Wednesday, 7 May 2014

IBM Operational Decision Manager - Problems connecting Rule Designer to Decision Center and Decision Server

I installed Rule Designer into my W2K8 VM, and immediately saw issues connecting to Decision Server (RES) and Decision Center (RTS), including: -



Unexpected error: ilog.rules.res.util.http.IlrConnectionException
IO error when contacting "/res/repositoryService"

This is the same problem that I saw at a client back in late 2012, and occurs because, unlike Process Designer, Rule Designer doesn't seem "smart" enough to retrieve the SSL certificates from the JVMs on which RES and RTS are running.

The solution is to grab the endpoint certificates from the RES and RTS URLs - I chose to use Internet Explorer to do this, and save the certificates, in DER encoded binary X.509 (.CER) format, to my hard drive ( C:\temp\rts.cer and C:\temp\res.cer respectively ).

I then imported each into the Rule Designer's local SSL key/trust store ( CACerts ), as follows: -

"C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\odm.cer -alias RES-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit

Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionServerNode01, O=IBM,
 C=US
Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
U=odm85Node1, O=IBM, C=US
Serial number: 912cd201ddc8
Valid from: 4/30/14 6:00 PM until: 4/30/15 6:00 PM
Certificate fingerprints:
         MD5:  9A:7B:E3:1B:B1:02:D3:38:08:A4:4B:24:6D:04:CB:1B
         SHA1: 47:42:81:7F:CC:A2:25:D3:5F:BE:47:6F:92:91:A8:74:F9:6C:ED:7B
         SHA256: 86:3A:1D:49:EC:5B:08:E7:CE:03:9B:FD:59:13:B1:12:90:A9:5B:EE:45:
65:BE:5F:DA:19:B3:F9:54:8A:D2:4A
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
baa9766]]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4e 7e a8 9c 7b fa f8 eb                           N.......
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore


"C:\Program Files\IBM\ODM851\jdk\bin\keytool.exe" -import -file c:\temp\rts.cer -alias RTS-P71005LPAR1.static1.tec.hur.cdn -keystore "c:\Program Files\IBM\ODM851\jdk\jre\lib\security\cacerts" -storepass changeit

Owner: CN=P71005LPAR1, OU=P71005LPAR1Node01Cell, OU=DecisionCenterNode01, O=IBM,
 C=US
Issuer: CN=P71005LPAR1.static1.tec.hur.cdn, OU=Root Certificate, OU=odm85Cell, O
U=odm85Node1, O=IBM, C=US
Serial number: d8b5af263526
Valid from: 5/1/14 3:51 PM until: 5/1/15 3:51 PM
Certificate fingerprints:
         MD5:  E5:BB:A2:FA:81:D1:2E:7C:23:50:9D:68:E7:E8:AA:71
         SHA1: 77:33:BE:8C:14:AA:1B:CF:40:15:D8:A8:C9:3B:0F:7B:BB:0B:E3:94
         SHA256: 4A:83:6E:61:1E:A1:65:D3:42:1A:79:F4:74:9E:2E:41:0A:B9:EE:7C:65:
C0:5F:DB:7A:01:36:03:29:E9:35:A4
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[RFC822Name: ProfileUUID:Dmgr01-DEPLOYMENT_MANAGER-1d2ca68d-5864-4176-a6ed-63293
baa9766]]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 4d 83 cb f4 e0 56 b4                           .M....V.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore


Note that the command will prompt you to Trust this certificate to which you need to respond yes :-)

Once both certificates are added to CACerts, I simply restarted Rule Designer, and was then able to publish projects to Decision Center (RTS) and rulesets to Decision Server (RES).

2 comments:

Abhinav Anshuman said...

Hi I have tried the above approach to deploy my ruleapp on red but its not working still its giving same error as mentioned above ,do I need to import private key of certificate.is there any solution using ant file

Dave Hay said...

@Abhinav

Hmm, that definitely worked for me, although I've not seen the problem again for a while now.

Check the certificates that you have in the client's cacerts store using keytool, and compare the signature against that which you see when you access Decision Center and/or Decision Server via a web browser.

If no joy, consider raising a PMR with IBM Support.

Cheers, Dave