Chapter 3. Freeform managed server environment

You can deploy a freeform server environment that includes several different pods running Process Server. These Process Servers can run different services for staging or production purposes. You can add and remove servers as necessary at any time.

You start deploying a freeform managed server environment by deploying Business Central Monitoring and one managed Process Server. You can use Business Central Monitoring to monitor and, when necessary, manage the execution of services on Process Servers. This environment does not include Smart Router.

You can also deploy additional managed Process Servers. Each Process Server can be separately scaled as necessary.

On a managed Process Server, no services are initially loaded. Use Business Central Monitoring or the REST API of the Process Server to deploy and undeploy processes on the server.

You must provide a Maven repository with the processes (KJAR files) that you want to deploy on the servers. Your integration process must ensure that the required versions of the processes are uploaded to the Maven repository. You can use Business Central in a development environment to create the processes and upload them to the Maven repository.

Each Process Server uses a database server. Usually, the database servers also run in pods, although you can set up a Process Server to use an external database server.

You can also deploy immutable Process Servers in the same namespace. You can use Business Central Monitoring to view monitoring information for all Process Servers in the environment, including immutable servers. For instructions about deploying immutable Process Servers, see Deploying a Red Hat Process Automation Manager immutable server environment on Red Hat OpenShift Container Platform.

3.1. Deploying monitoring and a single Process Server for a freeform environment

To start deploying a freeform environment, deploy Business Central Monitoring and a single managed Process Server, which uses a PostgreSQL database server in a pod. No services are loaded on the Process Server. Use Business Central Monitoring to deploy and undeploy services on the server.

You can then add more Process Servers as necessary.

3.1.1. Starting configuration of the template for monitoring and a single Process Server

To deploy Business Central Monitoring and a single managed Process Server, use the rhpam76-managed.yaml template file.

Procedure

  1. Download the rhpam-7.6.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the rhpam76-managed.yaml template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the rhpam76-managed.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/rhpam76-managed.yaml -p BUSINESS_CENTRAL_HTTPS_SECRET=businesscentral-app-secret -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.1.2, “Setting required parameters for monitoring and a single Process Server” to set common parameters. You can view the template file to see descriptions for all parameters.

3.1.2. Setting required parameters for monitoring and a single Process Server

When configuring the template to deploy Business Central Monitoring and a single managed Process Server, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • Business Central Monitoring Server Keystore Secret Name (BUSINESS_CENTRAL_HTTPS_SECRET): The name of the secret for Business Central, as created in Section 2.3, “Creating the secrets for Business Central”.
    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for Process Server, as created in Section 2.2, “Creating the secrets for Process Server”.
    • Business Central Monitoring Server Certificate Name (BUSINESS_CENTRAL_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.3, “Creating the secrets for Business Central”.
    • Business Central Monitoring Server Keystore Password (BUSINESS_CENTRAL_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.3, “Creating the secrets for Business Central”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for Process Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.2, “Creating the secrets for Process Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and Process Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts.
    • Enable KIE server global discovery (KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED): Set this parameter to true if you want Business Central Monitoring to discover all Process Servers with the OpenShiftStartupStrategy in the same namespace. By default, Business Central Monitoring discovers only Process Servers that are deployed with the same value of the APPLICATION_NAME parameter as Business Central Monitoring itself.
    • Maven repository URL (MAVEN_REPO_URL): A URL for a Maven repository. You must upload all the processes (KJAR files) that are to be deployed on any Process Servers in your environment into this repository.
    • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
    • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
    • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.
    • KIE Server Mode (KIE_SERVER_MODE): In the rhpam76-managed.yaml template the default value is PRODUCTION. In PRODUCTION mode, you cannot deploy SNAPSHOT versions of KJAR artifacts on the Process Server and cannot change versions of an artifact in an existing container. To deploy a new version with PRODUCTION mode, create a new container on the same Process Server. To deploy SNAPSHOT versions or to change versions of an artifact in an existing container, set this parameter to DEVELOPMENT.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

  2. You can set the following user names and passwords. By default, the deployment automatically generates the passwords.

    • KIE Admin User (KIE_ADMIN_USER) and KIE Admin Password (KIE_ADMIN_PWD): The user name and password for the administrative user. If you want to use the Business Central Monitoring to control or monitor any Process Servers other than the Process Server deployed by the same template , you must set and record the user name and password.
    • KIE Server User (KIE_SERVER_USER) and KIE Server Password (KIE_SERVER_PWD): The user name and password that a client application can use to connect to any of the Process Servers.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

3.1.3. Configuring pod replica numbers for monitoring and a single Process Server

When configuring the template to deploy Business Central Monitoring and a single managed Process Server, you can set the initial number of replicas for Process Server and Business Central Monitoring.

Prerequisites

Procedure

To configure the numbers of replicas, set the following parameters:

  • Business Central Monitoring Container Replicas (BUSINESS_CENTRAL_MONITORING_CONTAINER_REPLICAS): The number of replicas that the deployment initially creates for Business Central Monitoring. If you do not want to use a high-availability configuration for Business Central Monitoring, set this number to 1.
  • KIE Server Container Replicas (KIE_SERVER_CONTAINER_REPLICAS): The number of replicas that the deployment initially creates for Process Server.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

3.1.4. Configuring access to a Maven mirror in an environment without a connection to the public Internet for monitoring and a single Process Server

When configuring the template to deploy Business Central Monitoring and a single managed Process Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.6, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.6, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.

  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (BUSINESS_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhpamcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhpamcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

3.1.5. Setting parameters for RH-SSO authentication for monitoring and a single Process Server

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy Business Central Monitoring and a single managed Process Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Process Automation Manager is created in the RH-SSO authentication system.

  • User names and passwords for Red Hat Process Automation Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. The following users are required in order to set the parameters for the environment:

    • An administrative user with the kie-server,rest-all,admin roles. This user can administer and use the environment. Process Servers use this user to authenticate with Business Central Monitoring.
    • A server user with the kie-server,rest-all,user roles. This user can make REST API calls to the Process Server. Business Central Monitoring uses this user to authenticate with Process Servers.
  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Process Automation Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Process Automation Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for monitoring and a single Process Server”.

Procedure

  1. Set the KIE_ADMIN_USER and KIE_ADMIN_PASSWORD parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system.
  2. Set the KIE_SERVER_USER and KIE_SERVER_PASSWORD parameters of the template to the user name and password of the server user that you created in the RH-SSO authentication system.

  3. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Process Automation Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  4. Complete one of the following procedures:

    1. If you created the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:

      • Business Central Monitoring RH-SSO Client name (BUSINESS_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central Monitoring.
      • Business Central Monitoring RH-SSO Client Secret (BUSINESS_CENTRAL_SSO_SECRET): The secret string that is set in RH-SSO for the client for Business Central Monitoring.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for Process Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for Process Server.

    2. To create the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:

      • Business Central Monitoring RH-SSO Client name (BUSINESS_CENTRAL_SSO_CLIENT): The name of the client to create in RH-SSO for Business Central Monitoring.
      • Business Central Monitoring RH-SSO Client Secret (BUSINESS_CENTRAL_SSO_SECRET): The secret string to set in RH-SSO for the client for Business Central Monitoring.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for Process Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for Process Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Process Automation Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

After completing the deployment, review the URLs for components of Red Hat Process Automation Manager in the RH-SSO authentication system to ensure they are correct.

3.1.6. Setting parameters for LDAP authentication for monitoring and a single Process Server

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy Business Central Monitoring and a single managed Process Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:

    • KIE_ADMIN_USER: default user name adminUser, roles: kie-server,rest-all,admin

    • KIE_SERVER_USER: default user name executionUser, roles kie-server,rest-all,guest

      For the user roles that you can configure in LDAP, see Roles and users.

  2. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Process Automation Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.3, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

3.1.7. Enabling Prometheus metric collection for monitoring and a single Process Server

If you want to configure your Process Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Process Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.8, “Completing deployment of the template for monitoring and a single Process Server”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring Process Server.

3.1.8. Completing deployment of the template for monitoring and a single Process Server

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.2. Deploying an additional managed Process Server for a freeform environment

You can add a managed Process Server to a freeform environment. This server can use a PostgreSQL or MySQL database server in a pod or an external database server.

Deploy the server in the same project as the Business Central Monitoring deployment.

The Process Server loads services from a Maven repository.

The server starts with no loaded services. Use Business Central Monitoring or the REST API of the Process Server to deploy and undeploy services on the server.

3.2.1. Starting configuration of the template for an additional managed Process Server

To deploy an additional managed Process Server, use one of the following template files:

  • rhpam76-kieserver-postgresql.yaml to use a PostgreSQL pod for persistent storage. Use this template unless you have a specific reason to use another template.
  • rhpam76-kieserver-mysql.yaml to use a MySQL pod for persistent storage.

  • rhpam76-kieserver-externaldb.yaml to use an external database server for persistent storage.

    Important

    The standard Process Server image for an external database server includes drivers for MySQL and PostgreSQL external database servers. If you want to use another database server, you must build a custom Process Server image. For instructions, see Section 2.4, “Building a custom Process Server extension image for an external database”.

Procedure

  1. Download the rhpam-7.6.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the required template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the <template-file-name>.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/<template-file-name>.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Replace <template-file-name> with the name of the template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.2.2, “Setting required parameters for an additional managed Process Server” to set common parameters. You can view the template file to see descriptions for all parameters.

3.2.2. Setting required parameters for an additional managed Process Server

When configuring the template to deploy an additional managed Process Server, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for Process Server, as created in Section 2.2, “Creating the secrets for Process Server”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for Process Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.2, “Creating the secrets for Process Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and Process Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the Process Server joins on Business Central Monitoring. If you are deploying several Process Servers, you must ensure each of the servers has a different application name.
    • Maven repository URL (MAVEN_REPO_URL): A URL for a Maven repository. You must upload all the processes (KJAR files) that are to be deployed on the Process Server into this repository.
    • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
    • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
    • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.
    • KIE Server Mode (KIE_SERVER_MODE): In the rhpam76-kieserver-*.yaml templates the default value is PRODUCTION. In PRODUCTION mode, you cannot deploy SNAPSHOT versions of KJAR artifacts on the Process Server and cannot change versions of an artifact in an existing container. To deploy a new version with PRODUCTION mode, create a new container on the same Process Server. To deploy SNAPSHOT versions or to change versions of an artifact in an existing container, set this parameter to DEVELOPMENT.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

  2. You can set the following user name and password. By default, the deployment automatically generates the password.

    • KIE Server User (KIE_SERVER_USER) and KIE Server Password (KIE_SERVER_PWD): The user name and password that a client application can use to connect to any of the Process Servers.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

3.2.3. Configuring the image stream namespace for an additional managed Process Server

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

3.2.4. Configuring information about a Business Central Monitoring instance for an additional managed Process Server

To enable a connection from the Business Central Monitoring instance that you deployed to the Process Server, you must configure information about the Business Central Monitoring instance.

Prerequisites

Procedure

  1. Set the following parameters:

    • KIE Admin User (KIE_ADMIN_USER) and KIE Admin Password (KIE_ADMIN_PWD): The user name and password for the administrative user. These values must be the same as the KIE_ADMIN_USER and KIE_ADMIN_PWD settings for the Business Central Monitoring. If the Business Central Monitoring uses RH-SSO or LDAP authentication, these values must be a user name and password configured in the authentication system with an administrator role for the Business Central Monitoring.
    • Name of the Business Central service (BUSINESS_CENTRAL_SERVICE): The OpenShift service name for the Business Central Monitoring.

  2. Ensure that the following settings are set to the same value as the same settings for the Business Central Monitoring:

    • Maven repository URL (MAVEN_REPO_URL): A URL for the external Maven repository from which services must be deployed.
    • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
    • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

3.2.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an additional managed Process Server

When configuring the template to deploy an additional managed Process Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.6, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.6, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.

  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (BUSINESS_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhpamcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhpamcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

3.2.6. Setting parameters for RH-SSO authentication for an additional managed Process Server

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Process Automation Manager is created in the RH-SSO authentication system.

  • User names and passwords for Red Hat Process Automation Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Process Automation Manager roles and users. The following users are required in order to set the parameters for the environment:

    • An administrative user with the kie-server,rest-all,admin roles. This user can administer and use the environment. Process Servers use this user to authenticate with Business Central Monitoring.
    • A server user with the kie-server,rest-all,user roles. This user can make REST API calls to the Process Server. Business Central Monitoring uses this user to authenticate with Process Servers.
  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Process Automation Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Process Automation Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 3.2.1, “Starting configuration of the template for an additional managed Process Server”.

Procedure

  1. Set the KIE_ADMIN_USER and KIE_ADMIN_PASSWORD parameters of the template to the user name and password of the administrative user that you created in the RH-SSO authentication system.
  2. Set the KIE_SERVER_USER and KIE_SERVER_PASSWORD parameters of the template to the user name and password of the server user that you created in the RH-SSO authentication system.

  3. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Process Automation Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  4. Complete one of the following procedures:

    1. If you created the client for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:

      • Business Central Monitoring RH-SSO Client name (BUSINESS_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central Monitoring.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for Process Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for Process Server.

    2. To create the clients for Red Hat Process Automation Manager within RH-SSO, set the following parameters in the template:

      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for Process Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for Process Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Process Automation Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

After completing the deployment, review the URLs for components of Red Hat Process Automation Manager in the RH-SSO authentication system to ensure they are correct.

3.2.7. Setting parameters for LDAP authentication for an additional managed Process Server

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. In the LDAP service, create all user names in the deployment parameters. If you do not set any of the parameters, create users with the default user names. The created users must also be assigned to roles:

    • KIE_ADMIN_USER: default user name adminUser, roles: kie-server,rest-all,admin

    • KIE_SERVER_USER: default user name executionUser, roles kie-server,rest-all,guest

      For the user roles that you can configure in LDAP, see Roles and users.

  2. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Process Automation Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.3, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

3.2.8. Setting parameters for using an external database server for an additional managed Process Server

If you are using the rhpam76-kieserver-externaldb.yaml template to use an external database server for the Process Server, complete the following additional configuration when configuring the template to deploy an additional managed Process Server.

Prerequisites

Procedure

  1. Set the following parameters:

    • KIE Server External Database Driver (KIE_SERVER_EXTERNALDB_DRIVER): The driver for the server, depending on the server type:

      • mysql
      • postgresql
      • mariadb
      • mssql
      • db2
      • oracle
      • sybase
    • KIE Server External Database User (KIE_SERVER_EXTERNALDB_USER) and KIE Server External Database Password (KIE_SERVER_EXTERNALDB_PWD): The user name and password for the external database server
    • KIE Server External Database URL (KIE_SERVER_EXTERNALDB_URL): The JDBC URL for the external database server

    • KIE Server External Database Dialect (KIE_SERVER_EXTERNALDB_DIALECT): The Hibernate dialect for the server, depending on the server type:

      • org.hibernate.dialect.MySQL5InnoDBDialect (used for MySQL and MariaDB)
      • org.hibernate.dialect.PostgreSQL82Dialect
      • org.hibernate.dialect.SQLServer2012Dialect (used for MS SQL)
      • org.hibernate.dialect.DB2Dialect
      • org.hibernate.dialect.Oracle10gDialect
      • org.hibernate.dialect.SybaseASE157Dialect
    • KIE Server External Database Host (KIE_SERVER_EXTERNALDB_SERVICE_HOST): The host name of the external database server
    • KIE Server External Database Port (KIE_SERVER_EXTERNALDB_SERVICE_PORT): The port number of the external database server
    • KIE Server External Database name (KIE_SERVER_EXTERNALDB_DB): The database name to use on the external database server
    • JDBC Connection Checker class (KIE_SERVER_EXTERNALDB_CONNECTION_CHECKER): The name of the JDBC connection checker class for the database server. Without this information, a database server connection cannot be restored after it is lost, for example, if the database server is rebooted.
    • JDBC Exception Sorter class (KIE_SERVER_EXTERNALDB_EXCEPTION_SORTER): The name of the JDBC exception sorter class for the database server. Without this information, a database server connection cannot be restored after it is lost, for example, if the database server is rebooted.

  2. If you created a custom image for using an external database server other than MySQL or PostgreSQL, as described in Section 2.4, “Building a custom Process Server extension image for an external database”, set the following parameters:

    • Drivers Extension Image (EXTENSIONS_IMAGE): The ImageStreamTag definition of the extension image, for example, jboss-kie-db2-extension-openshift-image:11.1.4.4
    • Drivers ImageStream Namespace (EXTENSIONS_IMAGE_NAMESPACE): The namespace to which you uploaded the extension image, for example, openshift or your project namespace.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

3.2.9. Enabling Prometheus metric collection for an additional managed Process Server

If you want to configure your Process Server deployment to use Prometheus to collect and store metrics, enable support for this feature in Process Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.10, “Completing deployment of the template for an additional managed Process Server”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring Process Server.

3.2.10. Completing deployment of the template for an additional managed Process Server

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.3. (Optional) Providing the LDAP role mapping file

If you configure the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, you must provide a file that defines the role mapping. Mount this file on all affected deployment configurations.

Procedure

  1. Create the role mapping properties file, for example, my-role-map. The file must contain entries in the following format: 

    ldap_role = product_role1, product_role2...

    For example: 

    admins = kie-server,rest-all,admin

  2. Create an OpenShift configuration map from the file by entering the following command: 

    oc create configmap ldap-role-mapping --from-file=<new_name>=<existing_name>

    Replace <new_name> with the name that the file is to have on the pods (it must be the same as the name specified in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES file) and <existing_name> with the name of the file that you created. Example: 

    oc create configmap ldap-role-mapping --from-file=rolemapping.properties=my-role-map

  3. Mount the configuration map on every deployment configuration that is configured for role mapping.

    The following deployment configurations can be affected in this environment:

    Replace myapp with the application name. Sometimes, several Process Server deployments can be present under different application names.

    For every deployment configuration, run the command: 

     oc set volume dc/<deployment_config_name> --add --type configmap --configmap-name ldap-role-mapping --mount-path=<mapping_dir> --name=ldap-role-mapping

    Replace <mapping_dir> with the directory name (without file name) set in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, for example, /opt/eap/standalone/configuration/rolemapping .