Installation Parameters

The parameters order

The installer is strictly command line based and all configuration and parameters are passed in values files or as single arguments to the installer script.

If the same parameter is passed to the installer several times, the last one in order overrides the previous ones.

A values YAML file can hold many parameters, structured according to the YAML standard. For example, a file with the values:

example-values.yaml

global:
  namespace: exampleprod
  customerCode: example
  environmentType: prod
  solutionSetName: My Groovy Solution!!
  replicas: 2

ifsappproxy:
  accessLog: enabled

If the above ifscloud-values.yaml is passed to the installer, and parameters are also passed to the installer like this:

.\installer.cmd --values ifscloud-values.yaml --set ifsappproxy.accessLog=enabled --set global.replicas=1

the installer will use the value "enabled" for the parameter ifsappproxy.accessLog and "1" for global.replicas, since those were passed with "--set" on the command line. So "--set" wins over "--values", and if the same parameter is passed with "--set" several times, the last one wins.

.\installer.cmd --values ifscloud-values.yaml  --values solutionset.yaml

In this example, "solutionSetName: My Groovy Solution!!" will be overwritten by the solutionSetName parameter, which is always defined in a solutionset.yaml file.
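The precedence rules above, as an added example (this is not the installer's own code): it resolves the effective value of every parameter and traces which source supplied it. Deep merging of nested keys, string-typed --set values, and the content of solutionset.yaml are assumptions of the example.

```python
import copy

# Constructed inputs: the page's example values file as already-parsed YAML, and a
# made-up solutionset.yaml (the key's position under "global" is an assumption).
IFSCLOUD_VALUES = {
    "global": {"namespace": "exampleprod", "customerCode": "example",
               "environmentType": "prod",
               "solutionSetName": "My Groovy Solution!!", "replicas": 2},
    "ifsappproxy": {"accessLog": "enabled"},
}
SOLUTIONSET = {"global": {"solutionSetName": "Constructed Solution Set"}}
SET_ARGS = ["ifsappproxy.accessLog=enabled", "global.replicas=1"]

def deep_merge(base, override):
    """Return a copy of base with override applied; nested mappings merge per key."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def set_to_mapping(assignment):
    """Turn one --set argument 'a.b.c=value' into a nested mapping."""
    path, sep, raw = assignment.partition("=")
    if not sep or not path:
        raise ValueError(f"not a key=value assignment: {assignment!r}")
    mapping = raw  # kept as a string; type conversion is not modelled here
    for key in reversed(path.split(".")):
        mapping = {key: mapping}
    return mapping

def lookup(mapping, dotted_key):
    """Return (found, value) for a dotted key in a nested mapping."""
    node = mapping
    for key in dotted_key.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def layers(values_files, set_args):
    """Sources in the order they apply: every --values file, then every --set."""
    ordered = [(f"--values {name}", parsed) for name, parsed in values_files]
    return ordered + [(f"--set {arg}", set_to_mapping(arg)) for arg in set_args]

def effective_values(values_files, set_args):
    """Merge all layers; a later layer overrides an earlier one."""
    result = {}
    for _label, mapping in layers(values_files, set_args):
        result = deep_merge(result, mapping)
    return result

def trace(values_files, set_args, dotted_key):
    """Every source that defines dotted_key, in order; the last entry wins."""
    hits = []
    for label, mapping in layers(values_files, set_args):
        found, value = lookup(mapping, dotted_key)
        if found:
            hits.append((label, value))
    return hits
```

Calling trace() for a parameter before an installation shows every file and argument that sets it, which makes an unintended override visible.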

IFS cloud values file

All configuration files and certificates should be placed in the config folder according to the folder structure in Windows Management Server.

This is a good starting point: Follow this link to get an example template of ifscloud-values.yaml.

Use the parameter guidance in the sections below to fill in the values in the ifscloud-values.yaml file and add optional parameters.

Password limitations

As IFS Cloud has many underlying password dependencies and locales, we restrict the passwords to fulfil all limitations. The following restrictions and recommendations apply:

  • Must start with an alphanumerical character [a-z] [A-Z]

  • Passwords should have at least 15 characters (recommended)

  • These special characters are not allowed: \ / @ ' " | - * $ & # § [] {} () (and other language-specific characters)

General Parameters

Bold parameters are mandatory; others are optional.

| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| chart | Specifies which master-chart to be used. | Default: ifscloud/ifs-cloud<br>Can be a path to a local master-chart as well (only used by RnD).<br>To use the local master-chart, set e.g. "chart: .\master-chart" |
| chartVersion | Normally only used by RnD to specify a specific helm chart version. | |
| certificateFile | Location of the pfx file that holds the certificate and private key. See Certificate Handling for more certificate requirements and info.<br>If the certificateFile is omitted or the file cannot be found, a new self-signed certificate will be automatically generated and used. | e.g. /path/to/yourcert.pfx or c:\path\to\yourcert.pfx |
| certificatePassword | Password for the pfx file. Note: the password needs to be a string. | e.g. ifs123 or "12345" |
| helmRepo | The URL of the Helm Chart repository. | Use - https://ifscloud.jfrog.io/artifactory/helm |
| helmUser | The service principal user name. This username should be provided per customer by IFS. | |
| helmPwd | The service principal password. This password should be provided per customer by IFS. | |
| global.namespace | Sets the namespace in the k8s cluster. Normally you would set it as a concatenation of the customerCode and environmentType. | None, but the parameter is mandatory and must consist of only lowercase alphanumeric characters or '-'<br>e.g. volvobnt |
| global.customerCode | This is a label of the system. All monitoring metrics will be tagged with this label. Typically the label would be an abbreviation of the company name. | None, but the parameter is mandatory<br>e.g. volvo |
| global.environmentType | This is a label of the system. All monitoring metrics will be tagged with this label. Typical values: prod/test/bnt/dev | None, but the parameter is mandatory<br>e.g. bnt |
| global.customerId | Used in the License report. The id can be found in the Build Place portal. | The parameter is mandatory |
| global.customerName | Used in the License report. The id can be found in the Build Place portal. | The parameter is mandatory |
| global.installationId | Used in the License report. Just an environment identifier that is unique per customerId, e.g. TEST/PROD/DEV/MIG/TRAIN/CFG | The parameter is mandatory<br>Is typically the same as the parameter environmentType |
| global.systemUrl | The FQDN of the primary url where the system is accessed.<br>Note: the https:// is not part of the FQDN | e.g. ifscloud.corpnet.ifs.com |
| global.secondarySystemUrl | The FQDN of the secondary url where the system is accessed. This could be an internet-facing external proxy that only allows b2b and mobile client requests. This FQDN could have a different domain than the normal systemUrl. If the entire system is exposed to the internet, the secondarySystemUrl is not needed. | e.g. ifscloud.ifs.com |
| global.containerRegistry | The url of the docker container registry, where all containers will be fetched from.<br>Note: Always append a trailing slash.<br>Note: the https:// is not part of the FQDN | Use - ifscloud.jfrog.io/docker/ |
| global.imageCredentials.username | The service principal user name. This username should be provided per customer by IFS. | |
| global.imageCredentials.password | The service principal password. This password should be provided per customer by IFS. | |
| global.scale | Defines the scaling of cpu/memory compared to the production mode 100%. | Default: 100<br>A scale of 10-20 is a small development environment.<br>A scale of approx. 50 is a small test environment.<br>Scale should be set to 100 in all production-like environments. |
| global.replicas | Sets how many containers should be started by default | The default number of replicas to be started of each type of container. Can be overridden by the container's local replicas parameter. |
| global.cpuRatio | This will set the k8s CPU request/limit ratio on all containers. | Default: 50<br>This will set the CPU request to 50% of the CPU limit on the containers. Read more on k8s CPU request & limits in the k8s user documentation for more information. |
| global.httpConnectTimeout | This will set the timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 60 |
| global.httpSendTimeout | This will set the Send timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 600 |
| global.httpReadTimeout | This will set the Read timeout of http connection to the ingress proxy and the ifsapp-proxy | Default: 600 |
| global.ingressLimitRps | Limits requests per second that the ingress will pass through. Can be used to prevent DoS attacks | Default: not set<br>Set with care, highly dependent on the workload of the specific environment. |
| global.ingressLimitRpm | Limits requests per minute that the ingress will pass through. Can be used to prevent DoS attacks | Default: not set<br>Set with care, highly dependent on the workload of the specific environment. |
| global.sslCiphers | The SSL ciphers used by the ifsapp-proxy<br>To set cipher on ingress edit ifs-ingress-values.yaml in Remote installation. | Default: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" |
| global.sslProtocols | The TLS versions used by the ifsapp-proxy<br>To set TLSv in ingress edit ifs-ingress-values.yaml in Remote installation. | Default: "TLSv1.2 TLSv1.3" |
| global.demandPort | Demand Server Port number | Default: 5010 |
| global.crystalPort | Crystal Server Port number | Default: 443 |
| global.ssrsPort | SSRS Server Port number | Default: 80 |

global.nodeSelector or pod.nodeSelector
Can be used to define nodeSelector on namespace or pod, e.g.

global:
  nodeSelector: |
    IFSCloud: "true"

or e.g.

ifsapp-odata:
  nodeSelector: |
    IFSCloud: "true"

global.tolerations or pod.tolerations
Can be used to define tolerations on namespace or pod, e.g.

global:
  tolerations: |
    - key: "IFSCloud"
      operator: "Equal"
      value: "true"
      effect: "NoSchedule"

global.affinity or pod.affinity
Can be used to define affinity on namespace or pod, e.g.

ifsapp-odata:
  affinity: |
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: "beta.kubernetes.io/os"
            operator: "In"
            values:
            - "linux"

| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| ifscore.secrets.jdbcUrl.name | ifs-jdbc-url | |
| ifscore.secrets.jdbcUrl.data | The host should be the DB server's IP address.<br>Oracle db service name or sid.<br>Oracle db listener port.<br>Advanced jdbc strings to support failover/RAC or TCPS can be defined here. | jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=10.241.0.4)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=CLOUD)))<br>Note: If passing the jdbcUrl as a command line argument it needs to be quoted and escaped.<br>set ifscore.secrets.jdbcUrl.data= \" jdbc:or......D)) \" |
| ifscore.networkpolicy.enabled | Set to true to activate network policy | Default: true |

ifscore.networkpolicy.internetAccessExceptionList
Optional if network policy is enabled. A list of subnets that should be blocked for access from containers.
Note: the DB server will always be automatically opened on port 1521 even if behind an internetAccessExceptionList subnet.

ifscore:
  networkpolicy:
    enabled: true
    demandhost: 10.0.2.4
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

ifscore.networkpolicy.demandhost
Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that can have Demand Server (e.g. as cold standby). These IPs will be opened even if behind a restricted subnet (internetAccessExceptionList).

ifscore:
  networkpolicy:
    enabled: true
    demandhost: 10.0.2.4,10.0.2.10
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

ifscore.networkpolicy.crystalhost
Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that can have Crystal Services. These IPs will be opened even if behind a restricted subnet (internetAccessExceptionList).

ifscore:
  networkpolicy:
    enabled: true
    crystalhost: 10.0.2.5
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

ifscore.networkpolicy.ssrshost
Can only be set if network policy and internetAccessExceptionList are enabled. The IP of a server that can have SSRS Services. This IP will be opened even if behind a restricted subnet (internetAccessExceptionList).

ifscore:
  networkpolicy:
    enabled: true
    ssrshost: 10.0.2.6
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

ifscore.networkpolicy.connecthost
Can only be set if network policy and internetAccessExceptionList are enabled. The IPs of servers that have a service that the ifsapp-connect pod needs to reach. These IPs will be opened even if behind a restricted subnet (internetAccessExceptionList).

ifscore:
  networkpolicy:
    enabled: true
    connecthost: 10.0.2.7
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

ifscore.networkpolicy.systemurlhost
Can only be set if network policy and internetAccessExceptionList are enabled. If the IP of system_url is behind an internetAccessExceptionList subnet and a pod with internet access needs access to the system url, this IP will be opened even if behind a restricted subnet (internetAccessExceptionList).

ifscore:
  networkpolicy:
    enabled: true
    systemurlhost: 10.0.5.1
    internetAccessExceptionList:
    - ip: 10.0.0.0/16
    - ip: 193.41.170.171/32

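
A review helper for the network policy parameters above, as an added example (not part of the installer): it lists which host parameters reopen an address inside a blocked subnet and flags host parameters set without the policy and exception list they depend on. The function name, the report layout and the sample mapping are assumptions of the example.

```python
import ipaddress

HOST_KEYS = ("demandhost", "crystalhost", "ssrshost", "connecthost", "systemurlhost")

# Constructed sample built from the addresses in the snippets above;
# connecthost 192.168.7.20 is made up to show an address outside the list.
SAMPLE_VALUES = {"ifscore": {"networkpolicy": {
    "enabled": True,
    "demandhost": "10.0.2.4,10.0.2.10",
    "crystalhost": "10.0.2.5",
    "connecthost": "192.168.7.20",
    "systemurlhost": "10.0.5.1",
    "internetAccessExceptionList": [{"ip": "10.0.0.0/16"},
                                    {"ip": "193.41.170.171/32"}],
}}}

def review_network_policy(values):
    """Report which host parameters reopen an address inside a blocked subnet."""
    policy = values.get("ifscore", {}).get("networkpolicy", {})
    enabled = policy.get("enabled", True)  # the page gives true as the default
    report = {"errors": [], "reopened": [], "outside": []}
    blocked = []
    for entry in policy.get("internetAccessExceptionList") or []:
        try:
            blocked.append(ipaddress.ip_network(entry["ip"], strict=False))
        except (KeyError, TypeError, ValueError):
            report["errors"].append(f"invalid subnet entry: {entry!r}")
    for key in HOST_KEYS:
        if key not in policy:
            continue
        # The page: host parameters can only be set when both are enabled.
        if enabled is not True or not blocked:
            report["errors"].append(
                f"{key} is set, but network policy and "
                "internetAccessExceptionList are not both enabled")
            continue
        for item in str(policy[key]).split(","):
            try:
                address = ipaddress.ip_address(item.strip())
            except ValueError:
                report["errors"].append(f"{key}: {item.strip()!r} is not an IP address")
                continue
            covering = [str(net) for net in blocked if address in net]
            if covering:
                report["reopened"].append((key, str(address), covering[0]))
            else:
                report["outside"].append((key, str(address)))
    return report

if __name__ == "__main__":
    for section, rows in review_network_policy(SAMPLE_VALUES).items():
        print(section, rows)
```

Every entry under "reopened" is an address that containers can reach although its subnet is on the blocked list, so that list is the one to review against the intended Demand, Crystal, SSRS and Connect servers.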
| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| ifscore.passwords.ifssysPassword.data | Set the ifssys-password for the IFSSYS user in the DB. | |
| ifscore.passwords.ifsadminPassword.data | The ifsadmin-pw of the IFSADMIN user. IFSADMIN is the initial user defined in IAM. This user is the only user that can log on to Cloud Web in a freshly installed system. With this user the additional users are defined in Solution Manager. | |
| .certificates.certname1 | Path to a .cer file or a key as a string.<br>The string certname1 can be given a more descriptive name.<br>Read the special section below. | e.g.<br>certificates.database.dbcert: /path/to/dbcert.cer |
| global.certificates.database.certname1 | As an encryption certificate for the db connection is common for all pods, the database certificate is a global (ifscore) parameter. | e.g.<br>global.certificates.database.dbcert: /path/to/dbcert.cer |
| global.serverTimeZone | Time zone of the database server. A valid time zone should be provided. The value cannot be changed after it has been set. | e.g. Asia/Colombo |

Specific Certificate for pods

Certificates can be imported per pod, and will then be added to the java truststore (cacerts) at pod startup. Under each pod parameter section a certificate section can be added.

e.g:

ifsappconnect:  
     certificates:  
        mycertintext: |  
           -----BEGIN CERTIFICATE-----   
           MIIDHzdIZ3+TSgCbI2tupJsv1FRWV3pMg3pdIGo7Ia   
           FyJKCqEj4rV/q7MW2a4JQJF8ykXixZ4YTLwi67VFMSfd2D516r1Xx2k617B+01dg  
           GRwQDY3H2NWh1QjBoyIOJKklLd/fEPzm+UU/JH8K/yBQdVZBaxw4KjU0xyqQFTd0   
           jhsIc1pqf2aVEsejwyNLhs9DnZyvzRBNsyvuVm//0gWV4OPDAa/i0BULgHnjJF2y   
           2M8H0QgLNafuaVxL2K6jArHg5JB1Qgkd7jxvmylwQhelfV86MmO9cy7f3gIRcX52   
           lU+UKetAgt4koD5opvDOzWtToavXGALzFjMxMN9iyGEfFf8=   
           -----END CERTIFICATE-----  
        mycertfromfile: C:\remote\ifsroot\config\certs\mycert.crt

Note: All certificate names (e.g. mycertintext, mycertfromfile) need to be unique over the entire ifscloud-values.yaml.

Parameters for DB installer and DB import

| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| dbInstaller.ifsappPassword | The IFS Cloud application schema owner's password. | Used when creating the application owner in prepare.sql |
| dbInstaller.deliveryPath | Path to DELIVERY or BUILD_HOME (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file). | It defaults to the delivery or build home from where the installer was started. |
| ifscore.users.ifsappUser.data | If the IFS Cloud schema owner is not IFSAPP, this parameter can set a different schema owner name. | Defaults to IFSAPP. All new systems should use IFSAPP. |
| dbInstaller.jdbcUrl | Only one of the jdbcUrl's is required. This param will win over the ifscore.secrets.jdbcUrl.data parameter. But the ifscore.secrets.jdbcUrl.data should be used if it is a simple jdbcUrl. | |
| ifscore.secrets.jdbcUrl.data | This is the default jdbcUrl used by all containers; it can/should also be used by the db installer. If the ifscore.secrets.jdbcUrl.data points to an Oracle RAC cluster or Oracle Dataguard, the dbInstaller.jdbcUrl should be used to deploy to the DB. | |
| dbInstaller.fileName | Full path to a file to be deployed (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file). | |
| dbInstaller.sysAdminUser | Admin user (PDB common user) when running Prepare Database, i.e. used when deliveryPath is set and delivery contains prepare.sql. If no value is given, SYS will be used as fallback. | SYS |
| dbInstaller.sysPassword | Password for the SYS Admin user (e.g. SYS) in DB. Only used when deliveryPath is set and delivery contains prepare.sql. If sysPassword is not defined, prepare.sql as the admin user will not be run (this is normally passed as an argument since it should not be persisted in an ifscloud-values.yaml file). | |
| dbInstaller.connectRole | If connection must be done as SYSDBA or SYSOPER, instead of NORMAL. Only relevant when action is FILEXEC. When running Prepare Database, the connect role is always set to SYSDBA. | |
| dbInstaller.ialOwner | If the IAL schema owner is not IFSINFO, this parameter can set a different schema owner name. | Defaults to IFSINFO |
| dbInstaller.extLogging | Extended logging. | Defaults to N |
| dbInstaller.waitingTime | Waiting time for still running processes, e.g. background jobs. | Default = 3600 (one hour) |
| dbInstaller.exitOnWaitingTime | Terminating installation with exit code 10, if dbInstaller.waitingTime is reached | Defaults to N |
| dbInstaller.dbServerSize | Number of parallel threads when running independent file types | Default = 12 |
| logFileLocation | Path to where all logs will be placed | Defaults to %TEMP%/ifsinstaller_<namespace><br>--set logFileLocation=c:\logs |
| ifscore.passwords.ifsiamPassword.data | Password when creating the user ifsiamsys in prepare.sql | Random value set as fallback in define.tem |
| ifscore.passwords.ifssysPassword.data | Password when creating the user ifssys in prepare.sql | Random value set as fallback in define.tem |
| ifscore.passwords.ifsmonPassword.data | Password when creating the user ifsmonitoring in prepare.sql | Random value set as fallback in define.tem |
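
A pre-installation lint for a parsed values file, as an added example (not part of the installer): it applies the rules from the Password limitations section and flags the parameters this table says are normally passed as arguments rather than persisted. Which parameters are treated as passwords, the letter-only reading of the first-character rule, and treating any other non-ASCII character as language specific are assumptions of the example.

```python
# Characters the page lists as not allowed in passwords.
FORBIDDEN = set("\\/@'\"|-*$&#§[]{}()")
# Parameters the page says are normally passed as arguments, not persisted.
PASS_AS_ARGUMENT = {"dbInstaller.deliveryPath", "dbInstaller.fileName",
                    "dbInstaller.sysPassword"}
# Assumption of this example: which parameters are treated as passwords.
EXTRA_PASSWORD_KEYS = {"certificatePassword", "dbInstaller.ifsappPassword",
                       "dbInstaller.sysPassword"}

# Constructed sample: a parsed values file with made-up passwords.
SAMPLE_VALUES = {
    "certificatePassword": 12345,  # unquoted in YAML, so parsed as an integer
    "ifscore": {"passwords": {
        "ifssysPassword": {"data": "Correct7Horse.Battery"},
        "ifsadminPassword": {"data": "9lives$"},
    }},
    "dbInstaller": {"sysPassword": "Sys_Password_For_Demo1", "dbServerSize": 12},
}

def flatten(mapping, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested mapping."""
    for key, value in mapping.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, dotted)
        else:
            yield dotted, value

def is_password_key(dotted):
    in_passwords = dotted.startswith("ifscore.passwords.") and dotted.endswith(".data")
    return in_passwords or dotted in EXTRA_PASSWORD_KEYS

def check_password(value):
    """Return [(severity, message)]; the password itself is never echoed."""
    if not isinstance(value, str):
        return [("error", "value is not a string; quote it in the YAML file")]
    found = []
    # Assumption: the bracketed ranges [a-z] [A-Z] are read literally (letters only).
    if not (value[:1].isascii() and value[:1].isalpha()):
        found.append(("error", "must start with a character in [a-z] [A-Z]"))
    if any(ch in FORBIDDEN for ch in value):
        found.append(("error", "contains a special character that is not allowed"))
    if any(not ch.isascii() and ch not in FORBIDDEN for ch in value):
        found.append(("error", "contains a language-specific (non-ASCII) character"))
    if len(value) < 15:
        found.append(("warning", "shorter than the recommended 15 characters"))
    return found

def lint(values):
    """Return [(severity, dotted_key, message)] for a parsed values mapping."""
    findings = []
    for key, value in flatten(values):
        if key in PASS_AS_ARGUMENT:
            findings.append(("warning", key, "normally passed as an argument, "
                             "not persisted in the values file"))
        if is_password_key(key):
            findings += [(sev, key, msg) for sev, msg in check_password(value)]
    return findings
```

The findings name the parameter and the rule only, so the report can be stored or shared without exposing any password.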

Parameters for AMM

| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| ifsappamm.replicas | Sets how many containers of this type should be started | Defaults to 1<br>Note: this container should not have more than 1 container running. |
| ifscore.passwords.ifsmonPassword.name | ifsmon-password | ifsmon-password |
| ifscore.passwords.ifsmonPassword.data | ifsmonitoring password | |
| ifscore.passwords.ifsappmonitorPw.name | ifsappmonitor-pw | ifsappmonitor-pw |
| ifscore.passwords.ifsappmonitorPw.data | ifsappmonitor password used by AMM to do login validation tests | |

Parameters for BUSMOD

Should only be set if component PBIES is active

| Parameter | Purpose | Examples/Defaults |
|---|---|---|
| ifsappbusmod.replicas | Sets how many containers of this type should be started | Default set to global.replicas parameter |
| ifsappbusmod.assServerName | The fully qualified name of the Azure Analysis Service to connect to, required for v1 endpoints < 22R1 | Optional |
| ifsappbusmod.authService | The authentication url | Required |
| ifsappbusmod.appId | The app id (client id) of the Azure application registration or managed identity that is linked to the service. This needs to be created before the service can be installed; this should be handled when a new customer is provisioned in Azure. | Required |
| ifsappbusmod.tenantId | The Azure tenant id where the app id (client id) is created | Required |
| ifsappbusmod.logLevel | The minimal level of messages that needs to be logged | Optional, Default set to warn |
| ifsappbusmod.serviceAccountEnabled | Set to true when using managed identities | Optional |
| ifsappbusmod.managedIdentityEnabled | Set to true when using managed identities | Optional |
| ifsappbusmod.pbiBaseUri | Url used to connect to the power bi service | Optional, Default set to http://ifsapp-powerbi-svc:8080/ |
| ifsappbusmod.dataLakeAccountName | The account name of the ADLS Gen2 to create sas tokens for | Optional when only using Advanced Analytics features, required when using analysis models framework features. |
| ifsappbusmod.dataLakeContainer | The container of the ADLS Gen2 to create sas tokens for | Optional when only using Advanced Analytics features, required when using analysis models framework features. Default set to AMC. |
| ifsappbusmod.targetWorkspaces | The area to workspace mapping. | Optional when only using Advanced Analytics features, required when using analysis models framework features. Example content is given below the table. |
| ifscore.passwords.busmodAadSecret.data | Value for the busmod-aad-secret; this is used to get an OAuth token for the service principal to invoke Azure and Office 365 services | Required when not using a managed identity |
| ifscore.users.ifsamfwUser.data | Value for the ifsamfw-user, the username of the database user that is used to maintain the administration tables | Optional when only using Advanced Analytics features, required when using analysis models framework features, default value: IFSAMFW |
| ifscore.passwords.ifsamfwPassword.data | Value for the ifsamfw-password, the password of the database user that is used to maintain the administration tables | Optional when only using Advanced Analytics features, required when using analysis models framework features |
| ifscore.secrets.jdbcUrl.data | Value for the ifs-jdbc-url, used to connect to the oracle database (see General Parameters for more info) | Optional when only using Advanced Analytics features, required when using analysis models framework features |
| ifscore.secrets.ifsAmDataLakeAppKey.data | Value for the ifs-am-datalake-appkey, used to configure the gateway connections so the datasources of a Power BI Dataset can access the datalake content | Optional when only using Advanced Analytics features, required when using Analysis Models Framework features |

Example content for ifsappbusmod.targetWorkspaces that maps the HCM and the Finance area to 2 workspace ids: {HCM;3d43b5b3-cfa9-43a1-9839-490afba6c1b4}|{Finance;3efd157f-f356-4160-90d4-6747827519d4}

Parameters for Power BI Service (PBIES)

Should only be set if component PBIES is active

| Parameter | Required | Purpose | Examples/Defaults |
|---|---|---|---|
| ifsapppowerbisvc.replicas | | Sets how many containers of this type should be started | Optional, Default set to global.replicas parameter |
| ifsapppowerbisvc.serviceConfigEnabled | | Indicates whether the service is configured or not; if false then the readiness probe will not fail. | Optional, Default set to false |
| ifsapppowerbisvc.azureAdClientId | | The app id (client id) of the Azure application registration or managed identity that is linked to the service. This needs to be created before the service can be installed; this should be handled when a new customer is provisioned in Azure. | Required |
| ifsapppowerbisvc.azureAdTenantId | | The Azure tenant id where the app id (client id) is created | Required |
| ifsapppowerbisvc.azureAdServicePrincipalObjectId | Required | | Required, the object id of the service principal of the Azure application registration |
| ifsapppowerbisvc.authConfigUserNameClaim | | The claim of the OpenIdConnect token to use to send in the effective identity to an SQL Server Analysis Services (SSAS) when Row Level Security (RLS) is turned on for the model | Optional, Default set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| ifsapppowerbisvc.authConfigCustomDataClaim | | The claim of the OpenIdConnect token to use to send in the effective identity to an Azure Analysis Services (AAS) when Row Level Security (RLS) is turned on for the model | Optional, Default set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| ifsapppowerbisvc.serviceAccountEnabled | | Set to true when using managed identities | Optional |
| ifsapppowerbisvc.managedIdentityEnabled | | Set to true when using managed identities | Optional |
ifsapppowerbis