Configure Environment Variables

The following shows environment variables that are needed to get TIBCO BPM Enterprise up and running.

These environment variables are included in the deployment sample that is provided in the TIBCO BPM Enterprise installer. The following shows the minimum required.

Database Connections

The following JDBC environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum required for connection to the database.

It is good practice to store the database and LDAP username and password as Kubernetes Secrets rather than as plain values in the Deployment manifest. Reference the Secrets from the container specification with envFrom; every key of each Secret is then injected as an environment variable of the same name:

envFrom:
  - secretRef:
      name: bpm.database.secrets
  - secretRef:
      name: bpm.ldap.secrets

The bpm.database.secrets Secret must contain the following keys:

  • JDBC_USERNAME
  • JDBC_PASSWORD

The bpm.ldap.secrets Secret must contain the following keys (one PRINCIPAL/CREDENTIALS pair per LDAP connection, with NAME replaced by the connection name; the SYSTEM pair is always required):

  • LDAP_SYSTEM_PRINCIPAL
  • LDAP_SYSTEM_CREDENTIALS
  • LDAP_NAME_PRINCIPAL
  • LDAP_NAME_CREDENTIALS
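As an added example (not part of the installer samples), the following POSIX shell script builds both Secret manifests from KEY=VALUE files and refuses to emit a manifest if any of the keys listed above is missing or empty. Reading the values from files rather than passing them with --from-literal keeps the credentials out of shell history and process listings. The file names, the namespace bpm and the usage line at the end are assumptions of this example; pipe the output into kubectl apply -f -.

```shell
#!/bin/sh
# Added example (not TIBCO's code): generate the bpm.database.secrets and
# bpm.ldap.secrets Secret manifests from KEY=VALUE env files, refusing to
# proceed if a required key is missing or empty.
# Assumed: the env file names and the namespace "bpm" are local choices.
set -eu

# Required keys, as listed in the deployment samples.
DB_KEYS="JDBC_USERNAME JDBC_PASSWORD"
LDAP_KEYS="LDAP_SYSTEM_PRINCIPAL LDAP_SYSTEM_CREDENTIALS LDAP_NAME_PRINCIPAL LDAP_NAME_CREDENTIALS"

# env_value FILE KEY -> prints the value of KEY in FILE (empty if absent)
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_required FILE KEY... -> status 0 only if every KEY is set and non-empty
check_required() {
    file=$1; shift
    rc=0
    for key in "$@"; do
        if [ -z "$(env_value "$file" "$key")" ]; then
            echo "missing or empty: $key in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# secret_manifest NAME NAMESPACE FILE KEY... -> prints an Opaque Secret manifest.
# Values are base64-encoded into .data, so passwords containing YAML-significant
# characters (quotes, colons, #) need no quoting. Returns 1 if a key is missing.
secret_manifest() {
    name=$1; ns=$2; file=$3; shift 3
    check_required "$file" "$@" || return 1
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
    for key in "$@"; do
        printf '  %s: %s\n' "$key" \
            "$(printf '%s' "$(env_value "$file" "$key")" | base64 | tr -d '\n')"
    done
}

# Usage (assumed file names; db.env holds JDBC_USERNAME=... and JDBC_PASSWORD=...):
#   secret_manifest bpm.database.secrets bpm db.env   $DB_KEYS   | kubectl apply -f -
#   secret_manifest bpm.ldap.secrets     bpm ldap.env $LDAP_KEYS | kubectl apply -f -
```

The script only assembles the manifest; with `set -eu` a missing key aborts before anything is printed, so a half-populated Secret is never applied.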
Parameter  Description
JDBC_URL   The JDBC connection string that TIBCO BPM Enterprise uses to connect to the TIBCO BPM Enterprise database, in the format:

           jdbc:postgresql://hostname:port/dbtype

           where hostname and port identify the PostgreSQL server and the final path element is the database to connect to. The JDBC_USERNAME and JDBC_PASSWORD values come from the bpm.database.secrets Secret and are not placed in the URL.

LDAP Directory Connections

The following LDAP environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum required for connection to an LDAP directory.

In the variable names, NAME is the name of the LDAP connection (for example SYSTEM). Each connection therefore has its own LDAP_NAME_ALIAS and LDAP_NAME_URL, plus the LDAP_NAME_PRINCIPAL and LDAP_NAME_CREDENTIALS pair held in the bpm.ldap.secrets Secret.

Parameter        Description
LDAP_NAME_ALIAS  The name used to identify this LDAP directory. (This name is displayed as the Alias for an LDAP source when creating or editing an LDAP Container in the Organization Browser.)
LDAP_NAME_URL    The URL that TIBCO BPM Enterprise uses to connect to this LDAP directory, in the format:

                 ldap://hostname:port/DN

                 where:

                   • hostname is the DNS name or IP address of the machine hosting the LDAP server.
                   • port is the port number used by the LDAP server.
                   • DN is the Distinguished Name to use as the search base for this LDAP directory.

The following is an example of a complete LDAP directory connection. Every installation must define a connection with the alias "system", from which the "tibco-admin" user is sourced. The example lists all four variables of the SYSTEM connection; in a deployment, the PRINCIPAL and CREDENTIALS values belong in the bpm.ldap.secrets Secret rather than in the plain environment:

LDAP_SYSTEM_ALIAS=system
LDAP_SYSTEM_URL=ldap://bpm-apacheds:10389/ou=system
LDAP_SYSTEM_PRINCIPAL=uid=admin,ou=system
LDAP_SYSTEM_CREDENTIALS=secret
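As an added example (not part of the installer samples), the following POSIX shell script checks a file of LDAP_NAME_* variables before deployment: it derives the set of connection names, requires ALIAS and URL for each, checks that each URL has the ldap://hostname:port/DN shape, and confirms that a connection with the alias "system" exists. The env file name and its sample contents are assumptions of this example.

```shell
#!/bin/sh
# Added example (not TIBCO's code): validate LDAP_<NAME>_* variables read from a
# KEY=VALUE file. Assumed: the file layout and the sample values are local choices.
set -eu

# env_value FILE KEY -> prints the value of KEY in FILE (empty if absent)
env_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# ldap_names FILE -> distinct NAME parts of LDAP_<NAME>_{ALIAS,URL,PRINCIPAL,CREDENTIALS}
ldap_names() {
    sed -En 's/^LDAP_(.+)_(ALIAS|URL|PRINCIPAL|CREDENTIALS)=.*/\1/p' "$1" | sort -u
}

# check_ldap_env FILE -> reports problems on stderr; status 1 if any were found
check_ldap_env() {
    file=$1
    rc=0
    systems=0
    for n in $(ldap_names "$file"); do
        alias=$(env_value "$file" "LDAP_${n}_ALIAS")
        url=$(env_value "$file" "LDAP_${n}_URL")
        if [ -z "$alias" ]; then
            echo "LDAP_${n}_ALIAS is missing" >&2; rc=1
        fi
        # Must look like ldap://hostname:port/DN (scheme, host, numeric port, search base).
        case $url in
            ldap://*:[0-9]*/*) ;;
            *) echo "LDAP_${n}_URL is not of the form ldap://hostname:port/DN: '$url'" >&2; rc=1 ;;
        esac
        if [ "$alias" = system ]; then
            systems=$((systems + 1))
        fi
    done
    if [ "$systems" -lt 1 ]; then
        echo "no LDAP connection has the alias 'system' (needed to source tibco-admin)" >&2; rc=1
    fi
    return $rc
}

# Usage (assumed file name): check_ldap_env ldap.env && echo "LDAP variables look complete"
```

The PRINCIPAL and CREDENTIALS values are deliberately not echoed by the checker, so it can be run in a CI job without leaking bind credentials into build logs.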

ADMIN_CRYPTO_KEY - Shared Resource Encryption Key

ADMIN_CRYPTO_KEY defines the key used to encrypt and decrypt sensitive data held in the BPM database definition of shared resources (HTTP Clients, Keystore Providers, SSL Client Providers, SMTP Connections, SAML Connections, and OpenID Connections) used by TIBCO BPM Enterprise.

Use of ADMIN_CRYPTO_KEY is optional but recommended. When used, ADMIN_CRYPTO_KEY must be injected into the Kubernetes pod so that it is available to the TIBCO BPM Enterprise application container. Every replica must receive the same value, and the value must be retained (and backed up) for as long as encrypted parameters exist in the database: data encrypted under one key cannot be decrypted with a different one.

When ADMIN_CRYPTO_KEY is used, the following Shared Resource configuration parameters are stored in the BPM database in symmetrically encrypted form (AES-128 in GCM mode). If ADMIN_CRYPTO_KEY is not used, these parameters are instead stored as clear (unencrypted) text, readable by anyone with access to the database.

Shared Resource      Parameters encrypted when using ADMIN_CRYPTO_KEY
HTTP Client          Realm, Username, and Password (for basic authentication)
Keystore Provider    Password (for Keystore)
SSL Client Provider  Key alias for identity, Key Alias Password (for Mutual Authentication)
SMTP Connection      Username, Password (Login credentials)
SAML Connection      KeyAlias to encrypt, Key alias to encrypt password, Key alias to sign, Key alias to sign password, Default key alias, Default key alias password (Advanced settings)
OpenID Connection    Client ID, Client secret

ADMIN_CRYPTO_KEY can be specified using either of the following methods:

  • by defining the encryption key as a Kubernetes Secret, which is referenced from ADMIN_CRYPTO_KEY using the valueFrom parameter. See Example 1 below. This is the preferred method.
  • by assigning a plain text string value to ADMIN_CRYPTO_KEY in the Deployment. See Example 2 below. The key is then readable by anyone who can read the Deployment object or the manifest in source control.

Example 1 - Using ADMIN_CRYPTO_KEY with Secrets in a Deployment Configuration File

Use the following command to create a Secret named admin-crypto-key in the cluster, in the namespace where TIBCO BPM Enterprise is deployed. admin-crypto-key contains a single key (secretkey) whose value in this example is the placeholder password123; use a long, randomly generated value in practice, and note that --from-literal leaves the value in the shell history (--from-file does not).

$ kubectl create secret generic admin-crypto-key  --from-literal=secretkey=password123

Use the following definition to inject the encryption key into the Kubernetes pod.

apiVersion: apps/v1
kind: Deployment
.
.
spec:
.
.
  env: 
    - name: ADMIN_CRYPTO_KEY
      valueFrom: 
        secretKeyRef: 
          name: admin-crypto-key
          key: secretkey

Important: The admin-crypto-key Secret must exist in the same namespace as the Deployment. If it does not, the Deployment is still accepted, but the pod cannot be started: it stays in the CreateContainerConfigError state until the Secret is created.

Example 2 - Using ADMIN_CRYPTO_KEY as a Plain Environment Variable in a Deployment Configuration File

apiVersion: apps/v1
kind: Deployment
.
.
spec:
.
.
  env: 
    - name: ADMIN_CRYPTO_KEY
      value: TheSecretPasswordToUseForEncryption
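As an added example (not TIBCO's code), the following POSIX shell script covers the two practical points of Examples 1 and 2: it generates a random value for ADMIN_CRYPTO_KEY instead of a guessable placeholder, and it audits a Deployment manifest for sensitive environment variables that are set with an inline value (Example 2 style) instead of a secretKeyRef (Example 1 style). The list of sensitive variable names and the manifest used in the usage are assumptions of this example.

```shell
#!/bin/sh
# Added example (not TIBCO's code): generate an ADMIN_CRYPTO_KEY value and audit a
# Deployment manifest for secrets that are inline "value:" entries.
# Assumed: the SENSITIVE pattern is this example's choice of names to protect.
set -eu

# gen_key -> 32 random bytes, base64-encoded (44 characters). Intended use:
#   kubectl create secret generic admin-crypto-key --from-literal=secretkey="$(gen_key)"
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Environment variables whose value must come from a Secret, never from the manifest.
SENSITIVE='^(ADMIN_CRYPTO_KEY|JDBC_(USERNAME|PASSWORD)|LDAP_[A-Z0-9_]*_(PRINCIPAL|CREDENTIALS))$'

# audit_env_values FILE -> prints the name of every sensitive env entry whose
# next non-blank line is "value:"; status 1 if any were found, 0 otherwise.
# Entries using "valueFrom:" (secretKeyRef) are accepted.
audit_env_values() {
    awk -v pat="$SENSITIVE" '
        # "- name: X" starts an env entry; remember X and look at the next line.
        /^[[:space:]]*-[[:space:]]*name:/ { name = $NF; pending = 1; next }
        pending && NF > 0 {
            if ($1 == "value:" && name ~ pat) { print name; found = 1 }
            pending = 0
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Usage (assumed manifest name): audit_env_values deployment.yaml || echo "inline secrets found"
```

The awk pass keys on the "- name:" list items of an env block, so the "name: admin-crypto-key" line inside a secretKeyRef (no leading dash) is not mistaken for an env entry.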