Business-process-management (BPM) systems are increasingly used in service-oriented architectures (SOA), coordinating activities of web services and of human actors. The openness and flexibility of SOA causes new challenges regarding security of business processes. This is because they have to deal with unexpected situations at run time. Respective solutions must be inherent to a BPM system (BPMS). Process implementers must explicitly model different security aspects of business processes, and the BPMS must combine them with run-time context to enforce security. However, existing BPMS do not address security issues in a way that is sufficiently broad. Thus, extensions are necessary, and they should integrate existing technology. The core contribution of this paper is to propose how to extend the WfMC reference architecture for BPMS to accomplish this, having identified different design alternatives. The resulting architecture is generic and integrates with existing SOA technologies like federated identity management. It is modular, making adaptations relatively easy. This has been hard to achieve because security aspects concern the entire system. Finally, our architecture can be used to implement the various business process security modelling approaches that have been presented in the literature.