IBM BPM: Topology, Security, Basic Administration, and Monitoring

Introduction

The maintenance of a clustered server environment for IBM® Business Process Manager (BPM) that interacts with many back-end and front-end systems and services can be challenging task. Administrators can follow the IBM Business Process Manager Operation overview series to guide their daily operation work. This article helps administrators with topology, security, and basic administrative and monitoring operations.

Overview

IT departments strive to maintain a healthy production environment for their systems. To help you maintain a clustered server environment for IBM BPM that interacts with many back-end and front-end systems and services, this series provides an operation overview. Part 1 introduces the following basic operations for IBM BPM:

ü  Topology best practices

ü  Security configuration

ü  Administering applications and processes

ü  Monitoring.

A typical IBM BPM project contains the following administrative user roles:

Ø  The IBM BPM administrator, who completes the following tasks:

·        Provides all system aspects for successfully installing, configuring, and running day-to-day maintenance of IBM BPM systems.

·        Provides all system and software aspects for successfully deploying process application snapshots from Process Center to both online and offline Process Servers.

·        Provides all IBM BPM process operations, for example, accessing the Process Admin Console and the Process Inspector.

·        Looks after the health of processes and services that are running in IBM BPM.

Ø  The database administrator, who provides information about database setup and configuration and the organization's corporate policies for governance and change management for databases. The database administrator is also responsible for maintaining the ongoing optimal operation of the database by monitoring database performance and operation parameters (for example, table spaces and indexing).

Ø  The WebSphere Application Server administrator, who provides information about the setup and configuration of the application server middleware layer and the organization’s corporate policies for governance and change management for the application server. In some organizations, the IBM BPM administrator and the WebSphere administrator are the same person.

Ø  The system administrator, who provides information about hardware and network setup and configuration and the organization's corporate policies for governance and change management for hardware and networks.

This IBM BPM operation overview focuses on the basic operations tasks of the IBM BPM administrator.

IBM BPM Administrator Tasks

The IBM BPM administrator, who wants to maintain a healthy environment for IBM BPM systems needs to know topology best practices and basic operations for configuring security, administering applications and processes, and monitoring the IBM BPM system.

Topology Best Practices

A deployment environment is an IBM BPM term that describes the collection of clusters that IBMBPM requires.

IBM BPM offers the following three patterns for deployment environments:

v IBM BPM Standard (Process Center or Process Server): All capabilities of IBM BPM Standard (Process Server, Performance Data Warehouse, and embedded Enterprise Content Management)

v IBM BPM Advanced (Process Center or Process Server): All IBM BPM Standard capabilities plus advanced capabilities (includes service component architecture and Business Process Choreographer)

v IBM BPM Advanced with only Process Server: Only IBM BPM Advanced capabilities(includes service component architecture and Business Process Choreographer)

IBM BPM Express is a stand-alone environment that includes the same capabilities as IBM BPM Standard for getting started with IBM BPM, but it is not intended for a highly available production environment.

Below Figure shows examples of the three deployment environments for a Process Server.

For each of the three types of deployment environments, you have the following two choices for a cluster pattern (as shown in Figure below):

ü  Single Cluster

ü  Application, Remote Messaging, Remote Support (recommended)

A three-cluster pattern (Application, Remote Messaging, and Remote Support) is recommended for production. IBM BPM no longer offers the two-cluster or four-cluster patterns.

If you use three clusters, you can isolate your code on the application cluster and keep it separate from the messaging infrastructure cluster and from the supporting applications cluster, where much of the IBM BPM system infrastructure and support code runs. This approach can ease your operations and troubleshooting tasks. You get better runtime isolation and independent scaling with three clusters.

Figure 3 shows an illustration of the three-cluster pattern, with an application cluster, a remote messaging infrastructure cluster, and a remote supporting applications cluster. Figure 4 shows an example of the three-cluster pattern with the IBM BPM Standard Process Server deployment environment, Figure 5 shows an example of the three-cluster pattern with the IBM BPM Advanced Process Server deployment environment, and Figure 6 shows an example of the three-cluster pattern with the IBM BPM Advanced-only Process Server deployment environment.

The three-cluster pattern

IBM BPM Standard three-cluster pattern

IBM BPM Advanced three-cluster pattern

IBM BPM Advanced-only Process Server three-cluster pattern

Security Maintenance

Security is an important aspect for ongoing operation of the system and must be maintained regularly.

As part of your initial setup, complete the following steps:

1.      Review all IBM BPM security roles and the corresponding aliases and make sure that they are assigned to the correct security roles.

2.      Review your user registry configuration as documented in the IBM Business Process Manager Security overview topic in IBM Knowledge Center. For IBM BPM, the preferred user registry type is federated repositories (also referred to as Virtual Member Manager or VMM). Only this registry type allows you to use all features of IBM BPM and benefit from performance optimizations.

The following list includes regular security maintenance tasks:

·        Monitor IBM Fix Central for recommended security fixes, and install all of them in a timely manner. Subscribe to security bulletins as described in the IBM Smarter Process Security blog in IBM developer Works communities.

·        Review your security setup regularly, especially after any network-related infrastructure changes.

·        Track the expiration date for all your Secure Sockets Layer (SSL) certificates and make sure to renew them ahead of time. If necessary, alert your organization users about changes in certificates so they are not surprised by access denial when the certificates expired. See the Certificates need to be converted to use SHA256withRSA in WebSphere Application Server support document and the Renewing a certificate in SSL topic in IBM Knowledge Center.

·        Track the expiration date for all your administrative user IDs and passwords. As a good practice, use a “two users for one purpose” approach with interleaving expiration date so both users do not get locked out at the same time. For example, IBM BPM uses single user to connect to DB2. If you need to update its password without downtime, create two users in DB2 with identical permissions. In the authentication aliases, configure one of them. Just before its password expires, go into DB2, reset the password for the other user (so the user account has a fresh expiration time). Then, in IBM BPM, change the user for the authentication aliases from the first to the second.

·        For the IBM BPM system, schedule regular sync ups for users and groups with your user directory. See the Synchronizing users and groups topic in IBM Knowledge Center.

Administering applications and processes

After you install or deploy your applications to the runtime environment, you need to manage them. Management includes administering the process applications or service modules themselves and administering all the processes and components that are associated with them.

The tools that you use depend on the type of administration task that you are doing. The following administrative tools are available:

·        Commands (wsadmin scripting): Many regular administration tasks as available as wsadmin commands.

·        Process Admin Console: This console can be used to change your environment variables, monitor Event Manager, monitor caches, and monitor your Business Process Modeling Notation (BPMN)-based processes.

·        Process Inspector: The Process Inspector is part of the Process Admin Console and can be used to inspect the status of BPMN process instances.

·        Process Center console: The main Process Center console is used to check the current snapshot and deployment status of your applications for online Process Servers.

·        Performance Admin Console: Similar to the Process Admin Console, this console can be used to change the operation of Performance Data Warehouses.

·        WebSphere Application Server administrative console: Use this console for configuration that is related to security roles, database connections, and other WebSphere Application Server configuration.

·        Business Process Choreographer Explorer (in IBM BPM Advanced): Similar to the Process Inspector, the Business Process Choreographer Explorer is used to inspect the status of Business Process Execution Language (BPEL) process instances.

·        Failed event manager (in IBM BPM Advanced): Use this console to find and manage failed events for your IBM BPM Advanced applications on all servers in a deployment environment.

For details about administering applications and processes, see the Administering applications and processes in the runtime environment topic in IBM Knowledge Center.

Monitoring

In IBM BPM, you need to regularly monitor the following items, but to learn more about tools to use when you monitor and troubleshoot, in later articles of this series.

·        Check the JVM logs (SystemOut.log, SystemErr.log) and the first-failure data that is captured regularly for error messages.

·        Check the JVM memory usage and maximum heap settings, and adjust as necessary when your payload changes.

·        Monitor disk space such as logs directories, temp space, and the database file system to make sure that there is enough free space.

·        Monitor the number of completed process and task instances in the system. By having an active purging policy so you do not keep completed instances for an extended period, you ensure that the total number of completed instances is as low as possible and is not growing over time.

·        Use Java Management Extensions (JMX) or the Process Admin Console > Process Monitor capability to monitor the set of processes instances that are running and for how long.

ü  Check for looping business process definition (BPD) instances in Process Monitor if the CPU load is unusually high.

ü  For JMX, you can use utilities like JConsole or other JMX-compliant monitor tools (such as IBM Tivoli Monitoring), or you can access the data through programmatic means.

ü  Review and set up the system to check for infinite loops in JavaScript.

ü  In IBM BPM V8.5.6, it is possible to set up an alert definition to query for the number of process instances or tasks.

·        Monitor and act on failed BPD instances or instances with stopped activities for BPEL. All these instances might need manual interaction so that they complete.

·        Check the Event Manager on-hold tasks to replay any held Event Manager tasks.

·        Check the Event Manager Monitor for the execution state of schedulers.

·        Monitor queue depths of all destinations in the system integration buses of the environment. Assign thresholds based on results of usual behavior that is seen during a performance test and ensure that notifications are sent or actions are taken if those thresholds get exceeded.

·        For IBM BPM Advanced: Monitor the number of failed events in the system. Ensure that failed events are processed regularly so that the number is always 0 or very close to 0.

·        For IBM BPM Advanced: Monitor the state of WebSphere MQ listeners, if applicable. Ensure that they are started.

·        For IBM BPM Advanced: Monitor for event sequencing locks, if applicable. Ensure that locks get released, if not done automatically.

·        For IBM BPM Advanced: Check the Store and Forward status (also available in the failed event manager) and initiate the Forward option if applicable.

Consider the following tips for monitoring:

·        Use JMX or the Process Admin Console > Process Monitor function to monitor the set of processes instances that are running and for how long.(enhanced functions are available in V7.5.1.2, V8.0.1.2 and V8.5.5.0).

·        Verify the status of your environment with the IBM BPM Health Center as described in the Verifying the status of your environment by using the Health Center topic on IBM Knowledge Center.

·       Use IBM Tivoli Composite Application Manager Products, which provide ways to monitor the IBM BPM environment both on the WebSphere Application Server and on the IBM BPM level.

Conclusion

In this part of IBM BPM operation overview series, you learned about the following basic operations that are necessary for an IBM BPM administrator: topology best practices, security configuration, administering applications and processes, and monitoring.

I will be sharing the next parts in the series to learn about maintenance and migration tasks and about advanced operations and monitoring tasks.

Download

File Name	Size	Download
IBM BPM: Topology, Security, Basic Administration, and Monitoring.pdf	690KB	Download