Enabling full text search

You can customize IBM® Business Automation Workflow to enable full text search, either for Runtime or for Authoring.

To learn more about potential implications associated with the enabled full text search, see also Full text search implications.

Enabling full text search for Runtime

Customize IBM Business Automation Workflow Runtime to enable full text search.

Procedure

  1. To enable full text search, update the baw_configuration section in your custom resource (CR). 
    baw_configuration:
- name: instancename
  full_text_search: 
    enable: true
  2. To locate the full text search index in an OpenSearch instance that is deployed as part of Business Automation Workflow on containers, make sure that you configured shared_configuration.sc_optional_components: opensearch in your CR.
    For more information about OpenSearch options, see Referencing your own Elasticsearch or Opensearch cluster External link opens a new window or tab.
  3. To use your own external Elasticsearch or OpenSearch:
    1. Add a new network policy for Elasticsearch or OpenSearch as shown in the following example. See Connecting endpoints to external services over TLS External link opens a new window or tab. 
      kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: bastudio-allow-external-os
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      com.ibm.cp4a.networking/egress-external-app-component: BAW
  egress:
    - ports:
        - protocol: TCP
          port: <ElasticSearch/Opensearch port>
      to:
        - ipBlock:
          cidr: <ElasticSearch/Opensearch IP address>
      Then, update your CR. The following example shows an external OpenSearch.
      baw_configuration:
    elasticsearch:
      ## Required only when you want to use external Elasticsearch or OpenSearch for "data collector and data indexer" function. Endpoint of external Elasticearch or OpenSearch, such as: https://<external_es_host>:<external_es_port>.
      endpoint: ""
      ## Required only when you want to use external Elasticsearch or OpenSearch for "data collector and data indexer" function. The external Elasticsearch or OpenSearch administrative secret that contains the keys: username and password.
      admin_secret_name: ""
    2. If you want to connect to Elasticsearch or OpenSearch using an SSL/TLS connection, create an external Elasticsearch or OpenSearch TLS certificate and add it to the trustlist. See the instructions in IBM Business Automation Workflow Runtime and Workstream Services parameters External link opens a new window or tab.
  4. Apply the updated Business Automation Workflow CR.

Enabling full text search for Authoring

Customize IBM Business Automation Workflow Authoring to enable full text search.

Procedure

To enable full text search, you have two options: Use the OpenSearch instance that is deployed as part of Business Automation Workflow on containers, or use your own external Elasticsearch or OpenSearch.

  1. To use an OpenSearch instance that is deployed as part of Business Automation Workflow on containers, make sure that you enable the data collector and data indexer by configuring shared_configuration.sc_optional_components: pfs in your custom resource (CR).
    For more information about OpenSearch options, see Using OpenSearch provided by IBM Cloud Pak® foundational services External link opens a new window or tab.
  2. To use your own external Elasticsearch or OpenSearch:
    1. Add a new network policy for Elasticsearch or OpenSearch as shown in the following example. See the information about network policies in Configuring cluster security External link opens a new window or tab. 
      kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: bastudio-allow-external-os
  namespace: <namespace>
spec:
  podSelector:
    matchLabels:
      com.ibm.cp4a.networking/egress-external-app-component: BAS
  egress:
    - ports:
        - protocol: TCP
          port: <ElasticSearch/Opensearch port>
      to:
        - ipBlock:
          cidr: <ElasticSearch/Opensearch IP address>
      Then, update your CR. The following example shows an external OpenSearch without authentication.
      
  workflow_authoring_configuration:
    elasticsearch:
      endpoint: http://<external_es_host>:<external_es_port
    2. If your external Elasticsearch or OpenSearch has authentication enabled, create an administrator secret following the instructions in IBM Business Automation Workflow Authoring parameters External link opens a new window or tab.
      Then, add the admin_secret_name parameter in the CR. The following example shows an external OpenSearch with authentication.
      
  workflow_authoring_configuration:
    elasticsearch:
      endpoint: https://<external_es_host>:<external_es_port>
      admin_secret_name: external-es-secret
    3. If you want to connect to Elasticsearch or OpenSearch using an SSL/TLS connection, create an external Elasticsearch or OpenSearch TLS certificate and add it to the trustlist. See the instructions in Connecting endpoints to external services over TLS External link opens a new window or tab.
    4. To customize the external search, see the external Elasticsearch or OpenSearch parameters listed in IBM Business Automation Workflow Authoring parameters External link opens a new window or tab.
  3. Apply the updated Business Automation Workflow Authoring CR.

Full text search implications

When you enable the full text search, be also aware of some potential user experience and performance implications during high user load.

  • When full text search is enabled, Process Federation Server, either embedded or external, is used as backend. As CometD notifications are not available in federated environments, Process Portal refreshes the task list automatically at a default interval of 60 seconds. If you observe a performance impact, you can adjust the default value of the com.ibm.bpm.portal.federatedRefreshInterval mashup property as needed. For more information, see Configuring mashup custom properties.
  • When the task list is processed for task assignment, the system needs the list of groups that users belong to in order to filter the tasks to return, which increases the number of requests to the server. For example, the filter can retrieve all the tasks assigned to a given user and all the unclaimed tasks that are available to the groups that the user is a member of. To avoid retrieving the group list on every request, you can configure the userGroupCheckInterval Process Federation Server property, which controls the duration between the requests to refresh the user's cached group information. Assigning a value to the userGroupCheckInterval configuration property can bring some relief to the platform-identity-management pods. For more information, see Configuration properties for the Process Federation Server index.
    For example, you can declare a Liberty configDropin with the following content. In the example, all the properties remain unchanged except userGroupCheckInterval, which is increased from 5 minutes (300s) to 10 minutes (600s). You can adjust the value as needed.
    <?xml version="1.0" encoding="UTF-8"?>
<server description="IBM Process Federation Server">
  <!-- REST API CONFIGURATION -->
  <ibmPfs_restConfig
      userGroupCheckInterval="600s"
      systemStatusCheckInterval="${env.PFS_REST_SYSTEM_STATUS_INTERVAL}"
      bdFieldsCheckInterval="${env.PFS_REST_BD_FIELDS_INTERVAL}"
      checkOwnerExist="${env.PFS_REST_CHECK_OWNER_EXIST}"
      scimUrl="${env.PFS_REST_SCIM_URL}"
      scimUsername="${PFS_REST_SCIM_USERNAME}"
      scimPassword="${PFS_REST_SCIM_PASSWORD}"
      scimTokenUrl="${env.PFS_REST_SCIM_TOKEN_URL}"
      scimConnectTimeout="${env.PFS_REST_SCIM_CONNECT_TIMEOUT}"
      scimReadTimeout="${env.PFS_REST_SCIM_READ_TIMEOUT}"
      scimCheckURLSpoofing="${env.PFS_REST_SCIM_CHECK_URL_SPOOFING}"
  />
</server>