IBM Support

Unable to log in to an Operational Decision Manager console because of referrer check

Question & Answer


Question

I am unable to log in when accessing the ODM console (Decision Center, Rule Execution Server) through the WebSEAL reverse proxy, but I am able to log in successfully when accessing the WebSphere Application Server directly. How do I configure ODM to allow login when using the reverse proxy? I am unable to log in to the RES console after updating to a new fix pack (e.g. 8.5.1.1) that implements a referrer check; how can I configure the ODM RES console to allow login through a reverse proxy?

Cause

A referrer check, possibly newly introduced through a product fix, may be preventing users from logging in when a reverse proxy such as WebSEAL is used to access the ODM console.
This problem is particularly likely when "TLS termination" mode is enabled on the reverse proxy: the browser sends a Referer header naming the proxy's https:// address, while the application server reconstructs its own (typically http://) address for the request, so the two origins no longer match and the check rejects the login.

Answer

Option 1 - Use IBM HTTP Server (IHS)

The first recommendation when faced with a referrer check issue with ODM on WebSphere Application Server is to follow the security hardening guidelines that typically advocate the use of IHS as the web server (see WebSphere Application Server security).

When configuring the plug-in, make sure to uncheck "Remove special headers" as per the screenshot below:

[Screenshot: web server plug-in properties page with "Remove special headers" unchecked]

Option 2 - Disable the referrer check

A second option is to disable the referrer check in the ODM console.
For the ODM Decision Center Enterprise Console, follow the instructions in Decision Center and WebSEAL.
For the Decision Center Business Console, comment out the following section in decisioncenter.war/WEB-INF/web.xml:

    <filter-mapping>
        <filter-name>securityCheckPointFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


For the ODM RES console, similarly comment out the following section in jrules-res-management.war/WEB-INF/web.xml:

    <filter-mapping>
        <filter-name>CSRFValidationFilter</filter-name>
        <url-pattern>/protected/*</url-pattern>
    </filter-mapping>



Option 3 - Implement a custom referrer check

A third option is to disable the ODM referrer check as per the instructions above and add a custom referrer check implementation as per the instructions in Sample custom security filter for Decision Center or Decision Server consoles.

Option 4 - For ODM 8.10.x

To configure the security checks in the Business Console, use the following Java system properties:
com.ibm.rules.decisioncenter.check-referer : set to false to disable the check
com.ibm.rules.decisioncenter.url-form-check-exclusion-patterns : pattern to be excluded from any check
com.ibm.rules.decisioncenter.referer-check-url-exclusion-patterns : pattern to be excluded from the referer check
Using a pattern like the following in either of those exclusion properties should help (note the colon after the scheme, since the Referer header carries a full URL such as https://host/...): ^https?:\/\/<reverse-proxy-host>/decisioncenter/.*
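To make the mechanism behind Options 3 and 4 concrete, the following is an added example, not ODM code and not the behaviour of the securityCheckPointFilter or CSRFValidationFilter as shipped: a minimal same-origin Referer check of the kind a custom security filter would implement, with an exclusion-pattern escape hatch modelled on the Option 4 properties. The host names (was.example.internal, webseal.example.com) and port numbers are constructed placeholders; the ODM filters' exact comparison rules are not documented on this page, so the comparison here (scheme plus host plus port) is an assumption. The scenarios show why TLS termination on the proxy breaks the plain check, why the exclusion pattern fixes it, and that a Referer from an unrelated site is still rejected even with the pattern in place.

```python
import re
from urllib.parse import urlsplit

# Added example: a model of a Referer-based same-origin check with an
# exclusion-pattern bypass, modelled on the Option 4 system properties.
# Not ODM's own filter code; host names below are constructed placeholders.


def origin_of(url):
    """Return 'scheme://host[:port]' of a URL, or None if scheme or host is missing."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_allowed(referer, request_url, exclusion_patterns=(), check_referer=True):
    """Decide whether a request passes the referer check.

    referer            -- value of the Referer header ('' if the browser sent none)
    request_url        -- the request URL as the application server reconstructs it
    exclusion_patterns -- regexes (Option 4 style) that bypass the check when the
                          Referer matches; matching is anchored at the start
    check_referer      -- mirrors com.ibm.rules.decisioncenter.check-referer
    """
    if not check_referer:
        return True
    for pattern in exclusion_patterns:
        if re.match(pattern, referer):
            return True
    ref_origin = origin_of(referer)
    if ref_origin is None:
        # Missing or malformed Referer: a strict check rejects the request.
        return False
    return ref_origin == origin_of(request_url)


# Constructed scenario data. With TLS termination the browser talks https to
# WebSEAL, which forwards the request to WebSphere over plain http, so the
# Referer origin and the server-side request origin differ.
DIRECT_REFERER = "https://was.example.internal:9443/decisioncenter/login"
DIRECT_REQUEST = "https://was.example.internal:9443/decisioncenter/j_security_check"
PROXY_REFERER = "https://webseal.example.com/decisioncenter/login"
PROXIED_REQUEST = "http://was.example.internal:9080/decisioncenter/j_security_check"
OTHER_SITE_REFERER = "https://other-site.example/some/page"

# Option 4 style pattern with the reverse-proxy host filled in (hypothetical host).
EXCLUSION = [r"^https?://webseal\.example\.com/decisioncenter/.*"]


def scenarios():
    """Run the four situations discussed above and return their outcomes."""
    return {
        # Direct access to WebSphere: origins match, login allowed.
        "direct": referer_allowed(DIRECT_REFERER, DIRECT_REQUEST),
        # Through WebSEAL with TLS termination and no exclusion: rejected.
        "via_proxy_tls_termination": referer_allowed(PROXY_REFERER, PROXIED_REQUEST),
        # Same, with the Option 4 exclusion pattern configured: allowed.
        "via_proxy_with_exclusion": referer_allowed(
            PROXY_REFERER, PROXIED_REQUEST, exclusion_patterns=EXCLUSION
        ),
        # Referer from an unrelated site is still rejected despite the pattern.
        "other_site_with_exclusion": referer_allowed(
            OTHER_SITE_REFERER, PROXIED_REQUEST, exclusion_patterns=EXCLUSION
        ),
        # check-referer=false disables the check entirely (the blunt option).
        "check_disabled": referer_allowed(
            OTHER_SITE_REFERER, PROXIED_REQUEST, check_referer=False
        ),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28s} -> {'allowed' if allowed else 'rejected'}")
```

The pattern is anchored to the proxy host, so it widens the check only for URLs served through that proxy rather than switching the check off; compare this with check-referer=false, which the last scenario shows accepts any Referer at all.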


Document Information

Modified date:
10 June 2020

UID

swg21684689