Sample values.yaml file
You can create and customize your own values.yaml file by referring to this default values.yaml when installing PEM Standard using the Certified Container.
image:
name: "cp.icr.io/cp/ibm-pem/pem"  # Image repository and name; keep the value in double quotes
tag: "6.2.4"  # Image tag; quoted so the version is read as a string rather than a number
pullPolicy:  # Image pull policy; empty here (parsed as null)
pullSecret: ""  # Name of the image pull secret; an empty string is given here
arch: amd64  # Target architecture (amd64, s390x)
## Set the value to true in order to accept the application license:
## https://www14.software.ibm.com/cgi-bin/weblap/lap.pl?li_formnum=L-AZZP-8HTUVZ
license: false  # Set true to accept the license agreement
envType: "prod"  # Environment type for the product: "prod" for production, "nonprod" for non-production. The default value is "prod".
global:
networkPolicies:
ingress:
enabled: false  # Set true to configure ingress network policies; false here, so this sample configures none
egress:
enabled: true  # Set true to configure egress network policies
customPolicies:  # For communication with external applications, configure a custom egress network policy by uncommenting the section below and setting the required toSelectors. Keep ipBlock ranges and port lists as narrow as the integration needs.
#  - name:
#    toSelectors:
#      - namespaceSelector:
#          matchLabels:
#            name: my-source-namespace
#        podSelector:
#          matchLabels:
#            app.kubernetes.io/name: my-consumer-pod
#      - podSelector:
#          matchLabels:
#            role: frontend
#      - ipBlock:
#          cidr: <IP Address>/<block size>
#          except:
#            - <IP Address>/<block size>
#    ports:
#      - protocol: TCP
#        port: <port no>
#        endPort: <end port no>
serviceAccountName: ibm-pem-sa  # Service account name that has the required permissions
timezone:
configmapname:  # Name of the timezone configmap
volumeClaims:
resources:
enabled: true  # If enabled, a persistent volume is used for resources
capacity: 100Mi  # Capacity of the resources persistent volume
storageclass: slow  # Storage class of the resources persistent volume
subpath:
dbdrivers: dbdrivers  # Directory for DB drivers inside the resources persistent volume (with required permissions)
wmq: wmq  # Directory for WMQ jars inside the resources persistent volume (with required permissions)
sso: sso  # Directory for SSO jars inside the resources persistent volume (with required permissions)
ssomigrator: ssomigrator  # Directory for SSO migrator data files inside the resources persistent volume (with required permissions)
pcm: pcm  # Directory for PCM jars inside the resources persistent volume (with required permissions)
logs:
enabled: true  # Set true or false based on requirement
subpath:
migrator: migrator  # Directory for migrator logs inside the logs persistent volume (with required permissions)
dbutils: dbutil  # Directory for dbutils logs inside the logs persistent volume (with required permissions)
pem: pem  # Directory for PEM logs inside the logs persistent volume (with required permissions)
pp: pp  # Directory for PP logs inside the logs persistent volume (with required permissions)
pr: pr  # Directory for PR logs inside the logs persistent volume (with required permissions)
apigateway: apigateway  # Directory for API gateway logs inside the logs persistent volume (with required permissions)
ssoMigrator: ssomigration  # Directory for SSO migrator logs inside the logs persistent volume (with required permissions)
purge: purge  # Directory for purge logs inside the logs persistent volume (with required permissions)
agent: agent  # Directory for agent logs inside the logs persistent volume (with required permissions)
pcmProd: PCM_prod  # Directory for PCM (prod) logs inside the logs persistent volume (with required permissions)
pcmNonProd: PCM_nonProd  # Directory for PCM (non-prod) logs inside the logs persistent volume (with required permissions)
capacity: 1Gi  # Capacity of the logs persistent volume
storageclass:  # Storage class of the logs persistent volume; empty here
accessModes:
- ReadWriteMany  # Access mode for the persistent volume
test:
image:
repository: 'cp.icr.io/cp'  # Repository of the test image
name: 'opencontent-common-utils'  # Name of the test image
tag: '1.1.67'  # Tag of the test image
pullPolicy: 'IfNotPresent'  # Image pull policy
pullSecret: "ibm-entitlement-key"  # Image pull secret name
dbsetup:
enabled: false  # Set true for a first installation
upgrade: true  # Set true for an upgrade
resources:
requests:
memory: "2Gi"  # Memory request
cpu: "250m"  # CPU request
ephemeral-storage: "2Gi"  # Ephemeral-storage request
limits:
memory: "4Gi"  # Maximum memory a pod can use
cpu: "500m"  # Maximum CPU a pod can use
ephemeral-storage: "3Gi"  # Maximum ephemeral-storage a pod can use
setupfile:
passphrasesecret:  # Name of the secret holding the passphrase; do not put the passphrase value here
migrator:
default_sponsor: true  # Set true to onboard the default sponsor
## For more information about configuring the properties of the certified
## container, refer to
## https://www.ibm.com/docs/en/spems/6.2.4?topic=prerequisites-configuring-certified-container
## LICENSE
## Setting this value to true means you accept the licenses and lets the
## container start. Valid values are true and false.
accept_license: true  # Valid values are true or false
## SUBSCRIPTION MONITOR
## Specify the host and port details of the proxy server that lets the
## container connect to the subscription monitor.
#proxy_host:  # Host name or IP of your network's forward proxy.
#proxy_port:  # Port of your network's forward proxy.
#proxy_user_name:  # User name for your network's forward proxy. If the proxy does not require authentication, leave the field blank.
#proxy_password:  # Name of the secret holding the proxy password; do not put the password value here
#proxy_protocol:
customer_id:  # Customer ID. It must match the Bluemix ID you registered to download the IBM PEM image.
## DATABASE AND SSL PROPERTIES THAT ARE COMMON TO ALL THE APPLICATIONS
db_type:  # Database type in use: DB2, Oracle or mssql.
## Enable or disable the SSL connection for the master and testmode database
## schemas. Valid values are true and false; the default is false, so the
## database connection is not TLS-protected unless this is set to true.
ssl_connection:  # Set true if you are using an SSL connection between the application servers and the database. Empty here, so the default (false) applies.
# Database details for the master schema.
# These properties enable the following pods to start: IBM PEM, Partner Repository, Partner Provisioner, Purge, Migrator, and DBUtils.
db_port:  # Database port
db_host:  # Database host
db_name:  # Database name
db_schema:  # Schema name
db_user:  # DB user name
db_password:  # Name of the secret holding the DB password; do not put the password value here
db_driver:  # JDBC driver class matching the selected db_type. For Oracle: oracle.jdbc.OracleDriver. For DB2: com.ibm.db2.jcc.DB2Driver. For mssql: com.microsoft.sqlserver.jdbc.SQLServerDriver.
## DB CONNECTION MANAGER DETAILS. COMMON FOR IBM PEM, PARTNER REPOSITORY &
## PARTNER PROVISIONER
## If you do not specify the size, a default value of 500 is set.
db_max_pool_size: 500  # Maximum pool size of the master schema's database connection.
## Minimum pool size of the master schema's database connection.
## If you do not specify the size, a default value of 5 is set.
db_min_pool_size: 5
## If you do not specify the time, a default value of 1440m is set. Here, m refers to minutes.
db_aged_timeout: 1440m  # Maximum time after which a physical connection is discarded by pool maintenance of the master schema's database connection.
## If you do not specify the idle time, a default value of 1440m is
## set. Here, m refers to minutes.
db_max_idle_time: 1440m  # Maximum idle time for the master schema's database connection
db_sslProtocol:  # DB2 or MSSQL TLS version. If you do not specify the protocol, a default value of TLSv1.2 is set.
## Keystore/truststore file name containing the public certificate and
## password of the master schema's database. The keystore/truststore
## (.jks file) has to be copied into the <mount location>/resources/security folder.
db_sslTrustStoreName:  # Truststore name
db_sslTrustStoresecret:  # Name of the secret holding the truststore
db_sslTrustStorePassword:  # Name of the secret holding the truststore password
db_mssql_hostNameInCertificate:  # Host name used when validating the SQL Server TLS/SSL certificate. Not mandatory when db_host already holds a host name rather than an IP address.
db_mssql_sslProtocol:  # DEPRECATED. MSSQL TLS version; for the mssql dbType it is used only when db_sslProtocol is empty.
db_mssql_encrypt:  # Encryption type matching the encryption policy configured on the MSSQL server. Allowed values: strict, true, false
## Database details for the test mode schema. These properties enable the
## following containers to start: IBM PEM, Partner Provisioner, Migrator,
## Master key regenerator, and DBUtils.
testmode_db_port:  # Database port
testmode_db_host:  # Database host
testmode_db_name:  # Database name
testmode_db_schema:  # Database schema
testmode_db_user:  # Database user name
testmode_db_password:  # Name of the secret holding the password; do not put the password value here
testmode_db_driver:  # Database driver name (same class names as db_driver, per database type)
## TESTMODE DB CONNECTION MANAGER DETAILS. COMMON FOR IBM PEM, PARTNER
## REPOSITORY & PARTNER PROVISIONER
## Maximum pool size of the test mode schema's database
## connection. If you do not specify the size, a default value of 500 is set.
testmode_db_max_pool_size: 500  # Maximum number of database pool connections.
## Minimum pool size of the test mode schema's database
## connection. If you do not specify the size, a default value of 5 is set.
testmode_db_min_pool_size: 5  # Minimum number of database pool connections.
## Maximum time after which the physical connection is discarded
## by pool maintenance of the testmode schema's database connection. If you do
## not specify the time, a default value of 1440m is set. Here, m refers to
## minutes.
testmode_db_aged_timeout: 1440m  # Interval in minutes before a physical connection is discarded.
## Maximum idle time for the test mode schema's database
## connection. If you do not specify the idle time, a default value of 1440m is
## set. Here, m refers to minutes.
testmode_db_max_idle_time: 1440m  # Interval in minutes after which an unused or idle connection is discarded.
testmode_db_sslProtocol:  # DB2 or MSSQL TLS version for testmode. If you do not specify the protocol, a default value of TLSv1.2 is set.
## Keystore/truststore file name containing the public
## certificate and password of the testmode schema's database.
testmode_db_sslTrustStoreName:  # SSL keystore file name for the test mode database schema.
testmode_db_sslTrustStoresecret:  # SSL keystore secret for the test mode database schema.
testmode_db_sslTrustStorePassword:  # Name of the secret holding the truststore password
testmode_db_mssql_hostNameInCertificate:  # Host name used when validating the SQL Server TLS/SSL certificate. Not mandatory when the host property already holds a host name rather than an IP address.
testmode_db_mssql_sslProtocol:  # DEPRECATED. MSSQL TLS version for testmode; for the mssql dbType it is used only when testmode_db_sslProtocol is empty.
testmode_db_mssql_encrypt:  # Encryption type for testmode matching the encryption policy configured on the MSSQL server. Allowed values: strict, true, false
ingress:
enabled: true  # Set true to create the ingress
controller: "nginx"  # Ingress controller
annotations: {}  # (Optional) Additional annotations for the specific ingress controller, as key: value pairs
security:
runAsUser: 1011  # User ID the container runs as (non-root)
supplementalGroups:
- 555  # Supplemental group ID added to the container
fsGroup: 1011  # Group ID the container runs as
setupfile:
servers:
ssl_protocol:  # Protocol for ECC certificate support.
enabled_ciphers:  # Ciphers for ECC certificate support.
enableConsoleLogs:  # true or false to enable or disable logging to the console
provisioner_request_listener_max_concurrency:  # Number of provisioning requests processed concurrently. The default value is 10.
provisioner_response_listener_max_concurrency:  # Number of provisioning responses processed concurrently. The default value is 10.
skipHostnameVerificationForHosts:  # Host names for which the Liberty server skips hostname verification. Each host listed here loses that TLS check, so leave the list empty unless it is required.
ssoSeas:
enable: false  # Set true to enable the SSL connection for SSO/SEAS
truststoreName:  # Secret name for the truststore file
truststoreSecret:  # Secret name
truststorePassword:  # Secret name for the truststore password
truststoreAlias:  # Alias of SEAS's public certificate within the truststore
truststoreType:  # SEAS truststore type.
keystoreName:  # Secret name for the keystore file
keystoreSecret:  # Secret name
keystorePassword:  # Secret name for the keystore password
keystoretype:  # SEAS keystore type.
keystoreAlias:  # SEAS keystore alias
ssomigration:
enable: false  # If enabled, the resources volume must also be enabled so the data files can be generated
migrationAction:  # Action performed by the migrator: EXPORT, MIGRATE or REPORT
sponsorContext:  # Sponsor to be migrated
orgDataFilename:  # Name of the file generated for the sponsor on export, or used as the input file for migration
userDataFilename:  # Name of the file generated for users on export, or used as the input file for migration
log_level: "INFO"  # Log level: FINE, INFO or SEVERE.
log_file_max_size:  # Size limit in MB for each log file.
log_file_count:  # Number of log files.
masterKeyRegenerator:
enable: false  # Set true to enable the master key regenerator
passphraseOldSecret:  # Name of the secret holding the old passphrase
passphraseNewSecret:  # Name of the secret holding the new passphrase
pem:
enable: true  # Set true to install IBM PEM
replicas: 1  # Number of pods to deploy
resources:
requests:
memory: "4Gi"  # Memory request
cpu: "1000m"  # CPU request
ephemeral-storage: "2Gi"  # Ephemeral-storage request
limits:
memory: "8Gi"  # Maximum memory a pod can use
cpu: "2000m"  # Maximum CPU a pod can use
ephemeral-storage: "4Gi"  # Maximum ephemeral-storage a pod can use
autoscaling:
enabled: false  # Set true to allow autoscaling of pods
minReplicas: 1  # Minimum number of pods
maxReplicas: 2  # Maximum number of pods to scale up to
targetCPUUtilizationPercentage: 85  # CPU utilization threshold for autoscaling
readinessProbe:
initialDelaySeconds: 10  # Initial delay in seconds before readiness checks of the pod start
periodSeconds: 60  # Interval in seconds between readiness checks
livenessProbe:
initialDelaySeconds: 60  # Initial delay in seconds before liveness checks of the pod start
timeoutSeconds: 30  # Seconds after which a liveness check times out
periodSeconds: 60  # Interval in seconds between liveness checks
successThreshold: 1  # Consecutive successes needed for the probe to count as passing
failureThreshold: 3  # Consecutive failures after which the liveness probe gives up and the container is restarted
hostname:  # Route DNS host for accessing IBM PEM; if not set, a default host name is generated
ingress:
tls:
secretName:  # TLS certificate secret for the hostname
route:
timeout:  # Route timeout. The default value is '60s'.
tls:
termination: reencrypt  # TLS termination type for the serving certificate securing the route. PEM currently supports reencrypt termination only.
insecureEdgeTerminationPolicy: None  # Policy for traffic on insecure schemes such as HTTP. None means insecure traffic is not accepted on the route.
setupfile:
servers:
## For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options:  # JVM options for the servers, separated by spaces.
keystore_password:  # Secret name
keystore_alias:  # Private key's alias within the keystore.
keystore_filename:  # Secret name; the key inside the secret must be the same as the secret name
## The default value is 100 MB.
max_file_size: 100  # Maximum size in MB of the server log file.
max_files: 20  # Maximum number of server log files. The default value is 20.
console_log_level: INFO  # Console log level. For example, "INFO".
trace_specification: "*: info"  # Trace specification. The default value is "*: info". Quoted because a plain value starting with '*' would be read as a YAML alias.
pp:
enable: true  # Set true to install Partner Provisioner
replicas: 1  # Number of pods to deploy
resources:
requests:
memory: "2Gi"  # Memory request
cpu: "1000m"  # CPU request
ephemeral-storage: "2Gi"  # Ephemeral-storage request
limits:
memory: "4Gi"  # Maximum memory a pod can use
cpu: "2000m"  # Maximum CPU a pod can use
ephemeral-storage: "4Gi"  # Maximum ephemeral-storage a pod can use
autoscaling:
enabled: false  # Set true to allow autoscaling of pods
minReplicas: 1  # Minimum number of pods
maxReplicas: 2  # Maximum number of pods to scale up to
targetCPUUtilizationPercentage: 85  # CPU utilization threshold for autoscaling
readinessProbe:
initialDelaySeconds: 10  # Initial delay in seconds before readiness checks of the pod start
periodSeconds: 60  # Interval in seconds between readiness checks
livenessProbe:
initialDelaySeconds: 60  # Initial delay in seconds before liveness checks of the pod start
timeoutSeconds: 30  # Seconds after which a liveness check times out
periodSeconds: 60  # Interval in seconds between liveness checks
successThreshold: 1  # Consecutive successes needed for the probe to count as passing
failureThreshold: 3  # Consecutive failures after which the liveness probe gives up and the container is restarted
hostname:  # Route DNS host for accessing Partner Provisioner; if not set, a default host name is generated
ingress:
tls:
secretName:  # TLS certificate secret for the hostname
route:
timeout:  # Route timeout. The default value is '30s'.
tls:
termination: reencrypt  # TLS termination type for the serving certificate securing the route. PEM currently supports reencrypt termination only.
insecureEdgeTerminationPolicy: None  # Policy for traffic on insecure schemes such as HTTP. None means insecure traffic is not accepted on the route.
setupfile:
servers:
## For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options:  # JVM options for the servers, separated by spaces.
## Server details that are common to IBM PEM, Partner Repository, and
## Partner Provisioner. The keystore file (.jks file) has to be copied
## into the <mount location>/resources/security folder.
## Provide secret names below, never the key material or passwords themselves.
keystore_password:  # Secret name
keystore_alias:  # Private key's alias within the keystore.
keystore_filename:  # Secret name; the key inside the secret must be the same as the secret name
max_file_size: 100  # Maximum size in MB of the server log file. The default value is 100 MB.
max_files: 20  # Maximum number of server log files. The default value is 20.
console_log_level: INFO  # Console log level. For example, "INFO".
trace_specification: "*: info"  # Trace specification. The default value is "*: info". Quoted because a plain value starting with '*' would be read as a YAML alias.
## JMS PROPERTIES FOR PARTNER PROVISIONER & PARTNER REPOSITORY
## Enables the Java Messaging Service (JMS) feature that is common to
## Partner Repository and Partner Provisioner (key: enable_jms_features).
## TO ENABLE JMS FOR PARTNER REPOSITORY
## For the embedded client use enable_jms_features: "embdClientOnly"
## For the WMQ client use enable_jms_features: "wmqClientOnly"
## TO ENABLE JMS FOR PARTNER PROVISIONER
## For the embedded client use enable_jms_features: "embdClientOnly"
## For the embedded server use enable_jms_features: "embdServerAndClientOnly"
## For the WMQ client use enable_jms_features: "wmqClientOnly"
## For more information, refer to the Configuring the properties of Setup.cfg
## file topic in the product documentation.
enable_jms_features: embdServerAndClientOnly
## Embedded JMS queue details that are common to Partner
## Repository and Partner Provisioner.
provisioner_request_queue: PEM_request  # Request queue name used for communication between PEM Partner Provisioner and PEM Partner Repository over embedded JMS. Ensure that the queue name is the same for both service components.
provisioner_response_queue: PEM_response  # Response queue name used for communication between PEM Partner Provisioner and PEM Partner Repository over embedded JMS. Ensure that the queue name is the same for both service components.
remote_server_ssl: false  # true selects SSL (BootstrapSecureMessaging), false selects non-SSL (BootstrapBasicMessaging). false here, so the JMS transport is not TLS-protected.
remote_server_host:  # Service host name of the JMS service, e.g. releasename-pp-jms-service.namespace.domain.com
remote_server_port: 80  # JMS port number exposed when deploying Partner Provisioner as a JMS server.
pr:
enable: true  # Set true to install Partner Repository
replicas: 1  # Number of pods to deploy
resources:
requests:
memory: "2Gi"  # Memory request
cpu: "1000m"  # CPU request
ephemeral-storage: "2Gi"  # Ephemeral-storage request
limits:
memory: "4Gi"  # Maximum memory a pod can use
cpu: "2000m"  # Maximum CPU a pod can use
ephemeral-storage: "4Gi"  # Maximum ephemeral-storage a pod can use
autoscaling:
enabled: false  # Set true to allow autoscaling of pods
minReplicas: 1  # Minimum number of pods
maxReplicas: 2  # Maximum number of pods to scale up to
targetCPUUtilizationPercentage: 85  # CPU utilization threshold for autoscaling
readinessProbe:
initialDelaySeconds: 10  # Initial delay in seconds before readiness checks of the pod start
periodSeconds: 60  # Interval in seconds between readiness checks
livenessProbe:
initialDelaySeconds: 60  # Initial delay in seconds before liveness checks of the pod start
timeoutSeconds: 30  # Seconds after which a liveness check times out
periodSeconds: 60  # Interval in seconds between liveness checks
successThreshold: 1  # Consecutive successes needed for the probe to count as passing
failureThreshold: 3  # Consecutive failures after which the liveness probe gives up and the container is restarted
hostname:  # Route DNS host for accessing Partner Repository; if not set, a default host name is generated
ingress:
tls:
secretName:  # TLS certificate secret for the hostname
route:
timeout:  # Route timeout. The default value is '30s'.
tls:
termination: reencrypt  # TLS termination type for the serving certificate securing the route. PEM currently supports reencrypt termination only.
insecureEdgeTerminationPolicy: None  # Policy for traffic on insecure schemes such as HTTP. None means insecure traffic is not accepted on the route.
setupfile:
servers:
## JVM options for the servers, separated by spaces.
## For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options:
keystore_password:  # Secret name
keystore_alias:  # Private key's alias within the keystore.
keystore_filename:  # Secret name; the key inside the secret must be the same as the secret name
## The default value is 100 MB.
max_file_size: 100  # Maximum size in MB of the server log file.
max_files: 20  # Maximum number of server log files. The default value is 20.
console_log_level: INFO  # Console log level. For example, "INFO".
trace_specification: "*: info"  # Trace specification. The default value is "*: info". Quoted because a plain value starting with '*' would be read as a YAML alias.
## JMS PROPERTIES FOR PARTNER PROVISIONER & PARTNER REPOSITORY
## Enables the Java Messaging Service (JMS) feature that is common to
## Partner Repository and Partner Provisioner (key: enable_jms_features).
## TO ENABLE JMS FOR PARTNER REPOSITORY
## For the embedded client use enable_jms_features: "embdClientOnly"
## For the WMQ client use enable_jms_features: "wmqClientOnly"
## TO ENABLE JMS FOR PARTNER PROVISIONER
## For the embedded client use enable_jms_features: "embdClientOnly"
## For the embedded server use enable_jms_features: "embdServerAndClientOnly"
## For the WMQ client use enable_jms_features: "wmqClientOnly"
## For more information, refer to the Configuring the properties of Setup.cfg
## file topic in the product documentation.
enable_jms_features: embdClientOnly
## Embedded JMS queue details that are common to Partner
## Repository and Partner Provisioner.
provisioner_request_queue: PEM_request  # Request queue name used for communication between PEM Partner Provisioner and PEM Partner Repository over embedded JMS. Ensure that the queue name is the same for both service components.
provisioner_response_queue: PEM_response  # Response queue name used for communication between PEM Partner Provisioner and PEM Partner Repository over embedded JMS. Ensure that the queue name is the same for both service components.
remote_server_ssl: false  # true selects SSL (BootstrapSecureMessaging), false selects non-SSL (BootstrapBasicMessaging). false here, so the JMS transport is not TLS-protected.
remote_server_host:  # Service host name of the JMS service, e.g. releasename-pr-jms-service.namespace.domain.com
remote_server_port: 80  # JMS port number exposed when deploying Partner Provisioner as a JMS server.
## If you are using WebSphere MQ (WMQ) as your JMS service provider, specify
## the WMQ details that are common to Partner Repository and Partner
## Provisioner.
wmq:
channel:  # WebSphere MQ channel name
connection_name_list:  # WebSphere MQ connection list, comma separated. For example, 9.89.31.226 (19443), 9.77.53.126 (17286). This example is valid for a WebSphere MQ setup with HA (High Availability). For WMQ without HA, it can be a single <host_name or IP>:<port_number>.
queue_manager:  # WebSphere MQ queue manager.
username:  # WebSphere MQ user name.
password:  # Name of the secret holding the WebSphere MQ password; do not put the password value here
wmq_provisioner_request_queue_manager:  # WebSphere MQ request queue manager.
wmq_provisioner_response_queue_manager:  # WebSphere MQ response queue manager.
wmq_provisioner_request_queue_name:  # WebSphere MQ request queue name.
wmq_provisioner_response_queue_name:  # WebSphere MQ response queue name.
ssl_cipher_suite:  # A valid SSL cipher suite. If SSL is enabled on the WebSphere MQ connection channel, provide the SSL cipher suite corresponding to the SSL cipher specifications configured on that channel.
purge:
enable: false  # Set true to run the Purge utility
schedule: "0 9 * * 1"  # Cron schedule for the purge job (here: Mondays at 09:00); quoted so the '*' characters are not parsed as YAML syntax
resources:
requests:
memory: "0.5Gi"  # Memory request
cpu: "100m"  # CPU request
ephemeral-storage: "2Gi"  # Ephemeral-storage request
limits:
memory: "1Gi"  # Maximum memory a pod can use
cpu: "500m"  # Maximum CPU a pod can use
ephemeral-storage: "3Gi"  # Maximum ephemeral-storage a pod can use
setupfile:
purge:
name:  # Purge tool name. This property prevents two users who specify the same purge name from purging records simultaneously. It is mandatory, so ensure that the value is not blank.
number_of_purge_days: 180  # Number of retention days before the current date for which records are purged. Only records that qualify are purged. For example, with 60 days, records older than 60 days from the current date that satisfy the purge criteria are purged.
purge_count: 1  # Number of records purged in a batch. IMPORTANT: do not modify this value.
sponsor_context:  # Sponsor context, or * to take all the sponsors in the system
no_of_db_connections: 50  # Maximum number of pooled connections allowed for the Purge tool's source database (the target counterpart is target_no_of_db_connections)
resource_to_purge: SPONSOR  # Resource to purge; SPONSOR here. For more information, refer to the Configuring the properties of Setup.cfg topic in the product documentation.
resource_to_purge_key:  # Resource key for Sponsor / Sponsor user / Partner / Partner user / Third party processor / Third party processor user.
purge_strategy: ARCHIVE  # "DELETE" only deletes data from the source database. "ARCHIVE" deletes data from the source database and copies it to the target database.
purge_strategy_data_scope: DELETED_DATA  # Scope for the purge strategy <ALL_DATA/DELETED_DATA>: delete or archive only the deleted data, or all data, of the resource.
## Whether the source database and target database schemas are the same.
## Valid values are true and false; the default value is true.
target_db_is_same_as_source_db: false  # Set true when the source and target database schemas are the same. false here, so the target database is configured separately below.
target_no_of_db_connections: 50  # Maximum number of pooled connections allowed from the Purge tool to the target database.
## DATABASE AND SSL PROPERTIES FOR THE PURGE TARGET DATABASE. These properties
## are needed when the target database is configured separately from the source.
target_db_port:  # Database port
target_db_host:  # Database host
target_db_name:  # Database name
target_db_schema:  # Database schema
target_db_user:  # Database user
target_db_password:  # Name of the secret holding the database password; do not put the password value here
target_db_driver:  # Database driver
target_ssl_connection: false  # Enable or disable the SSL connection for the purge target database schema. Valid values are true and false; the default is false. false here, so this connection is not TLS-protected.
target_db_sslProtocol:  # DB2 or MSSQL TLS version for the purge target DB. If you do not specify the protocol, a default value of TLSv1.2 is set.
target_db_sslTrustStoreName:  # Keystore/truststore file name that contains the public certificate of the target purge database schema.
target_db_sslTrustStoreSecret:  # Keystore/truststore secret name.
target_db_sslTrustStorePassword:  # Keystore/truststore password secret name
target_db_mssql_hostNameInCertificate:  # Host name used when validating the SQL Server TLS/SSL certificate. Not mandatory when the host property already holds a host name rather than an IP address.
target_db_mssql_sslProtocol:  # DEPRECATED. MSSQL TLS version for the purge target DB; for the mssql dbType it is used only when target_db_sslProtocol is empty.
target_db_mssql_encrypt:  # Encryption type for the purge target DB matching the encryption policy configured on the MSSQL server. Allowed values: strict, true, false
target_db_type:  # Type of the purge target database: DB2, Oracle or mssql.
jvm_options:  # JVM options for purge, separated by spaces.
java_util_logging_file_handler_level: INFO  # Log level: FINE, INFO or SEVERE.
java_util_logging_file_handler_limit:  # Size limit in MB for each log file.
java_util_logging_file_handler_count: ## Specify the number of log files.
agent:
replicas: 1 # Number of agent pods to deploy.
enable: false # Set to true to run the scan agent.
resources:
requests:
memory: "2Gi" # Memory request for the agent pod.
cpu: "1000m" # CPU request for the agent pod.
ephemeral-storage: "2Gi" # Ephemeral-storage request for the agent pod.
limits:
memory: "4Gi" # Maximum memory an agent pod may use.
cpu: "2000m" # Maximum CPU an agent pod may use.
ephemeral-storage: "3Gi" # Maximum ephemeral storage an agent pod may use.
setupfile:
agent:
## AGENT
type: ## Type of agent: scanagent or certificateupdate. To run both, list them comma-separated, e.g. "scanagent,certificateupdate".
jvm_options: ## Space-separated list of JVM options for the scan agent.
antivirus_server_host: ## Host name or IP address of the antivirus server.
antivirus_server_port: ## Port number of the antivirus server.
no_of_db_connections: 50 ## Maximum number of pooled database connections. Default is 50.
retry_interval_in_sec: 21600 ## Seconds to wait between retries after a connection failure with the antivirus server. Numeric values only.
max_retry_count: 1460 ## Maximum number of times the agent retries scanning a file after a failed scan. Numeric values only.
com_ibm_vch_identity_security_limit: 100 ## Size limit, in MB, for each log file.
com_ibm_vch_identity_security_level: INFO ## Log level: FINE, INFO, or SEVERE.
com_ibm_vch_identity_security_count: 20 ## Number of log files to keep.
scan_extensibility_class: ## Class that enables antivirus extensibility.
gateway:
enable: true # Set to true to install the API Gateway.
replicas: 1 # Number of Gateway pods to deploy.
resources:
requests:
memory: "2Gi" # Memory request for the Gateway pod.
cpu: "1000m" # CPU request for the Gateway pod.
ephemeral-storage: "2Gi" # Ephemeral-storage request for the Gateway pod.
limits:
memory: "4Gi" # Maximum memory a Gateway pod may use.
cpu: "2000m" # Maximum CPU a Gateway pod may use.
ephemeral-storage: "4Gi" # Maximum ephemeral storage a Gateway pod may use.
readinessProbe:
initialDelaySeconds: 10 # Seconds to wait before the first readiness check.
periodSeconds: 60 # Interval, in seconds, between readiness checks.
livenessProbe:
initialDelaySeconds: 60 # Seconds to wait before the first liveness check.
timeoutSeconds: 30 # Seconds after which a liveness check counts as failed.
periodSeconds: 60 # Interval, in seconds, between liveness checks.
successThreshold: 1 # Consecutive successes needed for the probe to pass.
failureThreshold: 3 # Consecutive failures before the pod is restarted.
hostname: # Route DNS host used to reach the Gateway. IMPORTANT: the API is only enabled when this property is set.
ingress:
tls:
secretName: # TLS certificate secret for the hostname.
route:
timeout: # Route timeout. Default is '30s'.
tls:
termination: reencrypt # TLS termination type for the route. PEM currently supports reencrypt only, so traffic stays encrypted between the router and the Gateway.
insecureEdgeTerminationPolicy: None # Handling of requests on insecure schemes such as HTTP. None rejects them; do not loosen this without a reason.
setupfile:
servers:
jvm_options: ## Space-separated list of JVM options for the servers, e.g. jvm_options: "-Xms4g -Xmx4g".
keystore_password: # Secret name holding the keystore password.
keystore_alias: # Alias of the private key inside the keystore.
keystore_filename: # Secret name holding the keystore; the key inside the secret must equal the secret name.
max_file_size: 100 # Maximum size of a server log file, in MB.
max_files: 20 # Maximum number of server log files. Default is 20.
console_log_level: INFO ## Console log level, e.g. "INFO".
trace_specification: "*: info" ## Trace specification. Default is "*: info".
gateway:
## GATEWAY
## Comma-separated list of allowed CORS origins, i.e. <origin1>,<origin2>,...
## "*" allows any browser origin to call the Gateway; restrict it to the origins that actually host the UI before going to production.
cors_allowedOrigins: "*"
## Comma-separated list of containers available for each service:
## [https://<host1>:<port1>,https://<host2>:<port2>,...]
pem_servers: # PEM service URL. The PEM service is created as <release_name>-pem-service on port 80, e.g. https://my-release-pem-service:80 where my-release is the release name. Lists the PEM containers the Gateway sends API calls to; with more than one address the Gateway load balances.
pr_servers: # PR service URL. The PR service is created as <release_name>-pr-service on port 80, e.g. https://my-release-pr-service:80 where my-release is the release name. Lists the PR containers the Gateway sends API calls to; with more than one address the Gateway load balances.
max_file_size: # Upper limit on the size of a file uploaded through the Gateway.
max_request_size: # Upper limit on the size of a request sent through the Gateway.
hostname_validation_required: true # Enables certificate host-name validation for the Gateway's TLS connections. Setting it to false skips the host-name check and weakens the protection the truststore gives; keep true outside isolated test setups.
truststore_filename: # Secret name holding the truststore the Gateway uses to talk to PEM and PR; the key inside the secret must equal the secret name.
truststore_type: # Truststore file type, e.g. JKS.
truststore_alias: # Alias of the server's public certificate inside the truststore.
truststore_password: # Secret name holding the truststore password.
ratelimit:
limit_for_period: 45 # Maximum number of requests allowed within each refresh period (see limit_refresh_period). Default is 45.
limit_refresh_period: 60 # Interval, in seconds, at which the rate-limit counter resets. Default is 60.
timeout_duration: 5 # Maximum time, in seconds, a request waits once the rate limit is exceeded before it fails. Default is 5.
communitymanager:
install: true # Set to false to skip installing Community Manager (PCM).
image:
repository: "cp.icr.io/cp/ibm-pem/pem_cm" # Community Manager image repository.
pullPolicy: Always # Image pull policy.
tag: "6.2.4" # Image tag.
pullSecret: # Pull secret name.
prod:
enable: true # Set to true to install the production PCM; false to skip it.
setupfile:
time_zone: UTC # Default is UTC. Specify a Country/City zone, e.g. America/New_York.
max_file_length: 10 # Maximum file size, in MB, that can be viewed. Default is 10.
edit_and_upload: true # Set to false to hide the edit and upload button on the file transfer search screen.
jvmoptions: "-Dspring.datasource.hikari.maximum-pool-size=60" # Additional JVM arguments as required; do not change the default pool-size setting.
acceptLicence: true # Must be true for the PCM installation to proceed.
cm:
color: black # UI theme. Supported PCM colours: red, green, grey, yellow, black.
cmSecret: ibm-pem-cm-secret-prod # Name of the secret holding the PCM password.
logo_location: #logo.png # To use a custom logo, uncomment logo.png and mount the logo.png file as a config map.
protocol:
disallowed_special_characters: "!@#:$%^&*()+?,<>{}[]|;\"'/\\" # Characters rejected in input, given in double quotes. < and > are restricted by default; keep the YAML escapes intact when editing.
ssl_enabled_protocols: TLSv1.2,TLSv1.3 # Enabled TLS protocol versions for the server.
ssl_ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA # Supported cipher suites; adjust to match your certificates. The list also contains CBC (SHA/SHA256/SHA384) and DHE_DSS suites; trimming it to the ECDHE GCM suites is advisable where clients allow it.
spring:
datasource:
url: "" # Database JDBC URL, e.g. jdbc:oracle:thin:@localhost:1521/XE.
username: # Database user name.
driver_class_name: # JDBC driver class name.
ssl:
enabled: false # Set to true if the database connection uses SSL/TLS.
trust_store: # Truststore file name.
trustStoreSecret: # Secret that provides the truststore — presumably the file named in trust_store; confirm.
jpa:
database_platform: com.pe.pcm.config.database.dialect.Oracle12cExtendedDialect # Dialect matching the database; the default is the Oracle dialect.
# database_platform: com.pe.pcm.config.database.dialect.Oracle12cExtendedDialect # Default value
mail:
host: # SMTP host name.
port: # SMTP port.
username: # SMTP user name, e.g. username@company.com.
from: from_mailid@company.com # Sender (From) mail address.
app_contact_mail: app_contact_mailid@company.com # Application contact address used in the mail signature.
mail_signature: "Community Manager Portal support team." # Email signature text.
properties:
mail:
smtp:
auth: true # Set to true to authenticate to the SMTP server; false otherwise.
starttls:
enable: true # Set to true to use STARTTLS on the SMTP connection; leave true so credentials are not sent in clear.
jwt:
secretkey: # JWT signing key; presumably supplied as a secret name like the other credentials here — confirm.
sterling_b2bi:
connectivity:
api:
baseUrl: # Sterling B2Bi API base URL.
username: # Sterling B2Bi user name.
password: # Secret name holding the Sterling B2Bi API password (the original note said "pull secret name", presumably a copy/paste slip).
user:
cmks_validation: false # Set to true to integrate PCM with B2Bi.
cmks: # App-secret name that references STERLING_SYSTEM_PASSPHRASE.
username: b2bapi_username # Sterling B2Bi user used to integrate CM and B2B.
baseUrl: # B2B REST API URL including the port.
b2bi_api:
active: true # Whether the B2Bi API is available.
auth_host: # Key/value pairs: the external user authentication host name as key and its order as value.
host1: # Further hosts can be added (see host2 below).
name: "[SEAS Authentication]" # Sterling Integrator authentication host name.
value: 1 # Order of this host.
#host2:
# name:
# value:
as2: # Set active to true if the AS2 API is available in B2Bi and CM should use it.
active: false # See note above.
cd:
net_map_name: nonprodCD # Netmap name used in B2B.
proxy:
internal: # Used to create the node in the internal proxy when CM creates B2Bi_CONNECT_DIRECT.
server_host: # Server host.
server_port: 1364 # Server port.
secure_plus_option: ENABLED # Secure+ option: ENABLED | DISABLED.
ca_cert: # CA certificate to use when Secure+ is enabled.
system_certificate: B2BHttp # System certificate name.
security_protocol: TLS 1.2 # TLS version.
cipher_suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA # Cipher suite. 3DES-CBC is a legacy 64-bit-block cipher (Sweet32); prefer an AES-GCM suite if the Connect:Direct node supports one.
external: # Used to create the node in the external proxy when CM creates B2Bi_CONNECT_DIRECT.
server_host: # Connect:Direct host.
server_port: 1364 # Server port.
secure_plus_option: ENABLED # Secure+ option: ENABLED | DISABLED.
ca_cert: # CA certificate to use when Secure+ is enabled.
system_certificate: B2BHttp # System certificate name.
security_protocol: TLS 1.2 # TLS version.
cipher_suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA # Cipher suite. 3DES-CBC is a legacy 64-bit-block cipher (Sweet32); prefer an AES-GCM suite if the Connect:Direct node supports one.
ssp: # IBM SSP API configuration.
active: false # Set to true if SSP APIs are enabled; false otherwise.
api:
username: ssp_user # User name used to authenticate to the SSP API.
baseUrl: # Base URL of the SSP API.
adapters: # Default adapter names used for profiles.
ftpServerAdapterName: CM_FTPServerAdapter # FTP server adapter name.
ftpsClientAdapterName: FTP Client Adapter # FTPS client adapter name.
ftpClientAdapterName: CDServrAdapter # FTP client adapter name.
ftpsServerAdapterName: CM_FTPS_ServerAdapter # FTPS server adapter name.
sftpServerAdapterName: CM_SFTPServerAdapter # SFTP server adapter name.
sftpClientAdapterName: CM_SFTPClientAdapter # SFTP client adapter name.
as2ServerAdapterName: CM_AS2ServerAdapter # AS2 server adapter name.
as2ClientAdapterName: CM_AS2ClientAdapter # AS2 client adapter name.
as2HttpClientAdapter: HTTPClientAdapter # AS2 HTTP client adapter name.
cdClientAdapterName: CM_CDClientAdapter # Connect:Direct client adapter name.
httpServerAdapterName: CM_HTTPServerSync # HTTP server adapter name.
httpsServerAdapterName: CM_HTTPSServerSync # HTTPS server adapter name.
mqAdapterName: CM_MQAdapter # MQ adapter name.
wsServerAdapterName: CM_HTTPSServerSync # Web-service server adapter name.
fsAdapter: CMFileSystem # File-system adapter name.
sfgSftpClientAdapterName: CM_SFTPClientAdapter # SFG SFTP client adapter name.
sfgSftpServerAdapterName: CM_SFTPServerAdapter # SFG SFTP server adapter name.
sfgFtpClientAdapterName: CM_FTPClientAdapter # SFG FTP client adapter name.
sfgFtpServerAdapterName: CM_FTPServerAdapter # SFG FTP server adapter name.
sfgFtpsClientAdapterName: CM_FTPSClientAdapter # SFG FTPS client adapter name.
sfgFtpsServerAdapterName: CM_FTPS_ServerAdapter # SFG FTPS server adapter name.
pem:
remote:
server:
enabled: false # Set to true to use a PEM key.
pem_key: # PEM key name.
pemKeySecret: # Secret holding the PEM key.
base_directory:
path: # Base directory path.
session_timeout: 5000 # Session timeout, in milliseconds.
datasource:
url: jdbc:oracle:thin:@DBHostname:1521/DBName # Database URL, e.g. jdbc:oracle:thin:@DBHostname:1521/DBName.
username: USERNAME # Database user name.
driver_class_name: oracle.jdbc.driver.OracleDriver # JDBC driver class name, e.g. oracle.jdbc.driver.OracleDriver.
api_ws:
active: true # Set to true to use the PEM rollout API.
base_url: # PEM rollout API URL.
username: # PEM sponsor user name.
file:
archive:
pgp:
enabled: false # Set to true to use a PGP key.
private_key: # PGP key name.
privateKeySecret: # Secret holding the PGP key.
ssomigration:
enable: false # Set to true to start the migration.
data:
action: EXPORT # Action: EXPORT, MIGRATE, or REPORT.
file_name: pcm_user # File name used by the EXPORT, MIGRATE, and REPORT actions.
loggerLevel: INFO # Log level: INFO, ERROR, or DEBUG.
saml:
enabled: false # Set to true to enable SAML 2.0 SSO.
ssourl: # SAML 2.0 Single Sign-On (SSO) URL.
idp:
metadata: # SAML 2.0 IdP metadata file name.
registrationid: pcm # SAML 2.0 application registration id.
idpgroupsrolemapper: pcmsuperadmin-super_admin,pcmadmin-admin,cmonboarder-on_boarder # SAML group to PCM role mapping as <group>-<role> pairs; IdP role names must not contain a hyphen (-).
defaultrole: super_admin # Default role for SSO users. super_admin is the most privileged role listed in idpgroupsrolemapper; consider a less privileged default.
jwt:
secretkey: yeWAgVDfb$!MFn@MCJVN7uqkznHbDLR# # JWT signing secret. This sample value ships with every copy of this file; replace it before deployment, since anyone holding it can mint valid session tokens.
sessionexpire: 60 # Application session expiry, in minutes.
sso_ssp_seas:
enable: false # Set to true to enable SSO through SSP/SEAS.
ssp:
logout_endpoint: /Signon/logout.html # SSP logout endpoint. Default is /Signon/logout.html.
user_header_name: SM_USER # User header name configured in SSP. Default is SM_USER. Presumably this header identifies the signed-on user, so make sure requests cannot reach the application without passing through SSP.
token_cookie_name: SSOTOKEN # Token cookie name configured in SSP. The original note gave the default as SSOTOKENS; confirm which name the image expects.
seas:
auth_profile: communityManager # Authentication profile name in SEAS.
host: SEAS_Host # SEAS host name.
port: SEAS_Port # SEAS port.
ssl:
enabled: false # Set to true if SEAS uses SSL/TLS.
trust_store:
name: keystore.p12 # SEAS truststore file name.
secretName: # Secret holding the truststore.
alias: seasssl_sso # SEAS truststore alias.
type: PKCS12 # SEAS truststore type.
key_store:
name: keystore.p12 # SEAS keystore file name.
secretName: # Secret holding the keystore (the original note said truststore).
alias: community_manager # SEAS keystore alias.
type: PKCS12 # SEAS keystore type.
user_request:
user: # Custom user properties configured in SEAS.
email: email # Email property name configured in SEAS.
role: role # Role property name configured in SEAS.
first_name: firstName # First-name property name configured in SEAS.
last_name: lastName # Last-name property name configured in SEAS.
phone: phone # Phone property name configured in SEAS.
external_id: externalId # External-id property name configured in SEAS.
preferred_language: prefferedLanguage # Language property name configured in SEAS (optional).
user_roles: # LDAP role to PCM role mapping (CM role: LDAP role).
super_admin: superAdmin # LDAP role name for super_admin.
admin: admin # LDAP role name for admin.
on_boarder: creator # LDAP role name for on_boarder.
business_admin: bAdmin # LDAP role name for business_admin.
business_user: bUser # LDAP role name for business_user.
data_processor: processor # LDAP role name for data_processor.
data_processor_restricted: processorRes # LDAP role name for data_processor_restricted.
file_processor: # LDAP role name for file_processor.
business_admin_dpr: # LDAP role name for business_admin_dpr.
role_delimiter: # Delimiter used between LDAP role names.
oauth2:
enable: false # Set to true to use OAuth for the send-email API.
token_url: "" # Token URL for Microsoft OAuth token generation, e.g. https://login.microsoftonline.com/<tenant-id>/oauth2/token.
grant_type: client_credentials # Grant type: password or client_credentials. client_credentials avoids storing a user password.
client_id: # Client id of the app registration.
client_secret: # Secret name holding the app registration's client secret.
username: # User name used for the app registration (password grant).
cmks: # Secret name holding the user account password for the app registration.
scope: openid # Scope used for the app registration.
resource:
token:
response_parser: access_token # Field of the token response that carries the access token.
prefix: Bearer # Prefix placed before the token in the authorization header.
header: Authorization # Header name that carries the token.
replicacount: 1 # Number of pods to deploy.
autoscaling:
enabled: false # Set to true to allow autoscaling of pods.
minReplicas: 1 # Minimum number of pods.
maxReplicas: 2 # Maximum number of pods to scale up to.
targetCPUUtilizationPercentage: 85 # CPU utilization threshold that triggers autoscaling.
resources:
requests:
memory: "2Gi" # Memory request for the pod.
cpu: "1000m" # CPU request for the pod.
ephemeral-storage: 2Gi # Ephemeral-storage request for the pod.
limits:
memory: "4Gi" # Maximum memory a pod may use.
cpu: "2000m" # Maximum CPU a pod may use.
ephemeral-storage: 3Gi # Maximum ephemeral storage a pod may use.
readinessProbe:
initialDelaySeconds: 10 # Seconds to wait before the first readiness check.
periodSeconds: 60 # Interval, in seconds, between readiness checks.
livenessProbe:
initialDelaySeconds: 60 # Seconds to wait before the first liveness check.
timeoutSeconds: 30 # Seconds after which a liveness check counts as failed.
periodSeconds: 60 # Interval, in seconds, between liveness checks.
successThreshold: 1 # Consecutive successes needed for the probe to pass.
failureThreshold: 3 # Consecutive failures before the pod is restarted.
hostname: # Route DNS host to reach Partner Provisioner; if unset, a default host name is generated.
route:
timeout: # Route timeout. Default is '30s'.
ingress:
tls:
secretName: # Ingress TLS secret.
archive:
enable: false # Set to true to use a persistent volume for the archive.
pvcname: # PVC name of the shared B2Bi documents volume.
path: /ibm/b2bi/install/documents # Default path of the B2B documents; change it if a different path is used.
nonprod:
enable: false # Set to true to deploy the non-production PCM.
setupfile:
time_zone: UTC #Default value is UTC; Specify the timezone EX:America/New_York (Country/city)
max_file_length: 10 #Default is 10 MB max file size allowed to view
edit_and_upload: true #false to disable/hide edit and upload button in file transfer search screen
jvmoptions: "-Dspring.datasource.hikari.maximum-pool-size=60" #Additional jvm arguments based on requirement Do not change the default.
acceptLicence: true #We should make accept-license should be true for pcm installation
cm:
color: black #This will enable the black theme in UI, PCM colores. red, green, grey, yellow, black
cmSecret: #Provide the password secret
logo_location: #logo.png #uncomment logo.png if you want to use custom logo mount logo.png file as config map
protocol:
disallowed_special_characters: "!@#:$%^&*()+?,<>{}[]|;\"'/\\" #We need to add the special characters in double quotes, by default <> are restricted and make sure escape characters are being handled properly
ssl_enabled_protocols: TLSv1.2,TLSv1.3 # Enabled SSL/TLS protocols for the server
ssl_ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA #List of supported cipers, can be modified according to the your ssl certificates
spring:
datasource:
url: "" # Specify the database url example for jdbc:oracle:thin:@localhost:1521/XE
username: #Specify the database user naem
driver_class_name: #Specify the dirver class name
ssl:
enabled: false #Specify it as true id database connection is ssl enabled
trust_store: #truststore name
trustStoreSecret: #secret for keystore
jpa:
database_platform: com.pe.pcm.config.database.dialect.Oracle12cExtendedDialect #dialect value based on the database default will be oracle
mail:
host: #smtp hostname
port: #SMTP port
username: #Specify the username exmaple: username@compnay.com
from: from_mailid@company.com #Specify the from mail id.
app_contact_mail: app_contact_mailid@company.com #Application contact email which will be used in mail signature
mail_signature: "Community Manager Portal support team." #Email signature
properties:
mail:
smtp:
auth: true #If you want to send a mail with ssl authentication then make it as true or elase false
starttls:
enable: true #If you want to send a mail with ssl authentication then make it as true or else false
jwt:
secretkey: #Specify the jwt token
sterling_b2bi:
connectivity:
api:
baseUrl: #Sterling b2bi api base url
username: #Sterling b2bi username
password: #pull secret name
user:
cmks_validation: false #Set this value to true to integrate PCM with B2Bi
cmks: #provide app-secret name reference STERLING_SYSTEM_PASSPHRASE
username: b2bapi_username #Sterling b2bi username used to integrate CM and B2B
baseUrl: #Specify the B2B restapi url with port
b2bi_api:
active: true #This will say whether B2Bi API available or not
auth_host: #This tag will accept key Value pair here we need to configure the External user User Hostname as key and order as value
host1: #multiple hosts can be added
name: "[SEAS Authentication]" #Sterling integrator authentication host name
value: 1
#host2:
# name:
# value:
as2: #true : If AS2 API Available in B2Bi APIs and if you want to use it from CM
active: false
cd:
net_map_name: nonprodCD #Specify the netmap name used in B2B
proxy:
internal: # This info will be used to create Node in Internal Proxy when CM creates B2Bi_CONNECT_DIRECT
server_host: #Specify the server host
server_port: 1364
secure_plus_option: ENABLED #Specify the secure plus option ENABLED | DISABLED
ca_cert: #cacert to be used if secure plus is enabled
system_certificate: B2BHttp #Specify the systemcertificate
security_protocol: TLS 1.2 #Specify the TLS version
cipher_suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA #Sppecify the cipher suite
external: # This info will be used to create Node in External Proxy when CM creates B2Bi_CONNECT_DIRECT
server_host: #Specify the CD host
server_port: 1364 #Specify the Server port
secure_plus_option: ENABLED #Specify the secure plus option ENABLED | DISABLED
ca_cert: #cacert to be used if secure plus is enabled
system_certificate: B2BHttp #Specify the systemcertificate
security_protocol: TLS 1.2 #Specify the TLS version
cipher_suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA #Sppecify the cipher suite
ssp: #IBM SSP API Configuration
active: false #if we have SSP APIs enable then make it as true or else false
api:
username: ssp_user #User name to authenticate the API
baseUrl: #Provide Base URL of the SSP API
adapters: #Profiles Default Adapters Details Configuration
ftpServerAdapterName: CM_FTPServerAdapter #Specify the respective adapter name
ftpsClientAdapterName: FTP Client Adapter #Specify the respective adapter name
ftpClientAdapterName: CDServrAdapter #Specify the respective adapter name
ftpsServerAdapterName: CM_FTPS_ServerAdapter #Specify the respective adapter name
sftpServerAdapterName: CM_SFTPServerAdapter #Specify the respective adapter name
sftpClientAdapterName: CM_SFTPClientAdapter #Specify the respective adapter name
as2ServerAdapterName: CM_AS2ServerAdapter #Specify the respective adapter name
as2ClientAdapterName: CM_AS2ClientAdapter #Specify the respective adapter name
as2HttpClientAdapter: HTTPClientAdapter #Specify the respective adapter name
cdClientAdapterName: CM_CDClientAdapter #Specify the respective adapter name
httpServerAdapterName: CM_HTTPServerSync #Specify the respective adapter name
httpsServerAdapterName: CM_HTTPSServerSync #Specify the respective adapter name
mqAdapterName: CM_MQAdapter #Specify the respective adapter name
wsServerAdapterName: CM_HTTPSServerSync #Specify the respective adapter name
fsAdapter: CMFileSystem #Specify the respective adapter name
sfgSftpClientAdapterName: CM_SFTPClientAdapter #Specify the respective adapter name
sfgSftpServerAdapterName: CM_SFTPServerAdapter #Specify the respective adapter name
sfgFtpClientAdapterName: CM_FTPClientAdapter #Specify the respective adapter name
sfgFtpServerAdapterName: CM_FTPServerAdapter #Specify the respective adapter name
sfgFtpsClientAdapterName: CM_FTPSClientAdapter #Specify the respective adapter name
sfgFtpsServerAdapterName: CM_FTPS_ServerAdapter #Specify the respective adapter name
pem:
remote:
server:
enabled: false #enable to use pem key
pem_key: #Provide the pemKey
pemKeySecret: #secret for pemkey
base_directory:
path: #Provide the base directory path
session_timeout: 5000 #Time in milliseconds
datasource:
url: jdbc:oracle:thin:@DBHostname:1521/DBName #Datbase url example jdbc:oracle:thin:@DBHostname:1521/DBName
username: USERNAME #Specify the database username
driver_class_name: oracle.jdbc.driver.OracleDriver #Provide db driver class name Ex: oracle.jdbc.driver.OracleDriver
api_ws:
active: true #Specify true to use pem rollout api
base_url: #specify the url
username: #PEM sponsor username
file:
archive:
pgp:
enabled: false #enable to use pgp key
private_key: #provide the pgp key name
privateKeySecret: #specify the pgp secret
ssomigration:
enable: false #enbale to start the migration
data:
action: EXPORT #Actions: EXPORT, MIGRATE, REPORT
file_name: pcm_user #File name which will be used in EXPORT, MIGRATE, and REORT Actions
loggerLevel: INFO #set the value to generate logs accepted values INFo , ERROR, DEBUG
saml:
enabled: false
ssourl: #provide the SAML 2.0 Single Sign On(SSO) URL
idp:
metadata: #provide SAML2.0 metadata file name
registrationid: pcm #provide saml 2.0 application registration id
idpgroupsrolemapper: pcmsuperadmin-super_admin,pcmadmin-admin,cmonboarder-on_boarder #provide your saml group vs pcm role (-), idp role name should not have special characters (-).
defaultrole: super_admin #default role for sso user
jwt:
secretkey: yeWAgVDfb$!MFn@MCJVN7uqkznHbDLR# #provide the jwt secret key
sessionexpire: 60 #provide your application session expiry in minutes
sso_ssp_seas:
enable: false
ssp:
logout_endpoint: /Signon/logout.html #SSP Logout endpoint ,default value is : /Signon/logout.html
user_header_name: SM_USER #User header name config in SSP, default value is : SM_USER
token_cookie_name: SSOTOKEN #Token cookie name config in SSP, default value is : SSOTOKENS
seas:
auth_profile: communityManager #Authentication Profile Name in SEAS
host: SEAS_Host #SEAS Host Name
port: SEAS_Port #SEAS Port
ssl:
enabled: false #SSL enable or not in SEAS
trust_store:
name: keystore.p12 #SEAS truststore file name
secretName: #secret for truststore
alias: seasssl_sso #SEAS truststore alias
type: PKCS12 #SEAS truststore type
key_store:
name: keystore.p12 #SEAS keystore file name
secretName: #secret for truststore
alias: community_manager #SEAS keystore alias
type: PKCS12 #SEAS keystore type
user_request:
user: #Custom properties config in SEAS
email: email #Email property name config in SEAS
role: role #Role property name config in SEAS
first_name: firstName #FirstName property name config in SEAS
last_name: lastName #LastName property name config in SEAS
phone: phone #Phone property name config in SEAS
external_id: externalId #FirstName property name config in SEAS
preferred_language: prefferedLanguage #Language property name config in SEAS(Optional)
user_roles: #LDAP roles mapping to PCM (CM Role - LDAP Role)
super_admin: superAdmin #specify the ldap role name for super_admin
admin: admin #specify the ldap role name for super_admin
on_boarder: creator #specify the ldap role name for admin
business_admin: bAdmin #specify the ldap role name for on_boarder
business_user: bUser #specify the ldap role name for business_user
data_processor: processor #specify the ldap role name for data_processor
data_processor_restricted: processorRes #specify the ldap role name for data_processor_restricted
file_processor: #Specify the ldap role name for file_processor
business_admin_dpr: #Specify the ldap role name for business_admin_dpr
role_delimiter: #Specify the role delimiter
oauth2:
enable: false #Set true to enable OAuth for the send-email API, false to disable it.
token_url: "" #Specify the token URL for MS OAuth token generation, e.g. https://login.microsoftonline.com/e16b23a5-6e25-4446-993c-d19c0wqedqwff803/oauth2/token
grant_type: client_credentials #Grant type: client_credentials or password
client_id: #Specify the app registered client id
client_secret: #Specify the secret name for the client secret used for app registration
username: #Specify the username used to create the app registration
cmks: #Specify the secret name for user account password used for app registration
scope: openid #Specify the scope used for app registration.
resource:
token:
response_parser: access_token #Specify the response-parser used for app registration.
prefix: Bearer #Specify the prefix used for app registration.
header: Authorization #Specify the header name used for app registration.
replicacount: 1 #specify the number of pods to be deployed
autoscaling:
enabled: false #set to true if autoscaling of pods to be allowed
minReplicas: 1 #set the minimum number of pods
maxReplicas: 2 #set the maximum number of pods to be scaled up
targetCPUUtilizationPercentage: 85 #set the limit of cpu utilization for autoscaling
resources:
requests:
memory: "2Gi" #specify the memory request as needed
cpu: "1000m" #specify the cpu cores request as needed
ephemeral-storage: 2Gi
limits:
memory: "4Gi" #specify the maximum memory a pod can utilize
cpu: "2000m" #specify the maximum cpu a pod can utilize
ephemeral-storage: 3Gi
readinessProbe:
initialDelaySeconds: 30 #set the initial delay to start readiness testing of pod in seconds
periodSeconds: 90 #set the time interval to perform readiness checks
livenessProbe:
initialDelaySeconds: 90 #set the initial delay to start liveness testing of pod in seconds
timeoutSeconds: 60
periodSeconds: 180 #set the time interval to perform liveness checks
successThreshold: 1
failureThreshold: 3
hostname: #specify the route DNS host used to access Partner Provisioner; if not set, a default hostname is generated
route:
timeout: #specify the route timeout. The default value is '30s'
ingress:
tls:
secretName: #define the ingress secret
archive:
enable: false #set to true to enable persistent volume for archive
pvcname: #Specify the PVC name of the B2Bi documents shared PVC
path: /ibm/b2bi/install/documents #Default path for B2B documents; change it if using a different path