Configuring the Container

The values.yaml file within the Helm Charts contains all the essential application configurations.

Refer to the tables below for a detailed list of configurable parameters for the IBM-PEM-Standard chart.

Table 1. Image Parameters
Parameter Default value Description Mandatory?
image.name "cp.icr.io/cp/ibm-pem/pem" Specify the image name in double quotes with leading repository. Yes
image.tag "6.3.0" Specify the tag name. Yes
image.pullPolicy null Specify the pull policy for the image. No
image.pullSecret "" Specify the pull secret name. No
arch amd64 Specify the architecture. Valid values are:
  • amd64
  • s390x
Yes
license false Specify true to accept the license agreement. Valid values are true and false. Yes
envType "prod" Specify the environment type (production/non-production) for the product. Valid values are "prod" and "non-prod". Yes
global.networkPolicies.ingress.enabled true Specify true to configure ingress network policies. Valid values are true and false. Yes
global.networkPolicies.egress.enabled true Specify true to configure egress network policies. Valid values are true and false. Yes
global.networkPolicies.egress.customPolicies null For communication with external applications. For more information, see Custom Policies Template. No
serviceAccountName null Specify the service account name which has required permissions. Yes
timezone.configmapname true Specify the timezone configmap. For more information, see Command to create a configmap. Yes
Additional notes:
Note: Use the following template for Custom Policies while configuring the global.networkPolicies.egress.customPolicies parameter:
customPolicies:
#- name:
#  toSelectors:
#  - namespaceSelector:
#      matchLabels:
#        name: my-source-namespace
#    podSelector:
#      matchLabels:
#        app.kubernetes.io/name: my-consumer-pod
#  - podSelector:
#      matchLabels:
#        role: frontend
#  - ipBlock:
#      cidr: <IP Address>/<block size>
#      except:
#      - <IP Address>/<block size>
#  ports:
#  - protocol: TCP
#    port: <port no>
#    endPort: <end port no>
Note: Run the following command to create a timezone configmap:
  • Kubernetes:
    kubectl create configmap <configmap-name> --from-file=/etc/localtime
  • OpenShift:
    oc create configmap <configmap-name> --from-file=/etc/localtime
Where, <configmap-name> is the name of the configmap.
Table 2. Volume Claims Parameters
Parameter Default value Description Mandatory?
volumeClaims.resources.enabled true Specify true to enable persistent volume. Valid values are true and false. Yes
volumeClaims.resources.useDynamicProvisioning true
To enable dynamic PVC creation, set:
  • useDynamicProvisioning: true
  • existingClaim: ""
To enable manual PVC creation, set:
  • useDynamicProvisioning: false
  • existingClaim: "manual-pvc-name"
Yes
volumeClaims.resources.existingClaim "" Specify the name of the pre-created PVC. If left blank, skips the creation of PVC. Yes, if volumeClaims.resources.useDynamicProvisioning is set to false.
volumeClaims.resources.capacity "100Mi" Specify the requested storage capacity for resources PVC. Yes
volumeClaims.resources.storageclass "slow" Storage class for resources PVC. Yes
volumeClaims.resources.subpath.dbdrivers dbdrivers Specify the directory for dbdrivers inside a persistent volume for resources with required permissions. Yes
volumeClaims.resources.subpath.wmq MQ Specify the directory for MQ jars inside a persistent volume for resources with required permissions. Yes
volumeClaims.resources.subpath.sso sso Specify the directory for SSO jars inside a persistent volume for resources with required permissions. Yes
volumeClaims.resources.subpath.ssomigrator ssomigrator Specify the directory for ssomigrator data files inside a persistent volume for resources with required permissions. Yes
volumeClaims.resources.subpath.pcm pcm Specify the directory for pcm jars inside a persistent volume for resources with required permissions. Yes
volumeClaims.logs.enabled true Specify true or false based on requirement. The logs directory and all subdirectories must have 755 permissions so that pemuser (id:1011) in the container can read and execute all mounted files. Specify false if using logs on console. Yes
volumeClaims.logs.useDynamicProvisioning true
To enable dynamic PVC creation, set:
  • useDynamicProvisioning: true
  • existingClaim: ""
To enable manual PVC creation, set:
  • useDynamicProvisioning: false
  • existingClaim: "manual-pvc-name"
Yes
volumeClaims.logs.existingClaim "" Specify the name of the pre-created PVC. If left blank, skips the creation of PVC. Yes, if volumeClaims.logs.useDynamicProvisioning is set to false.
volumeClaims.logs.subpath.migrator "migrator" Specify the directory for migrator logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.dbutils "dbutil" Specify the directory for DBUtils logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.pem "pem" Specify the directory for PEM logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.pp "pp" Specify the directory for PP logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.pr "pr" Specify the directory for PR logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.apigateway "apigateway" Specify the directory for apigateway logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.ssoMigrator "ssomigration" Specify the directory for ssoMigrator logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.purge "purge" Specify the directory for purge logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.agent "agent" Specify the directory for agent logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.pcmProd "PCM_prod" Specify the directory for pcmProd logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.subpath.pcmNonProd "PCM_nonProd" Specify the directory for pcmNonProd logs inside a persistent volume for logs with required permissions. Yes
volumeClaims.logs.capacity "1Gi" Specify the requested storage capacity for logs PVC. Yes, if volumeClaims.logs.enabled is set to true.
volumeClaims.logs.storageclass null Specify the storage class for logs PVC. Yes, if volumeClaims.logs.enabled is set to true.
volumeClaims.logs.accessModes ["ReadWriteMany"] Specify the access mode for logs PVC. Yes, if volumeClaims.logs.enabled is set to true.
Table 3. Test Image Parameters
Parameter Default value Description Mandatory?
test.image.repository "cp.icr.io/cp" Specify the repository for the test image. Yes
test.image.name "opencontent-common-utils" Specify the image name for the test image repository. Yes
test.image.tag "1.1.11" Specify the test image tag. Yes
test.image.pullPolicy "IfNotPresent" Specify the test image pull policy. No
test.image.pullSecret "ibm-entitlement-key" Specify the test image pull secret name. No
Table 4. Database Setup Parameters
Parameter Default value Description Mandatory?
dbSetup.enabled false Specify true for first time installation. Valid values are true and false. Yes
dbSetup.upgrade true Specify true for upgrades. Valid values are true and false. Yes
dbSetup.resources.requests.memory "2Gi" Specify the requested memory for database Setup job. Yes
dbSetup.resources.requests.CPU "250m" Specify the requested CPU for database Setup job. Yes
dbSetup.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
dbSetup.resources.limits.memory "4Gi" Specify the memory limit for database setup job. Yes
dbSetup.resources.limits.CPU "500m" Specify the CPU limit for the database setup job. Yes
dbSetup.resources.limits.ephemeral-storage "3Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
dbSetup.Setupfile.passphrasesecret null Specify the PEM application secret name. Yes
dbSetup.Setupfile.migrator.default_sponsor true Specify true to onboard default Sponsor. Valid values are true and false. Yes, if you choose to onboard the default Sponsor.
dbSetup.Setupfile.accept_license true Specify true to accept the database license agreement. Valid values are true and false. Yes
dbSetup.Setupfile.proxy_host null Specify your network's forward proxy machine's host name or IP. No
dbSetup.Setupfile.proxy_port null Specify your network's forward proxy's port. No
dbSetup.Setupfile.proxy_user_name null Specify your network's forward proxy's user name. If the proxy does not require authentication, leave the field blank. No
dbSetup.Setupfile.proxy_password null Specify the proxy secret name. No
dbSetup.Setupfile.proxy_protocol null Specify the database proxy protocol. Yes
dbSetup.Setupfile.customer_id null Specify the customer ID. Yes
dbSetup.Setupfile.db_type null Specify the database type being used to set up the application. Valid values are DB2, oracle, mssql. Yes
dbSetup.Setupfile.ssl_connection null Set the value to true if you are using an SSL connection between the application servers and database. Valid values are true and false. Yes
dbSetup.Setupfile.db_port null Specify the database port. Yes
dbSetup.Setupfile.db_host null Specify the database host. Yes
dbSetup.Setupfile.db_name null Specify the database name. Yes
dbSetup.Setupfile.db_schema null Specify the database schema name. Yes
dbSetup.Setupfile.db_user null Specify the database username. Yes
dbSetup.Setupfile.db_password null Specify the database secret name. Yes
dbSetup.Setupfile.db_driver null Specify the corresponding driver details for oracle or DB2 depending on the db_type that is selected. For example:
  • For Oracle, set the value of db_driver to oracle.jdbc.OracleDriver.
  • For DB2, set the value of db_driver to com.ibm.db2.jcc.DB2Driver.
  • For MSSQL Server, set the value of db_driver to com.microsoft.sqlserver.jdbc.SQLServerDriver.
Yes
dbSetup.Setupfile.db_max_pool_size 500 Specify the maximum pool size of the master schema's database connection. Yes
dbSetup.Setupfile.db_min_pool_size 5 Specify the minimum pool size of the master schema's database connection. Yes
dbSetup.Setupfile.db_aged_timeout "1440m" Specify the maximum time after which the physical connection is discarded by pool maintenance of the master schema's database connection. Yes
dbSetup.Setupfile.db_max_idle_time "1440m" Specify the maximum idle time for the master schema's database connection. Yes
dbSetup.Setupfile.db_sslProtocol TLSv1.2 Specify the DB2 or MSSQL TLS version. If unspecified, the default value is used. Possible values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. No
dbSetup.Setupfile.db_sslTrustStoreName null Specify the truststore name. No
dbSetup.Setupfile.db_sslTrustStoresecret null Specify the secret name. No
dbSetup.Setupfile.db_sslTrustStorePassword null Specify the password secret name. No
dbSetup.Setupfile.db_mssql_hostNameInCertificate null Specify the hostname used in validating the SQL Server's TLS/SSL certificate.
Note: This is not a mandatory field. You must specify the hostname in the db_mssql_hostNameInCertificate property only if you have not specified the hostname in the db_host property.
No
dbSetup.Setupfile.db_mssql_sslProtocol TLSv1.2 Specify the TLS protocol version to be considered for the SSL handshake. Possible values are TLSv1, TLSv1.1, and TLSv1.2. No
dbSetup.Setupfile.db_mssql_encrypt null Specify encryption based on encryption policy configured on MSSQL server. Valid values are strict, true, false. No
Table 5. Database Setup Testmode Parameters
Parameter Default value Description Mandatory?
dbSetup.Setupfile.testmode_db_port null Specify the port number. No
dbSetup.Setupfile.testmode_db_host null Specify the database host. Yes
dbSetup.Setupfile.testmode_db_name null Specify the database name. Yes
dbSetup.Setupfile.testmode_db_schema null Specify the database schema. Yes
dbSetup.Setupfile.testmode_db_user null Specify the database user name. Yes
dbSetup.Setupfile.testmode_db_password null Specify the database secret name. Yes
dbSetup.Setupfile.testmode_db_driver null Specify the database driver name. Yes
dbSetup.Setupfile.testmode_db_max_pool_size 500 Specify the maximum number of database pool connections. Yes
dbSetup.Setupfile.testmode_db_min_pool_size 5 Specify the minimum number of database pool connections. Yes
dbSetup.Setupfile.testmode_db_aged_timeout "1440m" Specify the interval (in minutes) before a physical connection is discarded. Yes
dbSetup.Setupfile.testmode_db_max_idle_time "1440m" Specify the interval in minutes after which an unused or idle connection is discarded. Yes
dbSetup.Setupfile.testmode_db_sslProtocol TLSv1.2 Specify the DB2 or MSSQL TLS version for testmode. If unspecified, the default value is used. Possible values are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. No
dbSetup.Setupfile.testmode_db_sslTrustStoreName null Specify the SSL Keystore file name for the test mode database schema. No
dbSetup.Setupfile.testmode_db_sslTrustStoresecret null Specify the SSL Keystore secret for the test mode database schema. No
dbSetup.Setupfile.testmode_db_sslTrustStorePassword null Specify the secret name. No
dbSetup.Setupfile.testmode_db_mssql_hostNameInCertificate null Specify the hostname used in validating the SQL Server's TLS/SSL certificate.
Note: This is not a mandatory field. You must specify the hostname in the testmode_db_mssql_hostNameInCertificate property only if you have not specified the hostname in the testmode_db_host property.
No
dbSetup.Setupfile.testmode_db_mssql_sslProtocol TLSv1.2 Specify the TLS protocol version to be considered for the SSL handshake. Possible values are TLSv1, TLSv1.1, and TLSv1.2.
Important: Deprecated property. This property is used only if testmode_db_sslProtocol value is undeclared and db_type is configured with MSSQL.
No
dbSetup.Setupfile.testmode_db_mssql_encrypt null Specify encryption based on encryption policy configured on MSSQL server. Valid values are strict, true, false. No
Table 6. Ingress Parameters (Kubernetes only)
Parameter Default value Description Mandatory?
ingress.enabled true Specify true to enable external access for PEM using ingress. No
ingress.controller "nginx" Specify the ingress controller. No
ingress.annotations Null Optional. If required, specify additional annotations for the specific ingress controller in key:value pairs. No
Table 7. Security Parameters
Parameter Default value Description Mandatory?
security.runAsUser 1011 Specify the custom user to run the container. Yes
security.supplementalGroups [555] Specify supplemental groups for shared storage. Yes
security.fsGroup 1011 Specify the custom group to run the container. Yes
Table 8. Setup File Parameters
Parameter Default value Description Mandatory?
Setupfile.servers.ssl_protocol null Specify the SSL protocol required to use the Elliptical Curve (EC) certificates. PEM supports Elliptical Curve (EC) certificates using the SSL_TLSv2 and TLSv1.2 protocols only. No
Setupfile.servers.enabled_ciphers null Specify a solitary cipher or space-delimited list of ciphers to use for the encrypted SSL communication. PEM supports all relevant ciphers supported by the IBM JDK. This parameter is required to use the Elliptical Curve (EC) certificates. No
Setupfile.servers.enableConsoleLogs null Specify true to print the log messages to stdout and stderr streams.
Specify false to write the log message into the configured log files.
No
Setupfile.servers.provisioner_request_listener_max_concurrency 10 Specify the number of concurrent provisioning requests to be processed. No
Setupfile.servers.provisioner_response_listener_max_concurrency 10 Specify the number of concurrent provisioning responses to be processed. No
Setupfile.servers.skipHostnameVerificationForHosts null Specify the hostnames that should be ignored during hostname verification in the Liberty Server. No
Table 9. Single Sign-On (SSO) Sterling External Authentication Server (SEAS) Parameters
Parameter Default value Description Mandatory?
ssoSeas.enable false Specify true to enable ssl connection. Valid values are true and false. Yes
ssoSeas.truststoreName null Specify the secret field within the truststore secret. No
ssoSeas.truststoreSecret null Specify the truststore secret name. No
ssoSeas.truststorePassword null Specify the secret name for truststore password. No
ssoSeas.truststoreAlias null Specify the SEAS truststore alias. No
ssoSeas.truststoreType null Specify the SEAS truststore type. No
ssoSeas.keystoreName null Specify the secret field within the keystore secret. No
ssoSeas.keystoreSecret null Specify the keystore secret name. No
ssoSeas.keystorePassword null Specify the secret name for the keystore password. No
ssoSeas.keystoretype null Specify the SEAS keystore type. No
ssoSeas.keystoreAlias null Specify the SEAS keystore alias. No
Table 10. SSO Migration Parameters
Parameter Default value Description Mandatory?
ssomigration.enable false If you specify true, the resources volume must be enabled to generate data files. Valid values are true and false. Yes
ssomigration.migrationAction null Specify the action to be performed by the migrator: EXPORT, MIGRATE, or REPORT. No
ssomigration.sponsorContext null Specify the Sponsor required to be migrated. No
ssomigration.orgDataFilename null Specify the name of the file to be generated for Sponsor either for export or as an input file for migration. No
ssomigration.userDataFilename null Specify the name of the file to be generated for users either for export or as an input file for migration. No
ssomigration.log_level INFO Specify the log level. Possible values are FINE, INFO, or SEVERE. Yes
ssomigration.log_file_max_size None Specify the file size limit in MB for each log file. No
ssomigration.log_file_count None Specify the number of log files. No
Table 11. Master Key Regenerator Parameters
Parameter Default value Description Mandatory?
masterKeyRegenerator.enable False Set the property to true to enable the Master Key re-generator. Valid values are true and false. Yes
masterKeyRegenerator.passphraseOldSecret None Specify the secret for the old passphrase. No
masterKeyRegenerator.passphraseNewSecret None Specify the secret for the new passphrase. No
Table 12. Partner Engagement Manager (PEM) Parameters
Parameter Default value Description Mandatory?
pem.enable true Specify true to install Partner Engagement Manager. Valid values are true and false. Yes
pem.replicas 1 Specify the number of pods to be deployed. Yes
pem.resources.requests.memory "2Gi" Specify the memory request as required. Yes
pem.resources.requests.CPU "250m" Specify the CPU cores request as required. Yes
pem.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
pem.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
pem.resources.limits.CPU "500m" Specify the maximum CPU a pod can utilize. Yes
pem.resources.limits.ephemeral-storage "4Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
pem.autoscaling.enabled false Specify true to allow autoscaling of pods. Valid values are true and false. Yes
pem.autoscaling.minReplicas 1 Specify the minimum number of pods. Yes, if autoscaling is enabled.
pem.autoscaling.maxReplicas 2 Specify the maximum number of pods to be scaled up. Yes, if autoscaling is enabled.
pem.autoscaling.targetCPUUtilizationPercentage 85 Specify the target CPU utilization for autoscaling. Yes, if autoscaling is enabled.
pem.readinessProbe.initialDelaySeconds 10 Specify the initial delay to start readiness testing of pod in seconds. Yes
pem.readinessProbe.periodSeconds 60 Specify the time interval to perform readiness checks. Yes
pem.livenessProbe.initialDelaySeconds 60 Specify the initial delay to start liveness testing of pod in seconds. Yes
pem.livenessProbe.timeoutSeconds 30 Specify the liveness probe timeout in seconds. Yes
pem.livenessProbe.periodSeconds 60 Specify the time interval to perform liveness checks. Yes
pem.livenessProbe.successThreshold 1 Specify the success threshold for liveness probe. Yes
pem.livenessProbe.failureThreshold 3 Specify the failure threshold for liveness probe. Yes
pem.hostname null Specify the route DNS host to access IBM PEM. If not specified, default hostname will be generated. No
pem.ingress.tls.secretName null Specify the TLS certificate secret for the PEM hostname. Yes
pem.route.timeout '60s' Specify the timeout for the route. Yes
pem.route.tls.termination reencrypt Specify TLS termination type for serving certificates for securing the route. PEM currently supports only re-encrypt termination. Yes
pem.route.tls.insecureEdgeTerminationPolicy None Specify the policy for traffic on insecure schemes like HTTP. Yes
pem.Setupfile.servers.jvm_options "-Xms4g -Xmx4g" null Specify the list of JVM options for the servers, separated by spaces. No
pem.Setupfile.servers.keystore_password null Specify the PEM application secret name containing keystore password. Yes
pem.Setupfile.servers.keystore_alias null Specify the secret alias within the keystore secret file. Yes
pem.Setupfile.servers.keystore_filename null Specify the secret name for keystore file.
Note: The name of the secret must match the name of the key stored inside of it.
Yes
pem.Setupfile.servers.max_file_size 100 Specify the maximum size for the server log file in MB. Yes
pem.Setupfile.servers.max_files 20 Specify the maximum number of server log files. The default value is 20. Yes
pem.Setupfile.servers.console_log_level "INFO" Specify the console log level. For example, "INFO". Yes
pem.Setupfile.servers.trace_specification "*: info" Specify the trace specification. The default value is "*: info". Yes
Table 13. PEM Partner Provisioner (PP) Parameters
Parameter Default value Description Mandatory?
pp.enable true Specify true to install Partner Provisioner. Valid values are true and false. Yes
pp.replicas 1 Specify the number of pods to be deployed. Yes
pp.resources.requests.memory "2Gi" Specify the memory request as required. Yes
pp.resources.requests.CPU "250m" Specify the CPU cores request as required. Yes
pp.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
pp.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
pp.resources.limits.CPU "500m" Specify the maximum CPU a pod can utilize. Yes
pp.resources.limits.ephemeral-storage "4Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
pp.autoscaling.enabled false Specify true to allow autoscaling of pods. Valid values are true and false. Yes
pp.autoscaling.minReplicas 1 Specify the minimum number of pods to be scaled up. Yes, if autoscaling is enabled.
pp.autoscaling.maxReplicas 2 Specify the maximum number of pods to be scaled up. Yes, if autoscaling is enabled.
pp.autoscaling.targetCPUUtilizationPercentage 85 Specify the target CPU utilization for autoscaling. Yes, if autoscaling is enabled.
pp.readinessProbe.initialDelaySeconds 10 Specify the initial delay to start readiness testing of pod in seconds. Yes
pp.readinessProbe.periodSeconds 60 Specify the time interval to perform readiness checks. Yes
pp.livenessProbe.initialDelaySeconds 60 Specify the initial delay to start liveness testing of pod in seconds. Yes
pp.livenessProbe.timeoutSeconds 30 Specify the liveness probe timeout in seconds. Yes
pp.livenessProbe.periodSeconds 60 Specify the time interval to perform liveness checks. Yes
pp.livenessProbe.successThreshold 1 Specify the liveness probe success threshold. Yes
pp.livenessProbe.failureThreshold 3 Specify the liveness probe fail threshold. Yes
pp.hostname null Specify the route DNS host to access Partner Provisioner. If not specified, default hostname will be generated. No
pp.ingress.tls.secretName null Specify the TLS certificate secret for the PP hostname. Yes
pp.route.timeout '30s' Specify the timeout for the route. No
pp.route.tls.termination reencrypt Specify TLS termination types for serving certificates for securing the route. PEM currently supports only re-encrypt termination. Yes
pp.route.tls.insecureEdgeTerminationPolicy None Specify policy for traffic on insecure schemes like HTTP. Yes
pp.Setupfile.servers.jvm_options "-Xms4g -Xmx4g" null Specify the list of JVM options for the servers, separated by spaces. No
pp.Setupfile.servers.keystore_password null Specify the PEM application secret name containing the keystore password. Yes
pp.Setupfile.servers.keystore_alias null Specify the secret alias within the keystore secret file. Yes
pp.Setupfile.servers.keystore_filename null Specify the secret name for keystore file.
Note: The name of the secret must match the name of the key stored inside of it.
Yes
pp.Setupfile.servers.max_file_size 100 Specify the maximum size for the server log file in MB. Yes
pp.Setupfile.servers.max_files 20 Specify the maximum number of server log files. The default value is 20. Yes
pp.Setupfile.servers.console_log_level "INFO" Specify the console log level. For example, "INFO". Yes
pp.Setupfile.servers.trace_specification "*: info" Specify the trace specification. The default value is "*: info". Yes
pp.Setupfile.servers.enable_jms_features "embdServerAndClientOnly" Specify the embedded JMS queue details that are common for Partner Repository (PR) and Partner Provisioner (PP). Yes
pp.Setupfile.servers.provisioner_request_queue "PEM_request" Specify the request queue name, which is used for communication between PEM Partner Provisioner and PEM Partner Repository using embedded JMS. Ensure that the queue name is same for both the service components. Yes
pp.Setupfile.servers.provisioner_response_queue "PEM_response" Specify the response queue name, which is used for communication between PEM Partner Provisioner and PEM Partner Repository using embedded JMS. Ensure that the queue name is same for both the service components. Yes
pp.Setupfile.servers.remote_server_ssl false Specify true for SSL (BootstrapSecureMessaging) and false for non-SSL (BootstrapBasicMessaging). No
pp.Setupfile.servers.remote_server_host null Specify the service hostname of the JMS service: releasename-pp-jms-service.namespace.domain.com. No
pp.Setupfile.servers.remote_server_port 80 Specify the exposed JMS port number while deploying Partner Provisioner as a JMS server. Yes
Table 14. PEM Partner Repository (PR) Parameters
Parameter Default value Description Mandatory?
pr.enable true Specify true to install Partner Repository. Valid values are true and false. Yes
pr.replicas 1 Specify the number of pods to be deployed. Yes
pr.resources.requests.memory "2Gi" Specify the memory request as required. Yes
pr.resources.requests.CPU "250m" Specify the CPU cores request as required. Yes
pr.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
pr.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
pr.resources.limits.CPU "500m" Specify the maximum CPU a pod can utilize. Yes
pr.resources.limits.ephemeral-storage "4Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
pr.autoscaling.enabled false Specify true to allow autoscaling of pods. Valid values are true and false. Yes
pr.autoscaling.minReplicas 1 Specify the minimum number of pods to be scaled up. Yes, if autoscaling is enabled.
pr.autoscaling.maxReplicas 2 Specify the maximum number of pods to be scaled up. Yes, if autoscaling is enabled.
pr.autoscaling.targetCPUUtilizationPercentage 85 Specify the limit of CPU utilization for autoscaling. Yes, if autoscaling is enabled.
pr.readinessProbe.initialDelaySeconds 10 Specify the initial delay to start readiness testing of pod in seconds. Yes
pr.readinessProbe.periodSeconds 60 Specify the time interval to perform readiness checks. Yes
pr.livenessProbe.initialDelaySeconds 60 Specify the initial delay to start liveness testing of pod in seconds. Yes
pr.livenessProbe.timeoutSeconds 30 Specify the liveness probe timeout in seconds. Yes
pr.livenessProbe.periodSeconds 60 Specify the time interval to perform liveness checks. Yes
pr.livenessProbe.successThreshold 1 Specify the success threshold for liveness probe. Yes
pr.livenessProbe.failureThreshold 3 Specify the failure threshold for liveness probe. Yes
pr.hostname null Specify the route DNS host to access Partner Provisioner. If not specified, the default hostname will be generated. Yes
pr.ingress.tls.secretName null Specify the TLS certificate secret for the PR hostname. Yes
pr.route.timeout '30s' Specify the timeout for the route. Yes
pr.route.tls.termination reencrypt Specify TLS termination types for serving certificates for securing the route. PEM currently supports only reencrypt termination. Yes
pr.route.tls.insecureEdgeTerminationPolicy None Specify policy for traffic on insecure schemes like HTTP. Yes
pr.Setupfile.servers.jvm_options "-Xms4g -Xmx4g" Specify the list of JVM options for the servers, separated by spaces. No
pr.Setupfile.servers.keystore_password null Specify the application secret name containing the keystore password. Yes
pr.Setupfile.servers.keystore_alias null Specify the secret alias within the keystore secret file. Yes
pr.Setupfile.servers.keystore_filename null Specify the secret name for the keystore file.
Note: The name of the secret must match the name of the key stored inside of it.
Yes
pr.Setupfile.servers.max_file_size 100 Specify the maximum size for the server log file in MB. Yes
pr.Setupfile.servers.max_files 20 Specify the maximum number of server log files. The default value is 20. Yes
pr.Setupfile.servers.console_log_level "INFO" Specify the console log level. For example, "INFO". Yes
pr.Setupfile.servers.trace_specification "*: info" Specify the trace specification. The default value is "*: info". Yes
pr.Setupfile.servers.enable_jms_features "embdClientOnly" Specify the embedded JMS queue details that are common for Partner Repository and Partner Provisioner. Yes
pr.Setupfile.servers.provisioner_request_queue "PEM_request" Specify the request queue name, which is used for communication between Partner Provisioner and Partner Repository using embedded JMS. Ensure that the queue name is same for both the service components. Yes
pr.Setupfile.servers.provisioner_response_queue "PEM_response" Specify the response queue name, which is used for communication between Partner Provisioner and Partner Repository using embedded JMS. Ensure that the queue name is same for both the service components. Yes
pr.Setupfile.servers.remote_server_ssl false Specify true for SSL (BootstrapSecureMessaging) and false for non-SSL (BootstrapBasicMessaging). Yes
pr.Setupfile.servers.remote_server_host null Specify the service hostname of the JMS service: releasename-pr-jms-service.namespace.domain.com. Yes
pr.Setupfile.servers.remote_server_port 80 Specify the exposed JMS port number while deploying Partner Repository as a JMS server. Yes
Table 15. IBM MQ (MQ) Parameters
Parameter Default value Description Mandatory?
wmq.channel null Specify the IBM MQ channel name. No
wmq.connection_name_list null Specify the IBM MQ connection list separated by comma. For example, 9.89.31.226 (19443), 9.77.53.126 (17286). This example is valid for an IBM MQ Setup with High Availability (HA). For MQ without HA, it can be a single <host_name or IP>:<port_number>. No
wmq.queue_manager null Specify the IBM MQ queue manager. No
wmq.username null Specify the IBM MQ user name. No
wmq.password null Specify the IBM MQ secret name. No
wmq.wmq_provisioner_request_queue_manager null Specify the IBM MQ request queue manager. No
wmq.wmq_provisioner_response_queue_manager null Specify the IBM MQ response queue manager. No
wmq.wmq_provisioner_request_queue_name null Specify the IBM MQ request queue name. No
wmq.wmq_provisioner_response_queue_name null Specify the IBM MQ response queue name. No
wmq.ssl_cipher_suite null Specify a valid SSL cipher suite. If SSL is enabled on the IBM MQ connection channel, specify the SSL cipher suite corresponding to the SSL cipher specifications configured on the IBM MQ connection channel. No
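A lint pass over the security-relevant parameters from Tables 1 through 15, added here as an example; it is not part of the IBM chart or its documentation. Parameter names and defaults come from the tables above, while the function names, the finding texts and SAMPLE_VALUES are assumptions made for the example, and the values are expected as an already-parsed nested dictionary.

```python
"""Added example: lint security-relevant IBM-PEM-Standard chart values.

Parameter names and defaults are taken from the tables on this page.
The finding texts and SAMPLE_VALUES are constructed for this example.
"""

WEAK_TLS = {"TLSv1", "TLSv1.1"}  # protocol versions deprecated by RFC 8996


def lookup(values, dotted, default=None):
    """Walk a nested dict using a dotted parameter name; null counts as unset."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or node.get(key) is None:
            return default
        node = node[key]
    return node


def is_true(value):
    """Booleans in values.yaml are sometimes quoted, so accept both forms."""
    return str(value).strip().lower() == "true"


def audit(values):
    """Return (parameter, reason) pairs for settings that weaken the deployment."""
    findings = []

    # Table 1: both network policy directions default to true.
    for direction in ("ingress", "egress"):
        param = f"global.networkPolicies.{direction}.enabled"
        if not is_true(lookup(values, param, True)):
            findings.append((param, f"{direction} network policies are not created"))

    # Tables 4 and 5: database transport settings.
    setup = "dbSetup.Setupfile."
    if not is_true(lookup(values, setup + "ssl_connection", False)):
        findings.append((setup + "ssl_connection", "database connection does not use SSL"))
    for key in ("db_sslProtocol", "db_mssql_sslProtocol",
                "testmode_db_sslProtocol", "testmode_db_mssql_sslProtocol"):
        if lookup(values, setup + key, "TLSv1.2") in WEAK_TLS:
            findings.append((setup + key, "TLS version older than 1.2"))
    for key in ("db_mssql_encrypt", "testmode_db_mssql_encrypt"):
        if str(lookup(values, setup + key, "")).lower() == "false":
            findings.append((setup + key, "MSSQL encryption is turned off"))

    # Table 8: any listed host is exempt from hostname verification.
    param = "Setupfile.servers.skipHostnameVerificationForHosts"
    if lookup(values, param):
        findings.append((param, "hostname verification is skipped for listed hosts"))

    # Tables 12 to 14: "Allow" is the OpenShift route policy that serves plain HTTP.
    for comp in ("pem", "pp", "pr"):
        param = f"{comp}.route.tls.insecureEdgeTerminationPolicy"
        if lookup(values, param, "None") == "Allow":
            findings.append((param, "route also accepts plain HTTP"))

    # Tables 13 and 14: false selects non-SSL BootstrapBasicMessaging (the default).
    for comp in ("pp", "pr"):
        param = f"{comp}.Setupfile.servers.remote_server_ssl"
        if not is_true(lookup(values, param, False)):
            findings.append((param, "JMS uses non-SSL BootstrapBasicMessaging"))

    # Table 7: the chart default is the non-root user 1011.
    if lookup(values, "security.runAsUser", 1011) == 0:
        findings.append(("security.runAsUser", "container runs as root"))

    return findings


# Constructed sample: the shape values.yaml takes once parsed.
SAMPLE_VALUES = {
    "global": {"networkPolicies": {"ingress": {"enabled": True},
                                   "egress": {"enabled": False}}},
    "dbSetup": {"Setupfile": {"ssl_connection": True,
                              "db_sslProtocol": "TLSv1.1",
                              "db_mssql_encrypt": "strict"}},
    "Setupfile": {"servers": {"skipHostnameVerificationForHosts": "db.example.internal"}},
    "security": {"runAsUser": 1011},
    "pem": {"route": {"tls": {"termination": "reencrypt",
                              "insecureEdgeTerminationPolicy": "None"}}},
    "pp": {"Setupfile": {"servers": {"remote_server_ssl": True}}},
    "pr": {"Setupfile": {"servers": {"remote_server_ssl": False}}},
}

if __name__ == "__main__":
    for parameter, reason in audit(SAMPLE_VALUES):
        print(f"{parameter}: {reason}")
```

An empty dictionary is audited against the defaults listed in the tables, so it reports the settings that are weak out of the box.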
Table 16. Purge Parameters
Parameter Default value Description Mandatory?
purge.enable false Specify true to run the Purge utility. Valid values are true and false. Yes
purge.schedule "0 9 * * 1" Specify the Cron expression for purge schedule. Yes
purge.resources.requests.memory "2Gi" Specify the memory request as required. Yes
purge.resources.requests.CPU "250m" Specify the CPU cores request as required. Yes
purge.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
purge.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
purge.resources.limits.CPU "500m" Specify the maximum CPU a pod can utilize. Yes
purge.resources.limits.ephemeral-storage "3Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
purge.Setupfile.purge.name null Specify the purge tool name. This property prevents two users who specify the same purge name from purging the records simultaneously. This property is mandatory, so ensure that the value is not blank. Yes
purge.Setupfile.purge.number_of_purge_days 180 Specify the number of retention days before the current date for which the records need to be purged. Only those records that qualify are purged. For example, if you specify 60 days, records that are present before 60 days from the current date and satisfy the purge criteria are purged. Yes
purge.Setupfile.purge.purge_count 1 Specifies the number of records to be purged in a batch.
Important: Do not modify the default value.
Yes
purge.Setupfile.purge.sponsor_context null Specify the Sponsor context or an asterisk (*). The asterisk selects all the Sponsors in the system. No
purge.Setupfile.purge.no_of_db_connections 50 Specify the maximum number of pooled connections allowed for the Yes
purge.Setupfile.purge.resource_to_purge "SPONSOR" Specify the resource for which you want to purge.
  • Sponsor - purge.resource_to_purge="SPONSOR"
  • Sponsor user - purge.resource_to_purge="SPONSOR_USER"
  • Partner - purge.resource_to_purge="PARTNER"
  • Third party processor - purge.resource_to_purge="TPP"
  • Third party processor user - purge.resource_to_purge="TPP_USER"
  • Partner user - purge.resource_to_purge="PARTNER_USER"
Yes
purge.Setupfile.purge.resource_to_purge_key null Specify the resource key for Sponsor/Sponsor user/Partner/Partner user/Third party processor/Third party processor user. Yes
purge.Setupfile.purge.purge_strategy "ARCHIVE" To enable purge, specify DELETE. This only deletes data from the source database.
To enable archive, specify ARCHIVE. This deletes data from the source database and copies it to the target database.
Yes
purge.Setupfile.purge.target_db_is_same_as_source_db false Specify true if the source database and target database schemas are the same. Otherwise, specify false. Yes
purge.Setupfile.purge.target_no_of_db_connections 50 Specify the maximum number of pooled connections that are allowed to the target database from the Purge tool. Yes
purge.Setupfile.purge.target_db_port null Specify the database port. Yes
purge.Setupfile.purge.target_db_host null Specify the database host. Yes
purge.Setupfile.purge.target_db_name null Specify the database name. Yes
purge.Setupfile.purge.target_db_schema null Specify the database schema. Yes
purge.Setupfile.purge.target_db_user null Specify the database user. Yes
purge.Setupfile.purge.target_db_password null Specify the database secret.
purge.Setupfile.purge.target_db_driver null Specify the database driver. Yes
purge.Setupfile.purge.target_ssl_connection false Specify true to enable the SSL connection for purge target database schema. Valid values are true and false. Yes
purge.Setupfile.purge.target_db_sslProtocol TLSv1.2 Specify the DB2 or MSSQL TLS version for purge target database. If not specified, default value is used. Valid values are TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. Yes
purge.Setupfile.purge.target_db_sslTrustStoreName null Specify the keystore/truststore file name that contains the public certificate of the target purge database schema. No
purge.Setupfile.purge.target_db_sslTrustStoreSecret null Specify the keystore/truststore secret name. No
purge.Setupfile.purge.target_db_sslTrustStorePassword null Specify the keystore name containing the keystore/truststore password. No
purge.Setupfile.purge.target_db_mssql_hostNameInCertificate null Specify the hostname used in validating the SQL Server's TLS/SSL certificate.
Note: This is not a mandatory field. You must specify the hostname in the target_db_mssql_hostNameInCertificate property only if you have not specified the hostname in the target_db_host property.
No
purge.Setupfile.purge.target_db_mssql_sslProtocol TLSv1.2 Specify the TLS protocol version to be considered for the SSL handshake. Possible values are TLSv1, TLSv1.1, and TLSv1.2.
Important: Deprecated property. This property is used only if target_db_sslProtocol value is undeclared and db_type is configured with MSSQL.
No
purge.Setupfile.purge.target_db_type null Specify the type of purge target database. Valid values are DB2, oracle, mssql. Yes
purge.Setupfile.purge.jvm_options null Specify the list of JVM options for purge separated by space. No
purge.Setupfile.purge.java_util_logging_file_handler_level "INFO" Specify the log level. Valid values are FINE, INFO, SEVERE. Yes
purge.Setupfile.purge.java_util_logging_file_handler_limit null Specify the file size limit (in MB) for each log file. Yes
purge.Setupfile.purge.java_util_logging_file_handler_count null Specify the number of log files. Yes
Table 17. Agent Parameters
Parameter Default value Description Mandatory?
agent.replicas 1 Specify the number of pods to be deployed. Yes
agent.enable false Specify true to run the scan agent. Valid values are true and false. Yes
agent.resources.requests.memory "2Gi" Specify the memory request as required. Yes
agent.resources.requests.CPU "1000m" Specify the CPU cores request as required. Yes
agent.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
agent.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
agent.resources.limits.CPU "2000m" Specify the maximum CPU cores a pod can utilize. Yes
agent.resources.limits.ephemeral-storage "3Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
agent.Setupfile.agent.type null Specify the type of agent. Valid values are scanagent, certificateupdate.
If you want to run both Scan Agent and Certificate Update, specify both the values separated by commas. For example, scanagent,certificateupdate.
Yes
agent.Setupfile.agent.jvm_options null Specify the list of JVM options for the scan agent separated by space. No
agent.Setupfile.agent.antivirus_server_host null Specify the host or IP of the antivirus server. Yes
agent.Setupfile.agent.antivirus_server_port null Specify the port number of the antivirus server. Yes
agent.Setupfile.agent.no_of_db_connections 50 Specify the maximum number of pooled connections allowed to the database. Yes
agent.Setupfile.agent.retry_interval_in_sec 21600 Specify the time interval between retries after a connection failure with the anti-virus server. Accepts only numeric values. Yes
agent.Setupfile.agent.max_retry_count 1460 Specify the maximum number of times the agent must retry scanning a file, in case the scan fails. Yes
agent.Setupfile.agent.com_ibm_vch_identity_security_limit 100 Specify the limit (in MB) for each log file. Yes
agent.Setupfile.agent.com_ibm_vch_identity_security_level "INFO" Specify the log level. Valid values are FINE, INFO, SEVERE. Yes
agent.Setupfile.agent.com_ibm_vch_identity_security_count 20 Specify the number of log files. Yes
agent.Setupfile.agent.scan_extensibility_class null Specify the class to enable anti-virus extensibility. No
Table 18. API Gateway Parameters
Parameter Default value Description Mandatory?
gateway.enable true Specify true to install API Gateway. Valid values are true and false. Yes
gateway.replicas 1 Specify the number of pods to be deployed. Yes
gateway.resources.requests.memory "2Gi" Specify the memory request as required. Yes
gateway.resources.requests.CPU "1000m" Specify the CPU cores request as required. Yes
gateway.resources.requests.ephemeral-storage "2Gi" Specify the ephemeral-storage request as required. Yes
gateway.resources.limits.memory "4Gi" Specify the maximum memory a pod can utilize. Yes
gateway.resources.limits.CPU "2000m" Specify the maximum CPU a pod can utilize. Yes
gateway.resources.limits.ephemeral-storage "4Gi" Specify the maximum ephemeral-storage a pod can utilize. Yes
gateway.readinessProbe.initialDelaySeconds 10 Specify the initial delay to start readiness testing of pod in seconds. Yes
gateway.readinessProbe.periodSeconds 60 Specify the time interval to perform readiness checks. Yes
gateway.livenessProbe.initialDelaySeconds 60 Specify the initial delay to start liveness testing of pod in seconds. Yes
gateway.livenessProbe.timeoutSeconds 30 Specify the timeout for liveness probe (in seconds). Yes
gateway.livenessProbe.periodSeconds 60 Specify the time interval to perform liveness checks. Yes
gateway.livenessProbe.successThreshold 1 Specify the success threshold for liveness probe. Yes
gateway.livenessProbe.failureThreshold 3 Specify the failure threshold for liveness probe. Yes
gateway.hostname null Specify the route DNS host to access gateway.
Important: A value must be specified for this property to enable APIs.
Yes
gateway.ingress.tls.secretName null Specify the TLS certificate secret for the Gateway hostname. Yes
gateway.route.timeout '30s' Specify the timeout for the route. Yes
gateway.route.tls.termination reencrypt Specify TLS termination types for serving certificates for securing the route. PEM currently supports only re-encrypt termination. Yes
gateway.route.tls.insecureEdgeTerminationPolicy None Specify policy for traffic on insecure schemes like HTTP. No
gateway.Setupfile.servers.jvm_options null Specify the list of JVM options for the servers, separated by spaces. For example, jvm_options: "-Xms4g -Xmx4g". Yes
gateway.Setupfile.servers.keystore_password null Specify the secret name containing the keystore password. Yes
gateway.Setupfile.servers.keystore_alias null Specify the secret alias within the keystore file. Yes
gateway.Setupfile.servers.keystore_filename null Specify the secret name for the keystore file.
Note: The name of the secret must match the name of the key stored inside of it.
Yes
gateway.Setupfile.servers.max_file_size 100 Specify the maximum size for the server log file (in MB). Yes
gateway.Setupfile.servers.max_files 20 Specify the maximum number of server log files. Yes
gateway.Setupfile.servers.console_log_level "INFO" Specify the console log level. For example, "INFO". Yes
gateway.Setupfile.servers.trace_specification "*: info" Specify the trace specification. The default value is "*: info". Yes
gateway.Setupfile.gateway.cors_allowedOrigins "*" Specify the list of allowed CORS origins as comma-separated values. For example, <origin1>,<origin2>. Yes
gateway.Setupfile.gateway.pem_servers null Specify the PEM service URL. PEM service is created with the name format as <release_name>-pem-service and the port as 80. For example, specify https://my-release-pem-service:80, where my-release is the release name.
Use this field to specify the list of PEM containers to which the Gateway sends API calls. If more than one container address is specified, the Gateway load balances across them.
Yes
gateway.Setupfile.gateway.pr_servers null Specify the PR service URL. PR service is created with the name format as <release_name>-pr-service, and the port as 80. For example, specify https://my-release-pr-service:80, where my-release is the release name.
Use this field to specify the list of PR containers to which the Gateway sends API calls. If more than one container address is specified, the Gateway load balances across them.
Yes
gateway.Setupfile.gateway.max_file_size null Specify the limit of the file size uploaded via Gateway. No
gateway.Setupfile.gateway.max_request_size null Specify the limit of the size of request uploaded via Gateway. No
gateway.Setupfile.gateway.hostname_validation_required true Specify true to enable certificate hostname validation for API Gateway. Valid values are true and false. Yes
gateway.Setupfile.gateway.truststore_filename null Specify the secret name for SSL truststore file name for the API Gateway server to communicate with PEM and PR.
Note: The name of the secret must match the name of the key stored inside of it.
No
gateway.Setupfile.gateway.truststore_type null Specify the SSL truststore file type. For example, JKS. No
gateway.Setupfile.gateway.truststore_alias null Specify the alias of the server's public certificate within the truststore. No
gateway.Setupfile.gateway.truststore_password null Specify the secret name for the server's truststore password. No
limit_for_period 45 The maximum number of requests allowed within each limit_for_period. No
limit_refresh_period 60 The interval (in seconds) at which the rate limit is reset. No
timeout_duration 5 The maximum time (in seconds) a request will wait if the rate limit is exceeded before failing or timing out. No
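The transport-related parameters in Tables 14 to 18 can be checked before deployment. The following is an added example, not part of the IBM chart or its documentation: it audits a parsed values.yaml (represented as a nested dict) and falls back to the defaults listed in the tables when a key is absent. The names audit, lookup and SAMPLE are hypothetical, the sample values are constructed, and the Allow route policy value comes from OpenShift routes rather than from this page.

```python
# Added example; audit()/lookup() are hypothetical names, not part of the chart.
WEAK_TLS = {"TLSv1", "TLSv1.1"}  # both deprecated by RFC 8996
P, G = "purge.Setupfile.purge.", "gateway.Setupfile.gateway."

# (parameter path, chart default from the tables, is_weak predicate, finding)
CHECKS = [
    ("pr.Setupfile.servers.remote_server_ssl", False, lambda v: v is not True,
     "JMS uses non-SSL BootstrapBasicMessaging"),
    (P + "target_ssl_connection", False, lambda v: v is not True,
     "purge target database connection has SSL disabled"),
    (P + "target_db_sslProtocol", "TLSv1.2", lambda v: v in WEAK_TLS,
     "purge target database uses a deprecated TLS version"),
    ("gateway.route.tls.insecureEdgeTerminationPolicy", "None",
     lambda v: v == "Allow", "route also serves plain HTTP"),
    (G + "cors_allowedOrigins", "*",
     lambda v: "*" in [o.strip() for o in str(v).split(",")],
     "CORS accepts every origin"),
    (G + "hostname_validation_required", True, lambda v: v is not True,
     "certificate hostname validation is off"),
]

def lookup(values, dotted, default):
    """Walk a nested dict along a dotted path; fall back to the chart default."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit(values):
    """Return (path, effective value, finding) for each weak setting."""
    purge_on = lookup(values, "purge.enable", False) is True
    findings = []
    for path, default, is_weak, text in CHECKS:
        if path.startswith(P) and not purge_on:
            continue  # the Purge utility is not run, skip its settings
        value = lookup(values, path, default)
        if is_weak(value):
            findings.append((path, value, text))
    return findings

SAMPLE = {  # constructed values, not from a real deployment
    "pr": {"Setupfile": {"servers": {"remote_server_ssl": True}}},
    "purge": {"enable": True, "Setupfile": {"purge": {
        "target_ssl_connection": True, "target_db_sslProtocol": "TLSv1.1"}}},
    "gateway": {"route": {"tls": {"insecureEdgeTerminationPolicy": "Redirect"}},
                "Setupfile": {"gateway": {"hostname_validation_required": False}}},
}
```

Calling audit({}) reports the settings that are weak when the chart defaults are left unchanged, which is a quick way to see what an untouched values.yaml exposes.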