Customizing JVM options

You might need to change the default JVM time zone setting in Decision Center, which is set to Central European Time (CET) by default. By changing the time zone JVM argument, you change the dates and calendars that you see in the user interface.

Before you begin

You can customize the JVM arguments in an ODM for production instance at installation time, or use the default settings. To customize them, use the jvmOptionsRef parameters in the custom resources .yaml file. For more information, see ODM for production parameters.

About this task

When you install an ODM instance, the following configmap files are created. They define the default Liberty server JVM arguments for each ODM component.

Table 1. Naming convention for configmap files

Component                 Name of configmap
Decision Center           <instance_name>-odm-dc-jvm-options-configmap
Decision Runner           <instance_name>-odm-dr-jvm-options-configmap
Decision Server Console   <instance_name>-odm-ds-console-jvm-options-configmap
Decision Server Runtime   <instance_name>-odm-ds-runtime-jvm-options-configmap

Where <instance_name> is the name of the CR file.

By default, the only JVM argument in the Decision Center configmap file is the time zone.

-Duser.timezone=Europe/Paris

Procedure

  1. Create a jvm.options file with the new settings for the Liberty JVM.
    The name must be jvm.options as it replaces the default file in the container.
    Tip: If you do need to add multiple options in Decision Center or in the other components, separate the options by using the \n separator.
    -Dprop1=val1\n-Dprop2=val2
  2. Create a configmap with a key that corresponds to the component that you want to modify.
    The following keys must be used:
    • Decision Center: dc-jvm-options
    • Decision Runner: dr-jvm-options
    • Decision Server Console: dsc-jvm-options
    • Decision Server Runtime: dsr-jvm-options

    For example, to create a JVM options configmap for Decision Center, enter the following command:

    kubectl create configmap my-odm-dc-jvm-options-configmap --from-file=dc-jvm-options=jvm.options
    
  3. Associate the new configmap to the application definition by using the jvmOptionsRef parameter in the custom resources .yaml file that the operator used to deploy ODM.

    For example, to apply the new JVM options to Decision Center, use the following YAML:

    decisionCenter:
       jvmOptionsRef: my-odm-dc-jvm-options-configmap
  4. Modify the existing containers by running the kubectl apply command on the custom resources .yaml file.
    kubectl apply -f custom_resources.yaml

Results

The operator modifies the application to use the new configmap and updates the /config/configDropins/overrides/jvm.options file.

Example

To activate FIPS by using an external Java™ option, use the usefipsprovider option in a configmap for all the containers that you include.

  1. Create a file, name it fips.jvmoptions, and add the following content.
    -Duser.timezone=Europe/Paris
    -Dcom.ibm.jsse2.overrideDefaultTLS=true
    -Dcom.ibm.jsse2.usefipsprovider=true
    -Dcom.ibm.jsse2.sp800-131=transition
    -Dcom.ibm.jsse2.usefipsProviderName=com.ibm.crypto.fips.provider.IBMJCEFIPS
    -Dsecurity.overridePropertiesFile=true
    -Djava.security.properties==file://localhost/opt/ibm/wlp/usr/servers/defaultServer/security/trusted-cert-volume/my-fips-javasecurity/java.security
  2. Create a configmap for each component in your deployment.
    oc create cm dsr-fips-options-cm --from-file=dsr-jvm-options=fips.jvmoptions
    oc create cm dr-fips-options-cm --from-file=dr-jvm-options=fips.jvmoptions
    oc create cm dc-fips-options-cm --from-file=dc-jvm-options=fips.jvmoptions
    oc create cm dsc-fips-options-cm --from-file=dsc-jvm-options=fips.jvmoptions
  3. Create a file, name it java.security, and add the following content.
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=org.apache.harmony.security.provider.PolicyProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC, RSAPSS, RSASSA-PSS5.
  4. Create a secret with the name my-fips-javasecurity by running the following command.
    kubectl create secret generic my-fips-javasecurity --from-file=java.security
  5. Update the Cloud Pak deployment custom resource with the following parameters.
    apiVersion: icp4a.ibm.com/v1
    kind: ICP4ACluster
    metadata:
       labels:
          app.kubernetes.io/instance: ibm-dba
          app.kubernetes.io/managed-by: ibm-dba
          app.kubernetes.io/name: ibm-dba
       name: odm-fips
    spec:
    ...
       odm_configuration:
          customization:
             trusted_certificate_list: my-fips-javasecurity
          decisionCenter:
             jvmOptionsRef: dc-fips-options-cm
          decisionServerConsole:
             jvmOptionsRef: dsc-fips-options-cm
          decisionServerRuntime:
             jvmOptionsRef: dsr-fips-options-cm
          decisionRunner:
             jvmOptionsRef: dr-fips-options-cm
          ...
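
Added example (not part of the original documentation): a shell pre-flight check to run on fips.jvmoptions and java.security before you create the configmaps and the secret. It assumes that the directory after trusted-cert-volume/ in the java.security.properties path is the name of the secret from step 4, which is inferred from the values on this page; the function names are hypothetical and the sample files are constructed from the lines shown above.

```shell
# Added example: pre-flight checks for fips.jvmoptions and java.security.

# Print the value of -D<name>=<value> from a JVM options file (last one wins).
jvm_opt() {  # usage: jvm_opt FILE NAME
    awk -v key="-D$2=" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, key) == 1 { val = substr($0, length(key) + 1) }
        END { print val }' "$1"
}

# Return 0 only if the two files agree with each other and with the secret name.
check_fips_files() {  # usage: check_fips_files JVMOPTS JAVASEC SECRET_NAME
    opts=$1; sec=$2; secret=$3; rc=0
    # Each line must be an option, a comment, or blank.
    if grep -Eqv '^[[:space:]]*(-|#|$)' "$opts"; then
        echo "FAIL: $opts contains a line that is not a JVM option" >&2; rc=1
    fi
    if [ "$(jvm_opt "$opts" com.ibm.jsse2.usefipsprovider)" != "true" ]; then
        echo "FAIL: com.ibm.jsse2.usefipsprovider is not true" >&2; rc=1
    fi
    # The page uses '==', so the extracted value starts with '='. Assumption:
    # the directory after trusted-cert-volume/ is the secret name.
    case $(jvm_opt "$opts" java.security.properties) in
        =file://*/trusted-cert-volume/"$secret"/java.security) ;;
        *) echo "FAIL: java.security.properties does not point into secret $secret" >&2; rc=1 ;;
    esac
    first=$(sed -n 's/^security\.provider\.1=//p' "$sec" | tr -d ' \r')
    if [ "$first" != "com.ibm.crypto.fips.provider.IBMJCEFIPS" ]; then
        echo "FAIL: security.provider.1 is '$first', not IBMJCEFIPS" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files, reduced to the lines the checks read.
write_samples() {  # usage: write_samples DIR
    cat > "$1/fips.jvmoptions" <<'EOF'
-Duser.timezone=Europe/Paris
-Dcom.ibm.jsse2.usefipsprovider=true
-Djava.security.properties==file://localhost/opt/ibm/wlp/usr/servers/defaultServer/security/trusted-cert-volume/my-fips-javasecurity/java.security
EOF
    cat > "$1/java.security" <<'EOF'
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_fips_files "$demo_dir/fips.jvmoptions" "$demo_dir/java.security" my-fips-javasecurity && echo "FIPS files are consistent"
```

If you rename the secret in step 4, pass the new name as the third argument; the check fails until the path in fips.jvmoptions is updated to match.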