Configure Environment Variables
The following shows environment variables that are required to get TIBCO BPM Enterprise up and running.
These environment variables are included in the deployment sample that is provided in the TIBCO BPM Enterprise installer.
The following shows the minimum requirements.
Database Connections
The following JDBC environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum requirements for connection to the database.
It is a good practice to store the database and LDAP username and password as Kubernetes secrets. This can be added to the deployment configuration as follows:
```yaml
envFrom:
  - secretRef:
      name: bpm.database.secrets
  - secretRef:
      name: bpm.ldap.secrets
```
The `bpm.database.secrets` secret should contain keys with the following names:
- JDBC_USERNAME
- JDBC_PASSWORD

The `bpm.ldap.secrets` secret should contain keys with the following names:
- LDAP_SYSTEM_PRINCIPAL
- LDAP_SYSTEM_CREDENTIALS
- LDAP_NAME_CREDENTIALS
Parameter | Description |
---|---|
JDBC_URL | The JDBC connection string that TIBCO BPM Enterprise uses to connect to the TIBCO BPM Enterprise database. |
LDAP Directory Connections
The LDAP environment variables are made up of three parts, each separated by an underscore (_). For example, LDAP_SYSTEM_PRINCIPAL.
- The first part, LDAP, denotes the type of environment variable (an LDAP connection).
- The second part, SYSTEM, denotes the group the environment variable belongs to. An LDAP connection requires a number of configurable parameters to work, such as ALIAS, PRINCIPAL, CREDENTIALS, and URL, so TIBCO BPM Enterprise must know which ones belong together. The group name (for example, SYSTEM) can be anything you like as long as it is the same for each environment variable of that connection.
- The third part is the type of environment variable. These can be (but are not limited to) ALIAS, URL, PRINCIPAL, and CREDENTIALS. The value of ALIAS is how the connection shows up in the UI; the rest determine the actual connection details.
The following LDAP environment variables are provided in the deployment samples that are included with the TIBCO BPM Enterprise installer. These are the minimum requirements for connection to an LDAP directory.
Parameter | Description |
---|---|
LDAP_NAME_ALIAS | The name used to identify this LDAP directory. (This name is displayed as the Alias for an LDAP source when creating or editing an LDAP Container in the Organization Browser.) |
LDAP_NAME_URL | The URL that TIBCO BPM Enterprise uses to connect to this LDAP directory, in the format `ldap://hostname:port/DN`. |

where NAME is the name of the LDAP connection.
The following shows an LDAP Directory Connection example. Every system must have a "system" alias from which the "tibco-admin" user can be sourced.
```yaml
LDAP_SYSTEM_ALIAS: system
LDAP_SYSTEM_URL: ldap://bpm-apacheds:10389/ou=system
LDAP_SYSTEM_PRINCIPAL: uid=admin,ou=system
LDAP_SYSTEM_CREDENTIALS: secret
```
ADMIN_CRYPTO_KEY - Shared Resource Encryption Key
ADMIN_CRYPTO_KEY defines the key used to encrypt and decrypt sensitive data held in the BPM database definition of shared resources (HTTP Clients, Keystore Providers, SSL Client Providers, SMTP Connections, SAML Connections, and OpenID Connections) used by TIBCO BPM Enterprise.
Use of ADMIN_CRYPTO_KEY is optional but recommended. When used, ADMIN_CRYPTO_KEY must be injected into the Kubernetes pod so that it is available to the TIBCO BPM Enterprise application container.
When ADMIN_CRYPTO_KEY is used, the following Shared Resource configuration parameters are stored in the BPM database in symmetrically encrypted form (AES 128-bit GCM mode). If ADMIN_CRYPTO_KEY is not used, these parameters are instead stored as clear (unencrypted) text.
Shared Resource | Parameters encrypted when using ADMIN_CRYPTO_KEY |
---|---|
HTTP Client | Realm, Username, and Password (for basic authentication) |
Keystore Provider | Password (for Keystore) |
SSL Client Provider | Key alias for identity, Key Alias Password (for Mutual Authentication) |
SMTP Connection | Username, Password (Login credentials) |
SAML Connection | KeyAlias to encrypt, Key alias to encrypt password, Key alias to sign, Key alias to sign password, Default key alias, Default key alias password (Advanced settings) |
OpenID Connection | Client ID, Client secret |
ADMIN_CRYPTO_KEY can be specified using either of the following methods:
- by defining the encryption key as a Kubernetes secret, which is referenced from ADMIN_CRYPTO_KEY using the `valueFrom` parameter. See Example 1 below.
- by assigning a simple text string value to ADMIN_CRYPTO_KEY. See Example 2 below.
Example 1 - Using ADMIN_CRYPTO_KEY with Secrets in a Deployment Configuration File
Use the following command to define a secret (`admin-crypto-key`) on the kube-apiserver. `admin-crypto-key` contains a single key (`secretkey`) with a value of `password123`.
```shell
$ kubectl create secret generic admin-crypto-key --from-literal=secretkey=password123
```
Use the following definition to inject the encryption key into the Kubernetes pod.
```yaml
apiVersion: apps/v1
kind: Deployment
# ...
spec:
  # ...
  env:
    - name: ADMIN_CRYPTO_KEY
      valueFrom:
        secretKeyRef:
          name: admin-crypto-key
          key: secretkey
```
Example 2 - Using ADMIN_CRYPTO_KEY as a Plain Environment Variable in a Deployment Configuration File
```yaml
apiVersion: apps/v1
kind: Deployment
# ...
spec:
  # ...
  env:
    - name: ADMIN_CRYPTO_KEY
      value: TheSecretPasswordToUseForEncryption
```
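The following added example (not part of the TIBCO documentation or product) is a pre-deployment check that applies the rules above to a deployment's environment: it groups `LDAP_<GROUP>_<TYPE>` variables, verifies each group carries ALIAS, URL, PRINCIPAL and CREDENTIALS, requires a connection whose alias is `system`, confirms the JDBC variables are present, flags credentials that are set as plain values instead of coming from a secret, and warns when ADMIN_CRYPTO_KEY is absent. The env block and the secret key names are constructed sample input; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: plain env values of a BPM deployment, plus the key names
# carried by the secrets it references through envFrom (hypothetical input).
SAMPLE_ENV = {
    "JDBC_URL": "jdbc:postgresql://bpm-db:5432/bpm",
    "LDAP_SYSTEM_ALIAS": "system",
    "LDAP_SYSTEM_URL": "ldap://bpm-apacheds:10389/ou=system",
    "LDAP_SYSTEM_PRINCIPAL": "uid=admin,ou=system",
    "LDAP_SYSTEM_CREDENTIALS": "secret",        # plain value: should be a secret
    "LDAP_CORP_ALIAS": "corporate",
    "LDAP_CORP_URL": "ldap://corp-ldap:389/dc=example,dc=com",
}
SAMPLE_SECRET_KEYS = {"JDBC_USERNAME", "JDBC_PASSWORD", "LDAP_CORP_PRINCIPAL"}

LDAP_VAR = re.compile(r"^LDAP_([A-Z0-9]+)_([A-Z]+)$")   # LDAP_<GROUP>_<TYPE>
LDAP_REQUIRED = {"ALIAS", "URL", "PRINCIPAL", "CREDENTIALS"}
JDBC_REQUIRED = ("JDBC_URL", "JDBC_USERNAME", "JDBC_PASSWORD")


def ldap_groups(names):
    """Map each LDAP group name to the set of variable types defined for it."""
    groups = defaultdict(set)
    for name in names:
        match = LDAP_VAR.match(name)
        if match:
            groups[match.group(1)].add(match.group(2))
    return dict(groups)


def check_config(env, secret_keys):
    """Return the list of problems found; an empty list means the minimum is met."""
    names = set(env) | set(secret_keys)
    problems = [f"missing {var}" for var in JDBC_REQUIRED if var not in names]
    groups = ldap_groups(names)
    for group, types in sorted(groups.items()):
        for missing in sorted(LDAP_REQUIRED - types):
            problems.append(f"LDAP group {group} lacks LDAP_{group}_{missing}")
    # every system must expose a "system" alias (source of the tibco-admin user)
    if not any(env.get(f"LDAP_{g}_ALIAS") == "system" for g in groups):
        problems.append("no LDAP connection with alias 'system'")
    # credentials belong in a Kubernetes secret, not in a plain env value
    for name in env:
        if name.endswith(("_CREDENTIALS", "_PASSWORD")):
            problems.append(f"{name} set as plain env value; move it to a secret")
    if "ADMIN_CRYPTO_KEY" not in names:
        problems.append("ADMIN_CRYPTO_KEY not set; shared resource credentials will be stored unencrypted")
    return problems
```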