Configuring PCM Installation

This topic provides the steps to configure IBM PEM Community Manager (PCM) after the container image is installed.

Procedure

  1. Place the following files in the MountFiles directory.
    • application.yml
    • keystore.jks (if SSL is enabled)
  2. Download Java Database Connectivity (JDBC) drivers for DB2, MSSQL, or Oracle, depending on your database, and place them in the MountFiles directory.
  3. Create an archive subdirectory in the MountFiles directory.
  4. Mount the MountFiles directory.
  5. Configure application.yml, the file that holds all PCM settings.
    1. Modify application.yml to point to the appropriate database, SMTP server, PEM instance, and IBM Sterling B2B Integrator instance.
    2. Encrypt the passwords in application.yml with the Java utility in the PCM container, which uses the AES 256 algorithm, and store the ENC(...) value it prints in the corresponding cmks field instead of the plain-text password. The utility can be run as a one-off container or directly from the jar shipped in the package:
      • Docker:
        docker run -it --rm -e TEXT=<text to encrypt> -e APP=encrypt pem_cm:6.2.4
        For example:
        docker run -it --rm -e TEXT=Expl0re -e APP=encrypt pem_cm:6.2.4
        or, with the jar:
        java -jar pem-cm-enc-1.0.0.jar Expl0re
        Output:
        ENC(cKtfzpIvwNdvHP+8QdHYiQ==)
        In this example, the output is the encrypted version of the passphrase Expl0re.
        Note: The pass-enc-1.0.0.jar is located in the IBMPEMCM_Dockerv6.1 folder outside the container in the provided package.
      • Podman:
        podman run -it --rm -e TEXT=<text to encrypt> -e APP=encrypt pem_cm:6.2.4
        For example:
        podman run -it --rm -e TEXT=Expl0re -e APP=encrypt pem_cm:6.2.4
        or, with the jar:
        java -jar pem-cm-enc-1.0.0.jar Expl0re
        Output:
        ENC(cKtfzpIvwNdvHP+8QdHYiQ==)
        In this example, the output is the encrypted version of the passphrase Expl0re.
        Note: The pass-enc-1.0.0.jar is located in the IBMPEMCM_Podmanv6.1 folder outside the container in the provided package.
      Note: Both forms take the plain-text password on the command line, so it is recorded in the shell history of the workstation where you run them. Clear that history entry, or run the command with history disabled, after encrypting production passwords.
  6. Accept PCM license. Set the value as follows:
    accept-license: true
  7. Configure the PCM theme color and the special characters that are not allowed in protocol fields:
    cm:
      color: black # Available themes: red, green, grey, yellow, black
      #api-connect-enabled: true
      protocol:
        disallowed-special-characters: "!@#:$%^&*()+?,<>{}[]|;\"'/\\" # The characters must be given as one double-quoted string; < and > are restricted by default. Escape a double quote as \" and a backslash as \\ inside the quotes, because the YAML parser otherwise treats them as the end of the string or as an escape for the next character.
  8. Configure the authentication password that the API requires to stop the PCM container. Use the ENC(...) value produced in step 5, not the plain-text password:
    cmks: ENC(cKtfzpIvwNdvHP+8QdHYiQ==)
  9. Configure the Apache JServ Protocol (AJP), PCM header, and ports:
    server:
      ajp:
        enabled: false # true, for cluster deployments
        port: 8585
    Note: AJP is an unauthenticated, unencrypted connector meant for traffic from a front-end proxy or other cluster members. If you enable it, make sure the AJP port is reachable only from those hosts and is never published outside the cluster network.
  10. Enable Liquibase. The following example illustrates the configuration for an Oracle database:
    spring:
      jackson:
        time-zone: UTC # Set the SI server time zone in tz database format (for example America/Chicago or America/New_York) only if the server does not run on UTC.
      liquibase:
        enabled: true
      datasource:
        type: com.zaxxer.hikari.HikariDataSource
        url: jdbc:oracle:thin:@hostname:1521/ORCL
        username: # Database username
        driver-class-name: oracle.jdbc.driver.OracleDriver
      hikari:
        connection-timeout: 60000
        maximum-pool-size: 60
        auto-commit: false
      jpa:
        show_sql: true
        open-in-view: false
        database-platform: com.pe.pcm.config.database.dialect.Oracle10gExtendedDialect
        properties:
          id:
            new_generator_mappings: true
      hibernate:
        naming:
          physical-strategy: com.pe.pcm.config.database.PhysicalNamingStrategy
    Note: The liquibase parameter must be set to true at all times, regardless of a fresh installation or an upgrade.
    Note: show_sql: true writes every SQL statement PCM issues to the application log. Leave it on only while troubleshooting and set it to false in production, where it adds log volume and overhead.
  11. Configure the database connection used with IBM Sterling B2B Integrator. For each supported database, set the URL, driver, username, database platform (dialect), and database type as follows:
    • Oracle:
      ## i.URL : jdbc:oracle:thin:@HostName:1521/SID (ex= jdbc:oracle:thin:@localhost:1521/XE)
      ## ii.DRIVER : oracle.jdbc.driver.OracleDriver
      ## iii.USERNAME : dbUserName
      ## iv.DATABASE_PLATFORM : com.pe.pcm.config.database.dialect.Oracle10gExtendedDialect (For 12c: com.pe.pcm.config.database.dialect.Oracle12cExtendedDialect)
      ## v.DATABASE : oracle
    • MSSQL:
      ## i.URL : jdbc:sqlserver://HostName;databaseName=DbName (ex= jdbc:sqlserver://localhost;databaseName=TestDB)
      ## ii.DRIVER : com.microsoft.sqlserver.jdbc.SQLServerDriver
      ## iii.USERNAME : dbUserName
      ## iv.DATABASE_PLATFORM : org.hibernate.dialect.SQLServer2012Dialect (org.hibernate.dialect.SQLServerDialect for older versions; set in application.yml)
      ## v.DATABASE : sql_server
      Note: Hibernate converts identifier case (upper case to lower case or vice versa) according to the physical naming strategy configured in step 10.
    • DB2:
      ## i.URL : jdbc:db2://HostName:Port/DbName (ex= jdbc:db2://localhost:50000/TestDB)
      ## ii.DRIVER : com.ibm.db2.jcc.DB2Driver
      ## iii.USERNAME : dbUserName
      ## iv.DATABASE_PLATFORM : com.pe.pcm.config.database.dialect.DB2ExtendedDialect
      ## v.DATABASE : db2
  12. Configure SMTP to send email notifications when IBM PEM Standard activities are executed:
    mail:
      host: # SMTP host name
      port: 587 # SMTP port
      username: # username
      cmks: # SMTP password (ENC(...) value)
      from: # from email address
      app-contact-mail: # contact email address
      mail-signature: IBM Partner Engagement Manager Community Manager Portal support team.
      properties:
        mail:
          smtp:
            auth: true
            starttls:
              enable: true
            ssl:
              trust: "*"
    thymeleaf:
    Note: trust: "*" makes the mail client accept any certificate the SMTP server presents, so STARTTLS no longer protects the SMTP credentials against an attacker who can intercept the connection. Treat it as a stopgap for a test server with a self-signed certificate. For production, remove the trust property and import the SMTP server's CA certificate into the JVM trust store, so the certificate is actually validated.
  13. Configure PCM UI and API authentication. APIs can authenticate using basic authentication, SiteMinder, JSON Web Tokens (JWT), or Security Assertion Markup Language (SAML):
    login:
      sm: # SiteMinder PCM UI and API authentication
        enable: false
        param-name: SM_USER
      max-false-attempts: 5 # Maximum failed login attempts the application allows
      reset-false-attempts: 5 # Minutes after which the failed-attempt count is reset
    # Execute the following command to generate the JWT secret key
    #> openssl rand -base64 32
    jwt: # PCM UI and API authentication
      secretkey: # Specify the JWT secret key
      session-expire: 60 # Minutes
    saml: # SAML PCM UI and API authentication setup
      jwt:
        secret-key: # Specify the JWT secret key
        session-expire: 60 # Minutes
      idp:
        metadata: D:\jks\FederationMetadata.xml # Provide the IDP metadata file
        entity-id: PcmEntityIdp
      scheme: https # PCM protocol name
      host: # Application host
      url:
        client: https://hostname:7080 # Provide the Application Access URL
        entity: https://hostname:7080 # Provide the Application Access URL
      ssl: # configure SAML SSL
        key-store: D:\jks\localhost-keystore.jks
        key-cmks: pass@localhost
        store-cmks: store@localhost
        key-alias: pcm-localhost
    Note: openssl rand -base64 32 produces a 256-bit random key, the minimum that RFC 7518 requires for HMAC-signed tokens such as HS256. Do not substitute a short or memorable string: whoever knows the JWT secret can mint a valid session token for any user without going through login. Store the key-cmks and store-cmks values as ENC(...) strings, like every other password in this file.
    Note: When sm.enable is true, PCM takes the already-authenticated user name from the SM_USER header or parameter. The PCM listener must then accept requests only from the SiteMinder agent or proxy that sets it; a client that can reach PCM directly could supply any SM_USER value.
  14. Optional: SAML configuration for Single Sign-On (SSO).
    SAML and JWT configuration:
    saml:
      sso-url: https://trial-9976564.okta.com/app/trial-9976564_pcmdev_1/exk8vrtwbsSlfTdQ0697/sso/saml
      idp:
        metadata: C:\IDPConfigs\pcm-local-okta-metadata.xml
        registration-id: pcm
      idp-groups-role-mapper: madmin_app3538395-super_admin,mmin_app3538395-admin,metl_cmonboarder_app3538395-on_boarder,meadmin_app3538395-business_admin,metl_cmb3538395-business_user,messor_app3538395-data_processor,mcessorrestricted_app3538395-data_processor_restricted,metl_cmfileoperator_app3538395-file_operator
      default-role: super_admin
      jwt:
        secret-key: # Specify the JWT secret key
        session-expire: 60 # Minutes
    Where:
    • SSO URL: The identity provider URL to which users are redirected for SSO authentication.
    • Identity Provider (IdP):
      • Metadata: Location of the metadata file that describes the identity provider (its endpoints and signing certificate).
      • Registration ID: Identifier of this PCM registration with the identity provider.
    • IDP Groups to Role Mapper: Mapping of IdP groups to PCM roles, written as a comma-separated list of pairs, each pair being the IdP group name, a hyphen, and the PCM role: <idp_group1-pcm_role1>,<idp_group2-pcm_role2>, and so on.
    • Default Role: The role assigned to an authenticated user whose groups match none of the mapped pairs. The example above uses super_admin, which gives every unmapped SSO user full administrative rights; in production choose the least privileged role that makes sense (for example business_user) and map administrators explicitly.
    • Secret Key: The secret key used for signing JWT tokens.
    • Session Expiration: Expiry time for JWT tokens in minutes.
  15. Configure connection properties for IBM Sterling B2B Integrator and IBM Sterling File Gateway:
    sterling-b2bi:
      core-bp:
        inbound: CM_MailBox_GET_RoutingRule_Inbound # Inbound Mailbox bootstrap BP
        outbound: CM_MailBox_GET_RoutingRule_Outbound # Outbound Mailbox bootstrap BP
      user:
        cmks: # Password from the IBM Sterling B2B Integrator security.properties file
        cmks-validation: true # Set to true so that the PCM APIs work correctly
        cmks-validation-profile: C M_Profile # Profile created in IBM Sterling B2B Integrator to match the password; the profile must be an SFTP profile. Set the value of the profile as Expl@re
      connectivity: # Connection details used for Test Connection, Archive Reprocess and Known Host Key Grab
        api:
          baseUrl: http://<B2Bi server IP>:<http server adapter port>/
          username: {username}
          password: {password}

    b2bi-api: # IBM B2Bi API configuration
      active: true # true if the B2B APIs are used
      auth-host: # User host order in SI
        '[SEAS Authentication]': 1
      api: # IBM B2Bi REST API details
        username: cm_user # user name to log in to the B2B APIs
        cmks: password # password to log in to the B2B APIs (ENC(...) value)
        baseUrl: http://hostname:port/B2BAPIs/svc # host and port of the B2B APIs
      b2bi-sfg-api: # IBM B2B API with SFG
        active: true
        community-name: # SFG community name
      sfg-api: # IBM V6 SFG API configuration
        active: true
        api: # IBM SFG API details
          username: # user name to log in to the SFG APIs
          cmks: # password to log in to the SFG APIs
          baseUrl: http://35.173.166.147:8154/sfgapis # host and port of the SFG APIs
      as2: # true if the AS2 API is available in the B2Bi APIs and you want to use it from CM
        active: true
    Note: PCM sends the configured API credentials with every request to these base URLs. Point baseUrl at an https listener wherever the B2Bi HTTP Server Adapter, B2B API, or SFG API endpoint is TLS-enabled, so that the credentials and the data they protect do not cross the network in clear text.
  16. Configure IBM PEM Standard to work with Connect:Direct, using the net-map-name value as the Connect:Direct name:
    cd:
      net-map-name: Test_CD
    Note: Leave the following items blank if Connect:Direct is not used:
    proxy:
      internal:
        server-host: 10.0.0.1
        server-port: 1364
        secure-plus-option: ENABLED
        ca-cert: CA_cd_0099
        system-certificate: B2BHttp
        security-protocol: TLS 1.2
        cipher-suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
      external:
        server-host: 10.0.0.1
        server-port: 1364
        secure-plus-option: ENABLED
        ca-cert: CA_cd_0099
        system-certificate: B2BHttp
        security-protocol: TLS 1.2
        cipher-suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    Note: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uses 3DES, which NIST SP 800-131A disallows for TLS encryption after 2023 and which is exposed to the Sweet32 birthday attack on long-lived connections. Where both Connect:Direct nodes support it, choose an AES-GCM suite instead, and keep the internal and external entries consistent with the Secure+ configuration on the node.
  17. Enable IBM Sterling Secure Proxy (SSP):
    ssp: # provide SSP API end point information
      active: true
      api:
        username: user
        cmks: password
        baseUrl: https://hostname:port/sspcmrest/sspcm/rest
  18. Configure adapters using the adapter names created when PCM artifacts were imported. If communication adapters are already configured for IBM Sterling B2B Integrator, update values to reflect current settings:
    adapters: #Profiles Default Adapters Details Configuration
      ftpServerAdapterName: PragmaFTPServerAdapter
      ftpClientAdapterName: FTP Client Adapter
      ftpsServerAdapterName: Pragma_FTPS_ServerAdapter
      ftpsClientAdapterName: FTP Client Adapter
      sftpServerAdapterName: Pragma_SFTPServerAdapter
      sftpClientAdapterName: Pragma_SFTPClientAdapter
      as2ServerAdapterName: Pragma_AS2ServerAdapter
      as2ClientAdapterName: Pragma_AS2ClientAdapter
      as2HttpClientAdapter: HTTPClientAdapter
      cdClientAdapterName: Pragma_CDClientAdapter
      httpServerAdapterName: Pragma_HTTPServerSync
      httpsServerAdapterName: Pragma_HTTPSServerSync
      mqAdapterName: Pragma_MQAdapter
      wsServerAdapterName: Pragma_HTTPSServerSync
      fsAdapter: PragmaFileSystem
      sfgSftpClientAdapterName: Pragma_SFTPClientAdapter
      sfgSftpServerAdapterName: Pragma_SFTPServerAdapter
      sfgFtpClientAdapterName: Pragma_FTPClientAdapter
      sfgFtpServerAdapterName: PragmaFTPServerAdapter
      sfgFtpsClientAdapterName: Pragma_FTPSClientAdapter
      sfgFtpsServerAdapterName: Pragma_FTPS_ServerAdapter
  19. Configure PCM data flows. Data flows are routing rules that an inbound or outbound transaction runs, based either on Managed File Transfer (MFT) or on file content matched with type maps from IBM Sterling B2B Integrator. The duplicate settings control whether duplicate rules are allowed:
    duplicate:
      mft: false # Managed file transfer setup to allow duplicates
      docHandling: false # Document handling setup to allow duplicates
  20. Set the default time range, maximum file length, and the edit-and-upload option for the PCM UI file transfer search screen. The following example shows the default values:
    file-transfer:
      search:
        edit-and-upload: false # false hides the Edit and Upload button shown when viewing a file in file transfer search
        time-range: 24 # Hours; default time range in the file transfer search screen
        max-file-length: 20 # MB; maximum file size that can be viewed. The default is 10
  21. Configure the external database and API integration with PEM:
    pem: # Configure external database integration
      remote:
        server:
          pem-key: # Absolute path of the private key (.pem) used to reach the remote server; required when the server runs in AWS
          base-directory:
            path: # Provide the base directory path
          session-timeout: 5000 # Time in milliseconds; increase it if database connectivity is slow
      datasource: # External database details to connect via API
        url: jdbc:<host:port>/ORCL
        username: PCM_UAT # PEM database username
        cmks: password # PEM database password (ENC(...) value)
        driver-class-name: oracle.jdbc.driver.OracleDriver # Database driver class name; changes with the database (oracle/mssql/db2)
      api-ws: # PEM API configuration
        active: true # Default is true; if set to false PCM cannot connect to PEM
        base-url: https://<host:port>/pemws/sponsors/<sponsorname>
        username: # PEM API username
        cmks: password # PEM API user password (ENC(...) value)
    Note: The pem-key file is a private key that grants access to the remote server. Keep it readable only by the account that runs the PCM container, and mount it into the container rather than baking it into the image.
  22. Enable file decryption in the PCM file transfer search screen. The files must have been encrypted with the IBM Sterling B2B Integrator key.
    Note: The PCM rules Source File Archive and Destination File Archive must be updated to use the same algorithm.
    file:
      archive:
        scheduler: # Scheduler that calls the delete script, which removes files from the source file and destination file archives according to the file age configured in the PCM UI
          cron: # Cron setup
          delete-files-job:
            active: false # Enables or disables the file job scheduler that deletes the files from the file system
            script-file-loc: # Absolute path of the delete script file
        pgp:
          private-key: # Absolute path of the PGP private key used to decrypt PCM files written by the source file and destination file archive rules with encryption on
          cmks: # PGP key passphrase
        aes:
          secret-key: # Key for decrypting the PCM files written by the source file and destination file archive rules with encryption on
          salt: # Salt value for decrypting those files
  23. Configure SSO with SSP and SEAS.
    sso-ssp-seas:
      ssp:
        logout-endpoint: # SSP logout endpoint; default is /Signon/logout.html
        user-header-name: # User header name configured in SSP; default is SM_USER
        token-cookie-name: # Token cookie name configured in SSP; default is SSOTOKEN
      seas:
        auth-profile: # Authentication profile name in SEAS
        host: # SEAS host name
        port: # SEAS port
        ssl:
          enabled: false # Whether SSL is enabled in SEAS
          protocol: # SEAS protocol (optional)
          cipher-suits: # SEAS cipher suites (optional)
          trust-store:
            name: # SEAS truststore file name (absolute path)
            cmks: # SEAS truststore password
            alias: # SEAS truststore alias
            type: # SEAS truststore type
          key-store:
            name: # Keystore file name (absolute path)
            cmks: # Keystore password
            alias: # Keystore alias
            type: # Keystore type
      user-request:
        user: # Custom property names configured in SEAS
          email: email # Email property name
          role: role # Role property name
          first-name: firstName # First name property name
          last-name: lastName # Last name property name
          phone: phone # Phone property name
          external-id: externalId # External ID property name
          preferred-language: preferredLanguage # Language property name (optional)
        user-roles: # LDAP roles mapped to PCM roles (CM role: LDAP role)
          super_admin: # LDAP super admin role name
          admin: # LDAP admin role name
          on_boarder: # LDAP onboarder role name
          business_admin: # LDAP business admin role name
          business_user: # LDAP business user role name
          data_processor: # LDAP data processor role name
          data_processor_restricted: # LDAP data processor restricted role name
          file_processor: # LDAP file processor role name
          business_admin_dpr: # LDAP business_admin_dpr role name
        role-delimiter: # Delimiter used in the LDAP role attribute to assign more than one PCM role
    Note: In this mode PCM takes the user identity from the user header (SM_USER) and the token cookie (SSOTOKEN) that SSP sets after authenticating the user against SEAS. The PCM listener must therefore accept requests only from SSP; a client that can reach PCM directly could supply its own SM_USER header. Set ssl.enabled to true for the SEAS connection so that the authentication traffic between PCM and SEAS is encrypted.
  24. Set up Microsoft OAuth for the send-email API.
    You can enable or disable Microsoft OAuth authorization for the send-email API and configure the details in application.yml under the oauth2 key. When it is enabled, PCM authenticates each send-email request with OAuth and sends the email only after the token has been validated successfully.
    The following parameters must be configured to authenticate email requests with OAuth 2.0:
    oauth2:
      enable: true # true or false enables or disables OAuth for the send-email API
      token-url: https://login.microsoftonline.com/e16b3we5-6e25-4446-99443c-d19c0eb0f803/oauth2/token # Token URL for Microsoft OAuth token generation
      grant-type: client_credentials # password or client_credentials
      client-id: # Client ID of the registered app
      client-secret: # Client secret of the registered app (ENC(...) value)
      username: pem_standard # User name used to create the app registration; needed only with the password grant
      cmks: Kos00495 # Password of that user account (ENC(...) value); needed only with the password grant
      scope: openid # default
      resource:
        token:
          response-parser: access_token
          prefix: Bearer
          header: Authorization
    Note: With grant-type client_credentials the app authenticates with client-id and client-secret alone; username and cmks are needed only for the password grant, which sends a user's password to the token endpoint and is the weaker of the two. Prefer client_credentials where the Microsoft app registration allows it.
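The idp-groups-role-mapper and default-role settings in step 14 decide which PCM role an SSO user ends up with, so a malformed mapping or a permissive default is a privilege problem rather than a cosmetic one. The following Python is an added example, not IBM's code and not how PCM itself parses the setting: it implements the pair format the step describes, validates it against the PCM role names shown on this page, and resolves roles for a user from the groups in the assertion. The page does not say how PCM treats a group name that itself contains a hyphen; this example splits on the last hyphen (an assumption, safe because the PCM role names contain none). PCM_ROLES and the group lists used at the bottom are constructed for the example; PAGE_MAPPER is the mapping string from step 14 verbatim.

```python
"""Resolve PCM roles from the IdP groups in a SAML assertion (added example, not IBM's code).

Implements the idp-groups-role-mapper format described on this page: comma-separated
"<idp_group>-<pcm_role>" pairs, with default-role as the fallback when no group matches.
The page does not say how PCM tokenises a group name that itself contains a hyphen; this
example splits on the LAST hyphen, which is safe because PCM role names contain none.
"""

# PCM role names as they appear in the mapping on this page (assumption: complete list).
PCM_ROLES = {"super_admin", "admin", "on_boarder", "business_admin", "business_user",
             "data_processor", "data_processor_restricted", "file_operator"}

# The mapping string from this page, used verbatim.
PAGE_MAPPER = ("madmin_app3538395-super_admin,mmin_app3538395-admin,"
               "metl_cmonboarder_app3538395-on_boarder,meadmin_app3538395-business_admin,"
               "metl_cmb3538395-business_user,messor_app3538395-data_processor,"
               "mcessorrestricted_app3538395-data_processor_restricted,"
               "metl_cmfileoperator_app3538395-file_operator")


def parse_role_mapper(spec: str) -> dict[str, str]:
    """Turn 'g1-role1,g2-role2' into {'g1': 'role1', 'g2': 'role2'}.

    A pair without a hyphen, an unknown PCM role, or a group mapped to two roles raises
    ValueError, so a typo in application.yml fails at startup instead of silently sending
    every affected user to default-role.
    """
    mapping: dict[str, str] = {}
    for raw in spec.split(","):
        pair = raw.strip()
        if not pair:
            continue  # tolerate a trailing comma or blank entry
        group, sep, role = pair.rpartition("-")  # last hyphen separates group from role
        if not sep or not group:
            raise ValueError(f"entry is not <idp_group>-<pcm_role>: {pair!r}")
        if role not in PCM_ROLES:
            raise ValueError(f"unknown PCM role {role!r} in {pair!r}")
        if mapping.get(group, role) != role:
            raise ValueError(f"group {group!r} is mapped to both {mapping[group]!r} and {role!r}")
        mapping[group] = role
    return mapping


def mapper_is_valid(spec: str) -> bool:
    """True when parse_role_mapper accepts spec; a cheap check to run before deploying."""
    try:
        parse_role_mapper(spec)
        return True
    except ValueError:
        return False


def resolve_roles(groups: list[str], mapping: dict[str, str], default_role: str) -> set[str]:
    """Roles for one user from the groups in the assertion; default_role only if none match.

    Returning the whole set keeps a user who sits in two mapped groups visible to the
    caller instead of silently picking one role. With default_role set to super_admin,
    as in the page example, every user in no mapped group lands in the fallback branch.
    """
    roles = {mapping[g] for g in groups if g in mapping}
    return roles or {default_role}


if __name__ == "__main__":
    mapping = parse_role_mapper(PAGE_MAPPER)
    # Constructed group lists; "Everyone" stands for an IdP group that is not mapped.
    for groups in (["Everyone", "metl_cmb3538395"], ["Everyone"]):
        print(groups, "->", resolve_roles(groups, mapping, "super_admin"))
```

Run it as a script to see the two cases side by side: a user in a mapped group receives that role, and a user in no mapped group receives whatever default-role says, which with the page's super_admin value is full administration. Calling mapper_is_valid on the string from application.yml at startup turns a mistyped role name into a hard failure rather than an unnoticed downgrade to the default.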
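Steps 5, 8, 12, 13, 14 and 15 each leave a setting that is easy to get wrong in a way that only shows up as an incident: a cmks left in plain text, smtp.ssl.trust set to "*", a short JWT secret, super_admin as the SAML default role, or an API base URL on plain http. The following Python is an added example, not IBM's code, of a pre-deployment lint that reads an application.yml and reports those cases. It carries its own parser for the mapping-only YAML subset used by the fragments on this page (nested keys, scalars, # comments, quoted strings with \" and \\ escapes) so that it runs without a YAML library; a real file with lists or multi-line scalars would be loaded with one instead. The key names are taken from this page; the list of credential-carrying keys, the 32-byte floor for the JWT key (what openssl rand -base64 32 produces) and the WEAK_YML sample are this example's own assumptions, and HARDENED_YML is the same sample with the findings fixed.

```python
"""Pre-deployment lint for a PCM application.yml (added example, not IBM's code).
Key names are those on this page; the credential-key list, the 32-byte JWT key floor,
the message texts and the constructed WEAK_YML sample are this example's own assumptions."""
import base64
import re

SECRET_KEYS = {"cmks", "key-cmks", "store-cmks", "client-secret", "password"}
ENC_RE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")  # what the encryption utility prints

def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment; a '#' inside quotes is part of the value."""
    quote, i = None, 0
    while i < len(line):
        ch = line[i]
        if quote:  # inside a quoted scalar: step over \" and \\ escapes, watch for the close
            i += 2 if (ch == "\\" and quote == '"') else 1
            quote = None if ch == quote else quote
            continue
        if ch in "\"'":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1] in " \t"):
            return line[:i].rstrip()
        i += 1
    return line.rstrip()

def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":  # quoted scalar
        inner = value[1:-1]  # in double quotes, \" and \\ stand for " and \
        return re.sub(r"\\(.)", r"\1", inner) if value[0] == '"' else inner
    return value

def parse_yaml_maps(text: str) -> dict[str, str]:
    """Flatten nested mappings to {'a.b.c': 'value'}; a key that opens a mapping gets ''."""
    flat, stack = {}, []  # stack holds (indent, key) of the mappings still open
    for raw in text.splitlines():
        line = _strip_comment(raw)
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line, comment-only line, or not 'key: value'
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # a dedent closes the deeper mappings
        key, value = _unquote(key.strip()), value.strip()
        path = ".".join([k for _, k in stack] + [key])
        flat[path] = _unquote(value)
        if not value:
            stack.append((indent, key))
    return flat

def lint(flat: dict[str, str]) -> list[str]:
    """One finding per setting that breaks this page's requirements or basic hygiene."""
    out = []
    for path, value in flat.items():
        leaf = path.rsplit(".", 1)[-1]
        if leaf in SECRET_KEYS and value and not ENC_RE.match(value):
            out.append(f"{path}: plaintext credential, store the ENC(...) value instead")
        if leaf in ("baseUrl", "base-url") and value.startswith("http://"):
            out.append(f"{path}: API credentials would travel over plain HTTP, use https")
    if flat.get("spring.mail.properties.mail.smtp.ssl.trust") == "*":
        out.append("spring.mail.properties.mail.smtp.ssl.trust: '*' disables SMTP certificate validation")
    if flat.get("saml.default-role") == "super_admin":
        out.append("saml.default-role: super_admin makes every unmapped SSO user a full admin")
    for path in ("jwt.secretkey", "saml.jwt.secret-key"):
        secret = flat.get(path, "")
        try:  # 'openssl rand -base64 32' decodes to 32 bytes; anything shorter is a weak HMAC key
            size = len(base64.b64decode(secret, validate=True))
        except ValueError:  # not base64 at all (binascii.Error is a ValueError)
            size = 0
        if secret and not ENC_RE.match(secret) and size < 32:
            out.append(f"{path}: HMAC key decodes to under 32 bytes, use 'openssl rand -base64 32'")
    return out

# Constructed sample: keys from this page, with values a reviewer would reject.
WEAK_YML = r"""
cmks: Expl0re
spring:
  mail:
    properties:
      mail:
        smtp:
          ssl:
            trust: "*"
jwt:
  secretkey: changeme
saml:
  default-role: super_admin
b2bi-api:
  api:
    baseUrl: http://hostname:port/B2BAPIs/svc
"""

# Same file after the fixes: ENC(...) is the value printed on this page; trust is removed.
HARDENED_YML = (
    WEAK_YML.replace("cmks: Expl0re", "cmks: ENC(cKtfzpIvwNdvHP+8QdHYiQ==)")
    .replace('trust: "*"', "")
    .replace("secretkey: changeme", "secretkey: 7Qm2XK9zT1vB4nL8pR0sW6yC3fH5jD2gA9kE1uI8oN4=")
    .replace("default-role: super_admin", "default-role: business_user")
    .replace("http://hostname", "https://hostname")
)
```

lint(parse_yaml_maps(WEAK_YML)) returns five findings, one per weak setting, and the hardened version returns none. The comment stripper deliberately respects quotes, because the disallowed-special-characters value in step 7 contains a # inside its double-quoted string and a naive split on # would truncate it; the same care is needed in any script that post-processes this file.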