CP4BA Process Federation Server parameters
The pfs_configuration section of the custom resource (CR) templates
includes all the parameters for configuring Process Federation Server. All parameters are
optional.
IBM Process Federation Server configuration parameters
| Parameter name | Description | Example values | Required |
|---|---|---|---|
| hostname | <meta-name>-pfs-route hostname. If the hostname is not set, a default hostname with the following format is used. This parameter is used only by stand-alone Business Automation Workflow on containers. | | |
| port | Process Federation Server port. The default value is 443. | 443 | |
| service_type | How the HTTPS endpoint service should be published. The default value is Route. | Route, ClusterIP, NodePort | |
| timezone | Timezone of the Process Federation Server. The default value is Etc/UTC. | Etc/UTC | No |
| elasticsearch.endpoint | Endpoint of your external Elasticsearch, such as: https://<external_es_host>:<external_es_port> | | |
| elasticsearch.admin_secret_name | The external Elasticsearch administrative secret that contains the following keys: | | |
| elasticsearch.connect_timeout | Number of seconds for external Elasticsearch connection timeout. The default value is 10s. | 10s | |
| elasticsearch.read_timeout | Number of seconds for external Elasticsearch read timeout. The default value is 30s. | 30s | |
| elasticsearch.thread_count | External Elasticsearch thread count. | | |
| admin_secret_name | Name of the Kubernetes secret that contains the Process Federation Server administration passwords, such as keystorePassword, ltpaPassword, oidcClientPassword, sslKeyPassword, and truststorePassword. The default value is ibm-pfs-admin-secret. | ibm-pfs-admin-secret | |
| config_dropins_overrides_secret | The name of the Kubernetes secret that contains the files that will be mounted in the /config/configDropins/overrides folder. | | |
| enable_notification_server | Whether to enable the notification server. The default value is true. | true | |
| enable_default_security_roles | Whether to enable default security roles. The default value is true. | true | |
| admin_user_id | Designate a list of users for the Process Federation Server administrator by entering the distinguished name for the LDAP user. This parameter is only used when enable_default_security_roles is true. | uid=cp4baAdminUser,ou=cp4ba,dc=company,dc=com | |
| admin_group_id | Designate a list of groups for the Process Federation Server administrator by entering the distinguished name for the LDAP group. This parameter is only used when enable_default_security_roles is true. | uid=cp4baAdminGroup,ou=cp4ba,dc=company,dc=com | |
| image.repository | Process Federation Server image. By default, the path points to the URL and location in the IBM Entitled Registry. The default value is <path>/pfs-prod where <path> is cp.icr.io/cp/cp4a/baw/. If sc_image_repository has a value, the path is that value. | <path>/pfs-prod | |
| image.tag | Process Federation Server image tag. If you want to use a specific image version, you can override the default tag or digest. | 24.0.0 | |
| image.pull_policy | Process Federation Server image pull policy. The default value is IfNotPresent. | IfNotPresent, Always | |
| seccomp_profile.type | The type of seccomp profile to be used by the pods. You can also define the seccomp profile globally at shared_configuration.sc_seccomp_profile. Supported values are: Unconfined, RuntimeDefault, and Localhost. For more information about seccomp profile, see Restrict a Container's Syscalls with seccomp. The default value is RuntimeDefault on OpenShift® Container Platform 4.11 and later. On other platforms, the default value is empty. | Localhost | No |
| seccomp_profile.localhost_profile | The local path of the seccomp profile file. This parameter is required if seccomp_profile.type is set to Localhost. The value of seccomp_profile.localhost_profile is ignored if seccomp_profile.type is set to anything other than Localhost. | profiles/audit.json | Only if seccomp_profile.type is set to Localhost. |
| enable_fips | For OpenShift Container Platform deployments on Red Hat Enterprise Linux (RHEL) Server - x86 only. Enable or disable Federal Information Processing Standards (FIPS) mode for your deployment. The default value is false. If you set this parameter to true, you must also set spec.shared_configuration.enable_fips in the icp4acluster CR to be true. | false | |
| liveness_probe.initial_delay_seconds | Number of seconds after Process Federation Server container starts before the liveness probe is initiated. The default value is 300. | 300 | |
| readiness_probe.initial_delay_seconds | Number of seconds after Process Federation Server container starts before the readiness probe is initiated. The default value is 240. | 240 | |
| replicas | Number of initial Process Federation Server pods. The default value is 1. In a production deployment cluster, it is recommended that you set a value of 2 or higher. | 1 | |
| service_account | Service account name for the Process Federation Server pod. | | |
| anti_affinity | Whether Kubernetes can (soft) or must not (hard) deploy Process Federation Server pods onto the same node. The default value is hard. | hard, soft | |
| resources_security_secret | The name of the Kubernetes secret that contains the files to be mounted in the /config/resources/security folder. | | |
| custom_libs_pvc | Name of an existing Kubernetes Persistent Volume Claim, which can optionally be provided to mount files on the Process Federation Server pod into the /config/resources/libs folder. | ltpa.keys | |
| external_tls_secret | This parameter is used only by stand-alone Business Automation Workflow on containers. For the pfs-route, the name of the secret that contains the certificates and Transport Layer Security (TLS) private key to be used for the route. If you set this parameter, the setting overrides the default generated certificate and the shared setting for route certificates. If you need to customize the route's certificate, create a secret that uses the following command and set the secret name to the property. The .crt file must contain the route certificate followed by any intermediate CA signer certificates and the root CA signer certificate in an unencrypted PEM format. The key file must also be in unencrypted PEM format. | | |
| external_tls_ca_secret | This parameter is used only by stand-alone Business Automation Workflow on containers. For the pfs-route, provide the name of the secret containing the root CA certificate that signed the route certificate. If a customized secret for external_tls_secret is provided, you must also set the external_tls_ca_secret using the following command. The .crt file must contain the root CA signer certificate in an unencrypted PEM format. | | |
| monitor_enabled | Specify whether to use the built-in monitoring capability. The default value is false. | false | |
| tls.tls_secret_name | Existing TLS secret that contains the tls.key and tls.crt keys. The certificate should be signed by the CA in shared_configuration.root_ca_secret. If you don't want to use a customized TLS certificate, leave it empty. | | |
| tls.tls_trust_list | Existing TLS trust secret. | | |
| tls.tls_trust_store | Secret to store your custom trusted keystore (optional). The type for the keystore must be JKS or PKCS12. All certificates from the keystore are imported into the trust keystore of the Process Federation Server. You cannot use this parameter when FIPS mode is enabled. Externally sourced trust stores are also not supported. You might run the following sample command to create the secret: | | |
| resources.requests.cpu | Requested CPU for Process Federation Server Resource Registry configuration. The default value is 500m. | 500m | |
| resources.requests.memory | Minimum memory required to start an Elasticsearch pod. This memory includes the JVM heap and file system cache. The default value is 512Mi. | 512Mi | |
| resources.limits.cpu | CPU limit for the Process Federation Server Resource Registry configuration. The default value is 2. | 2 | |
| resources.limits.memory | Maximum memory to allocate to each Elasticsearch pod. This memory includes the JVM heap and file system cache. The default value is 4Gi. | 4Gi | |
| saved_searches.index_name | The name of the Elasticsearch index used to store saved searches. The default value is ibmpfssavedsearches. | ibmpfssavedsearches | |
| saved_searches.index_number_of_shards | Number of shards of the Elasticsearch index used to store saved searches. The default value is 3. | 3 | |
| saved_searches.index_number_of_replicas | Number of replicas (pods) of the Elasticsearch index used to store saved searches. The default value is 1. | 1 | |
| saved_searches.index_batch_size | Batch size used for retrieving saved searches. The default value is 100. | 100 | |
| saved_searches.update_lock_expiration | Amount of time before an update lock is expired. Valid values are numbers with a trailing 'm' or 's' for minutes or seconds. The default value is 5m. | 5m | |
| saved_searches.unique_constraint_expiration | The amount of time before a unique constraint is expired. Valid values are numbers with a trailing 'm' or 's' for minutes or seconds. The default value is 5m. | 5m | |
| security.sso.domain_name | SSO domain names property of the webAppSecurity tag. | | |
| security.sso.cookie_name | SSO cookie name property of the webAppSecurity tag. The default value is ltpatoken2. | ltpatoken2 | |
| security.sso.ltpa.filename | keysFileName property of the ltpa tag. The default value is ltpa.keys. | ltpa.keys | |
| security.sso.ltpa.expiration | Expiration property of the ltpa tag. The default value is 120m. | 120m | |
| security.sso.ltpa.monitor_interval | monitorInterval property of the ltpa tag. The default value is 60s. | 60s | |
| security.ssl_protocol | sslProtocol property of the ssl tag that is used as the default SSL configuration. The default value is SSL. | SSL | |
| executor.max_threads | Value of the maxThreads property of the executor tag. The default value is 80. | 80 | |
| executor.core_threads | Value of the coreThreads property of the executor tag. The default value is 40. | 40 | |
| rest.user_group_check_interval | Value of the userGroupCheckInterval property of the ibmPfs_restConfig tag. The default value is 300s. | 300s | |
| rest.system_status_check_interval | Value of the systemStatusCheckInterval property of the ibmPfs_restConfig tag. The default value is 60s. | 60s | |
| rest.bd_fields_check_interval | Value of the bdFieldsCheckInterval property of the ibmPfs_restConfig tag. The default value is 300s. | 300s | |
| custom_env_variables.names | Names of the custom environment variables that are defined in the secret that is referenced in customEnvVariables.secret. | | |
| custom_env_variables.secret | Secret holding custom environment variables. | | |
| logs.console_format | Format for printing logs on the console. The valid values are basic or JSON format. The default value is json. | json | |
| logs.console_log_level | Log level for printing logs on the console. The valid values are INFO, AUDIT, WARNING, ERROR, and OFF. The default value is INFO. | INFO | |
| logs.console_source | Source of the logs for printing on the console. This property applies only when the consoleFormat is JSON. Valid values are message, trace, accessLog, ffdc, and audit. | message, trace, accessLog, ffdc, audit | |
| logs.trace_format | Format for printing trace logs. The default format for the Liberty server is ENHANCED. The BASIC and ADVANCED formats are for WebSphere® Application Server. The default value is ENHANCED. | ENHANCED | |
| logs.trace_specification | Specification for printing trace logs. An example value is *=info:com.ibm.bpm.federated.*=all. The default value is *=info. | *=info | |
| logs.storage.use_dynamic_provisioning | Whether to use dynamic provisioning for storing the log data for Process Federation Server. The default value is true. | true | |
| logs.storage.size | Minimum size of the PV that is mounted as the Process Federation Server Liberty server /logs folder. The default value is 1Gi. | 1Gi | |
| logs.storage.storage_class | Storage class if using dynamic provisioning. The default value is shared_configuration.storage_configuration.sc_fast_file_storage_classname. | shared_configuration.storage_configuration.sc_fast_file_storage_classname | |
| logs.storage.existing_pvc_name | PVC for logs if you are not using dynamic provisioning. | | |
| dump.persistent | Whether to enable persistent storage for Process Federation Server dump files. The default value is false. | false | |
| dump.storage.use_dynamic_provisioning | Whether to use dynamic provisioning for Process Federation Server dump storage. The default value is true. | true | |
| dump.storage.size | Minimum size of the PV that is mounted as the dump store. The default value is 5Gi. | 5Gi | |
| dump.storage.storage_class | Storage class if you are using dynamic provisioning for Process Federation Server dump file storage. The default value is shared_configuration.storage_configuration.sc_slow_file_storage_classname. | shared_configuration.storage_configuration.sc_slow_file_storage_classname | |
| dump.storage.existing_pvc_name | PVC for dump files if not using dynamic provisioning. | | |
| dba_resource_registry.lease_ttl | Duration of the lease that creates the Process Federation Server entry in the DBA Service Registry, in seconds. The default value is 120. | 120 | |
| dba_resource_registry.pfs_check_interval | Interval at which to check that Process Federation Server is running, in seconds. The default value is 10. | 10 | |
| dba_resource_registry.pfs_connect_timeout | The number of seconds after which Process Federation Server is considered as not running if no connection can be established. The default value is 10. | 10 | |
| dba_resource_registry.pfs_response_timeout | The number of seconds after which Process Federation Server is considered as not running if it has not yet responded. The default value is 30. | 30 | |
| dba_resource_registry.pfs_registration_key | Key under which Process Federation Server should be registered in the DBA Service Registry when running. The default value is /dba/appresources/IBM_PFS/PFS_SYSTEM. | /dba/appresources/IBM_PFS/PFS_SYSTEM | |
| dba_resource_registry.resources.limits.memory | Memory limit for Process Federation Server and Resource Registry integration pod. The default value is 512Mi. | 512Mi | |
| dba_resource_registry.resources.limits.cpu | CPU limit for Process Federation Server and Resource Registry integration pod. The default value is 100m. | 100m | |
| dba_resource_registry.resources.requests.memory | Requested amount of memory for Process Federation Server and Resource Registry integration pod. The default value is 512Mi. | 512Mi | |
| dba_resource_registry.resources.requests.cpu | Requested amount of CPU for Process Federation Server and Resource Registry integration pod. The default value is 50m. | 50m | |
| dba_resource_registry.liveness_probe.failure_threshold | When a probe fails, the number of times that Kubernetes tries to resolve the issue before it restarts the container. The default value is 3. | 3 | |
| dba_resource_registry.liveness_probe.initial_delay_seconds | Number of seconds after the Process Federation Server registration container starts before the liveness probe is initiated. The default value is 5. | 5 | |
| dba_resource_registry.liveness_probe.period_seconds | Number of seconds to wait before the next probe. The default value is 5. | 5 | |
| dba_resource_registry.liveness_probe.success_threshold | Minimum consecutive successes for the probe to be considered successful after it failed. The default value is 1. | 1 | |
| dba_resource_registry.liveness_probe.timeout_seconds | Number of seconds after which the probe times out. The default value is 5. | 5 | |
| dba_resource_registry.readiness_probe.failure_threshold | When a probe fails, the number of times that Kubernetes tries to resolve the issue before it restarts the container. The default value is 3. | 3 | |
| dba_resource_registry.readiness_probe.initial_delay_seconds | Number of seconds after the Process Federation Server registration container starts before the readiness probe is initiated. The default value is 1. | 1 | |
| dba_resource_registry.readiness_probe.period_seconds | Number of seconds to wait before the next probe. The default value is 10. | 10 | |
| dba_resource_registry.readiness_probe.success_threshold | Minimum consecutive successes for the probe to be considered successful after it failed. The default value is 1. | 1 | |
| dba_resource_registry.readiness_probe.timeout_seconds | Number of seconds after which the probe times out. The default value is 5. | 5 | |
| node_affinity.deploy_arch | Values in this field are used as kubernetes.io/arch selector values. The valid values are amd64, s390x, and ppc64le. | | |
| node_affinity.custom_node_selector_match_expression | Added in node selector match expressions. It accepts array list inputs. You can assign multiple selector match expressions except (kubernetes.io/arch). | | |
| custom_annotations | Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. | customAnnotationKey: customAnnotationValue | |
| custom_labels | Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. | customLabelKey: customLabelValue | |
| zen_performance.keepalive | Number of idle keepalive connections to an upstream server that remain open for each worker process. This parameter is optional. The default value is 512. | 512 | No |
| zen_performance.keepalive_timeout | How long an idle keepalive connection remains open. This parameter is optional. The default value is 30s. | 30s | No |
| zen_performance.keepalive_requests | The number of requests a client can make over a single keepalive connection. This parameter is optional. The default value is 500. | 500 | No |
| zen_performance.proxy_buffer_size | Size of the buffer used to read the first part of the response received from the proxy server. This parameter is optional. The default value is 256k. | 256k | No |
| zen_performance.proxy_buffers | Number and size of the buffers that are used for reading a response from the proxy server, for a single connection. This parameter is optional. The default value is 8 512k. | 8 512k | No |
| zen_performance.proxy_busy_buffers_size | When buffering of responses from the proxy server is enabled, this parameter limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. This parameter is optional. The default value is 512k. | 512k | No |
| zen_performance.proxy_connect_timeout | Timeout for establishing a connection with a proxy server. This parameter is optional. The default value is 300s. | 300s | No |
| zen_performance.proxy_send_timeout | Timeout for transmitting a request to the proxy server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxy server does not receive anything within this time, the connection is closed. This parameter is optional. The default value is 300s. | 300s | No |
| zen_performance.proxy_read_timeout | Timeout for reading a response from the proxy server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxy server does not transmit anything within this time, the connection is closed. This parameter is optional. The default value is 300s. | 300s | No |
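
Several parameters in the table depend on one another (seccomp profile type and path, FIPS mode and the custom trust store, the route certificate and its CA secret, default security roles and the admin IDs). The following check is an added example, not code from IBM or the operator: it applies those stated rules to a pfs_configuration section that is already parsed into a Python dict. The function names, the sample values, and the secret names are assumptions made for illustration.

```python
# Added example, not IBM code: checks a pfs_configuration mapping against the
# parameter dependencies stated in the table. Booleans are assumed to be real
# booleans (as parsed from YAML), and the helper names are hypothetical.

def get(cfg, dotted, default=None):
    """Look up a dotted parameter name such as 'seccomp_profile.type'."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def check_pfs_configuration(pfs, shared=None):
    """Return a list of findings for one pfs_configuration section."""
    shared = shared or {}
    findings = []
    sec_type = get(pfs, "seccomp_profile.type")
    profile = get(pfs, "seccomp_profile.localhost_profile")
    if sec_type == "Localhost" and not profile:
        findings.append("seccomp_profile.localhost_profile is required for type Localhost")
    if sec_type not in (None, "Localhost") and profile:
        findings.append("seccomp_profile.localhost_profile is ignored for this type")
    if sec_type == "Unconfined":
        findings.append("seccomp_profile.type Unconfined disables syscall filtering")
    if get(pfs, "enable_fips", False):
        if not shared.get("enable_fips", False):
            findings.append("enable_fips needs shared_configuration.enable_fips: true")
        if get(pfs, "tls.tls_trust_store"):
            findings.append("tls.tls_trust_store cannot be used in FIPS mode")
    if get(pfs, "external_tls_secret") and not get(pfs, "external_tls_ca_secret"):
        findings.append("external_tls_ca_secret must accompany external_tls_secret")
    if not get(pfs, "enable_default_security_roles", True):
        for name in ("admin_user_id", "admin_group_id"):
            if get(pfs, name):
                findings.append(f"{name} is unused without enable_default_security_roles")
    if get(pfs, "replicas", 1) < 2:
        findings.append("replicas is below 2, the recommended production minimum")
    return findings

# Constructed sample input; the secret names are placeholders.
SAMPLE_PFS = {
    "seccomp_profile": {"type": "Localhost"},
    "enable_fips": True,
    "tls": {"tls_trust_store": "pfs-trust-store-secret"},
    "external_tls_secret": "pfs-route-tls",
    "enable_default_security_roles": False,
    "admin_user_id": ["uid=cp4baAdminUser,ou=cp4ba,dc=company,dc=com"],
    "replicas": 1,
}
SAMPLE_SHARED = {"enable_fips": False}

if __name__ == "__main__":
    for finding in check_pfs_configuration(SAMPLE_PFS, SAMPLE_SHARED):
        print("FINDING:", finding)
```

Run against the constructed sample, the check reports six findings; a section with seccomp_profile.type set to RuntimeDefault and replicas set to 2 reports none.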