PCM Rhocp Deployment Doc

Uploaded by

kaushik27cool
Prerequisites for installing PEM Community Manager

Standard Certified Container


Before you install the application, you must ensure the following prerequisites are in place.
The following sections provide the list of prerequisites for every version.
V6.2.3

Prerequisites:

1. Kubernetes version >= 1.20.0 with beta APIs enabled ##Review need to be tested

2. OCP version >= 4.12 with beta APIs enabled ##Review

3. Helm version >= 3.2

4. Ensure that one of the supported database servers (Oracle/DB2) is installed and
the database is accessible from inside the cluster.

5. Ensure that the docker images for IBM Partner Engagement Manager Standard
from Entitlement registry are loaded to an appropriate docker registry.

6. When volumeClaims.resources.enabled is true, create a persistent volume for
application resources with access mode as 'Read Only Many' and place the
database driver jar, SEAS jars and MQ jars in the mapped volume location.
7. When volumeClaims.logs.enableAppLogOnConsole is false, create a persistent volume for
application logs with access mode as 'Read Write Many'.
8. When communitymanager.prod.archive.enabled is true, create a persistent volume for
archive document storage with access mode as 'Read Write Many'.
9. When communitymanager.nonprod.archive.enabled is true, create a persistent volume
for archive document storage with access mode as 'Read Write Many'.

Mount the archive persistent volume to the PCM server.

10. Create secrets with requisite confidential credentials for passphrase.txt,
Keystore.jks, dbpasswords and keystore passwords. You can use the supplied
configuration files under pak_extensions/pre-install/secret directory.

Create a secret from the provided syntax file included in helm charts /ibm-cloudpak-extensons/preinstall/secrets.yaml

oc apply -f secrets.yaml

11. Create a secret to pull the image from a private registry or repository using the
following command:

oc create secret docker-registry <name of secret> --docker-server=<your-registry-server> --docker-username=<your-username> --docker-password=<your-password> --docker-email=<your-email>

12. Create secrets for certificates (Keystore files) required by PCM to connect to the
Database and MQ using the command below.

oc create secret generic <secret-name> --from-file=/path/to/<Keystore.jks>

13. For a new installation, ensure that the dbsetup.upgrade parameter is set to false.

This will create the required database tables and metadata in the database before
installing the chart.

14. For upgrading an existing installation, ensure that the dbsetup.upgrade parameter is set
to true.
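What the `oc create secret docker-registry` command in step 11 stores, shown as an added example that is not part of the original document: a Secret of type kubernetes.io/dockerconfigjson whose payload is base64-encoded rather than encrypted, so anyone allowed to read Secrets in the namespace can recover the registry password. The secret name, registry host, user name and password are constructed placeholders.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def build_pull_secret(name, server, username, password, email):
    """Build a Secret manifest with the shape of an image pull secret."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    docker_config = {
        "auths": {
            server: {
                "username": username,
                "password": password,
                "email": email,
                "auth": auth,
            }
        }
    }
    payload = json.dumps(docker_config).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": PULL_SECRET_TYPE,
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


def recover_credentials(secret):
    """Decode a pull secret back to a list of (server, username, password)."""
    if secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError("not an image pull secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    found = []
    for server, entry in json.loads(raw)["auths"].items():
        user, password = entry.get("username"), entry.get("password")
        if password is None and "auth" in entry:
            # Some clients store only the combined "user:password" field.
            combined = base64.b64decode(entry["auth"]).decode()
            user, _, password = combined.partition(":")
        found.append((server, user, password))
    return found


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    secret = build_pull_secret(
        "pcm-pull-secret", "registry.example.com",
        "svc-pcm", "constructed-password", "ops@example.com",
    )
    print(json.dumps(secret, indent=2))
    print(recover_credentials(secret))
```

Because the stored value is reversible, read access to Secrets in the namespace should be limited through RBAC to the accounts that deploy the chart.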

System requirements
Before you begin the installation, verify that your system meets the hardware and
software requirements that are specified for this release.

The hardware requirements that are listed in the System Requirements are the
minimum requirements. Your system requirements might exceed these requirements if
you are running other applications on the same machine as IBM Partner Engagement
Manager Standard.

Installation strictly enforces the following system requirements. If any of these
requirements are not met, the installation fails. If the installation fails, review the
installation log for a list of non-compliant items.

The system requirements are listed below:

Pod                 Memory Requested   Memory Limit   CPU Requested   CPU Limit
PCM Prod pod        2 Gi               4 Gi           1               2
PCM Non Prod pod    2 Gi               4 Gi           1               2
Agent pod           2 Gi               4 Gi           1               2
Purge (API) pod     0.5 Gi             1 Gi           0.1             0.5

Platform Supported Model and Delivery

- Platform supported: RedHat OpenShift Container Platform 4.11
- Amazon’s Cloud
- OnPrem

Autoscaling:

It is a feature in OpenShift that allows a deployed application to scale. In OpenShift,
autoscaling is also known as pod autoscaling.
The Horizontal Pod Autoscaler automatically scales the number of pods. It specifies how
OpenShift Container Platform should automatically increase or decrease the scale of
a replication controller or deployment configuration, based on metrics collected from
the pods that belong to the replication controller or deployment configuration.
Understanding horizontal pod autoscalers:
You can create a horizontal pod autoscaler to specify the minimum and maximum
number of pods you want to run, as well as the CPU utilization or memory utilization
your pods should target.
After you create a horizontal pod autoscaler, OpenShift Container Platform begins to
query the CPU and/or memory resource metrics on the pods. When these metrics are
available, the horizontal pod autoscaler computes the ratio of the current metric
utilization with the desired metric utilization and scales up or down accordingly. The
query and scaling occur at a regular interval but can take one to two minutes before
metrics become available.
values.yaml
autoscaling:
  enabled: true
  minReplicas: 1
  maxReplicas: 2
  targetCPUUtilizationPercentage: 85

Horizontal scaling is useful when the application needs to serve more requests, because
adding replicas increases availability.
Applying this definition creates a Horizontal Pod Autoscaler that maintains between
1 and 2 replicas of the Pods. The HPA increases and decreases the number of replicas to
maintain an average CPU utilization of 85% across all Pods.
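The ratio calculation described above, worked through with this chart's defaults, as an added example that is not part of the original document. It assumes the upstream Kubernetes rule desiredReplicas = ceil(currentReplicas x currentUtilization / targetUtilization) with the default 10% tolerance, and that CPU utilization is measured against each pod's CPU request rather than its limit; the usage samples are constructed.

```python
import math

TOLERANCE = 0.10  # upstream default: a ratio within 10% of 1.0 causes no change


def parse_millicores(cpu):
    """Convert a Kubernetes CPU quantity ("250m", "1", 0.5) to millicores."""
    text = str(cpu).strip()
    if text.endswith("m"):
        return int(text[:-1])
    return int(round(float(text) * 1000))


def desired_replicas(usage_millicores, cpu_request, target_percent,
                     min_replicas, max_replicas):
    """Return (average utilization %, replica count the HPA would request).

    usage_millicores holds one CPU usage sample per running pod.
    Utilization is usage divided by the pod's CPU request, not its limit.
    """
    if not usage_millicores:
        raise ValueError("no pod metrics available yet")
    request = parse_millicores(cpu_request)
    current = len(usage_millicores)
    utilization = 100.0 * sum(usage_millicores) / (request * current)
    ratio = utilization / target_percent
    if abs(ratio - 1.0) <= TOLERANCE:
        wanted = current  # close enough to the target: no scaling
    else:
        wanted = math.ceil(current * ratio)
    # The result is always clamped to the configured bounds.
    return round(utilization, 1), max(min_replicas, min(max_replicas, wanted))


if __name__ == "__main__":
    # Chart defaults from this page: request 250m, limit 500m, target 85%,
    # minReplicas 1, maxReplicas 2. Usage samples are constructed.
    for usage in ([230], [400], [500], [500, 500], [80, 80]):
        print(usage, desired_replicas(usage, "250m", 85, 1, 2))
```

With a 250m request, a pod using 400m is still under its 500m limit but already at 160% utilization, and once both replicas are saturated the autoscaler cannot add capacity beyond maxReplicas.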

Database servers

- Database version must match exactly.
- If you are using an Oracle, Microsoft SQL Server, or DB2 database, decide if you
are going to manually or automatically apply Database Definition Language (DDL)
statements. You need to complete the database schema work before you begin
the installation.
- Determine if the database password needs to be encrypted.

Creating database schema

URL: DB2 database configuration - IBM Documentation: www.ibm.com/docs/en/spems/6.2.2?topic=schema-db2-database-configuration
URL: Oracle database configuration - IBM Documentation: www.ibm.com/docs/en/spems/6.2.2?topic=schema-oracle-database-configuration

Installing OpenShift container platform

OpenShift container platform brings together Docker and Kubernetes and provides an
API to manage these services. OpenShift Container Platform allows you to create and
manage containers.

It is an on-prem platform service that uses Kubernetes to manage containers built on a
foundation of Red Hat Enterprise Linux. For more information on how to set up an
OpenShift Container Platform cluster environment, refer to the link below:

Installation and update | Architecture | OpenShift Container Platform 4.12

The Certified Container can be deployed in the above mentioned cluster environments.

Setting up PersistentVolume(s)

A PersistentVolume (PV) is a piece of storage in the cluster that is provisioned by an
administrator or dynamically provisioned using storage classes.

You need to create a PersistentVolume to provide the required environment-specific
external resources like database drivers, Key Stores, and Trust Stores to
enable SSL connections to the database server, WMQ server, and so on.
This volume is referred to below as the resources volume.

You can redirect the application logs to the console, which is the recommended option, or
write them to a file system or a storage location outside the application containers, in which
case you need to create an additional PersistentVolume for logs.
This volume is referred to below as the logs volume.

1. When volumeClaims.resources.enabled is true, create a persistent volume for application
resources with access mode as 'Read Only Many' and place the database driver
jar, SEAS jars and MQ jars in the mapped volume location.
2. When volumeClaims.logs.enableAppLogOnConsole is false, create a persistent volume for
application logs with access mode as 'Read Write Many'.
3. When communitymanager.prod.archive.enabled is true, create a persistent volume for
archive document storage with access mode as 'Read Write Many'.
4. When communitymanager.nonprod.archive.enabled is true, create a persistent volume
for archive document storage with access mode as 'Read Write Many'.

Mount the archive persistent volume to PCM Standard server

For more information, see: OpenShift - Configuring Persistent Storage.

Installing License Service

The script installs License Service, creates an instance and validates the installation
steps.

This procedure guides you through the installation of License Service. It does not cover
the installation of License Service Reporter which is not available without an IBM Cloud
Pak on OpenShift Container Platform.

1. Go to the directory that is installed from the chart repository: ibm_cloud_pak\pak_extensions\pre-install\licenseibm_licensing_operator_install.sh.

2. Run the script.

Installation is complete and License Service is running in your cluster. To check if
License Service components are properly installed, and perform extra configuration

Checking License Service components


After you install IBM License Service, complete the following steps to check whether it
works:

1. Check if the pod is running by running the following commands:

podName=`kubectl get pod -n ibm-common-services -o jsonpath="{range .items[*]}{.metadata.name}{'\n'}" | grep ibm-licensing-service-instance`
kubectl logs $podName -n ibm-common-services
kubectl describe pod $podName -n ibm-common-services

2. Check Route or Ingress settings depending on your parameter settings, for example,
using these commands.

kubectl get ingress -n ibm-common-services -o yaml

Then examine the status part of the output. It should include host, path, tls (if
configured), and other networking information.

Configuring the Certified Container

The values.yaml file in the Helm Charts contains all the configurations
required for the application.

Configurable parameters of the IBM-PEM-Community-Standard-prod chart and their default values.

Parameter                                                            Description     Default

image.name                                                                           null
image.tag                                                                            null
image.pullPolicy                                                                     null
image.pullSecret                                                                     ""
arch                                                                                 "amd64"
replicas                                                                             1
serviceAccountName                                                                   null
timezone.configmapname                                                               null
volumeClaims.resources.enabled                                                       true
volumeClaims.resources.capacity                                                      "100Mi"
volumeClaims.resources.storageclass                                                  "slow"
volumeClaims.logs.enabled                                                            false
volumeClaims.logs.capacity                                                           "1Gi"
volumeClaims.logs.storageclass                                                       null
communitymanager.install                                                             true
communitymanager.image.repository                                                    null
communitymanager.image.pullPolicy                                                    null
communitymanager.image.tag                                                           null
communitymanager.image.pullSecret                                                    null
communitymanager.prod.enable                                                         true
communitymanager.prod.autoscaling.enabled                                            false
communitymanager.prod.autoscaling.minReplicas                                        1
communitymanager.prod.autoscaling.maxReplicas                                        2
communitymanager.prod.autoscaling.targetCPUUtilizationPercentage                     85
communitymanager.prod.resources.requests.memory                                      "2Gi"
communitymanager.prod.resources.requests.cpu                                         "250m"
communitymanager.prod.resources.limits.memory                                        "4Gi"
communitymanager.prod.resources.limits.cpu                                           "500m"
communitymanager.prod.replicacount                                                   1
communitymanager.prod.readinessProbe.initialDelaySeconds                             10
communitymanager.prod.readinessProbe.periodSeconds                                   60
communitymanager.prod.livenessProbe.initialDelaySeconds                              60
communitymanager.prod.livenessProbe.timeoutSeconds                                   30
communitymanager.prod.livenessProbe.periodSeconds                                    60
communitymanager.prod.livenessProbe.successThreshold                                 1
communitymanager.prod.livenessProbe.failureThreshold                                 3
communitymanager.prod.setupfile                                      configmap name  null
communitymanager.prod.dbpassword                                     secretName      null
communitymanager.prod.archive.enable                                                 true
communitymanager.prod.archive.capacity                                               "100Mi"
communitymanager.prod.archive.storageclass                                           "slow"
communitymanager.prod.ssl.enable                                                     false
communitymanager.prod.ssl.keystore                                   secret          null
communitymanager.prod.ssl.keystorefilename                                           null
communitymanager.prod.ssl.keystorepassword                           secretname      null
communitymanager.nonprod.enable                                                      true
communitymanager.nonprod.resources.requests.memory                                   "2Gi"
communitymanager.nonprod.resources.requests.cpu                                      "250m"
communitymanager.nonprod.resources.limits.memory                                     "4Gi"
communitymanager.nonprod.resources.limits.cpu                                        "500m"
communitymanager.nonprod.replicacount                                                1
communitymanager.nonprod.autoscaling.enabled                                         true
communitymanager.nonprod.autoscaling.minReplicas                                     1
communitymanager.nonprod.autoscaling.maxReplicas                                     2
communitymanager.nonprod.autoscaling.targetCPUUtilizationPercentage                  85
communitymanager.nonprod.readinessProbe.initialDelaySeconds                          10
communitymanager.nonprod.readinessProbe.periodSeconds                                60
communitymanager.nonprod.livenessProbe.initialDelaySeconds                           60
communitymanager.nonprod.livenessProbe.timeoutSeconds                                30
communitymanager.nonprod.livenessProbe.periodSeconds                                 60
communitymanager.nonprod.livenessProbe.successThreshold                              1
communitymanager.nonprod.livenessProbe.failureThreshold                              3
communitymanager.nonprod.hostname                                                    null
communitymanager.nonprod.setupfile                                   configmap name  null
communitymanager.nonprod.dbpassword                                  secretName      null
communitymanager.nonprod.archive.enable                                              true
communitymanager.nonprod.archive.capacity                                            "100Mi"
communitymanager.nonprod.archive.storageclass                                        "slow"
communitymanager.nonprod.ssl.enable                                                  false
communitymanager.nonprod.ssl.keystore                                secret          null
communitymanager.nonprod.ssl.keystorefilename                                        null
communitymanager.nonprod.ssl.keystorepassword                        secretname      null

Sample values.yaml file

You can refer to the default values.yaml file to define your own custom values.yaml file for
specifying required values and overriding default configurations while installing the IBM
Partner Engagement Manager Standard application using Certified Container.

image:
name:
tag:
pullPolicy:
pullSecret: ""

arch: amd64

serviceAccountName:
timezone:
configmapname:
volumeClaims:
resources:
enabled: true
capacity: 100Mi
storageclass: slow

logs:
enabled: false
capacity: 1Gi
storageclass:
test:
image:
repository: 'cp.icr.io/cp'
name: 'opencontent-common-utils'
tag: '1.1.11'
pullPolicy: 'IfNotPresent'

dbsetup:
upgrade: true
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
setupfile:
passphrasesecret:
migrator:
default_sponsor: true
## For more information about configuring the properties of Setup.cfg file,
#refer to
#http://www.ibm.com/support/knowledgecenter/SSKPRS/com.ibm.help.pem.local.doc/r_setup_cfg_file_properties.html
## LICENSE
## Setting this value to true enables you to accept the licenses and start
#the docker container. Valid values are true and false.
accept_license: true
## SUBSCRIPTION MONITOR
## Specify the host and the port details for proxy server, which enables you
#to connect to the subscription monitor.
proxy_host:
proxy_port:
proxy_user_name:
#Provide the secret name
proxy_password:
proxy_protocol:
## Specify the customer ID. Ensure that the customer ID that you specify
#matches with your Bluemix ID that you have registered to download IBM PEM
#image.
customer_id:

## DATABASE AND SSL PROPERTIES THAT ARE COMMON TO ALL THE APPLICATIONS
## Specify the type of database, either DB2 or Oracle.
db_type:
## Enable or disable the SSL connection for master and testmode database
#schemas. Valid values are true and false and the default value is set to
#false.
ssl_connection:
## Specify the database details for the master schema. These properties
#enable you to start the following docker containers: IBM PEM, Partner
#Repository, Partner Provisioner, Purge, Migrator, Master key regenerator,
#and DBUtils.
db_port:
db_host:
db_name:
db_schema:
db_user:
#Provide the secret name
db_password:
db_driver:
## DB CONNECTION MANAGER DETAILS. COMMON FOR IBM PEM, PARTNER REPOSITORY &
#PARTNER PROVISIONER
## Specify the maximum pool size of the master schema's database connection.
#If you do not specify the size, a default value of 500 is set.
db_max_pool_size: 500
## Specify the minimum pool size of the master schema's database connection.
#If you do not specify the size, a default value of 5 is set.
db_min_pool_size: 5
## Specify the maximum time after which the physical connection is discarded
#by pool maintenance of the master schema's database connection. If you do
#not specify the time, a default value of 1440m is set. Here, m refers to
#minutes.
db_aged_timeout: 1440m
## Specify the maximum idle time for the master schema's database
#connection. If you do not specify the idle time, a default value of 1440m is
#set. Here m refers to minutes.
db_max_idle_time: 1440m
## Specify the keystore/truststore file name containing the public
#certificate and password of the master schema's database. The
#keystore/truststore (.jks file) has to be copied in the <mount
#location>/resources/security folder.
db_sslTrustStoreName:
#Provide the secret name
db_sslTrustStoresecret:
#Provide the secret name
db_sslTrustStorePassword:
## Specify the database details for the test mode schema. These properties

#enable you to start the following docker containers: IBM PEM, Partner
#Provisioner, Migrator, Master key regenerator, and DBUtils.
testmode_db_port:
testmode_db_host:
testmode_db_name:
testmode_db_schema:
testmode_db_user:
#Provide the secret name
testmode_db_password:
testmode_db_driver:
## TESTMODE DB CONNECTION MANAGER DETAILS. COMMON FOR IBM PEM, PARTNER
#REPOSITORY & PARTNER PROVISIONER
## Specify the maximum pool size of the test mode schema's database
#connection. If you do not specify the size, a default value of 500 is set.
testmode_db_max_pool_size: 500
## Specify the minimum pool size of the test mode schema's database
#connection. If you do not specify the size, a default value of 5 is set.
testmode_db_min_pool_size: 5
## Specify the maximum time after which the physical connection is discarded
#by pool maintenance of the testmode schema's database connection. If you do
#not specify the time, a default value of 1440m is set. Here, m refers to
#minutes.
testmode_db_aged_timeout: 1440m
## Specify the maximum idle time for the test mode schema's database
#connection. If you do not specify the idle time, a default value of 1440m is
#set. Here m refers to minutes.
testmode_db_max_idle_time: 1440m
## Specify the keystore/truststore file name containing the public
#certificate and password of the testmode schema's database. The
#keystore/truststore (.jks file) has to be copied in the <mount
#location>/resources/security folder.
testmode_db_sslTrustStoreName:
testmode_db_sslTrustStoresecret:
#Provide the secret name
testmode_db_sslTrustStorePassword:

security:
runAsUser: 1011
supplementalGroups:
- 555
fsGroup: 1011

ssoSeas:
enable: false #if enabled copy the seas jars to resources volume

truststoreName: #Specify the secret name for truststorefile
truststorePassword: #specify the secret name for truststore password
truststoreAlias: #Specify the SEAS truststore alias
truststoreType: #Specify the SEAS truststore type.
keystoreName: #Specify the secret name for keystore file
keystorePassword: #specify the secret name for keystore password
keystoretype: #Specify the SEAS keystore type.
keystoreAlias: #Specify the SEAS keystore alias
ssomigration:
enable: false #if enabled resources volume must be enabled to generate data files
migrationAction:
sponsorContext:
orgDataFilename:
userDataFilename:

pem:
enable: true
replicas: 1
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 85
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
hostname:
setupfile:
servers:
## Specify the list of JVM options for the servers, and separated by space.
#For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options: "-Xms4g -Xmx4g"

## Specify the server details that are common for IBM PEM, Partner
#Repository, and Partner Provisioner. The keystore file (.jks file) has to be
#copied in the <mount location>/resources/security folder.
#Provide the secret name
keystore_password:
keystore_alias:
keystore_filename:
## Specify the maximum size for the server log file in MB. The default value
#is 100 MB.
max_file_size: 100
password:
## Specify the maximum number of server log files. The default value is 20.
max_files: 20
## Specify the console log level. For example, "INFO".
console_log_level: INFO
## Specify the trace specification. The default value is "*: info".
trace_specification: "*: info"

pp:
enable: true
replicas: 1
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 85
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
hostname:
setupfile:
servers:

## Specify the list of JVM options for the servers, and separated by space.
#For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options: "-Xms4g -Xmx4g"
## Specify the server details that are common for IBM PEM, Partner
#Repository, and Partner Provisioner. The keystore file (.jks file) has to be
#copied in the <mount location>/resources/security folder.
#Provide the secret name
keystore_password:
keystore_alias:
keystore_filename:
## Specify the maximum size for the server log file in MB. The default value
#is 100 MB.
max_file_size: 100
## Specify the maximum number of server log files. The default value is 20.
max_files: 20
## Specify the console log level. For example, "INFO".
console_log_level: INFO
## Specify the trace specification. The default value is "*: info".
trace_specification: "*: info"
## JMS PROPERTIES FOR PARTNER PROVISIONER & PARTNER REPOSITORY
## Enables the Java Messaging Service (JMS) feature that is common for
#Partner Repository and Partner Provisioner.
## TO ENABLE JMS FOR PARTNER REPOSITORY
## For embedded client use enableJmsFeatures: "embdClientOnly"
## For wmq client use enableJmsFeatures: "wmqClientOnly"
## TO ENABLE JMS FOR PARTNER PROVISIONER
## For embedded client use enableJmsFeatures: "embdClientOnly"
## For embedded server use enableJmsFeatures: "embdServerAndClientOnly"
## For wmq client use enableJmsFeatures: "wmqClientOnly"
## For more information, refer to Configuring the properties of Setup.cfg
#file topic in the product documentation.
enable_jms_features: embdServerAndClientOnly
## Specify the embedded JMS queue details that are common for Partner
#Repository and Partner Provisioner.
provisioner_request_queue: PEM_request
provisioner_response_queue: PEM_response
remote_server_ssl: false
remote_server_host: #service hostname
remote_server_port: 7276 #7276 for non ssl 7286 for ssl
## If you are using WebSphere MQ (WMQ) as your JMS service provider, specify
#the WMQ details that are common for Partner Repository and Partner
#Provisioner.
channel:
connection_name_list:
queue_manager:
username:

password: #Provide the secret name
wmq_provisioner_request_queue_manager:
wmq_provisioner_response_queue_manager:
wmq_provisioner_request_queue_name:
wmq_provisioner_response_queue_name:
ssl_cipher_suite:

pr:
enable: true
replicas: 1
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 85
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
hostname:
setupfile:
servers:
## Specify the list of JVM options for the servers, and separated by space.
#For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options: "-Xms4g -Xmx4g"
## Specify the server details that are common for IBM PEM, Partner
#Repository, and Partner Provisioner. The keystore file (.jks file) has to be
#copied in the <mount location>/resources/security folder.
#Provide the secret name
keystore_password:
keystore_alias:
keystore_filename:
## Specify the maximum size for the server log file in MB. The default value

#is 100 MB.
max_file_size: 100
## Specify the maximum number of server log files. The default value is 20.
max_files: 20
## Specify the console log level. For example, "INFO".
console_log_level: INFO
## Specify the trace specification. The default value is "*: info".
trace_specification: "*: info"
## JMS PROPERTIES FOR PARTNER PROVISIONER & PARTNER REPOSITORY
## Enables the Java Messaging Service (JMS) feature that is common for
#Partner Repository and Partner Provisioner.
## TO ENABLE JMS FOR PARTNER REPOSITORY
## For embedded client use enableJmsFeatures: "embdClientOnly"
## For wmq client use enableJmsFeatures: "wmqClientOnly"
## TO ENABLE JMS FOR PARTNER PROVISIONER
## For embedded client use enableJmsFeatures: "embdClientOnly"
## For embedded server use enableJmsFeatures: "embdServerAndClientOnly"
## For wmq client use enableJmsFeatures: "wmqClientOnly"
## For more information, refer to Configuring the properties of Setup.cfg
#file topic in the product documentation.
enable_jms_features: embdClientOnly
## Specify the embedded JMS queue details that are common for Partner
#Repository and Partner Provisioner.
provisioner_request_queue: PEM_request
provisioner_response_queue: PEM_response
remote_server_ssl: false
remote_server_host:
remote_server_port: 7276
## If you are using WebSphere MQ (WMQ) as your JMS service provider, specify
#the WMQ details that are common for Partner Repository and Partner
#Provisioner.
channel:
connection_name_list:
queue_manager:
username:
#Provide the secret name
password:
wmq_provisioner_request_queue_manager:
wmq_provisioner_response_queue_manager:
wmq_provisioner_request_queue_name:
wmq_provisioner_response_queue_name:
ssl_cipher_suite:

purge:
enable: false

schedule: "0 9 * * 1"
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
setupfile:
purge:
## PURGE
## Specify the purge tool name. This property prevents two users who specify
#the same purge name from purging the records simultaneously.
name:
## Specify the number of days before the current date for which the records
#need to be purged. Only those records that qualify are purged. For example,
#if you specify 60 days, records that are present before 60 days from the
#current date and satisfy the purge criteria are purged.
number_of_purge_days:
## Specify the number of records to be purged in a batch. The default value
#is 1. IMPORTANT: Please do not modify this value.
purge_count:
## Specify the Sponsor context or * where * takes all the sponsors in the
#system.
sponsor_context:
## Specify the maximum number of pooled connections allowed for the
#database. The default value is 50.
no_of_db_connections:
## Default value for resource_to_purge is set to SPONSOR.
## For more information, refer to Configuring the properties of Setup.cfg
#file topic in the product documentation.
resource_to_purge:
## Specify the resource key for Sponsor / Sponsor user / Partner / Partner
#user / Third party processor / Third party processor user.
resource_to_purge_key:
# PURGE STRATEGY
# To enable purge, purge_strategy: "DELETE". This will only delete data from
#source database.
# To enable archive, purge_strategy: "ARCHIVE". This will delete data from
#source database and copies to target database.
# Default value for purge_strategy is set to ARCHIVE
purge_strategy:
## Enable or disable the source database and target database schemas are
#same or not. Valid values are true and false and the default value is set to
#true.
target_db_is_same_as_source_db:

## DATABASE AND SSL PROPERTIES FOR PURGE TARGET DATABASE, This properties
#need to configure only
## Specify the type of purge target database, either DB2 or Oracle.
target_db_type:
## Enable or disable the SSL connection for purge target database schema.
#Valid values are true and false and the default value is set to false.
## Specify the list of JVM options for purge separated by space.
jvm_options:
## Specify the log level, either FINE, INFO, or SEVERE. The default value is
#INFO.
java_util_logging_file_handler_level:
## Specify the file size limit, in MB for each log file.
java_util_logging_file_handler_limit:
## Specify the number of log files.
java_util_logging_file_handler_count:

agent:
replicas: 1
enable: false
resources:
requests:
memory: "1Gi"
cpu: "250m"
limits:
memory: "2Gi"
cpu: "500m"
setupfile:
agent:
## AGENT
## Specify the type of agent, scanagent or certificateupdate. If you want to
#run both Scan Agent and certificate update, specify both the values
#separated by commas. For example, "scanagent,certificateupdate".
type:
## Specify the list of JVM options for the scan agent separated by space.
jvm_options:
## Set the host or IP of the antivirus server.
antivirus_server_host:
## Enter a port number of the antivirus server.
antivirus_server_port:
## Specify the maximum number of pooled connections allowed to the database.
#The default value is 50.
no_of_db_connections:
## Specify the time interval between retries for connection failure with
#antivirus server. The default value is set to 21600 seconds, and accepts
#only numeric values.

retry_interval_in_sec:
## Specify the maximum number of times the agent must retry scanning a file,
#in case the scan fails for some reason. The default value is 1460 seconds,
#and accepts only numeric values.
max_retry_count:
## Specify the limit, in MB for each log file. The default value is set to
#100.
com_ibm_vch_identity_security_limit:
## Specify the log level, either FINE, INFO, or SEVERE. The default value is
#INFO.
com_ibm_vch_identity_security_level:
## Specify the number of log file counts. The default value is 20.
com_ibm_vch_identity_security_count:
## Specify the class to enable antivirus extensibility.
scan_extensibility_class:

gateway:
replicas: 1
enable: true
resources:
requests:
memory: "1Gi"
cpu: "250m"
limits:
memory: "2Gi"
cpu: "500m"
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
hostname:
setupfile:
servers:
## Specify the list of JVM options for the servers, and separated by space.
#For example, jvm_options: "-Xms4g -Xmx4g".
jvm_options:
## Specify the server details that are common for IBM PEM, Partner
#Repository, and Partner Provisioner. The keystore file (.jks file) has to be
#copied in the <mount location>/resources/security folder.
#Provide the secret name

keystore_password: pem-secret
keystore_alias: keystoreCER
keystore_filename: keystore.jks
## Specify the maximum size for the server log file in MB. The default value
#is 100 MB.
max_file_size: 100
## Specify the maximum number of server log files. The default value is 20.
max_files: 20
## Specify the console log level. For example, "INFO".
console_log_level: INFO
## Specify the trace specification. The default value is "*: info".
trace_specification: "*: info"
gateway:
## GATEWAY
## Enter the list of containers available for each service in a comma
#separated fashion [https://<host1>:<port1>,https://<host2>:<port2>,...]
pem_servers:
pr_servers:
max_file_size:
max_request_size:
hostname_validation_required: "false"

communitymanager:
install: false
image:
repository:
pullPolicy:
tag:
pullSecret:
prod:
enable: true
setupfile: #configmap
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 85
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
replicacount: 1

readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
cmapi: #configure these values only if sso disabled
replicacount: 1
hostname:
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 60
sso:
enable: false
hostname:
dbpassword: #secretName
archive:
enable: true
capacity: 100Mi
storageclass: slow
ssl:
enable: false
keystore: #secret
keystorefilename:
keystorepassword: #secretname

nonprod:
enable: false
setupfile:
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
replicacount: 1
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 85
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
cmapi: #configure these values only if sso disabled
replicacount: 1
hostname:
resources:
requests:
memory: "2Gi"
cpu: "250m"
limits:
memory: "4Gi"
cpu: "500m"
readinessProbe:
initialDelaySeconds: 10
periodSeconds: 60
livenessProbe:
initialDelaySeconds: 60
timeoutSeconds: 30
periodSeconds: 60
successThreshold: 1
failureThreshold: 3
autoscaling:
enabled: false

minReplicas: 1
maxReplicas: 2
targetCPUUtilizationPercentage: 60
hostname:
sso:
enable: false
dbpassword: #secretName
archive:
enable: true
capacity: 100Mi
storageclass: slow
ssl:
enable: false
keystore: #secret
keystorefilename:
keystorepassword: #secretname

Downloading Certified Container artifacts

You can download Certified Container artifacts from the following locations:

• IBM Entitled Registry for Certified Container Images

Downloading Certified Container Images from Entitled Repository:

You can pull the Partner Engagement Manager Standard Certified Container images
from IBM Entitled Registry into the cluster.

IBM Partner Engagement Manager Standard Certified Container v6.2.3 Certified
Container

o cp.icr.io/cp/ibm-pem/pcm:6.2.3

Complete the following steps to download Certified Container images from IBM
Entitled Registry:

1. Ensure that you have obtained the Entitlement key.
2. Log in to MyIBM Container Software Library with the IBM ID and password that
are associated with the entitled software. If you are not directed to the
entitlement page, click Get an entitlement key and obtain the Entitlement Key.
3. In the Entitlement key section, click Copy key to copy the entitlement key to
the clipboard.
4. Save the Entitlement Key to a safe location for later use.

To confirm that your Entitlement Key is valid, click View library on the left
of the page. You can view the list of products that you are entitled to. If Sterling
B2B Integrator or Sterling File Gateway is not listed, or if the View library link is
disabled, it indicates that the identity with which you are logged in to the
container library does not have an entitlement for Sterling B2B
Integrator or Sterling File Gateway. In this case, the Entitlement Key is not valid
for installing the software.

5. Set Entitled Registry information by completing the following steps:


a. Run export commands that set ENTITLED_REGISTRY to cp.icr.io.
b. Set ENTITLED_REGISTRY_USER to cp.
c. Set ENTITLED_REGISTRY_KEY to the entitlement key that you saved to a
safe location.
6. Optional. Log in to Entitled Registry using the following docker login command
to validate the Entitled Registry credentials:

docker login "$ENTITLED_REGISTRY" -u "$ENTITLED_REGISTRY_USER" -p "$ENTITLED_REGISTRY_KEY"

7. Run the following command to create Docker pull Secret for pulling the images
from IBM Entitled Registry:

kubectl create secret docker-registry <secret name> --docker-username="cp" --docker-password="<Entitled registry API key>" --docker-email="<email address>" --docker-server="cp.icr.io" -n <namespace>

8. Update the service account or Helm Chart image pull secret configurations with
the above Secret name.

9. Follow these steps to download and push images to an OpenShift or a local image
registry

9.1 Download the image using the docker or podman pull command

docker pull cp.icr.io/cp/ibm-pem/pem_cm:6.2.3


podman pull cp.icr.io/cp/ibm-pem/pem_cm:6.2.3

9.2 Tag the downloaded image with the correct local or OpenShift registry.

docker tag <imageid> <registry URL>:<tag>


podman tag <imageid> <registry URL>:<tag>

9.3 Push the Docker image using the docker or podman push command.

docker push <registry URL>:<tag>


podman push <registry URL>:<tag>
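
Steps 5 to 7 above pass the entitlement key as a command-line argument. The following added example (not part of the original document or of IBM's tooling) performs the same login and pull-secret creation with the key sent over stdin instead; the function names, the secret name `pem-pull-secret` and the namespace `pem` are hypothetical.

```shell
# Added example, not IBM's script. Expects ENTITLED_REGISTRY,
# ENTITLED_REGISTRY_USER and ENTITLED_REGISTRY_KEY to be exported as in step 5.

# Step 6 without the key in argv: -p "$KEY" shows up in the process list and
# shell history, while --password-stdin reads it from a pipe.
registry_login() {
  printf '%s' "$ENTITLED_REGISTRY_KEY" |
    docker login "$ENTITLED_REGISTRY" -u "$ENTITLED_REGISTRY_USER" --password-stdin
}

# Build the .dockerconfigjson document a docker-registry Secret carries.
# Args: registry user key. Values are inserted verbatim, so they must not
# contain '"' or '\'. tr removes the line wrapping base64 adds to long input.
dockerconfigjson() {
  local auth
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth"
}

# Step 7 as a manifest, so the key reaches kubectl over stdin rather than in a
# --docker-password=... argument. Args: secret-name namespace (hypothetical).
pull_secret_manifest() {
  local cfg
  cfg=$(dockerconfigjson "$ENTITLED_REGISTRY" "$ENTITLED_REGISTRY_USER" \
    "$ENTITLED_REGISTRY_KEY" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Typical use on a workstation that has docker and kubectl:
#   registry_login
#   pull_secret_manifest pem-pull-secret pem | kubectl apply -f -
```

The manifest still contains the key in base64 form, so pipe it straight to kubectl rather than writing it to a file.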

Downloading Certified Container artifacts

You can download Certified Container artifacts from the following locations:

• IBM chart repository for Certified Container Helm Charts

Downloading Certified Container Helm charts from Chart Repository

You can download Partner Engagement Manager Standard Certified Container Helm
charts from IBM chart repository or Red Hat OpenShift Container Platform Developer
Catalog.

You can download Partner Engagement Manager Standard v6.2.3 Helm charts from IBM
chart repository here:
Chart Repository URL:
https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-pem-standard-prod-1.2.4.tgz

Downloading from Red Hat OpenShift Container Platform


You can also download and install Partner Engagement Manager Standard Helm
charts from Developer Catalog on Red Hat OpenShift Container Platform by
performing the following steps:

1. Log in to the Red Hat OpenShift Container platform with your user credentials.

2. From the left navigation pane, select the option for the Developer dashboard.
3. Click +Add and select the From Catalog option. The Developer Catalog page is
displayed.
4. From the Type menu, select the Helm Charts checkbox.
5. In the All-Items filter, search for the product. For example, based on your
entitlement, select Sterling B2B Integrator or Sterling File Gateway for which you
want to install the Helm chart.
6. For prerequisites before installing the Helm charts, see the Prerequisites for
installing Partner Engagement Manager Standard Certified Container link.
7. Read the license details and click Install Helm Chart.
8. Edit the values as needed and click Install. For more information about the
available values in values.yaml file, see Configuring the Certified Container link
9. Go to the Administrator dashboard and validate the deployed resources.

Using Helm Command Line

You can install Partner Engagement Manager Standard using Helm Command Line.

Follow these steps

Installing the Chart

To install the chart with the release name my-release, ensure that the chart is
downloaded locally and available, then run the following command:
$ helm install my-release -f values.yaml ./ibm-pem-standard --timeout 3600s --namespace <namespace>

Note: Depending on the capacity of the OpenShift worker node and database network
connectivity, chart deployment can take on average

• 2-3 minutes for 'installation against a pre-loaded database' and
• 10-20 minutes for 'installation against a fresh new or older release upgrade'

Upgrading the Chart

You can upgrade the existing deployment when you have a new Docker image or a Helm
chart version or a change in the configuration.

To upgrade the chart with the release name my-release

1. Ensure that the chart is downloaded locally and available.

2. Before upgrading the release for any configuration change, set
dataSetup.setup to false.

3. Run the following command to upgrade your deployments.

helm upgrade my-release -f values.yaml ./ibm-pem-standard --timeout 3600s

4. Run the following command to upgrade your deployments

helm upgrade my-release -f values.yaml ./ibm-pem-standard --timeout 3600s --recreate-pods


For a product release version upgrade, refer to the product documentation.

Rollback the Chart

If the upgraded environment is not working as expected or you made an error while
upgrading, you can easily roll back the chart to a previous revision.

Procedure

To roll back a chart with release name <my-release> to a previous revision, invoke the following
command:

helm rollback my-release <previous revision number>

To get the revision number execute the following command:

helm history my-release

Note: If the revision isn't specified, the chart is rolled back to the last revision by default.
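
When several upgrades have failed in a row, the revision just before the current one is itself a failed one, so the revision number is worth choosing explicitly. The following added example (not from the original document) reads the `helm history` table and rolls back to the newest earlier revision that Helm recorded as good; the function names and the sample rows are constructed, and the parser assumes the default table output, in which the UPDATED column is five whitespace-separated tokens.

```shell
# Added example, not part of the product documentation.
# Constructed sample in the column layout that `helm history` prints.
sample_history() {
  cat <<'EOF'
REVISION  UPDATED                   STATUS      CHART                        APP VERSION  DESCRIPTION
1         Mon Jan  8 09:12:44 2024  superseded  ibm-pem-standard-prod-1.2.4  6.2.3        Install complete
2         Tue Jan  9 10:40:02 2024  deployed    ibm-pem-standard-prod-1.2.4  6.2.3        Upgrade complete
3         Wed Jan 10 16:21:37 2024  failed      ibm-pem-standard-prod-1.2.4  6.2.3        Upgrade failed: timed out
4         Wed Jan 10 17:05:11 2024  failed      ibm-pem-standard-prod-1.2.4  6.2.3        Upgrade failed: timed out
EOF
}

# Read a history table on stdin and print the newest revision before the
# current (last) one whose status is superseded or deployed.
# Exit status 1 means there is no earlier good revision.
# Field 1 is REVISION; field 7 is STATUS because UPDATED spans fields 2-6.
rollback_target() {
  awk '$1 ~ /^[0-9]+$/ { rev[++n] = $1; st[n] = $7 }
       END {
         for (i = n - 1; i >= 1; i--)
           if (st[i] == "superseded" || st[i] == "deployed") { print rev[i]; exit 0 }
         exit 1
       }'
}

# Roll a release back to that revision. Args: release namespace.
safe_rollback() {
  local rev
  rev=$(helm history "$1" --namespace "$2" | rollback_target) || {
    echo "no earlier good revision found for $1" >&2
    return 1
  }
  echo "rolling $1 back to revision $rev"
  helm rollback "$1" "$rev" --namespace "$2" --wait --timeout 3600s
}

# sample_history | rollback_target    # prints 2
```

Helm reverts only the Kubernetes resources of the release; the database is restored separately from its backup.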

Recover to last stable running state


1. Back up the database

Procedure

Back up the database used with IBM Partner Engagement Manager Standard. If you are using
ORACLE / DB2, this is part of the IBM PEM Standard installation directory structure. Take the
following precautions:

• If you are using ORACLE, stop PEM and PCM before backing up the file system.

• If you are using another database, perform one of the following:

-- Stop IBM PEM / PCM before backing up the database.

-- Use a database backup tool that allows you to back up the database while it is live.
Never attempt to back up a live database otherwise.

2. Rollback the Chart

If the upgraded environment is not working as expected or you made an error while upgrading,
you can easily rollback the chart to a previous revision.

Procedure

To rollback a chart with release name <my-release> to a previous revision invoke the following
command:

helm rollback my-release <previous revision number>

To get the revision number execute the following command:

helm history my-release

Note: The rollback is only supported to a previous release.

3. Restore the database

• Restore the database used with IBM Partner Engagement Manager Standard.

Uninstalling the Chart


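To uninstall or delete the my-release deployment, run the following command:
helm delete my-release

With Helm 3, which this chart requires, helm delete removes the release history by
default; the Helm 2 --purge flag no longer exists.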

Since there are certain Kubernetes resources created using the pre-install hook, the helm
delete command will try to delete them as a post-delete activity. In case it fails to do so,
you need to manually delete the following resources created by the chart:

• ConfigMap - -Migrator-Setupfile
• ConfigMap - -Dbutils-Setupfile
• PersistentVolumeClaim if persistence is enabled - -resources-pvc only if
resources pv are enabled
• PersistentVolumeClaim if persistence is enabled - -logs-pvc #enable logs for
migrator and dbutils

Note: You may also consider deleting the secrets and persistent volumes created as part
of prerequisites, after creating their backups.

Installation validation:
We can verify whether the application is installed successfully
by following the two procedures below.
1. Connect to OpenShift command line
Log in to the OpenShift CLI and run the following command:

Command : oc get routes --no-headers -o custom-columns=":spec.host"

After the command runs successfully, you can see the URLs for the following
applications:
1. Community Manager - Prod
2. Community Manager - NonProd

Check that all the above-mentioned application URLs are accessible and check the application
functionality.

Upgrade and Rollback


After you have planned the upgrade and completed the prerequisite tasks, you are
ready to upgrade Sterling B2B Integrator.
About this task
Note: You must perform a backup of the database. If, for some reason, the update is
interrupted or stopped midway, you must manually revert the database changes using the
backup and then restart the update.

Follow these steps to perform an upgrade:

Procedure
1. Upgrade the database schema to the latest version. Make sure you have correctly
configured the below parameters in your Helm chart configuration
file, values.yaml.
dataSetup:
  setup: true
Perform helm install, if you want to upgrade from an IBM Installation Manager or
Docker deployment.
helm install <release-name> -f <helm configuration file> <latest version helm chart location> --timeout <timeout in seconds or minutes> --namespace <Kubernetes namespace>

Note: release-name: release name of your choice

helm configuration file: custom/updated values yaml

latest helm chart location: path for latest helm charts

timeout: specify a timeout for the helm install command. It can be specified in
seconds or minutes viz. 3600s/60m

For a release version upgrade with dataSetup enabled the helm install command
takes approximately 15-20 minutes. For a pre-upgraded database it takes about 2-3
minutes.
namespace: project/namespace for the product installation

2. Perform helm upgrade, if you want to upgrade from a previous Certified Container
release compatible with the supported Kubernetes container platform and Helm
versions.
helm upgrade <existing release-name> -f <helm configuration file> <latest version helm chart location> --timeout <timeout in seconds or minutes> --namespace <Kubernetes namespace>

Note: release-name: release name of your choice

helm configuration file: custom/updated values yaml

latest helm chart location: path for latest helm charts

timeout: specify a timeout for the helm install command. It can be specified in seconds
or minutes viz. 3600s/60m

For a release version upgrade with dataSetup enabled the helm install command
takes approximately 15-20 minutes. For a pre-upgraded database it takes about 2-3
minutes.
namespace: project/namespace for the product installation

Note: Helm upgrade or rolling upgrade is not supported for upgrades from older
Certified Container 6.0.3.x releases to latest version releases (>= v6.1.0) due to the
underlying container platform and Helm version upgrade limitations.

Rollback the Chart

If the upgraded environment is not working as expected or you made an error while
upgrading, you can easily roll back the chart to a previous revision.

Procedure

To roll back a chart with release name <my-release> to a previous revision, invoke the following
command:

helm rollback my-release <previous revision number>

To get the revision number execute the following command:

helm history my-release

Note: If the revision isn't specified, the chart is rolled back to the last revision by default.
