Community Manager Docker installation document

Docker overview

Docker provides the automated way to bundle the service components as an image, and distribute them for the ease of customers to install and run the software.

Important: The Red Hat Operating System uses device-mapper as docker’s storage driver. See Docker and the Device Mapper storage driver documentation for the recommended production configuration for Docker version 1.11.

For more information about Docker and its commands, see Docker documentation.

Docker Setup Recommendations

This topic lists the recommendations and best practices to configure and secure your Docker setups.

Recommendations

  • After bringing up the image, do not modify anything within the container.
  • Set up a test environment where you can perform the migration tasks and run the tests before migrating to the production environment.
  • Back up your data before performing the migration.
  • Ensure that both host and database server time are synchronized and are in the same time zone.
  • During any activity configuration, if you add a new API configuration that has a host name, add all the host name mappings by adding --add-host=<host_name>:<IP address> in the docker run command.
  • To resolve the hostname, add the hostname mapping by adding --add-host=<host_name>:<IP address> in the docker run command, delete the old container, and create a new container by running the updated docker run command.

Best Practices for Docker Setups

It is recommended to adhere to certain best practices while configuring your Docker setups. This enhances the security of your Docker daemon and improves its performance. For detailed information, refer to the IBM support document Best Practices for Docker Security and Configuration.

PCM Deployment Guide in Docker Environment

This document provides a step-by-step guide to deploy the Pragma Community Manager (PCM) application in a Docker environment with recommended best practices. 

1. Prerequisites

Before deploying PCM in Docker, ensure the following files and directories are available on the host system: 

  1. application.yml – Application configuration file. 
  2. keystore.p12 – SSL keystore (generate using tools like openssl or keytool). 
  3. Database drivers (jars) – Required for DB connection (Oracle/MSSQL/Db2). 
  4. logs folder – Directory for storing PCM logs. 
  5. Sterling Integrator archive folder (if applicable). 

Note: For production, keep sensitive files (keystore, config, DB jars) on secure mounts with restricted permissions. 

2. Generating Keystore

You can generate the keystore using openssl or keytool. 

Example with OpenSSL: 

openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 365 -out tls.crt
openssl pkcs12 -export -in tls.crt -inkey tls.key -out keystore.p12 -name pcm-cert

Place keystore.p12 in your mounted config directory. 
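The keystore steps above as one script, added here as an example (not part of the PCM documentation): it runs the two openssl commands non-interactively, removes the loose private key once it is inside the PKCS12 file, locks the keystore down to owner-only access, and verifies that the result opens with the chosen password. Assumptions: openssl and GNU stat are on PATH, the subject CN is a placeholder you replace, and the keystore alias is the guide's pcm-cert.

```shell
#!/bin/sh
# Added example, not from the PCM documentation. Generates the PCM keystore
# with openssl and restricts its permissions; hostname/CN is a placeholder.
set -eu

# make_pcm_keystore <config-dir> <host-name> <keystore-password>
# Writes <config-dir>/keystore.p12 (mode 0600). Returns 0 on success.
make_pcm_keystore() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    (
        umask 077   # files created in this subshell are owner-only
        # Self-signed certificate and key; -subj keeps openssl non-interactive.
        openssl req -newkey rsa:2048 -nodes -keyout "$dir/tls.key" \
            -x509 -days 365 -subj "/CN=$cn" -out "$dir/tls.crt" 2>/dev/null
        # Bundle key and certificate into the PKCS12 keystore PCM reads.
        openssl pkcs12 -export -in "$dir/tls.crt" -inkey "$dir/tls.key" \
            -out "$dir/keystore.p12" -name pcm-cert -passout "pass:$pass"
    )
    # The raw key is no longer needed on disk once it is inside the keystore.
    rm -f "$dir/tls.key"
    chmod 600 "$dir/keystore.p12"
}

# keystore_ok <keystore> <password>
# Returns 0 only when the file is owner-only (mode 600), opens with the
# given password, and carries the pcm-cert alias.
keystore_ok() {
    ks=$1; pass=$2
    [ "$(stat -c %a "$ks")" = "600" ] || return 1
    openssl pkcs12 -in "$ks" -info -nokeys -passin "pass:$pass" 2>/dev/null \
        | grep -q 'friendlyName: pcm-cert'
}
```

Run it as make_pcm_keystore /opt/IBM/PCM/Config pcm.example.com 'YourPassword' and then keystore_ok on the result before mounting the directory into the container.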

3. Directory Structure (Recommended)

/opt/IBM/PCM/
├── Config/
│   ├── application.yml
│   └── keystore.p12
├── Jars/
│   ├── db2jcc4.jar
│   └── <other db jars>
├── Logs/
│   └── community-manager-cm.log
└── Archive/ (optional – Sterling archive folder)

Commands:

mkdir -p /opt/IBM/PCM/Config
mkdir -p /opt/IBM/PCM/Logs
mkdir -p /opt/IBM/PCM/Jars
mkdir -p /opt/IBM/PCM/Archive

4. Environment Variables

PCM supports the following environment variables in Docker: 

  • APP – Defines the application profile. Accepted values: pcm, cm, ssossp-seas, cm-api, saml 

  • LOGGER_LEVEL – Defines logging verbosity: TRACE, DEBUG, INFO, WARN, ERROR, ALL, OFF 

  • NODE_IP – Domain or server IP where PCM runs. 

  • NODE_PORT – Container port. 

  • DB_PASS – Database password (plain or encrypted). For production, store secrets in Vaults (e.g., HashiCorp Vault, Ansible Vault, Bitnami) or encrypt them using PCM’s password utility. 

5. Encrypting / Decrypting Passwords

Encrypt Password

docker run -it --rm -e APP=encrypt -e TEXT='Expl0re' <image>

Output:

ENC(cKtfzpIvwNdvHP+8QdHYiQ==)

Decrypt Password

docker run -it --rm -e APP=decrypt -e TEXT='ENC(cKtfzpIvwNdvHP+8QdHYiQ==)' <image>

Output:

Expl0re

6. Pull Docker Image

Download the application image from the container registry:

docker pull <registry-name>/<repository>:<tag>

Replace placeholders:

  • <registry-name> → Registry URL or hostname (e.g., io, harbor.example.com).
  • <repository> → Repository path (e.g., pcm-app).
  • <tag> → Specific commit ID or version (e.g., 0.0).

7. Application Configuration (application.yml)

Inside /opt/IBM/PCM/Config, create or update application.yml with the following details:

General

accept-license: true

PCM theme color

cm:
  color: black # Available themes: red, green, grey, yellow, black
  #api-connect-enabled: true # This should not be released to precisely
  protocol:
    disallowed-special-characters: "!@#:$%^&*()+?,<>{}[]|;\"'/\\" # Add the special characters in double quotes; by default <> are restricted. Make sure escape characters are handled properly.

Apache JServ Protocol (AJP), PCM header, and ports

server:
  ajp:
    enabled: false # true for cluster deployments
    port: 8585
 
SSL Configuration

To enable secure HTTPS connections, create a keystore (keystore.p12) and store it inside /opt/IBM/PCM/Config.

ssl:
  enabled: true
  key-store: /opt/IBM/config/keystore.p12
  key-store-password: <KeystorePassword>
  key-store-type: PKCS12
  • key-store → Absolute path to your SSL certificate (keystore) as seen inside the container; the host directory /opt/IBM/PCM/Config is mounted at /opt/IBM/config by the docker run command in section 8.
  • key-store-password → Password you set during keystore creation.
  • key-store-type → Typically PKCS12.
Spring Configuration

spring:
  jackson:
    time-zone: America/Chicago
  liquibase:
    enabled: true
    tablespace: <tablespace>
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:db2://<DB-Host>:<Port>/<SchemaName>
    username: <DB-Username>
    driver-class-name: com.ibm.db2.jcc.DB2Driver
    hikari:
      connection-timeout: 60000
      maximum-pool-size: 60
      auto-commit: false
  jpa:
    show_sql: true
    open-in-view: false
    database-platform: com.pe.pcm.config.database.dialect.Oracle10gExtendedDialect # Must match the database in use; for DB2 use com.pe.pcm.config.database.dialect.DB2ExtendedDialect (see Database Connection below)
    properties:
      id:
        new_generator_mappings: true
    hibernate:
      naming:
        physical-strategy: com.pe.pcm.config.database.PhysicalNamingStrategy

  • <DB-Host> → Database hostname or IP.
  • <Port> → DB2 port (default: 50000).
  • <SchemaName> → Target schema name.
  • <DB-Username> → Database user ID.
Database Connection

Oracle:

##ORACLE
## i.URL : jdbc:oracle:thin:@HostName:1521/SID (ex=jdbc:oracle:thin:@localhost:1521/XE)
## ii.DRIVER : oracle.jdbc.driver.OracleDriver
## iii.USERNAME : dbUserName
## iv.DATABASE_PLATFORM : com.pe.pcm.config.database.dialect.Oracle10gExtendedDialect (For 12c : com.pe.pcm.config.database.dialect.Oracle12cExtendedDialect)
## v.DATABASE : oracle

MSSQL:

##b.MSSQL
## i.URL : jdbc:sqlserver://HostName;databaseName=DbName (ex=jdbc:sqlserver://localhost;databaseName=TestDB)
## ii.DRIVER : com.microsoft.sqlserver.jdbc.SQLServerDriver
## iii.USERNAME : dbUserName
## iv.DATABASE_PLATFORM : org.hibernate.dialect.SQLServer2012Dialect
#   org.hibernate.dialect.SQLServerDialect (for lower versions) (Part of application.yml)
## v.DATABASE : sql_server

DB2:

##c.DB2
## i.URL : jdbc:db2://HostName:Port/DbName (ex=jdbc:db2://localhost:50000/TestDB)
## ii.DRIVER : com.ibm.db2.jcc.DB2Driver
## iii.USERNAME : dbUserName
## iv.DATABASE_PLATFORM : com.pe.pcm.config.database.dialect.DB2ExtendedDialect
## v.DATABASE : db2

 
Mail Configuration

mail:
  host: <SMTP-Host>
  port: <SMTP-Port>
  tls_protocol: "TLSv1.3"
  username: <SMTP-User>
  cmks: <SMTP-Password>
  from: pcm-notifications-noreply@<yourdomain>
app-contact-mail: pcmtechsupport@<yourdomain>
mail-signature: Community Manager Portal support team

  • <SMTP-Host> → SMTP server host (e.g., office365.com).
  • <SMTP-Port> → 587 (TLS) or 25.
  • <SMTP-User> → SMTP username.
  • <SMTP-Password> → SMTP password (encrypted if using CMKS).
PCM UI and API Authentication

login:
  sm: # SiteMinder PCM UI and API authentication
    enable: false
    param-name: SM_USER
max-false-attempts: 5 # Max false attempts allowed by the application
reset-false-attempts: 5 # Minutes; the user is reset after 5 min.
# Execute the following command to generate the JWT secret key: openssl rand -base64 32
jwt: # PCM UI and API authentication
  secretkey: # Specify the JWT secret key
  session-expire: 60 # Minutes
saml: # SAML PCM UI and API authentication setup
  jwt:
    secret-key: # Specify the JWT secret key
    session-expire: 60 # Minutes
  idp:
    metadata: D:\jks\FederationMetadata.xml # Provide the IDP metadata file
    entity-id: PcmEntityIdp
  scheme: https # PCM protocol name.
  host: # Application host.
  url:
    client: https://hostname:7080 # Provide the Application Access URL
    entity: https://hostname:7080 # Provide the Application Access URL
  ssl: # Configure SAML SSL
    key-store: D:\jks\localhost-keystore.jks
    key-cmks: pass@localhost

 
SAML Configuration

saml:
  sso-url: https://trial-9976564.okta.com/app/trial-9976564_pcmdev_1/exk8vrtwbsSlfTdQ0697/sso/saml
#https://dev-37961581.okta.com/app/dev-37961581_pcmlocal_1/exk5x8pgqakiU5Tup5d7/sso/saml
#https://dev-37961581.okta.com/app/dev-37961581_pcmdev_1/exk5x8ncbuaHtPyRE5d7/sso/saml
  idp:
    metadata: C:\IDPConfigs\pcm-local-okta-metadata.xml
    registration-id: pcm
  idp-groups-role-mapper: madmin_app3538395-super_admin,mmin_app3538395- admin,metl_cmonboarder_app3538395-on_boarder,meadmin_app3538395- business_admin,metl_cmb3538395-business_user,messor_app3538395-data_processor,mcessorrestricted_app3538395-data_processor_restricted,metl_cmfileoperator_app3538395-file_operator
  default-role: super_admin
  jwt:
    secret-key: #Specify the JWT secret key
    session-expire: 60 # Minutes

 
Configure Connection Properties

Configure connection properties for IBM Sterling B2B Integrator and IBM Sterling File Gateway:

sterling-b2bi:
  core-bp:
    inbound: CM_MailBox_GET_RoutingRule_Inbound # Inbound Mailbox bootstrap BP
    outbound: CM_MailBox_GET_RoutingRule_Outbound # Outbound Mailbox bootstrap BP
  user:
    cmks: # Password from the IBM Sterling B2B Integrator security.properties file
    cmks-validation: true # Set to true to ensure proper functionality of the PCM APIs
    cmks-validation-profile: CM_Profile # Profile created in IBM Sterling B2B Integrator to match the password; the profile should be an SFTP profile. Set the value of the profile as Expl@re
  connectivity: # To perform Test Connection, Archive Reprocess and Known Host Key Grab, configure the connectivity details
    api:
      baseUrl: http://<B2Bi-Host>:<HTTP-Port>/
      username: <B2Bi-User>
      password: <B2Bi-Password>

  • <B2Bi-Host> → Host/IP of B2Bi.
  • <HTTP-Port> → B2Bi HTTP adapter port.
  • <B2Bi-User> / <B2Bi-Password> → Credentials for API access.
B2Bi and SFG API Configuration

b2bi-api:
  active: true
  auth-host: '[SEAS Authentication]': 1
  api:
    username: <API-User>
    cmks: <API-Password>
    baseUrl: http://<B2Bi-Host>:<APIPort>/B2BAPIs/svc

b2bi-sfg-api:
  active: true
  community-name: <SFG-Community-Name>
  sfg-api:
    active: true
    api:
      username: <SFG-User>
      cmks: <SFG-Password>
      baseUrl: http://<B2Bi-Host>:<APIPort>/sfgapis

  • <API-User> / <API-Password> → B2Bi API credentials.
  • <APIPort> → API service port.
  • <SFG-Community-Name> → SFG community name.
SSP Integration

ssp:
  active: true 
  api:
    username: <SSP-User>
    cmks: <SSP-Password> 
    baseUrl: https://<SSPCM-Host>:<SSPCM-Port>/sspcmrest/sspcm/rest

  • <SSP-User> / <SSP-Password> → SSP credentials.
  • <SSPCM-Host> → SSP server hostname.
  • <SSPCM-Port> → SSP REST port.  
Configure IBM PEM Standard to work with ConnectDirect

Configure IBM PEM Standard to work with ConnectDirect, using the net-map-name value as the ConnectDirect name:

cd:
  net-map-name: Test_CD

Note: The following items should be left blank if ConnectDirect is not used:

proxy:
  internal:
    server-host: 10.0.0.1
    server-port: 1364
    secure-plus-option: ENABLED
    ca-cert: CA_cd_0099
    system-certificate: B2BHttp
    security-protocol: TLS 1.2
    cipher-suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  external:
    server-host: 10.0.0.1
    server-port: 1364
    secure-plus-option: ENABLED
    ca-cert: CA_cd_0099
    system-certificate: B2BHttp
    security-protocol: TLS 1.2
    cipher-suites: ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Configure Adapters

Configure adapters using the adapter names created when PCM artifacts were imported. If communication adapters are already configured for IBM Sterling B2B Integrator, update values to reflect current settings:

adapters: #Profiles Default Adapters Details Configuration

  ftpServerAdapterName: PragmaFTPServerAdapter
  ftpClientAdapterName: FTP Client Adapter
  ftpsServerAdapterName: Pragma_FTPS_ServerAdapter
  ftpsClientAdapterName: FTP Client Adapter
  sftpServerAdapterName: Pragma_SFTPServerAdapter
  sftpClientAdapterName: Pragma_SFTPClientAdapter
  as2ServerAdapterName: Pragma_AS2ServerAdapter
  as2ClientAdapterName: Pragma_AS2ClientAdapter
  as2HttpClientAdapter: HTTPClientAdapter
  cdClientAdapterName: Pragma_CDClientAdapter
  httpServerAdapterName: Pragma_HTTPServerSync
  httpsServerAdapterName: Pragma_HTTPSServerSync
  mqAdapterName: Pragma_MQAdapter
  wsServerAdapterName: Pragma_HTTPSServerSync
  fsAdapter: PragmaFileSystem
  sfgSftpClientAdapterName: Pragma_SFTPClientAdapter
  sfgSftpServerAdapterName: Pragma_SFTPServerAdapter
  sfgFtpClientAdapterName: Pragma_FTPClientAdapter
  sfgFtpServerAdapterName: PragmaFTPServerAdapter
  sfgFtpsClientAdapterName: Pragma_FTPSClientAdapter
  sfgFtpsServerAdapterName: Pragma_FTPS_ServerAdapter

Configure External Database API

pem: # Configure external database integration
  remote:
    server:
      pem-key: # Provide the absolute path of the remote server pem-key (if the server is in AWS, provide the pem key of the server)
      base-directory:
        path: # Provide the base directory path
      session-timeout: 5000 # Time in milliseconds (can be increased based on database connectivity speed)
  datasource: # External database details to connect via API
    url: jdbc:<host:port>/ORCL
    username: PCM_UAT # PEM database username
    cmks: password # PEM database password
    driver-class-name: oracle.jdbc.driver.OracleDriver # Database driver class name: oracle/mssql/db2
  api-ws: # PEM API configuration
    active: true # Default value is true (if set to false, PCM cannot connect to PEM)
    base-url: https://<host:port>/pemws/sponsors/<sponsorname>
    username: # PEM API username
    cmks: password # PEM API user password

 
Configure IBM Sterling B2B Integrator key

Enable file decryption in the PCM file transfer search screen, ensuring that files are encrypted using the IBM Sterling B2B Integrator key.

file:
  archive:
    scheduler: # Scheduler that calls the Delete script, which deletes files from the source
               # file and destination file archive according to the configured file age
      cron: # Cron setup
      delete-files-job:
        active: false # Enables or disables the file job scheduler that deletes
                      # the files in the filesystem
        script-file-loc: # Absolute path of the Delete script file
    pgp:
      private-key: # Absolute path of the PGP private key used while decrypting
                   # PCM files set in the source file and destination file archive rules
                   # with encryption on
      cmks: # PGP key passphrase
    aes:
      secret-key: # Key for decrypting the PCM files set in the source file and
                  # destination file archive rules with encryption on
      salt: # Salt value for decrypting the PCM files set in the source file and
            # destination file archive rules with encryption on

Configure SSO with SSP and SEAS

sso-ssp-seas:
  ssp:
    logout-endpoint: # SSP logout endpoint; default value is /Signon/logout.html
    user-header-name: # User header name configured in SSP; default value is SM_USER
    token-cookie-name: # Token cookie name configured in SSP; default value is SSOTOKEN
  seas:
    auth-profile: # Authentication profile name in SEAS
    host: # SEAS host name
    port: # SEAS port
    ssl:
      enabled: false # Whether SSL is enabled in SEAS
      protocol: # SEAS protocol (optional)
      cipher-suits: # SEAS cipher suites (optional)
      trust-store:
        name: # SEAS truststore file name (absolute path)
        cmks: # SEAS truststore password
        alias: # SEAS truststore alias
        type: # SEAS truststore type
      key-store:
        name: # Keystore file name (absolute path)
        cmks: # Keystore password
        alias: # Keystore alias
        type: # Keystore type
  user-request:
    user: # Custom properties configured in SEAS
      email: email # Email property name configured in SEAS
      role: role # Role property name configured in SEAS
      first-name: firstName # First name property name configured in SEAS
      last-name: lastName # Last name property name configured in SEAS
      phone: phone # Phone property name configured in SEAS
      external-id: externalId # External ID property name configured in SEAS
      preferred-language: preferredLanguage # Language property name configured in SEAS (optional)
    user-roles: # LDAP roles mapping to PCM (CM Role – LDAP Role)
      super_admin: # LDAP user super admin role name
      admin: # LDAP user admin role name
      on_boarder: # LDAP user onboarder role name
      business_admin: # LDAP user business admin role name
      business_user: # LDAP user business user role name
      data_processor: # LDAP user data processor role name
      data_processor_restricted: # LDAP user data processor restricted role name
      file_processor: # LDAP user file processor role name
      business_admin_dpr: # LDAP user business_admin_dpr role name
    role-delimiter: # Delimiter in the LDAP role name used to assign more than one role to PCM

Setting Up Microsoft OAuth

You can enable or disable Microsoft OAuth authorization for the send-email API and configure the details in the application.yml file under the oauth2 section. This authenticates the send-email request with OAuth and then sends the email once the token is validated successfully.

The following parameters must be configured for authenticating email requests using OAuth 2.0:

oauth2:
  enable: true # Enable or disable OAuth for the send-email API (true or false)
  token-url: https://login.microsoftonline.com/e16b3we5-6e25-4446-99443c-d19c0eb0f803/oauth2/token # Token URL for MS OAuth token generation
  grant-type: client_credentials # Grant type can be password or client_credentials
  client-id: # App registration client ID
  client-secret: # App registration client secret
  username: pem_standard # Username used to create the app registration
  cmks: Kos00495 # User account password used for the app registration
  scope: openid # Default
  resource:
    token:
      response-parser: access_token
      prefix: Bearer
      header: Authorization

file-transfer: # Configure the max-file-length
  search:
    time-range: 24 # Hours; time range in the File Transfer search screen in the UI
    max-file-length: # Default is 10 MB max file size allowed to view

8. Start Application with Docker

Run the following command to start the container:

docker run -d \
  -v /opt/IBM/PCM/Config:/opt/IBM/config \
  -v /opt/IBM/PCM/Jars:/opt/IBM/PCM/jars \
  -v /opt/IBM/PCM/Logs:/opt/IBM/PCM/logs \
  -v /opt/IBM/PCM/Archive:/opt/IBM/PCM/archive \
  -e APP=cm \
  -e LOGGER_LEVEL=INFO \
  -e DB_PASS=<DB-Password> \
  -e NODE_PORT=<App-Port> \
  -e NODE_IP=<App-Host> \
  -p <Host-Port>:<Container-Port> \
  --name <Container-Name> \
  <registry-name>/<repository>:<tag>

Replace placeholders:

  • <DB-Password> → Database password.
  • <App-Port> → Application port inside container.
  • <App-Host> → Application host IP.
  • <Host-Port> → Port on host to expose (e.g., 8443).
  • <Container-Port> → Application port inside container (match NODE_PORT).
  • <Container-Name> → Name for the container (e.g., pcm-app).
  • <registry-name>/<repository>:<tag> → Image name pulled earlier.
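A pre-flight script for the launch above, added here as an example (not part of the PCM documentation): it checks that the mounted directories, application.yml, keystore.p12 and a JDBC driver jar exist, that the secrets in Config are owner-readable only, that DB_PASS is present in the environment, and then prints the docker run command for review. Assumptions: the recommended /opt/IBM/PCM layout (the base directory is the first argument), GNU stat, and the docker convention that -e DB_PASS with no value copies the variable from the caller's environment, which keeps the password off the command line; the script never invokes docker itself.

```shell
#!/bin/sh
# Added example, not from the PCM documentation. Validates the host layout
# from section 3 and assembles the docker run command from section 8.
set -eu

# pcm_preflight <base-dir>
# Returns 0 only when every mount point and file PCM needs is present,
# the secrets are not group/world readable, and DB_PASS is set.
pcm_preflight() {
    base=$1; rc=0
    for d in Config Jars Logs Archive; do
        [ -d "$base/$d" ] || { echo "missing directory: $base/$d" >&2; rc=1; }
    done
    for f in Config/application.yml Config/keystore.p12; do
        [ -f "$base/$f" ] || { echo "missing file: $base/$f" >&2; rc=1; }
    done
    # Secrets live in Config: only the owner may read them (mode 600 or 400).
    for f in Config/application.yml Config/keystore.p12; do
        [ -f "$base/$f" ] || continue
        case $(stat -c %a "$base/$f") in
            600|400) ;;
            *) echo "too permissive (need 600): $base/$f" >&2; rc=1 ;;
        esac
    done
    # At least one JDBC driver jar must be mounted for the DB connection.
    [ -n "$(find "$base/Jars" -name '*.jar' 2>/dev/null | head -n 1)" ] \
        || { echo "no JDBC driver jar in $base/Jars" >&2; rc=1; }
    # The DB password is taken from the environment, not from an argument.
    [ -n "${DB_PASS:-}" ] || { echo "DB_PASS is not set" >&2; rc=1; }
    return $rc
}

# pcm_run_cmd <base-dir> <image> <host-port> <app-port> <app-host> <name>
# Prints the guide's docker run command on one line. "-e DB_PASS" (no value)
# makes docker copy DB_PASS from the environment, so it is not echoed here.
pcm_run_cmd() {
    base=$1; image=$2; hport=$3; aport=$4; host=$5; name=$6
    printf 'docker run -d'
    printf ' -v %s/Config:/opt/IBM/config' "$base"
    printf ' -v %s/Jars:/opt/IBM/PCM/jars' "$base"
    printf ' -v %s/Logs:/opt/IBM/PCM/logs' "$base"
    printf ' -v %s/Archive:/opt/IBM/PCM/archive' "$base"
    printf ' -e APP=cm -e LOGGER_LEVEL=INFO -e DB_PASS'
    printf ' -e NODE_PORT=%s -e NODE_IP=%s' "$aport" "$host"
    printf ' -p %s:%s --name %s %s\n' "$hport" "$aport" "$name" "$image"
}
```

Typical use: pcm_preflight /opt/IBM/PCM && eval "$(pcm_run_cmd /opt/IBM/PCM <registry-name>/<repository>:<tag> 8443 7080 <App-Host> pcm-app)".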

9. Access Application

Once the container is running, access the application at:

https://<App-Host>:<App-Port>/

10. Best Practices

  1. Secrets Management: 
    • Use Vaults (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) instead of plain DB passwords. 
    • If using encryption, rely on the PCM encryption utility for runtime decryption. 
  2. Logging:  
    • Mount logs folder to persist logs. 
    • Use LOGGER_LEVEL=INFO in production for balanced verbosity. 
  3. Configuration Management: 
    • Externalize application.yml for easy updates without rebuilding images. 
    • Maintain separate config files per environment (dev, test, prod). 
  4. Security:  
    • Mount keystore with strict file permissions. 
    • Run containers as non-root where possible. 
    • Avoid --privileged mode unless absolutely necessary. 
  5. Networking:  
    • Map container ports properly (-p <hostport>:<containerport>). 
    • Use reverse proxy (NGINX/HAProxy/OpenShift routes) for TLS termination if required. 

11. Verification

  1. Check running container:  docker ps 
  2. Check container logs:  docker logs -f <container_name> 
  3. Verify application access:  https://<NODE_IP>:<NODE_PORT> 

12. Summary

  • Place prerequisites (application.yml, keystore.p12, DB jars, logs) in mounted directories. 
  • Use Docker environment variables to configure PCM runtime. 
  • Secure sensitive data using Vaults or PCM’s encryption utility. 
  • Run container with proper mounts and environment variables. 
  • Verify application startup logs and test endpoints.