Customizing Business Automation Workflow Runtime to connect to Workflow Center on premise

Using Business Automation Workflow on containers, you can establish a connection to and work with IBM® Workflow Center running on a traditional runtime environment.

Before you begin

Cluster security must allow Business Automation Workflow runtime to make an outgoing connection to the Workflow Center on premise. For more information, see Configuring cluster security.

About this task

Business Automation Workflow on containers can connect to a Workflow Center if you configure the workflow_center section of the custom resource (CR) YAML file.

Procedure

Create a TLS secret in the operator by using the root certificate authority certificate of Workflow Center so that it can be recognized as a trusted server:

  1. Extract the Workflow Center root SSL certificate.
    1. In the Workflow Center WebSphere® administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    2. Select the root certificate and click Extract.
    3. Name the file. For example, name the file WorkflowCenter.cert.
    4. For the data type, select Base64-encoded ASCII data.
    5. Click Apply. From the message, note where the certificate is stored on the file system.
  2. Copy the file and create the secret:
    1. Copy the certificate from step 1 to Business Automation Workflow Runtime.
    2. On the Business Automation Workflow runtime environment, run the following oc command to create a secret:
      oc create secret generic baw-tls-secret --from-file=tls.crt=/root/WorkflowCenter.cert
    3. Add this secret to the trust list section of the Business Automation Workflow CR file, for example:
      baw_configuration:
      - name: instance1
        tls:
          tls_trust_list: [baw-tls-secret]
  3. Create a new secret that holds the username and password of the Workflow Center administrator.
    1. On the Business Automation Workflow runtime environment, create a new secret called ibm-baw-wc-secret by adding the following content to the adminSecrets4operator-ctnrs.yaml file. This secret contains the credentials of an administrator for Workflow Center, for example:
      apiVersion: v1
      kind: Secret
      metadata:
        name: ibm-baw-wc-secret
      type: Opaque
      stringData:
        username: deadmin
        password: deadmin
    2. Apply the adminSecrets4operator-ctnrs.yaml file to the runtime environment:
      oc apply -f ./adminSecrets4operator-ctnrs.yaml
  4. Update the following parameters in the workflow_center section of the Business Automation Workflow CR YAML file to apply changes to your deployment environment, for example:
      baw_configuration:
      - name: instance1
        workflow_center:
          url: "https://<Workflow Center host name>:<Workflow Center port>/ProcessCenter"
          secret_name: "ibm-baw-wc-secret"
          heartbeat_interval: 30
    After these steps, Business Automation Workflow Runtime appears on the Servers page for Workflow business automations.
  5. So that the Workflow Center recognizes Business Automation Workflow Runtime as a trusted server, complete these steps:
    1. Extract the Cloud Pak for Business Automation operator root CA certificate and copy it to the server where Workflow Center is located. For instructions, see Exporting the root CA certificate.
    2. Extract the router-ca certificate of Business Automation Workflow Runtime:
      oc get secret router-ca -n openshift-ingress-operator -o template --template='{{ index .data "tls.crt" }}' | base64 --decode > routercaPS.crt
    3. In the Workflow Center WebSphere administrative console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.
    4. Click Add and enter your-path/zenRootCA.crt, your-path/csRootCA.crt, and your-path/routercaPS.crt that you got from the previous steps.
    5. Click OK to add the certificate.
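
Before running the oc create secret command in step 2, the extracted file can be checked locally. The following script is an added example, not part of the IBM procedure: the function names check_trust_cert and check_endpoint are hypothetical, it assumes openssl is installed where the file was copied, and the expiry and CA-flag checks are extra sanity checks that the procedure itself does not require.

```shell
#!/bin/sh
# Added example (not IBM code): sanity-check the extracted Workflow Center root
# certificate before storing it in baw-tls-secret. Function names are hypothetical.

# check_trust_cert FILE
# returns 0 ok, 1 missing/empty, 2 not PEM, 3 unparsable, 4 expired, 5 not a CA
check_trust_cert() {
  cert=$1
  [ -s "$cert" ] || { echo "missing or empty: $cert" >&2; return 1; }

  # Step 1.4 selects Base64-encoded ASCII data (PEM); a binary export has no header.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "not PEM: extract again as Base64-encoded ASCII data" >&2; return 2; }

  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "openssl cannot parse $cert" >&2; return 3; }

  # -checkend 0 exits non-zero when the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 4; }

  # Added check: a root in a trust list should carry basicConstraints CA:TRUE.
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
    || { echo "not a CA certificate (was a leaf extracted?)" >&2; return 5; }

  # Print identity details to compare with the WebSphere console entry.
  openssl x509 -in "$cert" -noout -subject -issuer -enddate -fingerprint -sha256
}

# check_endpoint HOST PORT FILE: succeeds when the Workflow Center TLS chain
# verifies against FILE. Needs network access to the server.
check_endpoint() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check.sh /root/WorkflowCenter.cert [<host> <port>]
if [ "$#" -ge 1 ]; then
  check_trust_cert "$1" || exit $?
  if [ "$#" -ge 3 ]; then
    if check_endpoint "$2" "$3" "$1"; then
      echo "endpoint chain verifies against $1"
    else
      echo "endpoint chain does NOT verify against $1" >&2; exit 6
    fi
  fi
fi
```

The same check_trust_cert function can be run on routercaPS.crt from step 5 before it is added to CellDefaultTrustStore.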