After you have completed the installation, you must perform the initial configuration of IBM Financial Services Workbench to get Solution Designer and Solution Hub up and running. Be aware that even if all necessary pods are running, you cannot work with either component without this configuration.
All the configurations mentioned in this chapter are related to Solution Designer and Solution Hub. This chapter is not about the configurations related to deployed projects. You can find this information under Run Time Configuration.
The initial configuration of IBM Financial Services Workbench is done via a REST API called K5 Configurator Controller API. This API provides a Swagger UI for ease-of-use, but you can use the tool of your choice for calling APIs (e.g. cURL, Postman).
Tip: As long as not configured otherwise, the default URL where you can find the K5 Configurator Swagger UI is built like this: https://k5-configurator.<domain>
The exact URL can be found within the route named k5-configuration-management. It can be easily retrieved by executing
oc get route k5-configurator -n <namespace>
whereby <namespace> points to the namespace, where the Solution Designer and Hub are installed (e.g. zen).
For a new installation, at least the following configuration must be provided:
ArgoCD: Configures the properties to access ArgoCD service
Helm repository: Configures the properties to access the Helm repository
IAM: Configures the properties to access the Identity and Access Management system (IAM), respectively Keycloak
Master key: Configures the master key, needed to have encryption at rest for some sensitive user data, like Git tokens or API keys
MongoDB: Configures the connection to the Mongo database, which is used by the Solution Designer
Audit binding: Configure connection to the audit logging collector
S3 storage: Configures properties to access an S3-Storage, which is used as a persistence layer for the k5-marketplace
Truststore: Updates the truststore, which holds a bunch of certificates, that should be trusted within FSW
Vault: Configures the properties to access a HashiCorp Vault
ArgoCD
These configurations are required to connect to the ArgoCD service.
Use PUT method Update properties for accessing ArgoCD of the Swagger UI or
| Parameter | Description |
| --- | --- |
| url | The URL of the ArgoCD service |
| username | The username to log in to the ArgoCD service |
| password | The password to log in to the ArgoCD service |
| namespace | The namespace (or OpenShift project) of the ArgoCD installation (default: openshift-gitops) |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
url, username and password are required to connect to the ArgoCD service. Please use the route URL as url or ensure that all certificates (whole chain) of the ArgoCD Service are included in the Truststore.
Helm repository
These configurations are required to connect to the Helm repository and to upload helm charts to it.
Use PUT method Update properties for accessing Helm repository of the Swagger UI or
| Parameter | Description |
| --- | --- |
| url | The URL of the Helm repository |
| username | The username to log in to the Helm repository |
| password | The password to log in to the Helm repository |
| uploadUrl | The URL to upload helm charts to |
| uploadRequestType | The request type for uploading helm charts (e.g. PUT) |
| uploadFilePattern | The filePattern to upload a helm chart, see below for more information |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
url, username and password are required to connect to the Helm repository. If your helm repository is not backed by ChartMuseum it is also required to set uploadUrl, uploadFilePattern and uploadRequestType in order to make the following command work:
| Parameter | Description |
| --- | --- |
| adminUsername | The IAM admin’s username |
| adminPassword | The IAM admin’s password |
| hostname | The hostname of the IAM provider |
| realm | The default realm name |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
Master Key
This configuration is necessary for the encryption.
Use PUT method Update properties for the master key in the Swagger UI or
| Parameter | Description |
| --- | --- |
| key | The master key. It is not allowed to use empty values for this, as it would cause security risks. Data (especially user tokens) would not be encrypted and hence stored in plaintext in the database, which must not happen. |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
This information needs to be provided by the customer. There are no further restrictions on the key, but it is recommended to provide a master key that matches the common AES rules.
Attention: Losing/changing the master key will cause data loss, because user tokens are encrypted with that and can't be decrypted without it!
In the initial state the value is empty, which is why encryption fails. Only for that reason is the initial state safe with respect to data loss.
MongoDB
This configuration is necessary to connect to the Mongo database.
Use PUT method Update properties for accessing solution designer mongodb in the Swagger UI or
| Parameter | Description |
| --- | --- |
| connectionString | The MongoDB connectionString for the Solution Designer. |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
Audit Binding
This configuration is necessary to connect to your audit logging collector (e.g. Fluentd). By default, the audit logging is disabled since it is not meant to be used without a connection to an audit logging collector.
Use PUT method Configure connection to the audit logging collector in the Swagger UI or
| Parameter | Description |
| --- | --- |
| accesskey | Access key of the S3 storage with a restriction of a minimum key length of 3 characters. It is not allowed to use an empty value for this, as it would cause security risks. The S3 Storage would allow anonymous access without that. |
| secretkey | Secret key of the S3 storage with a restriction of a minimum key length of 8 characters. It is not allowed to use an empty value for this, as it would cause security risks. The S3 Storage would allow anonymous access without that. |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
Warning: Losing/changing accesskey and secretkey will cause S3 Storage data loss, because the whole storage is encrypted with that and can't be decrypted without them!
In the initial state the S3 storage is not working, because no access key and secret key have been set. Only for that reason is the initial state safe with respect to data loss.
Truststore
Updates the truststore, which holds a bunch of certificates, that should be trusted within IBM Financial Services Workbench.
Use PUT method Update entries within the truststore in the Swagger UI or
Warning: Calling that API overrides the current truststore!
Note: By default, all Solution Designer and Hub services (pods) and services created with FSW trust the default certificates provided by the Red Hat Universal Base Image (UBI), so these don't need to be included manually in the truststore. Open /etc/pki/tls/certs/ca-bundle.crt in any pod to check the trusted certificates.
Request Parameters:
| Parameter | Description |
| --- | --- |
| data | Body parameter (JSON). The value for the key (required) |
Configuration Parameters (body parameters)
The body parameters contain key-value pairs. It is possible to provide the value of each entry as a base64 string, e.g.:
As an alternative you can provide the PEM certificates as plain text but line breaks have to be replaced with "\n" for the Swagger UI or "" for cURL operations.
The line length of the certificates must comply with the PEM standard, with each line containing exactly 64 printable characters except the last line and 64 or fewer printable characters in the last line.
An OpenShift token with the following permissions must be provided:
secrets: get, create, update
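An added example (not from the product documentation) that checks a PEM file against the 64-column rule above and produces both value forms described in this section: the base64 string and the plain text with line breaks replaced by "\n". The function names, the entry key corp-root-ca and the sample files are assumptions; the sample bodies are constructed and are not real certificates.

```shell
#!/bin/sh
# Added example; function names, the key "corp-root-ca" and the sample
# files are assumptions, not part of the product documentation.

# Succeeds only if each certificate body line has exactly 64 base64
# characters, except the last line of a certificate (1 to 64).
pem_lines_ok() {
  awk '
    { sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { inside = 1; n = 0; next }
    /^-----END CERTIFICATE-----$/ {
      if (!inside || n == 0 || length(prev) > 64) bad = 1
      inside = 0; certs++; next
    }
    inside {
      if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1    # also rejects empty lines
      if (n > 0 && length(prev) != 64) bad = 1  # prev was not the last line
      prev = $0; n++
    }
    END { exit ((bad || inside || certs == 0) ? 1 : 0) }
  ' "$1"
}

# Value form 1: the whole PEM file as a single-line base64 string.
pem_to_base64() { tr -d '\r' < "$1" | base64 | tr -d '\n'; }

# Value form 2: plain-text PEM with every line break replaced by a
# literal backslash-n, as needed for the Swagger UI.
pem_to_escaped() { tr -d '\r' < "$1" | awk '{ printf "%s\\n", $0 }'; }

# Print one key-value pair for the JSON body, refusing malformed PEM.
truststore_entry() {
  pem_lines_ok "$2" || { echo "refusing $2: PEM lines are not 64 columns" >&2; return 1; }
  printf '{"%s": "%s"}\n' "$1" "$(pem_to_base64 "$2")"
}

# Constructed sample bodies (zeros are valid base64 characters, but these
# are not real certificates): one wrapped at 64 columns, one at 76.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
{ echo '-----BEGIN CERTIFICATE-----'; printf '%064d\n' 0 0; printf '%020d\n' 0
  echo '-----END CERTIFICATE-----'; } > "$tmp/good.pem"
{ echo '-----BEGIN CERTIFICATE-----'; printf '%076d\n' 0; printf '%020d\n' 0
  echo '-----END CERTIFICATE-----'; } > "$tmp/bad.pem"

truststore_entry corp-root-ca "$tmp/good.pem"
truststore_entry corp-root-ca "$tmp/bad.pem" || echo "bad.pem must be re-wrapped first"
```

Because the call overrides the current truststore, build the complete set of entries this way before sending the request.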
Vault
Configures properties to access a HashiCorp Vault. This configuration is not mandatory.
Use PUT method Update properties for accessing the vault in the Swagger UI or
| Parameter | Description |
| --- | --- |
| url | The URL of the HashiCorp Vault |
| role | The name of the role you configured in your vault. You can find information how to do that here. |
An OpenShift bearer token with the following permissions must be provided to perform this action:
secrets: get, create, update
Losing/changing the vault configuration can cause errors and secrets need to be recreated.
Config Maps Configuration
The config-maps-controller in the K5 Configurator Controller API allows configuration of all config maps that are provided through IBM Financial Services Workbench. Config maps allow a very detailed level of control for the components. Any adjustments to the initial values might have unwanted side effects.
Configuration changes within the config map section are not mandatory. Nevertheless, the most important options are listed below:
GET List all available config maps: Lists all config maps that can be configured by the k5-configurator API. Includes the names of the config maps and their contents to proceed with different APIs.
PUT Update an existing config map: Updates the content of a config map.
DELETE Reset a config map to the initial values of the installation: Resets a config map to the initial values.
PUT Update a key-value pair in the config map: Updates an existing entry within a config map.
POST Create a new key-value pair in the config map: Creates a not-existing entry within a config map.
DELETE Delete a key-value pair in the config map: Removes an entry from a config map.
List all available config maps
Use GET method List all available config maps in the Swagger UI or
| Parameter | Type | Description |
| --- | --- | --- |
| config-map-name | Path parameter | Name of the config map |
| data | Body parameter (JSON) | The new data the config map should contain (body parameters contain key-value pairs) |
Warning: Calling that API overrides the current data map!
An OpenShift token with the following permissions must be provided:
configmaps: get, update
Reset a config map
Use DELETE method Reset a config map to the initial values of the installation in the Swagger UI or
| Parameter | Type | Description |
| --- | --- | --- |
| config-map-name | Path parameter | Name of the config map |
| key | Path parameter | Name of the key |
| data | Body parameter (JSON) | The new value for the key (required) |
Configuration Parameters (content of the body parameter):
| Parameter | Description |
| --- | --- |
| value | Path parameter |
An OpenShift token with the following permissions must be provided:
configmaps: get, update
Create a new key-value pair
Use POST method Create a new key-value pair in the config map in the Swagger UI or
for creating new key-value pairs within a config map.
Request Parameters:
| Parameter | Type | Description |
| --- | --- | --- |
| config-map-name | Path parameter | Name of the config map |
| key | Path parameter | Name of the key |
| data | Body parameter (JSON) | The new value for the key (required) |
Configuration Parameters (content of the body parameter):
| Parameter | Description |
| --- | --- |
| value | Path parameter |
An OpenShift token with the following permissions must be provided:
configmaps: get, update
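An added example (not IBM's code) for checking, before calling the K5 Configurator, that the token you are logged in with holds the permissions this page lists (secrets: get, create, update and configmaps: get, update) and for flagging a token that is broader than that. The function names and the NS variable are assumptions, as is checking in the namespace where Solution Designer and Hub are installed; oc auth can-i is the standard OpenShift CLI check.

```shell
#!/bin/sh
# Added example; function names and the NS variable are hypothetical.

# Permissions this page lists for the K5 Configurator calls.
REQUIRED="secrets:get secrets:create secrets:update configmaps:get configmaps:update"

# can_i VERB RESOURCE NAMESPACE: succeeds if the logged-in token may do it.
can_i() { [ "$(oc auth can-i "$1" "$2" -n "$3" 2>/dev/null)" = "yes" ]; }

# Print every required resource:verb pair the current token lacks.
missing_permissions() {
  for pair in $REQUIRED; do
    can_i "${pair#*:}" "${pair%%:*}" "$1" || echo "$pair"
  done
}

# Print permissions the token holds although no call on this page needs
# them: the wildcard, and deleting or listing secrets.
excess_permissions() {
  for pair in '*:*' secrets:delete secrets:list; do
    if can_i "${pair#*:}" "${pair%%:*}" "$1"; then echo "$pair"; fi
  done
}

# Fail when a required permission is missing; only warn on excess.
preflight() {
  miss=$(missing_permissions "$1")
  extra=$(excess_permissions "$1")
  [ -z "$extra" ] || echo "warning: token also allows: $(echo "$extra" | tr '\n' ' ')" >&2
  [ -z "$miss" ] || { echo "missing: $(echo "$miss" | tr '\n' ' ')" >&2; return 1; }
}

# Runs only when oc is installed and a namespace is given, e.g. NS=zen.
if command -v oc >/dev/null 2>&1 && [ -n "${NS:-}" ]; then
  preflight "$NS"
fi
```

The token that passes this check can be read with `oc whoami -t` and supplied as the bearer token.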
Delete a key-value pair
Use DELETE method Delete a key-value pair in the config map in the Swagger UI or