Post-installation setup for IBM Match 360

To finish setting up the IBM Match 360 service after installation, complete the mandatory tasks and the appropriate optional tasks.

Mandatory tasks

Give users access to the service

IBM® Software Hub administrators are not granted any access to the IBM Match 360 service by default. To access the service, even administrator users must be added to an appropriate service user group. For example, to create and set up a master data configuration asset, users must belong to the DataEngineer user group. For details, see Adding users to IBM Match 360 on IBM Software Hub.

Required role: To complete this task, you must be an IBM Software Hub administrator.

Set up the service

To get your IBM Match 360 service instance up and running after installation, a data engineer user must create your master data configuration asset. The configuration asset is where you can onboard data sources, map your data into the system, customize your data model, and set up and tune the matching algorithm. For details, see Creating a master data configuration asset.

Required role: To complete this task, you must belong to the IBM Match 360 DataEngineer user group.

Optional tasks

Configure how IBM Match 360 recognizes and prioritizes processing for large sized entities

When the IBM Match 360 matching service encounters records that belong to a very large entity, those records can take longer to process. As a result, matching for records that are involved in large entities can cause heavy resource consumption or longer wait times. To address this concern, the IBM Match 360 matching service can establish a lower-priority queue for records associated with large entities. This separate queue can prevent regular-sized entities from being blocked by large entities that are being processed at the same time.

You can configure how IBM Match 360 recognizes and prioritizes processing for large entities.
  • To configure the size of entity that IBM Match 360 considers to be a large entity, edit the following section of the CR (mdm-cr):
    mdm_matching:
      large_entity_handling:
        maximum_entity_size: 500
        maximum_candidate_size: 2000
    • If an entity contains more records than the number defined as the maximum_entity_size, then it is considered to be a large entity and will be processed by the separate large entity queue. A lower maximum_entity_size value can potentially result in more entities being treated as large entities.
    • If an entity has more potential match candidates than the number defined as the maximum_candidate_size, then it is considered to be a large entity and will be processed accordingly. A lower maximum_candidate_size value can potentially result in more entities being treated as large entities.
  • To configure the number of parallel threads that IBM Match 360 uses to process entities from the large entity queue, edit the following section of the CR (mdm-cr):
    mdm_matching:
      rabbitmq:
        listener:
          large_entity:
            consumer_count: 2
    The consumer_count parameter defines the number of parallel threads for the large entity queue. If you have a lot of potential large entities in the queue, it might be beneficial to increase the consumer_count value to process them faster.
    Important: Increasing the consumer_count value for the large entity queue can negatively impact the performance of regular-sized entity processing.
If you change the configuration of the large entity exchange or queue, it is a good practice to also update the exchange and queue names so that they can get recreated with the new configurations. After the new one is successfully created, you can then manually drop the original version.
  • To change the exchange name, update the name parameter in the following section of the CR (mdm-cr):
    rabbitmq:
      exchange:
        large_entity:
          message_expiry: 8640000
          name: "matching-internal-exchange"
  • To change the queue name, update the queue_name parameter in the following section of the CR (mdm-cr):
    mdm_matching:
      rabbitmq:
        listener:
          large_entity:
            queue_name: "matching-internal-queue-default"
            message_expiry: 8640000

Configure the service to hide data export functionality for reader users

In some scenarios, you might want to control which IBM Match 360 users have the ability to export data. You can configure the master data explorer UI to hide the data export functionality for users who have only a reader role.

To configure the UI to hide the export data capability for reader users:
  1. Run the following command to update the CR (mdm-cr) to hide the Export button:
    oc patch mdm mdm-cr --type=merge -p '{"spec":{"mdm_em_ui":{"features": {"oc_ui_search_export":{"enabled":false}, "export_writer": {"enabled":true}}}}}' -n ${PROJECT_CPD_INST_OPERANDS}
  2. Wait for the IBM Match 360 operator reconciliation to complete. Run the following command to monitor the reconciliation status:
    oc get mdm mdm-cr -n ${PROJECT_CPD_INST_OPERANDS}
  3. If the entity maintenance UI (em-ui) pods do not automatically restart after reconciliation, manually restart them.

Change your deployment to use self-defined credentials instead of generated credentials

By default, the IBM Match 360 installation generates credentials that are used for authenticating the service to IBM WebSphere® Liberty Profile, RabbitMQ, Elasticsearch, and Redis. If you choose, you can define your own credentials to use in place of the generated ones.

Note: Credentials must be at least 8 characters in length and contain at least one lowercase letter, one uppercase letter, and one number. If invalid credentials are provided, the operator logs an error and uses generated credentials instead.

Required role: To complete this task, you must be a cluster administrator.

To provide your own authentication credentials after installing IBM Match 360:
  1. Shut down the IBM Match 360 service instance.
    oc patch mdm mdm-cr -n ${PROJECT_CPD_INST_OPERANDS} -p '{"spec":{"shutdown":"true"}}' --type=merge
  2. Wait for the status to return as shutdown. Check the status using the following command.
    cpd-cli manage get-cr-status \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --components=match360
  3. Delete the existing service authentication secrets.
    MDM_INSTANCE_ID=$(oc get mdm -n ${PROJECT_CPD_INST_OPERANDS} -o json | jq '.items[0].status.instance_id' | tr -d '"')
    oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} mdm-${MDM_INSTANCE_ID}-ibm-rabbitmq-auth-secret mdm-rabbitmq-secret-${MDM_INSTANCE_ID}
    oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} c-mdm-redis-${MDM_INSTANCE_ID}-m c-mdm-redis-${MDM_INSTANCE_ID}-s mdm-redis-secret-${MDM_INSTANCE_ID}
    oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} mdm-elasticsearch-secret-${MDM_INSTANCE_ID} mdm-elasticsearch-auth-secret-${MDM_INSTANCE_ID} mdm-${MDM_INSTANCE_ID}-ibm-elasticsearch-haproxy-config
    oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} mdm-wlp-secret-${MDM_INSTANCE_ID}
  4. Delete the RedisSentinel CR.
    oc delete RedisSentinel -n ${PROJECT_CPD_INST_OPERANDS} mdm-redis-${MDM_INSTANCE_ID}
  5. Check to see if there's an existing secret named mdm-user-defined-auth.
    • If the mdm-user-defined-auth secret exists and you want to define new credentials, edit the Secret to update the credentials.
    • If the mdm-user-defined-auth secret does not exist and you want the system to generate new credentials, go to the next step.
    • If the mdm-user-defined-auth secret does not exist and you want to define new credentials, create a secret containing your chosen credentials named mdm-user-defined-auth. Use the following format:
      secrets:
        user_defined_auth:
          name: mdm-user-defined-auth
          elasticsearch:
            password: elasticsearch.password
          rabbitmq:
            erlang_cookie: rabbitmq.erlang-cookie
            management_password: rabbitmq.management-password
            password: rabbitmq.password
          redis:
            compose_password: redis.compose_password
          wlp:
            keystore_pass: wlp.key.store.password
      Sample Secret template:
      apiVersion: v1
      data:
        elasticsearch.password: [ENCODED_CRED]
        rabbitmq.management-password: [ENCODED_CRED]
        rabbitmq.password: [ENCODED_CRED]
        rabbitmq.erlang-cookie: [ENCODED_CRED]
        redis.compose_password: [ENCODED_CRED]
        wlp.key.store.password: [ENCODED_CRED]
      kind: Secret
      metadata:
        name: mdm-user-defined-auth
        namespace: $MDM_OPERAND_NAMESPACE
      type: Opaque
  6. Restart the service.
    oc patch mdm mdm-cr -n ${PROJECT_CPD_INST_OPERANDS} -p '{"spec":{"shutdown":"false"}}' --type=merge
    When the service restarts, it will use the new credentials.
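Because the operator falls back to generated credentials when a supplied value is invalid, it helps to check values against the stated policy before creating the Secret in step 5. The following is an added example, not IBM's code: the function names valid_cred, known_key and render_secret are hypothetical, and the namespace is passed in as an argument.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-validate credentials against the policy in
# the Note above, then render the mdm-user-defined-auth Secret manifest.

# Data keys copied from the sample Secret template on this page.
MDM_SECRET_KEYS="elasticsearch.password rabbitmq.management-password
rabbitmq.password rabbitmq.erlang-cookie redis.compose_password
wlp.key.store.password"

# Succeeds only if $1 has 8+ characters, a lowercase letter, an uppercase
# letter and a digit. POSIX classes avoid locale surprises with [a-z].
valid_cred() {
  [ "${#1}" -ge 8 ] || return 1
  case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
}

# Succeeds if $1 is one of the template's data keys (catches typos).
known_key() {
  for k in $MDM_SECRET_KEYS; do
    [ "$k" = "$1" ] && return 0
  done
  return 1
}

# Usage: render_secret NAMESPACE key=value [key=value ...]
# Validates everything first, so a rejected input yields no partial manifest.
render_secret() {
  ns=$1; shift
  for pair in "$@"; do
    known_key "${pair%%=*}" || { echo "unknown key: ${pair%%=*}" >&2; return 1; }
    valid_cred "${pair#*=}" || { echo "policy violation: ${pair%%=*}" >&2; return 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n'
  printf '  name: mdm-user-defined-auth\n  namespace: %s\ndata:\n' "$ns"
  for pair in "$@"; do
    # printf '%s' (not echo) keeps a trailing newline out of the encoded value.
    printf '  %s: %s\n' "${pair%%=*}" \
      "$(printf '%s' "${pair#*=}" | base64 | tr -d '\n')"
  done
}
```

The rendered manifest can be piped to `oc apply -f -` in step 5. Pass values from variables filled by a no-echo prompt rather than typed literals, so the credentials stay out of shell history.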

Tune and customize the IBM Match 360 deployment

IBM Match 360 provides several configuration options in the custom resource (CR) spec to enable you to adjust your IBM Match 360 deployment. For details and information about the parameters in the CR, see Modifying the CR to customize your IBM Match 360 installation.

To edit the value of a single property in the IBM Match 360 CR (mdm-cr) spec, use the oc patch command.
oc patch mdm mdm-cr --namespace ${PROJECT_CPD_INST_OPERANDS} -p '{"spec":{"<SPEC-FIELD-NAME>":"<VALUE>"}}' --type=merge
To edit the values of multiple properties in the IBM Match 360 CR spec, use the oc edit command.
oc edit mdm mdm-cr --namespace ${PROJECT_CPD_INST_OPERANDS}

Required role: To complete this task, you must be a cluster administrator.

Administration tasks

After the IBM Match 360 service is set up, you can administer the service and the platform. For more information, see Administering IBM Match 360 and Administering IBM Software Hub.