Question & Answer
Question
How to enable Decision Server Insights Grid Security?
Answer
- Create an xs-server.properties file
This step applies to both the "cisCatalog" and "cisContainer" servers.
- Create xs-server.properties in the server config directory with the following contents:
securityEnabled=true
secureTokenManagerType=autoSecret
authenticationSecret=OurGridServersExampleSecret
transportType=TCP/IP
credentialAuthentication=Required
For example, if the server config dir is C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog, then you would create C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog\xs-server.properties.
This file should exist in each catalog and container server directory.
- Update the <xsServer> element of the server's server.xml to reference the xs-server.properties file
Add the "serverProps" attribute to the xsServer element, referencing xs-server.properties:
<xsServer ... serverProps="xs-server.properties" ... />
For example:
<xsServer catalogServer="false" listenerPort="${xs.port}" serverName="${ia.host}-${wlp.server.name}" transport="XIO" serverProps="xs-server.properties"/>
- Create an xs-security.xml file
This step applies to the "cisCatalog" server only.
- Create xs-security.xml in the cisCatalog server directory with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd" xmlns="http://ibm.com/ws/objectgrid/config/security">
<security securityEnabled="true">
<authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
</security>
</securityConfig>
For example, if the cisCatalog dir is C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog, then you would create C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog\xs-security.xml.
- Update the <xsServer> element of the server's server.xml to reference the xs-security.xml file
<xsServer ... clusterSecurityURL="file://${server.config.dir}/xs-security.xml" ... />
For example:
<xsServer catalogServer="true" listenerPort="${xs.port}" serverName="${ia.host}-${wlp.server.name}" transport="XIO" serverProps="xs-server.properties" clusterSecurityURL="file://${server.config.dir}/xs-security.xml"/>
- Define the XS KeyStoreLoginModule
This step applies to both the "cisCatalog" and "cisContainer" servers.
The KeyStoreLoginAuthenticator defined in the xs-security.xml from step 2 relies on a KeyStoreLogin JAAS configuration. The KeyStoreLogin JAAS configuration must be defined in the server.xml of both the cisCatalog and cisContainer servers. Copy the XML below and paste it anywhere inside the server's server.xml <server> element, such as beneath the <xsServer> element.
<library id="xslib">
<fileset dir="${wlp.install.dir}/lib" includes="com.ibm.ws.xs.server_1.1.jar"/>
</library>
<jaasLoginModule id="xsKeyStoreLoginModule" className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule" controlFlag="REQUIRED" libraryRef="xslib">
<options keyStoreFile="${server.config.dir}/resources/security/cis-key.jks" debug="true"/>
</jaasLoginModule>
<jaasLoginContextEntry id="KeyStoreLogin" name="KeyStoreLogin" loginModuleRef="xsKeyStoreLoginModule"/>
- Create the keystore
This step applies to both the "cisCatalog" and "cisContainer" servers.
- Use the keytool command to create the keystore
Use the JRE keytool command to create a keystore. Here is an example keystore command which creates a keystore containing a key whose alias and password are both "tester", which is the same username and password that is used for quick start security, suitable for testing purposes only:
keytool -genkey -alias tester -keypass tester -keyalg RSA -dname CN=tester,O=ibm,C=us -storepass tester -keystore C:\tmp\cis-key.jks
- Copy the keystore into the cisCatalog and cisContainer servers' "resources/security" directory.
Copy the keystore to ${server.config.dir}/resources/security/cis-key.jks. Create the resources/security directory if needed, though it will already exist and contain the default server keystore "key.jks" if the server has ever been started. Note that "${server.config.dir}" refers to the server directory, for example C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog.
- Add the keystore username and password to the cisContainer server.xml
This step applies to the "cisContainer" server only.
Create an <ia_gateway> configuration element inside the <server> element. In this element define the following three attributes:
securityEnabled="true"
username="<your-keystore-alias>"
password="<your-keystore-alias-password>"
For example:
<ia_gateway securityEnabled="true" username="tester" password="tester"/>
The password can be encoded using XOR or encrypted using AES using the securityUtil tool, or the WDT server.xml editor.
- Add the keystore username and password to the cisInbound and cisOutbound server.xml
This step applies to the "cisInbound" and "cisOutbound" servers only.
Add the user and password to the <ia_connectivity> configuration element:
user="<your-keystore-alias>"
password="<your-keystore-alias-password>"
For example:
<ia_connectivity catalogServerEndpoint="${ia.bootstrapEndpoints}" user="tester" password="tester"/>
The password can be encoded using XOR or encrypted using AES using the securityUtil tool, or the WDT server.xml editor.
- Add gridSecurityEnabled=true to testdriver.properties
This step applies to the TestDriver client only.
Add these lines to testdriver.properties:
gridSecurityEnabled=true
gridUsername=<your-grid-username> (e.g. tester)
gridPassword=<your-grid-password> (e.g. tester)
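A check for the files produced by the steps above, written in Python as an added example (it is not part of the original document or of the product). It flags an xs-server.properties that lacks the settings shown here or still carries the sample authenticationSecret, an <xsServer> element that does not reference its properties or security file, and any server.xml password left in plain text. The function names and sample input are constructed for illustration; the {xor} and {aes} prefixes are the markers Liberty puts on encoded values.

```python
import re
import xml.etree.ElementTree as ET

# Settings from the xs-server.properties shown on this page.
REQUIRED = {"securityEnabled": "true", "credentialAuthentication": "Required"}
SAMPLE_SECRET = "OurGridServersExampleSecret"           # the page's example value
ENCODED = re.compile(r"^\{(xor|aes)\}", re.IGNORECASE)  # Liberty encoded-password prefixes

def parse_props(text):
    """Return the key=value pairs of a properties file, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_props(name, text):
    """Findings for one server's xs-server.properties."""
    props, out = parse_props(text), []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            out.append(f"{name}: {key} is {props.get(key)!r}, expected {want!r}")
    if props.get("authenticationSecret") in (None, "", SAMPLE_SECRET):
        out.append(f"{name}: authenticationSecret is unset or the sample value")
    return out

def audit_server_xml(name, text):
    """Findings for one server's server.xml."""
    root, out = ET.fromstring(text), []
    xs = root.find("xsServer")
    if xs is not None and not xs.get("serverProps"):
        out.append(f"{name}: <xsServer> does not reference xs-server.properties")
    if xs is not None and xs.get("catalogServer") == "true" \
            and not xs.get("clusterSecurityURL"):
        out.append(f"{name}: catalog <xsServer> has no clusterSecurityURL")
    for elem in root.iter():
        pw = elem.get("password")
        if pw is not None and not ENCODED.match(pw):
            out.append(f"{name}: <{elem.tag}> password is stored in plain text")
    return out

# Constructed sample input, modelled on the snippets in this procedure.
CONTAINER_PROPS = ("securityEnabled=true\ncredentialAuthentication=Required\n"
                   "authenticationSecret=OurGridServersExampleSecret\n")
CONTAINER_XML = """<server>
  <xsServer catalogServer="false" serverProps="xs-server.properties"/>
  <ia_gateway securityEnabled="true" username="tester" password="tester"/>
</server>"""

if __name__ == "__main__":
    for finding in (audit_props("cisContainer", CONTAINER_PROPS)
                    + audit_server_xml("cisContainer", CONTAINER_XML)):
        print(finding)
```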
Document Information
Modified date: 17 February 2022
UID: swg21694405