Using a Zen API key for authentication

To automatically authenticate with the Operational Decision Manager services through the Cloud Pak Zen platform, you must use an API key.

About this task

To deploy RuleApps or to run tests and simulations, you must create server configurations so that you can connect from Operational Decision Manager to the Decision Server console and to Decision Runner. A Zen OpenID provider allows you to manage these server configurations through a Zen API key. You need at least one of the following roles:
  • ODM Administrator (permission: ODM - Administer Decision Server; ODM Liberty role: resAdministrators)
  • ODM Runtime administrator (permission: ODM - Monitor and deploy decision services in Decision Server; ODM Liberty role: resDeployers)

Procedure

  1. Generate an API key.

    Follow the procedure described in Generating API keys for authentication.

  2. To consume a Zen API key, note the following recommendations.
    • For Operational Decision Manager API calls and Decision Server console REST API calls, use a Zen API key.

      A Zen API key with the "Authorization: ZenApiKey <username:zenapikey base64 encoded>" header does not expire. For more information, see Authorizing HTTP requests by using the Zen API key

    • For Decision Server Runtime REST API calls, although you can use a Zen API key, it is preferable to use basic authentication for performance reasons.

      Basic authentication with the "Authorization: Basic <username:password base64 encoded>" header provides the best performance.

      A default basic registry with the following users is provided in the form of a webSecurity.xml file:
      • resExecutor to execute rules on the Decision Server Runtime
      • odmAdmin to execute REST API calls on Operational Decision Manager and Decision Server console

      To customize the default basic registry, you must provide your own webSecurity.xml in the customization.authSecretRef secret. For more information, see Optional user access configurations.

      Here are two curl examples that illustrate the usage of the basic auth header to call a decision service:

      curl -H "Content-Type: application/json" -k --data @loanvalidation.json -H "Authorization: Basic cmVzRXhlY3V0b3I6cmVzRXhlY3V0b3I=" https://DecisionServerRuntime:Port/DecisionService/rest/LoanValidationDS/1.0/loan_validation_with_score_and_grade/1.0

      Where cmVzRXhlY3V0b3I6cmVzRXhlY3V0b3I= is the base64 encoding of the current username:password resExecutor:resExecutor

      curl -H "Content-Type: application/json" -k --data @loanvalidation.json -H "Authorization: ZenApiKey Y3A0YWRtaW46OTBFYnpCTkt5Y1ZnZ3dGc1dEMkhSeGhsWU80VFZvRmh1d3VMUkVEbg==" https://DecisionServerRuntime:Port/DecisionService/rest/LoanValidationDS/1.0/loan_validation_with_score_and_grade/1.0

      Where Y3A0YWRtaW46OTBFYnpCTkt5Y1ZnZ3dGc1dEMkhSeGhsWU80VFZvRmh1d3VMUkVEbg== is the base64 encoding of the current username:ZenApiKey cp4admin:90EbzBNKycVggwFsWD2HRxhlYO4TVoFhuwuLREDn