How to Create and Test Workflow on Red Hat Process Automation Manager with REST API

Red Hat Process Automation Manager, or RHPAM, is a platform that are being use for automating business decisions and processes. It enables enterprise business and IT users to document, simulate, manage, automate and monitor business processes and decisions.

And for today’s example im trying to simulate a logic to validate a very simple condition, to check whether a user registration data is valid or not. The parameter is, a user should have a valid name, and age between 21 and 49.

First we need to create a simple Data Object to accomodate our parameter data and result,

Next is creating a simple decision table,

Put data constraint there,

Create expected result,

After adding some decision logic, the end result should be like this,

Next is creating a workflow (Business Processes), in here we are doing some data unmarshalling, logging, validating the data with our existing data table, and providing the result. The result of this workflow is going to be stored in a “status” variable.

The whole project structure will looks like this,

Next, we can do build, and deploy after that. This will make our project deployed to Kie Server.

Now here comes the exciting part, how to access and test our deployed pam project thru REST API. First we need to understand that our project is being deployed to a Kie Server, therefore we need to see what api services that are provided there. We can check easily by seeing our Kie Server’s swagger link,


We can list all projects available on our Kie Server with this curl command, dont forget replacing pamuser and pampassword with your actual RHPAM username and password

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/

Use this curl command to see the api endpoint for our business process workflow,

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/Project01_1.0.0-SNAPSHOT/processes

Once we found our business process id, we can start our workflow by using this curl command,

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/Project01_1.0.0-SNAPSHOT/processes/Project01.Business01/instances \
-H 'Content-Type: application/json' \
--data-raw '{
    "application": {
        "com.edw.project01.User": {
            "age": 2,

This curl command will return a specific numerical id,

We can see the progress result of corresponding id on “Process Instances” menu,

Or by using a curl api call,

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/Project01_1.0.0-SNAPSHOT/processes/instances/12

Next is seeing what is the workflow result, by seeing that we are giving “age” parameter below 20 means we are expeting the registration result to be “false”. We can achieve that by using this curl command,

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/Project01_1.0.0-SNAPSHOT/processes/instances/12/variables/instances/status

And it is showing that value is “false”,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

Lets try with a correct data,

curl -kv https://pamuser:pampassword@kieserver-url/services/rest/server/containers/Project01_1.0.0-SNAPSHOT/processes/Project01.Business01/instances \
-H 'Content-Type: application/json' \
--data-raw '{
    "application": {
        "com.edw.project01.User": {
            "age": 25,

This time it will shows “true”

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

You can check my sample code on github,

So, it’s pretty much simple right.
Have fun with RHPAM (Y)

Downloading Red Hat Process Automation Manager Workflow Project to Your Local or to Github

Basically it is quite simple, you can see “Settings” tab on your project page,

There’s a url field there, and we can do a git clone to that corresponding url.

After cloned, we can push to github. This is the example git repository,

Migrating ReplicationController Between Openshift Cluster

For this scenario, im trying to migrate replicationcontroller (RC) between two OCP with different version. One OCP is on version 3.x, while the other one is 4.x.
So, it’s actually quite tricky. This is the first method that im doing, a simple export on OCP 3

oc get rc -o yaml -n projectname --export > rc.yaml

And do a simple import on OCP 4

oc create -n projectname -f rc.yaml

But there are some error happens,

Error from server (Forbidden): replicationcontrollers "rc-1" is forbidden: 
cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>

It seems like despite im using –export parameter, somehow still exporting the previous DC uid on rc.yaml

      app: HelloWorld
      group: com.redhat.edw helloworld
      provider: fabric8
      version: "1.0"
    name: helloworld-5
    namespace: project
    - apiVersion:
      blockOwnerDeletion: true
      controller: true
      kind: DeploymentConfig
      name: helloworld
      uid: 8a96de62-9be4-11ea-a05c-0a659b38d468
    resourceVersion: "65350349"
    selfLink: /api/v1/namespaces/project/replicationcontrollers/helloworld-5
    uid: 257eda84-9be7-11ea-a05c-0a659b38d468

The solution is by removing ownerReferences tag from yaml,

sed -i '/ownerReferences/,+6 d' rc.yaml

It will regenerate ownerReference tag once successfully imported to a new project.

But another problem arise. It seems like despite i’ve successfully import all my RCs, they are not showing when i do a oc get rc command. The culprit is revisionHistoryLimit, removing it from our dc solve this problem.

oc patch  dc helloworld -n project --type json --patch '[{ "op": "remove", "path": "/spec/revisionHistoryLimit" }]'

Migrating Image Stream from One Openshift Image Registry to Another Image Registry with Skopeo

I have a requirement where i need to move all images from Image Registry on Openshift 3, to Image Registry on Openshift 4. There are a lot of ways to do it, such as mounting the same disk to multiple Openshift instance or move in manually using docker pull, tag and then push.

After brainstorming for quite some time, i come up with a solution of using Skopeo as a tools to do image migration. It’s a very convenient tool for handling image copying from one image registry to another.

It is actually a very simple script, first we need to capture all images within every OCP3 project,

oc get project -o template --template='{{range.items}}{{}}{{"\n"}}{{end}}' | while read line
	oc get imagestreamtag -n $line -o template \ 
		--template='{{range.items}}{{.metadata.namespace}}{{"/"}}{{}}{{"\n"}}{{end}}' > images.txt

Use this command to capture your OCP username and token,

# capturing your username
oc whoami 

#capturing your token
oc whoami -t

And then we need to iterate the content of generated file with the username and token you get from previous command.

cat images.txt | while read line
	skopeo copy  --src-creds ocp3username:ocp3token --src-tls-verify=false \
		--dest-creds ocp4username:ocp4token  --dest-tls-verify=false \
		docker://docker-registry-from.ocp3/$line \

After all is done, what is left is do a simple validation to count how many images has been migrated.

 oc get imagestreamtag --no-headers | wc -l

Securing Connection Between Pods in Openshift with SSL

On this post, im trying to create a simple microservices application on top of Openshift 3.11 and each services will do a simple secure connection between it by using a self-sign SSL which are managed by Openshift.

The goal of why Openshift are managing SSL certificate thru Openshift Secret is to have a rolling or rotating certificate feature on each services but can be triggered by Openshift without have to replace SSL on each services manually.

First is generate a p12 certificate by using keytool

cert>keytool -genkey -alias edw 
	-keystore edw.p12 -storetype PKCS12 
	-keyalg RSA -storepass password 
	-validity 730 -keysize 4096
What is your first and last name?
  [Unknown]:  Edwin
What is the name of your organizational unit?
  [Unknown]:  Company 01
What is the name of your organization?
  [Unknown]:  IT
What is the name of your City or Locality?
  [Unknown]:  Jakarta
What is the name of your State or Province?
  [Unknown]:  Jakarta
What is the two-letter country code for this unit?
  [Unknown]:  ID
Is CN=Edwin, OU=Company 01, O=IT, L=Jakarta, ST=Jakarta, C=ID correct?
  [no]:  yes

Next is creating two java projects which are connected one and another,

There are several part of the code that need mentioning,

First is making sure https option is active on, include our p12 certificate and make certificate password as parameterized. This parameter later on will be injected as environment variables on Openshift.



And the next is because we are using a custom certificate, dont forget to include it on RestTemplate.

public class MyRestTemplate {

    private String sslKeyStore;

    private String sslPassword;

    public RestTemplate restTemplate() throws Exception {
        KeyStore clientStore = KeyStore.getInstance("PKCS12");
        clientStore.load(new FileInputStream(sslKeyStore), sslPassword.toCharArray());

        SSLContext sslContext = SSLContextBuilder
                .loadTrustMaterial(clientStore, new TrustSelfSignedStrategy())
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
        HttpClient httpClient = HttpClients.custom()
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);

        return new RestTemplate(factory);

Deploy those two application to Openshift,

oc new-app

oc new-app

Deploy certificate as OCP Secret and mount it as a volume on our application,

oc create secret generic cert --from-file=cert\edw.p12

oc set volume dc ssl-pods-example --add -t secret -m /deployments/cert --name cert --secret-name cert
oc set volume dc ssl-pods-example-2 --add -t secret -m /deployments/cert --name cert --secret-name cert

And our certificate password as OCP Secret and inject it as environment variable to our application

oc create secret generic sslpassword --from-literal=SSLPASSWORD=password

oc set env dc ssl-pods-example --from=secret/sslpassword 
oc set env dc ssl-pods-example-2 --from=secret/sslpassword 

After all deployed on OCP, next is give a route for our application. Im using re-encrypt method for ensuring an end to end encryption within the app. In order to do so, we need to include our application CA certificate as our route’s destination certificate. We can do so by exporting our certificate from p12 file using this command,

keytool -exportcert -keystore edw.p12 -storetype PKCS12 -storepass password -alias edw -file edw.crt -rfc

And paste the certificate on our route,

The end result would be like below image,

And as you can see, we are using certificate from end to end for securing our connection.