the Bonita database tables
To modify the configuration of an already initialized Bonita Platform, you must use the Platform
setup tool as follows:
> stop-bonita
Check that <SETUP_HOME>/database.properties of the Platform setup tool points to the database used by
the Bonita Platform.
remove them, to delete them from the database when pushed.
> start-bonita
Note: this procedure is described in the Security exercise. Note that the password has to be changed
before going to production.
Chapter 2. Bonita with PostgreSQL
2.1. Requirements
The H2 database is not recommended for production environments. The goal of this exercise
is to understand how to install Bonita with PostgreSQL.
2.2. Instructions
Install a PostgreSQL database, create an empty database, and then configure the connection with the
setup tool.
2.3. Correction
2.3.1. Names
<TOMCAT_HOME> = <BUNDLE_HOME>/server/
<SETUP_HOME> = <BUNDLE_HOME>/setup/
2.3.2. PostgreSQL
Installation
• When asked for the password of the "super account", enter "root".
• Keep the default values for all other options. Do not run "Stack Builder" at the end of the wizard.
• In this file, set a non-zero value for max_prepared_transactions (100 is a good number)
To create the PostgreSQL database, you can use pgAdmin 4. Run this tool and connect to your
localhost database server by double-clicking on the node in the Object browser tree view.
Provide the password that you entered during the installation ("root").
User creation
• In the object browser, right click on Login Roles and select New Login Role…
Figure 16. Create PostgreSQL User
• Click on the Ok button
Database creation
• In the object browser, right-click on Databases and select New Database…
• In the owner dropdown list, select the Bonita user created previously
Figure 17. Create a database
• In the object browser, right-click on Databases and select New Database…
• In the owner dropdown list, select the Bonita user created previously
We will switch the existing bundle to the PostgreSQL database. The steps are identical for a new bundle.
• Verify that the PostgreSQL driver is present under setup/lib. The Bonita bundle ships the JAR
postgresql-9.3-1102-jdbc41.jar
<SETUP_HOME>/database.properties
db.vendor=postgres
db.server.name=localhost
db.server.port=5432
db.database.name=bonitatraining
db.user=bonita
db.password=bpm
bdm.db.vendor=postgres
bdm.db.server.name=localhost
bdm.db.server.port=5432
bdm.db.database.name=businesstraining
bdm.db.user=bonita
bdm.db.password=bpm
You could also run start-bonita directly: start-bonita detects that the database has not been
created and runs setup init at that moment. By running setup init manually, we verify
that the current instance has been correctly switched to the new database.
> setup init
____ _ _
| _ \ (_) |
| |_) | ___ _ __ _| |_ __ _
| _ < / _ \| '_ \| | __/ _` |
| |_) | (_) | | | | | || (_| |
|____/ \___/|_| |_|_|\__\__,_|
• Start Bonita Platform in <BUNDLE_HOME>
> start-bonita
• to load organization
Chapter 3. Deploy Living application resources
3.1. Requirements
The goal of this exercise is to understand how to upload resources to Bonita through the Portal,
and then to update them.
3.2. Instructions
From the "provided files" folder, in the uploadResources subfolder, retrieve the resources to upload:
• Organization
• BDM file
• Processes
• Application page
• Connector
• Living application
3.3. Correction
3.3.1. Introduction
The Bonita server accepts different resources. Resources are created by the Bonita Studio or
downloaded from the Community.
All the resources you need for this exercise are included in the ZIP file UpdateResource.zip
3.3.2. Organization
The first resource to install is the Organization. The Organization contains all the users, groups and roles
needed to log in and execute tasks.
The organization can be exported from the Studio via the menu Organization ⇒
Export.
Figure 19. Import the organization
• Click on IMPORT
• Go to "Organization ⇒ Profile"
Once the organization is imported, its groups and roles are defined. You then need to
give each user access to the correct profiles. In the ACME organization,
all users have the role "Member".
Figure 21. Register only Walter.Bates as Administrator
• Log out
• Verify that you can access the two profiles "User" and "Administrator"
A BDM is a set of business tables. The tables are created in a separate database, the Business Database.
When you upload a BDM, that database is updated.
The BDM is exported from the Studio via the menu Development ⇒ Business Data
Model ⇒ Export.
• Back up your Business Database
• Go to "Business Data Model" and select the bdm.zip file. Click on UPDATE
The Portal (via Hibernate) compares the current database with the new model and updates the
database as a 'black box':
• if attributes or tables disappear from the model, they are dropped without warning
• if a structure changes (a single attribute becomes multiple), the modification is made without
notification (so values are dropped)
• for some structure changes, the Portal is not able to perform the upgrade, and the BDM becomes
unstable: some changes are applied, others are not.
You can look at the SnowMobile page, available on the Community, to see in advance the impact of the
new BDM and the proposed SQL script to update your database. Apply the changes before loading
the BDM. Note that you must still load the BDM at the end to update the JAR file.
Figure 24. Resume the Bonita Server
The only way to see the change is to connect to the Business Database with a
database browser.
3.3.4. Processes
A Process is the artifact needed to deploy a process on the server. It is provided as a BAR file
and contains everything needed: process definition, connectors, forms.
The process is exported from the Studio via the menu "Server ⇒ Build", selecting
the process to export.
• Connect to the Portal using the Walter.Bates / bpm login and select the Administrator profile
• Go to "BPM ⇒ Processes"
Figure 26. Install a process
• The process is deployed. It is "DISABLED" by default. Any errors are visible and need to be fixed
before changing the status to ENABLE.
• Click on the state button (named DISABLED). The status then changes to ENABLE
• Run one case of Initiate Vacation Available. In the process list, click on START FOR and
give Walter.Bates as the user.
Figure 29. Run a case
The REST API Extension extends the basic API to provide new functions to pages and forms.
The REST API extension is exported from the Studio, "Development ⇒ REST API
Extension ⇒ Build"
• Connect to the Portal using the Walter.Bates / bpm login and select the Administrator profile
• Go to "Resources"
Click on REST API extensions to list only the REST API resources
Figure 30. List resources
3.3.6. Page
A page is a resource accessible to users in the Bonita Portal. A page is developed with the Bonita Studio or can
be downloaded from the Community.
The page is exported from the UI Designer, section Pages, and then the button
Export. Or via the Community, go to "Contribute ⇒ Projects" and then select the
Category Page.
• Connect to the portal using the Walter.Bates/ bpm login and select the Administrator profile
• Go to "Resources"
• Click on NEXT then CONFIRM. The page should appear in the list.
• Add the page page-TahitiPage.zip too. You will get a warning about a permission. Just
CONFIRM.
3.3.7. Profile
The page is exported from the Portal, Organization section Pages, and then the
button Export. Or via the Community, go to "Contribute ⇒ Projects" and then
select the Category Page.
• Connect to the portal using the Walter.Bates/ bpm login and select the Administrator profile
• Go to "Organization ⇒ Profiles"
Figure 35. Add a profile
To check the profile, log out and log in again as Walter.Bates. The new profile Tahiti-User should
appear in the profile list.
A Connector is used in a process. It is possible to upload a new connector implementation for a
process. Only that process is impacted, which compartmentalizes the risk.
• Connect to the portal using the Walter.Bates/ bpm login and select the Administrator profile
• Go to "BPM ⇒ Processes" and then select your process (New vacation request). Click on MORE
• See the connector google-calendar-v3-create-event and click on the pencil. Give the file
google-calendar-create-event-impl-1.0.0.zip and click on SAVE
A process defines parameters. On a process, you can change the value of a parameter.
• Connect to the Portal using the Walter.Bates / bpm login and select the Administrator profile
• Go to "BPM ⇒ Processes" and then select your process (New vacation request). Click on MORE
Figure 39. Update a parameter
• Connect to the portal using the Walter.Bates/ bpm login and select the Administrator profile
• Access the URL by clicking on the URL link in the Application page
Figure 41. Add an application
Chapter 4. Ldap synchronization
If you have an internet connection, consider jumping to the same exercise with an online LDAP provider
at the end of the PDF; it does not require any installation.
Prerequisites
4.1. Requirements
Even if we use LDAP for authentication, our users must in any case be registered in the Bonita
database, for authorization purposes. The requirement is to set up the synchronization between an
LDAP source and the Bonita database.
4.2. Instructions
• Set up the LDAP server
◦ Set up a simple LDAP server such as ApacheDS (the server part, not Apache Directory Studio)
◦ Initialize the server with some test data using an LDAP server administration tool (such as
Apache Directory Studio)
◦ Edit the LDAP synchronizer configuration file (bonita.properties) and the technical user credentials
◦ Edit the LDAP synchronizer configuration file for the LDAP connection (ldap.properties)
◦ Edit the file defining the mapping of data between the Bonita organization and LDAP attributes
(mapper.properties)
◦ Edit sync.properties to specify how the synchronization is to be performed (entry point for
user lookup, logging…)
• Run the LDAP synchronizer in order to copy the LDAP information into the Bonita organization
4.3. Correction
4.3.1. Names
<TOMCAT_HOME> = <BUNDLE_HOME>/server/
<SETUP_HOME> = <BUNDLE_HOME>/setup/
4.3.2. ApacheDS installation
The following screen is displayed. It means that the LDAP server was started successfully.
Install the standalone version that matches your operating system, or install the Eclipse plugin
version.
• Go to the Connections panel (bottom left) and double-click on "local" to connect to
ApacheDS.
Figure 43. Ldap Studio Directory
If no "local" icon is present, right-click in the connection panel and create a new connection:
user: uid=admin,ou=system
password: secret
port: 10389
Test that the connection works properly: right-click on the local icon and click on
"Check Network Parameter".
• The LDAP Synchronizer is included in the Deploy component. On the Customer Portal download
page, look for "BonitaSubscription-7.x.y-deploy.zip".
BonitaBPMSubscription-7.x.y-deploy/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
We name this directory <LDAP_SYNCHRONIZER>.
The LDAP Synchronizer relies on the Bonita Client Java library to push information to the Bonita
Engine. As it runs as a standalone Java application, it cannot use direct Java access to the Bonita
Engine (different classloaders), so we set up the Bonita Client communication to use HTTP.
The LDAP Synchronizer can handle multiple domains, i.e. multiple tenants. Each tenant
configuration has its own directory, where tenant 1 is "1" or "default". In the next
part, we use the directory "default" to configure tenant 1.
<LDAP_SYNCHRONIZER>/conf/default/bonita.properties
######
# Bonita connection settings
######
# Access type to the server - use EJB3,HTTP
apiType=HTTP
# Application name
applicationName=bonita
######
# Bonita connection settings
######
#bonita_home = <PathToBonitaHome>
######
# Bonita account used for sync (needs admin privileges)
######
login = install
password = install
technicalUser = platformAdmin
technicalPassword = platform
This login is used by the LDAP Synchronizer to connect to the Engine and create or update users. A
different user can be used, but pay attention that this user will not be disabled by the LDAP
Synchronizer itself. The technical user (install) is ignored by the LDAP Synchronizer because it is not a real
user.
The platformAdmin account is necessary to get the list of all existing tenants. No tenants
are created or removed by the LDAP Synchronizer.
Configure ldap.properties
Edit
<LDAP_SYNCHRONIZER>/conf/default/ldap.properties
and specify the appropriate information to connect to your LDAP server:
######
# LDAP connection settings
######
host_url = ldap://localhost:10389/
auth_type = simple
######
# LDAP account used for browsing
######
principal_dn = uid=admin,ou=system
principal_password = secret
######
# User type ('person' for LDAP, 'user' for AD)
######
directory_user_type = person
Configure mapper.properties
Edit
<LDAP_SYNCHRONIZER>/conf/default/mapper.properties
######
# MAPPER CONFIGURATION
# Provides the field mapping between Bonita and LDAP such as:
# bonita_property = ldap_property
#
# user_name is the only mandatory property as it is the key defined for matching users, all other properties are optional.
# Unused properties should be commented out.
# Bonita meta data is not supported in current version (v4)
######
######
# GENERAL INFORMATIONS
######
user_name = uid
#first_name = givenName
#last_name = sn
#title =
#job_title =
#manager =
#delegee =
######
# PROFESSIONAL INFORMATIONS
######
#pro_email =
#pro_phone =
#pro_mobile =
#pro_fax =
#pro_website =
#pro_room =
#pro_building =
#pro_address =
#pro_city =
#pro_zip_code =
#pro_state =
#pro_country =
######
# PERSONAL INFORMATIONS
######
#perso_email =
#perso_phone =
#perso_mobile =
#perso_fax =
#perso_website =
#perso_room =
#perso_building =
#perso_address =
#perso_city =
#perso_zip_code =
#perso_state =
#perso_country =
Configure sync.properties
Edit
<LDAP_SYNCHRONIZER>/conf/default/sync.properties
######
# SYNCHRONIZATION CONFIGURATION
# Provides the settings for the synchronization between Bonita and LDAP. See also mapper.conf
######
######
# ERROR BEHAVIOR SETTINGS
# Defines the synchronization error behavior settings
######
# Specifies whether an error should be blocking upon getting related users (manager and delegees)
error_level_upon_failing_to_get_related_user = warn
######
# LDAP SYNC SEARCH SETTINGS
# Defines the LDAP watched directory
######
# Declare a list of LDAP watched directories
ldap_watched_directories = dir1
# Specify dir1 settings
dir1.ldap_search_dn = ou=people,dc=example,dc=com
dir1.ldap_search_filter = cn=*
######
# BONITA USER SYNC SETTINGS
######
# Specify the username case of the Bonita imported users
bonita_username_case = lowercase
# Specify Bonita users who should not be synchronized (user names separated by commas)
bonita_nosync_users =
# Specify whether the tool should deactivate Bonita users which are not present in LDAP
bonita_deactivate_users = true
# Specify the role that will be affected to Bonita users
bonita_user_role = user
######
# LDAP GROUP SYNC SETTINGS
# Defines the LDAP groups that are synchronized
######
#ldap_groups = group1, group2
#ldap_search_filter_groups = search1,search2
You should always avoid deleting users in the Bonita organization. When a user
performs a task, the Bonita Engine keeps the link between the task and the
user. If you delete the user account, this relation is left broken.
Select the node dc=example,dc=com and right-click on "New ⇒ New Context Entry"
Figure 45. Add organizationalUnit
Figure 47. Check and Finish
Right-click on the object ou=people and select New ⇒ New Entry
• Select Create entry from scratch on the first screen and click on Next
• Select OrganizationalPerson, click on Add, then select uidObject and click on Add
Figure 49. Choose OrganizationalPerson and uidObject
• Click on Next
• Click on Next
On the overview page:
• Give fabrice for the cn and sn attributes
• Right-click on an empty line and select New Attribute… or use the New value icon
Figure 51.
Figure 52.
Then click on Finish. Another pop-up appears. Give the password value bpmldap
Figure 53.
Figure 54. Set a new attribute userPassword using the second icon on the top
<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
<LDAP_SYNCHRONIZER>/logs
After synchronization, if you now try to log in to the Bonita BPM Portal with the new user added
in the LDAP directory, it does not work. This is because the authentication service still checks
the user credentials in the Bonita BPM database, and the LDAP Synchronizer does not synchronize
passwords. In order to log in, we need one of the following options:
This user has no name and first name, because we do not map them.
• Update the password through the Portal: click on MORE… and then open the Password tab
• Change it to bpm
Figure 57. Change the password
Log in again with your user. This time the Bonita Portal authenticates you and you should be
able to display the task list view.
You can add custom attributes to each user, and then synchronize them from any LDAP
attribute.
It is not possible to create a custom information in the Portal. The options are:
- by the Studio
allow_custominfo_creation = true
Figure 58. Acces the custom information
• Go to a user (e.g. Giovanna Almeida), click on MORE… and then on the Custom information tab
Figure 60. Add Four new information
• Add two new attributes in LDAP: postOfficeBox with value B663 and st with value
Colorado.
Note: in LDAP, attributes are defined at the object class level. Because we did not define a new LDAP class,
we reuse existing attributes of the current class.
Edit mapper.properties
<LDAP_SYNCHRONIZER>/conf/default/mapper.properties
######
# CUSTOM ATTRIBUTE INFORMATIONS
######
custom_building = st
custom_room = postOfficeBox
Edit sync.properties
<LDAP_SYNCHRONIZER>/conf/default/sync.properties
bonita_user_custominfo_policy = scope
With scope, all attributes are updated, and set to null if the LDAP object does not
have the value.
<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
Verify the result. Connect as the install user and open the user fabrice.
Open the Custom information tab and check that the information has been updated.
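Added Python model of the run configured above; it is not the LDAP Synchronizer's code. It reads the mapper.properties and sync.properties keys used in this chapter and applies them to constructed LDAP entries and a constructed existing organization, showing the lowercase username policy, the nosync list (set to walter.bates here to show its effect), deactivation without deletion of users missing from LDAP, and the scope policy for custom information. The exemption of the sync login from deactivation is assumed from the note on bonita.properties above.

```python
"""Model of one LDAP Synchronizer run driven by the mapper.properties and
sync.properties keys used in this chapter. Constructed model, not the product's code."""
from typing import Dict, List

# Constructed excerpts of the two configuration files (bonita_nosync_users is
# set here, unlike in the exercise, to show its effect).
MAPPER_PROPERTIES = """
user_name = uid
#first_name = givenName
#last_name = sn
custom_building = st
custom_room = postOfficeBox
"""

SYNC_PROPERTIES = """
ldap_watched_directories = dir1
dir1.ldap_search_dn = ou=people,dc=example,dc=com
dir1.ldap_search_filter = cn=*
bonita_username_case = lowercase
bonita_nosync_users = walter.bates
bonita_deactivate_users = true
bonita_user_role = user
bonita_user_custominfo_policy = scope
"""

# Constructed LDAP search result for ou=people,dc=example,dc=com.
LDAP_ENTRIES: List[Dict[str, str]] = [
    {"uid": "Fabrice", "cn": "fabrice", "sn": "fabrice", "st": "Colorado", "postOfficeBox": "B663"},
    {"uid": "giovanna.almeida", "cn": "giovanna", "sn": "almeida"},  # no st / postOfficeBox
    {"uid": "walter.bates", "cn": "walter", "sn": "bates"},
]

# Constructed organization already present in the Bonita database.
BONITA_BEFORE: Dict[str, dict] = {
    "install": {"enabled": True, "role": "user", "custom": {}},
    "walter.bates": {"enabled": True, "role": "member", "custom": {}},
    "helen.kelly": {"enabled": True, "role": "member", "custom": {}},  # absent from LDAP
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#' comments and 'key = value' lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def synchronize(ldap_entries, bonita_users, mapper_text, sync_text, sync_login="install"):
    """Return the organization after one run. Records are never deleted: users
    missing from LDAP are only deactivated when bonita_deactivate_users is true."""
    mapper, sync = parse_properties(mapper_text), parse_properties(sync_text)
    user_attr = mapper["user_name"]  # the only mandatory mapping
    lowercase = sync.get("bonita_username_case") == "lowercase"
    nosync = {u.strip() for u in sync.get("bonita_nosync_users", "").split(",") if u.strip()}
    scope = sync.get("bonita_user_custominfo_policy") == "scope"
    name_map = {k: v for k, v in mapper.items() if k in ("first_name", "last_name")}
    custom_map = {k[len("custom_"):]: v for k, v in mapper.items() if k.startswith("custom_")}

    org = {name: {**rec, "custom": dict(rec["custom"])} for name, rec in bonita_users.items()}
    seen = set()
    for entry in ldap_entries:
        if user_attr not in entry:
            continue  # no key attribute: the entry cannot be matched to a user
        username = entry[user_attr].lower() if lowercase else entry[user_attr]
        if username in nosync:
            continue  # listed in bonita_nosync_users: left untouched
        seen.add(username)
        rec = org.setdefault(username, {"enabled": True, "role": sync.get("bonita_user_role"), "custom": {}})
        rec["enabled"] = True  # a user present in LDAP is (re-)enabled
        for field, attr in name_map.items():  # empty here: first/last name are commented out
            rec[field] = entry.get(attr)
        for info, attr in custom_map.items():
            if attr in entry:
                rec["custom"][info] = entry[attr]
            elif scope:
                rec["custom"][info] = None  # 'scope' policy: attribute absent in LDAP -> null
    if sync.get("bonita_deactivate_users") == "true":
        for username, rec in org.items():
            # Assumed from the note on bonita.properties: the sync login is never disabled.
            if username not in seen and username not in nosync and username != sync_login:
                rec["enabled"] = False
    return org


def run_example() -> Dict[str, dict]:
    return synchronize(LDAP_ENTRIES, BONITA_BEFORE, MAPPER_PROPERTIES, SYNC_PROPERTIES)


if __name__ == "__main__":
    for name, rec in run_example().items():
        print(name, rec)
```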
Chapter 5. Bonita LDAP authentication
If you have an internet connection, consider jumping to the same exercise with an online LDAP provider
at the end of the PDF; it does not require any installation.
5.1. Prerequisites
• A running ApacheDS server (used in the previous exercise)
5.2. Requirements
One of the options for Bonita authentication is to use an LDAP source directly, without SSO. The
objective of this exercise is to configure LDAP authentication.
5.3. Instructions
• Configure the Engine to rely on the JAAS authentication service implementation
(cfg-bonita-authentication-impl.xml)
• Configure the JAAS login context to use the LDAP Login Module in order to authenticate
against LDAP instead of the Bonita users database
5.4. Correction
5.4.1. Names
<TOMCAT_HOME> = <BUNDLE_HOME>/server/
<SETUP_HOME> = <BUNDLE_HOME>/setup/
> stop-bonita
> setup pull
JAAS configuration is done at JVM level and requires a configuration file. From the provided files,
copy jaas-bonita-ldap.cfg into
<TOMCAT_HOME>/conf
BonitaAuthentication-1 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://localhost:10389/ou=people,dc=example,dc=com"
userFilter="(&(uid={USERNAME})(objectClass=person))"
authzIdentity="{USERNAME}"
debug=true
useSSL=false;
};
• The JVM learns the location of the JAAS configuration file from a JVM system property
named java.security.auth.login.config. To define the JVM system property, edit the file
and uncomment the SECURITY_OPTS line, replacing the name with jaas-bonita-ldap.cfg. The line
must be:
set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas-bonita-ldap.cfg"
• Modify the CATALINA_OPTS property to add %SECURITY_OPTS% after %PLATFORM_SETUP% in the
CATALINA_OPTS list, like this:
• Modify the properties file in order to use the JAAS implementation of the login service:
<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-sp-custom.properties
Comment out the authenticationService line (if not already done) and add a new line:
authentication.service.ref.name=jaasAuthenticationService
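A Python checker for the jaas-bonita-ldap.cfg entry above, added here as an example (not part of the training material or of Bonita): it parses the JAAS entry into its login module and options, then reports the settings a reviewer would question before the entry goes to production. The review rules and the loopback-host exemption are this example's own assumptions.

```python
"""Reviewer checks for a JAAS login configuration such as jaas-bonita-ldap.cfg.
Added example, not Bonita's or the JDK's code; the findings are this example's own rules."""
import re
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

# The entry installed in <TOMCAT_HOME>/conf in this exercise.
JAAS_CONFIG = '''BonitaAuthentication-1 {
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://localhost:10389/ou=people,dc=example,dc=com"
userFilter="(&(uid={USERNAME})(objectClass=person))"
authzIdentity="{USERNAME}"
debug=true
useSSL=false;
};
'''

LDAP_MODULE = "com.sun.security.auth.module.LdapLoginModule"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: local-only traffic is acceptable in plain LDAP


class LoginModule(NamedTuple):
    context: str      # application name, e.g. BonitaAuthentication-1
    class_name: str   # login module class
    flag: str         # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    options: Dict[str, str]


ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')


def parse_jaas(text: str) -> List[LoginModule]:
    """Parse 'Context { Class Flag opt=val ...; ... };' entries."""
    modules: List[LoginModule] = []
    for context, body in ENTRY_RE.findall(text):
        for spec in body.split(";"):          # one login module per ';'-terminated spec
            spec = spec.strip()
            if not spec:
                continue
            parts = spec.split(None, 2)       # class, flag, then the option text
            if len(parts) < 2:
                raise ValueError(f"malformed module spec in {context}: {spec!r}")
            rest = parts[2] if len(parts) == 3 else ""
            options = {k: q or u for k, q, u in OPTION_RE.findall(rest)}
            modules.append(LoginModule(context, parts[0], parts[1].upper(), options))
    return modules


def review_ldap_module(mod: LoginModule) -> List[str]:
    """Return the findings a reviewer would raise for one LdapLoginModule entry."""
    findings: List[str] = []
    opts = mod.options
    if mod.class_name != LDAP_MODULE:
        return [f"unexpected login module {mod.class_name}"]
    provider = opts.get("userProvider", "")
    if not provider:
        findings.append("userProvider is missing")
    if "{USERNAME}" not in opts.get("userFilter", ""):
        findings.append("userFilter does not contain the {USERNAME} placeholder")
    host = urlsplit(provider).hostname or ""
    if provider.startswith("ldap://") and opts.get("useSSL", "false").lower() != "true" \
            and host not in LOOPBACK:
        findings.append(f"plain ldap:// to {host} with useSSL=false: bind passwords cross "
                        "the network unencrypted; use ldaps:// or useSSL=true")
    if opts.get("debug", "false").lower() == "true":
        findings.append("debug=true: LdapLoginModule prints authentication details to "
                        "standard output; disable for production")
    return findings


def review(text: str) -> Dict[str, List[str]]:
    """Findings per JAAS context in the given configuration text."""
    return {m.context: review_ldap_module(m) for m in parse_jaas(text)}


if __name__ == "__main__":
    for context, findings in review(JAAS_CONFIG).items():
        print(context, findings or ["no findings"])
```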
5.4.6. Test
• Verify that the user fabrice is correctly declared in the LDAP Directory
> stop-bonita
> start-bonita
• Verify that the user fabrice is correctly declared: connect as install / @training! and check that
the user fabrice is declared
• Log on to the Portal using the account created previously.
You can no longer use the password stored in the Bonita Engine database, only
the one stored in the LDAP directory (password bpmldap).
If everything works, you are able to connect with this user and password.
Chapter 6. Create a new tenant
6.1. Requirements
When the installation is completed, one single tenant exists. A developer can write a Java
program to create a new tenant in the platform. In this exercise we’ll see the impact on the
file system and on the database when a new tenant is created.
6.2. Instructions
• Install the REST Client
• Create Tenant
6.3. Correction
6.3.1. Names
<TOMCAT_HOME> <BUNDLE_HOME>/server/
<SETUP_HOME> <BUNDLE_HOME>/setup/
Use a REST client plugin in your browser. For this exercise we use the Firefox RESTClient plugin,
but you are free to use any browser-based or standalone REST client. (We recommend that you do not
use REST Easy for Firefox, as it had some functional issues when tried with this exercise.)
If RESTClient is not already installed in your browser, you can install it via the menu (top right)
and the Add-ons button.
Figure 62. REST Client
After you restart Firefox, a button to activate RESTClient appears beside the Menu button of your
browser:
Figure 64. REST Client icon
Item Value
URL http://localhost:8080/bonita/platformloginservice?password=platform&redirect=false&username=platformAdmin
Method POST
Body
Result is 200:
Figure 65. Platform Login
Item Value
URL http://localhost:8080/bonita/API/platform/unusedid
Method GET
Header:
Body
Figure 66. Platform Status
{
"createdBy": "platformAdmin",
"previousVersion": "",
"created": "2018-04-19 14:35:01.068",
"initialVersion": "7.7.0.alpha-06",
"state": "STARTED",
"version": "7.7.0.alpha-06"
}
Item Value
URL http://localhost:8080/bonita/API/platform/platform/license
Method GET
Header:
Body
The answer should be:
{
"licenseStartDate": "2018-04-13",
"duration": 181,
"licenseExpirationDate": "2018-10-11",
"edition": "Performance",
"subscriptionStartPeriod": "2017-06-16",
"subscriptionEndPeriod": "2018-06-15",
"caseCounterLimit": 500000,
"caseCounter": 0,
"numberOfCPUCores": 2,
"requestKey": "(/fn7P2fItENrYM8MAD4h1ETr/iHjMjXQa0M8f9Ts/KsgY1yITYK0aQ==)",
"licenseMode": "Internal"
}
To create a tenant, you must also be logged in to a tenant through the Portal.
Item Value
URL http://localhost:8080/bonita/loginservice?
Method POST
Body username=walter.bates&password=bpm&redirect=false&redirectUrl=
Second option: log in to the Portal with Firefox, then read the cookie:
1. Press F12
2. Click on Storage
3. Select Cookies, then the domain http://localhost:8080
4. Search for the cookie X-Bonita-API-Token
Figure 67. Access the portal second tenant
Item Value
URL http://localhost:8080/bonita/API/platform/tenant
Method POST
{
"password":"",
"name":"Sale Tenant",
"icon":"/default.png",
"description":"Tenant used for the Sales Departement",
"id":"2",
"state":"DEACTIVATED",
"creation":"2014-12-04 15:30:19.930",
"username":""
}
The ID is the tenantId, used afterwards for all operations. In our case, the id is "2".
Use the tenant ID at the end of the URL. Attention: this is a PUT verb.
Item Value
URL http://localhost:8080/bonita/API/platform/tenant/2
Method PUT
Result should be:
{
"password":"",
"name":"MyTenant",
"icon":"/default.png",
"description":"Tenant used for the Sales Departement",
"id":"102",
"state":"ACTIVATED",
"creation":"2014-12-04 15:30:19.930",
"username":""
}
http://localhost:8080/bonita/login.jsp?tenant=2
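The same sequence driven from a script instead of the browser REST client, as an added example that is not part of the training material: platform login, tenant login (which yields the X-Bonita-API-Token cookie the steps above locate by hand), tenant creation, then the PUT that activates it. The request bodies of the tenant POST and of the activation PUT are assumptions, since the page shows only the responses; the technical user install / installSales is the one used later in this chapter.

```python
import http.cookiejar
import json
import urllib.parse
import urllib.request

API_TOKEN_COOKIE = "X-Bonita-API-Token"  # CSRF token cookie named in the steps above


def tenant_id(response_body):
    """Extract the tenant id from the JSON returned by POST /API/platform/tenant."""
    return str(json.loads(response_body)["id"])


def tenant_path(tid):
    """Path of the PUT that activates a tenant (the tenant id goes at the end of the URL)."""
    return f"/API/platform/tenant/{urllib.parse.quote(str(tid), safe='')}"


def csrf_token(cookies):
    """Value of the X-Bonita-API-Token cookie, from a CookieJar or from (name, value) pairs."""
    for cookie in cookies:
        name, value = (cookie.name, cookie.value) if hasattr(cookie, "name") else cookie
        if name == API_TOKEN_COOKIE:
            return value
    return None


class BonitaPlatformClient:
    """Runs the chapter's sequence over the platform REST API. The session cookies are
    kept in a jar; once the tenant login has set the API token cookie, its value is
    echoed in the X-Bonita-API-Token header, which CSRF protection requires."""

    def __init__(self, base_url="http://localhost:8080/bonita"):
        self.base_url = base_url.rstrip("/")
        self.jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))

    def _call(self, method, path, form=None, body=None):
        headers = {}
        if form is not None:  # login services take a form body, the API takes JSON
            data = urllib.parse.urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            data = json.dumps(body).encode() if body is not None else None
            headers["Content-Type"] = "application/json"
        token = csrf_token(self.jar)
        if token:
            headers[API_TOKEN_COOKIE] = token
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=headers)
        with self.opener.open(req) as resp:
            return resp.status, resp.read().decode("utf-8")

    def platform_login(self, username, password):
        return self._call("POST", "/platformloginservice",
                          form={"username": username, "password": password,
                                "redirect": "false"})

    def tenant_login(self, username, password):
        return self._call("POST", "/loginservice",
                          form={"username": username, "password": password,
                                "redirect": "false"})

    def create_tenant(self, name, description, tech_user, tech_password):
        # Assumed body: the fields that the response shown above echoes back.
        status, body = self._call("POST", "/API/platform/tenant", body={
            "name": name, "description": description,
            "username": tech_user, "password": tech_password})
        return tenant_id(body)

    def activate_tenant(self, tid):
        # Assumed body: the state field that flips from DEACTIVATED to ACTIVATED above.
        return self._call("PUT", tenant_path(tid), body={"state": "ACTIVATED"})


if __name__ == "__main__":
    client = BonitaPlatformClient()
    client.platform_login("platformAdmin", "platform")  # credentials from the steps above
    client.tenant_login("walter.bates", "bpm")
    new_id = client.create_tenant("Sale Tenant", "Tenant used for the Sales Department",
                                  "install", "installSales")
    print(client.activate_tenant(new_id))
```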
• Log in with user install / installSales
Item Value
username tony.marshall
• Validate
• Access the Membership, and reference the user in the role Member and the group Europe
Figure 69. Tony Marshall membership
• Edit the profiles, and in the profile Users, reference the role Member
Figure 70. Profile User
Attention: when you are logged in, the portal saves the tenant you logged in to.
When you log out, you are sent back to the URL http://localhost:8080/bonita/login.jsp?
_l=en&redirectUrl=portal/homepage, i.e. to the default tenant. Use the URL
http://localhost:8080/bonita/login.jsp?tenant=2 before any new attempt.
• Access the Community: use https://community.bonitasoft.com/ or the link from the Bonita web
site
Figure 71. Access the Community Portal
• In the profile detail, add the page Container ship to the menu, and reference Walter.Bates in
the Users mapping.
Figure 74. Use the Container Ship page
Chapter 7. Create a cluster
7.1. Prerequisites
A Bonita server installation with a PostgreSQL database (from the previous exercises)
7.2. Requirements
The goal of this exercise is to create a Bonita Cluster.
7.3. Instructions
To create a cluster we’ll transform the existing server into a cluster node. Then we’ll duplicate it,
change the port, and enable the cluster by changing the configuration.
• Test
7.4. Correction
7.4.1. Names
<TOMCAT_HOME> <BUNDLE_HOME>/server/
<SETUP_HOME> <BUNDLE_HOME>/setup/
> stop-bonita
<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-custom.properties
bonita.cluster=true
#bonita.platform.persistence.use_second_level_cache=true
change it to:
bonita.platform.persistence.use_second_level_cache=false
<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-cluster-custom.properties
Uncomment and set the bonita.cluster.name property to a name of your own, e.g. myBPMCluster
bonita.cluster.name=myBPMCluster
bonita.platform.cluster.hazelcast.tcpip.enabled=true
bonita.platform.cluster.hazelcast.multicast.enabled=false
bonita.platform.cluster.hazelcast.aws.enabled=false
• Set the server name of your node. In the same file, uncomment and change the following line:
bonita.platform.cluster.hazelcast.tcpip.members=localhost
• Start Bonita Platform in <BUNDLE_HOME>
> start-bonita
Let’s verify that the server has been converted into a cluster node:
<TOMCAT_HOME>/logs/catalina.yyyy-mm-dd.log
Members [1] {
Member [192.168.56.1]:5701 - b188db7e-dc04-4e51-836b-7d9ba8f9b905 this
}
This means that the server has been correctly converted into a cluster node.
> stop-bonita
• Duplicate your Tomcat server by copy/paste. You now have two nodes:
BonitaSubscription-7.x.y-Tomcat1
BonitaSubscription-7.x.y-Tomcat2
In the exercise we use two nodes on the same machine (for didactic reasons; this is far from a
real deployment, of course). The advantage is that we don’t need to generate a new license.
<BUNDLE_HOME2>/server/conf/server.xml
Item Value
By duplicating your Tomcat folder you have also duplicated the setup folder. Since the two nodes of the
cluster share the same database, where the configuration is stored, you need only one setup folder.
It’s good practice to keep this folder in a separate location, and to run a setup pull before any
modification.
BonitaSubscription-7.x.y-Tomcat1
BonitaSubscription-7.x.y-Tomcat2
setup
• In "real life" we should now register the IP of tomcat2. We should open the file
<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-cluster-custom.properties
and list it in:
bonita.platform.cluster.hazelcast.tcpip.members=
Since both of our Tomcats are on localhost, we don’t need this step.
cd <BUNDLE_HOME1>
start-bonita
cd <BUNDLE_HOME2>
start-bonita
<BUNDLE_HOME>/server/logs/catalina.yyyy-mm-dd.log
Members [2] {
Member [localhost]:5701 - 30c4034e-44e6-402a-b909-689f8b6ef651
Member [localhost]:5702 - 745d12e3-1496-4510-a6a0-018f6842313c this
}
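A small check of the membership block above, added here and not part of the training material: it parses the last Hazelcast "Members [n] {" block in a catalina log and reports when the node count, the declared count or the "this" marker is not what a healthy two-node cluster should show. The log lines around the block are constructed noise.

```python
import re

# Constructed catalina log excerpt in the format shown above; the lines around the
# membership block are invented noise, the member lines are the ones from the page.
TWO_NODE_LOG = """\
INFO [main] com.hazelcast.instance.Node - node started
Members [2] {
\tMember [localhost]:5701 - 30c4034e-44e6-402a-b909-689f8b6ef651
\tMember [localhost]:5702 - 745d12e3-1496-4510-a6a0-018f6842313c this
}
INFO [main] org.apache.catalina.startup.Catalina - server startup complete
"""

# The single-node block from the first start, before the second Tomcat existed.
ONE_NODE_LOG = """\
Members [1] {
\tMember [192.168.56.1]:5701 - b188db7e-dc04-4e51-836b-7d9ba8f9b905 this
}
"""

MEMBERS_HEADER = re.compile(r"^\s*Members \[(\d+)\] \{\s*$")
MEMBER_LINE = re.compile(r"^\s*Member \[([^\]]+)\]:(\d+) - ([0-9a-f-]+)( this)?\s*$")


def parse_membership(log_text):
    """Return the most recent membership block as (declared_count, members), where
    members is a list of dicts with host, port, uuid and is_this; None if no block."""
    blocks, current = [], None
    for line in log_text.splitlines():
        header = MEMBERS_HEADER.match(line)
        if header:
            current = (int(header.group(1)), [])
            continue
        if current is None:
            continue
        member = MEMBER_LINE.match(line)
        if member:
            current[1].append({"host": member.group(1), "port": int(member.group(2)),
                               "uuid": member.group(3),
                               "is_this": member.group(4) is not None})
        elif line.strip() == "}":
            blocks.append(current)
            current = None
    # Hazelcast prints a fresh block on every join or leave, so the last one is current.
    return blocks[-1] if blocks else None


def check_cluster(log_text, expected_nodes):
    """Return a list of problems; an empty list means this node sees the expected cluster."""
    parsed = parse_membership(log_text)
    if parsed is None:
        return ["no 'Members [n] {' block found: bonita.cluster=true may not be in effect"]
    declared, members = parsed
    problems = []
    if declared != len(members):
        problems.append(f"header declares {declared} members but {len(members)} were listed")
    if len(members) != expected_nodes:
        problems.append(f"expected {expected_nodes} nodes, found {len(members)}")
    if sum(m["is_this"] for m in members) != 1:
        problems.append("exactly one member must be marked 'this' (the local node)")
    return problems


def single_host(log_text):
    """True when every member runs on one host, as in this exercise: no failover."""
    parsed = parse_membership(log_text)
    return parsed is not None and len({m["host"] for m in parsed[1]}) == 1
```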
Open the two portals in two different browsers (Chrome and Firefox):
• Now change something (like the name of a user) in the first Tomcat
• Check whether you can see the modification directly from the Tomcat 2 portal
You shouldn’t need to log out to see the updates; they should appear in real time.
Chapter 8. Security
8.1. Requirements
8.2. Instructions
Increase the security by:
• Enable CSRF
• Enable SSL
8.3. Correction
8.3.1. Names
<TOMCAT_HOME> <BUNDLE_HOME>/server/
<SETUP_HOME> <BUNDLE_HOME>/setup/
Bonita Engine has two technical users, platformAdmin and install (there is one install per
tenant).
<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-community-custom.properties
and change:
## Bonita Tenant server core configuration
userName=install
userPassword=@training!
<SETUP_HOME>/platform_conf/current/platform_portal/platform-tenant-config.properties
#For tenant
#Use this property to force the tenant used by the portal when logging in
#platform.tenant.default.id=0
platform.tenant.default.username=install
platform.tenant.default.password=@training!
<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-community-custom.properties
## Platform administrator
platformAdminUsername=platformAdmin
platformAdminPassword=@platformTraining!
• Log in the Portal as a User (walter.bates for example).
When you deploy a page, you then have to register it on a Profile or in a Living Application. Access
to the page is controlled by access to the profile (a Living Application registers a profile).
• Get the REST API Extension "PermissionAccess-1.0.0.zip" and load it on the portal (go to
"Resources ⇒ ADD").
• To know the permission, open the ZIP file and open the page.properties file:
PermissionAccess.permissions=TrainingAccess
• Check the access: via the REST CLIENT, access the following URL
Item Value
URL http://localhost:8080/bonita/API/extension/checkAccess
Method GET
Header:
Body
Figure 76. Error access
<SETUP_HOME>/platform_conf/current/tenants/1/tenant_portal/custom-permissions-mapping.properties
and add:
profile|Training=[TrainingAccess]
It’s not recommended to grant the permission by user name. It should be done per
profile, so that the administrator can register users in it afterwards.
> stop-bonita
> start-bonita
Figure 78. Register Walter Bates
• Run the REST API call again: you now get a status 200
• Log in as Helen.Kelly and run the REST API call again: you get a status 403. Only Walter.Bates can
access this REST API Extension
In a new installation, CSRF protection is enabled by default. If you migrate a Bonita server
from a version below 7.3, CSRF protection may be disabled to keep it compatible.
> setup pull
<SETUP_HOME>/platform_conf/current/platform_portal/security-config.properties
see https://documentation.bonitasoft.com/bonita/7.6/csrf-security
By default, the password is saved encrypted in the Bonita database. There is no password policy,
so any simple password can be used.
<SETUP_HOME>/platform_conf/current/tenants/1/tenant_portal/security-config.properties
security.password.validator=org.bonitasoft.web.rest.server.api.organization.password.validator.RobustnessPasswordValidator
By default, only the administrator can change the password of a user. Use the
ChangePassword custom page to let a user change their own password (see
below).
• Connect as Walter.Bates
• Select a user (like Mrs Isabel Bleasdale) and go to the password tab
Figure 80. Error when password does not respect the policy
• at least 3 digits
HelloThisIsTheTraining@2018!
Figure 81. Error when password does not respect the policy
CORS is used to verify that the Bonita Portal is not encapsulated in a hidden frame. When the Portal
is encapsulated in a frame, some JavaScript can be deployed in the parent frame to capture the login
and password.
If you try to call the REST API from a page hosted on a domain other than the one of the
Tomcat bundle, you will face issues due to the 'same-origin policy' enforced by web
browsers.
<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml
• Search for the last filter section (it should be the filter named UrlRewriteFilter) and add after it:
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
  </init-param>
  <!-- List of the response headers other than simple response headers that the
       browser should expose to the author of the cross-domain request through the
       XMLHttpRequest.getResponseHeader() method. The CORS filter supplies this
       information through the Access-Control-Expose-Headers header. -->
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-Bonita-API-Token</param-value>
  </init-param>
  <!-- The names of the supported author request headers. These are advertised through
       the Access-Control-Allow-Headers header. The CORS Filter implements this by
       simply echoing the requested value back to the browser. -->
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Bonita-API-Token</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
> stop-bonita
> start-bonita
See https://documentation.bonitasoft.com/bonita/7.6/enable-cors-in-tomcat-bundle
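A review check for the CorsFilter declared above, added here and not part of the training material: it reads the filter's init-params out of web.xml (namespace-aware, since a real web.xml declares one) and flags the training value cors.allowed.origins=*, which lets any origin call the REST API. The hardened variant with a single origin, https://app.example.com, is a constructed example value.

```python
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# The CorsFilter from the web.xml fragment above, wrapped in a namespaced root
# element the way a real web.xml is, so that it parses stand-alone.
PAGE_CORS_FILTER = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Bonita-API-Token</param-value>
  </init-param>
</filter>
</web-app>"""

# Hardened variant (constructed origin): only the calling application may use the API.
HARDENED_CORS_FILTER = PAGE_CORS_FILTER.replace(
    "<param-value>*</param-value>", "<param-value>https://app.example.com</param-value>")


def _local(tag):
    """Strip the XML namespace that a real web.xml puts on every element tag."""
    return tag.rsplit("}", 1)[-1]


def cors_params(web_xml_text):
    """Return the CorsFilter init-params as a dict, or None when the filter is absent."""
    for flt in ET.fromstring(web_xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        fields = {_local(c.tag): (c.text or "").strip()
                  for c in flt if _local(c.tag) != "init-param"}
        if fields.get("filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for init in flt:
            if _local(init.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in init}
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return None


def audit_cors(web_xml_text):
    """Findings about the CORS policy; an empty list means nothing to review."""
    params = cors_params(web_xml_text)
    if params is None:
        return []  # no filter: browsers keep enforcing the same-origin policy
    findings = []
    # Tomcat's documented defaults: any origin allowed, credentials supported.
    origins = [o.strip() for o in params.get("cors.allowed.origins", "*").split(",")]
    credentials = params.get("cors.support.credentials", "true").lower() == "true"
    if "*" in origins:
        findings.append("cors.allowed.origins is '*': any site a logged-in user visits "
                        "may issue cross-origin calls to the REST API; list the calling origins")
        if credentials:
            findings.append("cors.support.credentials is on together with a wildcard origin: "
                            "browsers refuse credentialed responses carrying "
                            "Access-Control-Allow-Origin: *, so decide credentials per explicit origin")
    for origin in origins:
        if origin.startswith("http://"):
            findings.append(f"origin {origin} is plain HTTP: the CORS decision then "
                            "trusts a page that was not delivered over TLS")
    return findings
```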
This enables you to use secure HTTP (HTTPS) to access the portal.
• Run the Java keytool to create a certificate and store it in the keystore. (Note: if you are using
Windows, you need to run keytool as administrator.)
mkdir <TOMCAT_HOME>\conf\ssl
keytool -genkey -alias tomcat -keyalg RSA -keystore <TOMCAT_HOME>\conf\ssl\keystore.jks
Answer the questions that keytool asks. When asked for your first name and last name, provide the
hostname of your system. We use the password bonita! to create the file.
• Edit
<TOMCAT_HOME>/conf/server.xml
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           URIEncoding="UTF-8"
           keystoreFile="${catalina.base}/conf/ssl/keystore.jks"
           keystorePass="bonita!"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1"></Connector>
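A review check for the HTTPS Connector above, added here and not part of the training material: it pulls every SSLEnabled Connector out of server.xml and flags the settings a practitioner would revisit after the exercise, namely the TLSv1 protocol version (deprecated by RFC 8996), the keystore password written as a literal, and the client-certificate prompt. The expansion of Tomcat's "all" protocol keyword follows the Tomcat 8.5 documentation and is an assumption for other releases.

```python
import xml.etree.ElementTree as ET

# The HTTPS Connector from the server.xml above, inside constructed wrapper elements;
# the keystore password is the training value used on the page.
PAGE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           URIEncoding="UTF-8"
           keystoreFile="${catalina.base}/conf/ssl/keystore.jks"
           keystorePass="bonita!"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1"/>
</Service></Server>"""

# Versions deprecated by RFC 8996 (TLS 1.0 and 1.1) or long broken (SSL 2 and 3).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What Tomcat 8.5 documents for the "all" keyword (assumption for other releases).
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Attributes that carry the enabled protocol list, depending on the Tomcat generation.
PROTOCOL_ATTRS = ("SSLProtocol", "sslEnabledProtocols", "protocols")


def https_connectors(server_xml_text):
    """Attribute dicts of every Connector that has SSLEnabled="true"."""
    root = ET.fromstring(server_xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def enabled_protocols(attrs):
    """Protocol names the connector enables: comma-separated tokens, optionally
    prefixed with '+' (add) or '-' (remove), and the 'all' keyword."""
    names = set()
    for attr in PROTOCOL_ATTRS:
        for token in attrs.get(attr, "").split(","):
            token = token.strip()
            if not token:
                continue
            if token.startswith("-"):
                names.discard(token[1:])
                continue
            token = token.lstrip("+")
            names |= ALL_PROTOCOLS if token == "all" else {token}
    return names


def audit_https_connector(attrs):
    """Findings for one HTTPS connector; an empty list means nothing to review."""
    findings = []
    weak = sorted(enabled_protocols(attrs) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append(f"deprecated protocol version(s) enabled: {', '.join(weak)}; "
                        "enable TLSv1.2 or later only")
    password = attrs.get("keystorePass", "")
    if password and not password.startswith("${"):
        findings.append("keystorePass is a literal in server.xml: reference a property such as "
                        "${keystore.password} set outside the file, and restrict who can read it")
    if attrs.get("secure", "false").lower() != "true" or attrs.get("scheme") != "https":
        findings.append('secure="true" and scheme="https" are needed for request.isSecure() '
                        "to be true behind this connector")
    if attrs.get("SSLVerifyClient", "none").lower() == "optional":
        findings.append('SSLVerifyClient="optional" requests a client certificate from every '
                        'browser; use "none" unless certificate authentication is intended')
    return findings


def audit_server_xml(server_xml_text):
    """Findings for every HTTPS connector in the file, keyed by port."""
    return {c.get("port", "?"): audit_https_connector(c)
            for c in https_connectors(server_xml_text)}
```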
• Edit
<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml
web-app is the root element of the XML, so just add the following close to the end of the file, after
</welcome-file-list>:
<web-app>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Bonita Portal Secure URLs</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
Start Tomcat:
> start-bonita
8.3.8. Restriction on the JAVA API
It’s possible to connect to the Bonita Engine using the Java API. When software is connected through the
Java API, no permission is applied: the software can access all functions.
• Edit
<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml
and lines
> stop-bonita
> start-bonita
Chapter 9. Ldap synchronization (Online Ldap example)
9.1. Prerequisites
• Unzipped BonitaBPMSubscription-7.x.y-deploy folder
9.2. Requirements
Even if we use LDAP for authentication, we still need our users to be registered in the Bonita
database for authorization purposes. The requirement is to set up synchronization between an
LDAP source and the Bonita database.
9.3. Instructions
We will use a provided LDAP server, ldap.forumsys.com. We just need to configure the LDAP
Synchronizer:
◦ Edit LDAP synchronizer configuration file (bonita.properties) and technical user credentials
◦ Edit LDAP synchronizer configuration file for the LDAP connection (ldap.properties)
◦ Edit the file that defines mapping of data between Bonita organization and LDAP attributes
(mapper.properties)
◦ Edit sync.properties to specify how the synchronization needs to be performed (entry point for
users’ lookup, logging…)
• Run the LDAP synchronizer in order to copy LDAP information to Bonita organization
9.4. Correction
9.4.1. Names
<TOMCAT_HOME> <BUNDLE_HOME>/server/
<SETUP_HOME> <BUNDLE_HOME>/setup/
9.4.2. Configure LDAP Synchronizer
• LDAP Synchronizer is included in the Deploy component. In the Customer Portal Download
page, search for BonitaSubscription-7.x.y-deploy.zip
BonitaBPMSubscription-7.x.y-deploy/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
<LDAP_SYNCHRONIZER>
LDAP Synchronizer relies on the Bonita Client Java library to push information to the Bonita
Engine. As it runs as a standalone Java application, it cannot use direct Java access to the Bonita
Engine (different classloaders), so we will set up the Bonita Client communication to use HTTP.
The LDAP Synchronizer can run for multiple domains, i.e. multiple tenants. Each tenant
configuration has its own directory, where tenant 1 is "1" or "default". In the next
part, we use the directory "default" to configure tenant 1.
<LDAP_SYNCHRONIZER>/conf/default/bonita.properties
######
# Bonita connection settings
######
# Access type to the server - use EJB3,HTTP
apiType=HTTP
# Application name
applicationName=bonita
######
# Bonita connection settings
######
#bonita_home = <PathToBonitaHome>
######
# Bonita account used for sync (needs admin privileges)
######
login = install
password = install
technicalUser = platformAdmin
technicalPassword = platform
The login is used by the LDAP Synchronizer to connect to the engine and to create and update users. A
different user can be used, but pay attention that this user will not be disabled by the LDAP
Synchronizer itself. The technical user (install) is ignored by the LDAP Synchronizer because it is not a real
user.
The platformAdmin is necessary to get the list of all existing tenants. No tenants
will be created or removed by the LDAP Synchronizer.
Configure ldap.properties: edit the file
<LDAP_SYNCHRONIZER>/conf/default/ldap.properties
and specify the appropriate information to connect to your LDAP server:
######
# LDAP connection settings
######
host_url = ldap://ldap.forumsys.com:389
auth_type = simple
######
# LDAP account used for browsing
######
principal_dn = cn=read-only-admin,dc=example,dc=com
principal_password = password
######
# User type ('person' for LDAP, 'user' for AD)
######
directory_user_type = person
######
# Paged search
# Not supported by all LDAP servers
######
use_paged_search = false
page_size = 1000
Configure mapper.properties
Edit
<LDAP_SYNCHRONIZER>/conf/default/mapper.properties
######
# MAPPER CONFIGURATION
# Provides the field mapping between Bonita to LDAP such as:
# bonita_property = ldap_property
#
# user_name is the only mandatory property as it is the key defined for matching users, all other properties are optionals.
# Unused properties should be commented out.
# Bonita meta data is not supported in current version (v4)
######
######
# GENERAL INFORMATIONS
######
user_name = uid
first_name = givenName
last_name = sn
#title =
#job_title =
#manager =
#delegee =
######
# PROFESSIONAL INFORMATIONS
######
pro_email = mail
#pro_phone =
#pro_mobile =
#pro_fax =
#pro_website =
#pro_room =
#pro_building =
#pro_address =
#pro_city =
#pro_zip_code =
#pro_state =
#pro_country =
######
# PERSONNAL INFORMATIONS
######
#perso_email =
#perso_phone =
#perso_mobile =
#perso_fax =
#perso_website =
#perso_room =
#perso_building =
#perso_address =
#perso_city =
#perso_zip_code =
#perso_state =
#perso_country =
Configure sync.properties
Edit
<LDAP_SYNCHRONIZER>/conf/default/sync.properties
# WARNING: To use a special character in this properties file, escape it and give the Unicode value. For example, à = \u00E0.
# To find the Unicode equivalent of a character, see http://unicode-table.com/en/.
# or use the native2ascii program from the JDK.
######
# SYNCHRONIZATION CONFIGURATION
# Provides the settings for the synchronization between Bonita and LDAP
# See also mapper.conf
######
######
# ERROR BEHAVIOR SETTINGS
# Defines the synchronization error behavior settings
######
# Specifies whether an error should be blocking upon getting related users (manager)
error_level_upon_failing_to_get_related_user = warn
######
# LDAP SYNC SEARCH SETTINGS
# Defines the LDAP watched directory
######
######
# BONITA USER SYNC SETTINGS
######
# Specify Bonita users who should not be synchronized (user names separated by commas)
#bonita_nosync_users = admin,john,james,jack
# Specifies whether the tool should deactivate Bonita users which are not present in LDAP
bonita_deactivate_users = true
# Specifies whether the tool should reactivate Bonita users which are updated in LDAP
bonita_reactivate_users = true
# Specify the role that will be affected to Bonita users
bonita_user_role = user
bonita_user_custominfo_policy = partial
######
# LDAP GROUP SYNC SETTINGS
# Defines the LDAP groups that are synchronized
######
# Specify group2 settings: synch the group with specified dn but not users inside this group
group2.ldap_group_dn = ou=scientists,dc=example,dc=com
group2.forced_bonita_group_name = scientists
You should always avoid deleting users in the Bonita organization. When a user
performs a task, Bonita Engine keeps the link between the task and the
user. If you delete the user account, you leave this relation broken.
<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
<LDAP_SYNCHRONIZER>/logs
Check the log files in this folder to make sure that everything has run flawlessly.
After synchronization, if you now try to log in to the Bonita BPM portal with your
new user added in the LDAP directory, it does not work. This is because the
authentication service still checks the user credentials in the Bonita BPM database,
and the LDAP synchronizer doesn’t synchronize passwords. In order to log in we
need one of the following options:
• update the password through the portal: click on MORE… and then access the Password tab
• Change it to bpm
9.4.4. Test synchronization
Log in again with your user. This time Bonita Portal will authenticate you and you should be
able to display the task list view.
You can add on each user some custom attributes, and then you can synchronize them from any
LDAP attributes.
Bonita Organization comes out with a full set of attributes for the users (i.e. email, phones, building,
etc), but it’s possible to create custom information.
• Select a user (e.g. walter.bates), click on MORE… and then on the tab Custom information: the
new custom information has to be present.
◦ Custom information can be updated by the LDAP Synchronizer by switching the property in
the sync.properties file:
bonita_user_custominfo_policy = scope
allow_custominfo_creation = true
With scope, all attributes are updated, and set to null if the LDAP object does not have
the value.
Unfortunately the online LDAP provider we are using is not that rich in attributes, so for this
exercise we’ll consider the telephone as a custom attribute.
Edit mapper.properties
<LDAP_SYNCHRONIZER>/conf/default/mapper.properties
######
# CUSTOM ATTRIBUTE INFORMATIONS
######
custom_otherPhone = telephoneNumber
<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer
Verify the result. Connect with the install user, and access the user einstein.
Access the custom information tab and check that the information is updated. (Not all users have
this custom information provided.)
Chapter 10. Bonita LDAP authentication (Online Ldap example)
10.1. Prerequisites
• Internet connection to this website: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
10.2. Requirements
One of the options for Bonita authentication is to use an LDAP source directly, without SSO. The
objective of this exercise is to configure LDAP authentication.
10.3. Instructions
• Configure the Engine to rely on the JAAS authentication service implementation (cfg-bonita-authentication-impl.xml)
• Configure the JAAS Login Context to use the LDAP Login Module, so that authentication is performed
against LDAP instead of the Bonita users database
10.4. Correction
10.4.1. Names
<TOMCAT_HOME> <BUNDLE_HOME>/server/
<SETUP_HOME> <BUNDLE_HOME>/setup/
> stop-bonita
> setup pull
JAAS configuration is done at JVM level and requires a configuration file. From the provided files,
copy jaas-bonita-ldap.cfg into
<TOMCAT_HOME>/conf
BonitaAuthentication-1 {
com.sun.security.auth.module.LdapLoginModule sufficient
userProvider="ldap://ldap.forumsys.com:389/cn=read-only-admin,dc=example,dc=com"
authIdentity="cn=read-only-admin,dc=example,dc=com"
debug=true
useSSL=false;
};
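A parser and review check for the JAAS login configuration above, added here and not part of the training material; it covers both this chapter's online-LDAP context and the local-LDAP context of chapter 5, which are embedded as constructed copies. The check flags what a practitioner would revisit after the exercise: plaintext ldap:// binds, debug output, and an authIdentity without the {USERNAME} token, which makes the module bind as one fixed DN whatever user name is entered.

```python
import re
from urllib.parse import urlsplit

# Constructed copies of the two login contexts shown in chapter 5 and in this chapter.
LOCAL_LDAP_CFG = """\
BonitaAuthentication-1 {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://localhost:10389/ou=people,dc=example,dc=com"
    userFilter="(&(uid={USERNAME})(objectClass=person))"
    authzIdentity="{USERNAME}"
    debug=true
    useSSL=false;
};
"""
ONLINE_LDAP_CFG = """\
BonitaAuthentication-1 {
  com.sun.security.auth.module.LdapLoginModule sufficient
    userProvider="ldap://ldap.forumsys.com:389/cn=read-only-admin,dc=example,dc=com"
    authIdentity="cn=read-only-admin,dc=example,dc=com"
    debug=true
    useSSL=false;
};
"""

LDAP_MODULE = "com.sun.security.auth.module.LdapLoginModule"
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}
# A context is "Name { entries };"; each entry is "ModuleClass flag option=value ...;".
CONTEXT = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')


def parse_jaas(text):
    """Parse a JAAS login configuration into {context: [(module_class, flag, options)]}."""
    contexts = {}
    for name, body in CONTEXT.findall(text):
        modules = []
        for entry in body.split(";"):
            entry = entry.strip()
            if not entry:
                continue
            head = entry.split(None, 2)  # class, control flag, then the option list
            rest = head[2] if len(head) > 2 else ""
            opts = {k: v.strip('"') for k, v in OPTION.findall(rest)}
            modules.append((head[0], head[1].lower(), opts))  # flags are case-insensitive
        contexts[name] = modules
    return contexts


def audit_jaas(text):
    """Defensive review of every LdapLoginModule entry; returns a list of findings."""
    findings = []
    for context, modules in parse_jaas(text).items():
        for module_class, flag, opts in modules:
            where = f"{context}/{module_class.rsplit('.', 1)[-1]}"
            if flag not in VALID_FLAGS:
                findings.append(f"{where}: unknown control flag '{flag}'")
            if module_class != LDAP_MODULE:
                continue
            scheme = urlsplit(opts.get("userProvider", "")).scheme
            if scheme != "ldaps" and opts.get("useSSL", "false").lower() != "true":
                findings.append(f"{where}: plaintext LDAP bind, the user's password crosses "
                                "the network unencrypted (use ldaps:// or useSSL=true)")
            if opts.get("debug", "false").lower() == "true":
                findings.append(f"{where}: debug=true writes bind details to the server "
                                "log; turn it off after the exercise")
            # Without a userFilter the module is in authentication-first mode and binds
            # with authIdentity; {USERNAME} is what ties that DN to the entered name.
            if "userFilter" not in opts and "{USERNAME}" not in opts.get("authIdentity", ""):
                findings.append(f"{where}: authIdentity has no {{USERNAME}} token, so the "
                                "module binds with one fixed DN whatever user name is typed; "
                                "that DN's password then opens any Bonita account")
    return findings
```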
• The JVM locates the JAAS configuration file through a JVM system property
named java.security.auth.login.config. To define the JVM system property, edit the file
and uncomment the SECURITY_OPTS line, replacing the file name with jaas-bonita-ldap.cfg. The line
must be:
set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas-bonita-ldap.cfg"
• Modify the CATALINA_OPTS property to add %SECURITY_OPTS% after
%PLATFORM_SETUP% in the list of CATALINA_OPTS, like this:
• Modify the properties file so that the JAAS implementation of the login service is used:
<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-sp-custom.properties
Comment out the authenticationService line (if not already done) and add a new line:
authentication.service.ref.name=jaasAuthenticationService
10.4.6. Test
> stop-bonita
> start-bonita
• Verify that the user euclid is correctly declared: connect as install and check that the user
euclid is declared
• Log on to the Portal using the account created previously, with the password "password" (which is
defined in the LDAP directory and not in Bonita)
You can no longer use the previous password defined in the Bonita Engine
database, only the one stored in the LDAP directory (password password).
If everything works, you are able to connect with this user and password.
Congrats, you finished the exercise!