IBM Business Automation Workflow on containers parameters

Edit online

Draft comment:
This topic only applies to BAW, and is located in the BAW repository. Last updated on 2025-01-20 10:38

Containers:
Each container image needs a set of values for its configuration parameters to create a Kubernetes deployment.

For IBM Business Automation Workflow on containers parameters, see IBM Business Automation Workflow Runtime and Workstream Services parameters.

Note: Ignore any parameters for Workstream Services, integrated Business Automation Insights, and FIPS. These are not included in stand-alone IBM Business Automation Workflow. However, you can configure your IBM Business Automation Workflow deployment with the IBM Business Automation Insights Extension to use the IBM Business Automation Machine Learning Server or to emit your business events.

There are other parameters that you can configure for IBM Business Automation Workflow on containers. The following tables list the configurable parameters and their default values. All properties are mandatory, unless they have a default value or are explicitly optional. Although the containers might seem to install correctly when some parameters are omitted, this configuration is not supported.

Elasticsearch or OpenSearch parameters
User Management Services (UMS) configuration parameters
Business Automation Insights Extension configuration parameters
Intelligent Task Prioritization configuration parameters

Elasticsearch or OpenSearch parameters

The following table lists the parameters for configuring Elasticsearch (now OpenSearch) in Process Federation Server. Earlier versions used Elasticsearch but now OpenSearch is used. The change does not affect the usage.

Table 1. Elasticsearch or OpenSearch configuration parameters (elasticsearch_configuration)
Parameter name	Description	Example values	Required
es_image.repository	OpenSearch image. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is `<path>/pfs-elasticsearch-prod` where `<path>` is `cp.icr.io/cp/cp4a/baw/`. If `sc_image_repository` has a value, the path is that value.	`<path>/pfs-elasticsearch-prod`	No
es_image.tag	OpenSearch image tag. If you want to use a specific image version, you can override the default tag or digest.	`24.0.0`	No
es_image.pull_policy	OpenSearch image pull policy. The default value is `IfNotPresent`.	`IfNotPresent`, `Always`	No
replicas	Number of initial OpenSearch pods. The default value is `1`.	`1`	No
service_type	How the HTTPS endpoint service should be published. The default value is `ClusterIP`.	`ClusterIP`	No
external_port	Port to which the OpenSearch server HTTPS endpoint will be exposed externally. This parameter is relevant only if `pfs_configuration.elasticsearch.service_type` is set to NodePort.		No
admin_secret_name	The OpenSearch administrative secret that contains the following keys: `.htpasswd`: A file listing the users and associated passwords that are allowed to authenticate. `username`: The name of a user referenced in the .htpasswd file. Process Federation Server pods use this user to connect to OpenSearch. `password`: The password of the user provided through the username key. Process Federation Server uses this password to connect to OpenSearch.		No
anti_affinity	Whether Kubernetes may (soft) or must not (hard) deploy OpenSearch pods onto the same node. The default value is `hard`.	`hard`, `soft`	No
service_account	Name of a service account to use. If `elasticsearch_configuration.privileged` is set to true, then this service account must allow running privileged containers. If not provided, `CUSTOM_RESOURCE_NAME-ibm-pfs-es-service-account` is used.	`CUSTOM_RESOURCE_NAME-ibm-pfs-es-service-account`	Yes
privileged	When set to true, a privileged container is created to run the appropriate sysctl commands so that the node that is running the pods can disable swapping and increase the limit on the number of open file descriptors. The default value is `false`.	`false`	No
probe_initial_delay	Initial delay for liveness and readiness probes of OpenSearch pods. The default value is `90`.	`90`	No
heap_size	JVM heap size to allocate to each OpenSearch pod. The default value is `1024m`.	`1024m`	No
monitor_enabled	Specify whether to use the built-in monitoring capability. The default value is `false`.	`false`	No
resources.limits.memory	Maximum memory (including JVM heap and file system cache) to allocate to each OpenSearch pod. The default value is `2Gi`.	`2Gi`	No
resources.limits.cpu	Maximum amount of CPU to allocate to each OpenSearch pod. The default value is `1000m`.	`1000m`	No
resources.requests.memory	Minimum memory required (including JVM heap and file system cache) to start an OpenSearch pod. The default value is `1Gi`.	`1Gi`	No
resources.requests.cpu	Minimum amount of CPU required to start an OpenSearch pod. The default value is `100m`.	`100m`	No
storage.persistent	Whether to enable persistent OpenSearch storage for Process Federation Server. Set to false for non-production or trial-only deployment. The default value is `true`.	`true`	No
storage.use_dynamic_provisioning	Set to true to use GlusterFS or another dynamic storage provisioner. The default value is `true`.	`true`	No
storage.size	Minimum resource quantity. The default value is `10Gi`.	`10Gi`	No
storage.storage_class	Storage class name for OpenSearch persistent storage. In production, configure the persistent volumes storing OpenSearch data to use block storage instead of file storage. For more details about block and file storage, see Object vs. File vs. Block Storage: What’s the Difference?		No
snapshot_storage.enabled	Set to true for production deployment. The default value is `false`.	`false`	No
snapshot_storage.use_dynamic_provisioning	Set to true to use GlusterFS or another dynamic storage provisioner. The default value is `true`.	`true`	No
snapshot_storage.size	Minimum resource quantity. The default value is `30Gi`.	`30Gi`	No
snapshot_storage.storage_class_name	Storage class name for OpenSearch persistent storage. The default value is `shared_configuration.storage_configuration. sc_fast_file_storage_classname`.	`shared_configuration.storage_configuration. sc_fast_file_storage_classname`	No
snapshot_storage.existing_claim_name	By default, a new PVC is to be created. Specify an existing claim here if one is available.		No

User Management Services (UMS) configuration parameters

Containers:
Following are the configuration parameters for the User Management Services (UMS) on Kubernetes.

UMS data source parameters

Most UMS data source configuration parameters are optional, the following parameters are required:

datasource_configuration.dc_ums_datasource.dc_ums_oauth_type
If the OAuth database type is db2 or oracle then the following parameters are also required:
- datasource_configuration.dc_ums_datasource.dc_ums_oauth_host
- datasource_configuration.dc_ums_datasource.dc_ums_oauth_port
- datasource_configuration.dc_ums_datasource.dc_ums_oauth_name
datasource_configuration.dc_ums_datasource.dc_ums_teamserver_type
If the teams database type is db2 then the following parameters are also required:
- datasource_configuration.dc_ums_datasource.dc_ums_teamserver_host
- datasource_configuration.dc_ums_datasource.dc_ums_teamserver_port
- datasource_configuration.dc_ums_datasource.dc_ums_teamserver_name

Table 2. UMS data source configuration parameters for the `datasource_configuration.dc_ums_datasource` section
Parameter	Description	Default/Example values	Required
`dc_ums_oauth_type`	The type of OAuth database. Important: Derby can only be used for test scenarios. It will not work in scenarios with more than one UMS pod. All data is lost when the pod is restarted.	`derby` `db2` `oracle` `sqlserver` `postgresql`	Yes
`dc_ums_oauth_host`	The host name of the OAuth database. It must be an accessible address, such as an IP, hostname, or Kubernetes service name.		If the OAuth database is `db2` or `oracle`.
`dc_ums_oauth_port`	The OAuth database port number.	`50000`	If the OAuth database is `db2` or `oracle`.
`dc_ums_oauth_name`	The name of the OAuth database.	`UMSDB`
`dc_ums_oauth_schema`	For Oracle databases, the schema name must be the user name of the database.		Can be specified if a schema was created.
`dc_ums_oauth_oracle_service_name`	If you connect to an Oracle Real Application Clusters (RAC) environment using Single Client Access Name (SCAN), configure the database service name in addition to the name of the Oauth database.		If you connect to an Oracle Real Application Clusters (RAC) environment using Single Client Access Name (SCAN).
`dc_ums_oauth_ssl`	Specify `true` if SSL will be used to secure the OAuth database connection.	The default value is `false`	If SSL will be used to secure the OAuth database connection.
`dc_ums_oauth_ssl_secret_name`	The name of the SSL secret.	`ibm-dba-ums-db2-cacert`	If SSL will be used to secure the OAuth database connection.
`dc_ums_oauth_driverfiles`	If you are using a database of type other than Db2® or derby, copy the driver files to the connected persistent volume (PV). Use the property `spec.ums_configuration.existing_claim_name` to point to the PV claim. During the deployment Operator picks up the driver files and configures the connection to the database	`db2jcc4.jar db2jcc_license_cu.jar`. Note: Db2 driver files are loaded automatically, only provide Oracle driver files if you are using Oracle.	If you are using a database of type other than Db2 or derby.
`dc_ums_oauth_alternate_hosts`	Only specify alternate OAuth database hosts if the OAuth database type is set to `db2HADR`.		If the OAuth database type is set to `db2HADR`.
`dc_ums_oauth_alternate_ports`	Only specify alternate OAuth database ports if the OAuth database type is set to `db2HADR`.		If the OAuth database type is set to `db2HADR`.
`dc_ums_teamserver_type`	The type of UMS Teams database. Important: Derby can only be used for test scenarios. It will not work in scenarios with more than one UMS pod. All data is lost when the pod is restarted.	`derby` `db2` `oracle` `sqlserver` `postgresql`	Yes
`dc_ums_teamserver_host`	The host name of the UMS Teams `db2` database.		If the UMS Teams database is `db2`.
`dc_ums_teamserver_port`	The UMS Teams `db2` database port.	`50000`	If the UMS Teams database is `db2`.
`dc_ums_teamserver_name`	The name of the UMS Teams database.	`UMSTEAMSDB`	If the UMS Teams database is `db2`.
`dc_ums_teamserver_schema`	Can be specified if a schema was created. For Oracle databases, the schema name must be the user name of the database.		Can be specified if a schema was created.
`dc_ums_teamserver_oracle_service_name`	If you connect to an Oracle Real Application Clusters (RAC) environment using Single Client Access Name (SCAN), configure the database service name in addition to the name of the UMS Teams database.		If you connect to an Oracle Real Application Clusters (RAC) environment using Single Client Access Name (SCAN).
`dc_ums_teamserver_ssl`	Specify `true` if SSL is be used to secure the UMS Teams database connection.	The default value is `false.`	If SSL is used to secure the UMS Teams database connection.
`dc_ums_teamserver_ssl_secret_name`	If SSL is used to secure the UMS Teams database connection, specify the name of the SSL secret.	`ibm-dba-ums-db2-cacert`	If SSL is used to secure the UMS Teams database connection.
`dc_ums_teamserver_driverfiles`	During the deployment Operator picks up the driver files and configures the connection to the UMS Teams database	`db2jcc4.jar db2jcc_license_cu.jar`.	No
`dc_ums_teamserver_alternate_hosts`	Only specify alternate UMS Teams database hosts if the UMS Teams database type is set to `db2HADR`.		If the UMS Teams database type is set to `db2HADR`
`dc_ums_teamserver_alternate_ports`	Only specify alternate UMS Teams database ports if the UMS Teams database type is set to `db2HADR`.		If the UMS Teams database type is set to `db2HADR`

UMS configuration parameters

Containers:
Configuration parameters for User Management Services (UMS). These are specified in the section ums_configuration.

Most configuration parameters are optional, only two parameters are required:

ums_configuration.images.ums.repository: The repository from where the UMS image is pulled.
ums_configuration.images.ums.tag: The UMS image tag.

Table 3. UMS configuration parameters for the `ums_configuration` section
Parameter	Description	Default/Example values	Required
`existing_claim_name`	The name of the Persistent Volume Claim for JDBC drivers and custom binaries.		No
`existing_claim_name_logstore`	The existing PVC for UMS logs, FFDC and access logs.		No
`use_custom_jdbc_drivers`	If the JDBC driver offered over `shared_configuration.sc_drivers_url` or the default JDBC drivers from ICP4BA should not be used, set this to true, so that the JDBC driver is read from the PV set as `existing_claim_name`. For more information on the `shared_configuration.sc_drivers_URL`, see Preparing customized versions of JDBC drivers.	The default value is `false`.	No
`dedicated_pods`	Specifies whether the UMS capabilities each run in dedicated pods. To run the UMS capabilities `sso`, `scim`, and `teamserver` in separate pods, use the value `true`. To run all UMS capabilities in one pod, use the value `false`.	In an enterprise deployment the default value is `true`. In a demo deployment, the default value is `false`.	No
`pod_disruption_budget.min_available` If you are not using dedicated pods locate the parameter in the `ums_configuration` section. If you are using dedicated pods you must specify the parameter for each UMS capability's pod separately within the `ums_configuration`, for example: `ums_configuration.sso.pod_disruption_budget.min_available` `ums_configuration.scim.pod_disruption_budget.min_available` `ums_configuration.teamserver.pod_disruption_budget.min_available`	Specifies the minimum number of pods that are available for the pod disruption budget.	The default value is `1`
`replica_count`	The number of pod replicas running by default.	The default value is `2`.	No
`backwards_compatibility_routes`	From 21.0.2, UMS uses the following pattern for host names: `ums-<suffix> ums-sso-<suffix> ums-teams-<suffix> ums-profiles-<suffix>` If you are upgrading and want routes to be created for backwards compatibility using the previously defined host names and certificates, set this to `true`. The old hostname pattern was: `ums.<suffix> ums-sso.<suffix> ums-teams.<suffix> ums-profiles.<suffix>`	The default value is `false`.	No
`service_type`	The type to expose the service as, for example, `Route` for external access or `NodePort` for internal tests.	The default value is `Route`.	No
`iam.delegation_enabled`	Specifies whether authentication is delegated to the Common Services Identity Access Management (IAM).	On OCP and ROKS, the default value is `true`. Otherwise, the default is `false`.	No
`iam.namespace`	The namespace where IAM is installed.	The default value is `ibm-common-services`.	No
`hostname`	The name of the host where the User Management Service will run.	If not specified, `hostname` is generated from `shared_configuration.sc_deployment_hostname_suffix`.	No
`port`	The port that will be used to access the User Management Service, for example, 443 when using SSL.	The default value is `443`.	No
`images.ums.repository`	The repository from where the UMS image is pulled.	If the repository `sc_image_repository` is available, it is used as the default. Otherwise, `cp.icr.io/cp/cp4a/ums/ums` is used as the default value.	Yes
`images.ums.tag`	The UMS image tag.	If the repository `sc_image_repository` is available, it is used as the default. Otherwise, if the current repository in not `cp.icr.io`, the current version is used as the default, for example `21.0.2`. Otherwise, if the repository `cp.icr.io` is used, the image digest is used as the default value.	No
`admin_secret_name`	The name of the secret that was generated for the UMS secret and database secret.	If not specified, the secret `ibm-dba-ums-secret` must be created.	No
`external_tls_secret_name`	Enables SSL with an existing certificate for the `ums-route` route. If this is set this is used rather than using `shared_configuration.external_tls_certificate_secret`.	If this is not set, the default is to use `shared_configuration. external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used.	No
`external_tls_ca_secret_name`	Certificate Authority (CA) used to sign the external TLS secret. If you don't want to provide a CA to sign the external TLS certificate, leave this empty, then .	The default is not to use a CA to sign the external TLS certificate.	No
`external_tls_teams_secret_name`	A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-teams-route` route that your clients will use to connect to UMS. If this is set this is used rather than using `shared_configuration.external_tls_certificate_secret`.	If this is not set, the default is to use `shared_configuration. external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used.	No
`external_tls_scim_secret_name`	A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-scim-route` route that your clients will use to connect to UMS. If this is set this is used rather than using `shared_configuration.external_tls_certificate_secret`.	If this is not set, the default is to use `shared_configuration. external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used.	No
`external_tls_sso_secret_name`	A secret that specifies the TLS certificate that represents the hostname or a common hostname suffix of the `ums-sso-route` route that your clients will use to connect to UMS. If this is set this is used rather than using `shared_configuration.external_tls_certificate_secret`.	If this is not set, the default is to use `shared_configuration. external_tls_certificate_secret`, but if that is also not set, then no external TLS certificate is used.	No
`oauth.client_manager_group`	The full DN of an LDAP group that is authorized to manage OIDC clients, in addition to the primary admin from the admin secret.		No
`oauth.token_manager_group`	The full DN of an LDAP group that is authorized to manage tokens, in addition to the primary admin from the admin secret.		No
`oauth.access_token_lifetime`	The lifetime of OAuth access_tokens.	The default value is `7200s`.	No
`oauth.app_token_lifetime`	The lifetime of app-tokens.	The default value is `366d`.	No
`oauth.app_password_lifetime`	The lifetime of app-passwords.	The default value is `366d`.	No
`oauth.app_token_or_password_limit`	The maximum number of app-tokens or app-passwords per client.	The default value is `100`.	No
`oauth.client_secret_encoding`	The encoding / encryption when storing client secrets in the OAuth database.	The default value is `xor` for compatibility. Recommended value is `PBKDF2WithHmacSHA512`.	No
`custom_secret_name`	The name of the existing secret for sensitive Liberty configuration, specified in XML format.		No
For UMS `resources`, `autoscaling`, `custom_xml`, and `logs.trace_specification`: If you are not using dedicated pods locate them in the `ums_configuration` section. If you are using dedicated pods you must specify each UMS capability's pod separately within the `ums_configuration`, for example: `ums_configuration.sso` `ums_configuration.scim` `ums_configuration.teamserver`	Kubernetes controls resources such as CPU and memory using requests and limits mechanisms. Requests are what the container is guaranteed to get. Limits make sure a container never goes above a certain value. A limit value cannot be lower than the corresponding request value. If you are not using dedicated pods for UMS capabilities (`ums_configuration.dedicated_pods` = `false`) you can specify `resources`, `autoscaling`, `custom_xml`, and `logs.trace_specification` for `ums_configuration`. If you are using dedicated pods for UMS capabilities (`ums_configuration.dedicated_pods` = `true`), you can specify `resources`, `autoscaling`, `custom_xml`, and `logs.trace_specification` for each UMS capability: `sso`, `scim`, and `teamserver`.	The default values are listed in the following rows.	No
If you are not using dedicated pods: `resources.limits.cpu` If you are using dedicated pods: `sso.resources.limits.cpu` `scim.resources.limits.cpu` `teamserver.resources.limits.cpu`	The maximum CPU limit.	The default value is `500m`.	No
If you are not using dedicated pods: `resources.limits.memory` If you are using dedicated pods: `sso.resources.limits.memory` `scim.resources.limits.memory` `teamserver.resources.limits.memory`	The maximum memory limit.	The default value is `512Mi`.	No
If you are not using dedicated pods: `resources.limits.ephemeral_storage` If you are using dedicated pods: `sso.resources.limits.ephemeral_storage` `scim.resources.limits.ephemeral_storage` `teamserver.resources.ephemeral_storage`	The maximum ephemeral storage limit.	The default value is `500Mi`.	No
If you are not using dedicated pods: `resources.requests.cpu` If you are using dedicated pods: `sso.resources.requests.cpu` `scim.resources.requests.cpu` `teamserver.resources.requests.cpu`	The minimum CPU.	The default value is `200m`.	No
If you are not using dedicated pods: `resources.requests.memory` If you are using dedicated pods: `sso.resources.requests.memory` `scim.resources.requests.memory` `teamserver.resources.requests.memory`	The minimum memory.	The default value is `256Mi`.	No
If you are not using dedicated pods: `resources.requests.ephemeral_storage` If you are using dedicated pods: `sso.resources.requests.ephemeral_storage` `scim.resources.requests.ephemeral_storage` `teamserver.requests.ephemeral_storage`	The minimum ephemeral storage limit.	The default value is `500Mi`.	No
If you are not using dedicated pods: `autoscaling.enabled` If you are using dedicated pods: `sso.autoscaling.enabled` `scim.autoscaling.enabled` `teamserver.autoscaling.enabled`	If `true`, pods are automatically scaled within the specified range.	The default value is `true`.	No
If you are not using dedicated pods: `autoscaling.min_replicas` If you are using dedicated pods: `sso.autoscaling.min_replicas` `scim.autoscaling.min_replicas` `teamserver.autoscaling.min_replicas`	The minimum number of replicas for autoscaling.	The default value is `2`.	No
If you are not using dedicated pods: `autoscaling.max_replicas` If you are using dedicated pods: `sso.autoscaling.max_replicas` `scim.autoscaling.max_replicas` `teamserver.autoscaling.max_replicas`	The maximum number of replicas for autoscaling.	The default value is `5`.	No
If you are not using dedicated pods: `autoscaling.target_average_utilization` If you are using dedicated pods: `sso.autoscaling.target_average_utilization` `scim.autoscaling.target_average_utilization` `teamserver.autoscaling.target_average_utilization`	The average CPU utilization for autoscaling. When the average utilization exceeds this target, then new pods are created.	The default value is `98`.	No
`use_custom_binaries`	Specify if any custom binaries are used.	The default value is `false`.	No
`custom_secret_name`	The name of the existing secret for sensitive Liberty configuration, specified in XML format.		No
If you are not using dedicated pods: `custom_xml` If you are using dedicated pods: `sso.custom_xml` `scim.custom_xml` `teamserver.custom_xml`	Custom configuration settings (optional, multi-line value). For LDAP configuration use `spec.ldap_configuration` parameters.		No
`logs.console_format`	The format of the UMS logs console.	The default value is `json`.	No
`logs.console_log_level`	The log level for the UMS logs console.	The default value is `INFO`.	No
`logs.console_source`	UMS logs console source.	The default value is `message,trace,accessLog,ffdc,audit`.	No
`logs.trace_format`	The format of the UMS logs trace.	The default value is `ENHANCED`.	No
`logs.max_files`	The maximum number of log files to use.	The default value is `2`.	No
`logs.max_file_size`	The maximum size of the log files in MB.	The default value is `20`.	No
If you are not using dedicated pods: `logs.trace_specification` If you are using dedicated pods: `sso.logs.trace_specification` `scim.logs.trace_specification` `teamserver.logs.trace_specification`	The UMS logs trace specification.	The default value is `*=info`.	No
`teamserver.admingroup`	The full DN of an LDAP group that is authorized to administer UMS Teams.	For the IBM Automation® Document Processing demo pattern, the default is `cn=ADPEnvironmentOwners,dc=example,dc=org`. For all other demo patterns, the default is `cn=TeamsAdmins,dc=example,dc=org`. For all enterprise (non-demo) patterns, there is no default.	No

UMS advanced parameters

Containers:
Configuration parameters for User Management Services (UMS).

Using these optional advanced UMS configuration parameters is described in the following sections:

Updating parameters if you do not have dedicated pods for UMS services enabled
Updating parameters if you have dedicated pods for UMS services enabled
UMS database JDBC connect pool sizes
UMS Health host/port, logging, and certificate checking
UMS Teams certificate checking

Updating parameters if you do not have dedicated pods for UMS services enabled

Because all UMS services run together in shared pods, you must use the ums_configuration.custom_xml property in the Custom Resource file to overwrite the default values of any of the advanced parameters. For example:

ums_configuration:
  custom_xml: |
    <server>
      <variable name="Parameter_Name" value="Value"/>
    </server>

Updating parameters if you have dedicated pods for UMS services enabled

Because each UMS service runs in its own pod, to overwrite the default values of any of these advanced parameters you must specify the custom_xml property for the appropriate UMS service pods separately in the Custom Resource file. For example:

ums_configuration:

  sso:
    custom_xml: |
      <server>
        <variable name="Parameter_Name" value="Value" />
      </server>

  scim:
    custom_xml: |
      <server>
        <variable name="Parameter_Name" value="Value" />
      </server>

  teamserver:
    custom_xml: |
      <server>
        <variable name="Parameter_Name" value="Value" />
      </server>

Important: Not all parameters apply to all pods. If you have dedicated pods, refer to the "Valid for pods" columns in the following tables to see which pods each parameter can be specified for.

UMS database JDBC connect pool sizes

You can configure the following database parameters:

Table 4. Optional UMS database advanced configuration parameters
Parameter Name	Description	Valid for pods	Default value
`ums.oauthdb.maxPoolSize`	The maximum size of the pool of UMS JDBC connections can be tuned to better utilize the CPU of the UMS SSO pod.	`sso`	`100`
`ums.oauthdb.minPoolSize`	The minimum size of the pool of UMS JDBC connections can be tuned to better utilize the CPU of the UMS SSO server pod.	`sso`	`2`
`ums.tsdb.maxPoolSize`	The maximum size of the pool of UMS JDBC connections can be tuned to better utilize the CPU of the UMS Teams server pod.	`teamserver`	`100`
`ums.tsdb.minPoolSize`	The minimum size of the pool of UMS JDBC connections can be tuned to better utilize the CPU of the UMS Teams server pod.	`teamserver`	`2`

UMS Health host/port, logging, and certificate checking

To configure UMS Health, you can use the following advanced parameters for all pods:

Table 5. Optional UMS Health advanced configuration parameters
Parameter Name	Description	Valid for pods	Default value
`ums.health.useLocalHostAndPort`	Specifies whether local host and local port are used instead of server host and server port if the health modules are automatically detected or the URLs of modules do not specify host and port explicitly. This setting can be needed if a reverse proxy or load balancer is used. By default, server host and server port are used in this case, that is, the load balancer or reverse poxy address, or in general, the same host and port the original request was sent to. This setting only has an effect if the fallback host and port is not specified.	All pods	`false`
`ums.health.fallbackHostAndPort`	The fallback host and port are used when the health modules are automatically detected or the URLs of modules do not specify host and port explicitly. If the fallback host and port is not specified, either the server host and server port or the local host and local port are used in the case, depending on the `useLocalHostAndPort` setting.	All pods	`https://127.0.0.1:9443`
`ums.health.logHealthFailuresOnStartup`	Specifies whether on server startup, all failing results of health calls are logged as warnings. This logging stops when the first health call returns success. This feature can help to analyze situations when the server fails to start.	All pods	`true`
`ums.health.disableCNCheck`	Configures whether the common name verification of server SSL certificates is disabled. This allows UMS to connect to an OpenID Connect provider with an SSL certificate that does not match its host name.	All pods	`false`
`ums.health.disableCertificateCheck`	Configures whether the certificate verification is disabled. This allows connection to an OpenID Connect provider whose certificate is not in the truststore.	All pods	`false`

UMS Teams certificate checking

You can configure the following advanced parameters:

Table 6. Optional UMS Teams advanced configuration parameters
Parameter Name	Description	Valid for pods	Default Value
`ums.teams.registration.disableCNCheck`	Configures whether the common name verification of server SSL certificates is disabled. This allows UMS Teams to connect to an OpenID Connect provider with an SSL certificate that does not match its host name.	`sso` and `teamserver`	`false`
`ums.teams.registration.disableCertificateCheck`	Configures whether the certificate verification is disabled. This allows UMS Teams to connect to an OpenID Connect provider whose certificate is not in the truststore.	`sso` and `teamserver`	`false`
`ums.teams.scim.disableCNCheck`	Configures whether the common name verification of server SSL certificates is disabled. This allows UMS Teams to connect to a SCIM server with an SSL certificate that does not match its host name.	`teamserver`	`false`
`ums.teams.scim.disableCertificateCheck`	Configures whether the certificate verification is disabled. This allows UMS Teams to connect to a SCIM server whose certificate is not in the truststore.	`teamserver`	`false`

Business Automation Insights Extension configuration parameters

The following parameters are for the Kafka client that is required for enabling the event emitters.

Table 7. Kafka configuration parameters (Kafka)
Parameter name	Description
secret_name	The name of the Kubernetes secret that contains the Kafka username, password and SSL server certificate in base64-encoded strings. If you are enabling an event emitter, this parameter is required.
topic	The name of the topic in the Kafka cluster that is sent business events. The default value is `'icp4ba-bai-ingress'`.
bootstrap_servers	A comma-separated list of hosts and ports that connect to the Kafka cluster. The hosts and ports are in the format `host:port`. If you are enabling an event emitter, this parameter is required.
dynamic_generate_connection_info	When integrating the Business Automation Insights server with its pod deployed alongside the Intelligent Task Prioritization server pod in the same project, setting this parameter to `true` triggers automatic retrieval of Kafka connection information. This information then replaces any existing connection values. When the parameter is set to `false`, the operator relies on the provided connection information, irrespective of whether the Business Automation Insights server pod and the Intelligent Task Prioritization server pod share the same project. The default value is `False`

Intelligent Task Prioritization configuration parameters

The following table lists the parameters for configuring Intelligent Task Prioritization on IBM Business Automation Workflow on containers. All parameters are required if you want to enable Intelligent Task Prioritization. For additional parameters that you can use, see Intelligent Task Prioritization configuration parameters.

Table 8. Intelligent Task Prioritization configuration parameters (intelligent_task_prioritization)
Parameter name	Description
search_engine.endpoint	The search engine endpoint URL that connects to the search engine cluster. The parameter is in the format `https://hostname:port`. You can omit the port value when the value is `443`. For example: `endpoint: "https://iaf-system-es-bai.apps.bai.cp.fyre.ibm.com:443"`
search_engine.secret_name	The name of the Kubernetes secret that holds the username, password and SSL server certificate that is required for connecting to the search engine server. All values in the secret must be in base64-encoded strings.
search_engine.dynamic_generate_connection_info	When integrating the Business Automation Insights server with its pod deployed alongside the Intelligent Task Prioritization server pod in the same project, setting this parameter to `true` triggers automatic retrieval of search engine connection information. This information then replaces any existing connection values. When the parameter is set to `false`, the operator relies on the provided connection information, irrespective of whether the Business Automation Insights server pod and the Intelligent Task Prioritization server pod share the same project. The default value is `False`