IBM Enterprise Records
Deploy IER
If IBM Enterprise Records is required, you should have already staged the image per the previous instructions in Staging.
Create the ibm-ier-secret
If deploying IER, create the following secret:
kubectl create secret generic ibm-ier-secret \
--from-literal=appLoginUsername="cpadmin" \
--from-literal=appLoginPassword="Password" \
--from-literal=keystorePassword="p@ssw0rd" \
--from-literal=ltpaPassword="p@ssw0rd"
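With `--from-literal`, every password is typed on the command line, where shell history and the process list can see it. The sketch below is an added example, not part of the original instructions: it validates a `KEY=value` file and creates the same secret from it. The `KUBECTL` override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): validate a KEY=value file,
# then create ibm-ier-secret from it so no password appears in argv.
KUBECTL="${KUBECTL:-kubectl}"   # assumption: override hook, e.g. "oc"

# check_ier_env_file FILE
# Succeeds only if FILE is private to its owner and defines all four keys
# with values other than the sample ones shown on this page.
check_ier_env_file() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group/other bits.
  case "$(ls -ld "$file")" in
    -???------*) ;;
    *) echo "$file: readable by group or others, chmod 600 it" >&2; return 1 ;;
  esac
  for key in appLoginUsername appLoginPassword keystorePassword ltpaPassword; do
    value="$(sed -n "s/^$key=//p" "$file")"
    case "$value" in
      "") echo "$key: missing or empty" >&2; return 1 ;;
      Password|p@ssw0rd) echo "$key: still a sample value" >&2; return 1 ;;
    esac
  done
  return 0
}

# create_ier_secret FILE
# --from-env-file turns each KEY=value line into one secret entry.
create_ier_secret() {
  check_ier_env_file "$1" || return 1
  "$KUBECTL" create secret generic ibm-ier-secret --from-env-file="$1"
}
```

Call it as `create_ier_secret ier-secret.env` and delete the file once the secret has been created.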
Create the config map fncmdeploy-tm-custom-env
This step is required when deploying IER to the cluster. Task Manager pods require the TM_JOB_URL env variable to point to the location of the IER plugin.
kind: ConfigMap
apiVersion: v1
metadata:
  name: fncmdeploy-tm-custom-env
  labels:
    app: fncmdeploy-tm-custom-env
data:
  TM_JOB_URL: "https://fncmdeploy-ier-svc:9443/EnterpriseRecordsPlugin/IERApplicationPlugin.jar"
In our case, the TM_JOB_URL referenced here needs to point to the internal service URL rather than an external URL, because the external URL does not exist.
This is also a custom env variable for Task Manager that we will enable in the CR below.
Apply it to the cluster
kubectl apply -f fncmdeploy-tm-custom-env.yaml
Update the CR for Task Manager
In the filenet CR you used to deploy the cluster, make the following changes and additions:
Under the Task Manager application block in the CR add the custom_configmap to point to the config map we just created. Also make sure the security_roles_to_group_mapping are set to cpadmins and cpusers as these are the groups that exist in LDAP.
custom_configmap:
  - name: fncmdeploy-tm-custom-env
    is_env: true
  # - name: <name of configmap>
  #   volume_path: # optional
## All users/groups belong to one of three roles (Admin, User, or Auditor) that are specific to Task Manager.
## Each role takes a list of users/groups (e.g., groups: [taskAdmins, taskAdmins2]). Refer to Knowledge Center documentation for details.
security_roles_to_group_mapping:
  task_admins:
    groups: [cpadmins]
    users: []
  task_users:
    groups: [cpusers]
    users: []
  task_auditors:
    groups: [cpadmins]
    users: []
Updating CR for IER deployment
In the filenet CR you used to deploy the cluster, make the following changes and additions:
content_optional_components:
  cpe: true
  graphql: true
  cmis: false
  css: false
  es: false
  tm: true
  ban: true
  ier: true
After the navigator_configuration entry in the CR, add the following section:
ier_configuration:
  arch:
    amd64: "3 - Most preferred"
  replica_count: 2
  ier_ext_tls_secret_name:
  ier_auth_ca_secret_name:
  image:
    # This should point to whatever repo you staged the image in. Leave this as default if using IBM's registry
    repository: cp.icr.io/cp/cp4a/ier/ier
    tag: ga-5218-ier-if005
    pull_policy: IfNotPresent
  # This NEEDS to be set to the correct secret name. Make sure it's the one you created above.
  ier_secret_name: ibm-ier-secret
  log:
    format: json
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1024Mi
  auto_scaling:
    enabled: false
    max_replicas: 3
    min_replicas: 1
    target_cpu_utilization_percentage: 80
  ier_production_setting:
    license: accept
  collectd_enable_plugin_write_graphite: false
  run_as_user:
  datavolume:
    existing_pvc_for_ier_instance: ""
  probe:
    readiness:
      initial_delay_seconds: 120
      period_seconds: 5
      timeout_seconds: 10
      failure_threshold: 6
    liveness:
      initial_delay_seconds: 600
      period_seconds: 5
      timeout_seconds: 5
      failure_threshold: 6
Uploading config jars to the Task Manager pod
Before we apply the modified CR, let's prepare the Task Manager pod.
The following files are required for the Task Manager pod:
The above files and how to get them are referenced here, but we've included them in our repo.
Retrieve the name of your existing Task Manager pod
kubectl get pods | grep tm-deploy
fncmdeploy-tm-deploy-9db6b7f7f-6zzjb 1/1 Running 0 5d20h
Push the jars downloaded above to the configDropins/overrides directory on the Task Manager pod.
kubectl cp Jace.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
kubectl cp pe.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
kubectl cp peResources.jar fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
Push up the TM-Liberty.xml file to configDropins/overrides
kubectl cp TM-Liberty.xml fncmdeploy-tm-deploy-9db6b7f7f-6zzjb:configDropins/overrides
Apply the CR
kubectl apply -f ibm_fncm_cr_production.yaml
Wait for about five minutes or so and then check to see if the pod has spun up.
kubectl get pods
NAME READY STATUS RESTARTS AGE
fncmdeploy-cmis-deploy-654774fd5f-5xtnr 1/1 Running 0 6d6h
fncmdeploy-cpe-deploy-7d7dbffc94-n86tt 1/1 Running 0 3d9h
fncmdeploy-css-deploy-1-66bbd484b-qzrl9 1/1 Running 0 6d7h
fncmdeploy-es-deploy-58f9659b8b-klmjh 1/1 Running 0 6d6h
fncmdeploy-graphql-deploy-775766b99d-cx899 1/1 Running 0 6d6h
fncmdeploy-ier-deploy-6f7465cd5d-sxp9d 1/1 Running 0 7h55m
fncmdeploy-navigator-deploy-58b9c95c4-k9gx7 1/1 Running 0 157m
fncmdeploy-tm-deploy-7d4fd64759-x28qw 1/1 Running 0 6d6h
ibm-fncm-operator-748884b478-qkd4f 1/1 Running 0 4d2h
postgres-759fd876ff-d5fxd 1/1 Running 0 6d9h
IER Configuration
IBM Enterprise Records (IER) works in conjunction with FileNet Content Manager to provide the foundation for an enterprise compliance platform. The diagram below shows how the content in FileNet Content Manager and the record objects work together.
On the left side is a folder in FileNet Content Manager that is in a record-enabled FileNet object store. On the right side is a special object store that contains the record objects. This is called a File Plan Object Store.
Create the following object stores and configure them as mentioned. These are the prerequisites for IER functionality to work correctly.
- ROS - Object Store
  Configure connection points for ROS. Below is a screenshot for reference.
- FPOS - Object Store
  Validate the FPOS object store is created:
- In the ACCE console create a CodeModules folder:
- IER Task Manager Setup Configuration
Configuring Task Manager for IER in ICN - In the systems content navigator administration interface go to the settings node:
Scroll down in the general tab under settings to Task Manager configuration and fill in the following:
- Enable the task manager service
- Enter the task manager URL
  - This is the URL that other applications use to communicate with TM
  - e.g. http or https://ServerName:Portnumber/taskManagerWeb/api/V1
  - ServerName =
    - ServiceName if the IER pod is in the same namespace
    - ServiceName.Namespace if the IER pod is in another namespace
- Specify the log directory
Add the TM_JOB_URL environment variable to the Task Manager deployment: Task Manager in Container
- IER Configuration on ICN
Log in to ICN and navigate to Plugins and create a New Plug-in:
Add JAR file path and hit load. It will look like this:
Save and Close. Edit the added plugin and scroll down. You will see the file plan repository like this. Select Connect and then click on the FPOS:
Create a desktop IER and select repository FPOS.
Navigate to the Repository tab (General -> Authentication -> Repository) and add FPOS and ROS as shown below:
Log in to the IER desktop and navigate to administration. The IER desktop will be visible under Desktops and the FPOS repository will be visible under Repositories.
The IER desktop will have the options shown below:
Create a custom menu - Copy the Document Context Menu and add the IER option as shown below. Add the menu to the desktop where IER functionality is expected. Below is the image showing where you can add the custom menu created in the step above:
Profile Creation
Prerequisites:
1. File Plan Object Store is created
2. Record Object Store is created
3. Connection Point for IER is created
To start Configuration Manager, use the commands below. ier_install_path is the location where IBM Enterprise Records is installed.
- Windows
  ier_install_path\configure\configmgr.exe
- macOS/Linux
  ./ier_install_path/configure/configmgr
- Follow the steps below for profile creation. Do a Save and Run Task for each of them.
Create a profile:
Create Marking Sets and Add-ons:
Configure File Plan Object Store:
Configure Record Object Store:
Configure Workflows:
Transfer Workflows:
Configure Content Engine Sweep:
Upon successful completion, the tasks appear like this in the task view:
Appendix
Applying fix for IER
As of the 23.0.x release of CP4BA, the following bug was introduced into IBM FileNet Content Manager:
When trying to access the IBM Enterprise Records desktop, an error message says that you cannot connect to the web client. The log also shows that an exception was thrown "java.lang.NoClassDefFoundError: org.apache.xerces.xni.parser.XMLEntityResolver".
Cause: After moving to Java 11, IERApplicationPlugin.jar is unable to resolve the path to XercesImpl.jar in the ICN container.
Tracked in this link
The following instructions handle addressing this missing jar file.
We have included the required files here.
Keep in mind that future releases of CP4BA and FileNet may not require this fix to be applied. This is currently only applicable to 23.0.1.
Determine the navigator pod with the following command:
kubectl get pods
NAME READY STATUS RESTARTS AGE
fncmdeploy-cmis-deploy-654774fd5f-5xtnr 1/1 Running 0 12d
fncmdeploy-cpe-deploy-7d7dbffc94-n86tt 1/1 Running 0 9d
fncmdeploy-css-deploy-1-66bbd484b-qzrl9 1/1 Running 0 12d
fncmdeploy-es-deploy-58f9659b8b-klmjh 1/1 Running 0 12d
fncmdeploy-graphql-deploy-775766b99d-cx899 1/1 Running 0 12d
fncmdeploy-ier-deploy-6f7465cd5d-sxp9d 1/1 Running 0 6d8h
fncmdeploy-navigator-deploy-58b9c95c4-kt6jc 1/1 Running 0 3d9h
fncmdeploy-tm-deploy-7d4fd64759-x28qw 1/1 Running 0 12d
ibm-fncm-operator-748884b478-qkd4f 1/1 Running 0 10d
postgres-759fd876ff-d5fxd 1/1 Running 0 12d
Create the ier-jars subdirectory on the navigator pod:
kubectl exec -it fncmdeploy-navigator-deploy-58b9c95c4-kt6jc -- mkdir configDropins/overrides/ier-jars
Upload ier-library.xml to configDropins/overrides and xercesImpl-2.12.2.jar to the ier-jars subdirectory on the navigator pod.
kubectl cp ier-library.xml fncmdeploy-navigator-deploy-58b9c95c4-kt6jc:configDropins/overrides/
kubectl cp xercesImpl-2.12.2.jar fncmdeploy-navigator-deploy-58b9c95c4-kt6jc:configDropins/overrides/ier-jars/xercesImpl.jar
Scale the navigator deployment down and up. If you run more than 1 replica, scale appropriately.
kubectl scale deploy fncmdeploy-navigator-deploy --replicas=0
kubectl scale deploy fncmdeploy-navigator-deploy --replicas=1
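Both the Task Manager upload earlier and the Xerces fix above place jars and Liberty XML into configDropins/overrides, where the server loads them. The sketch below is an added example, not part of the original page or its repo: it copies a set of files only after each one matches a SHA-256 manifest recorded when the files were obtained. The manifest file, the `KUBECTL` override and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): verify files against a
# SHA-256 manifest, then copy them into a pod.
KUBECTL="${KUBECTL:-kubectl}"   # assumption: override hook, e.g. "oc"

# verify_manifest MANIFEST DIR
# MANIFEST is in sha256sum text format: "<hex digest>  <file name>".
# Succeeds only if every listed file exists in DIR and matches its digest.
verify_manifest() {
  manifest="$1"; dir="$2"; seen=0; bad=0
  while read -r want name; do
    [ -n "$want" ] || continue
    seen=$((seen + 1))
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; bad=1; continue
    fi
    got="$(sha256sum "$dir/$name" | cut -d' ' -f1)"
    [ "$got" = "$want" ] || { echo "MISMATCH $name" >&2; bad=1; }
  done < "$manifest"
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# push_verified MANIFEST DIR POD DEST
# Copies the listed files to POD:DEST only after the whole set verifies,
# so the pod never receives a partial or altered set.
push_verified() {
  manifest="$1"; dir="$2"; pod="$3"; dest="$4"
  verify_manifest "$manifest" "$dir" || { echo "nothing copied" >&2; return 1; }
  while read -r want name; do
    [ -n "$name" ] || continue
    # </dev/null keeps the copy command from consuming the manifest.
    "$KUBECTL" cp "$dir/$name" "$pod:$dest" </dev/null || return 1
  done < "$manifest"
}
```

For the Task Manager files this would be called as `push_verified tm-files.sha256 . <tm-pod-name> configDropins/overrides`, with the manifest produced by `sha256sum` at the time the files were downloaded.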
Troubleshoot
On Configuration Manager
If you see this error when running the Configure File Plan Object Store task:
Starting to run Configure File Plan Object Store
Configure File Plan Object Store *************************
Finished running Configure File Plan Object Store
An error occurred while running Configure File Plan Object Store
Running the task failed with the following message: A network error occurred when processing a Web service request or response. See the nested exception for specific details. See full stack trace for details. Message: Unexpected end of file from server Duration 50,063 milliseconds.
Workaround:
Update the config of server.xml in the CPE pod, adding a timeout of 10m:
cat server.xml
<server>
  <httpEndpoint id="defaultHttpEndpoint"
                readTimeout="10m"
                host="*"
                httpPort="9080"
                httpsPort="9443"
                protocolVersion="http/1.1">
    <httpOptions PurgeDataDuringClose="true" />
  </httpEndpoint>
</server>
On deploying IER (IER pod doesn't start properly or it starts but getting ssl related error)
If your IER pod doesn't start:
Unable to attach or mount volumes: unmounted volumes=[custom-config-volume ier-custom-keystore-volume], unattached volumes=[], failed to process volumes=[]: timed out waiting for the condition
OR the IER pod is running OK but you see an SSL-related error that prevents the IER engine from starting:
[ERROR ] CWWKS9582E: The [cssSSLSettings] sslRef attributes required by the orb element with the defaultOrb id have not been resolved within 10 seconds. As a result, the applications will not start. Ensure that you have included a keyStore element and that Secure Sockets Layer (SSL) is configured correctly. If the sslRef is defaultSSLConfig, then add a keyStore element with the id defaultKeyStore and a password.
The workaround is to manually upload the plugin jar to the pods:
- Copy IERApplicationPlugin.jar from the latest IER fixpack.
- Log on to OpenShift and retrieve the navigator pod:
oc get pods | grep fncmdeploy-navigator
fncmdeploy-navigator-deploy-f64db4b8f-jj44k 1/1 Running 1 (18d ago) 18d
- Upload IER plugin jar to plug-in store:
oc cp IERApplicationPlugin.jar fncmdeploy-navigator-deploy-f64db4b8f-jj44k:/opt/ibm/plugins
- Upload the IER plugin jar to the Task Manager pod, to both configDropins/overrides and /opt/ibm/extTM:
oc get pods | grep tm-deploy
oc cp IERApplicationPlugin.jar fncmdeploy-tm-deploy-854595dfcd-ptwm6:configDropins/overrides
oc cp IERApplicationPlugin.jar fncmdeploy-tm-deploy-854595dfcd-ptwm6:/opt/ibm/extTM
On Content Navigator (when declaring FPOS as File Plan repository)
If you see an error when declaring FPOS as File Plan repository:
- Create a file named ier-library.xml containing:
<server>
  <library id="FileNetLib">
    <fileset dir="${server.config.dir}/configDropins/overrides/ier-jars" includes="*.jar" scanInterval="5s" />
  </library>
</server>
- Copy xercesImpl-2.12.2.jar from <IER_install_path>/API/JARM
- Navigate to your navigator pod, cd to /opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides and create a folder:
mkdir ier-jars
- Then upload the files from local machine to pod:
oc cp ier-library.xml fncmdeploy-navigator-deploy-f64db4b8f-25xz5:/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides
oc cp xercesImpl-2.12.2.jar fncmdeploy-navigator-deploy-f64db4b8f-25xz5:/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides/ier-jars/