7.2 Provisioning Configuration

The Provisioning Configuration actions allow you to configure the Delegation and Proxy Service, the Digital Signature Service, the provisioning user interface settings, and the Workflow Engine and clustering.

To access the Provisioning Configuration actions, you need to be a Configuration Administrator.

7.2.1 Configuring Delegation and Proxy Settings

Configuring the Delegation and Proxy Service

To configure the Delegation and Proxy Service:

  1. Select the RBPM Provisioning and Security tab.

  2. Select Delegation and Proxy from the left navigation menu.

    The user interface displays the Delegation and Proxy page. To configure the service, you need to make some changes in the Delegation and Proxy Service Settings box.

  3. Check the Allow All Requests option if you want to display the All option in the Resource Search Criteria drop-down list for the Team Delegate Assignments action. When the All option is available, a delegate assignment can be defined that applies to all resource categories.

  4. Define the retention period for delegate, proxy, and availability assignments:

    Field

    Description

    Retention time for Delegation assignments

    Specifies the number of minutes to retain delegate assignments in the directory after they have expired. The default is 0, which indicates that the assignments will be removed after the expiration time has been reached.

    Retention time for Proxy assignments

    Specifies the number of minutes to retain proxy assignments in the directory after they have expired. The default is 0, which indicates that the assignments will be removed after the expiration time has been reached.

    Retention time for Availability settings

    Specifies the number of minutes to retain availability settings in the directory after they have expired. The default is 0, which indicates that the assignments will be removed after the expiration time has been reached.

  5. Select the email templates you want to use for delegation, proxy, and availability notifications:

    Field

    Description

    Delegation notification template

    Specifies the language-independent name for the template to use for delegation email notifications. After the template name has been specified, the notification engine can determine which language-specific template to use at runtime.

    For details on creating and editing email templates, see Section 10.4, Working with Email Templates.

    Proxy notification template

    Specifies the language-independent name for the template to use for proxy email notifications. After the template name has been specified, the notification engine can determine which language-specific template to use at runtime.

    For details on creating and editing email templates, see Section 10.4, Working with Email Templates.

    Availability notification template

    Specifies the language-independent name for the template to use for availability email notifications. After the template name has been specified, the notification engine can determine which language-specific template to use at runtime.

    For details on creating and editing email templates, see Section 10.4, Working with Email Templates.

Scheduling Synchronization and Cleanup

To configure the Synchronization and Cleanup Service:

  1. Select the RBPM Provisioning and Security tab.

  2. In the Provisioning Configuration group of actions, select Delegation and Proxy from the left navigation menu.

    The user interface displays the Delegation and Proxy page. To schedule synchronization and cleanup, you need to make some changes in the Synchronization and Cleanup Service box.

  3. To specify how often you want to activate the synchronization service, type the activation interval (in minutes) in the Synchronization Service Activation Interval field. The default value is 0, which means that the service is not activated.

    When the synchronization service runs, any modifications (or deletions) made to delegate assignments are synchronized with the corresponding availability settings for the user.

  4. To specify how often you want to activate the cleanup service, select Cleanup Service Activation Interval, then type the activation interval (in minutes). Alternatively, select Cleanup Date and use the calendar tool to specify the date when you want to activate the service. The default value is 0, which means that the service is not activated.

    If no cleanup date is specified, the date is set to null. If no cleanup interval is specified, the interval is set to 0. When a cleanup date is specified, the interval is set to be 0. When an interval value other than 0 is specified, the date is set to null. If you check the cleanup interval option without putting in a number (the default is 0), the interface will show the original cleanup date after you submit the page, just as if you had not performed a submit.

    When the cleanup service runs, all obsolete proxy and delegate assignments are removed from the system.

If the cleanup service has been activated, the Last cleanup performed field indicates when the last cleanup was performed.

7.2.2 Configuring the Digital Signature Service

This section provides details on configuring the Digital Signature Service.

To configure the Digital Signature Service:

  1. Select the RBPM Provisioning and Security tab.

  2. Select Digital Signature Service from the left navigation menu.

    The user interface displays the Digital Signature Service panel.

  3. Perform these steps to configure the Digital Signature Service:

    1. Select the Enable Digital Signature Support check box.

      If this check box is not selected, users will see an error message when they try to access any provisioning resource that requires a digital signature.

      Before enabling digital signature support, make sure all of the required JARs are present. If any of the JARs are missing, you will see an error message when you select the check box. For details on which JARs are required for digital signatures, see Section 2.3, Digital Signature Configuration.

    2. Select the Use XML Signature check box if you want to use an XML Signature.

    3. Optionally select the Enable Signed Document Preview checkbox to allow users to preview signed documents.

    4. Select the Use Digital Signature as a Service checkbox to configure digital signatures with the Digital Signature Service.

      The service for digital signatures is very easy to configure and manage. Do not deselect this checkbox unless you are not ready to upgrade from an older digital signature implementation or you require the ability to read digital signature cards, because this support is not available with digital signature as a service.

      IMPORTANT: We strongly encourage you to use the digital signature as a service support, since it is the most reliable and easy-to-use configuration for managing digital signatures.

      When you select Use Digital Signature as a Service, the user interface automatically displays the name of the provider class for signature verification. You cannot edit the class name if you are using the digital signature service.

    5. (Not Required for Digital Signature as a Service) Type the name of the class for your digital signature service in the Class Name field.

    6. (Not Required for Digital Signature as a Service) Optionally specify an entity key in the Alternative Certificate Subject Virtual Entity Key field. The entity key maps to an entity defined in the data abstraction layer. The entity provides a calculated attribute that can be used instead of the LDAP common name to ensure that only authorized users can perform digital signing. In the Designer, you define the entity, giving the key any name you like. On the Digital Signature Service configuration panel, you specify the key for the entity you defined. The alternative subject is an optional feature that you can use to add an extra layer of protection.

    7. (Not Required for Digital Signature as a Service) Select JKS or PKCS as the Key Store Type for your configuration. The choice depends on how your application will store encrypted private keys locally. If you want to use the Java Key Store, then select JKS. If you would prefer to use a language-neutral approach, select PKCS.

    8. (Not Required for Digital Signature as a Service) Optionally select the Certificate Authorization check box to ensure that the authenticated user matches the user associated with the selected user certificate. When Certificate Authorization is enabled, the current user is not permitted to use a certificate on the smart card (or browser) that has been given to a different user.

    9. (Not Required for Digital Signature as a Service) Optionally select the Enable Revocation Check check box to cause the application to check the certificate revocation list (CRL) before using a certificate to be sure that it is still valid. A certificate might be revoked for several reasons. For example, the certificate authority might determine that a particular certificate was improperly issued. Alternatively, the certificate might be revoked if the private key for the certificate has been lost or stolen.

    10. (Not Required for Digital Signature as a Service) Optionally select the Enable OCSP Query check box to perform a query against an Online Certificate Status Protocol (OCSP) server before using a certificate. OCSP is an alternative to certificate revocation lists that addresses problems associated with using CRLs in a public key infrastructure (PKI). The OCSP access point for the server is specified in the User Application Configuration utility.

  4. To view the settings for a previously configured applet, select the applet from the Signature Applet dropdown list.

  5. Perform these steps to add a new signature applet configuration:

    1. Click Add.

      The user interface makes the fields in the Signature Applet panel editable.

    2. Provide a name for this applet configuration in the Display Name field.

    3. Specify the class ID for the applet in the Class ID field.

    4. Specify the entry of the JAR that contains the applet in the Archive Name field.

    5. Specify the <context root path> of the Web application that contains the applet archive for the Context Root. (If the context root points to a different application, always start it with a “/” character.)

    6. Specify the callback name in the Callback Name field.

    7. Specify the XML declaration string in the Declaration Template field.

    8. Specify the invocation string in the Invocation Template field.

    9. Specify the callback function in the Callback Function Template field.

    10. Select the browser type (for example, IE 6.0) in the Browser Type select list.

  6. Click Save to save your settings.

7.2.3 Configuring the Provisioning UI Display Settings

This section provides instructions on configuring various user interface settings. Some of the settings control system-wide behavior within the User Application. Others are specific to the Work Dashboard.

To access the Provisioning UI Display Settings:

  1. Select the Administration tab.

  2. Select the RBPM Provisioning and Security tab.

  3. Select Provisioning UI Display Settings from the left navigation menu.

    The user interface displays the Provisioning UI Display Settings page. To configure the display settings for the Work Dashboard, you can make changes in the Task Settings and Request Status Settings boxes, which appear after the General Display Settings.

After you change the settings, you must restart JBoss in order for the changes to take effect.

Configuring the General Display Settings

The Administration tab in the User Application provides several settings you can use to control how result sets are processed and displayed on pages within the application. To configure the settings for result sets and pagination:

  1. On the Provisioning UI Display Settings page, scroll down to the General Display Settings section of the page.

  2. Modify any of the following settings, and click Save.

    Setting

    Description

    Default number of results displayed per page

    Specifies the default number of rows to display in lists shown on the Roles and Resources tab.

    When a user initiates a query on any of the pages listed above, the User Application caches the data obtained by the query, and returns the number of rows specified for this setting to the browser. Each time the user requests to see the next page, another set of rows is returned from the cache.

    The default value for this setting is 25.

    Options for number of results displayed per page (use spaces to separate values)

    Allows you to specify additional values that the user can select to override the default number of rows displayed on the My Roles, View Request Status, Browse Role Catalog, and Manage Role Relationships pages. The list of values you type must be separated by spaces.

    Note that the number specified in the Default number of results displayed per page control is always included in the list of values for the user to select.

    The default value for this setting is 5 10 50 100 500.

    NOTE: This setting also applies to the Team Tasks page on the Work Dashboard tab and to the Object Selector. The default number of rows displayed on the Team Tasks page and in the Object Selector, however, is not controlled by the Default number of results displayed per page setting. The default number of rows for team tasks is set at 5, and the default number of rows for the Object Selector is set at 10.

    Threshold for browser-based sorting and filtering

    Specifies the maximum amount of memory (expressed in rows) for the client browser to use for sorting and filtering. If you specify a very high value, client-side sorting and filtering will be very fast, but an excessive amount of memory might be used on the client. If you specify a very low value, the client-side memory usage might be low, but sorting and filtering might also be too slow.

    This setting applies only if the size of the result set is less than or equal to the threshold value. If the size of the result set is larger than the threshold value specified, sorting and filtering operations are performed on the server.

    The default value for this setting is 1000.

Configuring the Task Settings

To configure the administrative settings for the Tasks list on the Work Dashboard:

  1. Scroll down to the Task Settings box.

  2. To specify whether you want the Task List to be displayed when users first open the dashboard, select either the Yes or No radio button for the Expand Task List in default view of Work Dashboard option.

  3. To set the default sort column for the task list, pick the column in the Task Notifications List default sort field. Indicate whether the sort order will be ascending or descending by selecting or deselecting the Descending checkbox.

    The default sort column is required in the task list display. When you select a default sort column, this column is automatically added to the User default columns list.

    To allow the user to override the default sort column and sort order, click the Allow user to override checkbox.

  4. To include a column in the task list, select it in the Available Columns list box, and drag it to the User default columns list box. To remove a column, select it in the User default columns list box and drag it to the Available Columns list box. You can select multiple columns to include or exclude by using the Ctrl or Shift key while clicking on the columns.

    To allow the user to override the column selections you’ve made, click the Allow user to override checkbox. When you click this checkbox, the user interface displays the Available columns for User override list box. Any columns you add to the Available columns for User override list box are included in the Available columns list that the user sees on the Work Dashboard. To allow the user to override the default column list, select and drag one or more columns to the Available columns for User override list box from either the User default columns list box or the Available Columns list box. When you add a column to the Available columns for User override list box, that column is automatically removed from the list box from which you dragged it.

  5. To specify how the task details should be displayed when the user clicks on a task, select one of the following options:

    Option

    Description

    In line with list

    Displays the details within the Task Notifications list, directly under the task selected.

    This is the default.

    In modal dialog

    Displays the details in a separate dialog box that appears on top of the Task Notifications list. After viewing the details for a task, the user needs to close the dialog to see the list again.

  6. To allow the user to claim a task automatically by simply opening the task details, select yes for the Auto-claim when opening Task Details option. When this option is set to no, the user must explicitly select Claim to claim a task.

Configuring the Request Status Settings

To configure the administrative settings for the Request Status list on the Work Dashboard:

  1. Scroll down to the Request Status Settings box.

  2. To set the default sort column for the request status list, pick the column in the Request Status List default sort field. Indicate whether the sort order will be ascending or descending by selecting or deselecting the Descending checkbox.

    The default sort column is required in the request status list display. When you select a default sort column, this column is automatically added to the User default columns list.

    To allow the user to override the default sort column and sort order, click the Allow user to override checkbox.

  3. To include a column in the request status list, select it in the Available Columns list box, and drag it to the User default columns list box. To remove a column, select it in the User default columns list box and drag it to the Available Columns list box. You can select multiple columns to include or exclude by using the Ctrl or Shift key while clicking on the columns.

    To allow the user to override the column selections you’ve made, click the Allow user to override checkbox. When you click this checkbox, the user interface displays the Available columns for User override list box. Any columns you add to the Available columns for User override list box are included in the Available columns list that the user sees on the Work Dashboard. To allow the user to override the default column list, select and drag one or more columns to the Available columns for User override list box from either the User default columns list box or the Available Columns list box. When you add a column to the Available columns for User override list box, that column is automatically removed from the list box from which you dragged it.

  4. To specify how the request status details should be displayed when the user clicks on one of the items requested, select one of the following options:

    Option

    Description

    In line with list

    Displays the details within the Request Status list, directly under the request selected.

    This is the default.

    In modal dialog

    Displays the details in a separate dialog box that appears on top of the Task Notifications list. After viewing the details for a task, the user needs to close the dialog to see the list again.

7.2.4 Configuring the Workflow Engine and Cluster Settings

This section provides instructions on configuring the Workflow Engine and on configuring cluster settings. These settings apply to all engines in the cluster. When any of these settings are changed, other engines in the cluster will detect these changes in the database and use the new values. The engines check for changes to these settings at the same rate as specified by the pending process interval.

When the workflow engine starts up, it checks to see if its engine ID is already in use by another node in the cluster. When this is the case, the workflow engine checks the cluster database to see if the status of the engine is SHUTDOWN or TIMEDOUT. If it is, the workflow engine starts. If the status is STARTING or RUNNING, the workflow engine logs a warning, then waits for a heartbeat timeout to occur. If the heartbeat timeout occurs, the other workflow engine with the same ID was not shut down properly, so it is safe to start. If the heartbeat timer is updated, another workflow engine with the same ID is running in the cluster, so the workflow engine cannot start. You can specify the heartbeat timeout (the maximum elapsed time between heartbeats before a workflow engine is considered timed out) by setting Heartbeat Interval and Heartbeat Factor. For more information about configuring these settings, see Configuring the Workflow Cluster.

The process cache settings and heartbeat settings require a server restart to take effect.

Configuring the Workflow Engine

To configure the Workflow Engine settings:

  1. Select the Provisioning tab.

  2. Select Engine and Cluster Settings from the left navigation menu.

    The user interface displays the Workflow Configuration Settings page. To configure the engine, you need to make some changes in the Workflow Engine box.

  3. To change an engine setting, click the target field for the setting and type the new value. The engine settings are described below:

    Engine Setting

    Description

    Email Notification (per workflow engine)

    Enables or disables email notifications for the entire workflow engine. Defaults to enabled.

    Web Service Activity Timeout (minute)

    Specifies the default Web Service activity timeout in minutes. The default is 50 minutes.

    User Activity Timeout (hour, 0 for no timeout)

    Specifies the default user activity timeout. The default is 0 days, which indicates no timeout.

    Completed Process Timeout (day)

    Specifies the number of days that a completed process state is kept in the workflow database system. The default is 120 days.

    Completed Process Cleanup Interval (hour)

    Specifies how often the engine checks for and removes completed processes that have been in the workflow database system for longer than the completed process timeout. The default is 12 hours.

    Pending Process Interval (second)

    User activities that are executed on an engine which the process is not bound to are put into a pending state. This interval specifies how often to check for pending activities in order to continue their execution. The default is 30 seconds.

    Retry Queue Interval (minute)

    Activities that fail because of suspected database connectivity issues are put on a retry queue. This interval specifies how often the engine attempts to retry these activities. The default is 15 minutes.

    Maximum Thread Pool Size

    The maximum number of threads that the engine uses to execute activities. The default is 20.

    Minimum Thread Pool Size

    The minimum number of threads that the engine uses to execute activities. When a thread is requested and fewer than the minimum are in the pool, a new thread will be created even if there are idle threads in the pool. The default is 10.

    Initial Thread Pool Size

    Number of prestarted threads in the pool when it is created. The default is 5.

    Thread Keep Alive Time (second)

    If the pool is larger than the minimum size, excess threads that have been idle for more than the keep alive time will be destroyed. The default is 5 minutes.

    Process Cache Load Factor

    The load factor specifies how full the cache is allowed to get before increasing its capacity. If the number of entries in the cache exceeds the product of the load factor multiplied by the current capacity, then the capacity is increased. The default is 0.75.

    Process Cache Initial Capacity

    The process cache is backed by a hash map. The capacity is the number of buckets in the hash map. The initial capacity is the number of buckets at the time the cache is created. The default is 700.

    Process Cache Maximum Capacity

    Before adding a process to the cache, if the number of processes in the cache equals or exceeds the Process Cache Maximum Capacity, the cache attempts to remove the oldest inactive process from the cache. The maximum capacity is a soft limit, so the number of processes in the cache might exceed the Process Cache Maximum Capacity if there are no inactive processes (only active processes) in the cache.

    A good value for this setting should be less than the product of the Process Cache Initial Capacity and the Process Cache Load Factor. This gives the cache a chance to remove older inactive processes from the cache before having to increase its capacity.

    Take the following example:

    Process Cache Initial Capacity = 700;

    Process Cache Load Factor = .75;

    Process Cache Maximum Capacity = 500;

    Number of processes in cache = 500;

    In this case, the number of processes in the cache that will trigger the cache to grow its capacity and perform a rehash would be 525, because the initial capacity multiplied by the load factor is equal to 525. In this example, when there are 500 processes in the cache, the cache is approaching the point where it must increase its size and perform a rehash, which is at 525 processes. When another process is added to the cache, the engine attempts to remove the least recently used inactive process instead of letting the cache get closer to 525 processes.

    The default is 500.

    Maximum Engine Shutdown Timeout (minute)

    The engine attempts to shut down gracefully. When shutting down, it stops queuing new activities for execution and attempts to complete any activities already queued. This timeout specifies the maximum time that the engine waits for all queued activities and threads executing activities to complete. If this time is exceeded, the engine halts processing of queued activities and attempts to stop all threads executing activities. The default is 1 minute.
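The interaction between the three Process Cache settings described above, modeled as an added Python example (not code from the User Application). The class and function names are hypothetical, and doubling the capacity on growth is an assumption; the page says only that the capacity is increased.

```python
from collections import OrderedDict


def max_capacity_ok(initial_capacity, load_factor, max_capacity):
    """Documented guideline: maximum capacity < initial capacity x load factor."""
    return max_capacity < initial_capacity * load_factor


class ProcessCacheModel:
    """Toy model of the process cache: soft maximum plus load-factor growth."""

    def __init__(self, initial_capacity=700, load_factor=0.75, max_capacity=500):
        self.capacity = initial_capacity      # number of hash map buckets
        self.load_factor = load_factor
        self.max_capacity = max_capacity      # soft limit on cached processes
        self.entries = OrderedDict()          # process id -> active flag, oldest first
        self.rehashes = 0

    def rehash_threshold(self):
        return self.load_factor * self.capacity

    def add(self, process_id, active):
        # Soft limit: before adding, try to remove the oldest inactive process.
        if len(self.entries) >= self.max_capacity:
            victim = next((pid for pid, is_active in self.entries.items()
                           if not is_active), None)
            if victim is not None:
                del self.entries[victim]
            # If every cached process is active, nothing is removed and the
            # cache is allowed to exceed max_capacity.
        self.entries[process_id] = active
        # Growth: entries exceed load factor x current capacity.
        if len(self.entries) > self.rehash_threshold():
            self.capacity *= 2                # assumption: capacity doubles
            self.rehashes += 1


def simulate(process_count, active, **settings):
    """Add process_count processes; return (cached, rehashes, capacity)."""
    cache = ProcessCacheModel(**settings)
    for process_id in range(process_count):
        cache.add(process_id, active)
    return len(cache.entries), cache.rehashes, cache.capacity


if __name__ == "__main__":
    # Defaults from the page (700, .75, 500); workloads are constructed.
    print("guideline met:", max_capacity_ok(700, 0.75, 500))
    print("2000 inactive processes:", simulate(2000, active=False))
    print("600 active processes:   ", simulate(600, active=True))
    print("max capacity set to 600:", simulate(2000, active=False, max_capacity=600))
```

With the defaults, inactive processes are evicted at 500 and the 525-entry growth point is never reached; a workload of only active processes, or a maximum capacity above 525, forces a rehash.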

Configuring the Workflow Cluster

To configure the Workflow Cluster settings:

  1. Select the Provisioning tab.

  2. Select Engine and Cluster Settings from the left navigation menu.

    The user interface displays the Workflow Configuration Settings page. To configure cluster settings, you need to make some changes in the Workflow Cluster box.

  3. To change a cluster setting, click the target field for the setting and type the new value. The cluster settings are described below:

    Cluster Setting

    Description

    Heartbeat Interval (second, minimum 60)

    Specifies the interval at which the workflow engine’s heartbeat is updated.

    When the workflow engine starts up, it detects if its engine ID is already being used by another node in the cluster and refuses to start if the ID is in use. The User Application database maintains a list of engine IDs and engine states. If an engine crashes and is restarted, its last state in the database indicates that it is still running. The workflow engine therefore uses a heartbeat timer, which writes heartbeats at the specified interval, to determine if an engine with its ID is still running in the cluster. If it’s already running, it refuses to start.

    The minimum value for the heartbeat interval is 60 seconds.

    Heartbeat Factor (minimum 2)

    Specifies the factor that is multiplied with the heartbeat interval to arrive at the heartbeat timeout.

    The timeout is the maximum elapsed time permitted between heartbeats before an engine will be considered timed out.

    The minimum value for the heartbeat factor is 2.
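The startup check described at the beginning of Section 7.2.4, combined with the Heartbeat Interval and Heartbeat Factor settings above, modeled as an added Python example (not code from the User Application). The record layout, the function names, and the list of polls standing in for reads of the cluster database are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

MIN_HEARTBEAT_INTERVAL = 60  # seconds (documented minimum)
MIN_HEARTBEAT_FACTOR = 2     # documented minimum


class State(Enum):
    SHUTDOWN = "SHUTDOWN"
    TIMEDOUT = "TIMEDOUT"
    STARTING = "STARTING"
    RUNNING = "RUNNING"


class Decision(Enum):
    START = "start"
    REFUSE = "refuse"            # a live engine already holds this ID
    KEEP_WAITING = "waiting"     # neither outcome observed yet


@dataclass
class EngineRecord:
    """Constructed stand-in for one engine's row in the cluster database."""
    engine_id: str
    state: State
    last_heartbeat: float        # seconds on the database clock


def heartbeat_timeout(interval_s, factor):
    """Heartbeat timeout = Heartbeat Interval x Heartbeat Factor."""
    if interval_s < MIN_HEARTBEAT_INTERVAL:
        raise ValueError("Heartbeat Interval must be at least 60 seconds")
    if factor < MIN_HEARTBEAT_FACTOR:
        raise ValueError("Heartbeat Factor must be at least 2")
    return interval_s * factor


def decide_startup(record, polls, interval_s, factor):
    """Decide whether an engine may start under its configured engine ID.

    record: the existing row for this engine ID, or None if the ID is unused.
    polls:  (now, heartbeat_value) pairs read while waiting, in time order.
    """
    timeout = heartbeat_timeout(interval_s, factor)
    if record is None:
        return Decision.START
    if record.state in (State.SHUTDOWN, State.TIMEDOUT):
        return Decision.START
    # STARTING or RUNNING: the engine logs a warning and watches the heartbeat.
    for now, heartbeat in polls:
        if heartbeat > record.last_heartbeat:
            # Heartbeat was updated: another engine with this ID is running.
            return Decision.REFUSE
        if now - record.last_heartbeat > timeout:
            # No update within the timeout: the old engine was not shut
            # down properly, so it is safe to start.
            return Decision.START
    return Decision.KEEP_WAITING


if __name__ == "__main__":
    # Constructed sample: row left in RUNNING state, last heartbeat at t=1000.
    row = EngineRecord("engine1", State.RUNNING, 1000.0)
    print(decide_startup(row, [(1060.0, 1000.0), (1121.0, 1000.0)], 60, 2))
    print(decide_startup(row, [(1030.0, 1000.0), (1065.0, 1060.0)], 60, 2))
```

With the minimum settings (60 seconds and a factor of 2), an engine restarted after a crash starts once more than 120 seconds have passed since the last recorded heartbeat.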