Configuration parameters for the FTM solutions

These parameters can be used in the custom resource for your FTM solution. Unless otherwise indicated, the parameters are configured in the spec structure in the YAML.

The password properties in the following table are optional when you create the instance for your FTM solution. If you choose not to define values for these properties, the operator generates a default password with the characteristics that are described in the table. The table also shows the secrets where the FTM operator stores the passwords that it generates.

Define values for these properties in one or more secrets. Point to those secrets in the FTM custom resource. If you place the values directly in the custom resource, or if the operator generates default passwords, the values are placed in new secrets per the following table. However, if these secrets are later deleted, the operator cannot re-create them and the values cannot be recovered.

Table 1. Default passwords

Application password
  • Custom resource property: spec.config.security.password
  • Secret name: <ftm-instance>-ftm-store
  • Secret key: fxhpassword
  • Default password: a random string that is 15 characters long.

Keystore password
  • Custom resource property: spec.config.security.keyStorePassword
  • Secret name: <ftm-instance>-ftm-store
  • Secret key: keystore
  • Default password: a random string that is 15 characters long.

Truststore password
  • Custom resource property: spec.config.security.trustStorePassword
  • Secret name: <ftm-instance>-ftm-store
  • Secret key: truststore
  • Default password: a random string that is 15 characters long.

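The following example models the password flow that Table 1 describes: each of the three properties is either referenced from a secret you manage, written inline in the custom resource, or omitted and generated. It is an added example, not the FTM operator's code. It assumes the spec is a nested dict mirroring the YAML, that a reference uses a valueFrom.secretKeyRef structure (configmap references are not modelled), and that the generated default uses letters and digits (the page states only the length, not the alphabet). The constructed sample data and the inline_password_findings check are this example's own.

```python
"""Model of how the three FTM password properties in Table 1 are sourced (added example)."""
import secrets
import string

# Table 1 mapping: CR property path -> key inside the <ftm-instance>-ftm-store secret.
PASSWORD_PROPERTIES = {
    ("config", "security", "password"): "fxhpassword",
    ("config", "security", "keyStorePassword"): "keystore",
    ("config", "security", "trustStorePassword"): "truststore",
}
DEFAULT_LENGTH = 15  # documented length of the generated default
ALPHABET = string.ascii_letters + string.digits  # assumption: the exact alphabet is not documented


def get_path(tree, path):
    """Walk a nested dict along path; return None if any segment is missing."""
    for part in path:
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree


def generate_default_password():
    """Random string of the documented length, built with the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(DEFAULT_LENGTH))


def resolve_passwords(instance_name, cr_spec, secret_store):
    """Return {property: {"source", "secret", "key", "value"}} for the three passwords.

    source is "secretRef" (value lives in a secret you manage), "inline" (value written
    in the CR) or "generated" (operator default). For the last two, Table 1 says the
    value is copied into <instance>-ftm-store under the listed key; secret_store is
    updated the same way so the caller can see where the value ends up.
    """
    store_name = f"{instance_name}-ftm-store"
    result = {}
    for path, key in PASSWORD_PROPERTIES.items():
        prop = ".".join(path)
        value = get_path(cr_spec, path)
        if isinstance(value, dict) and "valueFrom" in value:
            ref = value["valueFrom"]["secretKeyRef"]
            secret = secret_store.get(ref["name"], {})
            if ref["key"] not in secret:
                raise KeyError(f"{prop}: secret {ref['name']} has no key {ref['key']}")
            result[prop] = {"source": "secretRef", "secret": ref["name"],
                            "key": ref["key"], "value": secret[ref["key"]]}
        elif value is None:
            pw = generate_default_password()
            secret_store.setdefault(store_name, {})[key] = pw
            result[prop] = {"source": "generated", "secret": store_name, "key": key, "value": pw}
        else:
            secret_store.setdefault(store_name, {})[key] = str(value)
            result[prop] = {"source": "inline", "secret": store_name, "key": key, "value": str(value)}
    return result


def inline_password_findings(resolved):
    """Properties whose value is readable in the CR itself and should move into a secret."""
    return sorted(p for p, r in resolved.items() if r["source"] == "inline")


# Constructed sample: one property referenced from a user-managed secret,
# one written inline, one omitted (so the operator would generate it).
SAMPLE_SECRETS = {"ftm-passwords": {"app": "Correct-Horse-17"}}
SAMPLE_SPEC = {
    "config": {"security": {
        "password": {"valueFrom": {"secretKeyRef": {"name": "ftm-passwords", "key": "app"}}},
        "keyStorePassword": "changeit",
    }},
}

if __name__ == "__main__":
    store = {k: dict(v) for k, v in SAMPLE_SECRETS.items()}
    out = resolve_passwords("myftm", SAMPLE_SPEC, store)
    for prop, r in out.items():
        print(f"{prop}: {r['source']} -> {r['secret']}/{r['key']}")
    print("inline passwords to move into a secret:", inline_password_findings(out))
```

Running it shows that the inline keystore password is copied into myftm-ftm-store under the key keystore, exactly where a generated one would go, which is why a deleted ftm-store secret cannot be rebuilt by the operator and why referencing your own secrets is the safer choice.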
The following sections show more parameters that are available for the FTM solutions.
Note: The section names are the names of the parameters in the YAML. Unless otherwise indicated, the parameters are configured in the spec structure in the YAML.

version

Table 2. Configuration parameters for the FTM solutions
Parameter name Description
version The version of FTM to deploy.

account

Table 3. Configuration parameters for account
Parameter name Description
account.imagePullPolicy The policy to use for pulling images. For more information, see the Kubernetes documentation.
account.imagePullSecrets The list of secrets to use for pulling images.
account.serviceAccountName The name of the service account to use for the FTM pods. If this parameter is not specified, the default service account is used.
account.supplementalGroups A list of groups applied to the first process run in each container, in addition to the container’s primary GID. If this parameter is not specified, no groups are added to any container.

config.database

If TLS is configured for Db2®, provide the location of the Db2 TLS certificate in the FTM custom resource during deployment. If TLS is not enabled for Db2, omit the certificate parameters in the custom resource. For more information about configuring TLS for Db2, see the IBM® Db2 documentation.

Table 4. Configuration parameters for the databases
Parameter name Description
authentication The authentication method to use for the database. The default value is SERVER_ENCRYPT.
autoConfig.enable This parameter must be set to false.
certificate The certificate authority for the database (ca.crt). This optional parameter can reference a secret or configmap that contains the certificate value.
certificate.valueFrom.secretKeyRef.name The name of the secret that contains the TLS certificate to use for Db2.
certificate.valueFrom.secretKeyRef.key The name of the key in the secret that contains the certificate file.
database The name of the database to use. For example, FTMDB.
enableTLS This parameter is used to enable communication to the database over TLS. The default value is true.
host The hostname or IP address of the database server.
password The password for the database. This optional parameter can reference a secret or configmap that contains the password value.
port The port number to use to connect to the database. The default value is 50000.
schema The schema name of the database to use. For example, FTM.
username The username to use for the database. The default value is db2inst1.

config.instance

Table 5. Configuration parameters for the instance
Parameter name Description
config.instance.solution The FTM solution to deploy. The operator deploys the appropriate pods.
The solutions are shown in the following list.
  • dp-mp
  • hvp-mp
  • cps-mp

config.mq

To enable TLS communication for IBM MQ incoming traffic, configure it in the FTM custom resource during deployment. You need to provide the TLS certificate for IBM MQ and the cipher specification. If you do not want to enable TLS for IBM MQ, omit its certificate parameter in the custom resource.

Table 6. Configuration parameters for IBM MQ
Parameter name Description
config.mq.adminPassword The password for the IBM MQ queue manager.
config.mq.adminUser The username to use for the IBM MQ queue manager. The default value is admin.
config.mq.availabilityType The type of availability to use. The values for this parameter are shown in the following list.
  • SingleInstance: A single pod is used. This value is the default.
  • NativeHA: Native high availability replication is used.
config.mq.certificate.ca The text of the certificate authority or a reference to a secret.
config.mq.certificate.certificate The text of the certificate or a reference to a secret.
config.mq.certificate.key The text of the key or a reference to a secret.
config.mq.certificate.secretName The name of the secret that contains the certificate, key, and certificate authority.
config.mq.certificateLabel The SSLCertificateLabel for the IBM MQ endpoint policy that is used by the IBM App Connect Enterprise integration servers. The default value is aceKeyStore.
config.mq.channel The queue manager channel that applications use to communicate with IBM MQ. The default value is QMLDAP.SVRCONN.
config.mq.cipherSpec The cipher specification for the IBM MQ queue manager. The default value is TLS_RSA_WITH_AES_128_CBC_SHA256.
config.mq.cipherSuite The cipher suite for the IBM MQ queue manager. The default value is SSL_RSA_WITH_AES_128_CBC_SHA256.
config.mq.enableConfigJob This parameter must be set to false.
config.mq.enableTLS This parameter is used to enable communication to IBM MQ over TLS. The default value is true.
config.mq.host The hostname or IP address of the IBM MQ server.
config.mq.logFilePages  
config.mq.password The password that the FTM applications use to connect to IBM MQ. This parameter can reference a secret or a configmap that has the password.
config.mq.port The TCP port number for the IBM MQ server.
config.mq.queueManagerName The name of the IBM MQ queue manager channel.
config.mq.restPort The TCP port number for the IBM MQ REST API. The default value is 9443.
config.mq.username The username that the FTM applications use to connect to IBM MQ.

config.security

Table 7. Configuration parameters for security
Parameter name Description
config.security.password The password for the FTM instance.
config.security.enableTLS This parameter is used to enable TLS for FTM applications. The default value is true.
config.security.keyStorePassword The password to use to access the keystore for FTM.
config.security.trustStorePassword The password to use to access the truststore for FTM.
config.security.mtls.label The label of the certificate to use for mTLS. Mutual TLS is enabled by specifying this parameter. Omit this parameter from the custom resource to disable mTLS.
config.security.certificate.ca The text of the certificate authority or a reference to a secret.
config.security.certificate.certificate The text of the certificate or a reference to a secret.
config.security.certificate.key The text of the key or a reference to a secret.
config.security.certificate.secretName The name of the secret that contains the certificate, key, and certificate authority.
config.security.additionalCertificates A list of certificates that can be mounted to the FTM pods. The certificates are specified as a list of SecretKeyRef parameters, each with the name of the secret and the key. Omit the additionalCertificates parameter if you do not have more certificates for the pods.
config.security.additionalApplicationPasswords You can specify other usernames and passwords that the FTM applications need to use. For example, credentials for a shared archive server.
config.security.networkPolicy.dnsPort The port number for the Red Hat® OpenShift® DNS service. The default is 5353.
config.security.networkPolicy.egress Egress rules that apply to all the deployed pods. You need to add rules to allow connections to an external database or to an instance of IBM MQ.
config.security.networkPolicy.ingress Ingress rules that apply only to pods in the yellow network zone.

config.security.mtls

IBM MQ must be enabled for TLS before you can enable mutual TLS (mTLS). To disable mTLS, omit the config.security.mtls.label parameter from the FTM custom resource when you are deploying FTM.

Table 8. Configuration parameters for mTLS
Parameter name Description
config.security.mtls.label The label of the certificate to use for mTLS. Mutual TLS is enabled by specifying this parameter. Omit this parameter from the custom resource to disable mTLS.
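The following example encodes the TLS dependencies stated in the config.database, config.mq and config.security.mtls sections as pre-deployment checks on a custom resource. It is an added example, not part of the FTM operator or its documentation. It assumes the spec is a nested dict mirroring the YAML; the check names, messages and the two constructed sample specs are this example's own. The constraints it checks are the ones on this page: autoConfig.enable and enableConfigJob must be false, a Db2 certificate is required when database TLS is enabled and must be omitted otherwise, an IBM MQ certificate is required when MQ TLS is enabled and must be omitted otherwise, and mTLS (config.security.mtls.label) requires IBM MQ TLS.

```python
"""Pre-deployment TLS/mTLS consistency checks for an FTM custom resource (added example)."""


def get_path(tree, path):
    """Walk a nested dict along path; return None if any segment is missing."""
    for part in path:
        if not isinstance(tree, dict) or part not in tree:
            return None
        tree = tree[part]
    return tree


def is_set(value):
    """A parameter counts as provided when it is present and non-empty."""
    return value not in (None, "", {}, [])


def check_tls_constraints(spec):
    """Return a list of human-readable findings; an empty list means the spec is consistent."""
    findings = []
    db = get_path(spec, ("config", "database")) or {}
    mq = get_path(spec, ("config", "mq")) or {}
    sec = get_path(spec, ("config", "security")) or {}

    # Flags the page says must be false.
    if get_path(db, ("autoConfig", "enable")) is not False:
        findings.append("config.database.autoConfig.enable must be set to false")
    if mq.get("enableConfigJob") is not False:
        findings.append("config.mq.enableConfigJob must be set to false")

    # Db2: certificate goes with TLS on, and only with TLS on. Documented default: true.
    db_tls = db.get("enableTLS", True)
    if db_tls and not is_set(db.get("certificate")):
        findings.append("config.database.enableTLS is true but no Db2 certificate is provided")
    if not db_tls and is_set(db.get("certificate")):
        findings.append("config.database.enableTLS is false; omit config.database.certificate")

    # IBM MQ: same pattern for the MQ certificate. Documented default: true.
    mq_tls = mq.get("enableTLS", True)
    if mq_tls and not is_set(mq.get("certificate")):
        findings.append("config.mq.enableTLS is true but no IBM MQ certificate is provided")
    if not mq_tls and is_set(mq.get("certificate")):
        findings.append("config.mq.enableTLS is false; omit config.mq.certificate")

    # mTLS is switched on by the presence of the label and needs MQ TLS underneath it.
    if is_set(get_path(sec, ("mtls", "label"))) and not mq_tls:
        findings.append("config.security.mtls.label is set but IBM MQ TLS is disabled; "
                        "enable config.mq.enableTLS first")
    return findings


# Constructed samples (secret names are placeholders, not values from the page).
GOOD_SPEC = {"config": {
    "database": {"enableTLS": True, "autoConfig": {"enable": False},
                 "certificate": {"valueFrom": {"secretKeyRef": {"name": "db2-ca", "key": "ca.crt"}}}},
    "mq": {"enableTLS": True, "enableConfigJob": False, "certificate": {"secretName": "mq-tls"}},
    "security": {"mtls": {"label": "ftmclient"}},
}}
BAD_SPEC = {"config": {
    "database": {"enableTLS": True},  # autoConfig.enable missing, no certificate
    "mq": {"enableTLS": False, "enableConfigJob": False, "certificate": {"secretName": "mq-tls"}},
    "security": {"mtls": {"label": "ftmclient"}},  # mTLS requested without MQ TLS
}}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(label, "->", check_tls_constraints(spec) or "no findings")
```

Run it against the spec you are about to apply (for example after loading the YAML into a dict) and treat any finding as a blocker; the mTLS check in particular catches the case where the label is added before IBM MQ TLS is turned on.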

config.security.oidc

Table 9. Configuration parameters for OIDC
Parameter name Description
config.security.oidc.oAuth2ClientID The client ID for the OAuth 2 client.
config.security.oidc.oAuth2Issuer The OAuth 2 issuer.
config.security.oidc.oAuth2DiscoveryEndpoint The discovery endpoint of OAuth 2.
config.security.oidc.oAuth2IntrospectionURL The URL for token introspection in OAuth 2.
config.security.oidc.oAuth2Scope The scope of the OAuth 2 request.
config.security.oidc.userNameAttribute The attribute in the token to use as the username.
config.security.oidc.jwkSetURI The URI for retrieving the JSON Web Key Set (JWKS) for verifying JWT signatures.
config.security.oidc.jwtIssuerURI The URI identifying the JWT issuer.
config.security.oidc.oAuth2ClientSecret The secret for OAuth 2 client.

config.ui

Table 10. Configuration parameters for the FTM user interface
Parameter name Description
config.ui.domain The external URL for the user interface.
config.ui.ewsService The URL for the EWS service.
config.ui.externalComponents The host and IIOP port numbers for all the components that are external to the user interface.

config.ui.externalComponents

Table 11. Configuration parameters for the FTM user interface external components
Parameter name Description
config.ui.externalComponents.approvalsEngine.host
config.ui.externalComponents.approvalsEngine.port
The host and IIOP port number for the Approvals engine.
config.ui.externalComponents.businessRulesEngine.host
config.ui.externalComponents.businessRulesEngine.port
The host and IIOP port number for the Business Rules engine.
config.ui.externalComponents.businessRulesManager.host
config.ui.externalComponents.businessRulesManager.port
The host and IIOP port number for Business Rules Manager.
config.ui.externalComponents.businessRulesServer.host
config.ui.externalComponents.businessRulesServer.port
The host and IIOP port number for Business Rules Server.
config.ui.externalComponents.distributionEngine.host
config.ui.externalComponents.distributionEngine.port
The host and IIOP port number for the Distribution engine.
config.ui.externalComponents.gatewayEngine.host
config.ui.externalComponents.gatewayEngine.port
The host and IIOP port number for the Gateway engine.
config.ui.externalComponents.nocEngine.host
config.ui.externalComponents.nocEngine.port
The host and IIOP port number for the NOC Management engine.
config.ui.externalComponents.riskEngine.host
config.ui.externalComponents.riskEngine.port
The host and IIOP port number for the Risk engine.
config.ui.externalComponents.rtpEngine.host
config.ui.externalComponents.rtpEngine.port
The host and IIOP port number for the Real Time Payments engine.
config.ui.externalComponents.servicesEngine.host
config.ui.externalComponents.servicesEngine.port
The host and IIOP port number for the Services Framework engine.
config.ui.externalComponents.settlementEngine.host
config.ui.externalComponents.settlementEngine.port
The host and IIOP port number for the Settlement engine.
config.ui.externalComponents.vettingEngine.host
config.ui.externalComponents.vettingEngine.port
The host and IIOP port number for the Vetting engine.

init

For more information about these parameters, see the Kubernetes documentation.

Table 12. Configuration parameters for init containers
Parameter name Description
init.default.initContainers A list of the init containers to be added to every FTM pod. If you do not want to use these init containers for every pod, you can configure which pods to exclude.
init.default.exclude A list of the FTM pods that you don't want to add the default init containers to.
init.workloads.initContainers A list of init containers to be added to specific FTM pods only.
init.workloads.name The names of the FTM pods to add this list of workload init containers to.

license

Table 13. Configuration parameters for the license
Parameter name Description
license.accept Accept the license for FTM. The allowed values are true or false.
license.use Specify how this deployment of FTM is to be used. The allowed values are shown in the following list.
  • Production: This value indicates that the deployment is a production environment.
  • NonProduction: This value indicates that the deployment is a nonproduction environment.
  • Developer: This value indicates that the deployment is a development environment.
license.value or license.valueFrom Provide the license key in Base64 encoding. These parameters are optional.

resources

You can specify one or more resources in the FTM custom resource. For more information about these parameters, see the Kubernetes documentation.

Table 14. Configuration parameters for resource allocation
Parameter name Description
resources[].name The name of the resource.
resources[].containers The container configuration to use for this resource.
resources[].containers.[<name of the container>].securityContext The security context to set for a specific container. Replace the <name of the container> placeholder with the real name of the container whose security context you want to configure. For more information on the fields that are supported for a container security context, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container.
resources[].containers.[<name of the container>].volumeMounts The list of volume mounts to add for a specific container. Replace the <name of the container> placeholder with the real name of the container whose volume mounts you want to configure. For more information about how to specify volume mounts for supported volumes, see https://kubernetes.io/docs/concepts/storage/volumes/.
resources[].replica The number of replicas for the resource.
resources[].maxReplicas The maximum number of replicas that can be created for this resource. The default is 1.
resources[].securityContext The security context that needs to be set for the resource. For more information on the fields that are supported for a pod security context, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
resources[].scheduling.affinity The scheduling affinity for the resource.
resources[].scheduling.tolerations The tolerations for the resource.
resources[].scheduling.topologySpreadConstraint The topology spread constraints for the resource.
resources[].volumes[] A list of volumes to attach to the resource. For more information about the volumes that are supported, see https://kubernetes.io/docs/concepts/storage/volumes/.
The following example shows you how to set a custom security context so that the FTM pods run with a particular user ID and group ID.
spec:
  resources:
  - name: default
    securityContext:
      runAsUser: 1000
      runAsGroup: 5000
      supplementalGroups: [0]

The FTM pods need to be configured with a supplemental group ID of 0 to access files in the containers owned by that group.

By default, the pods in Red Hat OpenShift run with a restricted Security Context Constraint (SCC) and cannot run with a custom user ID or group ID. If you set a custom user ID and group ID for the FTM pods, the FTM instance needs to run with a service account. This service account needs to have access to an SCC with the needed privileges. You can configure this service account by using the service account name parameter in the custom resource. For more information about the account configuration parameters, see Table 3.

The following example shows you how to enable custom volume mounts and environment variables for all FTM containers. It adds a configmap as a volume to the /etc/config-custom folder in all the containers. Also, the environment variables that are defined for the container named default in the resource named default are applied to all FTM containers.
spec:
  resources:
  - containers:
      default:
        env:
          - name: MYENVVAR
            value: myvalue
        volumeMounts:
        - name: config-vol
          mountPath: /etc/config-custom
    name: default
    volumes:
    - name: config-vol
      configMap:
        name: custom-config

The following example shows you how to enable custom volume mounts for a specific container. It adds a configmap as a volume to the /etc/config-custom folder in a user interface container.
spec:
  resources:
  - containers:
      ftm-ui-js:
        volumeMounts:
        - name: config-vol
          mountPath: /etc/config-custom
    name: ftm-ui
    volumes:
    - name: config-vol
      configMap:
        name: custom-config

scheduling

For more information about these parameters, see the Kubernetes documentation.

Table 15. Configuration parameters for the scheduling constraints for the FTM pods
Parameter name Description
scheduling.affinity The scheduling affinity for the pods.
scheduling.tolerations The tolerations for the pods.
scheduling.topologySpreadConstraint The topology spread constraints for the pods.

storage

Table 16. Configuration parameters for storage
Parameter name Description
storage.claimName Specify the name of the PersistentVolumeClaim to use for this storage. If you specify this parameter, do not specify the storage.spec parameter. This parameter is optional.
storage.default.spec.accessModes Specify a list of the access modes that the storage needs to have. The list must contain the ReadWriteMany value.
storage.default.spec.resources.requests.storage The minimum amount of storage that the volume needs to have.
storage.default.spec.storageClassName The name of the storage class to use for the persistent volumes.
storage.spec Specify the PersistentVolumeClaimSpec template for the storage. If you specify this parameter, the storage.claimName parameter is not used. This parameter is optional. For more information, see the Kubernetes documentation.
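The following example turns the rules from the resources section (a custom user or group ID needs supplemental group 0 and a service account, and every volumeMount must name a declared volume, as in the three YAML examples above) and the storage section (claimName and spec are alternatives, and accessModes must include ReadWriteMany) into checks that can be run over a custom resource before it is applied. It is an added example, not part of the FTM operator or its documentation. It assumes the spec is a nested dict mirroring the YAML and that the SCC binding for the service account is verified separately; the sample specs, the resource names beyond default and ftm-ui, and the message texts are this example's own.

```python
"""Checks for the resources and storage sections of an FTM custom resource (added example)."""


def check_resources(spec):
    """Findings for securityContext, service account and volumeMount consistency."""
    findings = []
    sa_name = spec.get("account", {}).get("serviceAccountName")
    for res in spec.get("resources", []):
        rname = res.get("name", "<unnamed>")
        sc = res.get("securityContext") or {}
        # Custom UID/GID: the page requires supplemental group 0 and a service account
        # that has access to an SCC with the needed privileges.
        if "runAsUser" in sc or "runAsGroup" in sc:
            if 0 not in (sc.get("supplementalGroups") or []):
                findings.append(f"resources[{rname}].securityContext: supplementalGroups must include 0")
            if not sa_name:
                findings.append(f"resources[{rname}]: custom user/group ID set but "
                                "account.serviceAccountName is empty")
        # Every volumeMount on a container must refer to a volume declared on this resource.
        declared = {v.get("name") for v in res.get("volumes", [])}
        for cname, cfg in (res.get("containers") or {}).items():
            for mount in cfg.get("volumeMounts", []):
                if mount.get("name") not in declared:
                    findings.append(f"resources[{rname}].containers.{cname}: volumeMount "
                                    f"{mount.get('name')!r} has no matching volume")
    return findings


def check_storage(spec):
    """Findings for the storage section."""
    findings = []
    storage = spec.get("storage", {})
    if storage.get("claimName") and storage.get("spec"):
        findings.append("storage.claimName and storage.spec are both set; use only one")
    modes = storage.get("default", {}).get("spec", {}).get("accessModes")
    if modes is not None and "ReadWriteMany" not in modes:
        findings.append("storage.default.spec.accessModes must contain ReadWriteMany")
    return findings


def check_spec(spec):
    return check_resources(spec) + check_storage(spec)


# Constructed sample with three problems: no service account for the custom UID/GID,
# a volumeMount on ftm-ui-js with no volumes declared on the ftm-ui resource,
# and an accessModes list without ReadWriteMany.
SAMPLE_SPEC = {
    "account": {},
    "resources": [
        {"name": "default",
         "securityContext": {"runAsUser": 1000, "runAsGroup": 5000, "supplementalGroups": [0]},
         "containers": {"default": {"volumeMounts": [{"name": "config-vol", "mountPath": "/etc/config-custom"}]}},
         "volumes": [{"name": "config-vol", "configMap": {"name": "custom-config"}}]},
        {"name": "ftm-ui",
         "containers": {"ftm-ui-js": {"volumeMounts": [{"name": "config-vol", "mountPath": "/etc/config-custom"}]}}},
    ],
    "storage": {"claimName": "ftm-pvc", "default": {"spec": {"accessModes": ["ReadWriteOnce"]}}},
}

# The same sample with each problem corrected (service account name is a placeholder).
FIXED_SPEC = {
    "account": {"serviceAccountName": "ftm-sa"},
    "resources": [
        SAMPLE_SPEC["resources"][0],
        {"name": "ftm-ui",
         "containers": {"ftm-ui-js": {"volumeMounts": [{"name": "config-vol", "mountPath": "/etc/config-custom"}]}},
         "volumes": [{"name": "config-vol", "configMap": {"name": "custom-config"}}]},
    ],
    "storage": {"claimName": "ftm-pvc", "default": {"spec": {"accessModes": ["ReadWriteMany"]}}},
}

if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_SPEC), ("fixed", FIXED_SPEC)):
        print(label, "->", check_spec(spec) or "no findings")
```

The volumeMount check is the one most often tripped by copy-and-paste between resources: the second YAML example above declares config-vol on the ftm-ui resource itself, and the check fails when that declaration is left out.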