
Living Application Administration

Table of Contents

1. Deploy a simple server (page 1)
  1.1. Prerequisites (page 1)
  1.2. Objectives (page 1)
  1.3. Instructions (page 1)
  1.4. Correction (page 1)
    1.4.1. Download the bundle from the download page in the customer portal (page 1)
    1.4.2. Extract the bundle (page 2)
    1.4.3. Install the license file (page 2)
    1.4.4. First start (page 3)
    1.4.5. Import the Organization (page 5)
    1.4.6. Install one process (page 8)
    1.4.7. Setup tool: Update configuration / license (page 10)
    1.4.8. Setup tool: Change technical password (page 12)
2. Bonita with PostgreSQL (page 13)
  2.1. Requirements (page 13)
  2.2. Instructions (page 13)
  2.3. Correction (page 13)
    2.3.1. Names (page 13)
    2.3.2. PostgreSQL (page 13)
  2.4. Start the server (page 17)
  2.5. Populate the server (page 18)
3. Deploy Living application resources (page 19)
  3.1. Requirements (page 19)
  3.2. Instructions (page 19)
  3.3. Correction (page 19)
    3.3.1. Introduction (page 19)
    3.3.2. Organization (page 19)
    3.3.3. BDM file (page 21)
    3.3.4. Processes (page 23)
    3.3.5. Rest api extension (page 25)
    3.3.6. Page (page 26)
    3.3.7. Profile (page 28)
    3.3.8. Connector implementation (Live Update) (page 29)
    3.3.9. Change a parameter of the process deployed (page 30)
    3.3.10. Living application (page 31)
4. Ldap synchronization (page 33)
  4.1. Requirements (page 33)
  4.2. Instructions (page 33)
  4.3. Correction (page 33)
    4.3.1. Names (page 33)
    4.3.2. ApacheDS installation (page 34)
    4.3.3. Apache Directory Studio installation (page 34)
    4.3.4. Check the LDAP directory (page 34)
    4.3.5. Configure LDAP Synchronizer (page 35)
    4.3.6. How to create a new account in LDAP (page 40)
    4.3.7. Execute LDAP Synchronizer (page 46)
    4.3.8. Test synchronization (page 48)
    4.3.9. Synchronize the Custom information (page 48)
5. Bonita LDAP authentication (page 52)
  5.1. Prerequisites (page 52)
  5.2. Requirements (page 52)
  5.3. Instructions (page 52)
  5.4. Correction (page 52)
    5.4.1. Names (page 52)
    5.4.2. Pull the configuration (page 52)
    5.4.3. JAAS configuration (page 53)
    5.4.4. Bonita authentication service configuration (page 54)
    5.4.5. Push the configuration (page 54)
    5.4.6. Test (page 54)
6. Create a new tenant (page 56)
  6.1. Requirements (page 56)
  6.2. Instructions (page 56)
  6.3. Correction (page 56)
    6.3.1. Names (page 56)
    6.3.2. Download the REST client (page 56)
  6.4. Connect to the platform (page 58)
  6.5. Create a new tenant (page 61)
  6.6. Connect to the Tenant (page 63)
  6.7. Create users (page 64)
    6.7.1. Container Ship (page 66)
7. Create a cluster (page 70)
  7.1. Prerequisites (page 70)
  7.2. Requirements (page 70)
  7.3. Instructions (page 70)
  7.4. Correction (page 70)
    7.4.1. Names (page 70)
    7.4.2. Convert the basic installation into cluster node (page 70)
    7.4.3. Cluster node verification (page 72)
    7.4.4. Create a new node (page 72)
    7.4.5. Extract setup folder (page 73)
    7.4.6. Tomcat 2 ip registration (page 73)
    7.4.7. Run Tomcat 1 & 2 (page 73)
    7.4.8. Test if cluster works properly (page 74)
8. Security (page 75)
  8.1. Requirements (page 75)
  8.2. Instructions (page 75)
  8.3. Correction (page 75)
    8.3.1. Names (page 75)
    8.3.2. Change technical password (page 75)
    8.3.3. Security on a REST API (page 77)
    8.3.4. Enable CSRF (page 80)
    8.3.5. Enforce the password policy (page 81)
    8.3.6. Enable the CORS (Tomcat) (page 83)
    8.3.7. Enable SSL (page 85)
    8.3.8. Restriction on the JAVA API (page 87)
9. Ldap synchronization (Online Ldap example) (page 88)
  9.1. Prerequisites (page 88)
  9.2. Requirements (page 88)
  9.3. Instructions (page 88)
  9.4. Correction (page 88)
    9.4.1. Names (page 88)
    9.4.2. Configure LDAP Synchronizer (page 89)
    9.4.3. Execute LDAP Synchronizer (page 94)
    9.4.4. Test synchronization (page 96)
    9.4.5. Synchronize the Custom information (page 96)
10. Bonita LDAP authentication (Online Ldap example) (page 98)
  10.1. Prerequisites (page 98)
  10.2. Requirements (page 98)
  10.3. Instructions (page 98)
  10.4. Correction (page 98)
    10.4.1. Names (page 98)
    10.4.2. Pull the configuration (page 98)
    10.4.3. JAAS configuration (page 99)
    10.4.4. Bonita authentication service configuration (page 100)
    10.4.5. Push the configuration (page 100)
    10.4.6. Test (page 100)

Chapter 1. Deploy a simple server
1.1. Prerequisites
You need the Java JDK 8 installed.

You need to define a variable called JAVA_HOME in the System Variables of your OS, for example:

JAVA_HOME C:\Program Files\Java\jdk1.8.0_40

Java must be ready for execution: on the command line, run "java -version". You should get an answer similar to:

java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)

1.2. Objectives
The goal of this exercise is to deploy a server for testing and prototyping environments, so that the Portal and generated applications can be deployed quickly and easily on a pre-configured application server.

1.3. Instructions
• Download the Tomcat bundle from the download page in the customer portal (link provided by email or by your trainer).

• Extract the Tomcat bundle.

• Generate a request key with request_key_utils.

• Generate a licence from your customer / partner portal (or use an already created licence if you have one).

• Copy the licence into the platform_conf/licenses folder.

• Start your server for the first time.

• Update the configuration and restart.

1.4. Correction
1.4.1. Download the bundle from the download page in the customer portal.

To get the download page, access the customer portal, menu "Download", or ask your trainer.

• In the section "Deploying Server Components"

• Choose your component; for this exercise we take the Tomcat bundle (i.e. BonitaSubscription-<version>-Tomcat-<version>.zip)

1.4.2. Extract the bundle.

Just extract the archive into a folder whose path contains no spaces or special characters (no accents).

A Bonita bundle is composed of:

- At the root, the files to start / stop the platform.
- A setup folder, which is the working folder of the Platform Setup tool.
- A server folder with the application server, the application and the key tool.

• Note the path to the extracted folder as "BUNDLE_HOME"

We named:

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

1.4.3. Install the license file.

A server needs a license to run, exactly like your Bonita Studio.

If the version (e.g. 7.x) is the same between the Studio and your server, and if they are on the same machine, you can copy the Studio license into

SETUP_HOME/platform_conf/licenses/.

Otherwise:

• Go to TOMCAT_HOME/request_key_utils/

• Execute the version of the generator that matches your OS and license type (e.g. Windows, development: generateRequestKey.bat)

• Select option 1 - Case counter license.

• Copy the key (everything, including the parentheses)

• Generate a licence from your key (in training, just send the key to your trainer)

• Copy the licence file into SETUP_HOME/platform_conf/licenses/. This licence is a Development licence, so you then need to follow the Customize chapter.

Figure 1. Select option 1 in license key generation

1.4.4. First start.

Start the server:

• Open a shell (Linux) / cmd (Windows) prompt and go to BUNDLE_HOME

• Run start-bonita.bat (or .sh)

• The console finishes with the message: "INFOS: Server startup in xxxxx ms"

Figure 2. Server is started

• You can open your browser at the address : http://localhost:8080/bonita/

Figure 3. Home page

• Log in with the default technical user: login install, password install

Figure 4. User install is logged

Troubleshooting

If something is not working properly, check TOMCAT_HOME/logs/ for errors, in the files named bonita.<date of the day>.log and catalina.<date of the day>.log. Main errors:

java.net.BindException: Address already in use: JVM_Bind <null>:8080

The server tries to start on port 8080, and this port is already in use. Is the Studio started? The Studio may be using port 8080.

org.bonitasoft.engine.exception.CreationException: The licence is not valid: License Error 51
Unexpected error(s). It might be due an environment issue.
License Error: No license file found.

You forgot to set the license, or the license is not correct.
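As an added example (not part of the training manual), the following Python script applies the two troubleshooting rules above to log text: it classifies the port-conflict and license errors and reports the remedy the manual gives for each. The sample log is constructed to resemble bonita/catalina output, and the function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the two "main errors" quoted above
# (not copied from a real bonita.<date>.log / catalina.<date>.log).
SAMPLE_LOG = """\
INFOS: Starting ProtocolHandler ["http-nio-8080"]
java.net.BindException: Address already in use: JVM_Bind <null>:8080
org.bonitasoft.engine.exception.CreationException: The licence is not valid: License Error 51
Unexpected error(s). It might be due an environment issue.
License Error: No license file found.
INFOS: Server startup in 24312 ms
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the log
    kind: str      # short classifier
    remedy: str    # what the manual says to check


# (pattern, kind, remedy) for the errors the troubleshooting section lists.
PATTERNS = [
    (re.compile(r"java\.net\.BindException: Address already in use.*:(\d+)$"),
     "port_in_use",
     "Port {port} is already in use; check whether the Studio (which may use 8080) "
     "or another server is running."),
    (re.compile(r"License Error: No license file found"),
     "license_missing",
     "No license file in SETUP_HOME/platform_conf/licenses; install it and push "
     "the configuration with the setup tool."),
    (re.compile(r"The licence is not valid"),
     "license_invalid",
     "A license file is present but rejected; install a valid one for this version."),
]


def triage_log(text: str) -> list[Finding]:
    """Scan log text line by line and return one Finding per recognised error."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, kind, remedy in PATTERNS:
            match = pattern.search(line)
            if match:
                port = match.group(1) if match.groups() else ""
                findings.append(Finding(line_no, kind, remedy.format(port=port)))
                break  # one classification per line
    return findings


def startup_succeeded(text: str) -> bool:
    """True when Tomcat printed its 'Server startup in ... ms' line."""
    return re.search(r"Server startup in \d+ ms", text) is not None


def server_healthy(text: str) -> bool:
    """Startup message present and no recognised error: safe to open the portal."""
    return startup_succeeded(text) and not triage_log(text)


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind}: {finding.remedy}")
    print("healthy:", server_healthy(SAMPLE_LOG))
```

Note that Tomcat still prints its startup line when a connector or the engine failed, which is why server_healthy requires both the startup message and an empty finding list.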

1.4.5. Import the Organization

• Open the Studio

• Export the organization from your Studio (menu Organization/export)

Figure 5. Export the organization

• Install the organization

• Log in the Portal with the default technical user

User: install / Password: install

• From the portal go to the menu Organization/Import-Export and import the file extracted from
the Studio

Figure 6. Load the organization

All users must be visible

Figure 7. All users are loaded

• Associate the User/Administrator profiles with users. Go to Organization / Profiles,

Figure 8. Profiles

Select the profile Users, click on MORE, and add all users (click on ADD A USER)

Figure 9. Users in the profile

• Go to the profile Administrator, and add at least Walter.Bates to this profile

Figure 10. Users in the profile

• Log out and log in as walter.bates, password bpm

1.4.6. Install one process

• Open one process developed with the Studio and generate a bar file

Figure 11. Export a simple process

• Choose the Administrator profile,

Figure 12. Choose the administrator profile

• Select the BPM / Processes tab and click on INSTALL

Figure 13. Install a process

• If needed, resolve process actor mapping or form mapping issues. Don’t forget to ENABLE it.

Figure 14. Check the process/ ENABLE it

• Switch to User profile

• Click on Processes

• Select the process and click on Start button

Figure 15. Start a process

1.4.7. Setup tool: Update configuration / license

The Platform setup tool handles the creation of the database schema and the configuration of
Bonita Platform.

In the Tomcat bundle, the tool is in the setup folder.

It is composed of the following items:

• platform_conf/

  • initial/: contains the default configuration of the Bonita Platform; it can be customized and is pushed when the database is created.

  • current/: contains the configuration files after a pull from the database.

  • licenses/: (Subscription only) must contain the license file to allow Bonita Platform to start without error.

  • sql/: SQL scripts used to create the Bonita database tables.

• setup.sh: Unix / Mac script to run.

• setup.bat: Windows script to run.

• database.properties: contains the properties to connect to the database on which the configuration is managed.

To modify the configuration of an already initialized Bonita Platform, you must use the Platform
setup tool as follows:

• Stop Bonita Platform in <BUNDLE_HOME>

> stop-bonita

(.sh or .bat according your platform)

• Make sure the file

<SETUP_HOME>/database.properties

of the Platform setup tool points to the database used by Bonita Platform.

• Retrieve the latest configuration with setup pull in <SETUP_HOME>.

> setup pull

(.sh or .bat according to your platform)

It gets the current configuration and puts it in the <SETUP_HOME>/platform_conf/current folder.

• Modify the configuration files inside the <SETUP_HOME>/platform_conf/current folder according to your needs.

• If you are updating your license file, put it inside <SETUP_HOME>/platform_conf/licenses, along with the existing ones. If some retrieved license files are not valid anymore, you can remove them; they are then deleted from the database when pushed.

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

(.sh or .bat according your platform)

• Start Bonita Platform in <BUNDLE_HOME>

> start-bonita

(.sh or .bat according your platform)

1.4.8. Setup tool: Change technical password

Note: this procedure is described in the Security exercise. The technical password has to be changed before going to production.

See http://documentation.bonitasoft.com/?page=tomcat-bundle#toc3 for more information.

Congrats, you finished the exercise!

Chapter 2. Bonita with PostgreSQL
2.1. Requirements
The H2 database is not recommended for production environments. The goal of this exercise is to understand how to install Bonita with PostgreSQL.

2.2. Instructions
Install a PostgreSQL database, create an empty database, and then configure the connection with the setup tool.

2.3. Correction
2.3.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

2.3.2. PostgreSQL

Installation

• Run the PostgreSQL installer and follow the step-by-step wizard.

• When asked for the password of the "super account", enter "root".

• Keep the default values for all the other options. Don’t run "Stack Builder" at the end of the wizard.

• In the installation folder, open the file postgresql.conf (usually under PostgreSQL\10\data)

• In this file, set a non-zero value for max_prepared_transactions (100 is a good number)

PostgreSQL administration tool

In order to create the PostgreSQL database, you can use pgAdmin 4. Run this tool and connect to
your localhost database server, by double-clicking on the node in the Object browser tree view.
Provide the password that you entered during the installation ("root").

User creation

First you need to create a database user:

• In the object browser, right click on Login Roles and select New Login Role…

Figure 16. Create PostgreSQL User

• Set the Role name: bonita

• In Definition tab, set the password: bpm

• Click on Ok button

Database creation

Then you need to create two databases:

For the Engine:

• In the object browser, right-click on Databases and select New Database…

• Set the database name: bonitatraining

• In the owner dropdown list, select the Bonita user created previously

Figure 17. Create a database

For the Business Data:

• In the object browser, right-click on Databases and select New Database…

• Set the database name: businesstraining

• In the owner dropdown list, select the Bonita user created previously

Bonita bundle setup

We will update the existing bundle to the PostgreSQL database. Steps are identical on a new bundle.

• Verify that the PostgreSQL driver is present under setup/lib. The Bonita bundle contains the jar postgresql-9.3-1102-jdbc41.jar

• Edit the file database.properties:

<SETUP_HOME>/database.properties

Change the vendor to postgres and fill in the connection properties.

Bonita database properties

db.vendor=postgres
db.server.name=localhost
db.server.port=5432
db.database.name=bonitatraining
db.user=bonita
db.password=bpm

Business Data database properties

bdm.db.vendor=postgres
bdm.db.server.name=localhost
bdm.db.server.port=5432
bdm.db.database.name=businesstraining
bdm.db.user=bonita
bdm.db.password=bpm

• Run setup init to create the database

You can run start-bonita instead: it detects that the database is not created and runs setup init at that moment. By running setup init manually, you verify that the current instance has correctly switched to the new database.
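Before running setup init here, or setup push in the update procedure of section 1.4.7, it is worth checking the setup folder mechanically. The following Python script is an added example, not part of the manual or of the Bonita setup tool: it parses database.properties, rejects the h2 vendor, checks that both the engine and Business Data connections are complete and point to two different databases, flags the training passwords, and checks that platform_conf/licenses holds a .lic file. The properties text is a constructed copy of the values above; function names and messages are my own.

```python
from __future__ import annotations

from pathlib import Path

# Constructed copy of the database.properties values from the PostgreSQL
# exercise (training values, not a production configuration).
TRAINING_PROPERTIES = """\
# Bonita database properties
db.vendor=postgres
db.server.name=localhost
db.server.port=5432
db.database.name=bonitatraining
db.user=bonita
db.password=bpm
# Business Data database properties
bdm.db.vendor=postgres
bdm.db.server.name=localhost
bdm.db.server.port=5432
bdm.db.database.name=businesstraining
bdm.db.user=bonita
bdm.db.password=bpm
"""

# Keys a non-h2 vendor needs besides the vendor itself (same set for db. and bdm.db.).
CONNECTION_KEYS = ("server.name", "server.port", "database.name", "user", "password")
# Passwords the training material uses; none of them should reach production.
TRAINING_PASSWORDS = {"bpm", "root", "install"}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and blanks skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_setup(properties_text: str, license_files: list[str]) -> list[str]:
    """Return the problems that would make 'setup init' / 'setup push' fail or leave
    the platform in a training-grade state. An empty list means the folder is ready."""
    props = parse_properties(properties_text)
    issues: list[str] = []
    for prefix in ("db.", "bdm.db."):
        vendor = props.get(prefix + "vendor")
        if not vendor:
            issues.append(f"{prefix}vendor is missing")
            continue
        if vendor == "h2":
            issues.append(f"{prefix}vendor is h2, which is not recommended for production")
            continue
        for key in CONNECTION_KEYS:
            if not props.get(prefix + key):
                issues.append(f"{prefix}{key} is missing for vendor {vendor}")
        if props.get(prefix + "password") in TRAINING_PASSWORDS:
            issues.append(f"{prefix}password is a training default; change it before production")
    engine_db, bdm_db = props.get("db.database.name"), props.get("bdm.db.database.name")
    if engine_db and engine_db == bdm_db:
        issues.append("engine and business data must use two different databases")
    if not any(name.endswith(".lic") for name in license_files):
        issues.append("platform_conf/licenses contains no .lic file; the platform will not start")
    return issues


def check_setup_home(setup_home: Path) -> list[str]:
    """Same checks, read from <SETUP_HOME>/database.properties and platform_conf/licenses."""
    props_file = setup_home / "database.properties"
    if not props_file.is_file():
        return [f"database.properties not found in {setup_home}"]
    license_dir = setup_home / "platform_conf" / "licenses"
    license_files = [p.name for p in license_dir.iterdir()] if license_dir.is_dir() else []
    return check_setup(props_file.read_text(encoding="utf-8"), license_files)


if __name__ == "__main__":
    # On a real bundle: check_setup_home(Path("<BUNDLE_HOME>/setup"))
    for issue in check_setup(TRAINING_PROPERTIES, ["BonitaSubscription-example.lic"]):
        print("WARN:", issue)
```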

> setup init

 ____ _ _
| _ \ (_) |
| |_) | ___ _ __ _| |_ __ _
| _ < / _ \| '_ \| | __/ _` |
| |_) | (_) | | | | | || (_| |
|____/ \___/|_| |_|_|\__\__,_|

(Platform Setup 7.6.2)

[INFO] configuration for Database vendor: postgres
[INFO] Connected to 'postgres' database with url: 'jdbc:postgresql://localhost:5432/bonitatraining' with user: 'bonita'
[INFO] Executed SQL script /D:/bonita/tomcat/7.6.2-Training-Tomcat-8.5.23/setup/platform_conf/sql/postgres/createTables.sql
[INFO] Executed SQL script /D:/bonita/tomcat/7.6.2-Training-Tomcat-8.5.23/setup/platform_conf/sql/postgres/createQuartzTables.sql
[INFO] Executed SQL script /D:/bonita/tomcat/7.6.2-Training-Tomcat-8.5.23/setup/platform_conf/sql/postgres/postCreateStructure.sql
[INFO] Executed SQL script /D:/bonita/tomcat/7.6.2-Training-Tomcat-8.5.23/setup/platform_conf/sql/postgres/initTables.sql
[INFO] Platform created.
[INFO] Database will be initialized with configuration files from folder: platform_conf\initial
[INFO] Pushing license files from folder:platform_conf\licenses
[INFO] found license file: BonitaSubscription-7.6-Pierre-yves_Monnet-Dragon-Pierre-Yves-20180413-20181010.lic
[INFO] Initial configuration files successfully pushed to database

Check in pgAdmin that all the tables exist.

Figure 18. Verify tables

2.4. Start the server


• Copy the PostgreSQL driver (setup/lib/postgresql-9.3-1102-jdbc41.jar) to server/lib

• Start Bonita Platform in <BUNDLE_HOME>

> start-bonita

(.sh or .bat according your platform)

The init command set up the database from the <SETUP_HOME>/platform_conf/initial directory, in which the default passwords were not changed. Log in to the server with install / password install.

2.5. Populate the server


The platform is running on a new database. You have now:

• to load organization

• to load different processes

Congrats, you finished the exercise!

Chapter 3. Deploy Living application resources
3.1. Requirements
The goal of this exercise is to understand how to upload resources to Bonita through the portal, and then how to update them.

3.2. Instructions
From the "provided files" folder and in the uploadResources folder retrieve the resources to upload:

• Organization

• BDM file

• Processes

• Rest API extension

• Application page

• Connector

• Change a process parameter

• Living application

3.3. Correction
3.3.1. Introduction

The Bonita server accepts different kinds of resources. Resources are created with the Bonita Studio or downloaded from the Community.

All the resources you need for this exercise are included in the ZIP file UpdateResource.zip

3.3.2. Organization

The first resource to install is the Organization. It contains all the users, groups and roles needed to log in and execute tasks.

The organization can be exported from the Studio via the menu Organization ⇒ Export.

• Connect to the portal with login install / password install

• Go to "Organization ⇒ Import / Export"

• Select the ACME.xml file

Figure 19. Import the organization

• Click on IMPORT

• Go to "Organization ⇒ Profile"

• Select the profile User and click on MORE

• Add the role "Member" in the Roles mapping

Figure 20. Register all users in the profile User

Importing the organization defines the users, groups and roles. You then have to give each user access to the correct profiles. In the ACME organization, all users have the role "Member".

• Select now the profile Administrator and click on MORE

• Add the user Walter.Bates

Figure 21. Register only Walter.Bates as Administrator

• Log out

• Log in as Walter.Bates, password bpm

• Verify that you can access two profiles "User" and "Administrator"

3.3.3. BDM file

A BDM (Business Data Model) is a set of business tables. They are created in a separate database, the Business Database. When you upload a BDM, that database is updated.

The BDM is exported from the Studio via the menu Development ⇒ Business Data Model ⇒ Export.

• Connect to the portal with login install / password install

• Go to "BPM Services" and click on PAUSE

Figure 22. Pause the Bonita Server

All users will be disconnected immediately.

• Back up your Business Database

On a real installation, this is the moment to back up the Business Database: the update below can drop columns and data without asking.

• Go to "Business Data Model" and select the bdm.zip file. Click on UPDATE

Figure 23. Import the BDM

• If all is correct, you get a Success status

The Portal (via Hibernate) compares the current database with the new model and updates the database as a 'black box':

• if attributes or tables disappear from the model, they are dropped without warning

• if a structure changes (a single attribute becomes multiple), the change is applied without notification, so the values are dropped

• for some structure changes, the portal is unable to perform the upgrade and the BDM becomes unstable: some changes are applied, others not

The SnowMobile page, available on the Community, shows the impact of a new BDM in advance and proposes the SQL script to update your database. Apply those changes before loading the BDM. Note that you must still load the BDM at the end to update the generated JAR file.

• Go to "BPM Services" and click on "RESUME"

Figure 24. Resume the Bonita Server

The only way to see the change is to connect to the Business Database with a database browser.

3.3.4. Processes

A process is deployed on the server as a BAR file, which contains everything it needs: process definition, connectors, forms.

The process is exported from the Studio via the menu "Server ⇒ Build", selecting the process to export.

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "BPM ⇒ Processes"

Figure 25. Resume the Bonita Server

• Click on INSTALL, and give the file New Vacation Request—1.0.bar

Figure 26. Install a process

• The process is deployed. It is "DISABLED" by default. Any errors are visible and need to be fixed before enabling it.

Figure 27. Dashboard

• Click on the state button (named DISABLED). The status changes to ENABLED.

Figure 28. Enable a process

• Deploy the second process Initiate Vacation Available—1.0.bar

• Enable the second process

• Run one case of Initiate Vacation Available: in the process list, click on START FOR and give Walter.Bates as the user.

Figure 29. Run a case

3.3.5. Rest api extension

A REST API extension extends the built-in REST API to provide new functions to pages and forms. Its code runs inside the server JVM, so only install extensions you trust and have reviewed.

The REST API extension is exported from the Studio via "Development ⇒ REST API Extension ⇒ Build".

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "Resources"

Click on REST API extensions to filter the list to REST API extension resources only.

Figure 30. List resources

• Click on ADD, and give the file tahitiUsersOfManagerExtension-1.0.0-SNAPSHOT.zip

Figure 31. Add a Rest Api Extension

• Click on NEXT and then CONFIRM

3.3.6. Page

A page is accessible to users in the Bonita Portal. A page is developed with the Bonita Studio (UI Designer) or can be downloaded from the Community.

The page is exported from the UI Designer, section Pages, with the Export button. Or, on the Community, go to "Contribute ⇒ Projects" and select the category Page.

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "Resources"

Figure 32. List resources

• Click on ADD, and give the file page-Employee.zip

Figure 33. Add a page

• Click on NEXT then CONFIRM. The page should appear in the list.

• Add the page page-TahitiPage.zip too. You will get a warning about a permission: read it, since it concerns the REST API permissions the page declares, then CONFIRM.

3.3.7. Profile

A profile groups a list of pages and a user mapping.

The profile is exported from the Portal, section Organization ⇒ Profiles, with the Export button, or downloaded from the Community ("Contribute ⇒ Projects").

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "Organization ⇒ Profiles"

Figure 34. List resources

• Click on ADD, and give the file Profile_Tahiti.xml

Figure 35. Add a profile

To check the profile, log out and log in again as Walter.Bates. The new profile Tahiti-User should appear in the profile list.

Figure 36. Profile Tahiti

3.3.8. Connector implementation (Live Update)

A connector is used by a process. You can upload a new connector implementation for one process; only that process is impacted, which compartmentalizes the risk. The implementation is Java code that the engine executes, so it deserves the same review as any other deployed artifact.

The connector implementation is exported from the Studio, menu "Development ⇒ Connectors ⇒ Export Connector".

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "BPM ⇒ Processes", select your process (New vacation request) and click on MORE

• Select the Connectors tab

Figure 37. List of all connectors

• Find the connector google-calendar-v3-create-event and click on the pencil. Give the file google-calendar-create-event-impl-1.0.0.zip and click on SAVE

Figure 38. Connector update

3.3.9. Change a parameter of the process deployed

A process defines parameters. On a deployed process, you can change the value of a parameter.

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "BPM ⇒ Processes", select your process (New vacation request) and click on MORE

• Select the Parameters tab

• Select a parameter like calendarServiceAccountId, and click on the value.

• Change the value, and click on the check icon

Figure 39. Update a parameter

3.3.10. Living application

A Living application groups pages and references a profile.

The Living application is exported from the Studio or from a Portal.

• Connect to the portal with login Walter.Bates / password bpm and select the Administrator profile

• Go to "Application" and then click on IMPORT

• Select the file Application_Tahiti and click on IMPORT

Figure 40. Add an application

• Access the URL by clicking on the URL link in the Application page

Figure 41. Add an application

• To access the Manager part, log in as Helen.Kelly, who is a manager.

Congrats, you finished the exercise!

Chapter 4. Ldap synchronization
If you have an internet connection, consider jumping to the same exercise with an online LDAP provider at the end of the PDF; it does not require any installation.

Prerequisites

• Unzipped BonitaBPMSubscription-7.x.y-deploy folder

• ApacheDS installer (apacheds-2.0.0-<last version>.zip file): http://apache.crihan.fr/dist/directory/apacheds/dist/

• Apache Directory Studio installer: http://directory.apache.org/studio/downloads.html

4.1. Requirements
Even if we use LDAP for authentication, our users must in any case be registered in the Bonita database, because authorization is handled there. The requirement is to set up synchronization between an LDAP source and the Bonita database.

4.2. Instructions
• Setup LDAP server

◦ Setup a simple LDAP server such as ApacheDS (the server part, not Apache Directory Studio)

◦ Initialize the server with some test data using a LDAP server administration tool (such as
Apache Directory Studio)

• Configure LDAP Synchronizer

◦ Configure the connection to the Bonita Engine in order to use HTTP

◦ Edit LDAP synchronizer configuration file (bonita.properties) and technical user credentials

◦ Edit LDAP synchronizer configuration file for the LDAP connection (ldap.properties)

◦ Edit the file that defines the mapping between Bonita organization fields and LDAP attributes (mapper.properties)

◦ Edit sync.properties to specify how the synchronization is performed (entry point for users' lookup, logging…)

• Run the LDAP synchronizer in order to copy LDAP information to Bonita organization

4.3. Correction
4.3.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

<LDAP_SYNCHRONIZER> Location of the Ldap Synchronizer

4.3.2. ApacheDS installation

• Extract the content of apacheds-2.0.0-<version>.zip file (.exe installer doesn’t work)

• Run the server

bin/apacheds (.bat or .sh)

By default this service listens on port 10389.

The following screen will be displayed. It means that LDAP server was started successfully.

Figure 42. ApacheDs server started

4.3.3. Apache Directory Studio installation

Install the standalone version that matches your operating system, or install the Eclipse plugin version.

Warning for standalone installation:

Point Apache Directory Studio to a JDK (not a JRE).

4.3.4. Check the LDAP directory

Start Apache Directory Studio

• Go to the Connections panel (bottom left) and double-click on "local" to connect to ApacheDS.

Figure 43. Ldap Studio Directory

If no "local" icon is present, right-click in the connection panel and create a new connection.

Set the connection parameters accordingly:

user: uid=admin,ou=system

password: secret

port: 10389

These are the ApacheDS factory defaults for the directory administrator. They are fine for this lab, but any ApacheDS instance reachable by others needs the admin password changed before it holds real accounts.

Test that the connection works: right-click on the local icon and click on "Check Network Parameter".

4.3.5. Configure LDAP Synchronizer

• The LDAP Synchronizer is included in the Deploy component. In the Customer Portal download page, search for BonitaSubscription-7.x.y-deploy.zip

• Unzip the file on your disk, and go to the subdirectory

BonitaBPMSubscription-7.x.y-deploy/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

This last one will be represented by

<LDAP_SYNCHRONIZER>

Configure Bonita Properties

The LDAP Synchronizer relies on the Bonita client Java library to push information to the Bonita Engine. As it runs as a standalone Java application, it cannot use direct Java access to the Bonita Engine (different classloaders), so we set up the Bonita client communication to use HTTP.

The LDAP Synchronizer can handle multiple domains, i.e. multiple tenants. Each tenant configuration has its own directory, where tenant 1 is "1" or "default". In the next part, we use the directory "default" to configure tenant 1.

Edit the file:

<LDAP_SYNCHRONIZER>/conf/default/bonita.properties

Setup the correct connection, for example:

######
# Bonita connection settings
######
# Access type to the server - use EJB3,HTTP
apiType=HTTP

# Url to connect to the server
serverUrl=http://localhost:8080

# Application name
applicationName=bonita

# ejbReference to access the server via the EJB protocol
# ejbReference=bonita

######
# Bonita connection settings
######
#bonita_home = <PathToBonitaHome>
######
# Bonita account used for sync (needs admin privileges)
######
login = install
password = install
technicalUser = platformAdmin
technicalPassword = platform

The login and password are used by the LDAP Synchronizer to connect to the engine and create or update users. A different user can be used, but make sure that this user is not itself deactivated by the LDAP Synchronizer: if it is a real organization user that does not exist in LDAP, list it in bonita_nosync_users in sync.properties. The technical user (install) is ignored by the synchronizer because it is not a real user. With apiType=HTTP these credentials are sent to serverUrl on every run, so use an https:// URL whenever the synchronizer does not run on the same host as the engine.

The platformAdmin account is necessary to get the list of all existing tenants. No tenants are created or removed by the LDAP Synchronizer.

Configure ldap.properties

Edit the file <LDAP_SYNCHRONIZER>/conf/default/ldap.properties and specify the information needed to connect to your LDAP server. This file holds the bind password in clear text: restrict its permissions to the account that runs the synchronizer, and outside a local lab use an ldaps:// URL rather than ldap://, since a simple bind otherwise sends principal_password in clear.

######
# LDAP connection settings
######
host_url = ldap://localhost:10389/
auth_type = simple
######
# LDAP account used for browsing
######
principal_dn = uid=admin,ou=system
principal_password = secret
######
# User type ('person' for LDAP, 'user' for AD)
######
directory_user_type = person

Configure mapper.properties

Edit the file <LDAP_SYNCHRONIZER>/conf/default/mapper.properties to map LDAP attributes to the Bonita organization fields:

######
# MAPPER CONFIGURATION
# Provides the field mapping between Bonita to LDAP such as:
# bonita_poperty = ldap_property
#
# user_name is the only mandatory property as it is the key defined for matching users, all other properties are optionals.
# Unused properties should be commented out.
# Bonita meta data is not supported in current version (v4)
######
######
# GENERAL INFORMATIONS
######
user_name = uid
#first_name = givenName
#last_name = sn
#title =
#job_title =
#manager =
#delegee =

######
# PROFESSIONAL INFORMATIONS
######
#pro_email =
#pro_phone =
#pro_mobile =
#pro_fax =
#pro_website =
#pro_room =
#pro_building =
#pro_address =
#pro_city =
#pro_zip_code =
#pro_state =
#pro_country =
######
# PERSONNAL INFORMATIONS
######
#perso_email =
#perso_phone =
#perso_mobile =
#perso_fax =
#perso_website =
#perso_room =
#perso_building =
#perso_address =
#perso_city =
#perso_zip_code =
#perso_state =
#perso_country =

Configure sync.properties

Edit the file <LDAP_SYNCHRONIZER>/conf/default/sync.properties:

######
# SYNCHRONIZATION CONFIGURATION
# Provides the settings for the synchronization between Bonita and LDAP. See also mapper.conf
######
######
# ERROR BEHAVIOR SETTINGS
# Defines the synchronization error behavior settings
######
# Specifies whether an error should be blocking upon getting related users (manager and delegees)
error_level_upon_failing_to_get_related_user = warn
######
# LDAP SYNC SEARCH SETTINGS
# Defines the LDAP watched directory
######
# Declare a list of LDAP watched directories
ldap_watched_directories = dir1
# Specify dir1 settings
dir1.ldap_search_dn = ou=people,dc=example,dc=com
dir1.ldap_search_filter = cn=*
######
# BONITA USER SYNC SETTINGS
######
# Specify the username case of the Bonita imported users
bonita_username_case = lowercase
# Specify Bonita users who should not be synchronized (user names separated by commas)
bonita_nosync_users =
# Specify whether the tool should deactivate Bonita users which are not present in LDAP
bonita_deactivate_users = true
# Specify the role that will be affected to Bonita users
bonita_user_role = user

# How to synchronize the 'Custom Information' on User.
bonita_user_custominfo_policy = none

# if a 'User Custom Information' is declared in the mapper.properties but doesn't exist in the Bonita Database, the 'User Custom Information' is created.
allow_custominfo_creation = false

######
# LDAP GROUP SYNC SETTINGS
# Defines the LDAP groups that are synchronized
######
#ldap_groups = group1, group2
#ldap_search_filter_groups = search1,search2

Don't forget to comment out the ldap_groups and ldap_search_filter_groups properties.

You should always avoid deleting users from the Bonita organization. When a user performs a task, the Bonita Engine keeps the link between the task and the user; if you delete the user account, that relation is left broken. Deactivation, which is what bonita_deactivate_users does, keeps that history intact.
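The settings above interact: an account named in bonita.properties that is itself an organization user, combined with bonita_deactivate_users = true, is deactivated on the next run unless it is listed in bonita_nosync_users, and apiType=HTTP with an http:// serverUrl sends that account's password in clear. The following script, added here as an example (it is not part of the Bonita distribution), parses the three properties files and reports these problems before you run the synchronizer. The sample file contents in it are constructed from the values on this page; the finding codes are the script's own.

```python
"""Preflight checks for a Bonita LDAP Synchronizer configuration.

Added example for this page; it is not part of the Bonita distribution. It
parses bonita.properties, ldap.properties and sync.properties as Java
.properties text and flags settings that would lock the synchronizer's own
account out or send credentials in clear text. The sample file contents are
constructed from the values shown on this page.
"""
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, first '=' (else ':')
    separates key and value. Backslash continuations are not handled; the Bonita
    sample files do not use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def check_sync_config(bonita, ldap, sync, technical_login="install"):
    """Return (severity, code, message) findings for the three parsed files.
    technical_login is the engine's technical user, which the page says the
    synchronizer never deactivates because it is not an organization user."""
    findings = []
    engine = urlparse(bonita.get("serverUrl", ""))
    if bonita.get("apiType", "").upper() == "HTTP" and engine.scheme == "http" \
            and engine.hostname not in LOCAL_HOSTS:
        findings.append(("WARN", "PLAINTEXT_ENGINE_URL",
                         "login/password travel in clear to %s; use https://" % bonita["serverUrl"]))

    login = bonita.get("login", "")
    deactivate = sync.get("bonita_deactivate_users", "false").lower() == "true"
    nosync = {u.strip() for u in sync.get("bonita_nosync_users", "").split(",") if u.strip()}
    if deactivate and login and login != technical_login and login not in nosync:
        findings.append(("ERROR", "SYNC_ACCOUNT_LOCKOUT",
                         "%s is an organization user not listed in bonita_nosync_users; "
                         "if it is absent from LDAP the next run deactivates it" % login))

    for key in ("ldap_groups", "ldap_search_filter_groups"):
        if key in sync:
            findings.append(("ERROR", "GROUP_SYNC_ENABLED", "%s must stay commented out" % key))

    directory = urlparse(ldap.get("host_url", ""))
    if directory.scheme == "ldap" and directory.hostname not in LOCAL_HOSTS:
        findings.append(("WARN", "PLAINTEXT_LDAP_BIND",
                         "simple bind over ldap:// sends principal_password in clear; use ldaps://"))

    if not (bonita.get("technicalUser") and bonita.get("technicalPassword")):
        findings.append(("ERROR", "MISSING_PLATFORM_ACCOUNT",
                         "technicalUser/technicalPassword are required to list the tenants"))
    return findings


def audit(bonita_text, ldap_text, sync_text, technical_login="install"):
    """Parse the three files' contents and return the finding codes, in check order."""
    return [code for _, code, _ in check_sync_config(
        parse_properties(bonita_text), parse_properties(ldap_text),
        parse_properties(sync_text), technical_login)]


# Constructed samples: the lab values this page puts in conf/default/.
PAGE_BONITA = """apiType=HTTP
serverUrl=http://localhost:8080
applicationName=bonita
login = install
password = install
technicalUser = platformAdmin
technicalPassword = platform
"""
PAGE_LDAP = """host_url = ldap://localhost:10389/
auth_type = simple
principal_dn = uid=admin,ou=system
principal_password = secret
directory_user_type = person
"""
PAGE_SYNC = """ldap_watched_directories = dir1
dir1.ldap_search_dn = ou=people,dc=example,dc=com
dir1.ldap_search_filter = cn=*
bonita_nosync_users =
bonita_deactivate_users = true
bonita_user_role = user
#ldap_groups = group1, group2
#ldap_search_filter_groups = search1,search2
"""
# Constructed misconfiguration: remote engine over http, an organization user
# as sync account, and the group sync line left uncommented.
BAD_BONITA = (PAGE_BONITA.replace("http://localhost:8080", "http://bonita.example.internal:8080")
              .replace("login = install", "login = walter.bates"))
BAD_SYNC = PAGE_SYNC.replace("#ldap_groups", "ldap_groups")

if __name__ == "__main__":
    print("page defaults:", audit(PAGE_BONITA, PAGE_LDAP, PAGE_SYNC) or "OK")
    print("misconfigured:", audit(BAD_BONITA, PAGE_LDAP, BAD_SYNC))
```

To run it against a real installation, read the three files from <LDAP_SYNCHRONIZER>/conf/default/ and pass their contents to audit(); the localhost exemption exists only because this lab runs everything on one machine.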

4.3.6. How to create a new account in LDAP

Create new context entry

Select the node dc=example,dc=com, right-click and choose "New ⇒ New Context Entry".

Figure 44. Create new context entry

• Select Create entry from scratch and click on Next.

• Select the object class organizationalUnit and click Add.

Figure 45. Add organizationalUnit

Click on Next and give the Distinguished Name:

ou=people,dc=example,dc=com

Figure 46. ou=people

Check the values and click on Finish.

Figure 47. Check and Finish

Create new user into ou=people

Right-click on the object ou=people and select New ⇒ New Entry.

Figure 48. New Entry

• Select Create entry from scratch on the first screen and click on Next

• Select organizationalPerson, click on Add, then select uidObject and click on Add

Figure 49. Choose OrganizationalPerson and uidObject

• click on Next

• Select the uid attribute, and give as value fabrice

Figure 50. Set username for uid (e.g. fabrice)

• click on Next

On the overview page, give fabrice as the value of the cn and sn attributes.

• Right-click on an empty line and select New Attribute…, or use the New value icon

Figure 51.

• In the pop-up window, select the attribute name userPassword

Figure 52.

Then click on Finish. Another pop-up appears: give the password value bpmldap. The password editor also lets you choose how the value is stored; pick a hash method (such as SSHA) rather than plain text unless you need the clear text for a test.

Figure 53.

Figure 54. Set a new attribute userPassword using the second icon on the top
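The same two entries, written as LDIF by an added example script (not part of Bonita or ApacheDS). It stores userPassword as a salted SHA-1 ({SSHA}) value rather than the clear text the wizard stores by default, and applies the DN and LDIF escaping rules so that names containing commas or leading colons still produce valid entries. Apache Directory Studio's password editor can pick a hash method too; the script lets you do the same from a file you can review and import with ldapmodify. The -H/-D options in the trailing comment assume the local ApacheDS of this exercise.

```python
"""LDIF for the ou=people container and the test user of section 4.3.6.

Added example for this page; it is not part of Bonita or ApacheDS. It emits
the entries the Apache Directory Studio wizard creates, but with userPassword
stored as a salted SHA-1 hash ({SSHA}, the RFC 2307 style that ApacheDS and
most directories verify on a simple bind) instead of the clear-text value the
page enters. Values are DN-escaped (RFC 4514) and LDIF-encoded (RFC 2849).
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"


def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(sha1(password || salt) || salt); 4 random salt bytes by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What the directory does on a simple bind: rehash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def rdn_escape(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """'name: value', or 'name:: base64' when RFC 2849 forbids the plain form."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def people_ou_ldif(base_dn=BASE_DN):
    """The 'ou=people' organizationalUnit created in 'Create new context entry'."""
    return "\n".join([ldif_attr("dn", "ou=people," + base_dn), "objectClass: top",
                      "objectClass: organizationalUnit", "ou: people", ""])


def user_ldif(uid, cn, sn, password, base_dn=BASE_DN, salt=None):
    """A person with the object classes the wizard adds (organizationalPerson + uidObject)."""
    dn = "uid=%s,ou=people,%s" % (rdn_escape(uid), base_dn)
    return "\n".join([ldif_attr("dn", dn), "objectClass: top", "objectClass: person",
                      "objectClass: organizationalPerson", "objectClass: uidObject",
                      ldif_attr("uid", uid), ldif_attr("cn", cn), ldif_attr("sn", sn),
                      ldif_attr("userPassword", ssha_hash(password, salt)), ""])


if __name__ == "__main__":
    # Import with: ldapmodify -a -H ldap://localhost:10389 -D uid=admin,ou=system -W -f people.ldif
    print(people_ou_ldif())
    print(user_ldif("fabrice", "fabrice", "fabrice", "bpmldap"))
```

The user still authenticates with bpmldap: the directory rehashes the bind password with the stored salt, so the clear text never has to be kept on disk, which is what ssha_verify() reproduces for checking.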

4.3.7. Execute LDAP Synchronizer

To start the LDAP Synchronizer, execute the script

<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

and check the log files in the

<LDAP_SYNCHRONIZER>/logs

folder to make sure that everything ran flawlessly.

You should see this information in the log:

avr. 24, 2018 4:56:00 PM com.bonitasoft.ldapsynchronizer.user.UserSync getUsersToCreate
INFOS: Bonita users to create: 1

After synchronization, if you try to log in to the Bonita BPM portal with the new user added in the LDAP directory, it does not work. The authentication service still checks the user credentials in the Bonita BPM database, and the LDAP synchronizer does not synchronize passwords, so the new user has no known password in Bonita. To be able to log in, use one of the following options.

First option: set a password in the portal.

• Log in with the user install / password install

• Check the users list: fabrice has been created, and the ACME users, which are not in LDAP, have been deactivated (bonita_deactivate_users = true)

Figure 55. User Fabrice

This user has no first name or last name, because we did not map them (first_name and last_name are commented out in mapper.properties).

• Update the password through the portal: click on MORE… and then open the Password tab

Figure 56. Change the password

• Change it to bpm

• Log out, then log in with user fabrice, password bpm

Figure 57. Change the password

Second option: change the authentication method so that credentials are checked in LDAP (next exercise).

4.3.8. Test synchronization

Log in again with your user. This time the Bonita Portal authenticates you and you should be able to display the task list view.

4.3.9. Synchronize the Custom information

You can add custom attributes to each user, and then synchronize them from any LDAP attribute.

Add custom information

It is not possible to create custom information in the Portal. The options are:

• in the Studio

• with the LDAP Synchronizer, by setting the property allow_custominfo_creation = true

• In the studio, go to "Organization ⇒ Define"

• Select the organization ACME, and click on Next

• Click Next until the Organization users window

• Select one user, then click on the Custom tab

Figure 58. Access the custom information

• Click on Manage custom information

• Add four custom information fields: building, room, skypeId, facebookid

Figure 59. Add Four new information

• Export the organization, and reimport it

After the reimport, all ACME users are re-activated.

• Go to a user (e.g. Giovanna Almeida), click on MORE… and then on the Custom information tab

The new custom information fields must be present.

Figure 60. Add Four new information

Add value in LDAP

We have to map this new custom information to LDAP attributes.

• Add two attributes to the user fabrice in LDAP: postOfficeBox with value B663 and st with value Colorado.

Note: in LDAP, attributes are defined at the object class level. Because we did not define a new LDAP class, we reuse existing attributes of the current classes.

Change the Mapper

Edit mapper.properties

<LDAP_SYNCHRONIZER>/conf/default/mapper.properties

add the new rules to update information:

######
# CUSTOM ATTRIBUTE INFORMATIONS
######

custom_building = st
custom_room = postOfficeBox

Edit sync.properties

<LDAP_SYNCHRONIZER>/conf/default/sync.properties

and change the policy to scope:

bonita_user_custominfo_policy = scope

With scope, all mapped custom attributes are updated, and set to null if the LDAP object does not have the value.

Run the Synchronizer

Restart the LDAP Synchronizer by executing the script

<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

Verify the Result

Connect with the install user and access the user fabrice.

Open the Custom information tab and check that the values are updated.

Figure 61. Custom information are updated

Congrats, you finished the exercise!

Chapter 5. Bonita LDAP authentication
If you have an internet connection, consider jumping to the same exercise with an online LDAP provider at the end of the PDF; it does not require any installation.

5.1. Prerequisites
• A running Apache DS server (used in previous exercise)

5.2. Requirements
One of the options for Bonita authentication is to use an LDAP source directly, without SSO. The objective of this exercise is to configure LDAP authentication.

5.3. Instructions
• Configure the Engine to rely on the JAAS authentication service implementation (cfg-bonita-authentication-impl.xml)

• Configure the JAAS login context to use the LDAP login module, so that authentication is performed against LDAP instead of the Bonita users database

5.4. Correction
5.4.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

5.4.2. Pull the configuration

According to the documentation: https://documentation.bonitasoft.com/bonita/7.6/BonitaBPM_platform_setup

• Stop Bonita Platform in <BUNDLE_HOME>

> stop-bonita

(.sh or .bat according your platform)

• Retrieve the last configuration via the setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according your platform)

This gets the current configuration and puts it in the <SETUP_HOME>/platform_conf/current folder.

• Modify the configuration files inside the <SETUP_HOME>/platform_conf/current folder accordingly.

5.4.3. JAAS configuration

Authentication will rely on two parts:

• JAAS (standard JVM service) configuration

• A specific Bonita Engine authentication service implementation that rely on JAAS

JAAS configuration is done at JVM level and requires a configuration file. From the provided files, copy jaas-bonita-ldap.cfg into

<TOMCAT_HOME>/conf

The content of the file is shown below. Note that useSSL=false together with an ldap:// URL means every user's password is sent to the directory in clear text at login; outside a lab, use an ldaps:// URL with useSSL=true. debug=true is also a lab setting, since it logs details of each authentication attempt.

BonitaAuthentication-1 {
  com.sun.security.auth.module.LdapLoginModule REQUIRED
  userProvider="ldap://localhost:10389/ou=people,dc=example,dc=com"
  userFilter="(&(uid={USERNAME})(objectClass=person))"
  authzIdentity="{USERNAME}"
  debug=true
  useSSL=false;
};

• The JVM finds the JAAS configuration file through a system property named java.security.auth.login.config. To define it, edit the file

<SETUP_HOME>/tomcat-templates/setenv.bat (or .sh)

Uncomment the SECURITY_OPTS line and replace the file name with jaas-bonita-ldap.cfg. The line must be:

set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas-bonita-ldap.cfg"

• Modify the CATALINA_OPTS property to add %SECURITY_OPTS% after %PLATFORM_SETUP% in the list, like this:

set CATALINA_OPTS=%CATALINA_OPTS% %PLATFORM_SETUP% %SECURITY_OPTS% %H2_DATABASE_DIR% ...

5.4.4. Bonita authentication service configuration

• Modify the properties file so that the JAAS implementation of the login service is used.

Edit the file:

<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-sp-custom.properties

Comment out the existing authentication service line (if not already done) and add a new line:

authentication.service.ref.name=jaasAuthenticationService

5.4.5. Push the configuration

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according your platform)

5.4.6. Test

• Verify that the LDAP ApacheDS is started

bin/apacheds (.bat or .sh)

• Verify that the user fabrice is correctly declared in the LDAP Directory

• Stop and start the server in <BUNDLE_HOME>

> stop-bonita

> start-bonita

• Verify that the user fabrice is correctly declared: connect as install / @training! and verify that
the user fabrice is declared

• Log in to the Portal with the account created previously.

You can no longer use the password stored in the Bonita Engine database (bpm); the one checked now is the LDAP password (bpmldap).

If everything works fine you are able to connect with this user / password.

Congrats, you finished the exercise!

Chapter 6. Create a new tenant
6.1. Requirements
When the installation is completed, a single tenant exists. A developer can write a Java program to create a new tenant in the platform; here we use the platform REST API. In this exercise we will see the impact on our file system and database when a new tenant is created.

6.2. Instructions
• Install the REST Client

• Create Tenant

• Access Tenant, load an organization

6.3. Correction
6.3.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

6.3.2. Download the REST client

Use a REST client plugin in your browser. For this exercise we use the Firefox RESTClient plugin, but you are free to use any browser-based or standalone REST client. (We recommend that you do not use REST Easy for Firefox, as it had functional issues when tried with this exercise.)

If REST Client is not already installed in your browser, you can install it via the menu (top right) and the Add-ons button.

Figure 62. REST Client

Search for and Install REST Client:

Figure 63. REST Client icon

After you restart Firefox, the button to activate REST Client appears beside the menu button of your browser:

Figure 64. REST Client icon

6.4. Connect to the platform

Use the REST API to connect.

• Connect to the platform with the special platform login: username platformAdmin, password platform (the defaults set in the setup configuration).

Item    Value
URL     http://localhost:8080/bonita/platformloginservice?password=platform&redirect=false&username=platformAdmin
Method  POST
Header  Content-type: application/x-www-form-urlencoded; charset=utf-8
Body    (empty)

Passing the password in the query string, as above, writes it into the browser history and into any proxy or access log. The service also accepts the same parameters in the form-encoded body (as the tenant login below does), which is the form to use outside a lab.

Result is 200:

Figure 65. Platform Login

• Check via the REST API Platform

Item    Value
URL     http://localhost:8080/bonita/API/platform/platform/unusedid
Method  GET
Header  (none)
Body    (empty)

Figure 66. Platform Status

The answer should be

{
  "createdBy": "platformAdmin",
  "previousVersion": "",
  "created": "2018-04-19 14:35:01.068",
  "initialVersion": "7.7.0.alpha-06",
  "state": "STARTED",
  "version": "7.7.0.alpha-06"
}

• Access the licence information

Item    Value
URL     http://localhost:8080/bonita/API/platform/platform/license
Method  GET
Header  (none)
Body    (empty)

The answer should be

{
  "licenseStartDate": "2018-04-13",
  "duration": 181,
  "licenseExpirationDate": "2018-10-11",
  "edition": "Performance",
  "subscriptionStartPeriod": "2017-06-16",
  "subscriptionEndPeriod": "2018-06-15",
  "caseCounterLimit": 500000,
  "caseCounter": 0,
  "numberOfCPUCores": 2,
  "requestKey": "(/fn7P2fItENrYM8MAD4h1ETr/iHjMjXQa0M8f9Ts/KsgY1yITYK0aQ==)",
  "licenseMode": "Internal"
}

6.5. Create a new tenant

To create a tenant, you must also be logged in to a tenant through the Portal.

• Connect to the portal and get the X-Bonita-API-Token

This token is Bonita's CSRF protection: every POST, PUT or DELETE must carry it in the X-Bonita-API-Token header, with the same value as the cookie, and the REST client must also keep sending the session cookies it received at login.

First possibility: by the REST API

Item    Value
URL     http://localhost:8080/bonita/loginservice
Method  POST
Header  Content-type: application/x-www-form-urlencoded
Body    username=walter.bates&password=bpm&redirect=false&redirectUrl=

Then, in the response, get the value of the cookie X-Bonita-API-Token.

Second option:

Log in to the Portal with Firefox, then read the cookie: 1. Press F12. 2. Click on Storage. 3. Select Cookies, then the domain http://localhost:8080. 4. Find the cookie X-Bonita-API-Token.

Copy the value.

Figure 67. Access the portal second tenant

• Use the REST API Tenant to create a new tenant

Item    Value
URL     http://localhost:8080/bonita/API/platform/tenant
Method  POST
Header  Content-type: application/json
Header  X-Bonita-API-Token: [the value]
Body    { "name":"Sale Tenant", "description":"Tenant used for the Sales Departement", "username":"install", "password":"installSales" }

The answer should be

{
  "password":"",
  "name":"Sale Tenant",
  "icon":"/default.png",
  "description":"Tenant used for the Sales Departement",
  "id":"2",
  "state":"DEACTIVATED",
  "creation":"2014-12-04 15:30:19.930",
  "username":""
}

The id is the tenant id, used afterwards for all operations. In our case, id is "2".

• Activate the tenant

Use the tenant id at the end of the URL. Attention: this is a PUT verb.

Item    Value
URL     http://localhost:8080/bonita/API/platform/tenant/2
Method  PUT
Header  Content-type: application/json
Header  X-Bonita-API-Token: [the value]
Body    { "description":"Tenant used for the Sales Departement", "state":"ACTIVATED" }

The result should be similar to the following (this sample was captured on another installation, hence the different name and id):

{
  "password":"",
  "name":"MyTenant",
  "icon":"/default.png",
  "description":"Tenant used for the Sales Departement",
  "id":"102",
  "state":"ACTIVATED",
  "creation":"2014-12-04 15:30:19.930",
  "username":""
}
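The sequence of this section as an added example client (not Bonita's own code), using only the Python standard library. It puts the platform credentials in the POST body rather than in the URL, reads the CSRF token from the X-Bonita-API-Token cookie and sends it back as a header on every write, and chains the two calls on the tenant id returned by the server. It runs here against a constructed fake server that answers with this page's JSON. It assumes the platform login response sets the X-Bonita-API-Token cookie like the tenant login does; if your version only sets it at tenant login, obtain the token as described above and assign it to client.api_token before creating the tenant.

```python
"""Create and activate a Bonita tenant through the platform REST API.

Added example for this page; it is not Bonita's own client code. It runs the
sequence of sections 6.4-6.5 with the standard library only: platform login
with credentials in the POST body, CSRF token read from the X-Bonita-API-Token
cookie, POST /API/platform/tenant, then PUT /API/platform/tenant/{id}. The
transport is injectable, so the flow runs offline against the fake server below.
"""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

BASE_URL = "http://localhost:8080/bonita"
FORM = "application/x-www-form-urlencoded; charset=utf-8"


class BonitaPlatformClient:
    """transport(method, path, headers, body) must return (status, header_pairs, body)."""

    def __init__(self, base_url=BASE_URL, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._http
        self.cookies = {}       # urllib keeps no cookie jar, so cookies are replayed by hand
        self.api_token = None   # CSRF token, copied from the X-Bonita-API-Token cookie

    def _http(self, method, path, headers, body):
        req = Request(self.base_url + path, data=body, method=method, headers=headers)
        try:
            with urlopen(req) as resp:
                return resp.status, resp.getheaders(), resp.read()
        except HTTPError as err:
            return err.code, list(err.headers.items()), err.read()

    def _request(self, method, path, body=None, content_type=None):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join("%s=%s" % kv for kv in self.cookies.items())
        if self.api_token and method != "GET":
            headers["X-Bonita-API-Token"] = self.api_token   # must equal the cookie value
        if content_type:
            headers["Content-Type"] = content_type
        status, resp_headers, data = self.transport(method, path, headers, body)
        for name, value in resp_headers:
            if name.lower() == "set-cookie":
                key, _, val = value.split(";", 1)[0].partition("=")
                self.cookies[key.strip()] = val.strip()
        self.api_token = self.cookies.get("X-Bonita-API-Token", self.api_token)
        if status not in (200, 201):
            raise RuntimeError("%s %s failed: HTTP %d %r" % (method, path, status, data[:80]))
        return data

    def platform_login(self, username, password):
        """Credentials go in the form body, not the query string, so they stay out of logs."""
        form = urlencode({"username": username, "password": password, "redirect": "false"})
        self._request("POST", "/platformloginservice", form.encode(), FORM)
        return self.api_token

    def create_tenant(self, name, description, username, password):
        payload = {"name": name, "description": description,
                   "username": username, "password": password}
        return json.loads(self._request("POST", "/API/platform/tenant",
                                        json.dumps(payload).encode(), "application/json"))

    def activate_tenant(self, tenant_id, description):
        payload = {"description": description, "state": "ACTIVATED"}
        return json.loads(self._request("PUT", "/API/platform/tenant/%s" % tenant_id,
                                        json.dumps(payload).encode(), "application/json"))


def create_and_activate(client, name, description, username, password):
    """Create a tenant, activate it, return its id (a string, as the API returns it)."""
    tenant = client.create_tenant(name, description, username, password)
    activated = client.activate_tenant(tenant["id"], description)
    if activated["state"] != "ACTIVATED":
        raise RuntimeError("tenant %s is still %s" % (tenant["id"], activated["state"]))
    return tenant["id"]


class FakePlatformServer:
    """Constructed stand-in: sets the login cookies, answers with this page's JSON,
    and returns 401 for writes without a session or with a wrong CSRF token."""
    TOKEN = "constructed-csrf-token"

    def __init__(self):
        self.tenants, self.logged_in = {}, False

    def __call__(self, method, path, headers, body):
        if (method, path) == ("POST", "/platformloginservice"):
            form = parse_qs(body.decode())
            if form.get("username") != ["platformAdmin"] or form.get("password") != ["platform"]:
                return 401, [], b""
            self.logged_in = True
            return 200, [("Set-Cookie", "JSESSIONID=s1; Path=/bonita"),
                         ("Set-Cookie", "X-Bonita-API-Token=%s; Path=/bonita" % self.TOKEN)], b""
        if not self.logged_in or "JSESSIONID=s1" not in headers.get("Cookie", ""):
            return 401, [], b"no platform session"
        if method != "GET" and headers.get("X-Bonita-API-Token") != self.TOKEN:
            return 401, [], b"CSRF token missing or invalid"
        if (method, path) == ("POST", "/API/platform/tenant"):
            req, tid = json.loads(body), str(len(self.tenants) + 2)   # tenant 1 is the default one
            self.tenants[tid] = {"name": req["name"], "description": req["description"],
                                 "id": tid, "state": "DEACTIVATED", "username": "", "password": ""}
            return 200, [], json.dumps(self.tenants[tid]).encode()
        if method == "PUT" and path.startswith("/API/platform/tenant/"):
            tenant = self.tenants[path.rsplit("/", 1)[1]]
            tenant.update(json.loads(body))
            return 200, [], json.dumps(tenant).encode()
        return 404, [], b""
```

Construct BonitaPlatformClient() without the transport argument to talk to a real server at BASE_URL. The fake refuses writes that lack the session cookie or carry the wrong token, which is also what the Bonita server does when a REST client forgets to replay the cookies or the header.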

6.6. Connect to the Tenant

Use the tenant by logging in to the portal:

http://localhost:8080/bonita/login.jsp?tenant=2

• Log in with user install / password installSales

Figure 68. Access the portal second tenant

6.7. Create users

• Load a complete organization on the new tenant. Go to "Organization ⇒ Import / Export" and import the ACME.xml organization

• Create a new user. Go to "Organization ⇒ Users" and click on CREATE. Give:

Item Value

username tony.marshall

password (and confirm Password) bpm

first name Tony

last name Marshall

• Validate

• Open the Membership tab, and add the user with the role Member in the group Europe

Figure 69. Tony Marshall membership

• Edit the profiles and, in the profile User, map the role Member

Figure 70. Profile User

• Log out, log in as tony.marshall

Attention: when you log in, the portal saves the tenant you logged in to. When you log out, you are sent back to the URL http://localhost:8080/bonita/login.jsp?_l=en&redirectUrl=portal/homepage, i.e. to the default tenant. Use the URL http://localhost:8080/bonita/login.jsp?tenant=2 before each attempt.

6.7.1. Container Ship

On the Community, the Container Ship page manages the tenants.

Community projects are outside Bonitasoft's responsibility. All their components are unsupported, contributed by the community, and run inside your installation once uploaded, so review them before installing.

• Access the Community: use https://community.bonitasoft.com/ or the link from the Bonita web site

• Go to "Contribute ⇒ Project" and search for the page

Figure 71. Access the Community Portal

• Download the page (a ZIP file)

• Log in to the portal and use the Administrator profile

• Go to "Resources" and click on ADD. Give the ZIP file.

• Go to "Organization ⇒ Profile" and click on ADD

• Select Create a profile and give a name like adminTool

Figure 72. Create the adminTool profile

• In the profile detail, add the page Container Ship to the menu, and reference Walter.Bates in the Users mapping.

Figure 73. Profile detail

• Log out, log in again

• Access the page: first, log in to the Platform

Figure 74. Use the Container Ship page

Congrats, you finished the exercise!

Chapter 7. Create a cluster
7.1. Prerequisites
A Bonita server installation using a PostgreSQL database (from the previous exercises)

7.2. Requirements
The goal of this exercise is to create a Bonita Cluster.

7.3. Instructions
To create a cluster, we'll first turn the existing server into a cluster node. Then we'll duplicate it, change its ports, and enable the cluster through the configuration.

• Convert the server into a cluster node

• Create a second node

• Test

7.4. Correction
7.4.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

7.4.2. Convert the basic installation into cluster node

• Stop Bonita Platform in <BUNDLE_HOME>

> stop-bonita

(.sh or .bat according to your platform)

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

• Open the file

<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-custom.properties

• Uncomment and set the bonita.cluster property to true, as follows:

bonita.cluster=true

• In the same file uncomment and change the line

#bonita.platform.persistence.use_second_level_cache=true

change it to:

bonita.platform.persistence.use_second_level_cache=false

• Edit the file

<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-cluster-custom.properties

Uncomment and set the bonita.cluster.name property to a name of your own, e.g. myBPMCluster:

bonita.cluster.name=myBPMCluster

Enable tcpip mode and disable the others:

bonita.platform.cluster.hazelcast.tcpip.enabled=true
bonita.platform.cluster.hazelcast.multicast.enabled=false
bonita.platform.cluster.hazelcast.aws.enabled=false

• Set the server name of your node: in the same file, uncomment and set the following line (it lists the hosts allowed to form the cluster):

bonita.platform.cluster.hazelcast.tcpip.members=localhost

• Now push the updates to the Bonita database from <SETUP_HOME>:

> setup push

(.sh or .bat according to your platform)

• Start Bonita Platform in <BUNDLE_HOME>

> start-bonita

(.sh or .bat according to your platform)

7.4.3. Cluster node verification

Let’s verify that the server has been converted into a cluster node:

• Open the file

<TOMCAT_HOME>/logs/catalina.yyyy-mm-dd.log

Check if you find something like:

Members [1] {
  Member [192.168.56.1]:5701 - b188db7e-dc04-4e51-836b-7d9ba8f9b905 this
}

This means that the server has been correctly converted into a cluster node. The port shown (5701 by default) is the Hazelcast channel the nodes use to talk to each other; it must be reachable from the other nodes only, so firewall it from everything else.

7.4.4. Create a new node

• stop the cluster node executing stop-bonita in <BUNDLE_HOME>

> stop-bonita

(.sh or .bat according to your platform)

• Duplicate your Tomcat server by copy/paste. You now have two nodes:

BonitaSubscription-7.x.y-Tomcat1
BonitaSubscription-7.x.y-Tomcat2

We name the second directory <BUNDLE_HOME2>

In this exercise we run two nodes on the same machine, for teaching purposes only (far from a real deployment, of course). The advantage is that we don't need to generate a new license.

• Change the http port of the second node.

• open the file

<BUNDLE_HOME2>/server/conf/server.xml

• go through this file and change the following ports:

Item     Value
Server   8005 to 8006
HTTP     8080 to 8081
AJP      8009 to 8010

7.4.5. Extract the setup folder

By duplicating your Tomcat folder you have also duplicated the setup folder. Since the two nodes of the cluster share the same database, where the configuration is stored, only one setup folder is needed.

It's good practice to keep this folder in a separate location, and to run a setup pull before any modification.

• Move BonitaSubscription-7.x.y-Tomcat1/setup one level up.

Your base directory now contains:

BonitaSubscription-7.x.y-Tomcat1
BonitaSubscription-7.x.y-Tomcat2
setup

Go to BonitaSubscription-7.x.y-Tomcat2 and remove the setup folder inside.

7.4.6. Tomcat 2 ip registration

• In real life we would now register the IP address of Tomcat 2: open the file

<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-sp-cluster-custom.properties

and add the new address to:

bonita.platform.cluster.hazelcast.tcpip.members=

Since both our Tomcats run on localhost, this step is not needed here.

7.4.7. Run Tomcat 1 & 2

Execute start-bonita (.bat or .sh) from <BUNDLE_HOME1> and <BUNDLE_HOME2>:

cd <BUNDLE_HOME1>
start-bonita
cd <BUNDLE_HOME2>
start-bonita

• Open the file

<BUNDLE_HOME>/server/logs/catalina.yyyy-mm-dd.log

You should find inside:

Members [2] {
  Member [localhost]:5701 - 30c4034e-44e6-402a-b909-689f8b6ef651
  Member [localhost]:5702 - 745d12e3-1496-4510-a6a0-018f6842313c this
}
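The member list is also the place to notice a node that should not be there. The following added script (not part of the Bonita bundle) extracts the last Members block from a catalina log and compares it with the node count you expect and with the hosts listed in bonita.platform.cluster.hazelcast.tcpip.members; the log excerpt and the properties it contains are constructed samples shaped like the ones above.

```python
"""Added example: verify the Hazelcast member list that Bonita writes to
<TOMCAT_HOME>/logs/catalina.<date>.log against what the cluster configuration
allows. Not part of the Bonita bundle; the log and properties below are
constructed samples."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed log excerpt, shaped like the "Members [N] { ... }" block above.
SAMPLE_LOG = """\
INFO: Hazelcast cluster started
Members [2] {
  Member [localhost]:5701 - 30c4034e-44e6-402a-b909-689f8b6ef651
  Member [localhost]:5702 - 745d12e3-1496-4510-a6a0-018f6842313c this
}
INFO: Bonita platform started
"""

# Constructed excerpt of bonita-platform-sp-cluster-custom.properties.
SAMPLE_PROPS = """\
bonita.cluster.name=myBPMCluster
bonita.platform.cluster.hazelcast.tcpip.enabled=true
bonita.platform.cluster.hazelcast.multicast.enabled=false
bonita.platform.cluster.hazelcast.aws.enabled=false
bonita.platform.cluster.hazelcast.tcpip.members=localhost
"""


class Member(NamedTuple):
    host: str
    port: int
    uuid: str
    is_this: bool  # True for the node that wrote the log


_HEADER_RE = re.compile(r"Members \[(\d+)\] \{")
_MEMBER_RE = re.compile(r"Member \[([^\]]+)\]:(\d+) - ([0-9a-f-]{36})( this)?")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and # comments."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def parse_member_blocks(log: str) -> List[Tuple[int, List[Member]]]:
    """Return (declared_count, members) for each Members block, oldest first.
    Hazelcast prints a new block on every membership change, so the last one
    is the current view of the cluster."""
    blocks: List[Tuple[int, List[Member]]] = []
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        header = _HEADER_RE.search(lines[i])
        if header is None:
            i += 1
            continue
        declared, members = int(header.group(1)), []
        i += 1
        while i < len(lines) and lines[i].strip() != "}":
            m = _MEMBER_RE.search(lines[i])
            if m:
                members.append(Member(m.group(1), int(m.group(2)), m.group(3), m.group(4) is not None))
            i += 1
        blocks.append((declared, members))
        i += 1
    return blocks


def check_cluster(log: str, props_text: str, expected_nodes: int) -> List[str]:
    """Return findings; an empty list means the cluster looks as configured."""
    findings: List[str] = []
    blocks = parse_member_blocks(log)
    if not blocks:
        return ["no Hazelcast member list found: the node is not running in cluster mode"]
    declared, members = blocks[-1]
    if declared != len(members):
        findings.append(f"header announces {declared} members but {len(members)} are listed")
    if len(members) != expected_nodes:
        findings.append(f"expected {expected_nodes} nodes, found {len(members)}")
    if sum(m.is_this for m in members) != 1:
        findings.append("exactly one member should be marked 'this'")
    props = parse_properties(props_text)
    if props.get("bonita.platform.cluster.hazelcast.tcpip.enabled") != "true":
        findings.append("tcpip discovery is not enabled")
    if props.get("bonita.platform.cluster.hazelcast.multicast.enabled") == "true":
        findings.append("multicast discovery is enabled: any host on the LAN may try to join")
    allowed = {h.strip() for h in props.get("bonita.platform.cluster.hazelcast.tcpip.members", "").split(",") if h.strip()}
    for m in members:
        if m.host not in allowed:  # a node that joined without being listed
            findings.append(f"unexpected member {m.host}:{m.port} not in tcpip.members")
    return findings
```

The comparison uses the host strings exactly as Hazelcast prints them; if your tcpip.members list uses names while the log shows addresses (as in the single-node log earlier, which shows 192.168.56.1), resolve both sides to addresses before comparing.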

7.4.8. Test that the cluster works properly

Open the two portals in two different browsers (for example Chrome and Firefox). Two different browsers are needed because cookies are not isolated by port: in a single browser the session cookie set by localhost:8080 would also be sent to localhost:8081 and the two sessions would interfere.

Tomcat 1: localhost:8080/bonita
Tomcat 2: localhost:8081/bonita

• Now change something (like the name of a user) in the first Tomcat

• Check that you can see the modification directly from the Tomcat 2 portal

You shouldn't need to log out to see the updates; they should appear in real time.

Congrats, you finished the exercise!

Chapter 8. Security
8.1. Requirements

8.2. Instructions
Increase the security by:

• Change technical password

• Enable CSRF

• Enforce the password policy

• Enable the CORS (Tomcat)

• Enable SSL

• Restriction on the JAVA API

8.3. Correction
8.3.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

8.3.2. Change technical password

Bonita Engine has two kinds of technical users: platformAdmin, at platform level, and install, one per tenant.

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

Your local copy of the configuration is now up to date.

• edit the file

<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-community-custom.properties

and change:

## Bonita Tenant server core configuration
userName=install
userPassword=@training!

• edit the file

<SETUP_HOME>/platform_conf/current/platform_portal/platform-tenant-config.properties

The password has to be set in two different places

#For tenant
#Use this property to force the tenant used by the portal when logging in
#platform.tenant.default.id=0
platform.tenant.default.username=install
platform.tenant.default.password=@training!

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

• You can now log in to the portal with install / @training!

Change the Platform Admin

• Edit the file

<SETUP_HOME>/platform_conf/current/platform_engine/bonita-platform-community-custom.properties

and change it:

## Platform administrator
platformAdminUsername=platformAdmin
platformAdminPassword=@platformTraining!

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

• Log in to the portal as a user (walter.bates for example).

• Go to the Administrator profile, then click on Licence

• Use platformAdmin / @platformTraining! to access the licence information

Both passwords are stored in cleartext in these properties files, and setup push copies them into the platform configuration kept in the database. Restrict read access to <SETUP_HOME> (and to its backups) to the administrators who run the setup tool.

8.3.3. Security on a REST API

When you deploy a page, you then register it in a profile or in a Living Application, and access to the page is controlled by access to that profile (a Living Application is itself bound to a profile).

For a REST API extension, security is configured differently: the extension declares the permissions it requires, and the tenant's permission mapping says which profiles (or users) hold them.

• Get the REST API extension "PermissionAccess-1.0.0.zip" and load it in the portal (go to "Resource ⇒ ADD").

• To find the permission it requires, open the ZIP file and then its page.properties file

Figure 75. Access the propertie file

• In page.properties, search for the .permissions property:

PermissionAccess.permissions=TrainingAccess

The name of the permission is TrainingAccess

• Check the access: with the REST client, call the following URL

Item     Value
URL      http://localhost:8080/bonita/API/extension/checkAccess
Method   GET
Header   (none)
Body     (none)

You get a status 403

Figure 76. Error access

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

Your local copy of the configuration is now up to date.

• edit the file

<SETUP_HOME>/platform_conf/current/tenants/1/tenant_portal/custom-permissions-mapping.properties

and add:

profile|Training=[TrainingAccess]

It is not recommended to map a permission to a user by name. Map it to a profile instead, so that the administrator can later grant access simply by adding users to that profile, without touching the configuration.

Save the file.

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

• Stop and start the server in <BUNDLE_HOME>

> stop-bonita

> start-bonita

(.sh or .bat according to your platform)

• Create a profile Training: go to "Organization ⇒ Profile" and click on ADD

Name the new profile Training

Figure 77. Create a profile

• Register Walter.Bates in this profile

Figure 78. Register Walter Bates

• Run the REST API call again: you now get a status 200

Figure 79. Register Walter Bates

• Log in as Helen.Kelly and run the REST API call again: you get a status 403. Only members of the Training profile (here Walter.Bates) can access this REST API extension.
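The 403 / 200 / 403 sequence above is the REST API extension filter resolving the extension's declared permission through the tenant's permission mapping and the caller's profiles. The following added Python model (not Bonita's code) reproduces that resolution with the exercise's values and shows why the note above prefers profile mappings. The user-level line user|walter.bates=[TrainingAccess] is a constructed example of the discouraged form, and the user-to-profile table is constructed as well; Bonita keeps that table in its database.

```python
"""Added example: a model of how a REST API extension's declared permission,
the tenant's custom-permissions-mapping.properties and the caller's profiles
turn into the 200 / 403 answers seen above. Not Bonita's code; the profile
table and the user-level mapping line are constructed."""
import re
from typing import Dict, Set

# The line the exercise looks up in the extension's page.properties.
PAGE_PROPERTIES = "PermissionAccess.permissions=TrainingAccess\n"

# custom-permissions-mapping.properties as edited in the exercise ...
MAPPING_BY_PROFILE = "profile|Training=[TrainingAccess]\n"
# ... and the discouraged per-user form (constructed example).
MAPPING_BY_NAME = "user|walter.bates=[TrainingAccess]\n"

# Constructed profile membership: Bonita stores this in its database.
USER_PROFILES: Dict[str, Set[str]] = {
    "walter.bates": {"Administrator", "User", "Training"},
    "helen.kelly": {"User"},
}

_MAPPING_RE = re.compile(r"^(user|profile)\|([^=]+)=\[([^\]]*)\]$")


def parse_mapping(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """-> {"user": {login: permissions}, "profile": {profile: permissions}}"""
    mapping: Dict[str, Dict[str, Set[str]]] = {"user": {}, "profile": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MAPPING_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised mapping line: {line!r}")
        kind, name, perms = m.groups()
        mapping[kind].setdefault(name.strip(), set()).update(
            p.strip() for p in perms.split(",") if p.strip())
    return mapping


def required_permissions(page_properties: str, extension: str) -> Set[str]:
    """Permissions the extension declares; empty if it declares none."""
    prefix = f"{extension}.permissions="
    for line in page_properties.splitlines():
        if line.startswith(prefix):
            return {p.strip() for p in line[len(prefix):].split(",") if p.strip()}
    return set()


def granted_permissions(login: str, mapping: Dict[str, Dict[str, Set[str]]],
                        profiles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions mapped to the login itself and to its profiles."""
    granted = set(mapping["user"].get(login, set()))
    for profile in profiles.get(login, set()):
        granted |= mapping["profile"].get(profile, set())
    return granted


def check_access(login: str, mapping_text: str,
                 profiles: Dict[str, Set[str]] = USER_PROFILES,
                 extension: str = "PermissionAccess") -> int:
    """HTTP status the extension call gets: 200 when every declared permission
    is granted, 403 otherwise. An extension declaring no permission is open to
    every logged-in user in this model, so always declare one."""
    required = required_permissions(PAGE_PROPERTIES, extension)
    mapping = parse_mapping(mapping_text)
    return 200 if required <= granted_permissions(login, mapping, profiles) else 403
```

With the profile mapping, giving Helen Kelly the Training profile in the portal is enough for her to get a 200. With the per-user line, an administrator has no way to grant her access without editing the file and pushing the configuration again.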

8.3.4. Enable CSRF

Protect the server against Cross-Site Request Forgery (CSRF) attacks.

On a new installation, CSRF protection is enabled by default. If you migrated a Bonita server from a version earlier than 7.3, it may have been left disabled to keep existing clients compatible.

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

• edit the file

<SETUP_HOME>/platform_conf/current/platform_portal/security-config.properties

Set the property to true:

#Enable/disable CSRF security filter
security.csrf.enabled true

With the filter enabled, the portal issues an anti-CSRF token at login in the X-Bonita-API-Token cookie, and rejects state-changing REST calls (POST, PUT, DELETE) that do not repeat that value in an X-Bonita-API-Token request header. REST clients and custom pages that call the API must therefore send this header, which is also why it appears in the CORS filter configuration later in this chapter.

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

• Verify that the portal works normally

see https://documentation.bonitasoft.com/bonita/7.6/csrf-security

8.3.5. Enforce the password policy

By default, user passwords are stored in the Bonita database in protected form, but no password policy is enforced, so any simple password is accepted.

If Single Sign-On or LDAP authentication is set up, the password stored in the database is no longer used. This setting therefore only matters if passwords are kept in Bonita.

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

• edit the file

<SETUP_HOME>/platform_conf/current/tenants/1/tenant_portal/security-config.properties

Set the security.password.validator to RobustnessPasswordValidator:

security.password.validator org.bonitasoft.web.rest.server.api.organization.password.validator.RobustnessPasswordValidator

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

• Change a password:

By default, only the administrator can change the password of a user. Use the ChangePassword custom page to let users change their own password (described later).

• Connect as Walter.Bates

• Go to the Administrator profile, then "Organization ⇒ Users"

• Select a user (for example Isabel Bleasdale) and go to the Password tab

• Change the password to abc: you get an error

Figure 80. Error when password does not respect the policy

See https://documentation.bonitasoft.com/bonita/7.6/enforce-password-policy. Enforcing the policy requires passwords to be:

• at least 10 characters long

• at least 2 special characters

• at least 2 upper case characters

• at least 2 lower case characters

• at least 3 digits

Try the password

HelloThisIsTheTraining@2018!

This password is accepted

Figure 81. Error when password does not respect the policy
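An added reimplementation of the five rules listed above (not Bonita's RobustnessPasswordValidator class), useful to check a password before scripting its creation. Which characters count as "special" is not stated on the page, so the code assumes any non-alphanumeric character qualifies.

```python
"""Added example: the password policy enforced above, reimplemented so that a
candidate password can be checked before it is set (e.g. when scripting user
creation). Not Bonita's RobustnessPasswordValidator; what counts as a
"special character" is not stated on the page, so any non-alphanumeric
character is assumed to qualify."""
from typing import List

MIN_LENGTH, MIN_SPECIAL, MIN_UPPER, MIN_LOWER, MIN_DIGITS = 10, 2, 2, 2, 3


def password_violations(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it is accepted."""
    counts = {
        "length": len(password),
        "special": sum(not c.isalnum() for c in password),  # assumption, see above
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
    }
    rules = [
        (f"at least {MIN_LENGTH} characters long", counts["length"] >= MIN_LENGTH),
        (f"at least {MIN_SPECIAL} special characters", counts["special"] >= MIN_SPECIAL),
        (f"at least {MIN_UPPER} upper case characters", counts["upper"] >= MIN_UPPER),
        (f"at least {MIN_LOWER} lower case characters", counts["lower"] >= MIN_LOWER),
        (f"at least {MIN_DIGITS} digits", counts["digit"] >= MIN_DIGITS),
    ]
    return [rule for rule, satisfied in rules if not satisfied]


def is_robust(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password)
```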

8.3.6. Enable the CORS (Tomcat)

CORS (Cross-Origin Resource Sharing) is the mechanism by which the server tells browsers which other origins are allowed to call its REST API. It has nothing to do with framing: protecting the portal against being loaded in a hidden frame (clickjacking) is done with the X-Frame-Options response header, not with CORS.

If you try to call the REST API from a page hosted on another domain (or another port) than the one of the Tomcat bundle, you will face errors due to the same-origin policy enforced by web browsers; enabling the CORS filter below lifts that restriction for the listed origins. The exercise uses cors.allowed.origins=* for convenience. In production, list the exact origins of your front ends instead: with a wildcard, any web site a logged-in user visits may be able to read API responses with that user's session, depending on the Tomcat version's default for cors.support.credentials.
• Modify the Bonita web.xml configuration: edit

<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml

• Search for the last filter part (should be the filter name UrlRewriteFilter)

• Add this definition

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET, HEAD, POST, PUT, DELETE, OPTIONS</param-value>
  </init-param>

  <!-- List of the response headers other than simple response headers that the
       browser should expose to the author of the cross-domain request through the
       XMLHttpRequest.getResponseHeader() method. The CORS filter supplies this
       information through the Access-Control-Expose-Headers header. -->
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-Bonita-API-Token</param-value>
  </init-param>

  <!-- The names of the supported author request headers. These are advertised through
       the Access-Control-Allow-Headers header. The CORS Filter implements this by
       simply echoing the requested value back to the browser. -->
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Bonita-API-Token</param-value>
  </init-param>
</filter>

• Search for the first filter-mapping and then add

 <filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

• Stop and start the server in <BUNDLE_HOME>

> stop-bonita

> start-bonita

(.sh or .bat according to your platform)

Check that the portal works correctly

See https://documentation.bonitasoft.com/bonita/7.6/enable-cors-in-tomcat-bundle

8.3.7. Enable SSL

This enables you to use secure HTTP (HTTPS) to access the portal.

• Run the Java keytool to create a self-signed certificate and store it in a keystore.

keytool is located in the bin directory of the JRE / JDK. If you are using Windows, you need to run keytool as administrator. Create the directory conf/ssl before running the command.

mkdir <TOMCAT_HOME>\conf\ssl
keytool -genkey -alias tomcat -keyalg RSA -keystore <TOMCAT_HOME>\conf\ssl\keystore.jks

Answer the questions that keytool asks. When asked for your first and last name, provide the hostname of your system: it becomes the certificate's CN, which browsers compare with the host in the URL. We use the password bonita! for the keystore.

A file named keystore.jks is created. The self-signed certificate it holds is fine for this exercise only; a real deployment needs a certificate issued by a CA that your users' browsers trust, and a keystore readable only by the account running Tomcat.

• Edit

<TOMCAT_HOME>/conf/server.xml

and include the following configuration for the Connector:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           URIEncoding="UTF-8"
           keystoreFile="${catalina.base}/conf/ssl/keystore.jks"
           keystorePass="bonita!"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1"></Connector>

Two settings in this connector are acceptable for the exercise but not beyond it. SSLProtocol="TLSv1" restricts the connector to TLS 1.0, which is deprecated (RFC 8996) and disabled in current browsers; use TLSv1.2 or later instead (check the Connector documentation of your Tomcat version for the exact attribute, since it changed with Tomcat 8.5). The keystore password is in cleartext in server.xml, so restrict read access on server.xml and on conf/ssl to the account that runs Tomcat. SSLVerifyClient="optional" makes the server ask browsers for a client certificate without requiring one; drop it unless you intend to deploy mutual TLS.

• Edit

<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml

and add the following security definition:

web-app is the main node in the XML. So, just add close to the end of the file, after
 </welcome-file-list>

<web-app>
  ...
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Bonita Portal Secure URLs</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
</web-app>

Start Tomcat:

> start-bonita

(.sh or .bat according to your platform)

Check that everything is correctly configured by opening https://127.0.0.1:8443/bonita in your browser. Your browser warns you about the certificate used for the HTTPS connection, because it is self-signed (and, unless you typed 127.0.0.1 as its name, its CN does not match the address); for this exercise you can add an exception for it. Users of a real deployment should never be trained to click through that warning, which is another reason to use a CA-issued certificate there.

8.3.8. Restriction on the JAVA API

It is possible to connect to the Bonita Engine through its Java API, which the bundle also exposes over HTTP through the HttpAPIServlet mapped on /serverAPI/*. The REST API permission mappings seen earlier do not apply to it: once a client has logged in, it can call every engine method.

So this entry point should be closed when no external client needs it, or restricted (for example by a reverse proxy rule) to the hosts that do. Note that the LDAP Synchronizer of Chapter 9 uses exactly this HTTP entry point, so you will need to re-enable it for that exercise.

• Edit

<TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml

and search for the servlet HttpAPIServlet. Comment out its declaration:

<!-- For engine HTTP API -->
<!--
<servlet>
  <servlet-name>HttpAPIServlet</servlet-name>
  <servlet-class>org.bonitasoft.engine.api.internal.servlet.HttpAPIServlet</servlet-class>
</servlet>
-->

and its mapping:

<!-- For engine HTTP API -->
<!--
<servlet-mapping>
  <servlet-name>HttpAPIServlet</servlet-name>
  <url-pattern>/serverAPI/*</url-pattern>
</servlet-mapping>
-->

• stop and restart the server

> stop-bonita

> start-bonita

(.sh or .bat according to your platform)

• The engine HTTP API under /serverAPI/ is no longer served. Note also that, because of the CONFIDENTIAL constraint added in the SSL step, http://localhost:8080/bonita is now redirected (through the HTTP connector's redirectPort) to https://localhost:8443/bonita, which is the URL to use from now on.
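To spot the settings of this chapter again after the exercise (a wildcard CORS origin, a connector pinned to an obsolete TLS version with its keystore password inline, the engine HTTP API still mapped, HTTPS not enforced), here is an added audit script. It is not part of the Bonita bundle; the two XML documents inside it are constructed, trimmed versions of server.xml and web.xml in the shape this chapter produces, and the script reads the same attribute and element names as the real files, so pointing it at them (ET.parse on the real paths) works the same way.

```python
"""Added example: audit the settings this chapter changes in
<TOMCAT_HOME>/conf/server.xml and <TOMCAT_HOME>/webapps/bonita/WEB-INF/web.xml
and report the ones that are fine for the exercise but not for production.
Not part of the Bonita bundle; the two XML documents are constructed, trimmed
samples in the shape of the real files."""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/ssl/keystore.jks"
               keystorePass="bonita!" SSLVerifyClient="optional" SSLProtocol="TLSv1"/>
  </Service>
</Server>"""

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
  </filter>
  <servlet>
    <servlet-name>HttpAPIServlet</servlet-name>
    <servlet-class>org.bonitasoft.engine.api.internal.servlet.HttpAPIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HttpAPIServlet</servlet-name>
    <url-pattern>/serverAPI/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Protocol versions that must not be offered any more (RFC 7568 / RFC 8996).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _local(tag: str) -> str:
    """Element name without the XML namespace that web.xml declares."""
    return tag.rsplit("}", 1)[-1]


def _named(root: ET.Element, name: str) -> List[ET.Element]:
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_server_xml(xml_text: str) -> List[str]:
    """Findings on the TLS connector(s); empty list means nothing to report."""
    findings: List[str] = []
    tls_connectors = [c for c in _named(ET.fromstring(xml_text), "Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not tls_connectors:
        findings.append("server.xml: no SSLEnabled connector, the portal is only reachable over cleartext HTTP")
    for conn in tls_connectors:
        port = conn.get("port")
        protocols = {p.strip() for p in (conn.get("SSLProtocol") or conn.get("sslProtocol") or "TLS").split(",")}
        obsolete = sorted(protocols & OBSOLETE_PROTOCOLS)
        if obsolete:
            findings.append(f"server.xml: connector {port} enables obsolete protocol(s) {obsolete}; use TLSv1.2 or later")
        if conn.get("keystorePass"):
            findings.append(f"server.xml: keystorePass for connector {port} is in cleartext; restrict read access to server.xml")
    return findings


def audit_web_xml(xml_text: str) -> List[str]:
    """Findings on CORS, the engine HTTP API mapping and the HTTPS constraint."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for flt in _named(root, "filter"):
        if _child_text(flt, "filter-class").endswith(".CorsFilter"):
            for param in _named(flt, "init-param"):
                if _child_text(param, "param-name") == "cors.allowed.origins" and _child_text(param, "param-value") == "*":
                    findings.append("web.xml: CorsFilter allows every origin (*); list the real front-end origins instead")
    for mapping in _named(root, "servlet-mapping"):  # commented-out mappings are not parsed, hence not reported
        if _child_text(mapping, "servlet-name") == "HttpAPIServlet":
            findings.append(f"web.xml: engine HTTP API is exposed at {_child_text(mapping, 'url-pattern')}; "
                            "disable it unless a client such as the LDAP Synchronizer needs it")
    if not any(_child_text(c, "transport-guarantee") == "CONFIDENTIAL"
               for c in _named(root, "user-data-constraint")):
        findings.append("web.xml: no CONFIDENTIAL transport guarantee, plain HTTP is not redirected to HTTPS")
    return findings
```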

Congrats, you finished the exercise!

Chapter 9. LDAP synchronization (online LDAP example)
9.1. Prerequisites
• Unzipped BonitaBPMSubscription-7.x.y-deploy folder

• Internet connection to this website: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

9.2. Requirements
Even if we use LDAP for authentication, our users must still be registered in the Bonita database for authorization purposes. The requirement is to set up synchronization between an LDAP source and the Bonita database.

9.3. Instructions
We will use the public test LDAP server ldap.forumsys.com, so we only need to configure the LDAP Synchronizer.

• Configure LDAP Synchronizer

◦ Configure the connection to the Bonita Engine in order to use HTTP

◦ Edit LDAP synchronizer configuration file (bonita.properties) and technical user credentials

◦ Edit LDAP synchronizer configuration file for the LDAP connection (ldap.properties)

◦ Edit the file that defines mapping of data between Bonita organization and LDAP attributes
(mapper.properties)

◦ Edit sync.properties to specify how the synchronization is performed (entry point for users' lookup, logging, …)

• Run the LDAP synchronizer in order to copy LDAP information to Bonita organization

9.4. Correction
9.4.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

<LDAP_SYNCHRONIZER> Location of the Ldap Synchronizer

9.4.2. Configure LDAP Synchronizer

• LDAP Synchronizer is included in the Deploy component. In the Customer Portal download page, search for BonitaSubscription-7.x.y-deploy.zip and download it

• unzip the file on your disk, and go to the subdirectory

BonitaBPMSubscription-7.x.y-deploy/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

This last one will be represented by

<LDAP_SYNCHRONIZER>

Configure Bonita Properties

LDAP Synchronizer relies on the Bonita client Java library to push information to the Bonita Engine. Since it runs as a standalone Java application, it cannot use direct (in-JVM) access to the engine, so we set up the Bonita client to communicate over HTTP. This is the engine HTTP API served by HttpAPIServlet under /serverAPI: if you disabled it in the Security chapter, re-enable it for this exercise, and use an https:// serverUrl if you forced HTTPS.

The LDAP Synchronizer can run multiple domain, i.e. multiple tenant. Each tenant
 configuration has its own directory, where Tenant 1 is "1" or "default". In the next
part, we use the directory "default" to configure the tenant 1.

Edit the file:

<LDAP_SYNCHRONIZER>/conf/default/bonita.properties

Setup the correct connection, for example:

######
# Bonita connection settings
######
# Access type to the server - use EJB3,HTTP
apiType=HTTP

# Url to connect to the server
serverUrl=http://localhost:8080

# Application name
applicationName=bonita

# ejbReference to access the server via the EJB protocol
# ejbReference=bonita

######
# Bonita connection settings
######
#bonita_home = <PathToBonitaHome>
######
# Bonita account used for sync (needs admin privileges)
######
login = install
password = install
technicalUser = platformAdmin
technicalPassword = platform

The login/password pair is used by the LDAP Synchronizer to connect to the engine and create or update users. A different account can be used, but make sure the synchronizer does not deactivate that account itself: since it is not in the LDAP directory, list it in bonita_nosync_users (see sync.properties below). The technical user install is ignored by the synchronizer because it is not a real organization user.

The platformAdmin credentials are needed to get the list of existing tenants. No tenant is created or removed by the LDAP Synchronizer. Use the passwords you actually set in the Security chapter, and keep this file readable only by the account that runs the synchronizer, since it holds them in cleartext.

Configure ldap.properties

Edit the file:

<LDAP_SYNCHRONIZER>/conf/default/ldap.properties

and specify the information needed to connect to your LDAP server. Note that host_url uses plain ldap:// and auth_type=simple, so the bind password travels in cleartext; this is acceptable for the public test server only. Against a real directory use ldaps:// (or StartTLS) with a dedicated read-only service account, and protect this file, which stores principal_password in cleartext.

######
# LDAP connection settings
######
host_url = ldap://ldap.forumsys.com:389
auth_type = simple

######
# LDAP account used for browsing
######
principal_dn = cn=read-only-admin,dc=example,dc=com
principal_password = password

######
# User type ('person' for LDAP, 'user' for AD)
######
directory_user_type = person

######
# Paged search
# Not supported by all LDAP servers
######
use_paged_search = false
page_size = 1000

Configure mapper.properties

Edit

<LDAP_SYNCHRONIZER>/conf/default/mapper.properties

file to map to Bonita organization fields the LDAP attributes

######
# MAPPER CONFIGURATION
# Provides the field mapping between Bonita to LDAP such as:
# bonita_poperty = ldap_property
#
# user_name is the only mandatory property as it is the key defined for matching
# users, all other properties are optionals.
# Unused properties should be commented out.
# Bonita meta data is not supported in current version (v4)
######
######
# GENERAL INFORMATIONS
######

user_name = uid
first_name = givenName
last_name = sn
#title =
#job_title =
#manager =
#delegee =

######
# PROFESSIONAL INFORMATIONS
######
pro_email = mail
#pro_phone =
#pro_mobile =
#pro_fax =
#pro_website =
#pro_room =
#pro_building =
#pro_address =
#pro_city =
#pro_zip_code =
#pro_state =
#pro_country =
######
# PERSONNAL INFORMATIONS
######
#perso_email =
#perso_phone =
#perso_mobile =
#perso_fax =
#perso_website =
#perso_room =
#perso_building =
#perso_address =
#perso_city =
#perso_zip_code =
#perso_state =
#perso_country =

Configure sync.properties

Edit

<LDAP_SYNCHRONIZER>/conf/default/sync.properties

# WARNING: To use a special character in this properties file, escape it and give the
Unicode value. For example, à = \u00E0.
# To find the Unicode equivalent of a character, see http://unicode-table.com/en/.
# or use the native2ascii program from the JDK.

######
# SYNCHRONIZATION CONFIGURATION
# Provides the settings for the synchronization between Bonita and LDAP
# See also mapper.conf
######

######
# ERROR BEHAVIOR SETTINGS
# Defines the synchronization error behavior settings
######

# Specifies whether an error should be blocking upon getting related users (manager)
error_level_upon_failing_to_get_related_user = warn

######
# LDAP SYNC SEARCH SETTINGS
# Defines the LDAP watched directory
######

# Declare a list of LDAP watched directories
ldap_watched_directories = dir1,dir2

# Specify dir1 settings
dir1.ldap_search_dn = ou=mathematicians,dc=example,dc=com
dir1.ldap_search_filter = cn=*

# Specify dir2 settings
dir2.ldap_search_dn = ou=scientists,dc=example,dc=com
dir2.ldap_search_filter = cn=*

######
# BONITA USER SYNC SETTINGS
######

# Specifies the username case of the Bonita imported users
bonita_username_case = lowercase

# Specify Bonita users who should not be synchronized (user names separated by commas)
#bonita_nosync_users = admin,john,james,jack

# Specifies whether the tool should deactivate Bonita users which are not present in
LDAP
bonita_deactivate_users = true

# Specifies whether the tool should reactivate Bonita users which are updated in LDAP
bonita_reactivate_users = true

# Specify the role that will be affected to Bonita users
bonita_user_role = user

bonita_user_custominfo_policy = partial

# if a 'User Custom Information' is declared in the mapper.properties but doesn't
# exist in the Bonita Database, the 'User Custom Information' is created.
allow_custominfo_creation = true

######
# LDAP GROUP SYNC SETTINGS
# Defines the LDAP groups that are synchronized
######

# Specifies whether recursive groups (sub groups) should also be synchronized
allow_recursive_groups = true

# List of groups to synchronize
ldap_groups = group1, group2

# Specify group1 settings


group1.ldap_group_dn = ou=mathematicians,dc=example,dc=com
group1.forced_bonita_group_name = mathematicians

# Specify group2 settings: synch the group with specified dn but not users inside this
group
group2.ldap_group_dn = ou=scientists,dc=example,dc=com
group2.forced_bonita_group_name = scientists

You can comment out or remove the ldap_search_filter_groups properties for this example.

You should always avoid deleting users from the Bonita organization. When a user performs a task, Bonita Engine keeps the link between the task and the user; if you delete the user account, that link is left broken. Deactivating users (bonita_deactivate_users=true) keeps the history intact while preventing logins.
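The deactivation settings above interact with the account the synchronizer itself logs in with (login in bonita.properties). The following added Python model (not the LDAP Synchronizer's code) applies bonita_username_case, bonita_deactivate_users, bonita_reactivate_users and bonita_nosync_users to a constructed Bonita user list and to the ten uids published by the test directory, and shows that without a bonita_nosync_users entry the synchronizer account (called ldapsync here, a constructed name) ends up in the deactivation list. The technical users install and platformAdmin are excluded as stated above; anything beyond these documented switches is an assumption of the model.

```python
"""Added example: a model of what the sync.properties switches above do to the
Bonita user list. Not the LDAP Synchronizer's code: only the switches shown on
the page are modelled, and the user lists are constructed (the ten uids are
those published by the ldap.forumsys.com test directory)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

LDAP_UIDS = ["einstein", "newton", "galieleo", "tesla", "training",
             "euclid", "riemann", "euler", "gauss", "test"]

# Constructed Bonita organization before the run: login -> enabled flag.
# "ldapsync" stands for the account named in bonita.properties (login=...).
BONITA_USERS: Dict[str, bool] = {
    "walter.bates": True, "helen.kelly": True, "ldapsync": True, "euclid": False,
}

# Constructed excerpt of sync.properties (bonita_nosync_users still commented out).
SAMPLE_SYNC_PROPS = """\
bonita_username_case = lowercase
#bonita_nosync_users = admin,john,james,jack
bonita_deactivate_users = true
bonita_reactivate_users = true
"""

# Technical users are not organization users and never enter the plan.
TECHNICAL_USERS = {"install", "platformAdmin"}


@dataclass
class SyncPlan:
    create: List[str] = field(default_factory=list)
    reactivate: List[str] = field(default_factory=list)
    deactivate: List[str] = field(default_factory=list)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key = value parser: skips blank lines and # comments."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}


def plan_sync(ldap_uids: List[str], bonita_users: Dict[str, bool], props_text: str) -> SyncPlan:
    """Decide which Bonita users would be created, reactivated or deactivated.
    Assumption: 'lowercase' is the only bonita_username_case value shown on the
    page; any other value leaves the uid unchanged here."""
    props = parse_properties(props_text)
    lower = props.get("bonita_username_case") == "lowercase"
    ldap_logins: Set[str] = {uid.lower() if lower else uid for uid in ldap_uids}
    protected = {u.strip() for u in props.get("bonita_nosync_users", "").split(",") if u.strip()}
    protected |= TECHNICAL_USERS
    plan = SyncPlan()
    for login in sorted(ldap_logins - protected):
        if login not in bonita_users:
            plan.create.append(login)
        elif not bonita_users[login] and props.get("bonita_reactivate_users") == "true":
            plan.reactivate.append(login)
    if props.get("bonita_deactivate_users") == "true":
        # Enabled Bonita users absent from LDAP are switched off, unless protected:
        # this is where an unlisted synchronizer account locks itself out.
        plan.deactivate = sorted(login for login, enabled in bonita_users.items()
                                 if enabled and login not in ldap_logins and login not in protected)
    return plan
```

Run against the constructed data, the plan without a bonita_nosync_users line deactivates walter.bates, helen.kelly and the ldapsync account; adding the three logins to bonita_nosync_users empties the deactivation list while leaving the creations unchanged.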

9.4.3. Execute LDAP Synchronizer

To start the LDAP Synchronizer, execute the script

<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

and check the log file in the

<LDAP_SYNCHRONIZER>/logs

folder to make sure that everything ran flawlessly.

You should see users being created in a log message such as:

avr. 24, 2018 4:56:00 PM com.bonitasoft.ldapsynchronizer.user.UserSync getUsersToCreate
INFOS: Bonita users to create: 10

After synchronization, if you try to log in to the Bonita portal with a user added from the LDAP directory, it does not work. This is because the authentication service still checks the user's credentials in the Bonita database, and the LDAP Synchronizer does not synchronize passwords. To log in, use one of the following options:

• Set a password in Bonita:

◦ Log in with the user install / password install

◦ Select one user of your choice

◦ Update the password through the portal: click on MORE… and then open the Password tab

Figure 82. Change the password

◦ Change it to bpm

◦ Log out, then log in with the new user credentials

Figure 83. Change the password

• Change the authentication method to check credentials in LDAP (next exercise).

9.4.4. Test synchronization

Log in again with your user. This time the Bonita portal authenticates you and you should be able to display the task list view.

9.4.5. Synchronize the Custom information

You can add on each user some custom attributes, and then you can synchronize them from any
LDAP attributes.

Add custom information

Bonita Organization comes with a full set of attributes for users (email, phones, building, etc.), but it is also possible to create custom information.

• Custom information can be defined in the Bonita Studio

◦ In the studio, go to "Organization ⇒ Define"

◦ Select the organization ACME, and click on Next

◦ Click Next until the Organization users window

◦ Select one user, then click on the Custom tab

Figure 84. Access the custom information

• Click on manage custom information

• Add a new custom information : otherPhone

• Export the organization, and reimport it

 after the reimport, all ACME users will be re-activated

• Select a user (i.e. walter.bates), click on MORE… and then on the tab Custom information the
new custom information has to be present.

• Configure Ldap Synchronizer

◦ Custom information can be updated by the LDAP Synchronizer, switching the property in
the sync.properties file

bonita_user_custominfo_policy = scope
allow_custominfo_creation = true

With scope, all mapped custom attributes are updated, and set to null when the LDAP object has no value for them.

Change the Mapper

Unfortunately the online LDAP provider we are using is not rich in attributes, so for this exercise we treat the telephone number as a custom attribute.

Edit mapper.properties

<LDAP_SYNCHRONIZER>/conf/default/mapper.properties

add the new rules to update information:

######
# CUSTOM ATTRIBUTE INFORMATIONS
######

custom_otherPhone = telephoneNumber

Run the Synchronizer

Restart the LDAP Synchronizer by executing the script

<LDAP_SYNCHRONIZER>/BonitaBPMSubscription-7.x.y-LDAP-Synchronizer

Verify the Result

Verify the result: connect as the install user and open the user einstein.

Open the Custom information tab and check that the information has been updated. (Not all users have this attribute in the directory.)

Congrats, you finished the exercise!

Chapter 10. Bonita LDAP authentication (online LDAP example)
10.1. Prerequisites
• Internet connection to this website: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

10.2. Requirements
One of the options for Bonita authentication is to use a ldap source directly, without using SSO. The
objective of this exercise is to configure LDAP authentication.

10.3. Instructions
• Configure the Engine to rely on the JAAS authentication service implementation (cfg-bonita-authentication-impl.xml)

• Configure the JAAS Login Context to use LDAP Login Module in order to perform authentication
against LDAP instead of Bonita users database

10.4. Correction
10.4.1. Names

<BUNDLE_HOME> Location of the bundle

<TOMCAT_HOME> <BUNDLE_HOME>/server/

<SETUP_HOME> <BUNDLE_HOME>/setup/

10.4.2. Pull the configuration

As explained in the documentation: https://documentation.bonitasoft.com/bonita/7.6/BonitaBPM_platform_setup

• Stop Bonita Platform in <BUNDLE_HOME>

> stop-bonita

(.sh or .bat according to your platform)

• Retrieve the latest configuration with setup pull in <SETUP_HOME>

> setup pull

(.sh or .bat according to your platform)

It will get the current configuration and put it in the <SETUP_HOME>/platform_conf/current folder.

• Modify the configuration files inside the <SETUP_HOME>/platform_conf/current folder accordingly.

10.4.3. JAAS configuration

Authentication will rely on two parts:

• JAAS (standard JVM service) configuration

• A specific Bonita Engine authentication service implementation that relies on JAAS

JAAS configuration is done at JVM level and requires a configuration file. From the provided files, copy jaas-bonita-ldap.cfg into

<TOMCAT_HOME>/conf

The content of the file is

BonitaAuthentication-1 {
  com.sun.security.auth.module.LdapLoginModule sufficient
  userProvider="ldap://ldap.forumsys.com:389/cn=read-only-admin,dc=example,dc=com"
  authIdentity="cn=read-only-admin,dc=example,dc=com"
  debug=true
  useSSL=false;
};

Three things to know about this file before reusing it outside the exercise:

• authIdentity contains no {USERNAME} token. LdapLoginModule therefore binds with the fixed DN cn=read-only-admin,dc=example,dc=com for every login attempt, using the password typed by the user: any username is accepted as long as that account's password is supplied. It only appears to work here because every account of the test server, read-only-admin included, has the password "password". Use a DN template instead, for example authIdentity="uid={USERNAME},dc=example,dc=com", which is the form of the user entries in this test directory; the DN part of userProvider is the search base and would normally be dc=example,dc=com.

• useSSL=false sends the bind password in cleartext over ldap://; against a real directory use ldaps:// (or StartTLS) and useSSL=true.

• debug=true writes the details of every login attempt to the server log; turn it off once the setup works.

• The JVM finds the JAAS configuration file through the system property java.security.auth.login.config. To define it, edit the file

<SETUP_HOME>/tomcat-templates/setenv.bat (or .sh)

and uncomment the SECURITY_OPTS line, replacing the file name by jaas-bonita-ldap.cfg. The line must be:

set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas-bonita-
ldap.cfg"

• Modify the CATALINA_OPTS property to add %SECURITY_OPTS% after %PLATFORM_SETUP% in the list of CATALINA_OPTS, like this:

set CATALINA_OPTS=%CATALINA_OPTS% %PLATFORM_SETUP% %SECURITY_OPTS% %H2_DATABASE_DIR% ...

10.4.4. Bonita authentication service configuration

• Modify the properties file in order to use the JAAS implementation of the login service:

Edit the file:

<SETUP_HOME>/platform_conf/current/tenants/1/tenant_engine/bonita-tenant-sp-custom.properties

Comment out the authenticationService line (if not already done) and add a new line:

authentication.service.ref.name=jaasAuthenticationService

10.4.5. Push the configuration

• Save the configuration with setup push in <SETUP_HOME>

> setup push

(.sh or .bat according to your platform)

10.4.6. Test

• Stop and start the server in <BUNDLE_HOME>

> stop-bonita

> start-bonita

(.sh or .bat according to your platform)

• Verify that the user euclid exists: connect as install and check that euclid is declared in the organization (it was created by the synchronizer in the previous exercise)

• Log on to the portal as euclid with the password "password", which is defined in the LDAP directory and not in Bonita

You can no longer use the password previously set in the Bonita Engine database; only the one stored in the LDAP directory (password) is checked.

If everything works fine you are able to connect with this user and password.

Congrats, you finished the exercise!
