Thursday, March 10, 2011

IBM ILOG Team Server Setup on JBOSS EAP 5.1

1) Download the software from IBM passport advantage website
a) IBM WebSphere ILOG BRMS JRules V7.1.1 for UNIX Multilingual(CZLX6ML) - JRules_V711_CZLX6ML.bin
b) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1 for UNIX Multilingual(CZM2UML) - RTS_V711_CZM2UML.bin
c) IBM WebSphere ILOG BRMS Rule Team Server V7.1.1.1 for UNIX Multilingual(CZUW0ML) - RTS_V7111_CZUW0ML.bin
d) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1 for Multiplatform Multilingual(CZLY1ML) - JRules_JBoss_V711_CZLY1ML.jar
e) IBM WebSphere ILOG BRMS JBoss Bundle V7.1.1.1 for Multiplatform Multilingual(CZUW8ML) - JRules_JBoss_V7111_CZUW8ML.jar

2) Install JDK on the server and make sure Java runtime is set.

3) Install the ILOG software in the above order (a through e) and select the default install options
./JRules_V711_CZLX6ML.bin
./RTS_V711_CZM2UML.bin
./RTS_V7111_CZUW0ML.bin
java -jar JRules_JBoss_V711_CZLY1ML.jar
java -jar JRules_JBoss_V7111_CZUW8ML.jar
Note: These installations can happen on any other machine and ear file can be copied over to target team server.

4) Install JBOSS EAP 5.1 on server. I slimmed JBOSS to bare minimum with no admin or jmx console and deleted all additional package. Follow the IBM ILOG infocenter instructions on cleaning up the environment under JBOSS section.
Some of the directories I deleted include
cd /opt/jboss-eap-5.1
rm -Rf mod_cluster picketlink resteasy seam
cd /opt/jboss-eap-5.1/jboss-as/server
rm -Rf production minimal all standard web

5) Create a local transaction data source (jdbc_ilogDataSource-ds.xml) with <jndi-name>jdbc/ilogDataSource</jndi-name>

6) Copy the jrules-teamserver-JBOSS5.ear from the teamserver directory to the deploy folder.
Expand the EAR file

7) If you have any custom groups to be added, append security roles to files
a) jrules-teamserver-JBOSS5.ear/META-INF/application.xml.
b) jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/web.xml
I have added two custom groups ilog-readonly and ilog-readwrite
  <security-role>
    <role-name>ilog-readonly</role-name>
  </security-role>
  <security-role>
    <role-name>ilog-readwrite</role-name>
  </security-role>

8) Add the following application security policy to jboss-eap-5.1/jboss-as/server/default/conf/login-config.xml
<application-policy name="jldap">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.provider.url">ldap://servername:389</module-option>
<module-option name="bindDN">CN=ldapbindid,OU=_Service Accounts,dc=something,dc=com</module-option>
<module-option name="bindCredential">ldapbindid-password</module-option>
<module-option name="baseCtxDN">DC=something,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=ILOG,OU=_SECURITY GROUPS,OU=something,DC=something,DC=COM</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="trace">true</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/ilog-users.properties</module-option>
<module-option name="rolesProperties">props/ilog-roles.properties</module-option>
<module-option name="password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>

9) Create these files under jboss-eap-5.1/jboss-as/server/default/conf/props directory
ilog-users.properties  file is empty bcoz we use ldap authentication

ilog-roles.properties
user1=rtsUser,ilog-readonly
user2=rtsUser,ilog-readwrite
rtsAdmin=rtsAdministrator,rtsInstaller,ilog-readwrite
rtsConfig=rtsConfigManager,ilog-readwrite
ilogadminuser1=rtsAdministrator,rtsConfigManager,rtsInstaller,rtsUser

10) Update jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/web.xml to use the above application policy.
<jboss-web>
         <security-domain>java:/jaas/jldap</security-domain>
         <context-root>teamserver</context-root>
        <resource-ref>
                <res-ref-name>jdbc/ilogDataSource</res-ref-name>
                <jndi-name>java:/jdbc/ilogDataSource</jndi-name>
        </resource-ref>
</jboss-web>

11) Delete *jsf* JARs from jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

12) Place any Dynamic Domain jar under jrules-teamserver-JBOSS5.ear/teamserver.war/WEB-INF/lib directory.

13) Start the jboss ilog server

14) If your login is slow or you get IBM URL messages in logs, add the following line to /etc/hosts
127.0.0.1  publib.boulder.ibm.com

15) Access the team server http://ip_addr:8080/teamserver

posted by Jayanthi Krishnamurthy @ 5:21 PM   0 Comments

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home

Newer›  ‹Older