Injected Configuration

Database Connections

The following JDBC environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum required for connection to the database.

It is a good practice to store the database and LDAP username and password as Kubernetes secrets. This can be added to the deployment configuration as follows:

envFrom:
          - secretRef:
              name: bpm.database.secrets
          - secretRef:
              name: bpm.ldap.secrets

The bpm.database.secrets should have the following names:

JDBC_USERNAME
JDBC_PASSWORD

The bpm.ldap.secrets should have the following names:

LDAP_SYSTEM_PRINCIPAL
LDAP_SYSTEM_CREDENTIALS

LDAP_NAME_PRINCIPAL
LDAP_NAME_CREDENTIALS

Parameter	Description
JDBC_URL	The JDBC connection string that TIBCO BPM Enterprise uses to connect to the TIBCO BPM Enterprise database, in the format: jdbc:postgresql://`hostname`:`port`/`dbtype`

LDAP Directory Connections

The following LDAP environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum required for connection to the database.

Parameter	Description
LDAP_`NAME`_ALIAS	The name used to identify this LDAP directory. (This name is displayed as the Alias for an LDAP source when creating or editing an LDAP Container in the Organization Browser.)
LDAP_`NAME`_URL	The URL that TIBCO BPM Enterprise uses to connect to this LDAP directory, in the format: ldap://`hostname`:`port`/`DN` where: `hostname` is the DNS name or IP address of the machine hosting the LDAP server. `port` is the port number used by the LDAP server. `DN` is the Distinguished Name to use as the search base for this LDAP directory.

Parameter

Description

LDAP_NAME_ALIAS

The name used to identify this LDAP directory. (This name is displayed as the Alias for an LDAP source when creating or editing an LDAP Container in the Organization Browser.)

LDAP_NAME_URL

The URL that TIBCO BPM Enterprise uses to connect to this LDAP directory, in the format:

ldap://hostname:port/DN

where:

hostname is the DNS name or IP address of the machine hosting the LDAP server.
port is the port number used by the LDAP server.
DN is the Distinguished Name to use as the search base for this LDAP directory.

where NAME is the name of the LDAP connection.

The following shows an LDAP Directory Connection example. Every system must have a "system" alias from which the "tibco-admin" user can be sourced. This provides an example of that:

LDAP_SYSTEM_ALIAS=system
LDAP_SYSTEM_URL=ldap://bpm-apacheds:10389/ou=system
LDAP_SYSTEM_PRINCIPAL=uid=admin,ou=system
LDAP_SYSTEM_CREDENTIALS=secret

SSL Configurations

The following SSL Configuration environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer.

Parameter	Description
JDBC_SSL_CONFIG	This is the SSL configuration for the JDBC connection. It essentially a direct passthrough to the JDBC driver. A basic PostgreSQL example is: ssl=true;sslmode=verify-full;sslrootcert=<full_path_to_ssl_root_certificate> Since this is a passthrough to the driver, you can look a the PostgreSQL JDBC driver specification for more details. Note that it's important that the <full_path_to_ssl_root_certificate> is the full path as seen from inside the container. Essentially, it involves getting the SSL certificate mounted into the container on a specific path, which is then used as <full_path_to_ssl_root_certificate>.
LDAP_<`GROUP_NAME`>_SSLCERT	This is for LDAP SSL, where `GROUP_NAME` is the same as the other LDAP environment variable (see above). For example, if you have LDAP_SYSTEM_ALIAS defined for an LDAP Directory Connection, this would be LDAP_SYSTEM_SSLCERT. Its value is simply the full path to the certificate required to connect to the LDAP server, much like it is for JDBC. The difference here is that it is the only component of the value, so an example value is simply: <full_path_to_ldap_ssl_certificate> You would make this certificate available to the container in exactly the same way as you would for JDBC.

Parameter

Description

JDBC_SSL_CONFIG

This is the SSL configuration for the JDBC connection. It essentially a direct passthrough to the JDBC driver. A basic PostgreSQL example is:

ssl=true;sslmode=verify-full;sslrootcert=<full_path_to_ssl_root_certificate>

Since this is a passthrough to the driver, you can look a the PostgreSQL JDBC driver specification for more details.

Note that it's important that the <full_path_to_ssl_root_certificate> is the full path as seen from inside the container. Essentially, it involves getting the SSL certificate mounted into the container on a specific path, which is then used as <full_path_to_ssl_root_certificate>.

LDAP_<GROUP_NAME>_SSLCERT

This is for LDAP SSL, where GROUP_NAME is the same as the other LDAP environment variable (see above). For example, if you have LDAP_SYSTEM_ALIAS defined for an LDAP Directory Connection, this would be LDAP_SYSTEM_SSLCERT. Its value is simply the full path to the certificate required to connect to the LDAP server, much like it is for JDBC. The difference here is that it is the only component of the value, so an example value is simply:

<full_path_to_ldap_ssl_certificate>

You would make this certificate available to the container in exactly the same way as you would for JDBC.

ADMIN_CRYPTO_KEY - Shared Resource Encryption Key

ADMIN_CRYPTO_KEY defines the key used to encrypt and decrypt sensitive data held in the BPM database definition of shared resources (HTTP Clients, Keystore Providers, SSL Client Providers, SMTP Connections, SAML Connections, and OpenID Connections) used by TIBCO BPM Enterprise.

Use of ADMIN_CRYPTO_KEY is optional but recommended. When used, ADMIN_CRYPTO_KEY must be injected into the Kubernetes pod so that it is available to the TIBCO BPM Enterprise application container.

When ADMIN_CRYPTO_KEY is used, the following Shared Resource configuration parameters are stored in the BPM database in symmetrically encrypted form (AES 128-bit GCM mode). If ADMIN_CRYPTO_KEY is not used, these parameters are instead stored as clear (unencrypted) text.

Shared Resource	Parameters encrypted when using ADMIN_CRYPTO_KEY
HTTP Client	Realm, Username, and Password (for basic authentication)
Keystore Provider	Password (for Keystore)
SSL Client Provider	Key alias for identity, Key Alias Password (for Mutual Authentication)
SMTP Connection	Username, Password (Login credentials)
SAML Connection	KeyAlias to encrypt, Key alias to encrypt password, Key alias to sign, Key alias to sign password, Default key alias, Default key alias password (Advanced settings)
OpenID Connection	Client ID, Client secret

ADMIN_CRYPTO_KEY can be specified using either of the following methods:

by defining the encryption key as a Kubernetes secret, which is referenced from ADMIN_CRYPTO_KEY using the valueFrom parameter. See Example 1 below.
by assigning a simple text string value to ADMIN_CRYPTO_KEY. See Example 2 below.

Example 1 - Using ADMIN_CRYPTO_KEY with Secrets in a Deployment Configuration File

Use the following command to define a secret (admin-crypto-key) on the kube-apiserver. admin-crypto-key contains a single key (secretkey) with a value of password123.

$ kubectl create secret generic admin-crypto-key  --from-literal=secretkey=password123

Use the following definition to inject the encryption key into the Kubernetes pod.

apiVersion: apps/v1
kind: Deployment
.
.
spec:
.
.
  env: 
    - name: ADMIN_CRYPTO_KEY
      valueFrom: 
        secretKeyRef: 
          name: admin-crypto-key
          key: secretkey

Important: The admin-crypto-key secret must exist on the kube-apiserver when the Deployment is applied. If it does not exist, the container will not start.

Example 2 - Using ADMIN_CRYPTO_KEY as a Plain Environment Variable in a Deployment Configuration File

apiVersion: apps/v1
kind: Deployment
.
.
spec:
.
.
  env: 
    - name: ADMIN_CRYPTO_KEY
      value: TheSecretPasswordToUseForEncryption

Contents

Index

Search Results

Injected Configuration

Database Connections

LDAP Directory Connections

SSL Configurations

ADMIN_CRYPTO_KEY - Shared Resource Encryption Key