This article is part of an article series around Operational Decision Manager (ODM) topologies in context of Cloud Pak for Business Automation (CP4BA). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.
Please find a PDF version of this article here.
1. Introduction
This document describes how to set up an ODM Silver topology deployment in the context of Cloud Pak for Business Automation (CP4BA) 22.0.1.
The ODM Silver topology is a deployment of several ODM environments, each in an individual namespace, within a single cluster.
The minimum Silver topology consists of an Authoring, a Sandbox, and a Production environment.
The full Silver topology consists of an Authoring, Sandboxes, a Pre-prod and a Production environment.
Schema of a full ODM Silver topology (fig. 1)
There is one Decision Center to govern all Decision Servers. All environments use the same Identity Access Management (IAM) for authentication and the databases are externalized.
Silver topology is best suited for applications with medium production constraints (HA, Pre-Prod, ...). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.
2. Installing ODM Silver topology
Silver topology is based on the default Bronze topology with additional customization to allow several ODM environments within the same cluster. To install ODM Silver topology, it is recommended to start with ODM Bronze topology for 22.0.1 to set up the cluster and then obtain a baseline Cloud Pak for Business Automation deployment Custom Resource (CR) YAML file. Use this CR file and customize it per ODM environment. Other settings such as IAM configuration and certificate management are discussed later in this article.
Procedure:
- Follow the instructions in ODM Bronze topology for 22.0.1 to set up the cluster and prepare the ODM installation. Make sure to create a namespace for your ODM Silver environment. For example:
oc new-project <silver_topo_name>
- Generate a CR file for ODM Bronze topology. For more information, see Generating the custom resource with the deployment script.
- Copy the CR file that is created at scripts/generated-cr/ibm_cp4a_cr_final.yaml and rename it as <your_odm_env>.yaml.
- Assign a value to the metadata.name parameter in the CR file. For example, metadata.name: authoring
- Set sc_deployment_profile_size: medium for the Cloud Pak deployment profile. The deployment profile (sc_deployment_profile_size) of Cloud Pak for Business Automation is small by default. It is recommended to set it to medium for Silver topology environments and to set the IBM Cloud Platform UI (Zen) service to the same size as Cloud Pak. For more information, see System requirements.
- Remove the following unwanted parameters:
- sc_deployment_fncm_license: "<Required>"
- sc_deployment_baw_license: "<Required>"
- sc_deployment_license: "<Required>"
- sc_ingress_enable: false
- sc_cpe_limited_storage: false
- sc_ingress_tls_secret_name: <Required>
- Fill in image_pull_secrets with your shared image pull secrets, if they are not already set.
- Fill in ldap_configuration per your LDAP configuration.
- In datasource_configuration section, fill in dc_odm_datasource per your database configuration.
- An example for Db2 with SSL enabled:
datasource_configuration:
  dc_odm_datasource:
    database_servername: <db2_hostname>
    dc_common_database_instance_secret: <db2_credentials>
    dc_common_database_name: <odm_db_name>
    dc_common_database_port: '60001'
    dc_common_ssl_enabled: true
    dc_database_type: db2
    dc_ssl_secret_name: <odm-db2-ssl-cert>
    dc_ssl_enabled: true
- If SSL is used to secure the database connection, set dc_common_ssl_enabled in the CR file to true and set the dc_ssl_secret_name parameter to a secret containing the Db2 SSL certificate.
Create the secret by running the following command:
oc create secret generic odm-db2-ssl-secret --from-file=db2-server-certificate=<your_path>/server.crt
where server.crt is the Db2 SSL certificate public key in ASCII (PEM) format. For example:
-----BEGIN CERTIFICATE-----
MIIHDzCCBfegAwIBAgIQCKZtYygfn9pg13D0uAX YzANBgkqhkiG9w0BAQsFADBg ... 3R7IrdK8aS1WUGlKulqEDiV4TJ 1XpcoUq8wtmBSw1fyV7g=
-----END CERTIFICATE-----
For more information on how to generate the Db2 SSL certificate, see Self-signing digital certificates.
- Move the parameter deployment_profile_size: "small" to the odm_configuration section.
- Change the value of this parameter to custom:
odm_configuration:
  deployment_profile_size: custom
- Make sure that you have a fully defined CR file for an ODM Bronze topology. You can refer to the sample provided at the end of ODM Bronze topology for 22.0.1.
- Apply the CR file to install the base ODM environment first. This avoids a limitation whereby the odm-zen-proxy configmap is not created correctly with a custom ODM environment.
oc apply -f <your_odm_env>.yaml
- Verify that the ODM decision pods are all ready after a couple of reconcile loops of the CP4BA operator.
- Modify the spec.odm_configuration and spec.olm_production_option.decisions sections in the icp4acluster deployment according to your desired ODM environment and save the changes. See the examples below for each ODM environment.
Authoring environment
The Authoring environment consists of a Decision Server Console, 2 Decision Center replicas and 2 Decision Runner replicas.
Edit your Authoring YAML in the specific icp4acluster deployment to install these components. For example:
odm_configuration:
  deployment_profile_size: custom
  decisionCenter:
    enabled: true
    replicaCount: 2
    resources:
      limits:
        cpu: '2'
        memory: 8Gi
      requests:
        cpu: '1'
        memory: 4Gi
  decisionServerRuntime:
    enabled: false
  decisionRunner:
    enabled: true
    replicaCount: 2
    resources:
      limits:
        cpu: '2'
        memory: 2Gi
      requests:
        cpu: 500m
        memory: 2Gi
  decisionServerConsole:
    resources:
      limits:
        cpu: '2'
        memory: 1Gi
      requests:
        cpu: 500m
        memory: 512Mi
...
olm_production_option:
  decisions:
    bai: false
    decisionCenter: true
    decisionRunner: true
    decisionServerRuntime: false
Sandbox environment
The Sandbox environment consists only of a Decision Server Console and a Decision Server Runtime.
Edit your Sandbox YAML in the specific icp4acluster deployment to install only the Decision Server Console and Decision Server Runtime. For example:
odm_configuration:
  deployment_profile_size: custom
  decisionCenter:
    enabled: false
  decisionServerRuntime:
    enabled: true
    replicaCount: 1
    resources:
      limits:
        cpu: '2'
        memory: 2Gi
      requests:
        cpu: '2'
        memory: 2Gi
  decisionRunner:
    enabled: false
  decisionServerConsole:
    resources:
      limits:
        cpu: '2'
        memory: 1Gi
      requests:
        cpu: 500m
        memory: 512Mi
...
olm_production_option:
  ...
  decisions:
    bai: false
    decisionCenter: false
    decisionRunner: false
    decisionServerRuntime: true
Production and Pre-Prod environment
The Production environment consists of a Decision Server Console and 3 Decision Server Runtime replicas. The Pre-prod environment is similar to Production, with a Decision Server Console and several Decision Server Runtime replicas.
Edit your YAML in the specific icp4acluster deployment to install these components. For example:
odm_configuration:
  deployment_profile_size: custom
  decisionCenter:
    enabled: false
  decisionServerRuntime:
    enabled: true
    replicaCount: 3
    resources:
      limits:
        cpu: '2'
        memory: 2Gi
      requests:
        cpu: '2'
        memory: 2Gi
  decisionRunner:
    enabled: false
  decisionServerConsole:
    resources:
      limits:
        cpu: '2'
        memory: 1Gi
      requests:
        cpu: 500m
        memory: 512Mi
...
olm_production_option:
  decisions:
    bai: false
    decisionCenter: false
    decisionRunner: false
    decisionServerRuntime: true
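Because each environment's CR is edited by hand, it is easy to leave a Bronze-only key behind or to let the olm_production_option.decisions flags drift from the enabled flags in odm_configuration. The following check, an added example that is not part of the article or of IBM's tooling, encodes the rules from the procedure above; the CR is embedded as a constructed Python dict (a real file would be loaded with yaml.safe_load and checked the same way).

```python
"""Consistency checks for an ODM Silver topology CR (added example, not code from the article or IBM)."""
from typing import Any, Dict, List

# shared_configuration keys the article says to remove from the Bronze-generated CR.
UNWANTED = {"sc_deployment_fncm_license", "sc_deployment_baw_license", "sc_deployment_license",
            "sc_ingress_enable", "sc_cpe_limited_storage", "sc_ingress_tls_secret_name"}

# Constructed CR for an Authoring environment, following the article's examples.
AUTHORING_CR: Dict[str, Any] = {
    "metadata": {"name": "authoring"},
    "spec": {
        "shared_configuration": {"sc_deployment_profile_size": "medium"},
        "datasource_configuration": {"dc_odm_datasource": {
            "dc_database_type": "db2", "dc_common_ssl_enabled": True,
            "dc_ssl_enabled": True, "dc_ssl_secret_name": "odm-db2-ssl-secret"}},
        "odm_configuration": {
            "deployment_profile_size": "custom",
            "decisionCenter": {"enabled": True, "replicaCount": 2},
            "decisionServerRuntime": {"enabled": False},
            "decisionRunner": {"enabled": True, "replicaCount": 2}},
        "olm_production_option": {"decisions": {
            "bai": False, "decisionCenter": True,
            "decisionRunner": True, "decisionServerRuntime": False}}}}

def check_silver_cr(cr: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the CR passes the checks."""
    problems: List[str] = []
    spec = cr.get("spec", {})
    shared = spec.get("shared_configuration", {})
    odm = spec.get("odm_configuration", {})
    decisions = spec.get("olm_production_option", {}).get("decisions", {})
    ds = spec.get("datasource_configuration", {}).get("dc_odm_datasource", {})
    if shared.get("sc_deployment_profile_size") != "medium":
        problems.append("sc_deployment_profile_size should be medium for Silver")
    for key in sorted(UNWANTED & set(shared)):
        problems.append(f"remove shared_configuration.{key}")
    if odm.get("deployment_profile_size") != "custom":
        problems.append("odm_configuration.deployment_profile_size must be custom")
    # olm_production_option.decisions must mirror the enabled flags in odm_configuration.
    for comp in ("decisionCenter", "decisionRunner", "decisionServerRuntime"):
        enabled = bool(odm.get(comp, {}).get("enabled", False))
        if bool(decisions.get(comp, False)) != enabled:
            problems.append(f"{comp}: odm_configuration enabled={enabled} but decisions flag differs")
    # An SSL-secured Db2 datasource also needs the secret holding the server certificate.
    if (ds.get("dc_common_ssl_enabled") or ds.get("dc_ssl_enabled")) and not ds.get("dc_ssl_secret_name"):
        problems.append("dc_ssl_secret_name is required when database SSL is enabled")
    return problems
```

Run it against every environment's CR before oc apply; the same function serves the Sandbox and Production CRs, since only the enabled flags differ.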
3. Configuring your cluster
Cloud Pak Platform UI (Zen) config
User access to ODM is now managed through the Zen UI. Predefined ODM permissions and ODM roles are available. You can manage the permissions of your users for ODM in IBM Cloud Pak Platform UI (Zen). These permissions are used to access Decision Center and Decision Server Console, or to control access to Decision Server Runtime and the management REST API endpoints.
A Zen API key is used to allow automatic authentication of the ODM services with the Cloud Pak Zen platform. For Decision Server Runtime REST API calls, although you can use a Zen API key, it is preferable to use basic authentication for performance reasons.
Basic Authentication
By default, a basic registry with the following users is provided in the form of a webSecurity.xml file:
- resExecutor to execute rules on the Decision Server Runtime
- odmAdmin to execute REST API calls on Decision Center and Decision Server Console
Follow these steps to have a customized registry for your ODM environment.
- Copy the default registry webSecurity.xml file.
- Adapt the group mappings inside the webSecurity.xml file to your requirements.
Here is an example of a custom webSecurity.xml file for a production environment, to be included in the secret my-auth-secret:
<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <user name="resAdmin1" password="resAdmin1"/>
    <group name="resExecutors">
      <member name="resExecutor" />
      <member name="odmAdmin" />
    </group>
    <group name="basicResAdministrators">
      <member name="resAdmin1" />
    </group>
  </basicRegistry>
  <variable name="odm.resAdministrators.group1" value="group:basic/basicResAdministrators"/>
  <variable name="odm.resMonitors.group1" value="group:basic/basicResAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
</server>
- Create a secret in your project namespace using the command:
oc create secret generic my-auth-secret --from-file=webSecurity.xml=<your_path>/webSecurity.xml
- Pass the secret to ODM configuration through the spec.odm_configuration.customization.authSecretRef parameter of the CR file:
odm_configuration:
  customization:
    authSecretRef: my-auth-secret
For more information, refer to Optional user access configurations.
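A registry edited by hand can silently lock users out when a group member is not a declared user or an odm.*.groupN variable points at a group name that does not exist. The check below, an added example that is not part of the article or of ODM, parses a webSecurity.xml and verifies those mappings; it also lists users whose password still equals their user name, which the sample above uses as placeholders.

```python
"""Sanity checks for a custom ODM webSecurity.xml (added example, not code from the article or IBM).
The sample registry below is constructed, following the article's production example."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_SECURITY = """<server>
  <basicRegistry id="basic" realm="basic">
    <user name="odmAdmin" password="odmAdmin"/>
    <user name="resExecutor" password="resExecutor"/>
    <user name="resAdmin1" password="resAdmin1"/>
    <group name="resExecutors">
      <member name="resExecutor"/>
      <member name="odmAdmin"/>
    </group>
    <group name="basicResAdministrators">
      <member name="resAdmin1"/>
    </group>
  </basicRegistry>
  <variable name="odm.resAdministrators.group1" value="group:basic/basicResAdministrators"/>
  <variable name="odm.resMonitors.group1" value="group:basic/basicResAdministrators"/>
  <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
</server>"""

def check_web_security(xml_text: str) -> list[str]:
    """Return structural problems; an empty list means every mapping resolves."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    registry = root.find("basicRegistry")
    if registry is None:
        return ["no basicRegistry element"]
    realm = registry.get("realm", "")
    users = {u.get("name") for u in registry.findall("user")}
    groups = {g.get("name"): [m.get("name") for m in g.findall("member")]
              for g in registry.findall("group")}
    # Every group member must be a declared user of the registry.
    for gname, members in groups.items():
        for member in members:
            if member not in users:
                problems.append(f"group {gname} lists unknown user {member}")
    # Every odm.*.groupN variable must point at a group of this realm.
    for var in root.findall("variable"):
        name, value = var.get("name", ""), var.get("value", "")
        if name.startswith("odm.") and ".group" in name:
            prefix, _, gname = value.partition("/")
            if prefix != f"group:{realm}" or gname not in groups:
                problems.append(f"{name} refers to unknown group {value}")
    return problems

def placeholder_passwords(xml_text: str) -> list[str]:
    """Users whose password equals their user name; replace these before the secret reaches production."""
    registry = ET.fromstring(xml_text).find("basicRegistry")
    return [u.get("name") for u in registry.findall("user") if u.get("password") == u.get("name")]
```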
Managing TLS certificates
Besides the LDAP connection issue that you can encounter when connections are secured, the secured connection to other environments (different namespaces) is not configured by default: you must push the certificate manually.
LDAP
If you use an SSL-enabled LDAP in your environment, you must create the SSL secret with the certificate of the LDAP server. Put the LDAP server certificate in the operator trust list as described in Importing the certificate of an external service.
Namespace
By default, a secured connection from Decision Center in the Authoring environment to Decision Server Console in another environment leads to an error like the following one:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Path does not chain with any of the trust anchors
To overcome this issue, you need to import the certificate of the Sandbox/Pre-prod/Production environment into the Authoring environment. Here are the steps:
- Extract the RES certificate by downloading it from the RES console (for example, of the Production environment) using a browser.
- Create a new secret in authoring namespace (key=tls.crt with cert content):
oc create secret generic my-prod-env-secret --from-file=tls.crt=<your_path>/cpd.pem
- Specify this secret as your custom one in the list of secrets registered in the spec.shared_configuration.trusted_certificate_list parameter of the CR file.
shared_configuration:
  trusted_certificate_list:
    - my-prod-env-secret
- Wait for some minutes while the ODM pods restart.
Configuring Rule Designer
To be able to securely connect your Rule Designer to the Decision Server and Decision Center components that are running in an OCP cluster, you need to establish a Transport Layer Security (TLS) connection through a security certificate. For more information, see Importing a security certificate in Rule Designer.
Reaching external services
Last but not least, to integrate with any external service, you must first import its TLS certificate into the operator trust list. These certificates are added to the truststore of each component in the Cloud Pak.
4. Validating your deployment