diff --git a/.env b/.env
index 3a7c8ddf..c828fa6b 100644
--- a/.env
+++ b/.env
@@ -2,7 +2,7 @@
ODMVERSION=8.12.0.0
# CP4BA product version
-CP4BAVERSION=23.0.1
+CP4BAVERSION=23.2.0
# ODM database schema version
ODMDBVERSION=8.12.next
@@ -11,7 +11,7 @@ ODMDBVERSION=8.12.next
ODMDOCKERDIR=odm-ondocker
# Image use to do multistage build
-FROMDOCKERBUILD=maven:3.8.7-eclipse-temurin-11-alpine
+FROMDOCKERBUILD=maven:3.9.3-ibm-semeru-11-focal
# Repository name of the images
REPOSITORY=ibmcom
@@ -20,7 +20,7 @@ REPOSITORY=ibmcom
PREFIXIMAGE=odm
# Liberty Version
-FROMLIBERTY=ibmcom/websphere-liberty:23.0.0.3-kernel-java11-openj9-ubi
+FROMLIBERTY=ibmcom/websphere-liberty:23.0.0.9-kernel-java11-openj9-ubi
# Postgres Version
FROMPOSTGRES=postgres:13
diff --git a/azuread/AzureADProvider.json b/azuread/AzureADProvider.json
new file mode 100644
index 00000000..61159b00
--- /dev/null
+++ b/azuread/AzureADProvider.json
@@ -0,0 +1,13 @@
+{
+ "providers": [
+ {
+ "grantType": "password",
+ "authorizationURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/authorize",
+ "tokenURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/token",
+ "logoutURL": "https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/logout",
+ "clientId": "b173bdb8-fd2c-4208-aef7-773df33456bb",
+ "scope": "b173bdb8-fd2c-4208-aef7-773df33456bb/.default",
+ "name": "azure_ad"
+ }
+ ]
+}
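Review bot: The sample hard-codes what look like a real tenant GUID and application (client) ID in `authorizationURL`, `tokenURL`, `logoutURL`, `clientId` and `scope`, and azuread/openIdParameters.properties repeats the same values. These identifiers are not secrets, but a checked-in sample that points at a live tenant invites copy-paste deployments against the wrong directory. Placeholders in the style of decisioncenter/config/OdmOidcProviders.json (`"clientId": "OPENID_CLIENT_ID"`) would be safer. `"grantType": "password"` also deserves a second look: if it selects the resource-owner password flow, user passwords pass through the client and MFA or conditional-access policies are typically not enforced, so `client_credentials` or an assertion-based grant is preferable where the product supports it.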
diff --git a/azuread/openIdParameters.properties b/azuread/openIdParameters.properties
new file mode 100644
index 00000000..e265696d
--- /dev/null
+++ b/azuread/openIdParameters.properties
@@ -0,0 +1,7 @@
+OPENID_SERVER_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334
+OPENID_PROVIDER=azure_ad
+OPENID_AUTHORIZATION_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/authorize
+OPENID_TOKEN_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/token
+OPENID_CLIENT_ID=b173bdb8-fd2c-4208-aef7-773df33456bb
+OPENID_LOGOUT_URL=https://login.microsoftonline.com/00df3463-7019-4488-aa48-b4ae46038334/oauth2/v2.0/logout
+OPENID_ALLOWED_DOMAINS=login.microsoftonline.com,login.w3.ibm.com
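Review bot: `OPENID_ALLOWED_DOMAINS` lists `login.w3.ibm.com` next to `login.microsoftonline.com`, although every endpoint in this Azure AD sample is on `login.microsoftonline.com`. If this list controls which hosts are accepted as redirect or issuer domains, the extra entry widens the allow-list for no visible reason. `OPENID_ALLOWED_DOMAINS=login.microsoftonline.com` matches the rest of the file.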
diff --git a/azuread/openIdWebSecurity.xml b/azuread/openIdWebSecurity.xml
new file mode 100644
index 00000000..36b5a8e3
--- /dev/null
+++ b/azuread/openIdWebSecurity.xml
@@ -0,0 +1,25 @@
+
+
+
+
+
+
+
+
+
+
+
diff --git a/azuread/webSecurity.xml b/azuread/webSecurity.xml
new file mode 100644
index 00000000..c137154e
--- /dev/null
+++ b/azuread/webSecurity.xml
@@ -0,0 +1,29 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/build.sh b/build.sh
index 70c461fd..bd5aa624 100755
--- a/build.sh
+++ b/build.sh
@@ -25,7 +25,7 @@ source .env
echo "Using this properties from .env file."
cat .env
docker run --user 'root' -v $PWD/wlp:/opt/wlp $FROMLIBERTY /bin/sh -c "mkdir -p /opt/wlp ;\
- installUtility download openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
+ installUtility download mpMetrics-2.3 openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
microProfile-1.0 microProfile-1.2 microProfile-1.3 microProfile-1.4 monitor-1.0 restConnector-1.0 \
requestTiming-1.0 restConnector-2.0 sessionDatabase-1.0 ssl-1.0 transportSecurity-1.0 webCache-1.0 \
webProfile-7.0 webProfile-7.0 --location=/opt/wlp"
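Review bot: The Liberty feature list now has to be edited in two places: this `installUtility download` line and `PACKAGELIST` in common/script/installFeatures.sh both gain `mpMetrics-2.3` in this commit, and the two lists already differ (`webProfile-7.0` appears twice here). Keeping the list in one file that both scripts read would stop the download set and the install set from drifting. Since `mpMetrics` adds a metrics endpoint, it is also worth confirming that the server configuration keeps it behind authentication; that configuration is not part of this hunk.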
diff --git a/common/config/authOidc/openIdWebSecurityTemplate.xml b/common/config/authOidc/openIdWebSecurityTemplate.xml
index 04178c04..e21d0e12 100644
--- a/common/config/authOidc/openIdWebSecurityTemplate.xml
+++ b/common/config/authOidc/openIdWebSecurityTemplate.xml
@@ -6,7 +6,7 @@
-
-
+
+
diff --git a/common/config/tlsSecurityFIPS.xml b/common/config/tlsSecurityFIPS.xml
new file mode 100644
index 00000000..6dbf2848
--- /dev/null
+++ b/common/config/tlsSecurityFIPS.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/common/resources/.nodelete b/common/resources/.nodelete
new file mode 100644
index 00000000..e69de29b
diff --git a/common/resources/ibm-docs.crt b/common/resources/ibm-docs.crt
deleted file mode 100644
index c3d8a4d9..00000000
--- a/common/resources/ibm-docs.crt
+++ /dev/null
@@ -1,97 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGRTCCBS2gAwIBAgISBERANHfh8G7YDlotd5LkGqBYMA0GCSqGSIb3DQEBCwUA
-MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-EwJSMzAeFw0yMTExMjcxMDUxMDlaFw0yMjAyMjUxMDUxMDhaMEUxQzBBBgNVBAMT
-OmlibWRvY3MtcHJvZHVjdGlvbi1kYWwudXMtc291dGguY29udGFpbmVycy5hcHBk
-b21haW4uY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDduikf
-2Srtf7A8pxG4w4rQRIuJWktDt1vdJLCfEbkIPuYuZVOrVZsItgLjfwsIdoi5yqZA
-lZCMfnObwllQTnlEh1JDRvzx5VaCIrXt2kfoPq739RGwNWyphlAtDrcB37hkUIMZ
-DDvBqJtY/4V8DrWYNhxdKcTcYbL3DGweYcaLqqODj7P1VZVtAiUjHEcttMD/Ot4Q
-ZiwYg+PbBAQbmprcSyxkvlq+UpzMjAG8raHY/4dATgxzWdvdThCdaLDLZNil0UDT
-Spkkh8Vx5QWCfPY6aloFxcnGgOukhqO/2LAoZv5YzHu+JvawSlpuYmz3hLfRfiiK
-f+Nc1TYW43rSMPV7AgMBAAGjggNAMIIDPDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
-BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
-FK1c3afOfgJ/48PFpL/pNlah7nmbMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
-r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
-bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMIIB
-DwYDVR0RBIIBBjCCAQKCYiouaWJtZG9jcy1wcm9kdWN0aW9uLWRhbC02MDk5MTIz
-Y2U3NzRlNTkyYTUxOWQ3YzMzZGI4MjY1ZS0wMDAwLnVzLXNvdXRoLmNvbnRhaW5l
-cnMuYXBwZG9tYWluLmNsb3VkgmBpYm1kb2NzLXByb2R1Y3Rpb24tZGFsLTYwOTkx
-MjNjZTc3NGU1OTJhNTE5ZDdjMzNkYjgyNjVlLTAwMDAudXMtc291dGguY29udGFp
-bmVycy5hcHBkb21haW4uY2xvdWSCOmlibWRvY3MtcHJvZHVjdGlvbi1kYWwudXMt
-c291dGguY29udGFpbmVycy5hcHBkb21haW4uY2xvdWQwTAYDVR0gBEUwQzAIBgZn
-gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
-ZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgDfpV6raIJP
-H2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAX1hPB0hAAAEAwBHMEUCIGf8KtwO
-CIWRC9ppOasu1nEgpUy8Sfqe7/U1qVS3/MRPAiEAjdDdm2lv306NzEUjB2vZ9aES
-MuvR+BpOqCOM3xg2t78AdQBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5t
-RwAAAX1hPB1LAAAEAwBGMEQCICsrKAbIfYr1We5EQ3zkcJLqwGtP4Zone9OjZ9u5
-0Mc9AiBv66IPUvyEHlZFM7ZcaZ0JBYO41kxqvbtVPatogkxOZTANBgkqhkiG9w0B
-AQsFAAOCAQEAd/FF5oTqe5c7S3apaTLlNaCRwuaoW0SBadzPUONCZHWItIxmwM6W
-MmcbT3fixjC+6E5LjpCkmWCsPI/UR39RhsNn4SVgRBnkMiQ7ypqaLXCzjkK/hgcD
-nagTgUPuTMbNEFiy7BqO6Xecsby9A6Yn7t9CNjTpXyJGI2pSjIDrVRjjcOpf/On+
-v5JRWKmtl6+by/cx3GvLhlPYbhNlnkgjmB4Ap9vQtDbbCWSJrLzOS2zC0aiHa3A4
-em2pYUElwlWAvW2YmzKccnrJEsPBarUWZlUteB4k58C6dNU8l9OfXu8NtRrWhsBt
-zqEAaRqB8jw+0z6QhnYnjQkbyEnlsS8t0g==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
-WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
-R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
-sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
-NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
-Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
-/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
-FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
-AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
-Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
-gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
-ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
-CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
-lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
-avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
-yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
-MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
-nLRbwHOoq7hHwg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
-ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
-wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
-LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
-4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
-bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
-sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
-Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
-FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
-SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
-PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
-TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
-c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
-+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
-ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
-b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
-U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
-MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
-5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
-9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
-WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
-he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
-Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
------END CERTIFICATE-----
diff --git a/common/resources/ibm-public.crt b/common/resources/ibm-public.crt
deleted file mode 100644
index 09cb7ed6..00000000
--- a/common/resources/ibm-public.crt
+++ /dev/null
@@ -1,81 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJrTCCCJWgAwIBAgIQCddxKpTPPg7Q87c0NppKmzANBgkqhkiG9w0BAQsFADBN
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
-aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjEwOTMwMDAwMDAwWhcN
-MjIwOTMwMjM1OTU5WjB9MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsx
-DzANBgNVBAcTBkFybW9uazE0MDIGA1UEChMrSW50ZXJuYXRpb25hbCBCdXNpbmVz
-cyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjEUMBIGA1UEAxMLd3d3LmlibS5jb20wggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1O7/WRtur6vZuYL2CMXHP2aL0
-wLSIVmzgv+ULLimjyBoOYMaReDC9ZpwgX5AzLrkTTirMV6woCy9SZv8x7GyouOTR
-c6N4Lh8uSHhe0EK3vRCwl0DQGz5BLbF1PlvWVQo/BxrSuPRPjXL0EtOa0d+U59jj
-pGvPm4DHU/6JmXLAa0TbDnDROV3n5B7OoWNvqjIr7WZHy/bisfm41DC+FnVKwS0c
-d9z2VSLvTZZ3PrOJKjWNLxW5YplhLVq7cOV1FgL52hWkO1yfjkqY1xBDyUemasam
-7iOntLTUITQVA5B73fobWkTJOo2RWy+UnI45S9R4YuWegLEtuEuaX4Ed60j/AgMB
-AAGjggZXMIIGUzAfBgNVHSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNV
-HQ4EFgQU/IP8l0rkDsZUIT9Gji4ABH2NFd0wggMjBgNVHREEggMaMIIDFoIPd3d3
-dGVzdC5pYm0uY29tghN3d3d0ZXN0LTExMi5pYm0uY29tghB3d3dzdGFnZS5pYm0u
-Y29tgg53d3dwb2MuaWJtLmNvbYISd3d3cG9jLTExMi5pYm0uY29tggt3d3cubmlj
-LmlibYILd3d3LmlibS5jb22CFXd3dy5kZXZlbG9wZXIuaWJtLmNvbYIdd3d3LmF0
-c3MwMDF1YXQuYXQuc21pLmlibS5jb22CD3d3dy1hcGkuaWJtLmNvbYIUd3d3LTk2
-OXN0YWdlLmlibS5jb22CD3d3dy05NjkuaWJtLmNvbYIPd3d3LTk0Ni5pYm0uY29t
-gg93d3ctOTM1LmlibS5jb22CDnd3dy01MC5pYm0uY29tgg53d3ctNDAuaWJtLmNv
-bYIPd3d3LTM1Ni5pYm0uY29tghB3d3ctMjAwMC5pYm0uY29tgg93d3ctMTEyLmli
-bS5jb22CDnd3dy0wNy5pYm0uY29tgg53d3ctMDYuaWJtLmNvbYIOd3d3LTA1Lmli
-bS5jb22CDnd3dy0wMy5pYm0uY29tgg53d3ctMDEuaWJtLmNvbYIRdXNtci5jbXMu
-czgxYy5jb22CD3VzLmNtcy5zODFjLmNvbYINbXlpYm0uaWJtLmNvbYILbXAuczgx
-Yy5jb22CB2libS5jb22CD2V1LmNtcy5zODFjLmNvbYIRZGV2ZWxvcGVyLmlibS5j
-b22CGWNkbi1wcm9kLWVkaXQuY21zLmlibS5uZXSCEGFwaS53d3cuczgxYy5jb22C
-D2FwLmNtcy5zODFjLmNvbYITMS53d3dzdGFnZS5zODFjLmNvbYIOMS53d3cuczgx
-Yy5jb22CEzEuZGFtc3RhZ2UuczgxYy5jb22CDjEuZGFtLnM4MWMuY29tghIxLmNt
-c3Rlc3QuczgxYy5jb22CFjEuY21zc3RhZ2VuZXcuczgxYy5jb22CEzEuY21zc3Rh
-Z2UuczgxYy5jb22CETEuY21zcG9jLnM4MWMuY29tghExLmNtc25ldy5zODFjLmNv
-bYIOMS5jbXMuczgxYy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
-AQUFBwMBBggrBgEFBQcDAjBvBgNVHR8EaDBmMDGgL6AthitodHRwOi8vY3JsMy5k
-aWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LTEuY3JsMDGgL6AthitodHRwOi8vY3Js
-NC5kaWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LTEuY3JsMD4GA1UdIAQ3MDUwMwYG
-Z4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
-UzB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj
-ZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t
-L0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMIIB
-fAYKKwYBBAHWeQIEAgSCAWwEggFoAWYAdQApeb7wnjk5IfBWc59jpXflvld9nGAK
-+PlNXSZcJV3HhAAAAXw3XrX9AAAEAwBGMEQCIEWgJL1hVkBhBXNIKU/eXxXHf/Ag
-c3eZx7BfvUAxXxEVAiAIKG6r4AVQNBDisBSl1fwmGldM1890HFfU6oKv/GUwhQB1
-AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7UiwXlAAABfDdetbYAAAQDAEYw
-RAIgMIMfvKkrnLB/AbT498+66CaOD12e2OrW7zXHCaQVdxECIFvT1D1+om3p35AQ
-BiDVCmMjr0Vfij7oBVtb7wfgbCvGAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tL
-x2jwkGKWBvYAAAF8N161pgAABAMARzBFAiEAqoE9PWkJ5o7E4GvOQMgqNA+I8bJo
-VfA6ZW/BRryEpLICIHw6BjGRctdTzlyy8PI8lWgmM7aELRonDA8mWekqQwbEMA0G
-CSqGSIb3DQEBCwUAA4IBAQASmNrm6LBAWIB5Te5z8DBfW1/POC2yD/07JBOHSuQ+
-s5K2N5OP8bnW76dkmSk1N4BiOOQjpL357gHsAjxGakk99VrV8c7sj7MdbzdKorMM
-EqPaAuVTrvLUEBaMMK/3LKmnZPdk3KmJPk9ZTw2WIWNI4OkjKKHKGURTjMgyEgn5
-zJCT7/p7ss5JJvYfI9AjRoYw8f4/GSdOv/JCgmSFMJ5nJajdbdSr6HWjLkYweCkz
-sjQZmRDSsIet30eKCaXoyo8qfjX0rS1agZszYSyp7JcEUTJozvNhTml39iYT6pUu
-FwFNNSalPFVmy0QFLSBX5piJV9CTt5rBTd8IQqfSYcxz
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
-MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
-d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
-QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
-MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
-U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
-nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
-KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
-/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
-kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
-/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
-AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
-aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
-Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
-oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
-QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
-d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
-xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
-CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
-5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
-8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
-2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
-c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
-j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
------END CERTIFICATE-----
diff --git a/common/script/configureTlsSecurity.sh b/common/script/configureTlsSecurity.sh
index 92a95bd2..c8d81d27 100755
--- a/common/script/configureTlsSecurity.sh
+++ b/common/script/configureTlsSecurity.sh
@@ -1,5 +1,14 @@
#!/bin/bash
# Using -Xshareclasses:none jvm option in keytool commands to avoid jvm errors in logs on z/os
+if [ -n "$ENABLE_FIPS" ]
+then
+ if [[ $ENABLE_FIPS =~ "true" ]]
+ then
+ echo "FIPS Enabled : Use appropriate configuring keystore for FIPS"
+ # Workaround on a FIPS implementation see
+ cp /config/tlsSecurityFIPS.xml /config/tlsSecurity.xml
+ fi
+fi
if [ -s "/config/auth/tlsSecurity.xml" ]
then
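Review bot: `[[ $ENABLE_FIPS =~ "true" ]]` is a substring match, because a quoted right-hand side of `=~` is treated as a literal, so any value containing `true` (for example `untrue`) switches the server to the FIPS keystore configuration. An exact comparison, `if [[ "$ENABLE_FIPS" == "true" ]]; then`, also makes the outer `-n` test unnecessary; the same test is repeated in the last hunk of this file and in common/script/enableFips.sh. The `cp` result is not checked, so a missing /config/tlsSecurityFIPS.xml leaves the non-FIPS configuration in place after the script has printed "FIPS Enabled"; `cp /config/tlsSecurityFIPS.xml /config/tlsSecurity.xml || exit 1` would make that failure visible. The comment `# Workaround on a FIPS implementation see` ends without the reference it announces.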
@@ -131,6 +140,32 @@ if [ -d $CERTDIR ]; then
echo "done"
fi
+# This part allow to import a list of PEM certificate in the JVM
+ echo "Importing private certificates $dir"
+PRIVATE_CERTDIR="/config/security/private-cert-volume/"
+if [ -d $PRIVATE_CERTDIR ]; then
+ cd $PRIVATE_CERTDIR
+ for dir in *; do
+ echo "Importing private certificates $dir"
+ if [ -d $dir ]; then
+ if [ -f $dir/tls.key ]; then
+ if [ -f $dir/tls.crt ]; then
+ echo "public key $dir/tls.crt has been found for the relative $dir/tls.key private key"
+ openssl pkcs12 -export -inkey $dir/tls.key -in $dir/tls.crt -name $dir -out /config/security/$dir.p12 -passout pass:$DEFAULT_KEYSTORE_PASSWORD
+ keytool -J"-Xshareclasses:none" -importkeystore -srckeystore /config/security/$dir.p12 -srcstorepass $DEFAULT_KEYSTORE_PASSWORD -srcstoretype PKCS12 -destkeystore /config/security/keystore.jks -deststoretype JKS -deststorepass $DEFAULT_KEYSTORE_PASSWORD
+
+ keytool -J"-Xshareclasses:none" -import -v -trustcacerts -alias $dir -file $dir/tls.crt -keystore $TRUSTSTORE -storepass $DEFAULT_TRUSTSTORE_PASSWORD -noprompt
+ else
+ echo "cannot register $dir/tls.key private key has the associated $dir/tls.crt public key is not present"
+ fi
+ else
+ echo "Couldn't find certificate $dir/tls.key skipping this certificate "
+ fi
+ fi
+ done
+ echo "done"
+fi
+
if [ -n "$ENABLED_CIPHERS" ]
then
echo "configure enabled ciphers with $ENABLED_CIPHERS"
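Review bot: The keystore password is passed to `openssl` and `keytool` as a command-line argument (`-passout pass:$DEFAULT_KEYSTORE_PASSWORD`, `-srcstorepass`, `-deststorepass`, `-storepass`), where it is readable from the process list, and the intermediate `/config/security/$dir.p12` that holds the private key is never removed. Both tools can read the password from the environment instead, provided the variables are exported. `$dir` and `$PRIVATE_CERTDIR` are unquoted throughout, so a directory name with a space or glob character breaks the import, and a failed `openssl` still falls through to `keytool`. The first `echo "Importing private certificates $dir"` runs before the loop, when `$dir` is not yet set, and can be dropped.

```shell
# … unchanged: PRIVATE_CERTDIR test, cd, for loop, tls.key / tls.crt checks …
        p12="/config/security/$dir.p12"
        # Passwords are read from the environment so they never appear in argv.
        openssl pkcs12 -export -inkey "$dir/tls.key" -in "$dir/tls.crt" -name "$dir" \
          -out "$p12" -passout env:DEFAULT_KEYSTORE_PASSWORD \
          && keytool -J"-Xshareclasses:none" -importkeystore \
               -srckeystore "$p12" -srcstoretype PKCS12 \
               -srcstorepass:env DEFAULT_KEYSTORE_PASSWORD \
               -destkeystore /config/security/keystore.jks -deststoretype JKS \
               -deststorepass:env DEFAULT_KEYSTORE_PASSWORD
        # The intermediate PKCS#12 contains the private key; do not leave it behind.
        rm -f -- "$p12"

        keytool -J"-Xshareclasses:none" -import -v -trustcacerts -alias "$dir" \
          -file "$dir/tls.crt" -keystore "$TRUSTSTORE" \
          -storepass:env DEFAULT_TRUSTSTORE_PASSWORD -noprompt
# … unchanged: else branches, done, fi …
```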
@@ -148,3 +183,20 @@ then
echo "Importing IBM Docs certificate"
keytool -J"-Xshareclasses:none" -import -v -trustcacerts -alias IBM-DOCS -file /config/resources/ibm-docs.crt -keystore /config/security/truststore.jks -storepass $DEFAULT_TRUSTSTORE_PASSWORD -noprompt
fi
+
+
+echo "Change certificate format from JKS to P12"
+keytool -J"-Xshareclasses:none" -importkeystore -srckeystore /config/security/truststore.jks -srcstorepass $DEFAULT_TRUSTSTORE_PASSWORD -destkeystore /config/security/truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass $DEFAULT_TRUSTSTORE_PASSWORD -noprompt
+keytool -J"-Xshareclasses:none" -importkeystore -srckeystore /config/security/keystore.jks -srcstorepass $DEFAULT_KEYSTORE_PASSWORD -destkeystore /config/security/keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass $DEFAULT_KEYSTORE_PASSWORD -noprompt
+
+
+if [ -n "$ENABLE_FIPS" ]
+then
+ if [[ $ENABLE_FIPS =~ "true" ]]
+ then
+ echo "FIPS Enabled importing certification in the nssdb"
+ pk12util -i /config/security/keystore.p12 -W $DEFAULT_KEYSTORE_PASSWORD -d /etc/pki/nssdb
+ pk12util -i /config/security/truststore.p12 -W $DEFAULT_TRUSTSTORE_PASSWORD -d /etc/pki/nssdb
+ for cert in $(certutil -L -d /etc/pki/nssdb | tail -n +5 | awk '{print $1}'); do certutil -M -n ${cert} -t CT,CT,CT -d /etc/pki/nssdb; done
+ fi
+fi
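Review bot: The final loop sets trust flags `CT,CT,CT` on every nickname `certutil -L` prints, which marks each entry in /etc/pki/nssdb, including the server's own certificate imported from keystore.p12, as a trusted CA for TLS, S/MIME and code signing. Restricting the loop to the CA certificates that came from the truststore, and giving them only the TLS trust they need (`-t "CT,,"`), keeps the trust set minimal. `awk '{print $1}'` with an unquoted `${cert}` also truncates nicknames that contain spaces, so this loop cannot address those entries. `pk12util -W` puts the store passwords on the command line, where `-w <password-file>` avoids that. The context above still imports /config/resources/ibm-docs.crt, which this commit deletes; the condition guarding it is outside the hunk, so confirm that branch can no longer run.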
diff --git a/common/script/enableFips.sh b/common/script/enableFips.sh
index 816ae6cf..47e7587b 100644
--- a/common/script/enableFips.sh
+++ b/common/script/enableFips.sh
@@ -5,6 +5,5 @@ then
if [[ $ENABLE_FIPS =~ "true" ]]
then
echo "Enable FIPS"
- cp /config/jvm/enablefips-jvm.options /config/configDropins/overrides/jvm.options
fi
fi
diff --git a/common/script/generateVersionFile.sh b/common/script/generateVersionFile.sh
index a24c7611..cb88c9e0 100644
--- a/common/script/generateVersionFile.sh
+++ b/common/script/generateVersionFile.sh
@@ -5,4 +5,6 @@ echo "IBM Operational Decision Manager (ODM on Certified Kubernetes) : "$ODMVERS
LIBERTY_VERSION=$(/opt/ibm/wlp/bin/server version)
echo "Liberty : "${LIBERTY_VERSION} >> $VERSIONFILE
JAVA_VERSION=$(java --version | head -2 | tail -1)
-echo "Java : "${JAVA_VERSION} >> $VERSIONFILE
\ No newline at end of file
+echo "Java : "${JAVA_VERSION} >> $VERSIONFILE
+echo "Date : " $(date) >> $VERSIONFILE
+echo "Arch : " $(uname -m) >> $VERSIONFILE
\ No newline at end of file
diff --git a/common/script/installFeatures.sh b/common/script/installFeatures.sh
index 9c1b7a72..88d8f5de 100755
--- a/common/script/installFeatures.sh
+++ b/common/script/installFeatures.sh
@@ -3,7 +3,7 @@
# Install the driver for Derby
echo "Install the feature list for ODM on Liberty"
ROOTFEATUREDIR=/opt/wlppackage
-PACKAGELIST="openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
+PACKAGELIST="mpMetrics-2.3 openidconnectclient-1.0 collectiveMember-1.0 sessionCache-1.0 ldapRegistry-3.0 localConnector-1.0 \
microProfile-1.0 microProfile-1.2 microProfile-1.3 microProfile-1.4 monitor-1.0 restConnector-1.0 \
requestTiming-1.0 restConnector-2.0 sessionDatabase-1.0 ssl-1.0 transportSecurity-1.0 webCache-1.0 webProfile-7.0"
diff --git a/contrib/populate-sample-db/Loan_Validation_Service_main.zip b/contrib/populate-sample-db/Loan_Validation_Service_main.zip
deleted file mode 100644
index 64c78b69..00000000
Binary files a/contrib/populate-sample-db/Loan_Validation_Service_main.zip and /dev/null differ
diff --git a/contrib/populate-sample-db/populate.sh b/contrib/populate-sample-db/populate.sh
old mode 100644
new mode 100755
index 39325864..0996247e
--- a/contrib/populate-sample-db/populate.sh
+++ b/contrib/populate-sample-db/populate.sh
@@ -23,7 +23,13 @@ done
type jq >& /dev/null || (echo "jq must be installed!" && exit 1)
-# Get Decision Service https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Loan%20Validation%20Service.zip?raw=1
+echo -n "$(date) - ### Download Loan Validation Service from GitHub: "
+curl --location --silent --output Loan_Validation_Service_main.zip "https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Loan%20Validation%20Service.zip?raw=1"
+if [[ $? != 0 ]]; then
+ echo "Could not download https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Loan%20Validation%20Service.zip"
+ exit 1
+fi
+echo "DONE"
echo -n "$(date) - ### Upload Loan Validation Service to DC: "
curl_result=$(curl --silent --insecure --request POST "${DC_URL}/decisioncenter-api/v1/decisionservices/import" --header "accept: */*" --header "Content-Type: multipart/form-data" --form "file=@$(dirname "$0")/Loan_Validation_Service_main.zip;type=application/zip" --user ${DC_USER}:${DC_USER})
if [[ $? != 0 ]]; then
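Review bot: The download check cannot detect an HTTP error: without `--fail`, `curl` exits 0 on a 404 or 5xx and saves the error page as Loan_Validation_Service_main.zip, which is then uploaded to Decision Center. The archive is also written to the current directory while the upload reads `$(dirname "$0")/Loan_Validation_Service_main.zip`, so running the script from another directory uploads a stale or missing file. `curl --fail --location --silent --show-error --output "$(dirname "$0")/Loan_Validation_Service_main.zip" "<same URL>"` addresses both; the Miniloan download in the next hunk has the same two problems. Because the URL follows the `master` branch, the imported content can change without notice; pinning a commit and checking a SHA-256 digest before the import would make the sample reproducible.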
@@ -45,8 +51,13 @@ if [[ "${decisionServiceId}" == "null" ]]; then
decisionServiceId=4ea8ed3f-98a0-4b25-853c-6cc857215ae8
fi
-
-# Get Decision Service https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Miniloan%20Service.zip?raw=1
+echo -n "$(date) - ### Download Miniloan Service from GitHub: "
+curl --location --silent --output Miniloan_Service_main.zip "https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Miniloan%20Service.zip?raw=1"
+if [[ $? != 0 ]]; then
+ echo "Could not download https://github.com/DecisionsDev/odm-for-dev-getting-started/blob/master/Miniloan%20Service.zip"
+ exit 1
+fi
+echo "DONE"
echo -n "$(date) - ### Upload Miniloan Service to DC: "
curl_result=$(curl --silent --insecure --request POST "${DC_URL}/decisioncenter-api/v1/decisionservices/import" --header "accept: */*" --header "Content-Type: multipart/form-data" --form "file=@$(dirname "$0")/Miniloan_Service_main.zip;type=application/zip" --user ${DC_USER}:${DC_USER})
if [[ $? != 0 ]]; then
diff --git a/contrib/update-images/.env b/contrib/update-images/.env
new file mode 100644
index 00000000..1aa44201
--- /dev/null
+++ b/contrib/update-images/.env
@@ -0,0 +1,5 @@
+# Liberty Version
+SOURCEREGISTRY=cp.icr.io/cp/cp4a/odm
+SOURCETAG=8.12.0.1-amd64
+TARGETREGISTRY=myrepo
+TARGETTAG=8.12.0.1-amd64
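Review bot: The only comment in this file, `# Liberty Version`, does not describe what follows: the variables are the source and target registries and image tags consumed by docker-compose.yml. Something like `# Source (IBM Entitled Registry) and target registry/tag for the rebuilt ODM images` would be accurate, and a second comment saying that `TARGETREGISTRY=myrepo` is a placeholder to replace would help first-time users.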
diff --git a/contrib/update-images/DbserverDockerfile b/contrib/update-images/DbserverDockerfile
new file mode 100644
index 00000000..2cc2436c
--- /dev/null
+++ b/contrib/update-images/DbserverDockerfile
@@ -0,0 +1,13 @@
+ARG SOURCEIMAGE
+FROM ${SOURCEIMAGE}
+ARG USERID
+USER 0
+RUN set -ex; \
+ dnf upgrade --assumeyes --disableplugin=subscription-manager --nodocs; \
+ dnf install --assumeyes nss nss-tools unzip procps-ng net-tools --disableplugin=subscription-manager --nodocs; \
+ dnf clean all --disableplugin=subscription-manager; \
+ rm -rf /var/cache/dnf; \
+ /usr/libexec/fix-permissions /var/lib/pgsql; \
+ /usr/libexec/fix-permissions /var/run/postgresql; \
+ set +ex
+USER 26
\ No newline at end of file
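Review bot: `ARG USERID` is declared and docker-compose.yml passes `USERID=26`, but the final instruction hard-codes `USER 26`, so the argument has no effect; `USER ${USERID}` would match contrib/update-images/Dockerfile. The stated purpose of these images is picking up OS fixes, yet this `RUN` (and the one in contrib/update-images/Dockerfile) also installs `net-tools`, `procps-ng`, `unzip` and `nss-tools`, which adds packages to patch and extra tooling inside the runtime image. If only some are needed (the FIPS path in configureTlsSecurity.sh uses `pk12util` and `certutil` from `nss-tools`), install just those and state the reason in a comment above the `RUN`.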
diff --git a/contrib/update-images/Dockerfile b/contrib/update-images/Dockerfile
new file mode 100644
index 00000000..03d4811e
--- /dev/null
+++ b/contrib/update-images/Dockerfile
@@ -0,0 +1,14 @@
+ARG SOURCEIMAGE
+FROM ${SOURCEIMAGE}
+ARG USERID
+
+USER root
+
+RUN set -ex; \
+ dnf erase -y python3-subscription-manager-rhsm --disableplugin=subscription-manager; \
+ dnf -y upgrade --disableplugin=subscription-manager; \
+ dnf -y install nss nss-tools unzip procps-ng net-tools --disableplugin=subscription-manager; \
+ dnf clean all --disableplugin=subscription-manager; \
+ rm -rf /var/cache/dnf;
+
+USER $USERID
\ No newline at end of file
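Review bot: `USER $USERID` depends on a build argument that has no default, so a build that omits `--build-arg USERID=...` ends with an empty `USER` instruction after `USER root`; at best that fails the build, and it should not be left to the builder to decide whether the image ends up running as root. Every ODM service in docker-compose.yml passes 1001, so `ARG USERID=1001` is a safe default.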
diff --git a/contrib/update-images/README.md b/contrib/update-images/README.md
new file mode 100644
index 00000000..995e4c1f
--- /dev/null
+++ b/contrib/update-images/README.md
@@ -0,0 +1,88 @@
+# Updating ODM Docker Images with Latest CVE Fixes
+
+## Introduction
+IBM is committed to providing monthly updates for its images, but if you want to update them more frequently, this method allows you to do so on your own.
+
+This guide will walk you through the process of updating your ODM Docker images to ensure they are protected against known security vulnerabilities and Common Vulnerabilities and Exposures (CVEs). Regularly updating your Docker images is crucial to maintaining a secure and reliable containerized environment.
+
+## Table of Contents
+
+1. [Prerequisites](#1-prerequisites)
+2. [Preparing the Environment](#2-preparing-the-environment)
+3. [Updating Docker Images](#3-updating-docker-images)
+ - [a. Build the Images](#a-build-the-images)
+ - [b. Optional: Push to Your Target Registry](#b-optional-push-to-your-target-registry)
+4. [Best Practices](#best-practices)
+5. [Conclusion](#conclusion)
+
+## 1. Prerequisites
+
+Before you start, make sure you have the following prerequisites in place:
+
+- Docker installed on your system
+- Docker compose installed on your system
+- Access to the the IBM Entitled Registry
+- Familiarity with the Docker command-line interface (CLI)
+
+## 2. Preparing the Environment
+
+To gain access to the ODM material, you will need an IBM entitlement key for downloading images from the IBM Entitled Registry.
+
+ 1. Sign in to the [MyIBM Container Software Library](https://myibm.ibm.com/products-services/containerlibrary) using your IBMid and associated password for the entitled software.
+ 2. On the Container software library tile, ensure your entitlement by navigating to the View library page. Then proceed to obtain the entitlement key.
+ 3. Next, use this key to log in to Docker as follows:
+
+```bash
+docker login cp.icr.io -u cp -p
+```
+
+
+## 3. Updating Docker Images
+
+### a. Build the Images
+
+To update your Docker images, follow these steps:
+
+1. Download or clone this GitHub repository.
+2. Navigate to the `contrib/update-images` directory.
+3. Build the images using the following Docker Compose command. Make sure to change the values according to the ODM Version and your targeted environment:
+
+```bash
+export SOURCEREGISTRY=cp.icr.io/cp/cp4a/odm
+export SOURCETAG=8.12.0.1-amd64
+export TARGETREGISTRY=myrepo
+export TARGETTAG=8.12.0.1-amd64
+docker compose build
+```
+
+Change the values according to the ODM Version and your targeted environment.
+
+### b. Optional: Push to Your Target Registry
+
+If you want to push the updated images to your target registry, follow these steps:
+
+1. Log in to your targeted registry.
+2. Push your images using the following command. Make sure to modify the values according to your specific setup:
+
+```bash
+export SOURCEREGISTRY=cp.icr.io/cp/cp4a/odm
+export SOURCETAG=8.12.0.1-amd64
+export TARGETREGISTRY=myrepo
+export TARGETTAG=8.12.0.1-amd64
+docker compose push
+```
+
+## Best Practices
+
+To ensure a secure and efficient process of updating Docker images, consider the following best practices:
+
+- Implement automation: Use continuous integration/continuous deployment (CI/CD) pipelines to automate the scanning and updating of Docker images.
+- Regularly monitor CVE databases and subscribe to security mailing lists for timely updates.
+- Maintain a versioning strategy for your Docker images to keep track of updates and changes.
+- Secure your container registry with access controls and policies to prevent unauthorized access.
+
+## Conclusion
+
+By following the steps outlined in this guide and adopting best practices, you can effectively update your Docker images with the latest OS-related CVE fixes ensuring the security and stability of your containerized applications. Regularly checking for vulnerabilities and staying up-to-date is crucial in the ever-evolving world of container security.
+
+Feel free to customize and expand upon this guide to fit your specific needs and environment.
diff --git a/contrib/update-images/docker-compose.yml b/contrib/update-images/docker-compose.yml
new file mode 100644
index 00000000..fbc1aec6
--- /dev/null
+++ b/contrib/update-images/docker-compose.yml
@@ -0,0 +1,48 @@
+version: '3'
+services:
+
+ dbserver:
+ image: $TARGETREGISTRY/dbserver:$TARGETTAG
+ build:
+ context: ./
+ dockerfile: ./DbserverDockerfile
+ args:
+ - SOURCEIMAGE=$SOURCEREGISTRY/dbserver:$SOURCETAG
+ - USERID=26
+
+ odm-decisionserverconsole:
+ image: $TARGETREGISTRY/odm-decisionserverconsole:$TARGETTAG
+ build:
+ context: ./
+ dockerfile: ./Dockerfile
+ args:
+ - SOURCEIMAGE=$SOURCEREGISTRY/odm-decisionserverconsole:$SOURCETAG
+ - USERID=1001
+
+ odm-decisionrunner:
+ image: $TARGETREGISTRY/odm-decisionrunner:$TARGETTAG
+ build:
+ context: ./
+ dockerfile: ./Dockerfile
+ args:
+ - SOURCEIMAGE=$SOURCEREGISTRY/odm-decisionrunner:$SOURCETAG
+ - USERID=1001
+
+ odm-decisionserverruntime:
+ image: $TARGETREGISTRY/odm-decisionserverruntime:$TARGETTAG
+ build:
+ context: ./
+ dockerfile: ./Dockerfile
+ args:
+ - SOURCEIMAGE=$SOURCEREGISTRY/odm-decisionserverruntime:$SOURCETAG
+ - USERID=1001
+
+ odm-decisioncenter:
+ image: $TARGETREGISTRY/odm-decisioncenter:$TARGETTAG
+ build:
+ context: ./
+ dockerfile: ./Dockerfile
+ args:
+ - SOURCEIMAGE=$SOURCEREGISTRY/odm-decisioncenter:$SOURCETAG
+ - USERID=1001
+
\ No newline at end of file
diff --git a/databases/postgresql/data-8.12.next.dump b/databases/postgresql/data-8.12.next.dump
index c30cb936..31bb5283 100644
Binary files a/databases/postgresql/data-8.12.next.dump and b/databases/postgresql/data-8.12.next.dump differ
diff --git a/decisioncenter/Dockerfile b/decisioncenter/Dockerfile
index 36b214c5..f025def4 100755
--- a/decisioncenter/Dockerfile
+++ b/decisioncenter/Dockerfile
@@ -29,7 +29,7 @@ RUN chmod -R a+x $SCRIPT && \
if [ ! -f /config/resources/postgres* ]; then $SCRIPT/installPostgres.sh; fi
# Decision Center
-RUN mkdir -p $APPS
+RUN mkdir -p $APPS && apt-get update && apt-get install unzip
COPY ./teamserver/applicationservers/WLP*/teamserver-dbdump.war $APPS/
COPY ./teamserver/applicationservers/WLP*/decision*.war $APPS/
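Review bot: `apt-get install unzip` runs without `-y`, so the build aborts at the confirmation prompt as soon as the package pulls in any dependency that is not already present. `RUN mkdir -p $APPS && apt-get update && apt-get install -y --no-install-recommends unzip && rm -rf /var/lib/apt/lists/*` is the non-interactive form and drops the package index from the layer. The package is also unpinned, so this stage is only as reproducible as the `FROMDOCKERBUILD` tag in .env.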
@@ -51,7 +51,7 @@ ENV ODMVERSION $ODMVERSION
USER root
ENV SCRIPT /script
COPY $ODMDOCKERDIR/common/script $ODMDOCKERDIR/wlp* /opt/wlppackage/
-RUN mkdir $SCRIPT && mv /opt/wlppackage/*.sh $SCRIPT && $SCRIPT/installFeatures.sh && chmod a+x $SCRIPT/*.sh
+RUN mkdir $SCRIPT && mv /opt/wlppackage/*.sh $SCRIPT && $SCRIPT/installFeatures.sh && chmod a+x $SCRIPT/*.sh && touch /opt/ibm/wlp/usr/servers/defaultServer/keystore.xml
COPY --chown=1001:0 $ODMDOCKERDIR/decisioncenter/config /config
COPY --chown=1001:0 $ODMDOCKERDIR/decisioncenter/script $SCRIPT
COPY --chown=1001:0 $ODMDOCKERDIR/common/config /config
@@ -61,10 +61,10 @@ COPY --chown=1001:0 $ODMDOCKERDIR/common/config/jvm/jvm.options /config/configDr
COPY --chown=1001:0 $ODMDOCKERDIR/common/security/ltpa.keys /config/resources/security/ltpa.keys
COPY --chown=1001:0 $ODMDOCKERDIR/common/security/keystore.jks /config/security/keystore.jks
COPY --chown=1001:0 $ODMDOCKERDIR/common/security/truststore.jks /config/security/truststore.jks
-COPY --chown=1001:0 $ODMDOCKERDIR/common/resources/ibm-public.crt /config/resources/ibm-public.crt
COPY --chown=1001:0 $ODMDOCKERDIR/common/drivers /config/resources
-RUN chmod -R 777 /config
+RUN openssl s_client -connect www.ibm.com:443 < /dev/null 2>/dev/null | openssl x509 -outform pem > /config/resources/ibm-public.crt && chown 1001:0 /config/resources/ibm-public.crt && \
+chmod -R 777 /config
RUN sed -i 's|# Pass on to the real server run|. /script/rundc.sh|' /opt/ibm/helpers/runtime/docker-server.sh && $SCRIPT/generateVersionFile.sh
FROM ${FROMLIBERTY}
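Review bot: The added `openssl s_client -connect www.ibm.com:443` line writes whatever certificate the build network presents into `/config/resources/ibm-public.crt`, because `s_client` carries on past chain-verification errors by default and `2>/dev/null` hides them. The file used to be a reviewed copy from the repository, so if it is later used as a trust anchor (not visible in this hunk), a build behind an intercepting proxy would bake in the wrong certificate. I would at least make the fetch fail closed with `openssl s_client -connect www.ibm.com:443 -servername www.ibm.com -verify_return_error < /dev/null | openssl x509 -outform pem > /config/resources/ibm-public.crt` and drop the stderr redirect, or keep the committed certificate and compare fingerprints. The `chmod -R 777 /config` carried onto this `RUN` also leaves `keystore.jks`, `truststore.jks` and `ltpa.keys` world-writable. Read access for the runtime user (`1001:0`, per the `COPY --chown` lines) looks sufficient for those files.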
diff --git a/decisioncenter/config/OdmOidcProviders.json b/decisioncenter/config/OdmOidcProviders.json
index 189600c0..c0e92f7a 100644
--- a/decisioncenter/config/OdmOidcProviders.json
+++ b/decisioncenter/config/OdmOidcProviders.json
@@ -10,6 +10,7 @@
"logoutURL": "OPENID_LOGOUT_URL",
"clientId": "OPENID_CLIENT_ID",
"clientSecret": "OPENID_CLIENT_SECRET",
+ "clientAssertionAliasName": "OPENID_CLIENT_ASSERTION_ALIAS_NAME",
"name": "OPENID_PROVIDER"
}
]
diff --git a/decisioncenter/config/httpSessionHttp.xml b/decisioncenter/config/httpSessionHttp.xml
index 8579ea61..7c1a8a9e 100644
--- a/decisioncenter/config/httpSessionHttp.xml
+++ b/decisioncenter/config/httpSessionHttp.xml
@@ -3,7 +3,7 @@
useContextRootAsCookiePath="true"
invalidateOnUnauthorizedSessionRequestException="true"
invalidationTimeout="8h"/>
-
+
diff --git a/decisioncenter/config/httpSessionHttps.xml b/decisioncenter/config/httpSessionHttps.xml
index b7a5f33d..00bb2bc3 100644
--- a/decisioncenter/config/httpSessionHttps.xml
+++ b/decisioncenter/config/httpSessionHttps.xml
@@ -5,7 +5,7 @@
invalidationTimeout="8h"
cookieSecure="true"
cookieHttpOnly="true"/>
-
+
-
+
diff --git a/decisionserver/config/httpSessionHttps.xml b/decisionserver/config/httpSessionHttps.xml
index ac4505d1..84cc2456 100644
--- a/decisionserver/config/httpSessionHttps.xml
+++ b/decisionserver/config/httpSessionHttps.xml
@@ -5,7 +5,7 @@
invalidationTimeout="8h"
cookieSecure="true"
cookieHttpOnly="true"/>
-
+
/{e cat /config/basicAuth.xml\n}' web.xml
if [ -s "/config/auth/runtimeWebSecurity.xml" ]
then
- echo "/config/auth/runtimeWebSecurity.xml found then replace oidc auth by basic auth on decision server runtime"
- sed -i 's|webSecurity|'runtimeWebSecurity'|g' /config/server.xml
- unset OPENID_CONFIG
- echo "OPENID_CONFIG : $OPENID_CONFIG"
+ if [ ! -d "/config/apps/res.war" ]
+ then
+ echo "/config/auth/runtimeWebSecurity.xml found then replace oidc auth by basic auth on decision server runtime"
+ sed -i 's|webSecurity|'runtimeWebSecurity'|g' /config/server.xml
+ unset OPENID_CONFIG
+ echo "OPENID_CONFIG : $OPENID_CONFIG"
+ else
+ echo "/config/auth/runtimeWebSecurity.xml found in the RES container. Do nothing."
+ fi
fi
diff --git a/odm-azuread.yml b/odm-azuread.yml
new file mode 100755
index 00000000..ee4c542f
--- /dev/null
+++ b/odm-azuread.yml
@@ -0,0 +1,175 @@
+version: '3'
+services:
+ dbserver:
+ image: $REPOSITORY/dbserver:$ODMVERSION
+ build:
+ context: ../
+ dockerfile: ./${ODMDOCKERDIR}/databases/postgresql/Dockerfile
+ args:
+ - ODMDOCKERDIR=$ODMDOCKERDIR
+ - ODMDBVERSION=$ODMDBVERSION
+ - ODMVERSION=$ODMVERSION
+ - CP4BAVERSION=$CP4BAVERSION
+ - FROMDOCKERBUILD=$FROMDOCKERBUILD
+ - FROMPOSTGRES=$FROMPOSTGRES
+ - POSTGRESUID=$POSTGRESUID
+ user: "$POSTGRESUID:$POSTGRESUID"
+ ports:
+ - 5432:5432
+ environment:
+ - POSTGRES_USER=odmusr
+ - POSTGRES_PASSWORD=odmpwd
+ - POSTGRES_DB=odmdb
+ - PGDATA=/var/lib/postgresql/data
+# - SAMPLE=true
+# Uncomment this line to persist your data. Note that on OSX you need to share this
+# current directory in the Preference menu -> File Sharing menu.
+# volumes:
+# - ./pgdata:/pgdata
+
+ odm-decisionserverconsole:
+ image: $REPOSITORY/$PREFIXIMAGE-decisionserverconsole:$ODMVERSION
+ build:
+ context: ../
+ dockerfile: ./${ODMDOCKERDIR}/decisionserver/decisionserverconsole/Dockerfile
+ args:
+ - ODMDOCKERDIR=$ODMDOCKERDIR
+ - ODMVERSION=$ODMVERSION
+ - CP4BAVERSION=$CP4BAVERSION
+ - FROMLIBERTY=$FROMLIBERTY
+ - FROMDOCKERBUILD=$FROMDOCKERBUILD
+ - FROMLIBERTYBUILD=$FROMLIBERTY
+ links:
+ - dbserver
+ depends_on:
+ - dbserver
+ environment:
+ - ENABLE_TLS=true
+ - OPENID_MODE=PKCE
+ - OPENID_CONFIG=true
+ - OPENID_SERVER_URL=https://login.microsoftonline.com/90df2ccb-9053-40b8-9518-cc8835f62f7f
+ - OPENID_PROVIDER=azuread
+ - OPENID_CLIENT_ID=ee3b4617-c283-4a37-bca0-d81569a911f2
+ - OPENID_ALLOWED_DOMAINS=login.microsoftonline.com
+ ports:
+ - 9080:9080
+ - 1883:1883
+ - 9843:9443
+ volumes:
+ - ${PWD}/azuread/openIdWebSecurity.xml:/config/auth/openIdWebSecurity.xml
+ - ${PWD}/azuread/openIdParameters.properties:/config/auth/openIdParameters.properties
+ - ${PWD}/azuread/webSecurity.xml:/config/auth/webSecurity.xml
+# - ${PWD}/testprivatecertvolume:/config/security/private-cert-volume
+ - ${PWD}/testpubliccertvolume:/config/security/trusted-cert-volume
+
+ odm-decisionrunner:
+ image: $REPOSITORY/$PREFIXIMAGE-decisionrunner:$ODMVERSION
+ build:
+ context: ../
+ dockerfile: ./${ODMDOCKERDIR}/decisionserver/decisionrunner/Dockerfile
+ args:
+ - ODMDOCKERDIR=$ODMDOCKERDIR
+ - ODMVERSION=$ODMVERSION
+ - CP4BAVERSION=$CP4BAVERSION
+ - FROMLIBERTY=$FROMLIBERTY
+ - FROMDOCKERBUILD=$FROMDOCKERBUILD
+ - FROMLIBERTYBUILD=$FROMLIBERTY
+ links:
+ - dbserver
+ - odm-decisionserverconsole
+ depends_on:
+ - dbserver
+ - odm-decisionserverconsole
+ ports:
+ - 9070:9080
+ - 9743:9443
+ environment:
+ - ENABLE_TLS=true
+ - OPENID_CONFIG=true
+ - OPENID_MODE=PKCE
+ - OPENID_SERVER_URL=https://login.microsoftonline.com/90df2ccb-9053-40b8-9518-cc8835f62f7f
+ - OPENID_PROVIDER=azuread
+ - OPENID_CLIENT_ID=ee3b4617-c283-4a37-bca0-d81569a911f2
+ - OPENID_ALLOWED_DOMAINS=login.microsoftonline.com
+ - RES_URL=https://odm-decisionserverconsole:9443/res
+ volumes:
+ - ${PWD}/azuread/openIdWebSecurity.xml:/config/auth/openIdWebSecurity.xml
+ - ${PWD}/azuread/openIdParameters.properties:/config/auth/openIdParameters.properties
+ - ${PWD}/azuread/webSecurity.xml:/config/auth/webSecurity.xml
+ - ${PWD}/azuread/AzureADProvider.json:/config/auth/OdmOidcProviders.json
+# - ${PWD}/testprivatecertvolume:/config/security/private-cert-volume
+ - ${PWD}/testpubliccertvolume:/config/security/trusted-cert-volume
+
+ odm-decisionserverruntime:
+ image: $REPOSITORY/$PREFIXIMAGE-decisionserverruntime:$ODMVERSION
+ build:
+ context: ../
+ dockerfile: ./${ODMDOCKERDIR}/decisionserver/decisionserverruntime/Dockerfile
+ args:
+ - ODMDOCKERDIR=$ODMDOCKERDIR
+ - ODMVERSION=$ODMVERSION
+ - CP4BAVERSION=$CP4BAVERSION
+ - FROMLIBERTY=$FROMLIBERTY
+ - FROMLIBERTYBUILD=$FROMLIBERTY
+ - FROMDOCKERBUILD=$FROMDOCKERBUILD
+ environment:
+ - DECISIONSERVERCONSOLE_NAME=odm-decisionserverconsole
+ - ENABLE_TLS=true
+ - OPENID_CONFIG=true
+ - OPENID_MODE=PKCE
+ - OPENID_SERVER_URL=https://login.microsoftonline.com/90df2ccb-9053-40b8-9518-cc8835f62f7f
+ - OPENID_PROVIDER=azuread
+ - OPENID_CLIENT_ID=ee3b4617-c283-4a37-bca0-d81569a911f2
+ - OPENID_ALLOWED_DOMAINS=login.microsoftonline.com
+ links:
+ - dbserver
+ - odm-decisionserverconsole
+ depends_on:
+ - dbserver
+ - odm-decisionserverconsole
+ ports:
+ - 9090:9080
+ - 9943:9443
+ volumes:
+ - ${PWD}/azuread/openIdWebSecurity.xml:/config/auth/openIdWebSecurity.xml
+ - ${PWD}/azuread/openIdParameters.properties:/config/auth/openIdParameters.properties
+ - ${PWD}/azuread/webSecurity.xml:/config/auth/webSecurity.xml
+ - ${PWD}/azuread/AzureADProvider.json:/config/auth/OdmOidcProviders.json
+# - ${PWD}/testprivatecertvolume:/config/security/private-cert-volume
+ - ${PWD}/testpubliccertvolume:/config/security/trusted-cert-volume
+
+ odm-decisioncenter:
+ image: $REPOSITORY/$PREFIXIMAGE-decisioncenter:$ODMVERSION
+ build:
+ context: ../
+ dockerfile: ./${ODMDOCKERDIR}/decisioncenter/Dockerfile
+ args:
+ - ODMDOCKERDIR=$ODMDOCKERDIR
+ - ODMVERSION=$ODMVERSION
+ - CP4BAVERSION=$CP4BAVERSION
+ - FROMLIBERTY=$FROMLIBERTY
+ - FROMDOCKERBUILD=$FROMDOCKERBUILD
+ - FROMLIBERTYBUILD=$FROMLIBERTY
+ links:
+ - dbserver
+ depends_on:
+ - dbserver
+ environment:
+ - JVM_ARGS="-Xmx14000m"
+ - ENABLE_TLS=true
+ - OPENID_CONFIG=true
+ - OPENID_MODE=PKCE
+ - OPENID_SERVER_URL=https://login.microsoftonline.com/90df2ccb-9053-40b8-9518-cc8835f62f7f
+ - OPENID_PROVIDER=azuread
+ - OPENID_CLIENT_ID=ee3b4617-c283-4a37-bca0-d81569a911f2
+ - OPENID_ALLOWED_DOMAINS=login.microsoftonline.com
+ ports:
+ - 9060:9060
+ - 9643:9453
+ volumes:
+ - ${PWD}/azuread/openIdWebSecurity.xml:/config/auth/openIdWebSecurity.xml
+ - ${PWD}/azuread/openIdParameters.properties:/config/auth/openIdParameters.properties
+ - ${PWD}/azuread/webSecurity.xml:/config/auth/webSecurity.xml
+ - ${PWD}/azuread/AzureADProvider.json:/config/auth/OdmOidcProviders.json
+# - ${PWD}/testprivatecertvolume:/config/security/private-cert-volume
+ - ${PWD}/testpubliccertvolume:/config/security/trusted-cert-volume
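Review bot: The `dbserver` service publishes `5432:5432` on every host interface while its credentials are the fixed `POSTGRES_USER=odmusr` / `POSTGRES_PASSWORD=odmpwd`, so anyone who can reach the host can log in to the database. The other services reach it over the compose network (`links` / `depends_on`), so the mapping could be `- 127.0.0.1:5432:5432` or dropped. Separately, `OPENID_SERVER_URL` uses tenant `90df2ccb-9053-40b8-9518-cc8835f62f7f` in all four ODM services, whereas the mounted `azuread/openIdParameters.properties` and `azuread/AzureADProvider.json` added in this commit point at tenant `00df3463-7019-4488-aa48-b4ae46038334`. Which value wins at runtime is not visible here. A header comment such as `# Sample tenant and client IDs: replace with your own Azure AD registration` would make clear that these values must be replaced.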
diff --git a/standalone/Dockerfile b/standalone/Dockerfile
index a6b236fd..754c20e5 100644
--- a/standalone/Dockerfile
+++ b/standalone/Dockerfile
@@ -7,7 +7,7 @@ ENV ODMDOCKERDIR $ODMDOCKERDIR
ENV SCRIPT /script
ENV APPS /config/apps
ENV THIRDPARTY /thirdpartylib
-RUN apk add --no-cache ca-certificates
+RUN apt-get update && apt-get install unzip
COPY ${ODMDOCKERDIR}/decisioncenter/script ${ODMDOCKERDIR}/standalone/script ${ODMDOCKERDIR}/common/script ${ODMDOCKERDIR}/common/features ${SCRIPT}/
COPY ./executionserver/ /executionserver/
@@ -52,7 +52,6 @@ COPY ./teamserver/applicationservers/WLP*/decision*.war ${APPS}/
RUN set -ex; \
${SCRIPT}/extractApp.sh decisioncenter.war; \
- ${SCRIPT}/extractApp.sh decisionmodel.war; \
${SCRIPT}/extractApp.sh decisioncenter-api.war; \
mkdir -p ${APPS}/decisioncenter.war/WEB-INF/classes/config
diff --git a/standalone/config/httpSession.xml b/standalone/config/httpSession.xml
index 3b03f47e..3c7a188c 100644
--- a/standalone/config/httpSession.xml
+++ b/standalone/config/httpSession.xml
@@ -5,7 +5,7 @@
cookieName="odmdev_RELEASE_NAME"
invalidateOnUnauthorizedSessionRequestException="true"
invalidationTimeout="8h" />
-
+
diff --git a/standalone/dockerhub/full-description.md b/standalone/dockerhub/full-description.md
index 61dc9908..eef06401 100644
--- a/standalone/dockerhub/full-description.md
+++ b/standalone/dockerhub/full-description.md
@@ -21,7 +21,7 @@ docker pull icr.io/cpopen/odm-k8s/odm
- **Maintained by**: IBM ODM Team.
- **Supported architectures**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64))
- `amd64`, `ppc64le`, `s390x`
+ `amd64`, `ppc64le`, `s390x`, `arm64`
- **Source of this description**:
https://github.com/ODMDev/odm-ondocker/tree/master/standalone/dockerhub
@@ -30,7 +30,8 @@ docker pull icr.io/cpopen/odm-k8s/odm
- **Rule Designer development environment for ODM developers**:
Available from the [Eclipse marketplace](https://marketplace.eclipse.org/content/ibm-operational-decision-manager-developers-v-812x-rule-designer)
- Use [IDE 2022-06 R (4.24) Modeling Tools Packages](https://www.eclipse.org/downloads/packages/release/2022-06/r). The update site is https://raw.githubusercontent.com/ODMDev/ruledesigner/8.12.0.0/p2
+ Use [IDE 2022-06 R (4.24) Modeling Tools Packages](https://www.eclipse.org/downloads/packages/release/2022-06/r). The update site is https://raw.githubusercontent.com/DecisionsDev/ruledesigner/8.12.0/p2
+
- **Sample projects**: