Chapter 2. Installation options

Red Hat JBoss BPM Suite comes in two versions:
  • Executable jar installer for installation on Red Hat JBoss Enterprise Application Platform (EAP) 6.4.
  • Zip file install which itself comes in two versions:
    • jboss-bpmsuite-6.MINOR_VERSION-deployable-eap6.x.zip: version adapted for deployment on Red Hat JBoss Enterprise Application Platform (EAP 6.4).
    • jboss-bpmsuite-6.MINOR_VERSION-deployable-generic.zip: the deployable version with additional libraries adapted for deployment on Red Hat JBoss Web Server (EWS), Apache Tomcat 6, and Apache Tomcat 7.
Depending on your environment, you may choose the installation option best suited for your project needs.

Note

Red Hat JBoss BPM Suite is designed to work with UTF-8 encoding. If a different encoding system is used by the underlying JVM, unexpected errors might occur. To ensure UTF-8 is used by the JVM, use the following system property "-Dfile.encoding=UTF-8".

Important

From JBoss BPM Suite 6.1 onwards, you must have JBoss EAP 6.4 or better already installed before attempting to install JBoss BPM Suite.

Warning

In addition to the following install steps, we strongly recommend to set the system property org.kie.tx.lock.enabled to false in order to prevent unresponsiveness or deadlock issues. You can either start your server with the option -Dorg.kie.tx.lock.enabled=false or edit the standalone.xml file: 
<system-properties>
	<property name="org.kie.tx.lock.enabled" value="false"/>
	...
</system-properties>
For further details, please refer to this article: https://access.redhat.com/solutions/1610723.

2.1. The Red Hat JBoss BPM Suite Installer installation

This section describes the steps required to install Red Hat JBoss BPM Suite using the jar file installer installation method. The jar file is an executable file that installs JBoss BPM Suite on an existing JBoss EAP 6 installation.
From JBoss BPM Suite 6.1 onwards, you must have JBoss EAP 6.4 or better already installed in order to install JBoss BPM Suite.

Note

Due to IBM JDK not being able to use keystores generated on other JDKs, it is not possible to install JBoss BPM Suite into an existing JBoss EAP running on IBM JDK with a keystore generated on another JDK.

2.1.1. Downloading Red Hat JBoss BPM Suite for JBoss EAP

  1. Go to the Red Hat Customer Portal and log in.
  2. Click DownloadsProducts Downloads.
  3. In the Product Downloads page that opens, click Red Hat JBoss BPM Suite.
  4. From the Version drop-down menu, select version 6.1.
  5. Select Red Hat JBoss BPM Suite 6.1 Deployable for EAP 6.4 and then click Download.

2.1.2. Installing Red Hat JBoss BPM Suite Using the Installer

The installer for Red Hat JBoss BPM Suite is an executable Java jar file. You can use it to install JBoss BPM Suite on an existing EAP 6.4 installation.

Note

For security reasons, you should run the installer as a non-root user.
Prerequisite

Before attempting to install JBoss BPM Suite, ensure you have already installed Red Hat JBoss EAP 6.4 or better.

  1. Setup Location and Users

    Navigate to the folder where you downloaded the installer file in a command prompt and execute the following command.
    java -jar jboss-bpmsuite-6.1.0.GA-installer.jar

    Note

    When running the installer on Windows, you may be prompted to provide administrator credentials during the installation. To prevent this, add the izpack.mode=privileged option to the installation command: java -Dizpack.mode=privileged -jar jboss-bpmsuite-6.1.0.GA-installer.jar
  2. The graphical installer will execute and display a splash screen and a license agreement page. Accept the license to proceed.
  3. In the next screen, provide the parent location of an existing JBoss EAP where JBoss BPM Suite must be installed. The screenshot below depicts an example directory path:
    The image depicts the parent directory for the existing EAP installation.

    Figure 2.1. Red Hat JBoss BPM Suite for JBoss EAP Directory Path

  4. In the next two screens, create two users: the first one for the management console of the EAP (ManagementRealm) and the second one for managing JBoss BPM Suite itself (ApplicationRealm).
    Creation of the first user for the management console of JBoss EAP is optional and you may skip it if it is not required.
    Make a note of these usernames and passwords as you will need them to access the JBoss EAP server (if you do decide to create it) and the JBoss BPM Suite application respectively.
    Unless advanced configuration is performed, the JBoss BPM Suite user password will be used as the default password for both client and server JMS SSL keystores, as well as password vault keystores.

    Note

    The username that you create should not be the same as any of the pre-defined roles (See Section 4.1, “Defining Roles”).
    The passwords that you create must have at least 8 characters and must contain at least one number and one non-alphanumeric character (not including the character &).

    Note

    The application role assigned to the second user that you create is the admin role. You can assign additional roles to this user at this stage.

  5. Setup Security Environment

    Next, you will setup the security environment of your new JBoss BPM Suite install. Decide to enable or disable the Java Security Manager in this step by clicking on the check box. The Java Security Manager makes your system more secure but may downgrade performance. You need to make a decision based on your environment.
  6. Choose whether you want to setup pure IPv6 configuration on the server that the installation is taking place. This will allow you to setup runtime IPv6 specific configurations later.

  7. Configure Runtime Environment

    This step provides the option of using a default configuration or specifying an advanced configuration.

    • Default Configuration

      Choose default configuration for the runtime environment in the next step and click next to review the installation details. If you are happy with the details, click next to start the actual installation or click previous to go back and make changes.

    • Advanced Configuration

      Choose to enable advanced configuration options. Select "Perform advanced configuration" and choose the advanced configuration options you want to enable for your environment via the check boxes.
      Advanced Configuration Options

      Figure 2.2. Advanced Configuration Options

      • Configure Vault Password

        Vault passwords are used to obfuscate passwords in the various server descriptors using a java secret key generated during the installation process, or manually using the keytool. This prevents passwords from being stored as plain text in the descriptors. The iteration count and salt are both parameters to the encryption process.
        In the case of JBoss BPM Suite, a vault is always installed, even if the user does not choose to install one with their own parameters. When this occurs, default values will be used.
        For more information about vault passwords, see the Red Hat JBoss EAP Security Guide.
        Configure vault password

        Figure 2.3. Configure vault password

      • SSL Security

        This screen allows you to add the <ssl> and <truststore> elements to the ManagementRealm security-realm using the provided keystore.
        • The <ssl> element causes the server to present the certificate within the keystore as its identity, which allows the user to apply their official certificate.
        • The <truststore> element enables "Client-Cert" authentication. This means that, if a remote client attempts to connect to any resource managed by the ManagementRealm, the client can present a certificate, and if an entry in the truststore matches, will be authenticated without needing to provide a username / password.
        The end result is an encrypted connection that is secure between the client and the server for the ManagementRealm.
        SSL Configuration

        Figure 2.4. SSL Security Configuration

      • LDAP Security

        This step in the installer allows the user to define an LDAP server, which in turn defines users which should be allowed to authenticate with the ManagementRealm. This replaces the default configuration.
        The LDAP Connection screen allows users to define how to connect to the LDAP server.
        • The Distinguished Name(DN): the user that can connect to the LDAP server. Typically the DN will uniquely define a special user for this purpose.
        LDAP Connection

        Figure 2.5. LDAP Connection Configuration

        LDAP Security (Management Console)

        The Management Console LDAP Configuration screen allows you to set up a security realm. This defines the <security-realm> element to be added to the descriptors, and utilizes the connection defined previously.
        Secure Management Console with LDAP

        Figure 2.6. Management Console LDAP Configuration

        • Base DN: Will typically define a 'base search' or 'root context' to begin searching for users.
        • Filter type: Tells JBoss EAP how to find the LDAP attribute that defines a user; it is can be a simple attribute, but can also be a complex "LDAP Filter".
        • Username attribute: The LDAP attribute which holds the username values. A username entered in this field is used for search queries as a value of the 'uid' attribute. If a user chooses 'LDAP syntax query' as a filter type, this query must be specified in this field.
        • Recursive directory search: If enabled, JBoss EAP will traverse the LDAP tree recursively, starting at Base DN. Otherwise, the search will be limited to Base DN.

        LDAP Security (Business Central)

        Most of the following fields are similar to the Base DN. Contexts are used to search for roles, which allows it to perform authorization in addition to authentication. Otherwise, the context fields are analogous to the Base DN from the previous, and attribute fields are analogous to Username attribute. The filters allow fine grained control over which values of the given attribute will be accepted.
        In JBoss BPM Suite, the jbpm.usergroup.callback.properties and jbpm.user.info.properties files used by LDAPUserGroupInfo and LDAPUserInfo components of Task Service, are also filled by values entered on the Business Central LDAP Configuration page.
        Input values from Business Central LDAP Configuration page are used to configure a new security domain, which make use of LdapExtended login module. This security domain is set as default for Business Central web application. For more information about security domains and login modules, see the Red Hat JBoss EAP Security Guide.
        Business Central LDAP Configuration

        Figure 2.7. Business Central LDAP Configuration

      • Security Domain and JSSE

        The Security Domain screen allows you to configure all of the elements of the <security-domain> security subsystem for managing security information, including JSSE configuration. For more detailed information about configuring security domains, see the Red Hat JBoss EAP Security Guide.
        Add a Security Domain

        Figure 2.8. Security Domain

        Security Domain JSSE Configuration

        Figure 2.9. JSSE Configuration

      • Configure JMS SSL Keystores

        This screen allows the encryption of JMS messages sent to Business Central. The client keystores are distributed to systems that need to communicate with the server in order to facilitate encrypted communications. Users can use their pre-existing keystores or generate new ones.
        JMS Configuration

        Figure 2.10. Configure JMS SSL Keystores

  8. The installer will go through the steps to install JBoss BPM Suite and will perform post installation configuration steps when you click next. The installer will also start the JBoss BPM Suite server and connect to it to validate the installation. Click next to get to the last screen where you can generate the installation script and properties file. Click done to quit the installer.
You have successfully installed Red Hat JBoss BPM Suite using the installer.

2.1.3. Installing Red Hat JBoss BPM Suite using the Installer in CLI Mode

The installer for Red Hat JBoss BPM Suite can also be executed through the command-line interface (CLI). The procedure below demonstrates the steps that you are likely to encounter using this option to install JBoss BPM Suite.
Prerequisite

Before attempting to install JBoss BPM Suite, ensure you have already installed Red Hat JBoss EAP 6.4 or better.

  1. Navigate to the folder where you downloaded the installer file in a command prompt and execute the following command. 
    java -jar jboss-bpmsuite-6.1.0.GA-installer.jar -console
  2. The command-line interactive process will start and display the End-User license agreement. You will be prompted to select an option at the end of this license: 
    press 1 to continue, 2 to quit, 3 to redisplay.
  3. Enter 1 to begin the installation and type in the parent directory of an existing EAP installation. 
    The location below must specify the JBOSS_HOME of an existing EAP installation.

[/home/user/BPMSuite-6.1.0/jboss-eap-6.4]
    The installer will verify the location of the JBoss EAP installation at the provided location. Enter 1 to confirm and continue.
  4. Optional: Create a user for the management console of JBoss EAP (Management Realm): 
    Create an administrative user
This user will be added to the host container's management realm for administrative purposes. It can be used to access the management console, the management CLI or other applications secured in this realm.
    Enter 0 to skip creating a new administrative user or 1 to create one. If you do decide to create one, then follow these steps:
    1. Enter a username: 
      Admin username: [admin]
    2. Create and confirm a password for the user of the EAP management console: 
      The password must have at least 8 characters, and contain at least one number and one non-alphanumeric symbol (not including the character &).

Admin password: []

Confirm admin password: [******************************]
      After this user has been created successfully, continue to the next step.
  5. Create a JBoss BPM Suite admin user 
    Create a Business Process Management Suite Admin User
Create a BPM Suite admin user. The user will be added to the ApplicationRealm, and can be used to access the Business Central Console. The User will be assigned the 'admin' application roles. The BPM Suite username cannot be any of the following: 'admin', 'analyst', 'user', 'manager' or 'developer'.


BPM Suite username: [bpmsAdmin]
  6. Enter a username for this user and then create and confirm a password. 
    The password must have at least 8 characters, and contain at least one number and one non-alphanumeric symbol (not including the character &).

BPM Suite password: []

Confirm BPM Suite password: [****************]
  7. After the passwords have been entered and confirmed, you will be given an optional step to define other roles for this user (besides the admin role). Enter these roles in a comma separated list or just press enter to skip this part. 
    (Optional) You can add this user to additional roles that will be used for task management.  These roles are custom named and used again when building your processes with human tasks.  Add your custom named roles in a comma separated list below.

Additional user roles: []
  8. Configure the Java Security Manager by either pressing 1 to select it or 0 to deselect it. 
    Configure the Java Security Manager
A Java security manager offers JVM level security beyond what is provided by the application container. It enforces access rules at the JVM runtime based on one or more security policies.

This installer will place two security policies in the installation directory with the filenames 'security.policy' and 'kie.policy' regardless of choice. Those policies will be enabled at runtime if the option below is selected.

Please note that a security manager imposes a significant performance overhead when enabled. It is suggested the included policies be applied in production if user requirements call for a stronger measure than what is already provided by the application container's authentication and authorization mechanism.

Please see the JBoss Business Process Management Suite administrative documentation for further details and consideration.
  [ ] Enable the Java security manager
Input 1 to select, 0 to deselect:
  9. After the Java Security Manager choice, choose an option from the prompt below: 
    press 1 to continue, 2 to quit, 3 to redisplay.
  10. Specify whether or not you are using IPv6. 
    IPv6 configuration

If this computer is using a pure IPv6 configuration, please check the box below. A pure IPv6 setup requires additional configuration at runtime to ensure the proper bindings of the management and http interfaces.
  [ ] Enable pure IPv6 configuration
Input 1 to select, 0 to deselect:
    After selecting or deselecting IPv6 configuration, select one of the following options: 
    press 1 to continue, 2 to quit, 3 to redisplay.
  11. Configure the runtime environment by either choosing the default configuration or advanced options. 
    Configure runtime environment
Red Hat JBoss Business Process Management Suite can be further customized at this time.
0  [x] Perform default configuration
1  [ ] Perform advanced configuration
    If you select 1, "Perform advanced configuration," complete the following configurations: 
    •   [ ] Install password vault
Input 1 to select, 0 to deselect:

    •   [ ] Enable SSL security
Input 1 to select, 0 to deselect:

    •   [ ] Secure EAP Management Console with LDAP
Input 1 to select, 0 to deselect:

    •   [ ] Secure Business Central with LDAP
Input 1 to select, 0 to deselect:

    •   [ ] Add a security-domain
Input 1 to select, 0 to deselect:

    •   [ ] Generate JMS Client Keystores
Input 1 to select, 0 to deselect:
  12. Next, choose an option from the prompt below: 
    press 1 to continue, 2 to quit, 3 to redisplay.
  13. The .jar file will begin to upack and configure.
  14. After a successful installation, the command-line will ask you if you would like to generate an automatic installation script and properties file. 
    Installation has completed successfully.
Application installed on /home/user/BPMSuite-6.1.0/jboss-eap-6.4
Would you like to generate an automatic intallation script and properties file?
(y/n) [n]:
  15. If you select [ y ], provide a path for the automatic installation script: 
    Select path for the automatic installation script: [/home/user/BPMSuite-6.1.0/jboss-eap-6.4/<auto script filename>]
    This generated script will allow the user to run the installer in the following way for future installations: 
    java -jar jboss-bpmsuite-6.1.0.GA-installer.jar <auto script filename>

    Note

    Running the installer in this way will result in an installation identical to the installation from which the auto script was generated. Note that sensitive values, such as passwords, will need to be provided from an external file or provided at auto installation time. The optional argument below allows the user to provide these values automatically: 
    -variablefile <variable filename>
    Sensitive values can also be provided using the following argument: 
    -variables key1=value1,key2=value2
  16. The command-line will provide the following message upon a successful auto script creation and/or console installation: 
    XML written successfully.
[ Console installation done ]
[BPMS_Installer]$
  17. Start JBoss EAP by running standalone.sh in the jboss-eap-6.4/bin directory. 
    ./standalone.sh
  18. Navigate to http://localhost:8080/business-central in a web browser.
  19. Login with the correct username/password as given to the JBoss BPM Suite user in the "Create and confirm a password for the JBoss BPM Suite user" step.

2.1.4. Installing Red Hat JBoss BPM Suite in the Domain Mode

To install the deployable package for JBoss EAP in the domain mode, do the following steps:
  1. Download and extract the Red Hat JBoss BPM Suite 6.1.0 Deployable for EAP 6 ZIP file from Red Hat Customer Portal and copy the following directories into your local installation of EAP 6.4:
    • bin
    • domain
    Skip the standalone directory.
  2. On the command line, move to the /domain directory and start the domain:
    In a Unix environment, run: 
    ./domain.sh
    In a Windows environment, run: 
    ./domain.bat
  3. Deploy the archive either via ${jboss-eap-home}/bin/jboss-cli.sh / ${jboss-eap-home}/bin/jboss-cli.bat, or via management web UI (localhost:9990/):

    Note

    The web applications business-central.war and dashbuilder.war supplied in the EAP deployable binaries are directories, but for deployment into the domain, you have to use WAR archives. To create them, simply zip the content of the business-central.war and the dashbuilder.war directories.
    1. To deploy the archive via ${jboss-eap-home}/bin/jboss-cli.sh or ${jboss-eap-home}/bin/jboss-cli.bat, move into the ${jboss-eap-home}/bin directory and deploy the WAR file:
      In a Unix environment, run: 
      ./jboss-cli.sh
      In a Windows environment, run: 
      ./jboss-cli.bat
    2. To deploy the archive via management web UI (localhost:9990/):
      • log in using your EAP management account
      • select Domain -> Manage Deployments -> Content Repository -> Add
      • select the web archive from the file system, upload the web archive
      • select the deployment, click the Assign button
      • select the server group

Note

In order to log in to Business Central deployed on Host Controller (HC) machines, the user created on the Domain Controller Machine has to be created on the Host Controller machines as well, by following the steps in the Section 4.2, “Creating users” section.

Installing Multiple JBoss BPM Suite Server Instances

In many situations, users may want to group together a set of EAP 6 nodes on the same machine and give them a meaningful name for easy maintenance. Unique values need to be incorporated for the system properties for each server instance. Listed below are the common properties that can be specified with a single JBoss BPM Suite node to change the default configuration; however, they should be specified for multiple nodes running on a single machine so every node can point to a different directory:
  • org.uberfire.nio.git.dir
  • org.uberfire.metadata.index.dir
  • org.uberfire.nio.git.ssh.cert.dir
When multiple JBoss BPM Suite nodes are used on a single machine, the below properties need to be specified:
  • org.uberfire.nio.git.daemon.host - can be left on default to bind to localhost.
  • org.uberfire.nio.git.daemon.port
  • org.uberfire.nio.git.ssh.host - can be left on default to bind to localhost.
  • org.uberfire.nio.git.ssh.port

Note

Both the org.uberfire.nio.git.daemon.port and the org.uberfire.nio.git.ssh.port require different port values in order to avoid port conflicts.
Incorporate the previous properties in the $EAP_HOME/domain/configuration/host.xml file as illustrated in the two nodes below:
Node A: 
<system-properties>
    <property name="org.uberfire.nio.git.dir" value="/valid/path/.." boot-time="false"/>
    <property name="org.uberfire.metadata.index.dir" value="/valid/path/.." boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.cert.dir" value="/valid/path/.." boot-time="false"/>

    <property name="org.uberfire.nio.git.daemon.host" value="10.10.10.10" boot-time="false"/>
    <property name="org.uberfire.nio.git.daemon.port" value="9417" boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.host" value="10.10.10.10" boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.port" value="8002" boot-time="false"/>
</system-properties>
Node B: 
<system-properties>
    <property name="org.uberfire.nio.git.dir" value="/valid/path/.." boot-time="false"/>
    <property name="org.uberfire.metadata.index.dir" value="/valid/path/.." boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.cert.dir" value="/valid/path/.." boot-time="false"/>

    <property name="org.uberfire.nio.git.daemon.host" value="10.10.10.10" boot-time="false"/>
    <property name="org.uberfire.nio.git.daemon.port" value="9418" boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.host" value="10.10.10.10" boot-time="false"/>
    <property name="org.uberfire.nio.git.ssh.port" value="8003" boot-time="false"/>
</system-properties>
The system properties depicted above should indicate the host, port, or location of the .index or .niogit files. These files, which should be used by a respective node, would then be grouped in a particular domain.