How to secure a hosted transparent decision service in IBM Operational Decision Management

This article explores one of the techniques you can use to secure a hosted transparent decision service in IBM® Operational Decision Manager. Authentication and authorization are often required in a production environment. You'll learn how to configure a hosted transparent decision service to connect to LDAP for authentication, as well as define additional code to validate whether the calling user ID is authorized to invoke the rule project. This content is part of the IBM Business Process Management Journal.

Tamer Nassar (tamer@us.ibm.com), Software Engineer, IBM

Tamer NassarTamer Nassar is a software engineer in the office of the IBM CIO, and has been with IBM since 2000. He has been involved in many different projects, with a variety of technologies, designing, implementing, and testing many end-to-end enterprise solutions. His areas of interest and expertise include SOA, IT architecture and methodology, WebSphere Application Server, WebSphere Process Server, WebSphere MQ, and WebSphere Message Broker.



Murali Vridhachalam (mural@us.ibm.com), IT Architect, IBM

Murali Vridhachalam photoMurali Vridhachalam, an Open Group certified IT architect, has been involved with XBRL since early 2005. He was the lead architect for IBM's first ever submission of financial reports using XBRL, as part of the SEC's XBRL voluntary filing program. His current interests include SOA and Software as a Service (SaaS) offerings built using the IBM enterprise software portfolio.



Zhi Yong Mao (maozy@cn.ibm.com), Software Engineer, IBM

Zhi Mao photoZhi Yong Mao has been working in the office of the IBM CIO for more than 6 years. His areas of interest and expertise include SOA, IT architecture, J2EE, Websphere Application Server, DB2 and PHP.



13 February 2013

Also available in Chinese

Overview

Using IBM Operational Decision Manager (IBM ODM) software to implement decision logic, you can realize major advancements in bridging the gap between business people and IT. ODM enables businesses to define policies in a form that is understandable to the non-technical user and deployable to the systems that use them to automate decisions, thus facilitating clear communication between the policy managers defining the requirements and the developers implementing the business system solution.

Typically, with a hosted transparent decision service approach, business applications are web service clients that make SOAP-based web service calls to business rules in IBM ODM. For security purposes, the web service client makes an SSL call to the hosted transparent decision service and passes a username and password. The web service client makes an SSL call to the hosted transparent decision service and passes a username and password. The hosted transparent decision service uses LDAP for authentication. If the credentials are valid, the authorization code is triggered to validate the calling username against a reference table. This reference table has a list of SOAP URLs for all rule projects and authorized ids for each project. If the authorization is successful, the web service call goes through. Otherwise, the web service client gets an error message.

Prerequisites

This article is written for the intermediate IBM ODM developer and focuses on a specific area of implementation. It is assumed that the reader has a basic understanding of IBM ODM from a developer's perspective. This article and the sample are compatible with WebSphere ILOG V7.1, WebSphere ODM V7.5 and IBM ODM V8. The steps in the article are based on ODM running on WebSphere Application Server.

Customizing a hosted transparent decision service

Let's start by customizing a hosted transparent decision service EAR file to add security to it:

Exporting the hosted transparent decision service EAR

After installing ODM on WebSphere, log in to the WebSphere Integrated Solutions Console and export the jrules-res-htds application.

Figure 1. Export the jrules-res-htds application
Export the jrules-res-htds application

After downloading the EAR file, you need to make changes to the following files in the jrules-res-htds.ear:

Make changes in the META-INF folder to add security to the hosted transparent decision service

You need to change three files (Application.xml, ibm-application-bnd.xml, and was.policy) in the META-INF folder in jrules-res-htds.ear to add security:

Figure 2. META-INF folder structure
META-INF folder structure

Update application.xml

In application.xml, replace the bold text in the header in Listing 1 with the bold text in Listing 2, to enable Java EE 5 support in the customized EAR file.

Listing 1. Old application.xml configuration

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC "-//Sun Microsystems, Inc.//DTD J2EE Application 1.3//EN" 
    "http://java.sun.com/dtd/application_1_3.dtd">
<application id="Application_1352340619765">
  <display-name>jrules-res-htds</display-name>
  <description>Enterprise application archive for the Websphere 
               application server.</description>
  <module>
    <web>
      <web-uri>jrules-res-htds.war</web-uri>
      <context-root>DecisionService</context-root>
    </web>
  </module>
</application>
Listing 2. Revised application.xml configuration

<?xml version="1.0" encoding="UTF-8"?>
<application id="Application_1352340619765" 
   xmlns="http://java.sun.com/xml/ns/javaee" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
   http://java.sun.com/xml/ns/javaee/application_5.xsd" version="5">
   <display-name>jrules-res-htds</display-name>
  <description>Enterprise application archive for the Websphere
               application server.</description>
  <module>
    <web>
      <web-uri>jrules-res-htds.war</web-uri>
      <context-root>DecisionService</context-root>
    </web>
  </module>
</application>

Create a ibm-application-bnd.xml file

Important: Before performing this step, remove the ibm-application-bnd.xmi file, which is not supported by Java EE 5.

Create a new file called ibm-application-bnd.xml in the META-INF folder and add the following XML to the file.

Listing 3. New ibm-application-bnd.xml configuration
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
	xmlns="http://websphere.ibm.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee 
	http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
	version="1.0">
	<security-role name="WODMSecurity">
		<special-subject type="ALL_AUTHENTICATED_IN_TRUSTED_REALMS" />
	</security-role>
</application-bnd>

Now you've added a security role called WODMSecurity, which will be used in web.xml. You can give the security role any name as long as you use the same name in the other files.

Update was.policy

In the was.policy file, you need to add a new line to grant permissions to getCallerSubject as follows:

Listing 4. New was.policy configuration
//grant additional permissions
grant codeBase "file:${application}" {
  permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";
};

You've now finished the changes in the META-INF folder and can move on to the next step.


Make changes to the WAR changes in the WEB-INF folder

Modify web.xml

You need modify the web.xml file, as shown in Listing 5, by adding filter tags (AuthFilter) to validate the incoming web service calls to the hosted transparent decision service. The filter will execute the customized com.ibm.security.AuthFilter class. Also, you need to add the filter-mapping tag to enforce the filter on all web service calls (/ws/*).

Listing 5. Filter configuration
<filter>
 	<display-name>AuthFilter</display-name>
 	<filter-name>AuthFilter</filter-name>
 	<filter-class>com.ibm.security.AuthFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>AuthFilter</filter-name>
 	<url-pattern>/ws/*</url-pattern>
</filter-mapping>

Add the database data source to be used by the customized code to connect to the reference table APP_WS_LOGIN, which has a list of SOAP URLs for all rule projects and authorized ids for each project, as shown in Listing 6.

Listing 6. Data source configuration
<resource-ref id="ResourceRef_1282067150040">
	<description>DB Connection</description>
	<res-ref-name>jdbc/filter</res-ref-name>
	<res-type>javax.sql.DataSource</res-type>
	<res-auth>Container</res-auth>
</resource-ref>

Figure 3 shows sample data for the APP_WS_LOGIN table.

Figure 3. APP_WS_LOGIN sample table
APP_WS_LOGIN sample table

Add WebSphere Application Server authentication security configuration into web.xml, as shown in Listing 7.

Listing 7. WebSphere Application Server authentication security configuration
<security-constraint>
	<web-resource-collection>
		<web-resource-name>Security Resource</web-resource-name>
		<url-pattern>/ws/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>WODMSecurity</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>LDAP_Server:PortNum</realm-name>
</login-config>
<security-role>
	<role-name>WODMSecurity</role-name>
</security-role>

Make sure the role name WODMSecurity is the same as that defined in ibm-application-bnd.xml.

Update ibm-web-bnd.xmi

Add resource reference configuration to ibm-web-bnd.xmi, as shown in Listing 8.

Listing 8. Resource reference configuration
<resRefBindings xmi:id="ResourceRefBinding_1282067150040" jndiName="jdbc/filter">
    <bindingResourceRef href="WEB-INF/web.xml#ResourceRef_1282067150040"/>
</resRefBindings>

Add log4j JAR to the lib folder

Add the log4j JAR file to the lib folder, as shown in Figure 4. This file is used for logging and JSON-RPC, which is used in the DBHelper class.

Figure 4. lib folder structure
lib folder structure

Add class and configuration files

Add the configuration files config.properties, log4j.xml, and log4j.properties and the com folder into \WEB-INF\classes\ after you compile the project code. The com folder contains all compiled classes as shown in Figures 7 and 8.

Figure 5. Configuration and class files
Configuration and class files

Don't forget to change the schema to match your database schema, as shown in Figure 6.

Figure 6. DB SCHEMA
DB SCHEMA change

Now you need to add the compiled classes to the hosted transparent decision service EAR file. Add the DB classes DBHelper.class and DBException.class to jrules-res-htds.ear\jrules-res-htds.war\WEB-INF\classes\com\ibm\db\, as shown in Figure 7.

Figure 7. DB classes
DB classes

Add the security classes Config.class, AuthFilter.class and Base64.class to jrules-res-htds.ear\jrules-res-htds.war\WEB-INF\classes\com\ibm\security\, as shown in Figure 8.

Figure 8. Security classes
Security classes

Finally, redeploy the EAR file. Make sure your WebSphere Application Server is configured to connect to LDAP!


SSL connection for the client

To make the web service call secure, you need enable SSL connection:

Call the service via an SSL connection in the Java application

If you need to call the web service via an SSL connection using a Java application client, complete the follow these steps:

  1. Download the certificate from the browser and save it as dpevxxx.cer, as shown in Figure 9.
    Figure 9. SSL certificate
    SSL certificate
  2. Go to the JDK/JRE bin directory C:\Java\IBM\SDP\runtimes\base_v7\java\jre\bin\ and import the dpevxxx.cer file into the truststore using the following command:
    keytool -import -file "C:\Downloads\dpevxxx.cer" -storepass xxxxxx 
    -keystore dpevxxx.truststore -alias dpevxxxkey -noprompt
  3. Now set the property for trustStore and trustStorePassword as follows:
    System.setProperty("javax.net.ssl.trustStore","dpevxxx.truststore");
    System.setProperty("javax.net.ssl.trustStorePassword","xxxxxx");

Call the service via an SSL connection in a web application

If you need call the web service via an SSL connection in a web application in Websphere Application Server, complete the following steps to import the signer certificate:

  1. Open the Websphere Admin Console and select Security => SSL certificate and key management, then click Key stores and certificates as shown in Figure 10.
    Figure 10. SSL certificate and key management
    SSL certificate and key management
  2. Click the NodeDefaultTrustStore link in the list, as shown in Figure 11.
    Figure 11. NodeDefaultTrustStore
    NodeDefaultTrustStore
  3. Click the Signer certificates link in Additional Properties, as shown in Figure 12.
    Figure 12. Signer certificates
    Signer certificates
  4. Click Retrieve from port, as shown in Figure 13.
    Figure 13. Retrieve from port
    Retrieve from port
  5. Specify the host name, port number, and alias name, then click Retrieve signer information. You'll see results as shown in Figure 14.
    Figure 14. Retrieve signer information
    Retrieve signer information
  6. Click OK to save the signer certificate.

Update the client code for BASIC authorization

Need a paragraph here introducing this section. Can't stack heads with no text between.

Set the user name and password for JAX-WS

Set the user name and password in the web service client code, as shown in Listing 9:

Listing 9. Set the user name and password for JAX-WS
DecisionServiceTestSecurityRule_Service service=
    new DecisionServiceTestSecurityRule_Service();  
DecisionServiceTestSecurityRule test=
    service.getDecisionServiceSOAPdpev262InnovateIbmCom();
BindingProvider bp=(BindingProvider)test;
bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "xxx@xx.ibm.com");
bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "xxxxxx");

Set the user name and password for JAX-RPC

Find the file named xxx_ServiceLocator.java and search for _stub instanceof. After that, add the user name and password as shown in Listing 10.

Listing 10. Set the user name and password for JAX-RPC
if (_stub instanceof com.ibm.ws.webservices.engine.client.Stub) {
    ((com.ibm.ws.webservices.engine.client.Stub) _stub).setPortName(
        decisionServiceSOAPdpev262InnovateIbmComWSDDPortName);
    ((com.ibm.ws.webservices.engine.client.Stub) _stub).setUsername("xxxx@xx.ibm.com");
    ((com.ibm.ws.webservices.engine.client.Stub) _stub).setPassword("xxxxxx");
}

Conclusion

Congratulations! In a short amount of time you have secured your hosted transparent decision service in IBM ODM. You can now make secure calls to your rule project. Also, you can host multiple rule projects on the same server, and these projects are unable to access each other's rules. Each project will have its own authorized ids to invoke the rules and to access the WSDL file.


Download

DescriptionNameSize
Sample project for this articleSecurityFilter.zip444KB

Resources

  • IBM Operational Decision Manager provides functionality to build and deploy rule-based applications for Java, mainframe and SOA-based environments.
  • WebSphere ILOG JRules Information Center contains information describing the IBM WebSphere ILOG JRules BRMS product line and features.
  • Configuring WS-Security for JAX-RPC web services shows you how to configure WS-Security and the WebSphere environment so that a JSP client in one WebSphere cell can call a JAX-RPC Web service in WebSphere Process Server in a different cell.
  • developerWorks BPM zone: Get the latest technical resources on IBM BPM solutions, including downloads, demos, articles, tutorials, events, webcasts, and more.
  • IBM BPM Journal: Get the latest articles and columns on BPM solutions in this quarterly journal, also available in both Kindle and PDF versions.

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Business process management on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Business process management, WebSphere
ArticleID=857676
ArticleTitle=How to secure a hosted transparent decision service in IBM Operational Decision Management
publish-date=02132013