Connecting Content Manager to a secured Add-ons Service

If you have secured your Add-ons Service, you must ensure that Content Manager can connect to it. To do so, modify the addonsSettings.json configuration file.

Before you begin

This task has the following prerequisites:
  • You have access as an Administrator to the Content Manager server.
  • You know the following information:
    • URL of the installed Access Management service
    • Client ID and Client Secret for the service account for the Add-ons Service, as configured in Access Management

Procedure

  1. On the Content Manager server, go to the config\ subfolder of %TRIDION_HOME% and open addonsSettings.json for editing.
  2. Within the addonsSettings section, at the end of the section, ensure the presence of a subsection called openIdConnectParameters.
  3. Within this openIdConnectParameters subsection, set the following properties:
    Property        Description of value
    Address         The URL of the installed Access Management application. Example: http://localhost:5000/access-management/connect/token
    ClientId        The client ID defined in Access Management for the Add-ons Service API's service account.
    ClientSecret    The client secret defined in Access Management for the Add-ons Service API's service account.
  4. Save and close AddonsSettings.json.
  5. Consider limiting access to the file AddonsSettings.json to selected users: read access should be limited to users who run services with Add-ons, while read-write access should be limited to administrators.
  6. To prevent sensitive data, such as the client secret, from being seen by people with access to the file, or from being sent to the Add-ons Service in cleartext, go to the tools\ subfolder and run the following command:
    Tridion.AddonService.ConfigProtector.exe protect -f PATH\config\AddonsSettings.json

    Where PATH is the full path to the installed Add-ons Service.

    The command encrypts and updates data in the file and puts the keys in the config\key\ subfolder of %TRIDION_HOME%. You can always decrypt the data later by running the same command, but using unprotect instead of protect as the verb.
  7. Ensure that file system access to the config\key\ subfolder of %TRIDION_HOME% is restricted to only those users who run services with Add-ons.
  8. Restart all Tridion services, and IIS, to apply your changes.
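
One way to apply the file system restrictions from steps 5 and 7 with NTFS permissions, as an added example that is not part of the product documentation. The account name EXAMPLE\svc-tridion and the function Set-RestrictedAcl are hypothetical, and keeping full control for administrators on the key folder is an assumption made so that protect and unprotect can still be run.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
# ASSUMPTION: placeholder for the account that runs your services with Add-ons.
$ServiceAccount = 'EXAMPLE\svc-tridion'

function Set-RestrictedAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReaderAccount
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipped (not found): $Path"
        return
    }
    $isFolder = Test-Path -LiteralPath $Path -PathType Container
    # Folder rules must flow down to the key files stored inside the folder.
    $inherit = if ($isFolder) { 'ContainerInherit, ObjectInherit' } else { 'None' }

    $acl = Get-Acl -LiteralPath $Path
    # Break inheritance and discard the entries inherited from the parent folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Discard explicit entries as well, so only the two grants below remain.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
    $grants = [ordered]@{
        'BUILTIN\Administrators' = 'FullControl'   # read-write for administrators
        $ReaderAccount           = 'Read'          # read-only for the service account
    }
    foreach ($identity in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $grants[$identity], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Show the resulting entries so the change can be reviewed.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$config = Join-Path $env:TRIDION_HOME 'config'
# Step 5: the settings file that holds the client secret.
Set-RestrictedAcl -Path (Join-Path $config 'addonsSettings.json') -ReaderAccount $ServiceAccount
# Step 7: the key folder, which exists only after 'protect' has been run (step 6).
Set-RestrictedAcl -Path (Join-Path $config 'key') -ReaderAccount $ServiceAccount
```

If several accounts run services with Add-ons, call the function with a group that contains them rather than a single account.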