Decision Management (ODM, ADS)

 View Only

How do I install ODM Silver topology with CP4BA 22.0.1?

By Sia Sin Tay posted Fri September 02, 2022 10:52 AM

  
This article is part of an article series around Operational Decision Manager (ODM) topologies in context of Cloud Pak for Business Automation (CP4BA). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.

Please find a version of PDF of this article here.


1. Introduction
This document aims at describing how to setup an ODM Silver topology deployment in the context of the Cloud Pak for Business Automation (CP4BA) 22.0.1. 
 
The ODM Silver topology is a deployment of several ODM environments, each in an individual namespace, within a single cluster. 
Minimum Silver topology consists of an Authoring, a Sand box, and a Production environment. 
Full Silver topology consists of an Authoring,  Sandboxes, a Pre-prod and a Production environment.   
Schema of a full ODM Silver topology (fig. 1)
There is one Decision Center to govern all Decision Servers.  All environments use the same Identity Access Management (IAM) for authentication and the databases are externalized. 
 
Silver topology is best suited for applications with medium production constraints (HA, Pre-Prod, ...). For more information about ODM environments and the topologies, see CP4BA ODM topologies on OpenShift.

2. Installing ODM Silver topology
Silver topology is based on default Bronze topology with additional customization to allow several ODM environments within the same cluster. To install ODM Silver topology, it is recommended to start with ODM Bronze topology for 22.0.1 to setup the cluster and then obtain a baseline Cloud Pak for Business Automation deployment Custom Resource (CR) YAML file. Use this CR file and customize it per ODM environment. Other settings such as IAM configuration and certificates management are discussed in the later part of this article.
Procedure:
  1. Follow the instruction in ODM Bronze topology for 22.0.1 to setup the cluster and prepare the ODM installation. Make sure to create a namespace for your ODM Silver environment. For example:
    oc new-project <silver_topo_name>
  2. Generate a CR file for ODM Bronze topology. For more information, see Generating the custom resource with the deployment script.
  3. Copy the CR file that is created at scripts/generated-cr/ibm_cp4a_cr_final.yaml and rename it as <your_odm_env>.yaml.
  4. Assign a value to the metadata.name parameter in the CR file. For example, metadata.name: authoring
  5. Set sc_deployment_profile_size: medium for Cloud Pak deployment profile.  The deployment profile (sc_deployment_profile_size) of Cloud Pak for Business Automation is small by default. It is recommended to set to medium for Silver topology environments and set the IBM Cloud Platform UI (Zen) service to the same size as Cloud Pak.  For more information, see System requirements
  6. Remove the following unwanted parameters: 
    • sc_deployment_fncm_license: "<Required>"
    • sc_deployment_baw_license: "<Required>"
    • sc_deployment_license: "<Required>"
    • sc_ingress_enable: false
    • sc_cpe_limited_storage: false
    • sc_ingress_tls_secret_name: <Required> 
  7. Fill in image_pull_secrets per your specific shared image pull secrets (if not so).
  8. Fill in ldap_configuration per your LDAP configuration.
  9. In datasource_configuration section, fill in dc_odm_datasource per your database configuration.
    • An example for Db2 with SSL enabled:
      datasource_configuration:
        dc_odm_datasource:
          database_servername: <db2_hostname>
          dc_common_database_instance_secret: <db2_credentials>
          dc_common_database_name: <odm_db_name>
          dc_common_database_port: '60001'
          dc_common_ssl_enabled: true
          dc_database_type: db2
          dc_ssl_secret_name: <odm-db2-ssl-cert> 
        dc_ssl_enabled: true
    • If SSL is used to secure the database connection, set dc_common_ssl_enabled  in the CR file to true and dc_ssl_secret_name parameter with a secret containing the Db2 SSL certificate.

      Create a secret by running the following command: 

      oc create secret generic odm-db2-ssl-secret --from-file=db2-server-certificate=<your_path>/server.crt

      whereby server.crt is the Db2 SSL certificate public key in ASCII format. For example:

      -----BEGIN CERTIFICATE----- 
      MIIHDzCCBfegAwIBAgIQCKZtYygfn9pg13D0uAX YzANBgkqhkiG9w0BAQsFADBg  ... 3R7IrdK8aS1WUGlKulqEDiV4TJ 1XpcoUq8wtmBSw1fyV7g= 
      -----END CERTIFICATE----

      For more information on how to generate the Db2 SSL certificate, see Self-signing digital certificates.

  10. Move the parameter deployment_profile_size: "small" to odm_configuration section.
  11. Change the value of this parameter to custom.
    odm_configuration:
      deployment_profile_size: custom
  12. Make sure that you have a fully defined CR file for an ODM Bronze topology. You can refer to the sample as provided at the end of ODM Bronze topology for 22.0.1.
  13. Apply the CR file to install the base ODM environment first. This is to avoid a limitation whereby the odm-zen-proxy configmap is not created correctly with a custom ODM environment.
    oc apply -f <your_odm_env>.yaml
  14. Verify the deployment that the ODM decision pods are all ready after a couple of reconcile loops of the CP4BA operator.
  15. Modify spec.odm_configuration and spec.olm_production_option.decisions sections in the icp4acluster deployment according to your desired ODM environment and save the changes. See the examples below for each ODM environment. 

    Authoring environment

    Authoring environment consists of
    Decision Server Console, 2 Decision Center and 2 Decision Runner. 
    Edit your
    Authoring YAML in the specific icp4acluster deployment to install these components. For example:
    odm_configuration:
      deployment_profile_size: custom
      decisionCenter:
        enabled: true
        replicaCount: 2
        resources:
          limits:
            cpu: '2'
            memory: 8Gi
          requests:
            cpu: '1'
            memory: 4Gi
      decisionServerRuntime:
        enabled: false
      decisionRunner:
        enabled: true
        replicaCount: 2
        resources:
          limits:
            cpu: '2'
            memory: 2Gi
          requests:
            cpu: 500m
            memory: 2Gi
      decisionServerConsole:
        resources:
          limits:
            cpu: '2'
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 512Mi
    ...
    olm_production_option:
      decisions:
        bai: false
        decisionCenter: true
        decisionRunner: true
        decisionServerRuntime: false

    Sandbox environment

    Sandbox environment only consists of Decision Server Console and a Decision Server Runtime. 
    Edit your
    sandbox YAML in the specific icp4acluster deployment to only install Decision Server Console and Decision Server Runtime. For example:
    odm_configuration:
      deployment_profile_size: custom
      decisionCenter:
        enabled: false
      decisionServerRuntime:
        enabled: true
        replicaCount: 1
        resources:
          limits:
            cpu: '2'
            memory: 2Gi
          requests:
            cpu: '2'
            memory: 2Gi
      decisionRunner:
        enabled: false
      decisionServerConsole:
        resources:
          limits:
            cpu: '2'
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 512Mi
    ...
    olm_production_option:
    ...
      decisions:
        bai: false
        decisionCenter: false
        decisionRunner: false
        decisionServerRuntime: true

    Production and Pre-Prod environment

    Production environment consists of Decision Server Console and 3 Decision Server Runtime.  Pre-prod environment is similar to Production environment with a Decision Server Console and several Decision Server Runtime.  
    Edit your YAML in the specific icp4acluster deployment to install these components. For example:

    odm_configuration:
      deployment_profile_size: custom
      decisionCenter:
        enabled: false
      decisionServerRuntime:
        enabled: true
        replicaCount: 3
        resources:
          limits:
            cpu: '2'
            memory: 2Gi
          requests:
            cpu: '2'
            memory: 2Gi
      decisionRunner:
        enabled: false
      decisionServerConsole:
        resources:
          limits:
            cpu: '2'
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 512Mi
    ...
    olm_production_option:
      decisions:
        bai: false
        decisionCenter: false
        decisionRunner: false
        decisionServerRuntime: true
    See Performance Check List of OCP for CP4BA to perform some additional tuning to this Production or Pre-Production environment.

    3. Configuring your cluster

    Cloud Pak Platform UI (Zen) config
    User access to ODM is now managed through the Zen UI. Predefined ODM permissions and ODM roles are available. You can manage the permissions of your users for ODM in IBM Cloud Pak Platform UI (Zen). These permissions are used to access Decision Center and Decision Server console, or to control access to Decision Server Runtime and management REST API endpoints.
    A Zen API key is used to allow automatic authentication of the ODM services with the Cloud Pak Zen platform. For Decision Server Runtime REST API calls, although you can use a Zen API key, it is preferable to use basic authentication for performance reasons. 
    For more information about Zen and the relevant configuration for ODM, refer to Configuring user access of ODM installation guide

    Basic Authentication
    By default, a basic registry with the following users is provided in the form of a webSecurity.xml file:
    • resExecutor to execute rules on the Decision Server Runtime
    • odmAdmin to execute REST API calls on Decision Center and Decision Server Console
     
    Follow the following steps to have a customized registry for your ODM environment.
    1. Copy the default registry webSecurity.xml file. 
    2. Adapt the group mappings inside the webSecurity.xml file depending on your requirement. 
      Here is an example of a custom webSecurity.xml file for a production environment to be included in the secret my-auth-secret :
        <server>
            <basicRegistry id="basic" realm="basic">
              <user name="odmAdmin" password="odmAdmin"/>
              <user name="resExecutor" password="resExecutor"/>
              <user name="resAdmin1" password="resAdmin1"/>
              <group name="resExecutors">
                <member name="resExecutor" />
                <member name="odmAdmin" />
              </group>
              <group name="basicResAdministrators">
                <member name="resAdmin1" />
              </group>
            </basicRegistry>
            <variable name="odm.resAdministrators.group1" value="group:basic/basicResAdministrators"/>
            <variable name="odm.resMonitors.group1" value="group:basic/basicResAdministrators"/>
            <variable name="odm.resExecutors.group1" value="group:basic/resExecutors"/>
        </server> 
    3. Create a secret in your project namespace using the command:
      oc create secret generic my-auth-secret --from-file=webSecurity.xml=<your_path>/webSecurity.xml 
    4. Pass the secret to ODM configuration through the spec.odm_configuration.customization.authSecretRef parameter of the CR file:
      odm_configuration:
        customization:
          authSecretRef: my-auth-secret

      For more information, refer to Optional user access configurations.

    Managing TLS certificates
    Along with the LDAP connection issue that you can meet in secured connection context, the secured connection to other environments (different namespaces) is not configured by default and needs to manually push the certificate.

    LDAP
    If you use a SSL-enabled LDAP in your environment, you must create the SSL secret with the certificate of the LDAP server. Put the LDAP server certificate in the operator trust list as described in Importing the certificate of an external service.
    For related information about securing LDAP by SSL, see Configuring LDAP over SSL.

    Namespace
    By default, a secured connection between Decision Center in Authoring environment to Decision Server Console in another environment, leads to an error like the following one:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Path does not chain with any of the trust anchors
    To overcome this issue, you need to import the certificate of Sandbox/Prep-prod/Production environment to Authoring environment. Here are the steps:
    1. Extract the RES certificate by downloading it from the RES console (for example Production environment) using a browser.
    2. Create a new secret in authoring namespace (key=tls.crt with cert content):
      oc create secret generic my-prod-env-secret --from-file=tls.crt=<your_path>/cpd.pem
    3. Specify this secret as your custom one in the list of secrets registered in the spec.shared_configuration.trusted_certificate_list parameter of the CR file.
        shared_configuration:
          trusted_certificate_list:
            - my-prod-env-secret
    4. Wait for some minutes while the ODM pods restart.

      Configuring Rule Designer
      To be able to securely connect your Rule Designer to the Decision Server and Decision Center components that are running in an OCP cluster, you need to establish a Transport Layer Security (TLS) connection through a security certificate. For more information, see Importing a security certificate in Rule Designer.

      Reaching out external services
      Last but not least, to integrate with an external service in general, you must first import its TLS certificate into the operator trust list. These certificates are added to the truststore of each component in the Cloud Pak.

      4. Validating your deployment
      Once everything is well configured and deployed, you can perform post installation tasks as described in completing post-installation tasks for ODM.  Additional validations can be done at ODM level using Validate your ODM topology - 22.0.1.


        #bestpractices
        #businessrules
        #CloudPakforBusinessAutomation
        #OperationalDecisionManager(ODM)
        #topology

        Permalink