Monday, May 24, 2010

LDAP Configuration

Overview
The iProcess Engine allows you to manage iProcess user, group, role and attribute data via any LDAP 3.3-compliant directory service, such as X.500, Microsoft Active Directory, Open LDAP or Oracle Internet Directory.

LDAP offers a solution to the problem of managing this user data by providing:
A distributed, global directory.
Fast, efficient, client/server-based access to the directory.
Integrated user validation.


How does iProcess work with LDAP?
iProcess user data (that is, user, group, role and attribute data) is maintained as part of the LDAP directory.

For each LDAP directory entry that represents an iProcess user, LDAP directory attributes are mapped to corresponding iProcess properties.

The iProcess Engine can use these entries in the LDAP directory as possible iProcess users, rather than creating operating system accounts for each registered iProcess user. This information is kept as part of the iProcess database.

In my opinion, LDAP cannot keep all the information about the users in it. So please check this before proceeding with LDAP in the iProcess Engine.

LDAPCONF Utility Menu
LDAPCONF is a utility which allows you to manage the connection between the LDAP server and the iProcess Engine.

LDAPCONF Menu

========================================
TIBCO iProcess LDAP Connection Administration Utility
Copyright (c) 2001-2008, TIBCO Software Inc.
========================================
[1] Set Connection Information
[2] Set Search Parameters
[3] Set Attribute Mappings
[4] Group Membership in MEMBER LIST format
[5] View Connection Information
[6] Test Connection
[7] Return to LDAP DIT
[8] Save
[9] Synchronise
[10] Enable Attribute Value Translation from UTF-8
[11] Quit

Please enter your selection:

[1] Setting the Connection between LDAP Server and iProcess Engine
This option will prompt for the following details for the connection.

LDAP Server Host Name: the host name of the machine where the LDAP directory resides.
Port Number: the port number on the LDAP host to connect to.
Distinguished Name: the DN of the entry to bind as.

[2] Defining the Search Criteria
This option will prompt for the following details.

Distinguished Name: the DN of the LDAP directory entry from which to start searching for iProcess data.
Search filter (cn=*): enter the filter criteria to be used to widen or refine the search. By default the search will find any entries that have a cn attribute.

[3] Attribute Mapping
This option will prompt for the following details.

User Name (sn): enter the name of the LDAP directory attribute that maps to the iProcess user name.
Groupname (groupname): enter the name of the LDAP directory attribute that maps to the iProcess group name.
RoleName (rolename): enter the name of the LDAP directory attribute that maps to the iProcess role name.
Description (description): enter the name of the LDAP directory attribute that maps to the iProcess DESCRIPTION attribute.
Language (language): enter the name of the LDAP directory attribute that maps to the iProcess LANGUAGE attribute.
Menu Name (menuname): enter the name of the LDAP directory attribute that maps to the iProcess MENUNAME attribute.
Sortmail (sortmail): enter the name of the LDAP directory attribute that maps to the iProcess SORTMAIL attribute.
iProcess Group User (groupusers): enter the name of the LDAP directory attribute that contains the members of a group.
iProcess Role User (roleuser): enter the name of the LDAP directory attribute that contains the name of the iProcess user who is assigned to a role.
Qsupervisors (qsupervisors): enter the name of the LDAP directory attribute that maps to the iProcess QSUPERVISORS attribute.
Userflags (userflags): enter the name of the LDAP directory attribute that maps to the iProcess USERFLAGS attribute.

[4] Group Membership in MEMBER LIST format
This option will prompt for the following details.

Member List: define whether LDAPCONF should read the value of an LDAP directory attribute as a list of iProcess user names, or as a list of LDAP Distinguished Names (DN).

Adding a Group to the LDAP Directory
To add an iProcess group to the LDAP directory, create or modify a directory entry as follows:
1. Assign the value GROUP to the attribute.
2. Assign a name for this iProcess group to the attribute.
3. Specify the group’s membership, using the attribute.
4. Define any other mappings for iProcess properties or application-specific data that you require.

Defining Group Membership
You can use the attribute to define iProcess group membership in a number of ways:
An entry can contain one or more values. If multiple values are used, LDAPCONF includes the user names from each entry in the group.
All attribute values must be specified either:
as iProcess user names,
or
as LDAP Distinguished Names (DN) that reference other entries in the LDAP directory, which in turn contain iProcess user names.

You must configure LDAPCONF to read attribute values either as iProcess user names (MEMBER LIST format) or as LDAP DNs (LDAP DN format); the Member List setting of this option controls which format is used. You cannot combine both methods.
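The attribute mapping of option [3] and the MEMBER LIST / LDAP DN distinction of option [4], worked through in Python as an added example (not iProcess code and not from this page). The directory entries, their values and the attribute assumed to carry the GROUP marker are constructed for illustration.

```python
# Added example, not iProcess code: applies the LDAPCONF attribute mappings
# (option [3]) and the group-membership format (option [4]) to constructed
# directory entries. Entry values and the GROUP marker attribute are assumptions.

# iProcess property -> LDAP attribute, as in the "View Connection Information" output
MAPPINGS = {"username": "sn", "groupname": "groupname", "description": "description",
            "language": "language", "groupusers": "groupusers"}
GROUP_MARKER = "userflags"  # assumed attribute that carries the value GROUP (step 1 above)

# Constructed entries keyed by DN; the 'ops' group mixes a user name with a DN.
DIRECTORY = {
    "cn=alice,o=aco,c=gb": {"sn": ["alice"], "description": ["Analyst"], "language": ["en"]},
    "cn=bob,o=aco,c=gb": {"sn": ["bob"], "description": ["Manager"]},
    "cn=finance,o=aco,c=gb": {GROUP_MARKER: ["GROUP"], "groupname": ["finance"],
                              "groupusers": ["cn=alice,o=aco,c=gb", "cn=bob,o=aco,c=gb"]},
    "cn=ops,o=aco,c=gb": {GROUP_MARKER: ["GROUP"], "groupname": ["ops"],
                          "groupusers": ["alice", "cn=bob,o=aco,c=gb"]},
}

def resolve_members(values, grp_format, directory=DIRECTORY):
    """Turn raw groupusers values into iProcess user names.

    grp_format is 'MEMBER LIST' (values are user names) or 'LDAP DN' (values are
    DNs of entries whose mapped username attribute supplies the name). A value in
    the wrong shape for the configured format is rejected: the two forms cannot be
    combined in one configuration.
    """
    users = []
    for value in values:
        is_dn = "=" in value  # user names carry no '='; every DN does
        if grp_format == "MEMBER LIST":
            if is_dn:
                raise ValueError(f"DN {value!r} inside a MEMBER LIST group")
            users.append(value)
        elif grp_format == "LDAP DN":
            if not is_dn:
                raise ValueError(f"bare user name {value!r} inside an LDAP DN group")
            target = directory.get(value)
            if target is None:
                raise LookupError(f"referenced entry {value!r} does not exist")
            users.extend(target.get(MAPPINGS["username"], []))
        else:
            raise ValueError(f"unknown GRP USERS FORMAT {grp_format!r}")
    return users

def map_entry(entry, grp_format):
    """Map one directory entry to an iProcess user or group record."""
    if entry.get(GROUP_MARKER) == ["GROUP"]:
        members = resolve_members(entry.get(MAPPINGS["groupusers"], []), grp_format)
        return {"type": "group", "groupname": entry[MAPPINGS["groupname"]][0], "members": members}
    record = {"type": "user"}
    for prop in ("username", "description", "language"):
        values = entry.get(MAPPINGS[prop])
        if values:  # an absent attribute simply leaves the iProcess property unset
            record[prop] = values[0]
    return record
```

Running map_entry over the 'ops' entry in either format raises, which is the mixed-format situation the text says LDAPCONF does not allow.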

[5] View Connection information
To view current connection information, search parameters and attribute mappings.

The result is shown as follows:

DIT = iProcess
GRP USERS FORMAT = LDAP DN
CONNECTION :-
hostname = node1
portno = 329
credentials = cn=admin,o=aco,c=gb
password = *******
SEARCH :-
base = o=aco,c=gb
filter = cn=*
ATTRIBUTE MAPPINGS :-
username = sn
Groupname = groupname
Rolename = rolename
description = description
language = language
menuname = menuname
sortmail = sortmail
groupusers = groupusers
roleuser = roleuser
Qsupervisors = qsupervisors
Userflags = userflags
extra [1] = email
extra [2] = telephone



[6] Test Connection
The iProcess Engine tests the connection and displays whether the connection attempt succeeded or failed. For example:

Testing connection...
Connect successful.

If the attempt fails, information about the possible cause of the failure is shown. For example, the following error indicates a problem with the DN entry used to authenticate the connection. You should check the validity of the supplied name (and password).

Testing connection...
SW_LDAP_connect() failed : Error whilst binding to connection (-1230)
Press [ENTER] to continue...

If the connection attempt succeeds, the following prompt is displayed:

Do you wish to download user information from LDAP (Y/N):
— If you enter N, the LDAPCONF menu is re-displayed.
— If you enter Y, LDAPCONF searches the LDAP directory using the current search root and filter criteria and displays the number of matching entries found.

Example :
Number of entries found : 10

You are then prompted whether to output the results of the search:

a. in iProcess format (S) or LDAP directory format (L).

iProcess Mapping/LDAP (S/L): s

b. to the screen (S) or to a text file (F).

Output to File or Screen (F/S): s

The search results are displayed or written to the requested file.

[7] Return to LDAP DIT
Configure the iProcess Engine to obtain its user data either from its own database or from the LDAP directory.

If you select this option:

The iProcess Engine will obtain its user information from its own database. All user information downloaded from the LDAP directory is retained.
You can create, modify and delete user information using SWDIR\bin\swutil or the TIBCO iProcess Administrator.
You can still use iProcess Engine’s integral LDAP User Validation feature.

The LDAP_DIT Flag

Selecting the Return to LDAP DIT option from the LDAPCONF menu toggles the value of the LDAP_DIT configuration flag in the SWDIR\etc\staffcfg file. This flag determines whether or not iProcess uses the LDAP directory to obtain its user information.

If LDAP_DIT is set to:
1, the LDAP directory is used.
0, the LDAP directory is not used. (This is the default option).

[8] Save
Save the current connection information, search parameters, attribute mappings and LDAP_DIT flag setting to the iProcess database.

[9] Synchronize
Synchronize the iProcess Engine’s user data with the contents of the LDAP directory.

If you have not already saved the user data, you are prompted to save any configuration changes you have made.

The following prompt is then displayed:

Perform Full or Partial Synchronization or Quit (F/P/Q):

F to perform a full synchronization. This downloads all entries from the LDAP directory which are found by the current search criteria.
P to perform a partial synchronization. This downloads only those entries which are found by the current search criteria and which have changed since the last synchronization was performed. (Every entry in the LDAP directory is timestamped with both its creation and modification time.)
Q to return to the LDAPCONF menu without downloading any user data from the LDAP directory.
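The Full/Partial choice above, modelled in Python as an added example that is not part of the iProcess product or this page. The entries, their createTimestamp/modifyTimestamp values and the simple filter forms (cn=*, cn=s*, cn=value) are constructed assumptions.

```python
# Added example, not iProcess code: models the Full/Partial choice in the
# Synchronise option over constructed entries carrying LDAP-style
# createTimestamp/modifyTimestamp values (format and values are assumptions).
from datetime import datetime, timezone

def ldap_time(value):
    """Parse an LDAP generalized-time string such as 20100523120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def matches_filter(entry, search_filter):
    """Evaluate the simple filters used on this page: attr=*, attr=prefix*, attr=value."""
    attr, _, pattern = search_filter.strip("()").partition("=")
    values = entry.get(attr, [])
    if pattern == "*":
        return bool(values)
    if pattern.endswith("*"):
        return any(v.startswith(pattern[:-1]) for v in values)
    return pattern in values

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def select_entries(directory, base, search_filter, mode, last_sync=None):
    """Return the DNs a synchronisation run would download.

    mode 'F' downloads every matching entry; mode 'P' downloads only matching
    entries modified after last_sync. Because the selection is driven by the
    entries present in the directory, a partial run in this model never sees an
    entry that was deleted since the previous synchronisation.
    """
    if mode == "P" and last_sync is None:
        raise ValueError("partial synchronisation needs the time of the last run")
    if mode not in ("F", "P"):
        raise ValueError(f"unknown mode {mode!r}; expected F or P")
    chosen = []
    for dn, entry in directory.items():
        if not in_subtree(dn, base) or not matches_filter(entry, search_filter):
            continue
        if mode == "P" and ldap_time(entry["modifyTimestamp"][0]) <= last_sync:
            continue
        chosen.append(dn)
    return chosen

# Constructed directory: 'sam' was created and 'sue' modified after the last run on 2010-05-23.
DIRECTORY = {
    "cn=sam,o=aco,c=gb": {"cn": ["sam"], "createTimestamp": ["20100524090000Z"],
                          "modifyTimestamp": ["20100524090000Z"]},
    "cn=sue,o=aco,c=gb": {"cn": ["sue"], "createTimestamp": ["20100101000000Z"],
                          "modifyTimestamp": ["20100524100000Z"]},
    "cn=sid,o=aco,c=gb": {"cn": ["sid"], "createTimestamp": ["20100101000000Z"],
                          "modifyTimestamp": ["20100101000000Z"]},
    "cn=tom,o=aco,c=gb": {"cn": ["tom"], "createTimestamp": ["20100524110000Z"],
                          "modifyTimestamp": ["20100524110000Z"]},
    "cn=sally,o=other,c=gb": {"cn": ["sally"], "createTimestamp": ["20100524120000Z"],
                              "modifyTimestamp": ["20100524120000Z"]},
}
LAST_SYNC = ldap_time("20100523120000Z")
```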


[10] Enable/Disable Attribute Value Translation from UTF-8
This option is intended for use with LDAP servers that store directory information internally in UTF-8 format.

This ensures that any attribute information that uses characters from multi-byte character sets (such as Chinese, Japanese, Russian and Korean) is downloaded correctly to the iProcess Engine. If you subsequently need to reconfigure the iProcess Engine not to translate downloaded attribute values from UTF-8, you can do so by selecting the same option again from the LDAPCONF menu.

[11] Quit
Quit from the LDAPConf Menu.

LDAPCONF Utility Commands
CONNECT
To set up the connection between the LDAP server and iProcess Engine we can run the following command:

$SWDIR/util/ldapconf CONNECT [-h hostname] [-port number] [-dn name] [-pwd password]

Where:
Hostname is the name of the machine where the LDAP server resides.
Number is the TCP port number to connect to on hostname. This must be a valid numeric value greater than 1. The default value is 389, used for all LDAP servers.
Name is a distinguished name (DN) entry that will be used to authenticate the connection to the LDAP server.
Password is the password associated with name.

SEARCH
To set up the search base and filter criteria to use when searching the LDAP directory for entries to download to the iProcess Engine.

$SWDIR/util/ldapconf SEARCH [-dn name] [-s filter]

Where:
Name is a distinguished name (DN) entry which defines the starting point for the search in the LDAP directory.
Filter is the filter criteria to be used to refine or widen the search.

Example: $SWDIR/util/ldapconf SEARCH -dn "o=aco,c=gb" -s "cn=s*"

MOVESYSINFO
Performs a partial or full synchronization of the iProcess user directory with the LDAP directory.

$SWDIR/util/ldapconf MOVESYSINFO -full|partial

Where:
Full requests the iProcess Engine to do a MoveSysInfo to perform a full synchronization with the LDAP directory.
Partial requests the iProcess Engine to do a MoveSysInfo to perform a partial synchronization with the LDAP directory.

TEST
Tests the current connection with the current search settings and attribute mappings.

$SWDIR/util/ldapconf TEST [-f filename] [-s|l]

Where:
Filename is the name of the file to send the output of the command to. If omitted, information is output to the screen.
-s indicates that user, group, role and attribute information should be downloaded from the LDAP directory and displayed in iProcess format; -l indicates that it should be downloaded and displayed in LDAP format.


Configuring iProcess to use LDAP
You can switch the iProcess Engine over to use the LDAP integral user validation API by using the following swadm command:

$SWDIR\util\swadm set_attribute 0 ALL 0 LDAP_UV 1

You can turn this feature off by deleting the attribute, or setting its value to 0.


Specifying How iProcess Validates Users
Lines 15 and 16 of the SWDIR\etc\staffpms file define whether and how iProcess uses the integral User Validation API provided with the LDAPCONF utility.

Specifying an External User Validation Package
Line 15 defines whether the iProcess Suite validates users against O/S user accounts (the default), or against an external validation package developed using the TIBCO iProcess User Validation API.

This line is optional. If you are using the default method of validating users against O/S accounts, line 15 should be blank.

If you want to validate users against an external validation package, line 15 must contain the full pathname of the user validation package (a DLL file on Windows, a shared library on UNIX).
Note that:
The pathname must contain a leading drive letter and UNIX style separators (/).
Variables such as $SWDIR are not supported in this parameter.

The following example (for an iProcess Engine for Windows) specifies that user validation will be performed against the swuvamod.dll file in the d:/iProcess/staff200/lib directory.

d:/iProcess/staff200/lib/swuvamod.dll

The following example specifies that user validation will be performed against the UVAPI.dll file in the C:/Tibco/iprocess_nod1/util directory; and that the proxy users are supplied by swadmin.

C:/Tibco/iprocess_nod1/util/UVAPI.dll\N\swadmin\\\

Setting up the Proxy User
If you are using iProcess Engine on a UNIX or Linux system, and you use UNIXRUN or UNIXEXEC script commands, you can define a proxy operating system user to perform the commands. If this value is missing, no proxy OS user is defined and the iProcess Engine service user will be used.

A configurable proxy OS user is provided in line 16 of the file $SWDIR/etc/staffpms. This line is optional. If you are not using the LDAP integral user validation API, line 16 should be blank.

Email Configuration

Login as iProcess Background User

Go to $SWDIR/libs

Edit the file "eai_mail.cfg"

SMTP Server=[Email SMTP server]
From=[EmailID]@[Domain].com e.g. Alerts@MyHost.com
Port=25
#Make sure that above Email ID is valid.
RetryMsgCount=5
Encoding=UTF-8

Save the above values in the file and comment out any parameters/values you do not need.

Now run the following command to register the email configuration:

$SWDIR/util/sweaireg REG EAI_MAIL -m [HostName] -l $SWDIR/libs/eai_mail_11_0_1.ear -i $SWDIR/libs/eai_mail.cfg -y

Wow!! Email Registration is done!!

Sunday, May 23, 2010

UVAPI

A different approach is to write a custom SPO/SSO based application to insert your users (don't forget to properly configure your server to do that).

UVAPI, as far as I know, is only a validation API, not provided with iPE. It's intended to provide a custom validation procedure to iPE instead of the OS or No Validation options.

You should set the DISABLE_USER_CHECK attribute - this disables the check and is quite useful.

The UVAPI is only if you want to implement a custom authorization (e.g. against a user base in your legacy system) and I would definitely not use it, as you have to implement a shared library in C (or C++) with a poor interface and no way to do this in Java (using JNI).


iProcess should have provided a rich API for authentication, or either a web service or something that can be hooked onto BW. Also, the need to create users on the iProcess side is an overhead. A configurable authentication method would have been good in this case.


There is also a standard validation against LDAP in the product - an "inbuilt" UVAPI for LDAP. So you can validate against external users without writing C code if you have access to LDAP. And in terms of user information (attributes, group memberships etc.) I think you can import that from LDAP too (as well as being able to import it via batch file or API).

So you neither have to create iPE users manually nor write your own validation code if you have LDAP and can get it configured accordingly.

The current LDAP implementation is far better than the one being implemented with 10.x, but in most cases not sufficient because

- a lot of customers don't have LDAP

- need Single Sign-On

and therefore a Java-based API would be fine, because we could then simply authenticate the iProcess users against our own system and provide SSO.

Performance Tuning

The TIBCO iProcess Engine server architecture has been designed to support large-scale enterprise systems.

In order to handle high volumes of work, the iPE server can be tuned for an application's specific needs.

Increasing BG Processes
By default the TIBCO iPE server has four background (BG) processes enabled. In some instances these are not enough to keep up with the number of instructions being processed by the iPE server. This issue can be addressed by adding additional background processes.

Increasing MBox Sets

If we increase the BG processes, it is a good idea to increase the number of MBoxes along with them. This lowers the chance of contention when the BG processes access the data from the queues. For example, we can add a BG process and an extra MBox and dedicate both to PURGE instructions. This additional BG then takes care of the PURGE instructions and does not interfere with the other BG(s) or MBox(es).

Increasing WIS
WIS processes handle the work queues in the iPE server. Normally a single WIS can handle the work from multiple queues. If the queue sizes are small, one WIS works well, but if the queue sizes are large (size refers to the number of work items in the queue) then a single WIS dealing with multiple queues is overloaded. I would say that queue size is the important factor in WIS performance. My suggestion is to add an extra WIS and dedicate it to a single queue that is very busy or very large. This helps to optimize performance for larger queues.

RPC Server Tuning
The TIBCO RPC listener process is capable of handling 20 concurrent client connections. Once the 21st user attempts to connect to the TIBCO server, another RPC listener process must be started, which means that user has to wait for the new RPC listener to start. To tune this, we need to change the following parameters in the staffcfg file:
MAX_USERS_PER_PROCESS
USER_LOAD_ALLOCATION
PRE_LOAD_POOL_SERVERS

Deadlines
Deadline processing is automatically improved when extra BGs and WISs are added. But we also need to modify the deadline process interval value for faster performance:
DMD_PROCESS_INTERVAL

WQS Performance Tuning
The WQS process uses an area of memory for caching, the wqsindex, which is removed and recreated from memory when the iProcess Engine is stopped and started. This index file can be seen in the /var/tmp/ directory (Linux). The client talks to WQS and WIS over TCP in order to obtain any information, so better performance for this process can be attained by increasing the WIS. We can also update the WQS performance tuning parameters in the staffcfg file:
WQS_UPDATE_PERIOD
WQS_ROUND_ROBIN

Functional Performance Tuning
On the functional side, for the iProcess development code there are a number of areas which can be modified. We need to reduce the use of custom audits, since we can already derive the audit trail. We should avoid building composite queues. And the main thing about search is that it should be done against the case data rather than by work queue filtering when searching across multiple queues.

Housekeeping Activities
For optimal performance we really need to perform regular housekeeping for iPE and its database:
- Purging old closed cases. I do not support the auto-purge option, so it should be proactively scheduled and done on a weekly/periodic basis.
- Database tuning should be performed regularly.
- Deleting old procedure versions. This helps SPO start quickly; normally SPO takes time to start because there are so many procedure versions to cache in memory.
- Cleaning the iProcess log files will improve troubleshooting.
