Deploy PEM Partner Provisioner

As a prerequisite, configure the files that are present in your Mount directory.

For more information, see Configuring the files in Mount directory.

Attention:
  • As PEM Portal is running on SSL, before deploying PEM Portal, ensure to create and use the SSL certificate. Provide the SSL certificate in a jks file to enable PEM Portal to load the certificate.
  • For secure HTTPS communication, avoid using self-signed or unsecured certificates. Always use certificates from a trusted Certificate Authority (CA) to ensure data integrity and security.

To deploy PEM Partner Provisioner, run the following command:

  • Docker:
    docker run --name="<container name>" --add-host=<host_name>:<IP address> -v <path to mount files>:/opt/IBM/Resources -v <path to logs>:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p <host_name or IP>:<SSL exposed port number>:9443 -dt <image name>:<version>
  • Podman:
    podman run --name="<container name>" --add-host=<host_name>:<IP address> -v <path to mount files>:/opt/IBM/Resources -v <path to logs>:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p <host_name or IP>:<SSL exposed port number>:9443 -dt <image name>:<version>
where, --add-host is optional.
Note: Enter the appropriate parameter values within the angle (<>) brackets.
Important: As the application name is case-sensitive, you must enter the application name in the same case as provided in the run command. For example, application="PP" is invalid.
Here,
  • <container name> - refers to the user-defined container name.

    If you again use the container with the same name, the docker engine reports that the container with the same name is already in use. In such a situation, you can either delete the container by running the command, docker/podman rm <container name> or use a different container name.

  • <path to mount files> - provide the absolute path of the directory where the mount files are extracted. For the contents of the mount directory, see Mount Directory structure.
  • --add-host=<host_name>:<IP address> - Can add other hosts into the /etc/hosts file of the container by using one or more --add-host flags.
  • -v /etc/localtime:/opt/IBM/localtime:ro - synchronizes the container's time zone with the host machine's time zone.
  • <path to logs> - this is the absolute path of the directory in your host machine that is mounted into the container's log path.
  • <host_name or IP> - provide the host name or the IP address where the container is running.
  • <SSL exposed port number> - the exposed SSL (https) port number for the application.
  • <image name>:<version> - refers to the image name and version of the image that is downloaded from the repository and used to deploy the application.
  • If you configure an API with a hostname, the API call from PEM Partner Repository or PEM Partner Provisioner fails as the application running inside the docker/podman container cannot resolve the hostname. To resolve the hostname, add the hostname mapping by adding --add-host=<host_name>:<IP address> in the docker/podman run command, delete the old container, and create a new container by running the updated docker/podman run command.
  • If the firewall is activated, add all the ports that are used in the Docker/Podman run command to the host machine's firewall. For example, to open the port 19443 in the host machine, run the command: firewall-cmd --zone=public --add-port=19443/tcp. The port 19443 gets added to the host machine's firewall.

Sample run command

  • Docker:
    docker run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -dt registry.ng.bluemix.net/gold/pem:3.5.16
  • Podman:
    podman run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.
If you are using embedded JMS, and based on your deployment model, if PEM Partner Provisioner acts as a JMS server, add -p <host_name or IP>:<exposed JMS port number>:<JMS port> to the run command.

Here, <exposed JMS port number> refers to the exposed JMS port number on which the embedded JMS is running and <JMS port> refers to SSL port, which is 7286 or non-SSL port number, which is 7276.

Sample run command for SSL port

  • Docker:
    docker run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -p host_name:17286:7286 -dt registry.ng.bluemix.net/gold/pem:3.5.16
  • Podman:
    podman run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -p host_name:17286:7286 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.

Sample run command for non-SSL port

  • Docker:
    docker run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -p host_name:17286:7276 -dt registry.ng.bluemix.net/gold/pem:3.5.16
  • Podman:
    podman run --name="PP_Image" --add-host=<host_name>:<IP address> -v /home/MountResource/:/opt/IBM/Resources -v /home/logs/pp:/opt/IBM/PEM_PR_PP_servers/usr/servers/pp/logs -v /etc/localtime:/opt/IBM/localtime:ro -e application="pp" -p host_name:19443:9443 -p host_name:17286:7276 -dt registry.ng.bluemix.net/gold/pem:3.5.16
Note: Here, --add-host is optional.
Ensure to specify the exposed JMS port in the Setup.cfg file for the servers.remote_server_port property. This is because, the embedded JMS port is hosted by PEM Partner Provisioner that runs on either SSL or non-SSL port that needs to be exposed for any external client connections such as PEM Partner Repository. Therefore, expose the SSL or non-SSL port on an exposed JMS port, for example, 17286 while running PEM Partner Repository and PEM Partner Provisioner.

Log files

Log files help in analyzing and debugging the errors. You can find the log files in the logs directory. For PEM Partner Provisioner-specific error messages, see the PPServer_messages.log file. For trace-level log, IBM Support can contact and assist you in enabling the trace-level log.

Note: If you have not deleted or archived the existing container logs directory, after deploying PEM Partner Provisioner, the existing logs are rolled over, and the new container logs are created.

Verifying the Docker/Podman run command

To verify whether the Docker/Podman run command is successful, run:
docker logs <container name>
or 
podman logs <container name>
The following messages are displayed:
License accepted successfully.
Starting server pp.
Server pp started with process ID 77.
Note: Look for the specific message that indicates the run command is successful. Log in to PEM Partner Provisioner by entering https://<ip:port>/<sponsorContext>/login in any supported browser.

The URL can be different based on your deployment option. For more details about the URL, see URL for accessing IBM PEM and APIs.

Ensure that the PEM Partner Provisioner log in screen is

Configuring the properties of Setup.cfg file

Configure the following properties:
  • accept_license
  • proxy_host
  • proxy_port
  • customer_id
  • db_type
  • ssl_connection
  • db_port
  • db_host
  • db_name
  • db_schema
  • db_user
  • db_password
  • db_driver
  • db_max_pool_size
  • db_min_pool_size
  • db_aged_timeout
  • db_max_idle_time
  • db_sslTrustStoreName
  • db_sslTrustStorePassword
  • testmode_db_port
  • testmode_db_host
  • testmode_db_name
  • testmode_db_schema
  • testmode_db_user
  • testmode_db_password
  • testmode_db_driver
  • testmode_db_max_pool_size
  • testmode_db_min_pool_size
  • testmode_db_aged_timeout
  • testmode_db_max_idle_time
  • testmode_db_sslTrustStoreName
  • testmode_db_sslTrustStorePassword
  • servers.jvm_options
  • servers.keystore_password
  • servers.keystore_alias
  • servers.keystore_filename
  • servers.max_file_size
  • servers.max_files
  • servers.console_log_level
  • servers.trace_specification
  • servers.enable_jms_features
  • servers.provisioner_request_queue
  • servers.provisioner_response_queue
  • servers.remote_server_ssl
  • servers.remote_server_host
  • servers.remote_server_port
  • servers.channel
  • servers.connection_name_list
  • servers.queue_manager
  • servers.username
  • servers.password
  • servers.wmq_provisioner_request_queue_manager
  • servers.wmq_provisioner_response_queue_manager
  • servers.wmq_provisioner_request_queue_name
  • servers.wmq_provisioner_response_queue_name
  • servers.ssl_cipher_suite
Important: To establish a connection to IBM subscription verification system, you must configure proxy_host and proxy_port.