Chapter 3. Authoring or managed server environment

You can deploy an environment for creating and modifying services using Business Central and for running them in Decision Servers managed by Business Central. This environment consists of Business Central and one or more Decision Servers.

You can use Business Central both to develop services and to deploy them to one or several Decision Servers. For example, you can deploy test versions of services to one Decision Server and production versions to another Decision Server.

To avoid accidentally deploying wrong versions to a production Decision Server, you can create separate environments to author services (authoring environment) and to manage deployment of production services (managed server environment). You can use a shared external Maven repository between these environments, so that services developed in the authoring environment are available in the managed server environment. However, the procedures to deploy these environments are the same.

Depending on your needs, you can deploy either a single or high-availability (HA) Business Central. A single Business Central pod is not replicated; only a single copy of Business Central is used. In an HA Business Central deployment, you can scale Business Central.

An HA Business Central provides maximum reliability and responsiveness for authoring services, but has higher memory and storage requirements and also requires support for persistent volumes with ReadWriteMany mode.

Important

In Red Hat Decision Manager 7.4, high-availability Business Central functionality is for Technology Preview only. For more information on Red Hat Technology Preview features, see Technology Preview Features Scope.

You can scale Decision Server pods as necessary in any version of the authoring or managed server environment.

To deploy an authoring or managed server environment, first deploy the single or high-availability Business Central and a single Decision Server using the authoring template.

To add additional Decision Servers, you can deploy the Decision Server template in the same project.

3.1. Deploying an authoring environment

You can use OpenShift templates to deploy a single or high-availability authoring environment. This environment consists of Business Central and a single Decision Server.

3.1.1. Starting configuration of the template for an authoring environment

If you want to deploy a single authoring environment, use the rhdm74-authoring.yaml template file.

If you want to deploy a high-availability authoring environment, use the rhdm74-authoring-ha.yaml template file.

Procedure

  1. Download the rhdm-7.4.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the required template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the <template-file-name>.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/&lt;template-file-name&gt;.yaml -p DECISION_CENTRAL_HTTPS_SECRET=decisioncentral-app-secret -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Replace <template-file-name> with the name of the template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.1.2, “Setting required parameters for an authoring environment” to set common parameters. You can view the template file to see descriptions for all parameters.

3.1.2. Setting required parameters for an authoring environment

When configuring the template to deploy an authoring environment, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

  2. You can set the following user names and passwords. By default, the deployment automatically generates the passwords.

    • KIE Admin User (KIE_ADMIN_USER) and KIE Admin Password (KIE_ADMIN_PWD): The user name and password for the administrative user. If you want to use the Business Central to control or monitor any Decision Servers other than the Decision Server deployed by the same template , you must set and record the user name and password.
    • KIE Server User (KIE_SERVER_USER) and KIE Server Password (KIE_SERVER_PWD): The user name and password that a client application can use to connect to any of the Decision Servers.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

3.1.3. Configuring the image stream namespace for an authoring environment

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

  1. If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.
  2. If you are deploying a high-availability authoring environment and installed an image streams file for AMQ scaledown controller image streams according to instructions in Section 2.2, “Ensuring the availability of AMQ scaledown controller image streams for a high-availability deployment”, set the AMQ Scaledown Controller ImageStream Namespace (AMQ_SCALEDOWN_CONTROLLER_IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

3.1.4. Setting an optional Maven repository for an authoring environment

When configuring the template to deploy an authoring environment, if you want to place the built KJAR files into an external Maven repository, you must set parameters to access the repository.

Prerequisites

Procedure

To configure access to a custom Maven repository, set the following parameters:

  • Maven repository URL (MAVEN_REPO_URL): The URL for the Maven repository.
  • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
  • Maven repository username (MAVEN_REPO_USERNAME): The username for the Maven repository.
  • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

Important

To export or push Business Central projects as KJAR artifacts to the external Maven repository, you must also add the repository information in the pom.xml file for every project. For information about exporting Business Central projects to an external repository, see Packaging and deploying a Red Hat Decision Manager project.

3.1.5. Specifying credentials to access the built-in Maven repository for an authoring environment

When configuring the template to deploy an authoring environment, if you want to use the Maven repository that is built into Business Central and to connect additional Decision Servers to the Business Central, you must configure credentials for accessing this Maven repository. You can then use these credentials to configure the Decision Servers.

Also, if you are configuring RH-SSO or LDAP authentication, you must set the credentials for the built-in Maven repository to a username and password configured in RH-SSO or LDAP. This setting is required so that the Decision Server can access the Maven repository.

Prerequisites

Procedure

To configure credentials for the built-in Maven repository, set the following parameters:

  • Username for the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_USERNAME): The user name for the built-in Maven repository.
  • Password for the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_PASSWORD): The password for the built-in Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

3.1.6. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an authoring environment

When configuring the template to deploy an authoring environment, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.
  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*,!repo-rhdmcentr; with this value, Maven retrieves artifacts from the built-in Maven repository of Business Central directly and retrieves any other required artifacts from the mirror. If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

3.1.7. Specifying the Git hooks directory for an authoring environment

You can use Git hooks to facilitate interaction between the internal Git repository of Business Central and an external Git repository.

If you want to use Git hooks, you must configure a Git hooks directory.

Prerequisites

Procedure

To configure a Git hooks directory, set the following parameter:

  • Git hooks directory (GIT_HOOKS_DIR): The fully qualified path to a Git hooks directory, for example, /opt/kie/data/git/hooks. You must provide the content of this directory and mount it at the specified path. For instructions about providing and mounting the Git hooks directory using a configuration map or a persistent volume, see Section 3.2, “(Optional) Providing the Git hooks directory”.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

3.1.8. Setting parameters for RH-SSO authentication for an authoring environment

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an authoring environment.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Decision Manager is created in the RH-SSO authentication system.

  • User names and passwords for Red Hat Decision Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Decision Manager roles and users. The following users are required in order to set the parameters for the environment:

    • An administrative user with the kie-server,rest-all,admin roles. This user can administer and use the environment. Decision Servers use this user to authenticate with Business Central.
    • A server user with the kie-server,rest-all,user roles. This user can make REST API calls to the Decision Server. Business Central uses this user to authenticate with Decision Servers.
  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Decision Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Decision Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for an authoring environment”.

Procedure

  1. Set the KIE_ADMIN_USER and KIE_ADMIN_PASSWORD parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system.
  2. Set the KIE_SERVER_USER and KIE_SERVER_PASSWORD parameters of the template to the user name and password of the server user that you created in the RH-SSO authentication system.

  3. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  4. Complete one of the following procedures:

    1. If you created the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • Business Central RH-SSO Client Secret (DECISION_CENTRAL_SSO_SECRET): The secret string that is set in RH-SSO for the client for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for Decision Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for Decision Server.

    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The name of the client to create in RH-SSO for Business Central.
      • Business Central RH-SSO Client Secret (DECISION_CENTRAL_SSO_SECRET): The secret string to set in RH-SSO for the client for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for Decision Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for Decision Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

3.1.9. Setting parameters for LDAP authentication for an authoring environment

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an authoring environment.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:

    • KIE_ADMIN_USER: default user name adminUser, roles: kie-server,rest-all,admin

    • KIE_SERVER_USER: default user name executionUser, roles kie-server,rest-all,guest

      For the user roles that you can configure in LDAP, see Roles and users.

  2. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

3.1.10. Enabling Prometheus metric collection for an authoring environment

If you want to configure your Decision Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Decision Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an authoring environment”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring Decision Server.

3.1.11. Completing deployment of the template for an authoring environment

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.2. (Optional) Providing the Git hooks directory

If you configure the GIT_HOOKS_DIR parameter, you must provide a directory of Git hooks and must mount this directory on the Business Central deployment.

The typical use of Git hooks is interaction with an upstream repository. To enable Git hooks to push commits into an upstream repository, you must also provide a secret key that corresponds to a public key configured on the upstream repository.

Procedure

  1. If interaction with an upstream repository using SSH authentication is required, complete the following steps to prepare and mount a secret with the necessary files:

    1. Prepare the id_rsa file with a private key that matches a public key stored in the repository.
    2. Prepare the known_hosts file with the correct name, address, and public key for the repository.

    3. Create a secret with the two files using the oc command, for example: 

      oc create secret git-hooks-secret --from-file=id_rsa=id_rsa --from-file=known_hosts=known_hosts

    4. Mount the secret in the SSH key path of the Business Central deployment, for example: 

      oc set volume dc/<myapp>-rhdmcentr --add --type secret --secret-name git-hooks-secret --mount-path=/home/jboss/.ssh --name=ssh-key

      Replace <myapp> with the application name that you set when configuring the template.

  2. Create the Git hooks directory. For instructions, see the Git hooks reference documentation.

    For example, a simple Git hooks directory can provide a post-commit hook that pushes the changes upstream. If the project was imported into Business Central from a repository, this repository remains configured as the upstream repository. Create a file named post-commit with permission values 755 and the following content: 

    git push

  3. Supply the Git hooks directory to the Business Central deployment. You can use a configuration map or a persistent volume.

    1. If the Git hooks consist of one or several fixed script files, use a configuration map. Complete the following steps:

      1. Change into the Git hooks directory that you have created.

      2. Create an OpenShift configuration map from the files in the directory. Run the following command: 

        oc create configmap git-hooks --from-file=<file_1>=<file_1> --from-file=<file_2>=<file_2> ...

        Replace file_1, file_2, and so on with Git hook script file names. Example: 

        oc create configmap git-hooks --from-file=post-commit=post-commit

      3. Mount the configuration map on the Business Central deployment in the path that you have configured: 

        oc set volume dc/<myapp>-rhdmcentr --add --type configmap --configmap-name git-hooks  --mount-path=<git_hooks_dir> --name=git-hooks

        Replace <myapp> with the application name that was set when configuring the template and <git_hooks_dir> is the value of GIT_HOOKS_DIR that was set when configuring the template.

    2. If the Git hooks consist of long files or depend on binaries, such as executable or KJAR files, use a persistence volume. You must create a persistent volume, create a persistent volume claim and associate the volume with the claim, transfer files to the volume, and mount the volume in the myapp-rhdmcentr deployment configuration (replace myapp with the application name). For instructions about creating and mounting persistence volumes, see Using persistent volumes. For instructions about copying files onto a persistent volume, see Transferring files in and out of containers.

  4. Wait a few minutes, then review the list and status of pods in your project. Because Business Central does not start until you provide the Git hooks directory, the Decision Server might not start at all. To see if it has started, check the output of the following command: 

    oc get pods

    If a working Decision Server pod is not present, start it: 

    oc rollout latest dc/<myapp>-kieserver

    Replace <myapp> with the application name that was set when configuring the template.

3.3. Deploying an additional managed Decision Server for an authoring or managed environment

You can deploy an additional managed Decision Server to an authoring or managed environment. Deploy the server in the same project as the Business Central deployment.

The Decision Server loads services from a Maven repository. You must configure the server to use either the Business Central built-in repository or an external repository.

The server starts with no loaded services. Use Business Central or the REST API of the Decision Server to deploy and undeploy services on the server.

3.3.1. Starting configuration of the template for an additional managed Decision Server

To deploy an additional managed Decision Server, use the rhdm74-kieserver.yaml template file.

Procedure

  1. Download the rhdm-7.4.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the rhdm74-kieserver.yaml template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the rhdm74-kieserver.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/rhdm74-kieserver.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.3.2, “Setting required parameters for an additional managed Decision Server” to set common parameters. You can view the template file to see descriptions for all parameters.

3.3.2. Setting required parameters for an additional managed Decision Server

When configuring the template to deploy an additional managed Decision Server, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for Decision Server, as created in Section 2.3, “Creating the secrets for Decision Server”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.3, “Creating the secrets for Decision Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.3, “Creating the secrets for Decision Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and Decision Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the Decision Server joins on Business Central. If you are deploying several Decision Servers, you must ensure each of the servers has a different application name.
    • KIE Server Mode (KIE_SERVER_MODE): In the rhdm74-kieserver.yaml template the default value is PRODUCTION. In PRODUCTION mode, you cannot deploy SNAPSHOT versions of KJAR artifacts on the Decision Server and cannot change versions of an artifact in an existing container. To deploy a new version with PRODUCTION mode, create a new container on the same Decision Server. To deploy SNAPSHOT versions or to change versions of an artifact in an existing container, set this parameter to DEVELOPMENT.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

  2. You can set the following user name and password. By default, the deployment automatically generates the password.

    • KIE Server User (KIE_SERVER_USER) and KIE Server Password (KIE_SERVER_PWD): The user name and password that a client application can use to connect to any of the Decision Servers.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

3.3.3. Configuring the image stream namespace for an additional managed Decision Server

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

3.3.4. Configuring information about a Business Central instance for an additional managed Decision Server

If you want to enable a connection from a Business Central instance in the same namespace to the Decision Server, you must configure information about the Business Central instance.

Prerequisites

Procedure

  1. Set the following parameters:

    • KIE Admin User (KIE_ADMIN_USER) and KIE Admin Password (KIE_ADMIN_PWD): The user name and password for the administrative user. These values must be the same as the KIE_ADMIN_USER and KIE_ADMIN_PWD settings for the Business Central. If the Business Central uses RH-SSO or LDAP authentication, these values must be a user name and password configured in the authentication system with an administrator role for the Business Central.
    • Name of the Business Central service (DECISION_CENTRAL_SERVICE): The OpenShift service name for the Business Central.

  2. Configure access to the Maven repository from which the server must load services. You must configure the same repository that the Business Central uses.

    • If the Business Central uses its own built-in repository, set the following parameters:

      • Name of the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_SERVICE): The OpenShift service name for the Business Central.
      • Username for the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_USERNAME): The user name for the built-in Maven repository of the Business Central. Enter the user name that you configured for the Business Central as DECISION_CENTRAL_MAVEN_USERNAME.
      • Password to access the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_PASSWORD): The password for the built-in Maven repository of the Business Central. Enter the password that you configured for the Business Central as DECISION_CENTRAL_MAVEN_PASSWORD.

    • If you configured the Business Central to use an external Maven repository, set the following parameters:

      • Maven repository URL (MAVEN_REPO_URL): A URL for the external Maven repository that Business Central uses.
      • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
      • Maven repository username (MAVEN_REPO_USERNAME): The username for the Maven repository.
      • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

3.3.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an additional managed Decision Server

When configuring the template to deploy an additional managed Decision Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.

  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (BUSINESS_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhdmcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhdmcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

3.3.6. Setting parameters for RH-SSO authentication for an additional managed Decision Server

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an additional managed Decision Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Decision Manager is created in the RH-SSO authentication system.
  • User names and passwords for Red Hat Decision Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Decision Manager roles and users. In order to set the parameters for the environment, an administrative user with the kie-server,rest-all,admin roles is required. The default user name for this user is adminUser. This user can administer and use the environment.
  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Decision Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Decision Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 3.3.1, “Starting configuration of the template for an additional managed Decision Server”.

Procedure

  1. Set the KIE_ADMIN_USER and KIE_ADMIN_PASSWORD parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system.

  2. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  3. Complete one of the following procedures:

    1. If you created the client for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for Decision Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for Decision Server.

    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for Decision Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for Decision Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

3.3.7. Setting parameters for LDAP authentication for an additional managed Decision Server

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an additional managed Decision Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:

    • KIE_ADMIN_USER: default user name adminUser, roles: kie-server,rest-all,admin

    • KIE_SERVER_USER: default user name executionUser, roles kie-server,rest-all,guest

      For the user roles that you can configure in LDAP, see Roles and users.

  2. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

3.3.8. Enabling Prometheus metric collection for an additional managed Decision Server

If you want to configure your Decision Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Decision Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.3.9, “Completing deployment of the template for an additional managed Decision Server”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring Decision Server.

3.3.9. Completing deployment of the template for an additional managed Decision Server

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.4. (Optional) Providing the LDAP role mapping file

If you configure the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, you must provide a file that defines the role mapping. Mount this file on all affected deployment configurations.

Procedure

  1. Create the role mapping properties file, for example, my-role-map. The file must contain entries in the following format: 

    ldap_role = product_role1, product_role2...

    For example: 

    admins = kie-server,rest-all,admin

  2. Create an OpenShift configuration map from the file by entering the following command: 

    oc create configmap ldap-role-mapping --from-file=<new_name>=<existing_name>

    Replace <new_name> with the name that the file is to have on the pods (it must be the same as the name specified in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES file) and <existing_name> with the name of the file that you created. Example: 

    oc create configmap ldap-role-mapping --from-file=rolemapping.properties=my-role-map

  3. Mount the configuration map on every deployment configuration that is configured for role mapping.

    The following deployment configurations can be affected in this environment:

    • myapp-rhdmcentr: Business Central
    • myapp-kieserver: Decision Server

    Replace myapp with the application name. Sometimes, several Decision Server deployments can be present under different application names.

    For every deployment configuration, run the command: 

     oc set volume dc/<deployment_config_name> --add --type configmap --configmap-name ldap-role-mapping --mount-path=<mapping_dir> --name=ldap-role-mapping

    Replace <mapping_dir> with the directory name (without file name) set in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, for example, /opt/eap/standalone/configuration/rolemapping .