Configuring the passwords of Content Delivery user accounts

By default, access to the Content Delivery microservices is secured by OAuth. The Ambient Data Framework configuration file (cd_ambient_conf.xml) of the Discovery Service contains a number of predefined user accounts. To secure your setup, change the default passwords of these user accounts.

Procedure

  1. Create a folder, say Encrypter\, on your computer, the Content Delivery server or any other machine with Java installed.
  2. Access the SDL Tridion Sites installation media.
  3. Navigate to Content Delivery\roles\api\rest\java\lib\.
  4. Copy the following files to the folder you just created:
    • udp-common-util-BUILD.jar
    • udp-core-BUILD.jar

    where BUILD is the build number of the JAR file (not necessarily the same for both files).

  5. In the configuration location of the Discovery Service, open cd_ambient_conf.xml for editing.
  6. Find the <Accounts> section.
    You see a number of Account child elements. By default, the following accounts are preconfigured:
    Account ID   | Role        | Description
    cmuser       | cm          | Account used by services facing Content Manager and Topology Manager
    cduser       | cd          | Account used by services facing the Content Delivery client
    itadmin      | provider    | Not in use by default; available for use by you in customizations
    registration | provider    | Account used by the microservice registration tool and by the installation scripts if the -auto-register switch is used
    implementer  | implementer | Not in use by default; available for use by you in customizations

    You can remove accounts that are not in use if you like, but SDL recommends that you keep at least one user account for each role.

    You can also change any or all account IDs if you want.

  7. For each Account child element, invent a password that you consider sufficiently secure.
  8. Store the passwords you invented in a secure location.
  9. For each password you invented, do the following:
    1. Encrypt each password in turn by opening a command prompt, accessing the folder you created earlier, and running one of the following commands, depending on your operating system:
      Windows operating systems
      java -cp udp-common-util-BUILD.jar;udp-core-BUILD.jar com.tridion.crypto.Encrypt PLAINTEXTPASSWORD
      Unix operating systems
      java -cp udp-common-util-BUILD.jar:udp-core-BUILD.jar com.tridion.crypto.Encrypt PLAINTEXTPASSWORD

      where PLAINTEXTPASSWORD is the password you want to encrypt.

      The encryption tool responds as follows:
      Configuration value = encrypted:ENCRYPTEDVALUE

      where ENCRYPTEDVALUE is an encrypted version of your original password.

    2. Copy the encrypted password, including the encrypted: prefix, to your clipboard.
    3. In cd_ambient_conf.xml, in the Account element of the account you are configuring, paste the string you copied to your clipboard into the Password attribute, replacing the value already there.
    4. Continue to the next account and password.
  10. From cd_ambient_conf.xml, copy the value of the Password attribute of the account with ID registration to your clipboard.
  11. Save and close cd_ambient_conf.xml.
    You have now created secure, encrypted, non-default passwords for the various user accounts that interact with the Content Delivery microservices.
  12. In the same location, open cd_storage_conf.xml for editing.
  13. Find the ConfigRepository section.
  14. Set the ClientSecret attribute to the encrypted password you copied to your clipboard.
  15. Save and close cd_storage_conf.xml.
    You have now configured the Discovery Service to securely register additional microservices with itself.
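
A post-change check for the procedure above, as an added example that is not part of the SDL documentation or product: it flags any Account whose Password attribute lacks the encrypted: prefix or still matches a value in an untouched copy of the shipped cd_ambient_conf.xml, and a ConfigRepository ClientSecret that differs from the registration account's Password. The Id attribute name, the sample XML layout and the placeholder values are assumptions; set id_attr and registration_id to match your files.

```python
import xml.etree.ElementTree as ET

PREFIX = "encrypted:"

def _elements(xml_text, name):
    """All elements with the given local name, ignoring any XML namespace."""
    return [e for e in ET.fromstring(xml_text).iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def _passwords(xml_text, id_attr):
    """Map account ID -> Password attribute for every Account element."""
    return {e.get(id_attr): e.get("Password", "")
            for e in _elements(xml_text, "Account")}

def audit(ambient, storage, shipped, id_attr="Id", registration_id="registration"):
    """Return sorted (subject, problem) findings for the three config texts."""
    current = _passwords(ambient, id_attr)
    # Compare by value, not by ID, because account IDs may have been renamed.
    defaults = set(_passwords(shipped, id_attr).values())
    findings = []
    for account, value in current.items():
        if not value.startswith(PREFIX):
            findings.append((account, "Password lacks the encrypted: prefix"))
        elif value in defaults:
            findings.append((account, "Password unchanged from shipped file"))
    for repo in _elements(storage, "ConfigRepository"):
        if repo.get("ClientSecret") != current.get(registration_id):
            findings.append(("ConfigRepository", "ClientSecret differs from "
                             "the registration account's Password"))
    return sorted(findings)

# Constructed sample data: placeholder values, not real ciphertext.
SHIPPED = """<Configuration><Accounts>
  <Account Id="cmuser" Password="encrypted:DEFAULT-1"/>
  <Account Id="cduser" Password="encrypted:DEFAULT-2"/>
  <Account Id="registration" Password="encrypted:DEFAULT-3"/>
</Accounts></Configuration>"""
AMBIENT = """<Configuration><Accounts>
  <Account Id="cmuser" Password="encrypted:NEW-1"/>
  <Account Id="cduser" Password="encrypted:DEFAULT-2"/>
  <Account Id="itadmin" Password="pasted-without-prefix"/>
  <Account Id="registration" Password="encrypted:NEW-3"/>
</Accounts></Configuration>"""
STORAGE = """<Configuration>
  <ConfigRepository ClientSecret="encrypted:DEFAULT-3"/>
</Configuration>"""

if __name__ == "__main__":
    for subject, problem in audit(AMBIENT, STORAGE, SHIPPED):
        print(f"{subject}: {problem}")
```

To use it on a real installation, read the two edited files and a pristine copy of cd_ambient_conf.xml from the installation media into strings and pass them to audit(); an empty list means none of the three conditions was found.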

What to do next

Whenever the SDL Tridion Sites documentation requires you to configure these passwords, it will explain how to do so. Specifically, you need to configure these passwords in the following situations:
  • when setting up publishing from Content Manager to Content Delivery
  • when setting up the presentation environment, specifically the Content Interaction Libraries
  • when setting up the Contextual Image Delivery client software