iPlanet Process Manager 6.0 (SP2) Process Administrator’s and Business Manager’s Guide



Chapter 2   Overview of Cluster and Application Administration

This chapter contains information that is essential to IT administrators. The chapter introduces the concept of clusters, discusses the duties of the IT administrator, discusses the use of directory servers in Process Manager, and discusses security issues.

It has the following sections:

About Clusters

Process Manager is an application that runs on iPlanet Application Server. Process Manager uses the application server to run the HTML-based Process Administrator, Process Business Manager, and Process Express.

Process Manager associates a configuration directory, a corporate user directory, a relational database, one or more iPlanet Web Servers and one or more iPlanet Application Servers into a cluster.

As the administrator, you can perform these iPlanet Application Server-related tasks:

  • Join your local iPlanet Application Server to an existing cluster.


  • Remove your local iPlanet Application Server from a cluster.


Each cluster must have at least one application server, but there can be more than one if several networked systems use the same cluster. All applications are replicated to all iPlanet Application Server machines in a cluster.

Process Manager Applications

All Process Manager applications run as applications on each iPlanet Application Server machine in a cluster. Deployed applications are deployed to all application servers in a cluster, so if one server is unavailable, the application continues to run on the other machines in a cluster.

When a specific iPlanet Application Server machine shuts down, all the applications on that server also shut down. When the server comes back up, it automatically restarts all its applications.

Overview of Process Administrator Tasks

The information technology administrator has these primary types of tasks:

  • installing and configuring the software

    The first task is to install the Process Manager components and make sure they are configured correctly for your environment. See the Installation Guide for details.

  • creating a cluster

    The next step is to create a cluster so that Process Builder can deploy applications that can be used across the enterprise. To create a cluster you use the Process Administrator interface, as discussed in Chapter 4 "Managing Clusters."

  • managing clusters and applications

    You can continue to manage and update the cluster as needed. For example, you may need to switch to a different corporate user directory or you may want to add other iPlanet Application Servers to the cluster.

    You can also manage deployed applications. For example, you may need to shut down a test application, as discussed in Chapter 5 "Managing Applications."

Accessing Process Administrator

Process Administrator is a web-based interface for creating and managing clusters and deployed applications. You access Process Administrator's interface in a web browser through its home page at

http://yourServer/Administrator.apm

Process Administrator uses a tabbed HTML-based interface that provides access to management functions in these areas:

  • Cluster management

    The Cluster Management tab displays different sets of forms depending on the situation: one set is for use in creating or joining a cluster and the other set is for managing existing clusters. For details, see Chapter 4 "Managing Clusters."

  • Applications

    Process Administrator provides several management forms for applications. You can change the state of an application, check its logs, and archive and delete its data. For details, see Chapter 5 "Managing Applications."

Directories in Process Manager

Process Manager uses directories for two purposes:

  • to store Process Manager configuration information, such as process definitions


  • to provide a list of the users and groups within a corporation who can be assigned to activities


The Configuration Directory

The configuration directory must be Netscape Directory Server 4.0, which is included in the build for Process Manager 6.0. This directory stores Process Manager configuration information, including the application definitions for all deployed applications. The directory can also be used as a central repository for applications that are still being designed but are not yet deployed. The cluster creation procedure extends this directory's schema to include the attributes and object classes required for Process Manager.

Once you define a cluster to use a particular configuration directory, you cannot switch to use another Directory Server in the cluster for your configuration information. (You can, however, create a new cluster that uses a different configuration directory.)

The Corporate User Directory

The corporate user directory must be Netscape Directory Server 4.0, which is included in the build for Process Manager 6.0. This directory contains the set of corporate users who can be the assignee for a work item.

When you install Process Manager using all the defaults, you install a single Directory Server that you use for both types of information: users and configuration. This works well for using the sample applications and for initial testing of new applications where you can create a sample set of corporate users that you can test reliably.

Changing Your User Directory

To test applications in an environment that simulates your production environment or to move an application into production, you need to be able to access the actual users in your corporation. To do this, you need to change several default values to point to your company's corporate Directory Server, including the following:

  • the directory that Process Manager uses for authenticating users and groups


  • the access control rules (ACLs) for Process Manager-specific configuration styles


  • your cluster's corporate directory


  • make sure your sample applications have valid users





Note

All Application Servers in a cluster must use the same information for all these settings.



To change the user directory, perform the following task:

Change the Directory for Authentication

Process Manager 6.0 does not perform web server-based authentication. The authentication is done from the Application Server. The Application Server has a notion of a corporate directory which is used to store users, groups and roles. The Application Server authenticates users against this particular corporate directory.

Process Manager 6.0 leverages the same corporate directory to authenticate users. For information about changing the directory for authentication, please refer to the Application Server documentation.

Using a New Directory Server

There are two ways to make your applications use the new Directory Server:

Make an Existing Cluster Point to a New Corporate Directory

If you are making an existing cluster point at the new directory, perform the following steps:

  1. In Process Administrator, use the Change Cluster Information page to update the cluster with the new corporate user directory URL. See "Changing Cluster Information" in Chapter 4 "Managing Clusters" for instructions.


  2. Make sure you have access to the right directory from Process Builder. There are two ways of doing this:


    • If you have a cluster available during the design phase, you don't need to include the new corporate user directory's URL in the preferences.ini file. Instead, make sure your application uses the cluster's corporate directory. To do this, open the application's main properties inspector and set the Corporate Directory to be based on the cluster.


    • If you are designing an application without access to a cluster during the design phase, you need to add the new LDAP URL to the preferences.ini file. In this case, make sure your application uses a specific corporate directory. To do this, open the application's main properties inspector and pick the Corporate Directory you want to use. Note that if you deploy to a cluster that uses the same directory, the assignments work as designed.


Create a New Cluster

To create a new cluster, follow these steps:

  1. In Process Administrator, create a new cluster using the new directory. For more information, see "Creating a Cluster" in Chapter 4 "Managing Clusters."


  2. In Process Builder, redeploy your existing applications to the new cluster.


Making Applications Work with a New Corporate Directory

If the users and groups you use in your existing Process Manager applications also exist as valid users and groups in the new corporate directory, your applications will work as is.

However, if your applications have groups and roles whose members do not exist in the new corporate directory, you have a choice of two ways to make the applications work with the new corporate user directory:

  • Change the groups and roles to include members in the new corporate directory.


  • Add the required users to the new directory.


If the original users and groups are not valid any more, you must change them so that they can be found in the new Directory Server and then redeploy the applications.

Changing Members of Groups and Roles

To change the members of groups or roles, follow these steps:

  1. In the Process Builder, select a group or role in the application tree.


  2. Open its properties inspector.


  3. Update the members in the group or role.


To add users or groups to the new directory, follow these steps:

  1. Launch Netscape Console.


  2. On the authentication dialog box, enter this information:


    • administrative user name


    • administrative password


    • administration URL for the new directory server's Administration Server, including the port number


  3. Click the User and Groups tab.


  4. Pick New User or New Group from the drop-down list in the lower right corner and click Create.


  5. Enter the new user or group information and click OK when done.


Directory Server Terms and Attributes

Because much of Process Manager is dependent on Directory Servers, this section is included to help clarify some of the most relevant concepts and terminology.

Whether you are accessing the corporate user directory for your set of users or defining a cluster in the configuration directory, you need to understand how to identify the directory and the specific cluster entry within the server.

There are some standard LDAP terms and attributes that you may need to understand before you can create Directory Server entries. This section briefly describes them for your convenience. For detailed information, see the Directory Server manuals, which you can access by clicking on any help button in a Directory Server product.

LDAP Terms

In general, Netscape Directory Servers use standard LDAP terminology, but different administrative forms may use slightly different sets of equivalent terms. Common terminology you may encounter as you install and use the Directory Server includes the following:

Distinguished Name (DN).

A series of comma-delimited attributes that uniquely identify the directory entry location within the directory tree. This could be a person, a group, an organization, or any other object for which you want to maintain information in a directory. In the case of Process Manager, information about a cluster is maintained in a directory.

Base DN.

The entry at which to start directory searches, sometimes referred to as the search base. This base is often the root entry, that is, the search starts at the top of the directory tree.

Bind DN.

The DN used to access the directory. Directory Server authentication is referred to as binding to the directory. The DN you use as the Bind DN determines the level of directory access permitted. This is often the root DN, which has complete access to the directory, and so the Bind DN is sometimes referred to as the unrestricted user. The default Bind DN for Netscape Directory Servers is cn=Directory Manager.

Directory Suffix.

A distinguished name (DN) suffix for your local directory. All incoming LDAP queries must contain this suffix, which is equivalent to the root entry of your Directory Server structure. This provides the highest level of identification for a specific directory. For example, o=airius.com. Everything contained within a directory is underneath this entry. If you know the directory suffix or root entry for a directory, you know which directory it is.

Root Entry.

The first entry in a directory tree, that is, the top of the tree. This is often, but not always, the Base DN. The root entry corresponds to the directory suffix. If you know the root entry or directory suffix for a directory, you know which directory it is.

LDAP Attributes

When you identify a directory's location in a Directory Server's tree, such as when you define a cluster within the configuration directory, you typically need to use only a small set of LDAP attributes. These include the following:

  • c (country)


  • o (organization)


  • ou (organizational unit)


  • cn (common name)


  • uid (user ID)


The common name entry of cn=Directory Manager is the default administrative user identifier for Directory Servers. It is set when you perform a default installation of the Directory Server.




Note

You cannot use commas within an attribute value, only as delimiters between attributes.



Figure 2-1    A sample corporate user directory structure

Directory Structure

The Directory Server uses a tree structure to define different sets of data. In a simple case, such as identifying a cluster, you could have a structure like this:

  • o=airius.com (tree root level)


  • cn=My Cluster (specific cluster branch)


If you had another cluster in the tree, you could have these values:

  • o=airius.com (the same tree root level)


  • cn=Your Cluster (a different branch of the Directory Server tree)


Together these two values uniquely identify the location of the cluster's directory entry in the Directory Server and are referred to as the cluster's distinguished name, or DN. When you want to uniquely identify the cluster, you need to include the entire DN, with attributes separated by commas and listed in order from most specific to highest level. For example, for a cluster, you could use this DN:

cn=My Cluster, o=airius.com

Figure 2-2    A sample directory containing a cluster

LDAP URLs

You use these attributes to identify the corporate user directory and your cluster entry to the Process Builder in the preferences.ini file after creating a cluster. This file requires you to use a specific LDAP URL format when you enter this information.

The Corporate Directory URL

If you do not require user authentication, as is typical for the corporate user directory, use this format:

ldap://yourDirServer:port/Base DN

For example:

ldap://netscape.mcom.com:389/o=mcom.com

The Cluster URL

If you require user authentication, as you do for the cluster entry, use this format:

ldap://Bind DN:Bind Password@yourDirServer:port/cluster DN

For example:

ldap://cn=Directory Manager:netscape@netscape.airius.com:389/cn=HR Cluster, o=mcom.com
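
The cluster URL form above carries the Bind DN and its password inside the URL that is stored in preferences.ini. The following Python code is an added example, not part of the original guide or of Process Manager: it parses both URL forms shown in this section, reports when a URL embeds a password or binds as cn=Directory Manager, and rebuilds the URL with the password masked. The names PMLdapUrl, split_dn, parse, audit and redact are hypothetical, and it assumes the password contains no "/" and the Bind DN contains no ":".

```python
from dataclasses import dataclass

ROOT_BIND_DN = "cn=directory manager"  # default Bind DN named on the page

@dataclass
class PMLdapUrl:  # hypothetical name, not a Process Manager type
    bind_dn: str   # empty in the unauthenticated corporate-directory form
    password: str
    host: str
    port: int
    dn: str        # Base DN or cluster DN

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; commas only delimit attributes."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr and value):
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.lower(), value))
    return pairs

def parse(url):
    """Parse ldap://[Bind DN:Bind Password@]host:port/DN."""
    scheme, sep, rest = url.partition("://")
    if scheme.lower() != "ldap" or not sep:
        raise ValueError("expected an ldap:// URL")
    authority, _, dn = rest.partition("/")          # assumes no '/' in the password
    userinfo, _, hostport = authority.rpartition("@")
    bind_dn, _, password = userinfo.partition(":")  # assumes no ':' in the Bind DN
    host, _, port = hostport.partition(":")
    split_dn(dn)                                    # rejects a malformed target DN
    return PMLdapUrl(bind_dn, password, host, int(port or 389), dn)

def audit(url):
    """Return finding codes for credentials embedded in the URL."""
    u, findings = parse(url), []
    if u.password:
        findings.append("cleartext-bind-password")
    if " ".join(u.bind_dn.lower().split()) == ROOT_BIND_DN:
        findings.append("binds-as-directory-manager")
    return findings

def redact(url):
    """Rebuild the URL with the password masked, for logs and tickets."""
    u = parse(url)
    cred = f"{u.bind_dn}:********@" if u.bind_dn else ""
    return f"ldap://{cred}{u.host}:{u.port}/{u.dn}"
```

Run against the two example URLs in this section, audit returns both findings for the cluster URL and none for the corporate directory URL.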

Security in Process Manager

Process Manager supports additional security features such as using SSL-enabled iPlanet Web Servers to provide secure content and access. Process Manager also allows designers to build applications that use certificates and digital signatures as part of their processing.

If you want to enable SSL on your web server, read Chapter 5, "Working with Server Security," in the online iPlanet Web Server Administrator's Guide. You can access the iPlanet Web Server help system by clicking any Help button in the web server administration interface.

If you want to include digital signatures in a form, read the information about how to design with them in Chapter 6, "Defining Data Fields," in the Builder's Guide. Digital signatures are stored in a special database table, wf_blobs, so the administrator can query the database as needed to verify a signature. Also see Storing Digital Signatures for more information.

For further information about security in general and about how to use the security features available in iPlanet products, see the Security Documentation page on the iPlanet web site at

http://docs.iplanet.com/docs/manuals/security.html



Copyright © 2001 Sun Microsystems, Inc.
Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated March 13, 2001