Importing a security certificate in Rule Designer

To connect Rule Designer securely to the Decision Server and Decision Center services that are running in Certified Kubernetes, you need to establish a TLS connection through a security certificate.

About this task

You must import the security certificate exposed by the Decision Server and Decision Center services into the Rule Designer JVM truststore. It is assumed that these services use the same certificate. If not, the following procedure must be applied to both services.

Procedure

  1. Save the certificate exposed by the ODM service to the odmserver.crt certificate file.
    keytool -printcert -sslserver <ODM-SERVICE-ENDPOINT> -rfc > odmserver.crt
    For example:
    keytool -printcert -sslserver odm-dc-route.apps.mycompany.cp.ibm.com -rfc > odmserver.crt
  2. Import the certificate into the truststore.jks truststore file by using the keytool utility.
    keytool -import -noprompt -alias odm -keystore truststore.jks -storepass changeme < odmserver.crt

    Where changeme is the fixed password that is used to protect the integrity of the truststore.jks file.

  3. If Operational Decision Manager is configured with an OpenID provider, import the certificate of the OpenID server into the truststore.jks file.
    For example:
    keytool -printcert -sslserver openid-route.apps.mycompany.cp.ibm.com -rfc > openidserver.crt
    keytool -import -noprompt -alias openid -keystore truststore.jks -storepass changeme < openidserver.crt
  4. Check that the truststore contains the required certificates.
    keytool -list -keystore truststore.jks -storepass changeme -v
  5. Copy the truststore.jks file to your Rule Designer installation directory next to the eclipse.ini file.
  6. If Operational Decision Manager is configured with an OpenID provider, follow the documentation Defining OpenID Connect Providers for Rule Designer to create a JSON file where you specify your OpenID Connect providers.
  7. Add the SSL properties at the end of your eclipse.ini file.
    To use the default security certificate, enter the following lines:
    -Djavax.net.ssl.trustStore=<PATHDIR>/truststore.jks
    -Djavax.net.ssl.trustStorePassword=changeme

    Where changeme is the fixed password to be used for the default truststore.jks file.

    If you use an OpenID provider, add the following option:
    -Dcom.ibm.rules.authentication.oidcconfig=<PATHDIR>/OdmOidcProvidersRD.json
    Note: The truststore.jks and OdmOidcProvidersRD.json files can also be retrieved directly from the decisioncenter/assets endpoint.
  8. Restart Rule Designer.
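
Steps 1 and 2 import the certificate that the endpoint presents, with -noprompt suppressing the keytool confirmation. The following added example (not part of the original procedure) compares the SHA-256 fingerprint of odmserver.crt with a value obtained out of band before running the same import. It assumes GNU coreutils and a file that holds a single PEM certificate; the function names and the script name pin_import.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not the product's own script): fingerprint check before the
# step 2 import. Assumes GNU coreutils (base64, sha256sum, mktemp).

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in a
# PEM file. The fingerprint is the hash of the DER bytes inside the PEM armor.
pem_sha256() {
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q' | grep -v -- '-----' | tr -d ' \r\n')
    [ -n "$body" ] || return 1                  # no certificate in the file
    der=$(mktemp) || return 1
    if printf '%s' "$body" | base64 -d > "$der" 2>/dev/null; then
        sha256sum < "$der" | cut -d' ' -f1
        rm -f "$der"
    else
        rm -f "$der"
        return 1                                # body was not valid base64
    fi
}

# Accept "AB:CD:..." (the layout keytool prints) or plain hex, in either case.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Return 0 only when the file's fingerprint equals the expected pin.
# Return 2 when the file or the pin is unusable, 1 on a mismatch.
verify_pin() {
    actual=$(pem_sha256 "$1") || return 2
    expected=$(normalize_fp "$2")
    [ ${#expected} -eq 64 ] || return 2
    [ "$actual" = "$expected" ]
}

# Usage: sh pin_import.sh odmserver.crt 'AB:CD:...'
# The second argument is the fingerprint supplied by the cluster administrator.
if [ "$#" -eq 2 ]; then
    if verify_pin "$1" "$2"; then
        keytool -import -noprompt -alias odm -keystore truststore.jks \
            -storepass changeme -file "$1"
    else
        echo "fingerprint mismatch or unreadable certificate: not importing $1" >&2
        exit 1
    fi
fi
```

The same check applies to the OpenID server certificate in step 3, with its own expected fingerprint and the openid alias.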

What to do next

To make sure you are able to publish a decision service, test the connection between Rule Designer and Decision Center.