Chapter 3. Freeform managed server environment
You can deploy a freeform server environment that includes several different pods running Process Server. These Process Servers can run different services for staging or production purposes. You can add and remove servers as necessary at any time.
You start deploying a freeform managed server environment by deploying Business Central Monitoring and one managed Process Server. You can use Business Central Monitoring to monitor and, when necessary, manage the execution of services on Process Servers. This environment does not include Smart Router.
You can also deploy additional managed Process Servers. Each Process Server can be separately scaled as necessary.
On a managed Process Server, no services are initially loaded. Use Business Central Monitoring or the REST API of the Process Server to deploy and undeploy processes on the server.
You must provide a Maven repository with the processes (KJAR files) that you want to deploy on the servers. Your integration process must ensure that the required versions of the processes are uploaded to the Maven repository. You can use Business Central in a development environment to create the processes and upload them to the Maven repository.
Each Process Server uses a database server. Usually, the database servers also run in pods, although you can set up a Process Server to use an external database server.
You can also deploy immutable Process Servers in the same namespace. You can use Business Central Monitoring to view monitoring information for all Process Servers in the environment, including immutable servers. For instructions about deploying immutable Process Servers, see Deploying a Red Hat Process Automation Manager immutable server environment on Red Hat OpenShift Container Platform.
3.1. Deploying monitoring and a single Process Server for a freeform environment
To start deploying a freeform environment, deploy Business Central Monitoring and a single managed Process Server, which uses a PostgreSQL database server in a pod. No services are loaded on the Process Server. Use Business Central Monitoring to deploy and undeploy services on the server.
You can then add more Process Servers as necessary.
3.1.1. Starting configuration of the template for monitoring and a single Process Server
To deploy Business Central Monitoring and a single managed Process Server, use the rhpam76-managed.yaml
template file.
Procedure
-
Download the
rhpam-7.6.0-openshift-templates.zip
product deliverable file from the Software Downloads page of the Red Hat Customer Portal. -
Extract the
rhpam76-managed.yaml
template file. Use one of the following methods to start deploying the template:
-
To use the OpenShift Web UI, in the OpenShift application console select Add to Project
Import YAML / JSON and then select or paste the rhpam76-managed.yaml
file. In the Add Template window, ensure Process the template is selected and click Continue. To use the OpenShift command line console, prepare the following command line:
oc new-app -f <template-path>/rhpam76-managed.yaml -p BUSINESS_CENTRAL_HTTPS_SECRET=businesscentral-app-secret -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value
In this command line, make the following changes:
-
Replace
<template-path>
with the path to the downloaded template file. -
Use as many
-p PARAMETER=value
pairs as needed to set the required parameters.
-
Replace
-
To use the OpenShift Web UI, in the OpenShift application console select Add to Project
Next steps
Set the parameters for the template. Follow the steps in Section 3.1.2, “Setting required parameters for monitoring and a single Process Server” to set common parameters. You can view the template file to see descriptions for all parameters.
3.1.2. Setting required parameters for monitoring and a single Process Server
When configuring the template to deploy Business Central Monitoring and a single managed Process Server, you must set the following parameters in all cases.
Prerequisites
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
Set the following parameters:
-
Business Central Monitoring Server Keystore Secret Name (
BUSINESS_CENTRAL_HTTPS_SECRET
): The name of the secret for Business Central, as created in Section 2.3, “Creating the secrets for Business Central”. -
KIE Server Keystore Secret Name (
KIE_SERVER_HTTPS_SECRET
): The name of the secret for Process Server, as created in Section 2.2, “Creating the secrets for Process Server”. -
Business Central Monitoring Server Certificate Name (
BUSINESS_CENTRAL_HTTPS_NAME
): The name of the certificate in the keystore that you created in Section 2.3, “Creating the secrets for Business Central”. -
Business Central Monitoring Server Keystore Password (
BUSINESS_CENTRAL_HTTPS_PASSWORD
): The password for the keystore that you created in Section 2.3, “Creating the secrets for Business Central”. -
KIE Server Certificate Name (
KIE_SERVER_HTTPS_NAME
): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for Process Server”. -
KIE Server Keystore Password (
KIE_SERVER_HTTPS_PASSWORD
): The password for the keystore that you created in Section 2.2, “Creating the secrets for Process Server”. -
Application Name (
APPLICATION_NAME
): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and Process Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. -
Enable KIE server global discovery (
KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED
): Set this parameter totrue
if you want Business Central Monitoring to discover all Process Servers with theOpenShiftStartupStrategy
in the same namespace. By default, Business Central Monitoring discovers only Process Servers that are deployed with the same value of theAPPLICATION_NAME
parameter as Business Central Monitoring itself. -
Maven repository URL (
MAVEN_REPO_URL
): A URL for a Maven repository. You must upload all the processes (KJAR files) that are to be deployed on any Process Servers in your environment into this repository. -
Maven repository ID (
MAVEN_REPO_ID
): An identifier for the Maven repository. The default value isrepo-custom
. -
Maven repository username (
MAVEN_REPO_USERNAME
): The user name for the Maven repository. -
Maven repository password (
MAVEN_REPO_PASSWORD
): The password for the Maven repository. -
KIE Server Mode (
KIE_SERVER_MODE
): In therhpam76-managed.yaml
template the default value isPRODUCTION
. InPRODUCTION
mode, you cannot deploySNAPSHOT
versions of KJAR artifacts on the Process Server and cannot change versions of an artifact in an existing container. To deploy a new version withPRODUCTION
mode, create a new container on the same Process Server. To deploySNAPSHOT
versions or to change versions of an artifact in an existing container, set this parameter toDEVELOPMENT
. -
ImageStream Namespace (
IMAGE_STREAM_NAMESPACE
): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace isopenshift
. If you have installed the image streams file, the namespace is the name of the OpenShift project.
-
Business Central Monitoring Server Keystore Secret Name (
You can set the following user names and passwords. By default, the deployment automatically generates the passwords.
-
KIE Admin User (
KIE_ADMIN_USER
) and KIE Admin Password (KIE_ADMIN_PWD
): The user name and password for the administrative user. If you want to use the Business Central Monitoring to control or monitor any Process Servers other than the Process Server deployed by the same template , you must set and record the user name and password. -
KIE Server User (
KIE_SERVER_USER
) and KIE Server Password (KIE_SERVER_PWD
): The user name and password that a client application can use to connect to any of the Process Servers.
-
KIE Admin User (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
3.1.3. Configuring pod replica numbers for monitoring and a single Process Server
When configuring the template to deploy Business Central Monitoring and a single managed Process Server, you can set the initial number of replicas for Process Server and Business Central Monitoring.
Prerequisites
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
To configure the numbers of replicas, set the following parameters:
-
Business Central Monitoring Container Replicas (
BUSINESS_CENTRAL_MONITORING_CONTAINER_REPLICAS
): The number of replicas that the deployment initially creates for Business Central Monitoring. If you do not want to use a high-availability configuration for Business Central Monitoring, set this number to 1. -
KIE Server Container Replicas (
KIE_SERVER_CONTAINER_REPLICAS
): The number of replicas that the deployment initially creates for Process Server.
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
3.1.4. Configuring access to a Maven mirror in an environment without a connection to the public Internet for monitoring and a single Process Server
When configuring the template to deploy Business Central Monitoring and a single managed Process Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.6, “Preparing a Maven mirror repository for offline use”.
Prerequisites
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
To configure access to the Maven mirror, set the following parameters:
-
Maven mirror URL (
MAVEN_MIRROR_URL
): The URL for the Maven mirror repository that you set up in Section 2.6, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment. Maven mirror of (
MAVEN_MIRROR_OF
): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting themirrorOf
value, see Mirror Settings in the Apache Maven documentation. The default value isexternal:*
. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.-
If you configure an external Maven repository (
MAVEN_REPO_URL
), changeMAVEN_MIRROR_OF
to exclude the artifacts in this repository from the mirror, for example,external:*,!repo-custom
. Replacerepo-custom
with the ID that you configured inMAVEN_REPO_ID
. -
If you configure a built-in Business Central Maven repository (
BUSINESS_CENTRAL_MAVEN_SERVICE
), changeMAVEN_MIRROR_OF
to exclude the artifacts in this repository from the mirror:external:*,!repo-rhpamcentr
. -
If you configure both repositories, change
MAVEN_MIRROR_OF
to exclude the artifacts in both repositories from the mirror:external:*,!repo-rhpamcentr,!repo-custom
. Replacerepo-custom
with the ID that you configured inMAVEN_REPO_ID
.
-
If you configure an external Maven repository (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
3.1.5. Setting parameters for RH-SSO authentication for monitoring and a single Process Server
If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy Business Central Monitoring and a single managed Process Server.
Do not configure LDAP authentication and RH-SSO authentication in the same deployment.
Prerequisites
- A realm for Red Hat Process Automation Manager is created in the RH-SSO authentication system.
User names and passwords for Red Hat Process Automation Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. The following users are required in order to set the parameters for the environment:
-
An administrative user with the
kie-server,rest-all,admin
roles. This user can administer and use the environment. Process Servers use this user to authenticate with Business Central Monitoring. -
A server user with the
kie-server,rest-all,user
roles. This user can make REST API calls to the Process Server. Business Central Monitoring uses this user to authenticate with Process Servers.
-
An administrative user with the
- Clients are created in the RH-SSO authentication system for all components of the Red Hat Process Automation Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Process Automation Manager deployment can create the clients. However, this option provides less detailed control over the environment.
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
-
Set the
KIE_ADMIN_USER
andKIE_ADMIN_PASSWORD
parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system. -
Set the
KIE_SERVER_USER
andKIE_SERVER_PASSWORD
parameters of the template to the user name and password of the server user that you created in the RH-SSO authentication system. Set the following parameters:
-
RH-SSO URL (
SSO_URL
): The URL for RH-SSO. -
RH-SSO Realm name (
SSO_REALM
): The RH-SSO realm for Red Hat Process Automation Manager. -
RH-SSO Disable SSL Certificate Validation (
SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
): Set totrue
if your RH-SSO installation does not use a valid HTTPS certificate.
-
RH-SSO URL (
Complete one of the following procedures:
If you created the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:
-
Business Central Monitoring RH-SSO Client name (
BUSINESS_CENTRAL_SSO_CLIENT
): The RH-SSO client name for Business Central Monitoring. -
Business Central Monitoring RH-SSO Client Secret (
BUSINESS_CENTRAL_SSO_SECRET
): The secret string that is set in RH-SSO for the client for Business Central Monitoring. -
KIE Server RH-SSO Client name (
KIE_SERVER_SSO_CLIENT
): The RH-SSO client name for Process Server. -
KIE Server RH-SSO Client Secret (
KIE_SERVER_SSO_SECRET
): The secret string that is set in RH-SSO for the client for Process Server.
-
Business Central Monitoring RH-SSO Client name (
To create the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:
-
Business Central Monitoring RH-SSO Client name (
BUSINESS_CENTRAL_SSO_CLIENT
): The name of the client to create in RH-SSO for Business Central Monitoring. -
Business Central Monitoring RH-SSO Client Secret (
BUSINESS_CENTRAL_SSO_SECRET
): The secret string to set in RH-SSO for the client for Business Central Monitoring. -
KIE Server RH-SSO Client name (
KIE_SERVER_SSO_CLIENT
): The name of the client to create in RH-SSO for Process Server. -
KIE Server RH-SSO Client Secret (
KIE_SERVER_SSO_SECRET
): The secret string to set in RH-SSO for the client for Process Server. -
RH-SSO Realm Admin Username (
SSO_USERNAME
) and RH-SSO Realm Admin Password (SSO_PASSWORD
): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Process Automation Manager. You must provide this user name and password in order to create the required clients.
-
Business Central Monitoring RH-SSO Client name (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
After completing the deployment, review the URLs for components of Red Hat Process Automation Manager in the RH-SSO authentication system to ensure they are correct.
3.1.6. Setting parameters for LDAP authentication for monitoring and a single Process Server
If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy Business Central Monitoring and a single managed Process Server.
Do not configure LDAP authentication and RH-SSO authentication in the same deployment.
Prerequisites
You created user names and passwords for Red Hat Process Automation Manager in the LDAP system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. As a minimum, in order to set the parameters for the environment, you created the following users:
-
An administrative user with the
kie-server,rest-all,admin
roles. This user can administer and use the environment. -
A server user with the
kie-server,rest-all,user
roles. This user can make REST API calls to the Process Server.
-
An administrative user with the
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:
-
KIE_ADMIN_USER
: default user nameadminUser
, roles:kie-server,rest-all,admin
KIE_SERVER_USER
: default user nameexecutionUser
, roleskie-server,rest-all,guest
For the user roles that you can configure in LDAP, see Roles and users.
-
Set the
AUTH_LDAP*
parameters of the template. These parameters correspond to the settings of theLdapExtended
Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Process Automation Manager roles. To enable LDAP role mapping, set the following parameters:
-
RoleMapping rolesProperties file path (
AUTH_ROLE_MAPPER_ROLES_PROPERTIES
): The fully qualified path name of a file that defines role mapping, for example,/opt/eap/standalone/configuration/rolemapping/rolemapping.properties
. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.3, “(Optional) Providing the LDAP role mapping file”. -
RoleMapping replaceRole property (
AUTH_ROLE_MAPPER_REPLACE_ROLE
): If set totrue
, mapped roles replace the roles defined on the LDAP server; if set tofalse
, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting isfalse
.
-
RoleMapping rolesProperties file path (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
3.1.7. Enabling Prometheus metric collection for monitoring and a single Process Server
If you want to configure your Process Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Process Server at deployment time.
Prerequisites
- You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.
Procedure
To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED
) parameter to false
.
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.
For instructions about configuring Prometheus metrics collection, see Managing and monitoring Process Server.
3.1.8. Completing deployment of the template for monitoring and a single Process Server
After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.
Procedure
Depending on the method that you are using, complete the following steps:
In the OpenShift Web UI, click Create.
-
If the
This will create resources that may have security or project behavior implications
message appears, click Create Anyway.
-
If the
- Complete the command line and press Enter.
3.2. Deploying an additional managed Process Server for a freeform environment
You can add a managed Process Server to a freeform environment. This server can use a PostgreSQL or MySQL database server in a pod or an external database server.
Deploy the server in the same project as the Business Central Monitoring deployment.
The Process Server loads services from a Maven repository.
The server starts with no loaded services. Use Business Central Monitoring or the REST API of the Process Server to deploy and undeploy services on the server.
3.2.1. Starting configuration of the template for an additional managed Process Server
To deploy an additional managed Process Server, use one of the following template files:
-
rhpam76-kieserver-postgresql.yaml
to use a PostgreSQL pod for persistent storage. Use this template unless you have a specific reason to use another template. -
rhpam76-kieserver-mysql.yaml
to use a MySQL pod for persistent storage. rhpam76-kieserver-externaldb.yaml
to use an external database server for persistent storage.ImportantThe standard Process Server image for an external database server includes drivers for MySQL and PostgreSQL external database servers. If you want to use another database server, you must build a custom Process Server image. For instructions, see Section 2.4, “Building a custom Process Server extension image for an external database”.
Procedure
-
Download the
rhpam-7.6.0-openshift-templates.zip
product deliverable file from the Software Downloads page of the Red Hat Customer Portal. - Extract the required template file.
Use one of the following methods to start deploying the template:
-
To use the OpenShift Web UI, in the OpenShift application console select Add to Project
Import YAML / JSON and then select or paste the <template-file-name>.yaml
file. In the Add Template window, ensure Process the template is selected and click Continue. To use the OpenShift command line console, prepare the following command line:
oc new-app -f <template-path>/<template-file-name>.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value
In this command line, make the following changes:
-
Replace
<template-path>
with the path to the downloaded template file. -
Replace
<template-file-name>
with the name of the template file. -
Use as many
-p PARAMETER=value
pairs as needed to set the required parameters.
-
Replace
-
To use the OpenShift Web UI, in the OpenShift application console select Add to Project
Next steps
Set the parameters for the template. Follow the steps in Section 3.2.2, “Setting required parameters for an additional managed Process Server” to set common parameters. You can view the template file to see descriptions for all parameters.
3.2.2. Setting required parameters for an additional managed Process Server
When configuring the template to deploy an additional managed Process Server, you must set the following parameters in all cases.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
Set the following parameters:
-
KIE Server Keystore Secret Name (
KIE_SERVER_HTTPS_SECRET
): The name of the secret for Process Server, as created in Section 2.2, “Creating the secrets for Process Server”. -
KIE Server Certificate Name (
KIE_SERVER_HTTPS_NAME
): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for Process Server”. -
KIE Server Keystore Password (
KIE_SERVER_HTTPS_PASSWORD
): The password for the keystore that you created in Section 2.2, “Creating the secrets for Process Server”. -
Application Name (
APPLICATION_NAME
): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and Process Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the Process Server joins on Business Central Monitoring. If you are deploying several Process Servers, you must ensure each of the servers has a different application name. -
Maven repository URL (
MAVEN_REPO_URL
): A URL for a Maven repository. You must upload all the processes (KJAR files) that are to be deployed on the Process Server into this repository. -
Maven repository ID (
MAVEN_REPO_ID
): An identifier for the Maven repository. The default value isrepo-custom
. -
Maven repository username (
MAVEN_REPO_USERNAME
): The user name for the Maven repository. -
Maven repository password (
MAVEN_REPO_PASSWORD
): The password for the Maven repository. -
KIE Server Mode (
KIE_SERVER_MODE
): In therhpam76-kieserver-*.yaml
templates the default value isPRODUCTION
. InPRODUCTION
mode, you cannot deploySNAPSHOT
versions of KJAR artifacts on the Process Server and cannot change versions of an artifact in an existing container. To deploy a new version withPRODUCTION
mode, create a new container on the same Process Server. To deploySNAPSHOT
versions or to change versions of an artifact in an existing container, set this parameter toDEVELOPMENT
. -
ImageStream Namespace (
IMAGE_STREAM_NAMESPACE
): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace isopenshift
. If you have installed the image streams file, the namespace is the name of the OpenShift project.
-
KIE Server Keystore Secret Name (
You can set the following user name and password. By default, the deployment automatically generates the password.
-
KIE Server User (
KIE_SERVER_USER
) and KIE Server Password (KIE_SERVER_PWD
): The user name and password that a client application can use to connect to any of the Process Servers.
-
KIE Server User (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
3.2.3. Configuring the image stream namespace for an additional managed Process Server
If you created image streams in a namespace that is not openshift
, you must configure the namespace in the template.
If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE
) parameter to the name of your OpenShift project.
3.2.4. Configuring information about a Business Central Monitoring instance for an additional managed Process Server
To enable a connection from the Business Central Monitoring instance that you deployed to the Process Server, you must configure information about the Business Central Monitoring instance.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
Set the following parameters:
-
KIE Admin User (
KIE_ADMIN_USER
) and KIE Admin Password (KIE_ADMIN_PWD
): The user name and password for the administrative user. These values must be the same as theKIE_ADMIN_USER
andKIE_ADMIN_PWD
settings for the Business Central Monitoring. If the Business Central Monitoring uses RH-SSO or LDAP authentication, these values must be a user name and password configured in the authentication system with an administrator role for the Business Central Monitoring. -
Name of the Business Central service (
BUSINESS_CENTRAL_SERVICE
): The OpenShift service name for the Business Central Monitoring.
-
KIE Admin User (
Ensure that the following settings are set to the same value as the same settings for the Business Central Monitoring:
-
Maven repository URL (
MAVEN_REPO_URL
): A URL for the external Maven repository from which services must be deployed. -
Maven repository username (
MAVEN_REPO_USERNAME
): The user name for the Maven repository. -
Maven repository password (
MAVEN_REPO_PASSWORD
): The password for the Maven repository.
-
Maven repository URL (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
3.2.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an additional managed Process Server
When configuring the template to deploy an additional managed Process Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.6, “Preparing a Maven mirror repository for offline use”.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
To configure access to the Maven mirror, set the following parameters:
-
Maven mirror URL (
MAVEN_MIRROR_URL
): The URL for the Maven mirror repository that you set up in Section 2.6, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment. Maven mirror of (
MAVEN_MIRROR_OF
): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting themirrorOf
value, see Mirror Settings in the Apache Maven documentation. The default value isexternal:*
. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.-
If you configure an external Maven repository (
MAVEN_REPO_URL
), changeMAVEN_MIRROR_OF
to exclude the artifacts in this repository from the mirror, for example,external:*,!repo-custom
. Replacerepo-custom
with the ID that you configured inMAVEN_REPO_ID
. -
If you configure a built-in Business Central Maven repository (
BUSINESS_CENTRAL_MAVEN_SERVICE
), changeMAVEN_MIRROR_OF
to exclude the artifacts in this repository from the mirror:external:*,!repo-rhpamcentr
. -
If you configure both repositories, change
MAVEN_MIRROR_OF
to exclude the artifacts in both repositories from the mirror:external:*,!repo-rhpamcentr,!repo-custom
. Replacerepo-custom
with the ID that you configured inMAVEN_REPO_ID
.
-
If you configure an external Maven repository (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
3.2.6. Setting parameters for RH-SSO authentication for an additional managed Process Server
If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.
Do not configure LDAP authentication and RH-SSO authentication in the same deployment.
Prerequisites
- A realm for Red Hat Process Automation Manager is created in the RH-SSO authentication system.
User names and passwords for Red Hat Process Automation Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. The following users are required in order to set the parameters for the environment:
-
An administrative user with the
kie-server,rest-all,admin
roles. This user can administer and use the environment. Process Servers use this user to authenticate with Business Central Monitoring. -
A server user with the
kie-server,rest-all,user
roles. This user can make REST API calls to the Process Server. Business Central Monitoring uses this user to authenticate with Process Servers.
-
An administrative user with the
- Clients are created in the RH-SSO authentication system for all components of the Red Hat Process Automation Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Process Automation Manager deployment can create the clients. However, this option provides less detailed control over the environment.
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
-
Set the
KIE_ADMIN_USER
andKIE_ADMIN_PASSWORD
parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system. -
Set the
KIE_SERVER_USER
andKIE_SERVER_PASSWORD
parameters of the template to the user name and password of the server user that you created in the RH-SSO authentication system. Set the following parameters:
-
RH-SSO URL (
SSO_URL
): The URL for RH-SSO. -
RH-SSO Realm name (
SSO_REALM
): The RH-SSO realm for Red Hat Process Automation Manager. -
RH-SSO Disable SSL Certificate Validation (
SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
): Set totrue
if your RH-SSO installation does not use a valid HTTPS certificate.
-
RH-SSO URL (
Complete one of the following procedures:
If you created the client for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:
-
Business Central Monitoring RH-SSO Client name (
BUSINESS_CENTRAL_SSO_CLIENT
): The RH-SSO client name for Business Central Monitoring. -
KIE Server RH-SSO Client name (
KIE_SERVER_SSO_CLIENT
): The RH-SSO client name for Process Server. -
KIE Server RH-SSO Client Secret (
KIE_SERVER_SSO_SECRET
): The secret string that is set in RH-SSO for the client for Process Server.
-
Business Central Monitoring RH-SSO Client name (
To create the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:
-
KIE Server RH-SSO Client name (
KIE_SERVER_SSO_CLIENT
): The name of the client to create in RH-SSO for Process Server. -
KIE Server RH-SSO Client Secret (
KIE_SERVER_SSO_SECRET
): The secret string to set in RH-SSO for the client for Process Server. -
RH-SSO Realm Admin Username (
SSO_USERNAME
) and RH-SSO Realm Admin Password (SSO_PASSWORD
): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Process Automation Manager. You must provide this user name and password in order to create the required clients.
-
KIE Server RH-SSO Client name (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
After completing the deployment, review the URLs for components of Red Hat Process Automation Manager in the RH-SSO authentication system to ensure they are correct.
3.2.7. Setting parameters for LDAP authentication for an additional managed Process Server
If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.
Do not configure LDAP authentication and RH-SSO authentication in the same deployment.
Prerequisites
You created user names and passwords for Red Hat Process Automation Manager in the LDAP system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. As a minimum, in order to set the parameters for the environment, you created the following users:
-
An administrative user with the
kie-server,rest-all,admin
roles. This user can administer and use the environment. -
A server user with the
kie-server,rest-all,user
roles. This user can make REST API calls to the Process Server.
-
An administrative user with the
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:
-
KIE_ADMIN_USER
: default user nameadminUser
, roles:kie-server,rest-all,admin
KIE_SERVER_USER
: default user nameexecutionUser
, roleskie-server,rest-all,guest
For the user roles that you can configure in LDAP, see Roles and users.
-
Set the
AUTH_LDAP*
parameters of the template. These parameters correspond to the settings of theLdapExtended
Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Process Automation Manager roles. To enable LDAP role mapping, set the following parameters:
-
RoleMapping rolesProperties file path (
AUTH_ROLE_MAPPER_ROLES_PROPERTIES
): The fully qualified path name of a file that defines role mapping, for example,/opt/eap/standalone/configuration/rolemapping/rolemapping.properties
. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.3, “(Optional) Providing the LDAP role mapping file”. -
RoleMapping replaceRole property (
AUTH_ROLE_MAPPER_REPLACE_ROLE
): If set totrue
, mapped roles replace the roles defined on the LDAP server; if set tofalse
, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting isfalse
.
-
RoleMapping rolesProperties file path (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
3.2.8. Setting parameters for using an external database server for an additional managed Process Server
If you are using the rhpam76-kieserver-externaldb.yaml
template to use an external database server for the Process Server, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
Set the following parameters:
KIE Server External Database Driver (
KIE_SERVER_EXTERNALDB_DRIVER
): The driver for the server, depending on the server type:-
mysql
-
postgresql
-
mariadb
-
mssql
-
db2
-
oracle
-
sybase
-
-
KIE Server External Database User (
KIE_SERVER_EXTERNALDB_USER
) and KIE Server External Database Password (KIE_SERVER_EXTERNALDB_PWD
): The user name and password for the external database server -
KIE Server External Database URL (
KIE_SERVER_EXTERNALDB_URL
): The JDBC URL for the external database server KIE Server External Database Dialect (
KIE_SERVER_EXTERNALDB_DIALECT
): The Hibernate dialect for the server, depending on the server type:-
org.hibernate.dialect.MySQL5InnoDBDialect
(used for MySQL and MariaDB) -
org.hibernate.dialect.PostgreSQL82Dialect
-
org.hibernate.dialect.SQLServer2012Dialect
(used for MS SQL) -
org.hibernate.dialect.DB2Dialect
-
org.hibernate.dialect.Oracle10gDialect
-
org.hibernate.dialect.SybaseASE157Dialect
-
-
KIE Server External Database Host (
KIE_SERVER_EXTERNALDB_SERVICE_HOST
): The host name of the external database server -
KIE Server External Database Port (
KIE_SERVER_EXTERNALDB_SERVICE_PORT
): The port number of the external database server -
KIE Server External Database name (
KIE_SERVER_EXTERNALDB_DB
): The database name to use on the external database server -
JDBC Connection Checker class (
KIE_SERVER_EXTERNALDB_CONNECTION_CHECKER
): The name of the JDBC connection checker class for the database server. Without this information, a database server connection cannot be restored after it is lost, for example, if the database server is rebooted. -
JDBC Exception Sorter class (
KIE_SERVER_EXTERNALDB_EXCEPTION_SORTER
): The name of the JDBC exception sorter class for the database server. Without this information, a database server connection cannot be restored after it is lost, for example, if the database server is rebooted.
If you created a custom image for using an external database server other than MySQL or PostgreSQL, as described in Section 2.4, “Building a custom Process Server extension image for an external database”, set the following parameters:
-
Drivers Extension Image (
EXTENSIONS_IMAGE
): The ImageStreamTag definition of the extension image, for example,jboss-kie-db2-extension-openshift-image:11.1.4.4
-
Drivers ImageStream Namespace (
EXTENSIONS_IMAGE_NAMESPACE
): The namespace to which you uploaded the extension image, for example,openshift
or your project namespace.
-
Drivers Extension Image (
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
3.2.9. Enabling Prometheus metric collection for an additional managed Process Server
If you want to configure your Process Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Process Server at deployment time.
Prerequisites
- You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.
Procedure
To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED
) parameter to false
.
Next steps
If necessary, set additional parameters.
To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.
For instructions about configuring Prometheus metrics collection, see Managing and monitoring Process Server.
3.2.10. Completing deployment of the template for an additional managed Process Server
After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.
Procedure
Depending on the method that you are using, complete the following steps:
In the OpenShift Web UI, click Create.
-
If the
This will create resources that may have security or project behavior implications
message appears, click Create Anyway.
-
If the
- Complete the command line and press Enter.
3.3. (Optional) Providing the LDAP role mapping file
If you configure the AUTH_ROLE_MAPPER_ROLES_PROPERTIES
parameter, you must provide a file that defines the role mapping. Mount this file on all affected deployment configurations.
Procedure
Create the role mapping properties file, for example,
my-role-map
. The file must contain entries in the following format:ldap_role = product_role1, product_role2...
For example:
admins = kie-server,rest-all,admin
Create an OpenShift configuration map from the file by entering the following command:
oc create configmap ldap-role-mapping --from-file=<new_name>=<existing_name>
Replace
<new_name>
with the name that the file is to have on the pods (it must be the same as the name specified in theAUTH_ROLE_MAPPER_ROLES_PROPERTIES
file) and<existing_name>
with the name of the file that you created. Example:oc create configmap ldap-role-mapping --from-file=rolemapping.properties=my-role-map
Mount the configuration map on every deployment configuration that is configured for role mapping.
The following deployment configurations can be affected in this environment:
Replace
myapp
with the application name. Sometimes, several Process Server deployments can be present under different application names.For every deployment configuration, run the command:
oc set volume dc/<deployment_config_name> --add --type configmap --configmap-name ldap-role-mapping --mount-path=<mapping_dir> --name=ldap-role-mapping
Replace
<mapping_dir>
with the directory name (without file name) set in theAUTH_ROLE_MAPPER_ROLES_PROPERTIES
parameter, for example,/opt/eap/standalone/configuration/rolemapping
.