Configuration parameters for the FTM solutions
These parameters can be used in the custom resource for your FTM solution. Unless otherwise indicated, the parameters are configured in the spec structure in the YAML.
The password properties in the following table are optional when you create the instance for your FTM solution. If you choose not to define values for these properties, the operator generates a default password with the characteristics that are described in the table. The table also shows the secrets where the FTM operator stores the passwords that it generates.
Define values for these properties in one or more secrets. Point to those secrets in the FTM custom resource. If you place the values directly in the custom resource, or if the operator generates default passwords, the values are placed in new secrets per the following table. However, if these secrets are later deleted, the operator cannot re-create them and the values cannot be recovered.
Credential | Custom resource property | Secret name and key | Default password |
---|---|---|---|
Application password | spec.config.security.password | | The default password is a random string that is 15 characters long. |
Keystore password | spec.config.security.keyStorePassword | | The default password is a random string that is 15 characters long. |
Truststore password | spec.config.security.trustStorePassword | | The default password is a random string that is 15 characters long. |
version
Parameter name | Description |
---|---|
version | The version of FTM to deploy. |
account
Parameter name | Description |
---|---|
account.imagePullPolicy | The policy to use for pulling images. For more information, see the Kubernetes documentation. |
account.imagePullSecrets | The list of secrets to use for pulling images. |
account.serviceAccountName | The name of the service account to use for the FTM pods. If this parameter is not specified, the default service account is used. |
account.supplementalGroups | A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If this parameter is not specified, no groups are added to any container. |
config.database
If TLS is configured for Db2®, provide the location of the Db2 TLS certificate in the FTM custom resource during deployment. If TLS is not enabled for Db2, omit the certificate parameters in the custom resource. For more information about configuring TLS for Db2, see the IBM® Db2 documentation.
Parameter name | Description |
---|---|
authentication | The authentication method to use for the database. The default value is SERVER_ENCRYPT. |
autoConfig.enable | This parameter must be set to false. |
certificate | The certificate authority for the database (ca.crt). This optional parameter can reference a secret or configmap that contains the certificate value. |
certificate.valueFrom.secretKeyRef.name | The name of the secret that contains the TLS certificate to use for Db2. |
certificate.valueFrom.secretKeyRef.key | The name of the key in the secret that contains the certificate file. |
database | The name of the database to use. For example, FTMDB . |
enableTLS | This parameter is used to enable communication to the database over TLS. The default value is true. |
host | The hostname or IP address of the database server. |
password | The password for the database. This optional parameter can reference a secret or configmap that contains the password value. |
port | The port number to use to connect to the database. The default value is 50000. |
schema | The schema name of the database to use. For example, FTM . |
username | The username to use for the database. The default value is db2inst1 . |
config.instance
Parameter name | Description |
---|---|
config.instance.solution | The FTM solution to deploy. The operator deploys the appropriate pods. The solutions are shown in the following list. |
config.mq
To enable TLS communication for IBM MQ incoming traffic, configure it in the FTM custom resource during deployment. You need to provide the TLS certificate for IBM MQ and the cipher specification. If you do not want to enable TLS for IBM MQ, omit its certificate parameter in the custom resource.
Parameter name | Description |
---|---|
config.mq.adminPassword | The password for the IBM MQ queue manager. |
config.mq.adminUser | The username to use for the IBM MQ queue manager. The default value is admin. |
config.mq.availabilityType | The type of availability to use. The values for this parameter are shown in the following list. |
config.mq.certificate.ca | The text of the certificate authority or a reference to a secret. |
config.mq.certificate.certificate | The text of the certificate or a reference to a secret. |
config.mq.certificate.key | The text of the key or a reference to a secret. |
config.mq.certificate.secretName | The name of the secret that contains the certificate, key, and certificate authority. |
config.mq.certificateLabel | The SSLCertificateLabel for the IBM MQ endpoint policy that is used by the IBM App Connect Enterprise integration servers. The default value is aceKeyStore. |
config.mq.channel | The queue manager channel that applications use to communicate with IBM MQ. The default value is QMLDAP.SVRCONN. |
config.mq.cipherSpec | The cipher specification for the IBM MQ queue manager. The default value is TLS_RSA_WITH_AES_128_CBC_SHA256. |
config.mq.cipherSuite | The cipher suite for the IBM MQ queue manager. The default value is SSL_RSA_WITH_AES_128_CBC_SHA256. |
config.mq.enableConfigJob | This parameter must be set to false. |
config.mq.enableTLS | This parameter is used to enable communication to IBM MQ over TLS. The default value is true. |
config.mq.host | The hostname or IP address of the IBM MQ server. |
config.mq.logFilePages | |
config.mq.password | The password that the FTM applications use to connect to IBM MQ. This parameter can reference a secret or a configmap that has the password. |
config.mq.port | The TCP port number for the IBM MQ server. |
config.mq.queueManagerName | The name of the IBM MQ queue manager channel. |
config.mq.restPort | The TCP port number for the IBM MQ REST API. The default value is 9443. |
config.mq.username | The username that the FTM applications use to connect to IBM MQ. |
config.security
Parameter name | Description |
---|---|
config.security.password | The password for the FTM instance. |
config.security.enableTLS | This parameter is used to enable TLS for FTM applications. The default value is true. |
config.security.keyStorePassword | The password to use to access the keystore for FTM. |
config.security.trustStorePassword | The password to use to access the truststore for FTM. |
config.security.mtls.label | The label of the certificate to use for mTLS. Mutual TLS is enabled by specifying this parameter. Omit this parameter from the custom resource to disable mTLS. |
config.security.certificate.ca | The text of the certificate authority or a reference to a secret. |
config.security.certificate.certificate | The text of the certificate or a reference to a secret. |
config.security.certificate.key | The text of the key or a reference to a secret. |
config.security.certificate.secretName | The name of the secret that contains the certificate, key, and certificate authority. |
config.security.additionalCertificates | A list of certificates that can be mounted to the FTM pods. The certificates are specified as a list of SecretKeyRef parameters, each with the name of the secret and the key. Omit the additionalCertificates parameter if you do not have more certificates for the pods. |
config.security.additionalApplicationPasswords | You can specify other usernames and passwords that the FTM applications need to use. For example, credentials for a shared archive server. |
config.security.networkPolicy.dnsPort | The port number for the Red Hat® OpenShift® DNS service. The default is 5353. |
config.security.networkPolicy.egress | Egress rules that apply to all the deployed pods. You need to add rules to allow connections to an external database or to an instance of IBM MQ. |
config.security.networkPolicy.ingress | Ingress rules that apply only to pods in the yellow network zone. |
config.security.mtls
IBM MQ must be enabled for TLS before you can enable mutual TLS (mTLS). To disable mTLS, omit the config.security.mtls.label parameter from the FTM custom resource when you are deploying FTM.
Parameter name | Description |
---|---|
config.security.mtls.label | The label of the certificate to use for mTLS. Mutual TLS is enabled by specifying this parameter. Omit this parameter from the custom resource to disable mTLS. |
config.security.oidc
Parameter name | Description |
---|---|
config.security.oidc.oAuth2ClientID | The client ID for the OAuth 2 client. |
config.security.oidc.oAuth2Issuer | The OAuth 2 issuer. |
config.security.oidc.oAuth2DiscoveryEndpoint | The discovery endpoint of OAuth 2. |
config.security.oidc.oAuth2IntrospectionURL | The URL for token introspection in OAuth 2. |
config.security.oidc.oAuth2Scope | The scope of the OAuth 2 request. |
config.security.oidc.userNameAttribute | The attribute in the token to use as the username. |
config.security.oidc.jwkSetURI | The URI for retrieving the JSON Web Key Set (JWKS) for verifying JWT signatures. |
config.security.oidc.jwtIssuerURI | The URI identifying the JWT issuer. |
config.security.oidc.oAuth2ClientSecret | The secret for OAuth 2 client. |
config.ui
Parameter name | Description |
---|---|
config.ui.domain | The external URL for the user interface. |
config.ui.ewsService | The URL for the EWS service. |
config.ui.externalComponents | The host and IIOP port numbers for all the components that are external to the user interface. |
config.ui.externalComponents
Parameter name | Description |
---|---|
config.ui.externalComponents.approvalsEngine.host, config.ui.externalComponents.approvalsEngine.port | The host and IIOP port number for the Approvals engine. |
config.ui.externalComponents.businessRulesEngine.host, config.ui.externalComponents.businessRulesEngine.port | The host and IIOP port number for the Business Rules engine. |
config.ui.externalComponents.businessRulesManager.host, config.ui.externalComponents.businessRulesManager.port | The host and IIOP port number for Business Rules Manager. |
config.ui.externalComponents.businessRulesServer.host, config.ui.externalComponents.businessRulesServer.port | The host and IIOP port number for Business Rules Server. |
config.ui.externalComponents.distributionEngine.host, config.ui.externalComponents.distributionEngine.port | The host and IIOP port number for the Distribution engine. |
config.ui.externalComponents.gatewayEngine.host, config.ui.externalComponents.gatewayEngine.port | The host and IIOP port number for the Gateway engine. |
config.ui.externalComponents.nocEngine.host, config.ui.externalComponents.nocEngine.port | The host and IIOP port number for the NOC Management engine. |
config.ui.externalComponents.riskEngine.host, config.ui.externalComponents.riskEngine.port | The host and IIOP port number for the Risk engine. |
config.ui.externalComponents.rtpEngine.host, config.ui.externalComponents.rtpEngine.port | The host and IIOP port number for the Real Time Payments engine. |
config.ui.externalComponents.servicesEngine.host, config.ui.externalComponents.servicesEngine.port | The host and IIOP port number for the Services Framework engine. |
config.ui.externalComponents.settlementEngine.host, config.ui.externalComponents.settlementEngine.port | The host and IIOP port number for the Settlement engine. |
config.ui.externalComponents.vettingEngine.host, config.ui.externalComponents.vettingEngine.port | The host and IIOP port number for the Vetting engine. |
init
For more information about these parameters, see the Kubernetes documentation.
Parameter name | Description |
---|---|
init.default.initContainers | A list of the init containers to be added to every FTM pod. If you do not want to use these init containers for every pod, you can configure which pods to exclude. |
init.default.exclude | A list of the FTM pods that you don't want to add the default init containers to. |
init.workloads.initContainers | A list of init containers to be added to specific FTM pods only. |
init.workloads.name | The names of the FTM pods to add this list of workload init containers to. |
license
Parameter name | Description |
---|---|
license.accept | Accept the license for FTM. The allowed values are true or false. |
license.use | Specify how this deployment of FTM is to be used. The allowed values are shown in the following list. |
license.value or license.valueFrom | Provide the license key in Base64 encoding. These parameters are optional. |
resources
You can specify one or more resources in the FTM custom resource. For more information about these parameters, see the Kubernetes documentation.
Parameter name | Description |
---|---|
resources[].name | The name of the resource. |
resources[].containers | The container configuration to use for this resource. |
resources[].containers.[<name of the container>].securityContext | The security context that needs to be set for a specific container. The name of the container variable indicates where to specify the real name of the container that you want to configure the security context for. For more information on the fields that are supported for a container security context, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container. |
resources[].containers.[<name of the container>].volumeMounts | The list of volume mounts to add for a specific container. The name of the container variable indicates where to specify the real name of the container that you want to configure the volume mounts for. For more information about how to specify volume mounts for supported volumes, see https://kubernetes.io/docs/concepts/storage/volumes/. |
resources[].replica | The number of replicas for the resource. |
resources[].maxReplicas | The maximum number of replicas that can be created for this resource. The default is 1. |
resources[].securityContext | The security context that needs to be set for the resource. For more information on the fields that are supported for a pod security context, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod. |
resources[].scheduling.affinity | The scheduling affinity for the resource. |
resources[].scheduling.tolerations | The tolerations for the resource. |
resources[].scheduling.topologySpreadConstraint | The topology spread constraints for the resource. |
resources[].volumes[] | A list of volumes to attach to the resource. For more information about the volumes that are supported, see https://kubernetes.io/docs/concepts/storage/volumes/. |
```yaml
spec:
  resources:
    - name: default
      securityContext:
        runAsUser: 1000
        runAsGroup: 5000
        supplementalGroups: [0]
```
The FTM pods need to be configured with a supplemental group ID of 0 to access files in the containers owned by that group.
By default, the pods in Red Hat OpenShift run with a restricted Security Context Constraint (SCC) and cannot run with a custom user ID or group ID. If you set a custom user ID and group ID for the FTM pods, the FTM instance needs to run with a service account. This service account needs to have access to an SCC with the needed privileges. You can configure this service account by using the service account name parameter in the custom resource. For more information about the account configuration parameters, see Table 3.
default
Settings that you specify in the default resource for the container that is named default are applied to all FTM containers.
```yaml
spec:
  resources:
    - containers:
        default:
          env:
            - name: MYENVVAR
              value: myvalue
          volumeMounts:
            - name: config-vol
              mountPath: /etc/config-custom
      name: default
      volumes:
        - name: config-vol
          configMap:
            name: custom-config
```
The following example mounts the same volume only in the ftm-ui-js container of the ftm-ui resource.
```yaml
spec:
  resources:
    - containers:
        ftm-ui-js:
          volumeMounts:
            - name: config-vol
              mountPath: /etc/config-custom
      name: ftm-ui
      volumes:
        - name: config-vol
          configMap:
            name: custom-config
```
scheduling
For more information about these parameters, see the Kubernetes documentation.
Parameter name | Description |
---|---|
scheduling.affinity | The scheduling affinity for the pods. |
scheduling.tolerations | The tolerations for the pods. |
scheduling.topologySpreadConstraint | The topology spread constraints for the pods. |
storage
Parameter name | Description |
---|---|
storage.claimName | Specify the name of the PersistentVolumeClaim to use for this storage. If you specify this parameter, do not specify the storage.spec parameter. This parameter is optional. |
storage.default.spec.accessModes | Specify a list of the access modes that the storage needs to have. The list needs to contain the ReadWriteMany parameter. |
storage.default.spec.resources.requests.storage | The minimum amount of storage that the volume needs to have. |
storage.default.spec.storageClassName | The name of the storage class to use for the persistent volumes. |
storage.spec | Specify the PersistentVolumeClaimSpec template for the storage. If you specify this parameter, the storage.claimName parameter is not used. This parameter is optional. For more information, see the Kubernetes documentation. |
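A pre-deployment check that encodes the constraints this reference states across the config.database, config.mq, config.security, resources and storage tables: autoConfig.enable and enableConfigJob must be false, storage.claimName and storage.spec must not both be specified, accessModes must contain ReadWriteMany, a custom securityContext still needs supplemental group 0, mTLS requires MQ TLS, and credentials should point at secrets rather than sit inline. This is an added example, not IBM's operator code; the custom resource is constructed, and the valueFrom reference shape for password fields is assumed to match the documented certificate.valueFrom.secretKeyRef parameter.

```python
PASSWORD_PATHS = ["config.security.password", "config.security.keyStorePassword",
                  "config.security.trustStorePassword", "config.database.password",
                  "config.mq.password", "config.mq.adminPassword"]

def get_path(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; return default if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return default
        obj = obj[part]
    return obj

def lint_ftm_cr(cr):
    """Return a list of findings for an FTM custom resource (empty list means no issue found)."""
    spec = cr.get("spec", {})
    findings = []
    if get_path(spec, "config.database.autoConfig.enable") is not False:
        findings.append("config.database.autoConfig.enable must be set to false")
    if get_path(spec, "config.mq.enableConfigJob") is not False:
        findings.append("config.mq.enableConfigJob must be set to false")
    # mTLS (config.security.mtls.label) is only valid when MQ TLS is enabled (default true).
    if get_path(spec, "config.security.mtls.label") and get_path(spec, "config.mq.enableTLS", True) is False:
        findings.append("config.security.mtls.label requires config.mq.enableTLS to be true")
    storage = spec.get("storage", {})
    if "claimName" in storage and "spec" in storage:
        findings.append("storage.claimName and storage.spec must not both be specified")
    modes = get_path(storage, "default.spec.accessModes")
    if modes is not None and "ReadWriteMany" not in modes:
        findings.append("storage.default.spec.accessModes must contain ReadWriteMany")
    # Inline credentials land in operator-created secrets that cannot be re-created if lost.
    for path in PASSWORD_PATHS:
        value = get_path(spec, path)
        if value is not None and not (isinstance(value, dict) and "valueFrom" in value):
            findings.append(f"{path} is set inline; reference a secret via valueFrom instead")
    # A custom securityContext must still grant supplemental group 0 for container file access.
    for res in spec.get("resources", []):
        sc = res.get("securityContext")
        if sc is not None and 0 not in sc.get("supplementalGroups", []):
            findings.append(f"resources[{res.get('name')}].securityContext lacks supplementalGroups [0]")
    return findings

# Constructed sample custom resource with several deliberate mistakes (not from the product docs).
SAMPLE_CR = {"spec": {
    "config": {
        "database": {"autoConfig": {"enable": False}, "host": "db2.example.internal",
                     "password": {"valueFrom": {"secretKeyRef": {"name": "ftm-db2", "key": "password"}}}},
        "mq": {"enableConfigJob": True, "enableTLS": False, "password": "inline-mq-password"},
        "security": {"mtls": {"label": "ftm-mtls"}},
    },
    "storage": {"claimName": "ftm-data", "default": {"spec": {"accessModes": ["ReadWriteOnce"]}}},
    "resources": [{"name": "default", "securityContext": {"runAsUser": 1000, "runAsGroup": 5000}}],
}}
```

Running `lint_ftm_cr(SAMPLE_CR)` reports five findings for the sample; a resource that omits securityContext entirely is not flagged, because the restricted SCC then applies.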