Chapter 2. Preparing to deploy Red Hat Process Automation Manager in your OpenShift environment

Before deploying Red Hat Process Automation Manager in your OpenShift environment, you must complete several tasks. You do not need to repeat these tasks if you want to deploy additional images, for example, for new versions of processes or for other processes.

2.1. Ensuring your environment is authenticated to the Red Hat registry

To deploy Red Hat Process Automation Manager components of Red Hat OpenShift Container Platform, you must ensure that OpenShift can download the correct images from the Red Hat registry.

OpenShift must be configured to authenticate with the Red Hat registry using your service account user name and password. This configuration is specific for a namespace, and if operators work, the configuration is already completed for the openshift namespace.

However, if the image streams for Red Hat Process Automation Manager are not found in the openshift namespace or if the operator is configured to update Red Hat Process Automation Manager to a new version automatically, the operator needs to download images into the namespace of your project. You must complete the authentication configuration for this namespace.

Procedure

  1. Ensure you are logged in to OpenShift with the oc command and that your project is active.
  2. Complete the steps documented in Registry Service Accounts for Shared Environments. You must log in to Red Hat Customer Portal to access the document and to complete the steps to create a registry service account.
  3. Select the OpenShift Secret tab and click the link under Download secret to download the YAML secret file.
  4. View the downloaded file and note the name that is listed in the name: entry.

  5. Run the following commands: 

    oc create -f <file_name>.yaml
oc secrets link default <secret_name> --for=pull
oc secrets link builder <secret_name> --for=pull

    Replace <file_name> with the name of the downloaded file and <secret_name> with the name that is listed in the name: entry of the file.

2.2. Creating the secrets for Process Server

OpenShift uses objects called secrets to hold sensitive information such as passwords or keystores. For more information about OpenShift secrets, see What is a secret in the OpenShift documentation.

In order to provide HTTPS access, Process Server uses an SSL certificate. The deployment can create a sample secret automatically. However, in production environments you must create an SSL certificate for Process Server and provide it to your OpenShift environment as a secret.

Procedure

  1. Generate an SSL keystore with a private and public key for SSL encryption for Process Server. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for Process Server.

  2. Save the keystore in a file named keystore.jks.
  3. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  4. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.

  5. Use the oc command to generate a secret named kieserver-app-secret from the new keystore file: 

    $ oc create secret generic kieserver-app-secret --from-file=keystore.jks

2.3. Creating the secrets for Business Central

In order to provide HTTPS access, Business Central uses an SSL certificate. The deployment can create a sample secret automatically. However, in production environments you must create an SSL certificate for Business Central and provide it to your OpenShift environment as a secret.

Do not use the same certificate and keystore for Business Central and Process Server.

Procedure

  1. Generate an SSL keystore with a private and public key for SSL encryption for Business Central. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for Business Central.

  2. Save the keystore in a file named keystore.jks.
  3. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  4. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.

  5. Use the oc command to generate a secret named businesscentral-app-secret from the new keystore file: 

    $ oc create secret generic businesscentral-app-secret --from-file=keystore.jks

2.4. Creating the secrets for Smart Router

In order to provide HTTPS access, Smart Router uses an SSL certificate. The deployment can create a sample secret automatically. However, in production environments you must create an SSL certificate for Smart Router and provide it to your OpenShift environment as a secret.

Do not use the same certificate and keystore for Smart Router as the ones used for Process Server or Business Central.

Procedure

  1. Generate an SSL keystore with a private and public key for SSL encryption for Smart Router. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for Smart Router.

  2. Save the keystore in a file named keystore.jks.
  3. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  4. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.

  5. Use the oc command to generate a secret named smartrouter-app-secret from the new keystore file: 

    $ oc create secret generic smartrouter-app-secret --from-file=keystore.jks

2.5. Changing GlusterFS configuration

You must check whether your OpenShift environment uses GlusterFS to provide permanent storage volumes. If it uses GlusterFS, to ensure optimal performance of Business Central, you must tune your GlusterFS storage by changing the storage class configuration.

Procedure

  1. To check whether your environment uses GlusterFS, enter the following command: 

    oc get storageclass

    In the results, check whether the (default) marker is on the storage class that lists glusterfs. For example, in the following output the default storage class is gluster-container, which does list glusterfs: 

    NAME              PROVISIONER                       AGE
gluster-block     gluster.org/glusterblock          8d
gluster-container (default) kubernetes.io/glusterfs 8d

    If the result has a default storage class that does not list glusterfs or if the result is empty, you do not need to make any changes. In this case, skip the rest of this procedure.

  2. To save the configuration of the default storage class into a YAML file, enter the following command: 

    oc get storageclass <class-name> -o yaml >storage_config.yaml

    Replace <class-name> with the name of the default storage class. Example: 

    oc get storageclass gluster-container -o yaml >storage_config.yaml

  3. Edit the storage_config.yaml file:

    1. Remove the lines with the following keys:

      • creationTimestamp
      • resourceVersion
      • selfLink
      • uid

    2. If you are planning to use Business Central only as a single pod, without high-availability configuration, on the line with the volumeoptions key, add the following options: 

      features.cache-invalidation on
performance.nl-cache on

      For example:

      volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, performance.nl-cache on

    3. If you are planning to use Business Central in a high-availability configuration, on the line with the volumeoptions key, add the following options: 

      features.cache-invalidation on
nfs.trusted-write on
nfs.trusted-sync on
performance.nl-cache on
performance.stat-prefetch off
performance.read-ahead off
performance.write-behind off
performance.readdir-ahead off
performance.io-cache off
performance.quick-read off
performance.open-behind off
locks.mandatory-locking off
performance.strict-o-direct on

      For example:

      volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, nfs.trusted-write on, nfs.trusted-sync on, performance.nl-cache on, performance.stat-prefetch off, performance.read-ahead off, performance.write-behind off, performance.readdir-ahead off, performance.io-cache off, performance.quick-read off, performance.open-behind off, locks.mandatory-locking off, performance.strict-o-direct on

  4. To remove the existing default storage class, enter the following command: 

    oc delete storageclass <class-name>

    Replace <class-name> with the name of the default storage class. Example: 

    oc delete storageclass gluster-container

  5. To re-create the storage class using the new configuration, enter the following command: 

    oc create -f storage_config.yaml

2.6. Preparing a Maven mirror repository for offline use

If your Red Hat OpenShift Container Platform environment does not have outgoing access to the public Internet, you must prepare a Maven repository with a mirror of all the necessary artifacts and make this repository available to your environment.

Note

You do not need to complete this procedure if your Red Hat OpenShift Container Platform environment is connected to the Internet.

Prerequisites

  • A computer that has outgoing access to the public Internet is available.

Procedure

  1. Prepare a Maven release repository to which you can write. The repository must allow read access without authentication. Your OpenShift environment must have access to this repository. You can deploy a Nexus repository manager in the OpenShift environment. For instructions about setting up Nexus on OpenShift, see Setting up Nexus. Use this repository as a separate mirror repository.

    Alternatively, if you use a custom external repository (for example, Nexus) for your services, you can use the same repository as a mirror repository.

  2. On the computer that has an outgoing connection to the public Internet, complete the following steps:

    1. Download the latest version of the Offliner tool.
    2. Download the rhpam-7.5.1-offliner.txt product deliverable file from the Software Downloads page of the Red Hat Customer Portal.

    3. Enter the following command to use the Offliner tool to download the required artifacts: 

      java -jar offliner-<version>.jar -r https://maven.repository.redhat.com/ga/ -r https://repo1.maven.org/maven2/ -d /home/user/temp rhpam-7.5.1-offliner.txt

      Replace /home/user/temp with an empty temporary directory and <version> with the version of the Offliner tool that you downloaded. The download can take a significant amount of time.

    4. Upload all artifacts from the temporary directory to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility to upload the artifacts.

  3. If you developed services outside Business Central and they have additional dependencies, add the dependencies to the mirror repository. If you developed the services as Maven projects, you can use the following steps to prepare these dependencies automatically. Complete the steps on the computer that has an outgoing connection to the public Internet.

    1. Create a backup of the local Maven cache directory (~/.m2/repository) and then clear the directory.
    2. Build the source of your projects using the mvn clean install command.

    3. For every project, enter the following command to ensure that Maven downloads all runtime dependencies for all the artifacts generated by the project: 

      mvn -e -DskipTests dependency:go-offline -f /path/to/project/pom.xml --batch-mode -Djava.net.preferIPv4Stack=true

      Replace /path/to/project/pom.xml with the correct path to the pom.xml file of the project.

    4. Upload all artifacts from the local Maven cache directory (~/.m2/repository) to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility to upload the artifacts.