Wednesday, 21 September 2016

How can IBM Business Process Manager capabilities be exposed in an internet facing deployment?

This IBM Technote: -


has the latest ( as of August 2016 ) position on the oft vexing question about using IBM BPM for internet-facing solutions: -

<snip>
Question

How can IBM Business Process Manager capabilities be exposed in an internet facing deployment?

Cause

Introduction
IBM Business Process Manager is a powerful process development platform - designed to allow business analysts to model process flows and user interface elements in a single package. In order to achieve this goal, there must be compromises for example in functional scope and programming model:

• While most business analysts will be happy not to have to deal with all complexities of software development, programmers will likely observe a lack of control in certain areas.
• Similarly, creating coaches by dragging and dropping reusable components from a palette on a canvas is great, but does not provide the level of control that is required for pixel perfect user interfaces.
While the simplified programming model allows you to build applications with reasonable security, it is not on the same level as a lower level application development environment which for example gives you full control over HTTP requests. Also, the simplified programming model allows you to take shortcuts to build functional, but less secure applications.
</snip>

Please review the Technote for the full IBM position ...

Tuesday, 20 September 2016

IBM HTTP Server - Securing Cookies

The question of secured cookies has arisen recently, where a security penetration test identified a potential risk of cookies being exposed in the clear.

Specifically, this relates to cookies that pass through the IBM HTTP Server web server.

Whilst one would expect the application tier ( in our case, WebSphere Application Server ) to secure cookies, such as the JSESSIONID cookie: -

<snip>
An even more dangerous yet subtle problem with using the HTTP session for security is that the session cookie (JSESSIONID) is usually created before a user authenticates -- typically when they first access the site. At this point, the cookie is often sent in the clear over HTTP. Once the user authenticates, most applications will switch to HTTPS for all future traffic (protecting cookies and content) -- but the JSESSIONID cookie could already have been stolen because an attacker could have captured the cookie when it was initially sent over HTTP. In addition to the obvious point of not using the HTTP session for security, the risk of stealing an HTTP session can be reduced by enabling session security and restricting the LTPA cookie to HTTPS, as discussed earlier.

In addition, cookies created by your applications should be Secure (restricted to HTTPS), and all cookies should be marked HTTPOnly, with a possible exception (which needs to be documented, and signed off in a design review) where an application explicitly requires it to function because of client side JavaScript needing access to the cookie.
</snip>


However, as a potential mitigation, it's also possible to instruct the web tier to secure cookies, just in case the application developer ( or WAS administrator ) neglects to do so.

This was my source: -


I'm using IBM HTTP Server 8.5.5.10, which is based upon Apache 2.2

/opt/IBM/HTTPServer/bin/apachectl -V

<snip>
Server version: IBM_HTTP_Server/8.5.5.10 (Unix)
Apache version: 2.2.8 (with additional fixes)

</snip>

By inspecting the HTTP headers in the response from IHS to my browser ( Firefox using the built-in Web Developer tools ), I was able to see that the HttpOnly and Secure flags were NOT set by default: -

HTTP/1.1 304 Not Modified
Date: Tue, 20 Sep 2016 07:47:34 GMT
Connection: Keep-Alive
Keep-Alive: timeout=10, max=97
Etag: "df-5360a4cf12c00"

It was necessary to load the mod_headers module in the IHS httpd.conf and then enforce secure cookies: -

LoadModule headers_module modules/mod_headers.so
Header set Set-Cookie HttpOnly;Secure


Once I restarted IHS, and rechecked the response, I could see the additional Set-Cookie header: -

HTTP/1.1 304 Not Modified
Date: Tue, 20 Sep 2016 07:41:30 GMT
Connection: Keep-Alive
Keep-Alive: timeout=10, max=99
Etag: "4a0-5360a4cf12c00"
Set-Cookie: HttpOnly;Secure


The job, as they say, is a good 'un
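
Added example, not part of the original post: a small Python check that parses Set-Cookie response headers and reports, per cookie, whether Secure and HttpOnly are present. It also flags a header such as Set-Cookie: HttpOnly;Secure, which carries no name=value pair and so does not change the attributes of cookies such as JSESSIONID; the sample responses and function names are constructed for illustration.

```python
"""Report Set-Cookie headers that lack the Secure or HttpOnly attribute."""

# Constructed sample (not captured from a real server): an application cookie
# followed by an attribute-only header of the kind shown in the post.
RESPONSE_BARE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000constructed:-1; Path=/\r\n"
    "Set-Cookie: HttpOnly;Secure\r\n"
    "\r\n"
)

# Constructed sample: the same cookie after a per-cookie rewrite at the web
# tier, for example with the mod_headers edit action:
#   Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
RESPONSE_EDITED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=0000constructed:-1; Path=/;HttpOnly;Secure\r\n"
    "\r\n"
)

NO_NAME = "no name=value pair; attributes apply to no cookie"


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    first = parts[0]
    if "=" in first:
        name, _, cookie_value = first.partition("=")
        name = name.strip()
    else:
        # The first token is not name=value, so the header names no cookie.
        name, cookie_value = None, first
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, cookie_value, attrs


def audit_response(raw):
    """Return a list of (cookie_name, problem) for one raw HTTP response."""
    findings = []
    header_block = raw.split("\r\n\r\n", 1)[0]
    # Skip the status line, then look only at Set-Cookie fields.
    for line in header_block.split("\r\n")[1:]:
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value.strip())
        if not name:
            findings.append(("<no name>", NO_NAME))
            continue
        missing = [a for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if missing:
            findings.append((name, "missing " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for label, raw in (("bare", RESPONSE_BARE), ("edited", RESPONSE_EDITED)):
        print(label, audit_response(raw) or "all cookies carry Secure and HttpOnly")
```

Run it against headers captured from a request that actually receives a cookie (a 304 for a static file normally carries none), so the result reflects the application's cookies.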


Thursday, 15 September 2016

IBM Operational Decision Manager - Running Decision Center on WebSphere Liberty Profile on Windows

This is yet another Work-In-Progress, and reflects my current obsession with WebSphere Liberty Profile: -


So today's challenge ( well, it was yesterday but that's not important right now ) was to coach a colleague to build out an IBM ODM Decision Center environment on Windows.

This is for a local development / test environment, rather than anything more "serious".

Thus I decided to see whether I could use WebSphere Liberty Profile and, whilst I was at it, use Apache Derby as a database, instead of my usual favourite, DB2.

The answer is …. "YES I CAN"

I downloaded Liberty from here: -


and Derby from here: -


having previously installed ODM Advanced 8.7: -

"c:\IBM\Installation Manager\eclipse\tools\imcl.exe" listInstalledPackages

com.ibm.cic.agent_1.8.5000.20160506_1125
com.ibm.websphere.odm.dc.v87_8.7.0.20141114_0935


using an IBM Installation Manager response file: -

installODM4WLP.rsp

<?xml version='1.0' encoding='UTF-8'?>
<agent-input>
  <server>
    <repository location='C:\temp\odm87\DEC_CENTER_WIN_32_64_BITS_V8.7_ML\DC' 
temporary='true'/>
  </server>
  <profile id='Operational Decision Manager V8.7' installLocation='C:\Program Files\IBM\ODM87'>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='user.lic.dc' value='full'/>
  </profile>
  <install>
    <!-- Decision Center 8.7.0.0 -->
    <offering profile='Operational Decision Manager V8.7' id='com.ibm.websphere.odm.dc.v87' version='8.7.0.20141114_0935' features='jdk,base,Rule Solutions for Office,com.ibm.wdc.rules.samples.feature,Documentation,com.ibm.wbdm.dts.wlp.feature'/>
  </install>
  <preference name='com.ibm.cic.common.core.preferences.eclipseCache' value='c:\IBM\IBMIMShared'/>
</agent-input>

having previously installed IBM Installation Manager 1.8.5 : -

installIIM185Win.rsp

<?xml version='1.0' encoding='UTF-8'?>
<agent-input>
  <server>
    <repository location='c:\temp\iim\' temporary='true'/>
  </server>
  <profile id='IBM Installation Manager' installLocation='C:\IBM\Installation Manager\eclipse' kind='self'>
    <data key='eclipseLocation' value='C:\IBM\Installation Manager\eclipse'/>
    <data key='user.import.profile' value='false'/>
    <data key='cic.selector.nl' value='de,no,fi,ru,hr,fr,hu,sk,sl,sv,ko,el,en,pt_BR,it,iw,zh,es,cs,ar,zh_HK,zh_TW,th,ja,pl,da,tr,nl'/>
    <data key='cic.selector.os' value='win32'/>
    <data key='cic.selector.arch' value='x86_64'/>
    <data key='cic.selector.ws' value='win32'/>
  </profile>
  <install modify='false'>
    <offering profile='IBM Installation Manager' id='com.ibm.cic.agent' version='1.8.5000.20160506_1125' features='agent_core,agent_jre' installFixes='none'/>
  </install>
  <preference name='com.ibm.cic.common.core.preferences.connectTimeout' value='30'/>
  <preference name='com.ibm.cic.common.core.preferences.readTimeout' value='45'/>
  <preference name='com.ibm.cic.common.core.preferences.downloadAutoRetryCount' value='0'/>
  <preference name='offering.service.repositories.areUsed' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.ssl.nonsecureMode' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.http.disablePreemptiveAuthentication' value='false'/>
  <preference name='http.ntlm.auth.kind' value='NTLM'/>
  <preference name='http.ntlm.auth.enableIntegrated.win32' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.preserveDownloadedArtifacts' value='true'/>
  <preference name='com.ibm.cic.common.core.preferences.keepFetchedFiles' value='false'/>
  <preference name='PassportAdvantageIsEnabled' value='false'/>
  <preference name='com.ibm.cic.common.core.preferences.searchForUpdates' value='false'/>
  <preference name='com.ibm.cic.agent.ui.displayInternalVersion' value='false'/>
  <preference name='com.ibm.cic.common.sharedUI.showErrorLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showWarningLog' value='true'/>
  <preference name='com.ibm.cic.common.sharedUI.showNoteLog' value='true'/>
</agent-input>


Note that I specifically used the element of Decision Center that's built for WebSphere Liberty Profile, rather than the more widely used set of binaries for WebSphere Application Server Full Profile.

Specifically, I took two WAR files: -

14/09/2016  16:10        97,006,199 decisioncenter.war
14/09/2016  16:10       101,334,161 teamserver.war


and, having unpacked Liberty onto my Windows desktop - C:\Users\Administrator\Desktop - I copied the DC WAR files into the apps folder of the defaultServer instance - C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\apps.

I re-used the server.xml from the ODM on Liberty on Docker lab, edited for Decision Center only: -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

<!-- Enable features -->
<featureManager>
<feature>servlet-3.1</feature>
<feature>jsp-2.3</feature>
<feature>jdbc-4.1</feature>
<feature>appSecurity-2.0</feature>
<feature>jaxrs-1.1</feature>
<feature>concurrent-1.0</feature>
<feature>jndi-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>

<httpSession cookieName="DCSESSIONID"
invalidateOnUnauthorizedSessionRequestException="true" />

<!-- To access this server from a remote client add a host attribute to 
the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080"
httpsPort="9443" />

<jdbcDriver id="DerbyEmbedded" libraryRef="DerbyLib" />
<library id="DerbyLib" filesetRef="DerbyFileset" />
<fileset id="DerbyFileset" dir="${shared.resource.dir}/derby"
includes="derby.jar" />

<!-- RTS data source -->
<dataSource id="derbyEmbedded" isolationLevel="TRANSACTION_READ_COMMITTED"
jndiName="jdbc/ilogDataSource" jdbcDriverRef="DerbyEmbedded">
<properties.derby.embedded databaseName="${shared.resource.dir}/data/rtsdb"
createDatabase="create" user="rtsdbUser" password="rtsdbUser" />
</dataSource>

<webContainer deferServletLoad="false"
enableDefaultIsElIgnoredInTag="true" enableJspMappingOverride="true" />

<!-- Web application security -->
<basicRegistry id="basic" realm="customRealm">

<!-- RTS users and groups -->
<user name="rtsAdmin" password="rtsAdmin" />
<user name="rtsConfig" password="rtsConfig" />
<user name="rtsUser1" password="rtsUser1" />
<user name="Eli" password="Eli" />
<user name="Val" password="Val" />
<group name="rtsAdministrator">
<member name="rtsAdmin" />
</group>
<group name="rtsInstaller">
<member name="rtsAdmin" />
</group>
<group name="rtsConfigManager">
<member name="rtsConfig" />
</group>
<group name="rtsUser">
<member name="rtsUser1" />
<member name="Eli" />
<member name="Val" />
</group>
<group name="Validator">
<member name="Val" />
</group>
<group name="Eligibility">
<member name="Eli" />
<member name="Val" />
</group>
</basicRegistry>

<!-- Decision Center -->
<application type="war" id="decisioncenter" name="decisioncenter"
location="${server.config.dir}/apps/decisioncenter.war">
<application-bnd>
<security-role name="rtsAdministrator">
<group name="rtsAdministrator" />
</security-role>
<security-role name="rtsInstaller">
<group name="rtsInstaller" />
</security-role>
<security-role name="rtsConfigManager">
<group name="rtsConfigManager" />
</security-role>
<security-role name="rtsUser">
<group name="rtsUser" />
</security-role>
<security-role name="Eligibility">
<group name="Eligibility" />
</security-role>
<security-role name="Validator">
<group name="Validator" />
</security-role>
</application-bnd>
</application>

<!-- Team Server -->
<application type="war" id="teamserver" name="teamserver"
location="${server.config.dir}/apps/teamserver.war">
<application-bnd>
<security-role name="rtsAdministrator">
<group name="rtsAdministrator" />
</security-role>
<security-role name="rtsInstaller">
<group name="rtsInstaller" />
</security-role>
<security-role name="rtsConfigManager">
<group name="rtsConfigManager" />
</security-role>
<security-role name="rtsUser">
<group name="rtsUser" />
</security-role>
<security-role name="Eligibility">
<group name="Eligibility" />
</security-role>
<security-role name="Validator">
<group name="Validator" />
</security-role>
</application-bnd>
</application>

<!-- Business console -->
<application type="war" id="decisioncenter" name="decisioncenter"
location="${server.config.dir}/apps/decisioncenter.war">
<classloader delegation="parentLast" />
...
</application>

<!-- Enterprise console -->
<application type="war" id="teamserver" name="teamserver"
location="${server.config.dir}/apps/teamserver.war">
<classloader delegation="parentLast" />
...
</application>

</server>

I then started the default server instance: -

c:\Users\Administrator\Desktop\wlp\bin\server start

Starting server defaultServer.
Server defaultServer started.


checked the logs: -

C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\logs\console.log

Launching defaultServer (WebSphere Application Server 16.0.0.2/wlp-1.0.13.cl160220160526-2258) on Java HotSpot(TM) Client VM, version 1.8.0_91-b15 (en_GB)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/16.0.0.2/lafiles/en.html
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  concurrent-1.0 feature.  Try running the command, bin/installUtility install concurrent-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install defaultServer,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  jaxrs-1.1 feature.  Try running the command, bin/installUtility install jaxrs-1.1,  to install the feature. Alternatively, you can run the command, bin/installUtility install defaultServer,  to install all features that are referenced by this configuration.
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://w2k8.uk.ibm.com:9080/teamserver/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://w2k8.uk.ibm.com:9080/decisioncenter/
[WARNING ] Locale name in faces-config.xml null or empty, setting locale to default locale : en_GB
[AUDIT   ] CWWKZ0001I: Application teamserver started in 29.162 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, servlet-3.1, ssl-1.0, jndi-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[WARNING ] [dc] Solr index directory 'c:\temp\solr.data3444738204048276327.dir\index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0022W: Application decisioncenter has not started in 30.150 seconds.
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 33.371 seconds.
[WARNING ] The database does not contain a project. Import a project or contact your administrator.


C:\Users\Administrator\Desktop\wlp\usr\servers\defaultServer\logs\messages.log

********************************************************************************
product = WebSphere Application Server 16.0.0.2 (wlp-1.0.13.cl160220160526-2258)
wlp.install.dir = C:/Users/Administrator/Desktop/wlp/
java.home = C:\Program Files (x86)\Java\jre1.8.0_91
java.version = 1.8.0_91
java.runtime = Java(TM) SE Runtime Environment (1.8.0_91-b15)
os = Windows Server 2008 R2 (6.1; x86) (en_GB)
process = 2832@w2k8
...
[15/09/16 14:29:41:998 BST] 00000020 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [dispatcher]: Initialization successful.
[15/09/16 14:29:42:050 BST] 00000020 com.ibm.ws.app.manager.AppMessageHelper                      A CWWKZ0001I: Application decisioncenter started in 33.371 seconds.
[15/09/16 14:30:27:852 BST] 00000024 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [/login.jsp]: Initialization successful.
[15/09/16 14:31:12:299 BST] 00000034 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [/index.jsp]: Initialization successful.
[15/09/16 14:31:42:097 BST] 0000004f com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [/WEB-INF/views/login.jsp]: Initialization successful.
[15/09/16 14:31:52:506 BST] 00000024 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [teamserver] [/teamserver] [ConnectServlet]: Initialization successful.
[15/09/16 14:31:53:001 BST] 00000038 com.ibm.ws.recoverylog.spi.RecoveryDirectorImpl              I CWRLS0010I: Performing recovery processing for local WebSphere server (defaultServer).
[15/09/16 14:31:53:044 BST] 00000038 com.ibm.ws.recoverylog.spi.RecoveryDirectorImpl              I CWRLS0012I: All persistent services have been directed to perform recovery processing for this WebSphere server (defaultServer).
[15/09/16 14:31:53:067 BST] 00000038 com.ibm.ws.jca.cm.ConnectorService                           I J2CA8050I: An authentication alias should be used instead of defining a user name and password on dataSource[derbyEmbedded].
[15/09/16 14:31:53:168 BST] 00000052 com.ibm.tx.jta.impl.RecoveryManager                          I WTRN0135I: Transaction service recovering no transactions.
[15/09/16 14:31:54:386 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8203I: Database product name : Apache Derby
[15/09/16 14:31:54:390 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8204I: Database product version : 10.12.1.1 - (1704137)
[15/09/16 14:31:54:391 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8205I: JDBC driver name  : Apache Derby Embedded JDBC Driver
[15/09/16 14:31:54:391 BST] 00000038 com.ibm.ws.rsadapter.spi.InternalGenericDataStoreHelper      I DSRA8206I: JDBC driver version  : 10.12.1.1 - (1704137)
[15/09/16 14:31:56:314 BST] 00000038 org.springframework.web.method.HandlerMethod                 W The database does not contain a project. Import a project or contact your administrator.
[15/09/16 14:31:56:441 BST] 00000038 com.ibm.ws.webcontainer.servlet                              I SRVE0242I: [decisioncenter] [/decisioncenter] [/WEB-INF/views/error.jsp]: Initialization successful.


and confirmed that I could log into Team Server and: -


and Decision Center: -

Now off to author some rules in Rule Designer and connect to Decision Center …..
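
Added example, not part of the original post: messages.log above reports J2CA8050I for the inline user name and password on dataSource[derbyEmbedded], and the Python check below looks for that and three related settings in a Liberty server.xml before the file is reused outside a local development / test environment. The embedded sample is a constructed, cut-down version of the server.xml shown above, the {xor}CONSTRUCTED value is a placeholder, and the function names are illustrative.

```python
"""Flag development-only settings in a WebSphere Liberty server.xml."""
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the server.xml in the post.
SAMPLE_SERVER_XML = """<server description="new server">
  <httpSession cookieName="DCSESSIONID"
      invalidateOnUnauthorizedSessionRequestException="true" />
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080"
      httpsPort="9443" />
  <dataSource id="derbyEmbedded" jndiName="jdbc/ilogDataSource"
      jdbcDriverRef="DerbyEmbedded">
    <properties.derby.embedded databaseName="${shared.resource.dir}/data/rtsdb"
        createDatabase="create" user="rtsdbUser" password="rtsdbUser" />
  </dataSource>
  <basicRegistry id="basic" realm="customRealm">
    <user name="rtsAdmin" password="rtsAdmin" />
    <user name="rtsConfig" password="{xor}CONSTRUCTED" />
  </basicRegistry>
</server>
"""

# Prefixes Liberty uses for passwords produced by "securityUtility encode".
ENCODED_PREFIXES = ("{xor}", "{aes}", "{hash}")
INLINE_DS = "inline user/password; use an authentication alias (J2CA8050I)"


def is_encoded(password):
    """True when the value carries one of Liberty's encoding prefixes."""
    return password.lower().startswith(ENCODED_PREFIXES)


def audit_server_xml(xml_text):
    """Return a list of (element, id, problem) tuples for one server.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    # Users in the basic registry with clear-text or guessable passwords.
    for registry in root.iter("basicRegistry"):
        for user in registry.findall("user"):
            name, password = user.get("name", ""), user.get("password", "")
            if not is_encoded(password):
                detail = ("password equals user name" if password == name
                          else "plaintext password")
                findings.append(("basicRegistry", name, detail))

    # Data sources carrying credentials on their properties element.
    for ds in root.iter("dataSource"):
        for child in ds:
            if child.tag.startswith("properties") and child.get("password") is not None:
                findings.append(("dataSource", ds.get("id", "?"), INLINE_DS))

    # Endpoints bound to every interface.
    for endpoint in root.iter("httpEndpoint"):
        if endpoint.get("host") == "*":
            findings.append(("httpEndpoint", endpoint.get("id", "?"),
                             "listens on all interfaces"))

    # Session cookie not restricted to HTTPS (cookieSecure defaults to false).
    for session in root.iter("httpSession"):
        if session.get("cookieSecure", "false").lower() != "true":
            findings.append(("httpSession", session.get("cookieName", "JSESSIONID"),
                             "cookieSecure not enabled"))
    return findings


if __name__ == "__main__":
    for element, ident, problem in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{element:14} {ident:20} {problem}")
```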

Wednesday, 7 September 2016

IBM Operational Decision Manager - Running it on WebSphere Liberty Profile on Docker - And finally

Following my earlier two posts: -


I've now added the Decision Service WAR to the Liberty build, allowing me to test my Rule Services via SOAP and REST, providing the Hosted Transformation Decision Service (HTDS) capability.

This is what I now have in server.xml : -

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">

<!-- Enable features -->
<featureManager>
<feature>servlet-3.1</feature>
<feature>jsp-2.3</feature>
<feature>jdbc-4.1</feature>
<feature>appSecurity-2.0</feature>
<feature>jaxrs-1.1</feature>
<feature>concurrent-1.0</feature>
<feature>jndi-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>

<httpSession cookieName="DCSESSIONID"
invalidateOnUnauthorizedSessionRequestException="true" />

<!-- To access this server from a remote client add a host attribute to 
the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080"
httpsPort="9443" />

<jdbcDriver id="DerbyEmbedded" libraryRef="DerbyLib" />
<library id="DerbyLib" filesetRef="DerbyFileset" />
<fileset id="DerbyFileset" dir="${shared.resource.dir}/derby"
includes="derby.jar" />
<!-- RES data source -->
<dataSource id="jdbc/resdatasource" jndiName="jdbc/resdatasource"
jdbcDriverRef="DerbyEmbedded">
<properties databaseName="${shared.resource.dir}/data/resdb"
createDatabase="create" user="resdbUser" password="resdbUser" />
</dataSource>
<!-- RTS data source -->
<dataSource id="derbyEmbedded" isolationLevel="TRANSACTION_READ_COMMITTED"
jndiName="jdbc/ilogDataSource" jdbcDriverRef="DerbyEmbedded">
<properties.derby.embedded databaseName="${shared.resource.dir}/data/rtsdb"
createDatabase="create" user="rtsdbUser" password="rtsdbUser" />
</dataSource>

<!-- Managed executor service for Decision Runner -->
<managedExecutorService jndiName="concurrent/drExecutorService" />

<webContainer deferServletLoad="false"
enableDefaultIsElIgnoredInTag="true" enableJspMappingOverride="true" />

<!-- Web application security -->
<basicRegistry id="basic" realm="customRealm">
<!-- RES users and groups -->
<user name="resAdmin" password="resAdmin" />
<user name="resDeploy" password="resDeploy" />
<user name="resMonitor" password="resMonitor" />
<group name="resAdministrators">
<member name="resAdmin" />
</group>
<group name="resDeployers">
<member name="resAdmin" />
<member name="resDeploy" />
</group>
<group name="resMonitors">
<member name="resAdmin" />
<member name="resDeploy" />
<member name="resMonitor" />
</group>

<!-- RTS users and groups -->
<user name="rtsAdmin" password="rtsAdmin" />
<user name="rtsConfig" password="rtsConfig" />
<user name="rtsUser1" password="rtsUser1" />
<user name="Eli" password="Eli" />
<user name="Val" password="Val" />
<group name="rtsAdministrator">
<member name="rtsAdmin" />
</group>
<group name="rtsInstaller">
<member name="rtsAdmin" />
</group>
<group name="rtsConfigManager">
<member name="rtsConfig" />
</group>
<group name="rtsUser">
<member name="rtsUser1" />
<member name="Eli" />
<member name="Val" />
</group>
<group name="Validator">
<member name="Val" />
</group>
<group name="Eligibility">
<member name="Eli" />
<member name="Val" />
</group>
</basicRegistry>

<!-- RES console -->
<application type="war" id="res" name="res"
location="${server.config.dir}/apps/res.war">
<application-bnd>
<security-role name="resAdministrators">
<group name="resAdministrators" />
</security-role>
<security-role name="resDeployers">
<group name="resDeployers" />
</security-role>
<security-role name="resMonitors">
<group name="resMonitors" />
</security-role>
</application-bnd>
</application>

<!-- Decision Center -->
<application type="war" id="decisioncenter" name="decisioncenter"
location="${server.config.dir}/apps/decisioncenter.war">
<application-bnd>
<security-role name="rtsAdministrator">
<group name="rtsAdministrator" />
</security-role>
<security-role name="rtsInstaller">
<group name="rtsInstaller" />
</security-role>
<security-role name="rtsConfigManager">
<group name="rtsConfigManager" />
</security-role>
<security-role name="rtsUser">
<group name="rtsUser" />
</security-role>
<security-role name="Eligibility">
<group name="Eligibility" />
</security-role>
<security-role name="Validator">
<group name="Validator" />
</security-role>
</application-bnd>
</application>

<!-- Team Server -->
<application type="war" id="teamserver" name="teamserver"
location="${server.config.dir}/apps/teamserver.war">
<application-bnd>
<security-role name="rtsAdministrator">
<group name="rtsAdministrator" />
</security-role>
<security-role name="rtsInstaller">
<group name="rtsInstaller" />
</security-role>
<security-role name="rtsConfigManager">
<group name="rtsConfigManager" />
</security-role>
<security-role name="rtsUser">
<group name="rtsUser" />
</security-role>
<security-role name="Eligibility">
<group name="Eligibility" />
</security-role>
<security-role name="Validator">
<group name="Validator" />
</security-role>
</application-bnd>
</application>

<!-- SSP -->
<application type="war" id="testing" name="testing"
location="${server.config.dir}/apps/testing.war">
<application-bnd>
<security-role name="resAdministrators">
<group name="resAdministrators" />
</security-role>
<security-role name="resDeployers">
<group name="resDeployers" />
</security-role>
</application-bnd>
</application>

<!-- Decision Runner -->
<application type="war" id="DecisionRunner" name="DecisionRunner"
location="${server.config.dir}/apps/DecisionRunner.war">
<application-bnd>
<security-role name="resAdministrators">
<group name="resAdministrators" />
</security-role>
<security-role name="resDeployers">
<group name="resDeployers" />
</security-role>
</application-bnd>
</application>

<!-- Business console -->
<application type="war" id="decisioncenter" name="decisioncenter"
location="${server.config.dir}/apps/decisioncenter.war">
<classloader delegation="parentLast" />
...
</application>

<!-- Enterprise console -->
<application type="war" id="teamserver" name="teamserver"
location="${server.config.dir}/apps/teamserver.war">
<classloader delegation="parentLast" />
...
</application>

<!-- HTDS -->
<application type="war" id="DecisionService" name="DecisionService"
location="${server.config.dir}/apps/DecisionService.war">
</application>


</server>



and the logs confirm that Decision Service is now running: -

Launching defaultServer (WebSphere Application Server 8.5.5.9/wlp-1.0.12.cl50920160227-1523) on IBM J9 VM, version pxa6480sr3-20160428_01 (SR3) (en_US)
[AUDIT   ] CWWKE0001I: The server defaultServer has been launched.
[AUDIT   ] CWWKE0100I: This product is licensed for development, and limited production use. The full license terms can be viewed here: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/license/base_ilan/ilan/8.5.5.9/lafiles/en.html
[AUDIT   ] CWWKG0093A: Processing configuration drop-ins resource: /opt/ibm/wlp/usr/servers/defaultServer/configDropins/defaults/keystore.xml
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[AUDIT   ] CWWKS4104A: LTPA keys created in 1.779 seconds. LTPA key file: /opt/ibm/wlp/output/defaultServer/resources/security/ltpa.keys
[AUDIT   ] CWPKI0803A: SSL certificate created in 5.991 seconds. SSL key file: /opt/ibm/wlp/output/defaultServer/resources/security/key.jks
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/testing/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/res/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/DecisionService/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/DecisionRunner/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/teamserver/
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://cf93bfdacb28:9080/decisioncenter/
[AUDIT   ] CWWKZ0001I: Application DecisionService started in 18.475 seconds.
[AUDIT   ] CWWKZ0001I: Application testing started in 18.593 seconds.
[AUDIT   ] CWWKZ0001I: Application DecisionRunner started in 19.447 seconds.
[AUDIT   ] CWWKZ0001I: Application res started in 19.868 seconds.
[AUDIT   ] CWWKZ0001I: Application teamserver started in 20.632 seconds.
[WARNING ] [dc] Solr index directory '/tmp/solr.data4281916500924696159.dir/index' doesn't exist. Creating new index...
[AUDIT   ] CWWKZ0022W: Application decisioncenter has not started in 30.007 seconds.
[AUDIT   ] CWWKF0012I: The server installed the following features: [jsp-2.3, concurrent-1.0, servlet-3.1, ssl-1.0, jndi-1.0, json-1.0, distributedMap-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-1.1, el-3.0].
[AUDIT   ] CWWKF0011I: The server defaultServer is ready to run a smarter planet.
[AUDIT   ] CWWKZ0001I: Application decisioncenter started in 31.085 seconds.

and this is what I see: -





and my WSDL: -


accessible via SoapUI: -


Tuesday, 6 September 2016

IBM Operational Decision Manager - Running it on WebSphere Liberty Profile on Docker - And there's more

So following my earlier post: -


I noticed that the Rule Execution Server ( Decision Server ) and Rule Team Server ( Decision Center ) capabilities weren't quite working as I'd expected.

Given that the original developerWorks article: -


was written for an older version of ODM ( 8.7.1 whereas I have 8.8.1 ), I reviewed the IBM Knowledge Center here: -


and: -

specifically the server.xml for ODM 8.8.1 on Liberty is subtly different.

The Unix diff command showed me this: -

diff server.xml /tmp/server.xml 

New

<feature>servlet-3.1</feature>
<feature>jsp-2.3</feature>
<feature>jdbc-4.1</feature>
<feature>appSecurity-2.0</feature>


Old

<feature>servlet-3.0</feature>
<feature>jsp-2.2</feature>
<feature>jdbc-4.0</feature>
<feature>appSecurity-1.0</feature>


New

<     <httpSession cookieName="DCSESSIONID" invalidateOnUnauthorizedSessionRequestException="true"/> 

New

<         <webContainer deferServletLoad="false" enableDefaultIsElIgnoredInTag="true" enableJspMappingOverride="true"/>

New

< <!-- Business console -->
< <application type="war" id="decisioncenter" name="decisioncenter" location="${server.config.dir}/apps/decisioncenter.war">
<     <classloader delegation="parentLast" />
< ...
< </application>

< <!-- Enterprise console -->
< <application type="war" id="teamserver" name="teamserver" location="${server.config.dir}/apps/teamserver.war">
<     <classloader delegation="parentLast" />
< ...
< </application>
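
Review bot: In the last region (the added Business console and Enterprise console application elements), the "..." line is documentation shorthand and ends up as literal text inside each element; drop it or replace it with the intended child elements. These two elements also reuse the ids decisioncenter and teamserver, so where server.xml already declares applications with those ids, as the full file shown elsewhere on this page does, consider adding the classloader delegation="parentLast" child to the existing elements so that each application's role bindings and classloader setting live in one place.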

Once I rebuilt my Image with this updated server.xml, things went much better, and I can now log into my Decision Server and Decision Center, and things appear mainly normal.

I still need to sort out the Hosted Transformation Decision Server (HTDS) component, as per this: -

which is tomorrow's job :-)

To Docker ... And Beyond ....

These two articles are on my reading list: -


To transition an IT environment to the cloud, enterprises are using container technology, primarily Docker containers. This approach helps to streamline resource consumption and further automate operational processes. At the same time, several services are required to support enterprise-grade business applications, that is, the existing middleware functions. Such services can apply to integration, messaging, APIs, or hosting applications in a controlled, managed application server environment.

But, to run a Docker container, you must have an image. This tutorial explains how to create and extend Docker images that contain middleware functions so that you can add applications that leverage Docker image layering.


Many of us who develop with Docker often find that we are:

• Building layers upon layers of images
• Running a whole fleet of containers originating from various base images and different versions of our own apps
After all, being able to quickly build, spin up and test various code and environment combinations is one of the greatest benefits of container-based development. And there's no better way to test your changes than running a few environments in parallel and switching between them. It's blue-green deployment and A/B testing at your fingertips! But even the strongest development machine has resource limitations. Eventually, we need to remove images and kill some containers just to be able to build and run new versions.

So here are a few useful command-line tricks to help you clean up your working environment.

And then I find out that Docker is being obsoleted by … rkt


rkt is the next-generation container manager for Linux clusters. Designed for security, simplicity, and composability within modern cluster architectures, rkt discovers, verifies, fetches, and executes application containers with pluggable isolation. rkt can run the same container with varying degrees of protection, from lightweight, OS-level namespace and capabilities isolation to heavier, VM-level hardware virtualisation.

but I won't panic just yet …..