This section describes how to install the components required to host and manage deployed Business Services in the runtime environment:
- BAMOE Management Console
-
for monitoring and administration,
- BAMOE MCP Server
-
to enable AI agents to connect to Business Services.
The Runtime environment Helm chart
The recommended way of installing BAMOE Management Console and BAMOE MCP Server is to install the pre-configured Helm charts for the BAMOE offering that you have purchases licenses for, IBM Decision Manager Open Edition or IBM Process Automation Manager Open Edition:
-
pamoe-9.5.0-runtime-environment-helm-chart
-
dmoe-9.5.0-runtime-environment-helm-chart
These Helm charts include the necessary licensing annotations and do not require any manual configuration, as was the case in previous releases. Required annotations are injected into all deployed containers, ensuring accurate license tracking from deployment, and simplifying the installation process. The charts are pre-configured with the correct product IDs, product names, and metrics for each BAMOE offering.
The charts integrate Management Console configuration via Helm parameters, enabling centralized configuration in a single values.yaml, version-controlled settings, and automatic conversion to environment variables during deployment, eliminating manual configuration, see Configuration reference for Runtime Helm Charts
Each Dev Helm chart contains two sub-charts:
-
management_console: BAMOE Management Console application for monitoring and managing process instances, available via quay.io/bamoe/management-console@9.5.0-ibm-0005
-
mcp_server: BAMOE MCP Server contains the Model Context Protocol server enabling AI agents to invoke Business Services, available via quay.io/bamoe/mcp-server:9.5.0-ibm-0005
The only difference between the PAMOE and DMOE Dev environment Helm chart is the License Service annotations which contain different productID and productName. All sub-charts receive License Service annotations automatically through the global configuration of the parent chart. The annotations are applied to every pod deployment,
ensuring complete license tracking coverage for all BAMOE containers.
The BAMOE Runtime Helm charts are architecture-agnostic and work for both:
-
Linux/s390x architecture which runs on the IBM Z platform
-
Linux/x86_64 architecture
All BAMOE container images are available as multi-architecture images on Quay.io, and the host machine architecture is automatically resolved when you pull the container images. You can use the following command to specify a platform if required:
`docker pull --platform linux/s390x quay.io/bamoe/management-console:{IMAGE_VERSION}`
If you prefer to install the Runtime environment components individually using OpenShift CLI and Docker this can be done using the same container images.
For more information on the product distribution see What’s New → Download Documentation.
Installing the Runtime Environment Helm chart (recommended)
The Helm chart provides a simple way to deploy BAMOE Management Console and BAMOE MCP Server in Kubernetes, OpenShift, and Minikube with pre-configured licensing depending on your licensed product (see License Guide). For more information on using the Helm tool, see Helm Docs.
Choose the required helm chart based on your licensed product:
-
pamoe-9.5.0-runtime-environment-helm-chart
-
dmoe-9.5.0-runtime-environment-helm-chart
OpenShift Install
To install on OpenShift, first get the default OpenShift domain for your routes using the following command:
oc get ingresses.config cluster --output jsonpath={.spec.domain}
You can then install the Helm chart with the following commands:
helm pull oci://quay.io/bamoe/dmoe-runtime-environment-helm-chart --version=9.5.0-ibm-0005 --untar
helm install my-bamoe-runtime-environment ./dmoe-runtime-environment-helm-chart --values ./dmoe-runtime-environment-helm-chart/values-openshift.yaml --set global.openshiftRouteDomain="<YOUR_OCP_ROUTE_DOMAIN>"
Replace dmoe-runtime-environment-helm-chart with pamoe-runtime-environment-helm-chart when using IBM Process Automation Manager Open Edition, and replace <YOUR_OCP_ROUTE_DOMAIN>` with your OpenShift Route domain.
You can customize the installation name by replacing my-bamoe-runtime-environment with your preferred name.
Generic Kubernetes install
To install BAMOE Management Console directly on a Kubernetes cluster, you will need to get the default Kubernetes cluster domain for your Ingress (see Kubernetes Documentation for more information). This can vary depending on your cluster configuration.
Once you have the domain information, you can run the following helm commands:
helm pull oci://quay.io/bamoe/dmoe-runtime-environment-helm-chart --version=9.5.0-ibm-0005 --untar
helm install my-bamoe-runtime-environment ./dmoe-runtime-environment-helm-chart --values ./dmoe-runtime-environment-helm-chart/values-kubernetes.yaml --set global.kubernetesClusterDomain="<YOUR_KUBERNETES_CLUSTER_DOMAIN>" --set global.kubernetesIngressClass="<YOUR_KUBERNETES_INGRESS_CLASS>"
Where you replace dmoe-runtime-environment-helm-chart with pamoe-runtime-environment-helm-chart if you are working with IBM Process Automation Manager Open Edition, <YOUR_KUBERNETES_CLUSTER_DOMAIN> with the domain of your cluster and <YOUR_KUBERNETES_INGRESS_CLASS> with the ingress class of your cluster.
You can customize the installation name by replacing my-bamoe-runtime-environment with your preferred name.
Minikube install
To install BAMOE Management Console Helm chart on a Minikube cluster, you will need:
Once you have the domain information, you can run the following helm commands to do a Minikube specific install:
helm pull oci://quay.io/bamoe/dmoe-runtime-environment-helm-chart --version=9.5.0-ibm-0005 --untar
helm install my-bamoe-runtime-environment ./dmoe-runtime-environment-helm-chart --values ./dmoe-runtime-environment-helm-chart/values-minikube-nginx.yaml
Where dmoe-runtime-environment-helm-chart is replaced by pamoe-runtime-environment-helm-chart if you are working with IBM Process Automation Manager Open Edition.
Uninstalling the chart
To uninstall the bamoe-management-console deployment:
helm uninstall bamoe-management-console
MCP Server
The BAMOE MCP Server is deployed and configured by default during the Runtime environment installation.
You can disable the installation of the MCP Server in the Helm chart deployment using this command:
helm install my-bamoe-runtime-environment ./dmoe-runtime-environment-helm-chart --set mcp.server.enabled=false
To run the BAMOE MCP Server, complete the setup and launch the server image in a Docker environment using the following command:
docker run -it --rm \
-p 8084:8080 \
--name mcp-server \
-e MCP_SERVER_OPENAPI_URLS=<your_business_services_OpenAPIv3_path> \
quay.io/bamoe/mcp-server:9.5.0-ibm-0005
Passing Environment variables
This chart uses default environmental variables from values.yaml file. You can override the variables by passing them through the command line. See Runtime Helm Chart configuration reference for all options.
helm install my-bamoe-runtime-environment ./dmoe-runtime-environment-helm-chart --set management_console.image.registry=quay.io
Where dmoe-runtime-environment-helm-chart is replaced by pamoe-runtime-environment-helm-chart if you are working with IBM Process Automation Manager Open Edition.
Deploy directly on OpenShift (using oc CLI)
If you have an OpenShift cluster and are authenticated through the oc CLI tool, follow these steps to deploy the BAMOE Management Console. Note that you will need to add licensing annotations manually if you follow this procedure rather than using the Dev Helm chart.
|
Note
|
Labeling the resources is optional, but it will make organizing and identifying your deployed resources significantly easier. |
-
Create the Deployment
oc new-app quay.io/bamoe/management-console:9.5.0-ibm-0005 --name=bamoe-management-console-app -
Expose the Service
This will create an OpenShift *Route* so the {MANAGEMENT_CONSOLE} can be accessed externally.oc create route edge --service=bamoe-management-console-app -
Optionally add labels to easily identify the resources.
oc label services/bamoe-management-console-app app.kubernetes.io/part-of=bamoe-management-console-app oc label routes/bamoe-management-console-app app.kubernetes.io/part-of=bamoe-management-console-app oc label deployments/bamoe-management-console-app app.kubernetes.io/part-of=bamoe-management-console-app oc label deployments/bamoe-management-console-app app.openshift.io/runtime=js -
Configure Environment Variables
You can configure the {MANAGEMENT_CONSOLE} by using the environment variables in the Deployment:oc set env deployment/bamoe-management-console-app <ENV_VAR>="<VALUE>"NoteFor a list of environment variables, check the Available Environment Variables section.
Running locally with Docker
Note that you will need to add licensing annotations manually if you follow this procedure rather than using the Dev Helm chart.
Start the container with:
docker run -p <EXTERNAL_PORT>:8080 quay.io/bamoe/management-console:9.5.0-ibm-0005
If necessary, pass the environment variables with the -e flag:
docker run -p <EXTERNAL_PORT>:8080 -e <ENV_VAR>="<VALUE>" quay.io/bamoe/management-console:9.5.0-ibm-0005
The BAMOE Management Console will be running at http://localhost:<EXTERNAL_PORT>;
Configuring Runtime containers with Passthrough Transport Layer Security (TLS)
BAMOE container images can now optionally serve traffic directly over HTTPS using a TLS certificate and a key provided by the customer. This enables end-to-end encryption between the user browser and the container on OpenShift, through a passthrough Route. By default TLS not active and your existing deployment behavior is maintained.
In the Runtime environment the following containers support this:
| Container | Certificate environment variable | Key environment variable |
|---|---|---|
Management Console |
|
|
MCP Server |
|
|
When both variables are set, the container serves HTTPS on port 8443 (Management Console, MCP Server). When the variables are unset, the container behaves exactly as before, serving HTTP only.
The matching Helm subcharts for each container expose a new tls block that wires this up automatically:
tls:
enabled: false # set to true to turn on in-container TLS
secretName: "" # name of an existing kubernetes.io/tls Secret (required when enabled)
mountPath: /etc/tls
certPath: /etc/tls/tls.crt
keyPath: /etc/tls/tls.key
httpsPort: 8443
When tls.enabled=true, the chart mounts the TLS Secret into the container, sets the TLS environment variables, exposes the HTTPS port on the Service, and the OpenShift Route is configured for Passthrough termination using openshiftRoute.tls.termination=passthrough.
When installing through the Helm chart the procedure is:
-
Create a Kubernetes TLS Secret in the target namespace:
oc create secret tls bamoe-tls \ --cert=path/to/tls.crt \ --key=path/to/tls.key -
In the Helm values file for the BAMOE component, enable TLS and reference the Secret:
tls: enabled: true secretName: bamoe-tls openshiftRoute: enabled: true tls: termination: passthrough insecureEdgeTerminationPolicy: Redirect -
Run
helm install(orhelm upgrade) as usual.
The Secret must be of type kubernetes.io/tls and contain both tls.crt and tls.key keys. If tls.enabled=true is set without a secretName, the chart aborts with a clear error message before reaching the cluster.
Available Environment Variables
| Name | Description | Default |
|---|---|---|
|
Management Console app name. |
BAMOE Management Console |
|
OpenID Connect client ID for connecting to Identity Providers. |
bamoe-management-console |
|
OpenID Connect default scopes. |
openid email profile |
|
OpenID Connect default audience. |
Empty |
|
List of Business Services automatically connected to the BAMOE Management Console. |
Empty |
|
Base path used for all routes. |
Empty |
|
Set to |
Empty |
Configuration reference for Runtime Helm Charts
The following table lists the configurable parameters of the BAMOE Runtime Environment chart and their default values.
Global Configuration
Key |
Type |
Default |
Description |
global.ingressSource |
string |
"" |
Which ingress source is being used (none/"minikube"/"kubernetes"/"openshift") For NOTES generation only |
global.kubernetesClusterDomain |
string |
"" |
If using Minikube or Kubernetes, set the cluster domain |
global.kubernetesIngressClass |
string |
"" |
If using Minikube or Kubernetes, set the Ingress class (i.e: nginx) |
global.openshiftRouteDomain |
string |
"" |
If using OpenShift Routes, set the Route domain |
global.chargedProductValues.productID |
string |
"46b14c7f2f894218a7879b3f6416024f" (DMOE) / "72984f114b54496a8a44be139154a988" (PAMOE) |
Product ID for License tracking |
global.chargedProductValues.productMetric |
string |
"VIRTUAL_PROCESSOR _CORE" |
Product metric for License tracking |
global.chargedProductValues.productName |
string |
"IBM Decision Manager Open Edition" (DMOE) / "IBM Process Automation Manager Open Edition" (PAMOE) |
Product name for License tracking |
nameOverride |
string |
"" |
Overrides chart name |
fullnameOverride |
string |
"" |
Overrides chart full name |
Management Console Configuration
| Key | Type | Default | Description |
|---|---|---|---|
management_console.enabled |
bool |
TRUE |
Enable or disable Management Console installation |
management_console.name |
string |
"management-console" |
Component name |
management_console.appNameOverride |
string |
"" |
Overrides the deployed application name |
MCP Server Configuration
| Key | Type | Default | Description |
|---|---|---|---|
mcp_server.enabled |
bool |
TRUE |
Enable or disable MCP Server installation |
mcp_server.name |
string |
"mcp-server" |
The MCP Server application name |
mcp_server.env |
object |
{} |
Env variables for BAMOE MCP Server deployment |
BAMOE Management Console pre-configured Business Services connections
The BAMOE Management Console supports a pre-defined list of Business Services that will be automatically connected when opening the application in the browser for the first time.
This is achieved by configuring the RUNTIME_TOOLS_MANAGEMENT_CONSOLE_MANAGED_BUSINESS_SERVICES environment variable (or the management-console.managedBusinessServices value in the Helm chart) with a list of the specifications for the desired Business Services in the following format:
{
"name": "string",
"businessServiceUrl": "string",
"clientId": "string", // Optional
"scope": "string", // Optional
"audience": "string" // Optional
}
Where:
-
name: is the alias given to the Business Service in the BAMOE Management Console; [required]
-
businessServiceUrl: the URL of the Business Service, where the API is served from; [required]
-
clientId: is the Client ID used during OIDC authentication. Needs to be set only if the Identity Provider used by the Business Service needs an OIDC Client ID different from the one defined by the
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_IDenvironment variable; [optional] -
scope: space-separated list of the scopes used during OIDC authentication. Needs to be set only if the Identity Provider used by the Business Service needs a list of scopes different from the one defined by the
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPESenvironment variable; [optional] -
audience: is the Audience parameter used during OIDC authentication. Needs to be set only if the Identity Provider used by the Business Service requires a value different from the one defined by the
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_AUDIENCEenvironment variable. [optional]
Example:
[
{
"name": "My Business Service 1",
"businessServiceUrl": "http://my-business-service-1.url",
},
{
"name": "My Business Service 2",
"businessServiceUrl": "http://my-business-service-2.url",
"clientId": "custom-client-id",
"scope": "custom scopes for openid",
"audience": "business-service-audience"
},
...
]
Serving the BAMOE Management Console from a custom subpath
By default, the BAMOE Management Console is served from the root path (/) on its web server, either when running directly from the container image or deployed to a Kubernetes/OpenShift cluster. This means that the web application is served through an URL that looks like https://my.domain.com/.
In some cases, you may want to serve the application from a subpath for example, /bamoe-management-console, with the final URL looking like https://my.domain.com/bamoe-management-console.
To achieve this, the BAMOE Management Console container image accepts two environment variables that are used to configure the subpath:
-
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH: The target subpath where the web application will be served from (for example,
/bamoe-management-console). Empty by default, which means that the web application is served from the root (/) path. Obs.: The subpath should not include the leading/. -
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_USE_APACHE_HTTPD_BASE_PATH_ALIAS: Whether or not the Apache HTTP Server should define an
Aliasin the/etc/httpd/conf/httpd.confinside the container image during runtime. The alias will look like:Alias /$RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH /var/www/html.
There are two different scenarios for running the BAMOE Management Console: behind a reverse proxy (be it an Ingress in a Kubernetes cluster, a Route in an OpenShift cluster, or an Nginx instance in a Docker Compose, for example) or served directly from the container image (by running it via Docker locally, for example).
Behind a reverse proxy (Kubernetes / OpenShift / Nginx)
In this scenario, only the RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH environment variable needs to be set, while RUNTIME_TOOLS_MANAGEMENT_CONSOLE_USE_APACHE_HTTPD_BASE_PATH_ALIAS should remain empty or set to "false".
If you are installing by using the Helm chart, this can be set by using the management-console.applicationSubpath value and appending --set management-console.applicationSubpath=your-subpath to the helm install command.
But if installed by using the oc CLI, the Deployment resource can be updated with oc set env deployment/bamoe-management-console-app RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH=your-subpath.
Container image running locally using Docker
In this case, if running on a different port is not an option, both environment variables need to be set. RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH with the subpath value and RUNTIME_TOOLS_MANAGEMENT_CONSOLE_USE_APACHE_HTTPD_BASE_PATH_ALIAS with "true".
Example:
docker run -d -p 8080:8080 -e RUNTIME_TOOLS_MANAGEMENT_CONSOLE_BASE_PATH=bamoe-management-console -e RUNTIME_TOOLS_MANAGEMENT_CONSOLE_USE_APACHE_HTTPD_BASE_PATH_ALIAS=true quay.io/bamoe/management-console:9.5.0-ibm-0005