Cloud Pak for Business Automation

IBM Cloud Pak for Business Automation – Fresh Production Deployment for Content Pattern with Pingdirectory/Openldap as LDAP

By Binoy M V posted Wed September 10, 2025 10:19 AM

  

Authors: Binoy M V

Co-author:  Akshay Rajan & Nusaiba K K

IBM Documentation Reference: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=deployments-installing-cp4ba-filenet-content-manager-production-deployment

Why use Ping Directory for the deployment: Beginning with version 25.0.0 of IBM Cloud Pak for Business Automation (CP4BA), IBM standardized Ping Directory as one of the supported LDAP options alongside Microsoft Active Directory (MSAD) and IBM Security Directory Server (SDS). This strategic inclusion was driven by Ping Directory’s high-performance LDAP capabilities, its support for complex identity models, and its scalability to handle large enterprise user bases, making it a robust and flexible choice for CP4BA deployments.

Prerequisites for the Deployment.

For this blog we use the recommended way of deployment, the script-based deployment (https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/25.0.0?topic=suc-recommended-option-1-setting-up-cluster-by-running-script).

📝 Note: In this deployment we are using the namespace cp25v.

Installing a fresh production deployment by running scripts for LDAP Ping Directory

You can install the Cloud Pak capabilities that you want by running the cluster admin script and the deployment script. The cluster admin script can be run on the command-line interface (CLI) or in silent mode. 

✅ Pre-Deployment Checklist

Before initiating the installation, ensure the following prerequisites are met:

  • User Setup: A non-administrator user must be created. In this setup, the designated username is dbauser.

  • Storage Class Configuration: Confirm the existence of a valid StorageClass. For this deployment, use managed-nfs-storage.

  • ImageContentSourcePolicy: Verify that the ImageContentSourcePolicy named mirror-config has been correctly configured.

  • Pull Secret Validation: Ensure the Kubernetes secret named pull-secret is present and updated with the required image credentials.

✅ Setting up the cluster with the admin script 

1. Administrator Actions

    • Run Initialization Script: The cluster administrator initiates a script to configure the cluster and install operators.

    • Silent Mode Option: To streamline the process, silent mode can be activated using predefined environment variables. This avoids interactive prompts.

    • Output Artifacts: The script generates configuration details and prerequisites (like secrets or config maps) needed for further deployment.

2. User Handoff

    • Share Required Info: Administrator shares the relevant output or credentials with a non-administrator user, such as RBAC details or namespace-level access configurations.

    • Delegated Deployment: The non-admin user then executes the deployment script, leveraging the provided details.

✅ Step-by-Step Instructions

  1. 📌Authenticate to the Cluster

    • Log in to the target OpenShift cluster using a user with <cluster-admin> privileges.

  2. 📌Download the Required Repository

    • Navigate to a working directory on your infrastructure node.

    • Clone the cert-kubernetes GitHub repository, switching to the branch for a fresh production deployment:

  3. 📌Navigate to the Script Directory

    • Change into the directory containing the setup scripts:

  4. 📌Execute the Cluster Setup Script

a. Run the admin script

b. Select the CP4BA deployment environment:

c. Select the cloud platform to deploy:

d. Select the deployment type

e. If you plan to enable FIPS for your Cloud Pak for Business Automation deployment, select Yes to check that the worker nodes on the cluster are FIPS enabled.

f. Accept the default Yes to install CP4BA as a private catalog rather than in the global catalog namespace (GCN). The GCN uses the openshift-marketplace namespace; the private option uses the target namespace of your CP4BA deployment.

g. Select Yes if you want to install the CP4BA operators and the CP4BA deployments in separate namespaces. Select No if you do not want to install the CP4BA operators and the CP4BA deployments in separate namespaces. The default is No.

h. Enter the name for a new project or an existing namespace (cp4ba-project) for the target deployment

i. Select the user from the selection.

j. Enter Yes or No to confirm whether you want to use the images in the IBM® Entitlement Registry.

k. If you replied Yes to use the IBM Entitlement Registry, enter your IBM Entitled Registry key

You will then see logs like the following. It takes around 10 minutes to complete the installation of the operator.

Once the operator installation completes, verify it on the installed operators page. The status of every operator should be Succeeded, as shown in the following screenshot.

You can also use the following oc command to verify the version:

    oc get csv

5. 📌Preparing databases and secrets for your chosen capabilities by running a script

🧩 Purpose of cp4a-prerequisites.sh

  • This script is a pre-installation utility bundled in the cert-kubernetes repository. It helps streamline and validate your CP4BA setup by:

    • Generating property files for selected capabilities (e.g., FNCM, BAW, ODM, etc.)

    • Preparing database and LDAP configurations

    • Creating Kubernetes secrets and SQL scripts

    • Validating environment readiness before deployment

⚙️ Script Modes and Workflow

  • You can run the script in three distinct modes:

    • property: Interactive prompts to define deployment parameters and generate property files

    • generate: Uses the property files to create SQL scripts and YAML templates for secrets

    • validate: Verifies that databases and secrets are correctly configured and accessible

✅ Step-by-Step Instructions

🧭 Running cp4a-prerequisites.sh in Property Mode

  • Before you begin, ensure the following steps are completed:

  • Authenticate to the Target Cluster: Use the OpenShift CLI to log in with appropriate credentials:

  • Switch to the Correct Project (Namespace): Confirm you're operating within the intended namespace for the CP4BA deployment:

  • Navigate to the Scripts Directory: Move into the scripts folder inside the cloned cert-kubernetes repository:

  • Execute the Script in Property Mode: Run the prerequisites script to generate property files for your selected capabilities:

  • Follow the interactive prompts to define LDAP, database, storage classes, and deployment profile.

  • Select the Cloud Pak for Business Automation capabilities that you want to install.

  • For the content pattern, enter 1 and press Enter. Press Enter again to proceed to the next prompt.

  • Select the optional components that you want to include.

  • Select all 6 sub-components and press Enter to proceed to the next prompt.

  • Choose the LDAP type that you want to use for the CP4BA deployment. For this deployment we are selecting option 3.

  • Enter your dynamic storage classes for slow, medium, fast and zen file storage (RWX).

  • Select a deployment profile size from small, medium, or large [1 to 3]. The default is small (1).

  • Choose the database type that you want to use for the CP4BA deployment.

  • Choose the alias name for the database that you selected.

  • Choose whether to generate the network policy.

  • Choose whether to create the external certificate.

  • Choose the number of object stores that need to be deployed.

  • When the script is finished, the messages include some actions. Read the next actions carefully and make sure that you complete them all before you go to the next step.

  • Folder structure for the same is

  • Make sure that you are in the propertyfile folder under cp4ba-prerequisites/project/$NAMESPACE and edit the property files as indicated by the NEXT ACTIONS messages from the script. Update the property files (cp4ba_db_name_user.property, cp4ba_db_server.property, cp4ba_LDAP.property, cp4ba_user_profile.property, and optionally cp4ba_External_LDAP.property) with the values in your environment.

Following is the sample screenshot for cp4ba_user_profile.property

🧭 Running cp4a-prerequisites.sh in Generate Mode

  • When the user property files are complete and ready, make sure that you are in the scripts folder under cert-kubernetes, and run the cp4a-prerequisites.sh script in the "generate" mode.

  • This creates the database scripts (for PostgreSQL EDB no database script is created), the secret templates, and a script to create the secrets.

  • The following is the folder structure it created:

  • As per the next action mentioned in the above step, you need to run the create_secret.sh file and create the database manually.

🧭 Run the create_secret.sh

  • Before running create_secret.sh, make sure that you have copied your database and LDAP certificates to the corresponding folders in the cert folder. In our example we are using mssql as the database and pingdirectory as the LDAP. So copy the mssql database certificates to the ./cert-kubernetes/scripts/cp4ba-prerequisites/project/cp25v/propertyfile/cert/db/mssql folder and the LDAP certificate to the ./cert-kubernetes/scripts/cp4ba-prerequisites/project/cp25v/propertyfile/cert/ldap/ folder, then run create_secret.sh.

  • Once the secret creation is complete, create the databases using the scripts createICNDB.sql, createGCDDB.sql and createOS1DB.sql. Once the database creation is complete, run cp4a-prerequisites.sh in validate mode.
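
A pre-flight check for the property-file editing and certificate-copy steps above, as an added example that is not part of the original post or of cert-kubernetes. It assumes unfilled values still carry the literal marker <Required> and that certificates are plain files under cert/db/<dbtype> and cert/ldap; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the propertyfile folder before create_secret.sh.
PLACEHOLDER='<Required>'   # assumption: marker left in values not yet filled in

# Print "file:line" for each non-comment line that still holds the placeholder.
unfilled_properties() {
  grep -H -n -F -- "$PLACEHOLDER" "$1"/*.property 2>/dev/null \
    | grep -v -E '^[^:]+:[0-9]+:[[:space:]]*#' \
    | cut -d: -f1,2
}

# Print property files readable by group or others; they feed the secrets.
exposed_files() {
  find "$1" -maxdepth 1 -type f -name '*.property' \( -perm -040 -o -perm -004 \)
}

# Print each certificate folder (database type in $2) that is missing or empty.
missing_cert_dirs() {
  local d
  for d in "$1/cert/db/$2" "$1/cert/ldap"; do
    if [ -z "$(find "$d" -type f 2>/dev/null | head -n 1)" ]; then
      echo "$d"
    fi
  done
}

# Run all three checks; return 0 only when every one comes back clean.
preflight() {
  local rc=0 out
  out=$(unfilled_properties "$1")
  [ -z "$out" ] || { printf 'unfilled value:\n%s\n' "$out"; rc=1; }
  out=$(exposed_files "$1")
  [ -z "$out" ] || { printf 'readable by group/others:\n%s\n' "$out"; rc=1; }
  out=$(missing_cert_dirs "$1" "$2")
  [ -z "$out" ] || { printf 'no certificate in:\n%s\n' "$out"; rc=1; }
  return "$rc"
}

# Usage: ./preflight.sh <propertyfile-dir> <dbtype>, e.g. the cp25v folder and mssql.
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```

A non-zero exit means at least one property file or certificate folder needs attention before the secrets are created.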

🧭 Running cp4a-prerequisites.sh in validate Mode

  • When run in validate mode, the script performs a series of checks to ensure your environment is ready for Cloud Pak for Business Automation deployment:

1. Storage Class Validation

  • Confirms that the storage classes defined in the property files meet the required access modes:

    • RWX (ReadWriteMany) for shared file storage

    • RWO (ReadWriteOnce) for block storage

  • If the validation passes, the result is marked as PASSED.

2. Secret and Connectivity Checks

  • Verifies the presence of required Kubernetes secrets (e.g., pull-secret, LDAP credentials).
  • Submits lightweight validation queries to:
    • The configured LDAP server
    • The list of remote database servers
    • If using an external PostgreSQL for Zen metastore, its connectivity is also tested.
  • These checks are non-invasive — no data is modified, and no queries are executed beyond connection validation.

  • Successful operations within the timeout threshold are marked as PASSED.

3. Error Handling

  • If any connection fails, the script provides a clear message indicating which component failed.
  • To resolve issues:
    • Review and correct values in the relevant property files.
    • Re-run the script after adjustments.

6. 📌Installing the capabilities (operands) by running the deployment script.

✅ Step-by-Step Instructions

    1. Make sure you are logged into the cluster with the cluster administrator that you used.

    2. Switch to the project that you are using

    3. Move to the script directory

    4. Run the cp4a-deployment.sh

  • Press Enter to continue

  • Give “Yes” to accept the license.

  • As we have not deployed a CP4BA FileNet Content Manager instance, select No.

  • Choose “Production” for the deployment type

  • Verify the summary and Press “Enter” to continue

  • Choose OCP as cloud platform

  • Since your deployment is not in AWS/Azure, choose “No” for the platform.

  • Choose “Yes” to use default IAM admin user

  • Provide the zip file URL for the JDBC and ICCSAP drivers.

  • Verify the summary and choose “Yes” to proceed.

  • This creates the custom resource (CR) file under the folder cert-kubernetes/scripts/generated-cr/project/cp25v

  • Before applying the CR file, perform a thorough review to ensure all the values are correct in the generated cr file.

Since our scripts do not support a custom LDAP, if you want to add a custom LDAP (e.g. OpenLDAP) you have to add the ldap_configuration with lc_selected_ldap_type set to Custom. For example, we are adding OpenLDAP as a custom LDAP and the configuration is given below.

  • Apply the cr file.

  • The operator reconciliation process may take a significant amount of time, so it's essential to verify that the automation containers are running, as the deployment could take a couple of hours depending on the OpenShift cluster's hardware capacity.

  7. 📌Verify the deployment completion.

  • Log in to the OCP console and verify the config maps content-cp4ba-access-info, content-initialization-config and content-verification-config.

  • You can now confirm that the fresh production deployment is complete!

Comments

Wed September 17, 2025 10:27 AM

Hi Frederick Dunne,
Yes, Ping Directory and OpenLDAP are supported. For Ping Directory we have script support, but for OpenLDAP we don't have script support for now. But you can use it.

Fri September 12, 2025 10:21 AM

From an IBM support perspective ... is this supported for use by customers?
Should they open a case with support with such a configuration, is dev. going to support this or say it is not supported?