Security architecture

You must identify the components and their shared network connections to understand the security architecture of Operational Decision Manager.

On-premises server installation

The following diagram shows where Operational Decision Manager is installed on your application server:

Figure 1. Operational Decision Manager security architecture

The following applications and APIs are shared:

  • Decision Center Business console
  • Rule Execution Server console
  • Decision Center API
  • Rule Execution Server management API
  • Decision service API

The following components are part of the installation, but they are not publicly accessible because they are back-end components:

  • Rule Execution Server
  • Decision Runner

Data is stored in the following databases, which are not publicly accessible because they are back-end components:

  • Decision Center database
  • Rule Execution Server database
  • Decision Warehouse database

You secure the connections between the applications and data sources (databases and directory services) by configuring Java™ database connectivity (JDBC) over Transport Layer Security (TLS).

Operational Decision Manager can use the directory service of your company. In Decision Center, you can tap your own Lightweight Directory Access Protocol (LDAP) directories for authentication purposes, and to import users and groups, and assign permissions to groups. When you use LDAP over Secure Sockets Layer (SSL), use ldaps://<host or IP>:<ldaps port>.
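
The following audit of data-source URLs is an added example, not code from Operational Decision Manager or its documentation. It flags directory URLs that are not ldaps:// and JDBC URLs that do not request TLS. The driver properties checked (Db2 sslConnection, PostgreSQL sslmode, SQL Server encrypt and trustServerCertificate), the port 389 heuristic, and all sample URLs are assumptions, because the page does not say which databases are in use.

```python
from urllib.parse import urlsplit

def check_ldap(url):
    """Findings for a directory URL; the page's form is ldaps://<host or IP>:<ldaps port>."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        return [f"scheme '{parts.scheme}' is not ldaps"]
    if parts.port == 389:  # assumption: 389 is the conventional cleartext LDAP port
        return ["ldaps scheme on port 389, the conventional cleartext port"]
    return []

def jdbc_props(url):
    """Split 'jdbc:<driver>:<rest>' into the driver name and its key=value properties."""
    _, driver, rest = url.split(":", 2)
    for sep in ";?&:":
        rest = rest.replace(sep, "\n")
    pairs = (tok.partition("=") for tok in rest.splitlines())
    return driver.lower(), {k.strip().lower(): v.strip().lower() for k, eq, v in pairs if eq}

def check_jdbc(url):
    """Findings for a JDBC URL. Rules cover three drivers chosen for this example."""
    driver, props = jdbc_props(url)
    if driver == "db2":
        return [] if props.get("sslconnection") == "true" else ["sslConnection=true is not set"]
    if driver == "postgresql":
        if props.get("sslmode") in ("verify-ca", "verify-full"):
            return []
        return ["sslmode is not verify-ca or verify-full"]
    if driver == "sqlserver":
        findings = []
        if props.get("encrypt") not in ("true", "strict"):
            findings.append("encrypt is not true or strict")
        if props.get("trustservercertificate") == "true":
            findings.append("trustServerCertificate=true skips certificate validation")
        return findings
    return [f"no TLS rule for driver '{driver}', review manually"]

def audit(sources):
    """Map each data-source name to its findings; an empty list means the URL passed."""
    return {name: check_ldap(url) if url.startswith("ldap") else check_jdbc(url)
            for name, url in sources.items()}

# Constructed sample values: host names, ports and database names are placeholders.
SAMPLE = {
    "Decision Center database": "jdbc:db2://db.example.test:50001/DCDB:sslConnection=true;",
    "Rule Execution Server database": "jdbc:postgresql://db.example.test:5432/resdb?sslmode=require",
    "Decision Warehouse database": "jdbc:sqlserver://db.example.test:1433;databaseName=dw;encrypt=true;trustServerCertificate=true",
    "LDAP directory": "ldap://ldap.example.test:389",
}
```

Calling audit(SAMPLE) returns one list of findings per data source. A URL that passes confirms only what the client requests, so the server-side TLS configuration and certificate trust still need to be verified separately.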

Clients

On the client side of the diagram, you can see the following client applications:
  • Rule Designer is an Eclipse-based development environment that also interacts with the servers to synchronize projects and deploy decision services. This component is included in Operational Decision Manager.
  • Web browsers are used to interact with the Operational Decision Manager web applications:
    • Decision Center Business console
    • Rule Execution Server console

    For supported web browsers, see IBM® Operational Decision Manager compatible software.

  • Command-line or client-side tools that run administrative tasks, such as Ant tasks, scripts, and cURL commands.
  • Client applications that invoke decision services at run time.

Client/server communications

The following table summarizes which Operational Decision Manager component is the client and which is the server in different network communications.

Table 1. Client/server communications
| Client | Server | Task |
|---|---|---|
| Rule Designer | Decision Center | Synchronize rule projects. |
| Rule Designer | Rule Execution Server | Deploy decision services. |
| Decision Center (In this case, Decision Center is the client because it connects to Rule Execution Server for deployment.) | Rule Execution Server | Deploy decision services. |
| Web browser | Decision Center Business console | Author and manage rules. |
| Web browser | Rule Execution Server console | Browse and deploy decision services. |
| Ant tasks | Rule Execution Server management API; Decision Center API | Any administrative tasks |
| Client applications | Decision service API | Invoke decision services. |