Changing credentials for access to Content Delivery microservices

When you installed the Discovery Service, you were instructed to secure your setup by changing the default passwords of the preconfigured user accounts for the various roles. You were also told you could change the set of user accounts as needed. This topic explains how to change the user accounts, their passwords, or both after installation.

About this task

By default, access to the Content Delivery microservices is secured by OAuth. The cd_ambient_conf.xml configuration file of the Discovery Service contains the configured user accounts and their passwords.

Procedure

  1. If you have not yet done so, from the Tridion Sites installation media folder Content Delivery\roles\api\rest\java\lib\, copy the following files to a folder of your choice on a computer that has Java installed:
    • udp-common-util-BUILD.jar
    • udp-core-BUILD.jar

    where BUILD is the build number of the JAR file (not necessarily the same for both files).

  2. In the configuration location of the Discovery Service, open cd_ambient_conf.xml for editing.
  3. Find the <Accounts> section.
    You see a number of Account child elements. If you have not changed them, the following accounts are preconfigured:
    | Account ID | Role | Description |
    |---|---|---|
    | cmuser | cm | Account used by services facing Content Manager and Topology Manager |
    | cduser | cd | Account used by services facing the Content Delivery client |
    | itadmin | provider | Not in use by default; available for use by you in customizations |
    | registration | provider | Account used by the microservice registration tool and by the installation scripts for the registration of microservices as Capabilities |
    | implementer | implementer | Not in use by default; available for use by you in customizations |
  4. If you want to change the password of any configured account, generate a new password that you consider sufficiently secure.
  5. Store the new password(s) you generated in a secure location.
  6. For each password you generated, do the following:
    1. Encrypt each password in turn by opening a command prompt, accessing the folder you chose in step 1, and running one of the following commands, depending on your operating system:
      Windows operating systems
      java -cp udp-common-util-BUILD.jar;udp-core-BUILD.jar com.tridion.crypto.Encrypt PLAINTEXTPASSWORD
      Unix operating systems
      java -cp udp-common-util-BUILD.jar:udp-core-BUILD.jar com.tridion.crypto.Encrypt PLAINTEXTPASSWORD

      where PLAINTEXTPASSWORD is the password you want to encrypt.

      The encryption tool responds as follows:
      Configuration value = encrypted:ENCRYPTEDVALUE

      where ENCRYPTEDVALUE is an encrypted version of your original password.

    2. Copy the encrypted password, including the encrypted: prefix, to your clipboard.
    3. In cd_ambient_conf.xml, in the Account element of the account you are configuring, paste the string you copied to your clipboard into the Password attribute, replacing the value already there.
    4. Continue to the next account and password.
  7. You can also change any or all of the accounts being used. After doing so, set the correct passwords for these accounts as explained above. You can also remove accounts that are not in use, but RWS recommends that you keep at least one user account for each role.
  8. After changing the configured passwords and/or user accounts, save and close cd_ambient_conf.xml.
  9. Now, go through the places in your implementation where you configured these accounts and passwords, and update them as needed. Specifically, you will have configured these credentials:
    • when setting up publishing from Content Manager to Content Delivery
    • when setting up the presentation environment, specifically the Content Interaction Libraries
    • when setting up the Contextual Image Delivery client software
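
A check to run on cd_ambient_conf.xml after step 8, added here as an example (it is not RWS code): it flags Account elements whose Password value is empty, plaintext or contains pasted tool output, and, given a copy of the file from before the change, lists accounts whose password was not changed. The Id attribute name, the element nesting in the sample and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

PREFIX = "encrypted:"

def accounts(xml_text, id_attr="Id"):
    """Map account ID -> Password attribute for each Account element.
    "Password" is named in the procedure; the "Id" attribute name is an assumption."""
    root = ET.fromstring(xml_text)
    return {el.get(id_attr, "?"): el.get("Password")
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Account"}  # ignore any XML namespace

def audit(current_xml, baseline_xml=None):
    """Return {account_id: [problems]} for the edited configuration."""
    baseline = accounts(baseline_xml) if baseline_xml else {}
    findings = {}
    for acct, pw in accounts(current_xml).items():
        problems = []
        if not pw:
            problems.append("no Password value")
        elif pw != pw.strip() or "Configuration value" in pw:
            problems.append("paste error: tool output or whitespace in value")
        elif not pw.startswith(PREFIX):
            problems.append("plaintext: missing encrypted: prefix")
        elif pw == PREFIX:
            problems.append("encrypted: prefix with no value")
        if pw and baseline.get(acct) == pw:
            problems.append("unchanged from baseline")
        if problems:
            findings[acct] = problems
    return findings

# Constructed sample data: element nesting and encrypted values are placeholders.
BASELINE = """<Configuration><Security><Accounts>
  <Account Id="cmuser" Password="encrypted:AAAA"/>
  <Account Id="cduser" Password="encrypted:BBBB"/>
  <Account Id="registration" Password="encrypted:CCCC"/>
  <Account Id="itadmin" Password="encrypted:DDDD"/>
</Accounts></Security></Configuration>"""
EDITED = """<Configuration><Security><Accounts>
  <Account Id="cmuser" Password="encrypted:ZZZZ"/>
  <Account Id="cduser" Password="encrypted:BBBB"/>
  <Account Id="registration" Password="Configuration value = encrypted:YYYY"/>
  <Account Id="itadmin" Password="S3cret!"/>
</Accounts></Security></Configuration>"""

if __name__ == "__main__":
    for acct, problems in audit(EDITED, BASELINE).items():
        print(f"{acct}: {'; '.join(problems)}")
```

To use it on a real setup, pass the contents of the live file as the first argument and the contents of a pre-change copy as the second.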