Deliver 8.12.0.1 Release (#339)

* https://jsw.ibm.com/browse/DBACLD-73409 * https://jsw.ibm.com/browse/DBACLD-73692 * Remove slack (#319) * 8.11.1 Release (#318) * Include missing change from master (#310) * Deliver 8.11 Release (#290) * enable FIPS * https://github.ibm.com/dba/icp4a-odm/issues/576 * https://github.ibm.com/dba/icp4a-odm/issues/567 * https://github.ibm.com/dba/icp4a-odm/issues/580 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/576 * enable FIPS by default on Docker image * move FIPS enable on amd64 base image only * Update or add context-param in web.xml runtime * Allow to specify a docker builder image. (#275) * Allow to specify a docker builder image. * Remove volume section * Use dockerbuilder env variable * Improve build by adding the capability to override the settings.xml for the maven part * Try to fix bamboo build * Update setting.xml * remove decision-center-client-api.zip build * Add authentication customization in web.xml using ENABLE_TLS_AUTH env var * update IAM tests * https://github.ibm.com/dba/icp4a-odm/issues/549 * update IAM tests * removing teamserver from md doc * referencing teamserver not needed anymore * removing teamserver from md doc * https://github.ibm.com/dba/icp4a-odm/issues/511 * Move to github action (#279) * pb with rm swidtag on OKD * Move to new release. * Renamed workflow * no message * First try * Get docker-compose * Env variables are not in a list, it's a YAML dict * Try sudo * Try the full chain * Don't know what the (failing) egrep is about * Try to download ODM dist from right place * Debug * Try to get right value from secret * Try sth else * 8.10.5.1 seems to be unavailable * Debug * Removed debug * Update the VM * Try to get meaningful error messages * Try another way to build Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> * Rename settings file * Refresh liberty + Upgrade to Postgresql13 * Move to the latest postgresql version. No that the 42.2.19 version include fixes in sasl protocol. * restore teamserver-dbdump war copy * https://github.ibm.com/dba/icp4a-odm/issues/612 * Change VTT to pull images * Change VTT To pull images * Refresh liberty version to 21.0.0.9 * Update build.sh * take into account server config in demo mode with contextroot DBACLD-11443 * Implement support of context root in case of db sample. * Update description in Dockerhub (#280) * keycloak material * Fix issue tracker link * Fix download of the postgresql driver * Fix download of the postgresql driver. * Typo to retrieve the jar files. * move to client_credentials grant_type * Add -Xshareclasses:none jvm option in keytool commands (#281) * adapt server update in demo mode for Zen * put RuleDesigner files under assets * forgor RD provider template * typo * missing context root replace * replace URL internal service token URL endpoint by external URL * typo * Move the actions build to 8.10.5.1 Release (#285) * to trigger action * Update to 8.10.5.1 release * disable ALL_AUTHENTICATED_USER for rtsUser * Prepare next release. License update. * Add doc for metering annotation (#284) * Add new md file to document metering annotations * Add example * Update README-license-annotations.md I added a few mentions to "custom ODM containers" * Fix example to use res * Fix image name * Update after review Co-authored-by: avi44522 <antviaud@gmail.com> * Fix productVersion value (#286) * Update ODM version * move UMS server * https://jsw.ibm.com/browse/DBACLD-16340 * update eclipse version * Update to raw version * Add env var USERS_PASSWORD to configure the password used for the default users in standalone image * Fix sed * remove teamserver URL * change the ODM doc link * update free image welcome page * new www.ibm.com & doc cert * Try to fix KPI Issue * Fix build * Fix prod build * Fix last kpi * Update doc links for 8.11.0.0 * Update build-and-test.yml Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> * Bump httpclient from 4.5.2 to 4.5.13 in /standalone/samples/loan-server (#270) Bumps httpclient from 4.5.2 to 4.5.13. --- updated-dependencies: - dependency-name: org.apache.httpcomponents:httpclient dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * https://jsw.ibm.com/browse/DBACLD-31678 make server definition editable * https://jsw.ibm.com/browse/DBACLD-31678 update server password * Update README-license-annotations.md (#292) Added a line to indicate that the annotations are also valid for ODM 8.10.5.1 * Update README.md (#291) Replaced link to old Developer Center by one to the BA community - Decision Management topic. * Simplify merge Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Remove hack to workaround issue https://www.ibm.com/support/pages/apar/IJ39517 Workaround * https://jsw.ibm.com/browse/DBACLD-54232 * lib directory not necessary any more * https://jsw.ibm.com/browse/DBACLD-53629 * missing decisionmodel URL config * https://jsw.ibm.com/browse/DBACLD-53629 * https://jsw.ibm.com/browse/DBACLD-53629 * keep only decision services in samples * https://jsw.ibm.com/browse/DBACLD-55813 * https://jsw.ibm.com/browse/DBACLD-58998 * Add possibility to pass db-config credentials as volume mount * Add possibility to pass tls passwords as volume mount * Add possibility to pass Openid credentials as volume mount * Add possibility to pass dba env context as volume mount * Add possibility to pass db ssl trustore password as volume mount * Fix indentation * Fix indentation * Fix tls configuration * Add possibility to pass Postgres credentials as volume mount * Try to fix usage of postgres credentials file * DBACLD-9972 : DecisionRunner diagnostic failed sometimes * https://jsw.ibm.com/browse/DBACLD-59255 * https://jsw.ibm.com/browse/DBACLD-59255 * Fix usage of postgres credentials files * https://jsw.ibm.com/browse/DBACLD-59255 * https://jsw.ibm.com/browse/DBACLD-59255 * Improve rundb.sh to depend on POSTGRESQL_USER_FILE env var * Fix tls secret config path * DBACLD-56118 - Add checkdb script (#314) Add checkdb.sh script to replace command line in init container * DBACLD-56118 - Fix Permission denied error for checkdb.sh in postgres official image * missing -J-Xshareclasses:none option with keytool * Fix DBACLD-62930 Fix CVE-2022-31197 Postgres 42.3.3-> 42.4.1 or above. on Postgresql driver * Sync up Dockerhub description with the committed version * DBACLD-55794 Add Getting Started link in the landing page. * Update README.md * https://jsw.ibm.com/browse/DBACLD-65956 * bad place for the new logoutTokenParam parameter in the template * use an always present property as last place * https://jsw.ibm.com/browse/DBACLD-65621 * https://jsw.ibm.com/browse/DBACLD-65621 * Update README.md * Update README.md * always provide a downloadable truststore.jks * Add classloader on rest-api - case TS010968326 * move /res/api endpoint filter * Change doc version * Update License : DBACLD-70802 * Update full-description.md * Update full-description.md * Update .env * Update README.md * update badge * fix badges * improve badge * Use Acvtion instead of Travis * Fix secret name * ODM 8.11.1 Release Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fredibm <35365560+fredibm@users.noreply.github.com> Co-authored-by: cmosbach <c.mosbach@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <31895642+PYLochou@users.noreply.github.com> * Update README.md Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fredibm <35365560+fredibm@users.noreply.github.com> Co-authored-by: cmosbach <c.mosbach@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <31895642+PYLochou@users.noreply.github.com> * https://jsw.ibm.com/browse/DBACLD-75171 * Fix after assessment (#320) * 8.11.1 Release (#318) * Include missing change from master (#310) * Deliver 8.11 Release (#290) * enable FIPS * https://github.ibm.com/dba/icp4a-odm/issues/576 * https://github.ibm.com/dba/icp4a-odm/issues/567 * https://github.ibm.com/dba/icp4a-odm/issues/580 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/575 * https://github.ibm.com/dba/icp4a-odm/issues/576 * enable FIPS by default on Docker image * move FIPS enable on amd64 base image only * Update or add context-param in web.xml runtime * Allow to specify a docker builder image. (#275) * Allow to specify a docker builder image. * Remove volume section * Use dockerbuilder env variable * Improve build by adding the capability to override the settings.xml for the maven part * Try to fix bamboo build * Update setting.xml * remove decision-center-client-api.zip build * Add authentication customization in web.xml using ENABLE_TLS_AUTH env var * update IAM tests * https://github.ibm.com/dba/icp4a-odm/issues/549 * update IAM tests * removing teamserver from md doc * referencing teamserver not needed anymore * removing teamserver from md doc * https://github.ibm.com/dba/icp4a-odm/issues/511 * Move to github action (#279) * pb with rm swidtag on OKD * Move to new release. * Renamed workflow * no message * First try * Get docker-compose * Env variables are not in a list, it's a YAML dict * Try sudo * Try the full chain * Don't know what the (failing) egrep is about * Try to download ODM dist from right place * Debug * Try to get right value from secret * Try sth else * 8.10.5.1 seems to be unavailable * Debug * Removed debug * Update the VM * Try to get meaningful error messages * Try another way to build Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> * Rename settings file * Refresh liberty + Upgrade to Postgresql13 * Move to the latest postgresql version. No that the 42.2.19 version include fixes in sasl protocol. * restore teamserver-dbdump war copy * https://github.ibm.com/dba/icp4a-odm/issues/612 * Change VTT to pull images * Change VTT To pull images * Refresh liberty version to 21.0.0.9 * Update build.sh * take into account server config in demo mode with contextroot DBACLD-11443 * Implement support of context root in case of db sample. * Update description in Dockerhub (#280) * keycloak material * Fix issue tracker link * Fix download of the postgresql driver * Fix download of the postgresql driver. * Typo to retrieve the jar files. * move to client_credentials grant_type * Add -Xshareclasses:none jvm option in keytool commands (#281) * adapt server update in demo mode for Zen * put RuleDesigner files under assets * forgor RD provider template * typo * missing context root replace * replace URL internal service token URL endpoint by external URL * typo * Move the actions build to 8.10.5.1 Release (#285) * to trigger action * Update to 8.10.5.1 release * disable ALL_AUTHENTICATED_USER for rtsUser * Prepare next release. License update. * Add doc for metering annotation (#284) * Add new md file to document metering annotations * Add example * Update README-license-annotations.md I added a few mentions to "custom ODM containers" * Fix example to use res * Fix image name * Update after review Co-authored-by: avi44522 <antviaud@gmail.com> * Fix productVersion value (#286) * Update ODM version * move UMS server * https://jsw.ibm.com/browse/DBACLD-16340 * update eclipse version * Update to raw version * Add env var USERS_PASSWORD to configure the password used for the default users in standalone image * Fix sed * remove teamserver URL * change the ODM doc link * update free image welcome page * new www.ibm.com & doc cert * Try to fix KPI Issue * Fix build * Fix prod build * Fix last kpi * Update doc links for 8.11.0.0 * Update build-and-test.yml Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> * Bump httpclient from 4.5.2 to 4.5.13 in /standalone/samples/loan-server (#270) Bumps httpclient from 4.5.2 to 4.5.13. --- updated-dependencies: - dependency-name: org.apache.httpcomponents:httpclient dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * https://jsw.ibm.com/browse/DBACLD-31678 make server definition editable * https://jsw.ibm.com/browse/DBACLD-31678 update server password * Update README-license-annotations.md (#292) Added a line to indicate that the annotations are also valid for ODM 8.10.5.1 * Update README.md (#291) Replaced link to old Developer Center by one to the BA community - Decision Management topic. * Simplify merge Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Remove hack to workaround issue https://www.ibm.com/support/pages/apar/IJ39517 Workaround * https://jsw.ibm.com/browse/DBACLD-54232 * lib directory not necessary any more * https://jsw.ibm.com/browse/DBACLD-53629 * missing decisionmodel URL config * https://jsw.ibm.com/browse/DBACLD-53629 * https://jsw.ibm.com/browse/DBACLD-53629 * keep only decision services in samples * https://jsw.ibm.com/browse/DBACLD-55813 * https://jsw.ibm.com/browse/DBACLD-58998 * Add possibility to pass db-config credentials as volume mount * Add possibility to pass tls passwords as volume mount * Add possibility to pass Openid credentials as volume mount * Add possibility to pass dba env context as volume mount * Add possibility to pass db ssl trustore password as volume mount * Fix indentation * Fix indentation * Fix tls configuration * Add possibility to pass Postgres credentials as volume mount * Try to fix usage of postgres credentials file * DBACLD-9972 : DecisionRunner diagnostic failed sometimes * https://jsw.ibm.com/browse/DBACLD-59255 * https://jsw.ibm.com/browse/DBACLD-59255 * Fix usage of postgres credentials files * https://jsw.ibm.com/browse/DBACLD-59255 * https://jsw.ibm.com/browse/DBACLD-59255 * Improve rundb.sh to depend on POSTGRESQL_USER_FILE env var * Fix tls secret config path * DBACLD-56118 - Add checkdb script (#314) Add checkdb.sh script to replace command line in init container * DBACLD-56118 - Fix Permission denied error for checkdb.sh in postgres official image * missing -J-Xshareclasses:none option with keytool * Fix DBACLD-62930 Fix CVE-2022-31197 Postgres 42.3.3-> 42.4.1 or above. on Postgresql driver * Sync up Dockerhub description with the committed version * DBACLD-55794 Add Getting Started link in the landing page. * Update README.md * https://jsw.ibm.com/browse/DBACLD-65956 * bad place for the new logoutTokenParam parameter in the template * use an always present property as last place * https://jsw.ibm.com/browse/DBACLD-65621 * https://jsw.ibm.com/browse/DBACLD-65621 * Update README.md * Update README.md * always provide a downloadable truststore.jks * Add classloader on rest-api - case TS010968326 * move /res/api endpoint filter * Change doc version * Update License : DBACLD-70802 * Update full-description.md * Update full-description.md * Update .env * Update README.md * update badge * fix badges * improve badge * Use Acvtion instead of Travis * Fix secret name * ODM 8.11.1 Release Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fredibm <35365560+fredibm@users.noreply.github.com> Co-authored-by: cmosbach <c.mosbach@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <31895642+PYLochou@users.noreply.github.com> * Update README.md * Some update about versions and link broken Co-authored-by: mathias-mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fredibm <35365560+fredibm@users.noreply.github.com> Co-authored-by: cmosbach <c.mosbach@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <31895642+PYLochou@users.noreply.github.com> * https://jsw.ibm.com/browse/DBACLD-75162 * https://jsw.ibm.com/browse/DBACLD-75162 * Fix links in welcome page * https://jsw.ibm.com/browse/DBACLD-76886 * try to fix MAT tests issues * try to hide warning on jaxb * Fix for JDK 11 support * https://jsw.ibm.com/browse/DBACLD-78354 * Fix DBACLD-79445 duplicate context-root * Improve fix DBACLD-79445 duplicate context-root * https://jsw.ibm.com/browse/DBACLD-74128 * Fix DBACLD-79445 * https://jsw.ibm.com/browse/DBACLD-79785 * https://jsw.ibm.com/browse/DBACLD-79965 * Fix issue following the move to jdk 11 : DBACLD-76865 * Fix Free image testing * https://jsw.ibm.com/browse/DBACLD-74128 * upgrade maven-compiler-plugin * add javax.xml.bind dependency * fix properties * Add /opt/ibm/version.txt in the container. DBACLD-81018 * Missing file :DBACLD-81018 * Miss to copy version file. * https://jsw.ibm.com/browse/DBACLD-79785 * replace JKS by p12 on DB2 * replace JKS by p12 on DB2 * remove sslVersion to check if really necessary * sslVersion="TLSv1.2" is compulsory for DB2 SSL * https://jsw.ibm.com/browse/DBACLD-79965 * https://jsw.ibm.com/browse/DBACLD-79965 * Work on DBACLD-83524 * https://jsw.ibm.com/browse/DBACLD-85745 * Fix copyright for 2023: DBACLD-90119 * best managed by diagnostic * https://jsw.ibm.com/browse/DBACLD-87369 * https://jsw.ibm.com/browse/DBACLD-87369 * Enable final liberty version 23.0.0.3 version * https://jsw.ibm.com/browse/DBACLD-87369 * Refresh sample db for 8.12 Release * Improve stability of the build * Improve stability of the production image build * Fix labels in Dockerfiles (#327) * Fix docker labels to respect best practices * Add labels in dc to be consistent * DBACLD-72801 - Add a script to validate an ODM instance (#323) * First version of the script * Factorize curl request * Create functions * Create main function * Add usage and parameters * Fix parse_args function * Add test of Loan Validation ruleset * Clean script * Improve curlRequest to accept json filename * Improve script to manage url with spaces * Add OpenId support * Add error catching for getDeploymentIds function * Remove trailing slash * USe DSR to test ruleset and add response payload validation * Fix waiting for test completion * Handle errors in curlRequest function * Add error function * Handle errors in setDecisionServiceId function * Handle errors in runTestSuite function * Handle errors in getDeploymentIds function * Handle errors in deployRuleApp function * Handle errors in verifyRuleApp function * Handle errors in testRuleSet function * Log sucess uin green in terminal * Add default value for error code return * Use configuration file to get script parameters * Add a config file template * Add json test definition and expected response * Add timeout for while loop * Refactor to deploy and verify in one loop * Add optional clean at the end of the script * Add README and fix typos * Improve function to get deployment information and create a clean function * Add ruleapp version * Improve functions to get and use decision service id * Improve doc * Improve script name * Fix format for openId URL variable * Download Loan_Validation_Service.zip file if it does not exist locally * Do not ask for cleaning at the end of the script * Move script to validate odm in contrib folder * Improve verification of ruleApp deployment * Test if zip file is valid * Simplify by removing -f option and using .env file or environment variables * Fix error hadnling when import in DC fails * Improve error handling * Improve logs * Improve script documentation * Add image for article * Improve README and reorganize folder * Improve README * Fix error handling when import fail * Fix wait for test * Add spinner when waiting for longer steps * Fix error handling when testing ruleApp deployment * Fix syntaxe and typos after first review * Create a zip file automatically at publication (#324) * First version of the script * Factorize curl request * Create functions * Create main function * Add usage and parameters * Fix parse_args function * Add test of Loan Validation ruleset * Clean script * Improve curlRequest to accept json filename * Improve script to manage url with spaces * Add OpenId support * Add error catching for getDeploymentIds function * Remove trailing slash * USe DSR to test ruleset and add response payload validation * Fix waiting for test completion * Handle errors in curlRequest function * Add error function * Handle errors in setDecisionServiceId function * Handle errors in runTestSuite function * Handle errors in getDeploymentIds function * Handle errors in deployRuleApp function * Handle errors in verifyRuleApp function * Handle errors in testRuleSet function * Log sucess uin green in terminal * Add default value for error code return * Use configuration file to get script parameters * Add a config file template * Add json test definition and expected response * Add timeout for while loop * Refactor to deploy and verify in one loop * Add optional clean at the end of the script * Add README and fix typos * Improve function to get deployment information and create a clean function * Add ruleapp version * Improve functions to get and use decision service id * Improve doc * Improve script name * Fix format for openId URL variable * Download Loan_Validation_Service.zip file if it does not exist locally * Do not ask for cleaning at the end of the script * Move script to validate odm in contrib folder * Improve verification of ruleApp deployment * Test if zip file is valid * Simplify by removing -f option and using .env file or environment variables * Fix error hadnling when import in DC fails * Improve error handling * Improve logs * Improve script documentation * Add image for article * Improve README and reorganize folder * Improve README * Add Download button in README * Add workflow to create a draft release and add zip asset when pushing v* tag * Add workflow to create a branch and update the Download link when publishing a release * Fix script permission * Fix README * Improve validate-odm script documentation following review * Update full-description.md Remove specificity about Memory for mac * Remove deprecated feature * Remove Rule Designer section as it's for ODM on Cloud * Change version * Remove decision model from the docs * DBACLD-93708 Update Licenses for the next release * Update ODM version * Replace wget with curl and increase timeout to get test suite result * Miss some locale Licenses file. * Prepare 8.12.0 delivery. change from 8.11 to 8.12 * 8.12 Delivery * Update build-and-test.yml * Update full-description.md * Fix asset creation workflow * Fix branch creation workflow when publishing * Improve ARM Support * #DBACLD-97272 Import Private Certifiate * try fix build * Fix build for ARM * Fix CP4BA Version * add PKCE and private key JWT support * remove not needed clientSecret * liberty change the way to register private key * https://jsw.ibm.com/browse/DBACLD-81167 * https://jsw.ibm.com/browse/DBACLD-79811 * https://jsw.ibm.com/browse/DBACLD-79811 * Add date and architecture informations * https://jsw.ibm.com/browse/DBACLD-79811 * Update .env temporary rollback to see if it fixes ZEN Demo Mode tests * Docker image manage P12 format internally : DBACLD-104767 Replace JKS support by P12 format * Fix bad commit * update IBM cert * missing JVM option * Enable FISP nssdb DBACLD-104767 (#334) * Enable FISP nssdb DBACLD-104767 * Resolv conflict --------- Co-authored-by: root <root@fips-dev1.fyre.ibm.com> * missing directory creation for FIPS * DBACLD-79811 Revert hack to workaround SOLR FIPS issue. * Try new liberty version * load public certificate with same alias than private * load public certificate with same alias than private * Systematically download latest working version of loan services * Update enablefips-java.security Try to fix cp4ba FIPS deployment from DC to RES * Trust certs as in https://openliberty.io/docs/latest/enable-fips.html * Update README.md * try to use pcks12 format in FIPS * Update .env Switch Liberty images 23.0.0.9 DBACLD-109060 * Fix issue issue with ltpa token configuration on 23.0.0.9 Release. DBACLD-109060 * DBACLD-79811 always import cert in nssdb * Update enablefips-java.security * DBACLD-109819 Renew automically the IBM certificate. * update dbserver sample demo * https://jsw.ibm.com/browse/DBACLD-110112 * remaining decisionmodel extract * Revert "DBACLD-79811 always import cert in nssdb" This reverts commit f8e3932. * https://jsw.ibm.com/browse/DBACLD-112133 * Add mpmetric feature * Update build.sh * Update images (#337) * Draft of the update image contribution * Update after testing on an x86 machine * README for update images * Update README.md * Update README.md * Update README.md * updat table of content * Update .env * Update README.md * Update README.md * Update build.sh (#338) * Update full-description.md * Update full-description.md * Add arm64 --------- Co-authored-by: Mathias Mouly <mathias.mouly@fr.ibm.com> Co-authored-by: Julie Garrone <julie.garrone@fr.ibm.com> Co-authored-by: Julie Garrone <47252804+julie-garrone@users.noreply.github.com> Co-authored-by: Pierre-Yves Lochou <pylochou@fr.ibm.com> Co-authored-by: avi44522 <antviaud@gmail.com> Co-authored-by: julie-garrone <julie.garrone@fr.ibm.om> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: fredibm <35365560+fredibm@users.noreply.github.com> Co-authored-by: cmosbach <c.mosbach@fr.ibm.com> Co-authored-by: Pierre-Yves Lochou <31895642+PYLochou@users.noreply.github.com> Co-authored-by: root <root@fips-dev1.fyre.ibm.com>
DecisionsDev · Dec 11, 2023 · 0863138 · 0863138
1 parent 6692a8c
commit 0863138
Show file tree

Hide file tree

Showing 45 changed files with 655 additions and 238 deletions.
diff --git a/.env b/.env
@@ -2,7 +2,7 @@
 ODMVERSION=8.12.0.0
 
 # CP4BA product version
-CP4BAVERSION=23.0.1
+CP4BAVERSION=23.2.0
 
 # ODM database schema version
 ODMDBVERSION=8.12.next
@@ -11,7 +11,7 @@ ODMDBVERSION=8.12.next
 ODMDOCKERDIR=odm-ondocker
 
 # Image use to do multistage build
-FROMDOCKERBUILD=maven:3.8.7-eclipse-temurin-11-alpine
+FROMDOCKERBUILD=maven:3.9.3-ibm-semeru-11-focal
 
 # Repository name of the images
 REPOSITORY=ibmcom
@@ -20,7 +20,7 @@ REPOSITORY=ibmcom
 PREFIXIMAGE=odm
 
 # Liberty Version
-FROMLIBERTY=ibmcom/websphere-liberty:23.0.0.3-kernel-java11-openj9-ubi
+FROMLIBERTY=ibmcom/websphere-liberty:23.0.0.9-kernel-java11-openj9-ubi
 
 # Postgres Version
 FROMPOSTGRES=postgres:13

diff --git a/azuread/AzureADProvider.json b/azuread/AzureADProvider.json
@@ -0,0 +1,13 @@
+{
+  "providers": [
+    {
+        "grantType": "password",
+        "authorizationURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/authorize",
+        "tokenURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/token",
+        "logoutURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/logout",
+        "clientId": "b173bdb8-fd2c-4208-aef7-773df33456bb",
+        "scope": "b173bdb8-fd2c-4208-aef7-773df33456bb/.default",
+        "name": "azure_ad"
+    }
+  ]
+}
diff --git a/azuread/openIdParameters.properties b/azuread/openIdParameters.properties
@@ -0,0 +1,7 @@
+OPENID_SERVER_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334
+OPENID_PROVIDER=azure_ad
+OPENID_AUTHORIZATION_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/authorize
+OPENID_TOKEN_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/token
+OPENID_CLIENT_ID=b173bdb8-fd2c-4208-aef7-773df33456bb
+OPENID_LOGOUT_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/logout
+OPENID_ALLOWED_DOMAINS=login.microsoftonline.com,login.w3.ibm.com
diff --git a/azuread/openIdWebSecurity.xml b/azuread/openIdWebSecurity.xml
@@ -0,0 +1,25 @@
+<server>
+
+  <variable name="ServerHost" value="https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334"/>
+
+  <!-- Open ID Connect -->
+  <!-- Client with inbound propagation set to supported -->
+  <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid" accessTokenInLtpaCookie="true"
+                       clientId="b173bdb8-fd2c-4208-aef7-773df33456bb" pkceCodeChallengeMethod="S256"
+                       signatureAlgorithm="RS256" inboundPropagation="supported"
+                       jwkEndpointUrl="${ServerHost}/discovery/v2.0/keys"
+                       issuerIdentifier="${ServerHost}/v2.0"
+                       authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize"
+                       tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token"
+                       userIdentifier="email" groupIdentifier="groups" audiences="ALL_AUDIENCES"/>
+
+  <!-- Client with inbound propagation set to required -->
+  <openidConnectClient authFilterRef="apiAuthFilter" id="odmapi" scope="openid"
+                       clientId="b173bdb8-fd2c-4208-aef7-773df33456bb"
+                       signatureAlgorithm="RS256" inboundPropagation="required"
+                       jwkEndpointUrl="${ServerHost}/discovery/v2.0/keys"
+                       issuerIdentifier="${ServerHost}/v2.0"
+                       authorizationEndpointUrl="${ServerHost}/oauth2/v2.0/authorize"
+                       tokenEndpointUrl="${ServerHost}/oauth2/v2.0/token"
+                       userIdentifier="aud" groupIdentifier="groups" audiences="ALL_AUDIENCES"/>
+</server>
diff --git a/azuread/webSecurity.xml b/azuread/webSecurity.xml
@@ -0,0 +1,29 @@
+<server>
+  <basicRegistry id="basic" realm="basic">
+    <user name="odmAdmin" password="odmAdmin"/>
+    <group name="basicAdministrators">
+      <member name="odmAdmin" />
+    </group>
+</basicRegistry>
+<variable name="odm.resAdministrators.group2" value="group:basic/basicAdministrators"/>
+<variable name="odm.resExecutors.group2" value="group:basic/basicAdministrators"/>
+<variable name="odm.rtsAdministrators.group2" value="group:basic/basicAdministrators"/>
+
+
+<!-- group mapping to authorize users of the OKTA_ODM_GROUP group -->
+<variable name="group1" value="group:https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/v2.0/1e21bc53-8eed-4b4e-8edd-2d8e2fdc7e27"/>
+
+<variable name="odm.rtsAdministrators.group1" value="${group1}"/>
+<variable name="odm.rtsInstallers.group1" value="${group1}"/>
+<variable name="odm.rtsConfigManagers.group1" value="${group1}"/>
+<variable name="odm.resAdministrators.group1" value="${group1}"/>
+<variable name="odm.resDeployers.group1" value="${group1}"/>
+<variable name="odm.resMonitors.group1" value="${group1}"/>
+<variable name="odm.resExecutors.group1" value="${group1}"/>
+
+<variable name="user1" value="user:https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/v2.0/b173bdb8-fd2c-4208-aef7-773df33456bb"/>
+
+<variable name="odm.resAdministrators.user1" value="${user1}"/>
+<variable name="odm.resDeployers.user1" value="${user1}"/>
+
+</server>
diff --git a/build.sh b/build.sh
@@ -25,7 +25,7 @@ source .env
 echo "Using this properties from .env file."
 cat .env
 docker run --user 'root' -v $PWD/wlp:/opt/wlp  $FROMLIBERTY  /bin/sh -c "mkdir -p /opt/wlp ;\
- installUtility download openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
+ installUtility download mpMetrics-2.3 openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
   microProfile-1.0 microProfile-1.2 microProfile-1.3 microProfile-1.4 monitor-1.0 restConnector-1.0 \
   requestTiming-1.0 restConnector-2.0 sessionDatabase-1.0 ssl-1.0 transportSecurity-1.0 webCache-1.0 \
   webProfile-7.0 webProfile-7.0 --location=/opt/wlp"

diff --git a/common/config/authOidc/openIdWebSecurityTemplate.xml b/common/config/authOidc/openIdWebSecurityTemplate.xml
@@ -6,7 +6,7 @@
   <!-- Client with inbound propagation set to supported -->
   <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid" accessTokenInLtpaCookie="true"
 		       clientId="__OPENID_CLIENT_ID__" clientSecret="__OPENID_CLIENT_SECRET__"
-		       signatureAlgorithm="RS256" inboundPropagation="supported"
+		       signatureAlgorithm="RS256" inboundPropagation="supported" tokenReuse="true"
 		       jwkEndpointUrl="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__/jwk"
 		       issuerIdentifier="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__"
                        authorizationEndpointUrl="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__/authorize"
@@ -16,7 +16,7 @@
   <!-- Client with inbound propagation set to required -->
   <openidConnectClient authFilterRef="apiAuthFilter" id="odmapi" scope="openid" audiences="ALL_AUDIENCES"
 		       clientId="__OPENID_CLIENT_ID__" clientSecret="__OPENID_CLIENT_SECRET__"
-		       signatureAlgorithm="RS256" inboundPropagation="required"
+		       signatureAlgorithm="RS256" inboundPropagation="required" tokenReuse="true"
 		       jwkEndpointUrl="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__/jwk"
 		       issuerIdentifier="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__"
                        authorizationEndpointUrl="${ServerHost}/oidc/endpoint/__OPENID_PROVIDER__/authorize"

diff --git a/common/config/jvm/enablefips-java-pkcs12.security b/common/config/jvm/enablefips-java-pkcs12.security
@@ -0,0 +1,5 @@
+RestrictedSecurity1.jce.provider.5 = SunJCE [{AlgorithmParameters, PBEWithSHA1AndDESede, *}, \
+{AlgorithmParameters, PBEWithMD5AndDES, *}, \
+{SecretKeyFactory, PBEWithMD5AndDES, *}, \
+{Cipher, PBEWithSHA1AndDESede, *}, \
+{Mac, HmacPBESHA1, *}]
diff --git a/common/config/jvm/enablefips-java.security b/common/config/jvm/enablefips-java.security
@@ -1,11 +1,68 @@
-security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
-security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
-security.provider.3=com.ibm.crypto.provider.IBMJCE
-security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
-security.provider.5=com.ibm.security.cert.IBMCertPath
-security.provider.6=com.ibm.security.sasl.IBMSASL
-security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
-security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
-security.provider.9=org.apache.harmony.security.provider.PolicyProvider
-security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
-jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC, RSAPSS, RSASSA-PSS5
+RestrictedSecurity1.jce.provider.5 = SunJCE [{AlgorithmParameters, PBES2, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA1AndAES_128, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA1AndAES_256, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA224AndAES_128, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA224AndAES_256, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA256AndAES_128, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA256AndAES_256, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA384AndAES_128, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA384AndAES_256, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA512AndAES_128, *}, \
+    {AlgorithmParameters, PBEWithHmacSHA512AndAES_256, *}, \
+    {AlgorithmParameters, PBEWithMD5AndDES, *}, \
+    {AlgorithmParameters, PBEWithMD5AndTripleDES, *}, \
+    {AlgorithmParameters, PBEWithSHA1AndDESede, *}, \
+    {AlgorithmParameters, PBEWithSHA1AndRC2_128, *}, \
+    {AlgorithmParameters, PBEWithSHA1AndRC2_40, *}, \
+    {AlgorithmParameters, PBEWithSHA1AndRC4_128, *}, \
+    {AlgorithmParameters, PBEWithSHA1AndRC4_40, *}, \
+    {Cipher, PBEWithHmacSHA1AndAES_128, *}, \
+    {Cipher, PBEWithHmacSHA1AndAES_256, *}, \
+    {Cipher, PBEWithHmacSHA224AndAES_128, *}, \
+    {Cipher, PBEWithHmacSHA224AndAES_256, *}, \
+    {Cipher, PBEWithHmacSHA256AndAES_128, *}, \
+    {Cipher, PBEWithHmacSHA256AndAES_256, *}, \
+    {Cipher, PBEWithHmacSHA384AndAES_128, *}, \
+    {Cipher, PBEWithHmacSHA384AndAES_256, *}, \
+    {Cipher, PBEWithHmacSHA512AndAES_128, *}, \
+    {Cipher, PBEWithHmacSHA512AndAES_256, *}, \
+    {Cipher, PBEWithMD5AndDES, *}, \
+    {Cipher, PBEWithMD5AndTripleDES, *}, \
+    {Cipher, PBEWithSHA1AndDESede, *}, \
+    {Cipher, PBEWithSHA1AndRC2_128, *}, \
+    {Cipher, PBEWithSHA1AndRC2_40, *}, \
+    {Cipher, PBEWithSHA1AndRC4_128, *}, \
+    {Cipher, PBEWithSHA1AndRC4_40, *}, \
+    {Mac, HmacPBESHA1, *}, \
+    {Mac, HmacPBESHA224, *}, \
+    {Mac, HmacPBESHA256, *}, \
+    {Mac, HmacPBESHA384, *}, \
+    {Mac, HmacPBESHA512, *}, \
+    {Mac, PBEWithHmacSHA1, *}, \
+    {Mac, PBEWithHmacSHA224, *}, \
+    {Mac, PBEWithHmacSHA256, *}, \
+    {Mac, PBEWithHmacSHA384, *}, \
+    {Mac, PBEWithHmacSHA512, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA1AndAES_128, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA1AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA224AndAES_128, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA224AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA256AndAES_128, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA256AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA384AndAES_128, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA384AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA512AndAES_128, *}, \
+    {SecretKeyFactory, PBEWithHmacSHA512AndAES_256, *}, \
+    {SecretKeyFactory, PBEWithMD5AndDES, *}, \
+    {SecretKeyFactory, PBEWithMD5AndTripleDES, *}, \
+    {SecretKeyFactory, PBEWithSHA1AndDESede, *}, \
+    {SecretKeyFactory, PBEWithSHA1AndRC2_128, *}, \
+    {SecretKeyFactory, PBEWithSHA1AndRC2_40, *}, \
+    {SecretKeyFactory, PBEWithSHA1AndRC4_128, *}, \
+    {SecretKeyFactory, PBEWithSHA1AndRC4_40, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA1, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA224, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA256, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA384, *}, \
+    {SecretKeyFactory, PBKDF2WithHmacSHA512, *}, \
+    {AlgorithmParameters, AES, *}]
diff --git a/common/config/jvm/pkcs11cfg.cfg b/common/config/jvm/pkcs11cfg.cfg
@@ -0,0 +1,4 @@
+name = NSS-FIPS
+library = /usr/lib64/libsoftokn3.so
+slot = 3
+showInfo=true
diff --git a/common/config/tlsSecurity.xml b/common/config/tlsSecurity.xml
@@ -1,6 +1,6 @@
 <server>
   <sslDefault sslRef="odmDefaultSSLConfig" />
   <ssl id="odmDefaultSSLConfig" keyStoreRef="odmDefaultKeyStore" trustStoreRef="odmDefaultTrustStore" sslProtocol="TLSv1.2" enabledCiphers="ENABLED_CIPHERS" />
-  <keyStore id="odmDefaultKeyStore" location="/config/security/keystore.jks" password="__KEYSTORE_PASSWORD__" type="JKS" />
-  <keyStore id="odmDefaultTrustStore" location="/config/security/truststore.jks" password="__TRUSTSTORE_PASSWORD__" type="JKS" />
+  <keyStore id="odmDefaultKeyStore" location="/config/security/keystore.p12" password="__KEYSTORE_PASSWORD__" type="PKCS12" />
+  <keyStore id="odmDefaultTrustStore" location="/config/security/truststore.p12" password="__TRUSTSTORE_PASSWORD__" type="PKCS12" />
 </server>
diff --git a/common/config/tlsSecurityFIPS.xml b/common/config/tlsSecurityFIPS.xml
@@ -0,0 +1,5 @@
+<server>
+  <sslDefault sslRef="odmDefaultSSLConfig" />
+  <ssl id="odmDefaultSSLConfig" keyStoreRef="odmDefaultKeyStore"  sslProtocol="TLSv1.2" enabledCiphers="ENABLED_CIPHERS" />
+  <keyStore id="odmDefaultKeyStore" location="/config/jvm/pkcs11cfg.cfg" type="PKCS11-NSS-FIPS" fileBased="false" password="__KEYSTORE_PASSWORD__" provider="SunPKCS11-NSS-FIPS"/>
+</server>
diff --git a/common/resources/.nodelete b/common/resources/.nodelete
diff --git a/common/resources/ibm-docs.crt b/common/resources/ibm-docs.crt