IBM Support

Enabling Decision Server Insights Grid Security

Question & Answer


Question

How to enable Decision Server Insights Grid Security?

Answer

  1. Create an xs-server.properties file

    This step applies to the both the "cisCatalog" and "cisContainer" servers.
    1. Create xs-server.properties in the server config directory with the following contents:

      securityEnabled=true
      secureTokenManagerType=autoSecret
      authenticationSecret=OurGridServersExampleSecret
      transportType=TCP/IP
      credentialAuthentication=Required

      For example if the server config dir is C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog then you would create C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog\xs-server.properties.

      This file should exist in each catalog and container server directory.
    2. Update the <xsServer> element of the server's server.xml to reference the xs-server.properties file

      Add "serverProps" element to the xsServer referencing xs-server.properties:
      <xsServer ... serverProps="xs-server.properties" ... />

      For example:
      <xsServer catalogServer="false" listenerPort="${xs.port}" serverName="${ia.host}-${wlp.server.name}" transport="XIO" serverProps="xs-server.properties"/>
  2. Create an xs-security.xml file

    This step applies to the "cisCatalog" server only.
    1. Create xs-security.xml in the cisCatalog server directory with the following contents:

      <?xml version="1.0" encoding="UTF-8"?>
      <securityConfig xmlns:xsi=
      "www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd" xmlns="ibm.com/ws/objectgrid/config/security">
         <security securityEnabled="true">
             <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
         </security>
      </securityConfig>


      For example if the cisCatalog dir is C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog then you would create C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog\xs-security.xml
    2. Update the <xsServer> element of the server's server.xml to reference the xs-security.xml file

      <xsServer ... clusterSecurityURL="file://${server.config.dir}/xs-security.xml" ... />

      For example:
      <xsServer catalogServer="true" listenerPort="${xs.port}" serverName="${ia.host}-${wlp.server.name}" transport="XIO" serverProps="xs-server.properties" clusterSecurityURL="file://${server.config.dir}/xs-security.xml"/>
  3. Define the XS KeyStoreLoginModule

    This step applies to the both the "cisCatalog" and "cisContainer" servers.

    They KeyStoreLoginAuthenticator defined in the xs-security.xml from step 2 relies on a KeyStoreLogin JAAS configuration. The KeyStoreLogin JAAS configuration must be defined in the server.xml of both cisCatalog and cisContainer servers. Copy the XML below and paste anywhere inside the server's server.xml <server> element, such as beneath the <xsServer> element.

    <library id="xslib">
       <fileset dir="${wlp.install.dir}/lib" includes="com.ibm.ws.xs.server_1.1.jar"/>
    </library>
    <jaasLoginModule id="xsKeyStoreLoginModule" className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule" controlFlag="REQUIRED" libraryRef="xslib">
       <options keyStoreFile="${server.config.dir}/resources/security/cis-key.jks" debug="true"/>
    </jaasLoginModule>
    <jaasLoginContextEntry id="KeyStoreLogin" name="KeyStoreLogin" loginModuleRef="xsKeyStoreLoginModule"/>
  4. Create the keystore

    This step applies to the both the "cisCatalog" and "cisContainer" servers.
    1. Use the keytool command to create the keystore
      Use the JRE keytool command to create a keystore. Here is an example keystore command which creates a keystore containing a key whose alias and password are both "tester", which is the same username and password that used for quick start security, suitable for testing purposes only:
      keytool -genkey -alias tester -keypass tester -keyalg RSA -dname CN=tester,O=ibm,C=us -storepass tester -keystore C:\tmp\cis-key.jks
    2. Copy the keystore into the cisCatalog and cisContainer servers' "resources/security" directory.
      Copy the keystore to ${server.config.dir}/resources/security/cis-key.jks. Create the resources/security directory if needed, though it will already exist and contain the default server keystore "key.jks" if the server has ever been started. Note that "${server.config.dir}" refers to the server directory, for example C:\IBM\ODMCI86\runtime\wlp\usr\servers\cisCatalog.
  5. Add the keystore username and password to the cisContainer server.xml

    This step applies to the "cisContainer" server only

    Create a <ia_gateway> configuration element inside the <server> element. In this element define the following three attributes:
    securityEnabled="true"
    username="<your-keystore-alias>"
    password="<your-keystore-alias-password>"

    For example:
    <ia_gateway securityEnabled="true" username="tester" password="tester"/>

    The password can be encoded using XOR or encrypted using AES using the securityUtil tool, or the WDT server.xml editor.
  6. Add the keystore username and password to the cisInbound and cisOutbound server.xml

    This step applies to the "cisInbound" and "cisOutbound" servers only

    Add the user and password to the <ia_connectivity> configuration element:
    user="<your-keystore-alias>"
    password="<your-keystore-alias-password>"


    For example:
    <ia_connectivity catalogServerEndpoint="${ia.bootstrapEndpoints}" user="tester" password="tester"/>

    The password can be encoded using XOR or encrypted using AES using the securityUtil tool, or the WDT server.xml editor.
  7. Add gridSecurityEnabled=true to testdriver.properties

    This step applies to the TestDriver client only

    Add these lines to testdriver.properties:
    gridSecurityEnabled=true
    gridUsername=<your-grid-username> (i.e. tester)
    gridPassword=<your-grid-password> (i.e. Tester)

[{"Product":{"code":"SS4QMG","label":"IBM Decision Server Advanced"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.7","Edition":""}]

Document Information

Modified date:
15 June 2018

UID

swg21694405