Option 2: Installing a production deployment in the OpenShift console

Operator lifecycle manager (OLM) helps you to install, update, and manage the lifecycle of all operators and services that are deployed in OpenShift® clusters.

Before you begin

  1. If you created an air gap environment, you must complete the steps in Option 2: Preparing your cluster for an air-gapped (offline) deployment before you install the operator. In other cases, complete the steps in Option 1: Preparing your cluster for an online deployment.
  2. Then follow the relevant steps to prepare the patterns that you want to install. For more information, see Preparing your chosen capabilities.
    Note: If you cannot run the cp4a-prerequisites.sh script and you want to use an external Postgres DB (PostgreSQL or EDB Postgres) for the Cloud Pak foundational services, then you must create the required Secret and ConfigMap in the target CP4BA deployment namespace. For more information, see Setting up an external PostgreSQL database server for IM External link opens a new window or tab and Configuring an external PostgreSQL database for Zen External link opens a new window or tab.
    The custom Secret and ConfigMap for the external Postgres DB must use the following names for the CP4BA operator to detect them.
    • ibm-zen-metastore-edb-secret
    • ibm-zen-metastore-edb-cm
  3. Log in to your OCP or ROKS cluster.
  4. If you used the All namespaces option to install the Cloud Pak operator, switch to the project that you created for your CP4BA deployment. For example, cp4ba-project.
  5. In the Installed Operators view, verify the status of the IBM Cloud Pak for Business Automation operator installation reads succeeded, and verify the deployment by checking all the pods are running.
Warning: If your target cluster is ROKS classic and the worker nodes rebooted, then you must synchronize the time on each of the worker nodes before you deploy the CP4BA custom resource. To synchronize the times on the worker nodes, run the following command from a connected client:
oc get no -l node-role.kubernetes.io/worker --no-headers -o name | xargs -I {} --  oc debug {} -- chroot /host sh -c 'systemctl restart chronyd'

About this task

Operator lifecycle manager is part of the Operator Framework External link opens a new window or tab, which is an open source toolkit that is designed to manage Kubernetes applications in an effective, automated, and scalable way.

IBM provides operators to OpenShift in the form of a catalog. The catalog is added to an OpenShift cluster and appears in the OpenShift Operator Hub.

Procedure

  1. Use the operator instance to apply a custom resource by clicking CP4BA deployment > Create Instance.
  2. In the Form View of the deployment editor, enter the values for everything that you want to include in your deployment.
    1. Enter a Name, or use the default icp4adeploy.
    2. Enter the appVersion 25.0.0.
    3. Accept the License by setting the value to true.
    4. Set Deployment Type to production.
    5. Open the Shared Configuration section and enter values for the following parameters. For more information about the shared parameters, see Shared configuration parameters.
      Table 1. Shared configuration parameters
      Shared configuration parameter Value
      Purchased CP4BA license Set to production or non-production.
      Platform Set to OCP or ROKS.
      root_ca_secret The default is icp4a-root-ca.
      sc_drivers_url Necessary if you want to use your own JDBC drivers and/or need to provide ICCSAP drivers. Provide the URL of the accessible web server on which the compressed JDBC driver files and ICCSAP driver files are packaged.

      For example, http://hostname:8888/jdbc.zip.

      For more information, see Optional: Preparing customized versions of JDBC drivers and ICCSAP libraries.
      external_tls_certificate_secret Set to the name of the secret that is used to store a wildcard certificate (and concatenated signers) to be used by all routes. If the value is empty, all external routes are signed with root_ca_secret.
      Content initialization Enable or disable ECM (FNCM) and BAN initialization.
      IM Settings If you do not want to use cpadmin for the default_admin_username parameter, provide a non-default admin user the IBM Identity Management (IM) foundational service.
      Content verification Enable or disable the ECM (FNCM) and BAN verification.
      Trusted certificate list If the root certificate authority (CA) key of the external service is not signed by the operator root CA key, provide the TLS certificate of the external service to the component's truststore.

      If the secret does not exist, then a self-signed signer certificate is generated. For more information, see Providing the root CA certificate.

      Important: If you choose to use self-signed certificates, certain features of the product might not work as expected because of modern browser restrictions that are related to self-signed certificates. A browser blocks any redirect to a site that uses a certificate that is not signed by a root CA that is trusted by the browser. This can result in access issues for business applications.
      Profile Size Set the profile that you want to use for your deployment. The default is small.

      For a small-sized deployment, the size of the Cloud Pak foundational services instance is set to starterset.

      For a deployment that includes cpe and the profile size is set to medium or large, then the size of the Cloud Pak foundational services instance is set to medium. If your deployment does not include cpe, then the size of the Cloud Pak foundational services instance is set to small.

      Note: If you select any of the content, workflow, workstreams, workflow-workstreams, or document_processing capabilities or cpe is added to either sc_optional_components or ecm_configuration, then cpe is installed.

      The setting of the Cloud Pak foundational services profile occurs at installation. If you change the CP4BA deployment profile, it does not change the Cloud Pak foundational services CR. You must update the Cloud Pak foundational services CR independently.

      To determine the real size that is needed for Cloud Pak foundational services, do proper performance testing with your intended workload and modify the CR of the services to the correct size. If you modify the CRs in the OCP Console, you are warned that they are managed by another resource. When you save your changes the CP4BA operators accept the updates.

      The same applies to an EDB Postgres instance. If you install a CP4BA deployment with EDB Postgres, the CP4BA operator creates an EDB Postgres deployment with the size and number of replicas that match the CP4BA profile size. However, if you change the profile size of the CP4BA deployment after the installation, the sizing of the EDB Postgres is not updated to match the new profile. Update the EDB Postgres CR independently.
      Tip: Use the following command to edit the EDB Postgres deployment post-installation.
      oc edit cluster postgres-cp4ba

      To update the size, increase the instances parameter. The following example sets the instances parameter to 2.

      spec:
  affinity:
    podAntiAffinityType: preferred
  bootstrap:
    initdb:
      database: app
      encoding: UTF8
      localeCType: C
      localeCollate: C
      owner: app
  certificates:
    serverCASecret: icp4adeploy-pg-custom-ssl-secret
    serverTLSSecret: icp4adeploy-pg-custom-ssl-secret
  enablePDB: true
  enableSuperuserAccess: true
  failoverDelay: 0
  imageName: icr.io/cpopen/edb/postgresql:14.17-5.15.0@sha256:99589ee11b50af8ed6355a5f9c2272ce1fc7f9a13e80fda8eda5883a332782a3
  imagePullSecrets:
  - name: ibm-entitlement-key
  instances: 2
  logLevel: info
  maxSyncReplicas: 0
  minSyncReplicas: 0
      Enable sample network policies generation for CP4BA To create sample network policies from the CP4BA capability templates, set the value to true. For more information, see Configuring cluster security.
      Purchased FNCM license If you set IBM FileNet®® Content Manager (FNCM) to true, set the value to production, non-production, user, concurrent-user, or authorized-user. Otherwise, leave the value empty.
      Purchased BAW license If you set IBM Business Automation Workflow to true, set the value to production, non-production, or user. Otherwise, leave the value empty.
      Storage configuration Select a file-based dynamic storage class and a block storage class from the list that is installed in your cluster for each of the storage class fields: Slow storage for production, Medium storage for production, Fast storage for production, and Block storage.
      Admin user The default administrator user for Application/Workflow/Workstreams. After you enter the value, you can skip the setting for Studio, Applications, and Workflow/Workstreams configuration. Designate an existing LDAP user for the Studio/Application Engine playback server or Application Engine or Workflow/Workstreams admin user.
      Note: To use Application Engine or Application Engine playback server, this user ID must be in the IBM Business Automation Navigator administrator role, as specified in appLoginUsername in the Navigator secret. This user must also belong to the Business Teams admin group or the Business Teams Administrators team. Otherwise, follow the instructions in Completing post-deployment tasks for Application Engine to add it to the Navigator administrator role and Teams server admin group.
      Enable/disable FIPS The default FIPS mode is false.
    6. Select the capabilities that you want to include.
      Tip: If you do not want to include a capability, leave the value as false. For more information about the capabilities and their dependencies, see Capabilities for production deployments.
      • FileNet Content Manager
      • Business Automation Application
      • Workflow Process Service Authoring
      • Operational Decision Manager
      • Automation Decision Services
      • Automation Document Processing

        Select Automation Document Processing Runtime for a runtime environment.

        Automation Document Processing does not support Linux® on IBM Z® (s390x) and Linux on Power® (ppc64le) architecture.

      • Automation Workflow/Workstream Services (a) Workflow Authoring (b) Workflow Runtime

        Select (b) Workflow Runtime to install Automation Workstream Services with Business Automation Workflow or Workstreams only.

    7. Select the optional components that you want to include. Optional components are available based on the capability that you select.
      • FileNet Content Manager
        • Business Automation Insights
        • Content Search Services
        • IBM Content Management Interoperability Services
        • IBM Task Manager
        • IBM Enterprise Records
        • IBM Content Collector for SAP
      • Business Automation Application
        • Application Designer
        • Enable Data Persistence
      • Business Automation Workflow Process Service Authoring
        • Business Automation Insights
        • Data Collector and Data Indexer
        • Exposed OpenSearch Services
      • Operational Decision Manager
        • Decision Center
        • Decision Runner
        • Decision Server Runtime
        • Business Automation Insights
      • Automation Decision Services
        • Automation Decision Services Designer
        • Automation Decision Services Runtime
      • Automation Document Processing
        • Content Search Services
        • IBM Content Management Interoperability Services
        • IBM Task Manager
        • Automation Document Processing Runtime
      • Automation Workflow/Workstream Services (workflow_authoring)
        • Business Automation Insights
        • Data Collector and Data Indexer
        • Exposed Kafka Services
      • Automation Workflow/Workstream Services (workflow_runtime)
        • Business Automation Insights
        • Exposed Kafka Services
        • Exposed OpenSearch
    8. Open the Advanced Configuration section, enter valid values for the LDAP Configuration, Database Configuration, Initialization Configuration, Business Automation Studio Configuration, Application Engine Configuration, Decision Management Configuration, Automation Decision Services Configuration, Enterprise Content Management Configuration, Document Processing Engine Configuration, and Workflow Authoring Configuration. Then enter valid values for the parameters of the selected capabilities in the list. For more information about configuring each capability in the YAML View, see Checking and completing your custom resource.
      Note: You can change the Enable to use Postgres option from false to true for each of the capability components that need a database. enable edb
      Restriction:
      • Due to a limitation in the Form View, the field values are not validated. Make sure that you enter all the required fields with a correct value.
      • Due to a limitation in the Form View, for some capabilities the database server fields such as the server name, port, and SSL secret are not hidden when EDB Postgres is enabled. When EDB Postgres is enabled for a component, then ignore the database fields if they are displayed.
      • Due to a limitation in the Form View, the User and Group Filter configurations show all the LDAP types whichever LDAP (MSAD/TDS/Ping) is selected.
      • Due to a limitation in the Form View, the repo_service_url parameter in IBM FileNet Content Manager is still visible when IBM Automation Document Processing (ADP) runtime is set to false. You do not need to set a value for this configuration parameter if you do not want to include ADP.
      • If you only want to install ADP, the Business Automation Studio Configuration appears in Advanced configuration of the Form View due to a limitation. Ignore the Studio and Playback parameters as these are not needed. Before you click Create, remove the bastudio_configuration section in the YAML view.
      • If you want to configure GraphQL for the Enterprise Content Management capability, add a verification configuration, or add missing parameters for the initialization configuration, switch to the YAML view and add the parameters in the CR file.
      Note: You can copy and paste parameters from the custom resource templates in the YAML View and edit the parameters. Go to the relevant folder in cert-kubernetes/descriptors/patterns to find all the templates. For more information about downloading cert-kubernetes, see Preparing a client to connect to the cluster. You can edit the CR file in the editor, but it is best if you have the CR complete and verified before you save your changes in the editor. For example, go to http://www.yamllint.com/ External link opens a new window or tab to verify the contents of your file.

      If you want to use a local image registry, add the sc_image_repository parameter to point to the URL of the local registry. 

      shared_configuration:
   sc_image_repository: myimageregistry.com/project_name
   ...
   storage_configuration:

      For more information about the olm_ configuration parameters, see Business Automation configuration parameters for Operator Hub. You can add and remove parameters in the YAML View. You can switch between the Form View and the YAML View to complete your configuration.

      If you choose the Workflow pattern, the Business Automation Insights configuration is always added, even if you don't select the optional Business Automation Insights component.

  3. When you are ready, click Create.

    The page switches to the CP4BA deployment tab, where you can watch the Status. Verify that the deployment is running.

  4. You can click the deployment name (icp4adeploy), and go to the Conditions section at the bottom of the page to see the status updates and any messages.

    You can also click the YAML tab to monitor the state of the selected capabilities.

Results

If EDB Postgres is used

If you selected EDB Postgres as the database, the CP4BA operator creates an EDB Cluster customer resource for the EDB instance (postgres-cp4ba), and sets the authentication to the instance to use sslmode=verify-ca. The postgres-cp4ba instance hosts the CP4BA capabilities, and runs in a single pod (postgres-cp4ba-1). Multiple pods can be created by scaling up. A secret (postgres-cp4ba-app) is created that contains access information to the EDB cluster.

For each database that the operator creates in the EDB Postgres instance, it has a corresponding entry in the pg_hba.conf file for the database user to have access to it. For example, the user gcdusr, has access to the database gcddb.

The operator also generates the client certificate {{ meta.name }}-pg-client-cert-secret for the users to authenticate. The secret contains the following keys:
  • clientkey.pem
  • clientcert.pem
  • serverca.pem
  • sslmode

The EDB Postgres instance is not accessible outside of the cluster. To view the database in the EDB Postgres instance, use the following command.

oc rsh postgres-cp4ba-1 -n <project-name>

From inside the EDB Postgres instance, you can run the psql command. By using the terminal-based front end to PostgreSQL you can type in queries interactively, issue them to PostgreSQL, and see the query results. For more information, see psql External link opens a new window or tab.

psql -U postgres

If Content services user-based license is used

If the sc_deployment_fncm_license parameter is set to concurrent-user or authorized-user, the CP4BA operator installs the following resources to report user metrics to IBM License Service.

  • A sidecar collector that collects the metrics from the runtime and sends these records to a derby database. The collector includes a LSCollector.conf file that contains the derby JDBC URL. For more information about the CPE License Service Collector container (lscollector), see Content Platform Engine parameters.
  • A deployment that is named <meta.name>-lsreporter-content-deploy reports user metrics, stored by the sidecar collector, in a Derby database. For more information about the Reporter container (lsreporter), see FNCM License Service Reporter parameters.

    This deployment includes a service that is named <meta.name>-derby-content-svc, which runs in the lsreporter pod to facilitate the connection to the Derby database. The Derby server is SSL enabled with basic authentication. For more information, see Starting the server with SSL/TLS External link opens a new window or tab. When the SSL mode is set to basic, the server accepts only SSL encrypted connections. The derby credentials are stored in the secret ibm-fncm-secret as derbyPassword and derbyUsername. If the keys are not in the secret, the operator uses the default values.

    Note: If you want to change the password, you must change the value in the secret. An update to the password triggers a restart of the reporter and the collector.

What to do next

How to access the capability services

A ConfigMap is created in the namespace to provide the cluster-specific details to access the services and applications. Components that are successfully deployed have URLs in the ConfigMap. If any components failed, the URLs are not included. The ConfigMap name is prefixed with the deployment name (default is icp4adeploy). You can find the ConfigMap containing the routes information by clicking Workloads > ConfigMaps and then searching for the string "cp4ba-access-info".

ConfigMaps

The contents of the ConfigMap depends on the components that are included. Each component has one or more URLs.

<component1> URL: <RouteUrlToAccessComponent1>  
<component2> URL: <RouteUrlToAccessComponent2>
Note: The bastudio-access-info section provides access information for the Cloud Pak dashboard (Zen UI) and Business Automation Studio, which is installed by several patterns including Business Automation Workflow. The included URLs and credentials can be used to access the applications designers of the installed components.

When all the containers are running, you can access the services.

Tip: If you want or need to update values in a deployment that you made in the Form View, you must edit the deployment in the YAML View. You can edit true or false values in the Form View, but the other parameters need to be done in the YAML View. You can access the custom resource from the YAML tab, or by clicking Actions > Edit ICP4ACluster.

YAML view

Business Automation Studio leverages the IBM Cloud Pak® Platform UI (Zen UI) to provide a role-based user interface for all Cloud Pak capabilities. Capabilities are dynamically available in the UI based on the role of the user that logs in. You can find the URL for the Zen UI by clicking Networking > Routes and looking for the name cpd, or by running the following command.

oc get route |grep "^cpd"

You have two options to log in, Enterprise LDAP and IBM provided credentials (cpadmin only). To log in to the Admin Hub to configure the LDAP, then click IBM provided credentials (cpadmin only). You can get the details for the IBM-provided cpadmin user by getting the contents of the platform-auth-idp-credentials secret in the namespace used for the CP4BA deployment. 

oc -n <namespace> get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' | base64 -d && echo

If you want to log in using the configured LDAP, then click Enterprise LDAP and enter the cp4admin user and the password in the cp4ba-access-info ConfigMap. The cp4admin user has access to Business Automation Studio features.

If you want to add more users, you need to log in with the Zen UI administrator. The kubeadmin user in the Red Hat OpenShift authentication and the IBM-provided cpadmin user have the Zen UI administrator role.

You can change the default password at any time. For more information, see Changing the cluster administrator password External link opens a new window or tab.

After you created a CP4BA deployment, the operator automatically connects your LDAP to IAM. The users and groups you defined in your LDAP are now available via IAM.

At this point, you must associate your users and groups to Zen roles to be able to use them in all the CP4BA applications. IBM Automation® has four roles defined: Automation Administrator, Automation Analyst, Automation Developer, and Automation Operator. For more information, see Roles and permissions External link opens a new window or tab.

Log in to the Common Web UI External link opens a new window or tab to get the IBM Cloud Pak console route and admin's password. Use the Platform UI (Zen) External link opens a new window or tab to create a group for your CP4BA Developers, and add your LDAP users and groups to this group. You then need to assign the Zen group with the Automation Developer role.

Note: If you included multiple capabilities from FileNet Content Manager (FNCM), Automation Document Processing (ADP), and Business Automation Application (BAA) in your CP4BA deployment, then use the Navigator for CP4BA heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

If you included FileNet Content Manager (FNCM) without the other capabilities, then use the Navigator for FNCM heading in the cp4ba-access-info ConfigMap and the custom resource status fields to find the route URL for Business Automation Navigator.

To enable logs and monitoring add the wanted YAML to the CR in the YAML view. For example, the following parameters provide custom setting for the content pattern.

  monitoring_configuration:
    collectd_disable_host_monitoring: false
    collectd_interval: 10
    collectd_plugin_write_graphite_host: localhost
    collectd_plugin_write_graphite_port: 2003
    collectd_plugin_write_prometheus_port: 9103
    mon_enable_plugin_mbean: true
    mon_enable_plugin_pch: true
    mon_metrics_writer_option: 4
  logging_configuration: 
    mon_log_parse: true
    mon_log_shipper_option: "1"
    mon_log_service_endpoint: example.com:9200
    private_logging_enabled: false
    logging_type: default
    mon_log_path: /path_to_extra_log
  ecm_configuration:
    cpe:
      logging_enabled: true
      monitor_enabled: true
    css:
      logging_enabled: true
      monitor_enabled: true
    graphql:
      logging_enabled: true
      monitor_enabled: true
    cmis:
      logging_enabled: true
      monitor_enabled: true
    es:
      logging_enabled: true
      monitor_enabled: true
Tip: Run the post-installation script on your cluster to further validate your deployment. For more information, see Recommended: Validating your production deployment.

Some capabilities need you to follow post-deployment steps. For more information, see Completing post-installation tasks.