Passing parameters to the Decision Center Business console

Some parameters are used in the Decision Center Business console for enabling OpenID Connect authentication. You set up these parameters in the jvm.options file in the Liberty server or in the ilog/rules/teamserver/preferences.properties file in the decisioncenter.war archive.

About this task

You set parameters for Decision Center in the jvm.options file or in the ilog/rules/teamserver/preferences.properties file in the decisioncenter.war file.

To minimize manual configuration, a sample jvm.options file is provided in the <ODM_InstallDir>/shared/oidc directory.

Note:
  • You must verify the properties in the file of your choice and customize the configuration to suit your system.
  • If the parameters are provided in both the jvm.options and preferences.properties files, the jvm.options file overrides the preferences.properties file.

Procedure

For the Decision Center Business console, add the following parameters in the jvm.options file for your Liberty server, as shown in this example:
-Dcom.ibm.rules.authentication.scheme=oidc
-Dcom.ibm.rules.authentication.oidcconfig=<json_file_name_for_decision_center>.json:<provider_name>
-Dcom.ibm.rules.decisioncenter.referer-allowlist-patterns=<oidc_provider_url>
-Djavax.net.ssl.trustStore=<path><truststore_file_name>.jks
-Djavax.net.ssl.trustStorePassword=<truststore_password>
Parameter Description
-Djavax.net.ssl.trustStore

Specify the file path and file name of the truststore file. The truststore must contain the Decision Center certificate.

This parameter is required by Decision Center to access the decision model when you use an SSL connection. You can use the same truststore file that is used by Rule Designer.

Otherwise, see Importing a server certificate to your environment to generate a truststore file with a client certificate.

Note: You must also add the Decision Center certificate for basic authentication with an SSL connection (HTTPS), not only for OpenID Connect.

You can also define these properties in the ilog/rules/teamserver/preferences.properties file. You can find this file in the teamserver-model.jar file, which is in the <ODM_InstallDir>/decisioncenter/applicationservers/WLP/decisioncenter.war archive.

See the following example:

com.ibm.rules.authentication.scheme=oidc
com.ibm.rules.authentication.oidcconfig=<json_file_name_for_decision_center>.json:<provider_name>
com.ibm.rules.decisioncenter.referer-allowlist-patterns=<oidc_provider_url>
Parameter Description
com.ibm.rules.authentication.scheme

Enables OpenID Connect as an authentication scheme.

When OpenID Connect authentication is enabled, no other authentication scheme is supported. Basic authentication is no longer possible.

com.ibm.rules.authentication.oidcconfig

Format: <oidc_provider_file_name>:<oidc_name>

On the left side of the colon, specify the name of the configuration file.

On the right side of the colon, the name corresponds to the name attribute in the JSON file of the provider to be used by Decision Center for authentication by default.

The file should be placed in the class path of the Decision Center applications.

For more information about the JSON file, see Defining OpenID Connect Providers for Decision Center.

Note: You can add multiple provider names in the JSON file. However, Decision Center uses a single OpenID Connect Provider for all connections.

com.ibm.rules.decisionserver.referer-allowlist-patterns

Specifies the URLs that need to be accessed by the OpenID Connect Providers.

For example, if your OpenID Connect Provider uses the following URL:
"authorizationURL": "https://mydev.com:9445/oidc/endpoint/ssoserver/authorize"
Then, this parameter contains the following URL:
-Dcom.ibm.rules.decisionserver.referer-allowlist-patterns=https://mydev.com:9445/oidc/endpoint/ssoserver/*
Note: You can specify several values, separated by a comma. You can also use "*" as a wildcard to replace any number of characters.
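
The following pre-deployment check is an added example, not part of the product or its documentation: it parses jvm.options text, verifies the scheme and the <file>.json:<provider_name> format of oidcconfig, and confirms that a comma-separated allowlist pattern covers the provider's authorizationURL. It accepts any property name ending in .referer-allowlist-patterns because this page shows both the decisioncenter and decisionserver spellings. The file name oidc-providers.json, the provider name ssoserver, the exact wildcard matching, and the "too broad" rule (non-HTTPS scheme or "*" in the host) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

def parse_jvm_options(text):
    """Return {name: value} for every -Dname=value line; other lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-D") and "=" in line:
            name, value = line[2:].split("=", 1)
            props[name] = value
    return props

def pattern_matches(pattern, url):
    """'*' stands for any run of characters; the rest is literal (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None

def audit(props, authorization_url):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("com.ibm.rules.authentication.scheme") != "oidc":
        findings.append("authentication.scheme is not oidc")
    cfg = props.get("com.ibm.rules.authentication.oidcconfig", "")
    json_file, _, provider = cfg.partition(":")
    if not json_file.endswith(".json") or not provider:
        findings.append("oidcconfig is not <file>.json:<provider_name>")
    patterns = [p.strip() for k, v in props.items()
                if k.endswith(".referer-allowlist-patterns")
                for p in v.split(",") if p.strip()]
    if not any(pattern_matches(p, authorization_url) for p in patterns):
        findings.append("no allowlist pattern covers the authorization URL")
    for p in patterns:
        parts = urlsplit(p)
        # Policy of this example only: require HTTPS and a fixed host.
        if parts.scheme != "https" or "*" in parts.netloc:
            findings.append(f"pattern too broad or not HTTPS: {p}")
    return findings

# Constructed sample input, modelled on the example values shown on this page.
SAMPLE = """\
-Dcom.ibm.rules.authentication.scheme=oidc
-Dcom.ibm.rules.authentication.oidcconfig=oidc-providers.json:ssoserver
-Dcom.ibm.rules.decisioncenter.referer-allowlist-patterns=https://mydev.com:9445/oidc/endpoint/ssoserver/*
"""
AUTH_URL = "https://mydev.com:9445/oidc/endpoint/ssoserver/authorize"

if __name__ == "__main__":
    print(audit(parse_jvm_options(SAMPLE), AUTH_URL) or "OK")
```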