Creating secrets to protect sensitive IBM FileNet Content Manager configuration data
Before you begin
Before you create ibm-fncm-secret, review the requirements for the user credentials that are given to the operator using the secret:
- For the database connection user, see Preparing your databases.
- For the FileNet P8 domain administrator and object store administrator, see Preparing users and groups.
About this task
- Always specify one group to be the FileNet P8 domain administrators and a different group for the object store administrators. Using groups ensures that the FileNet P8 domain and object store remain accessible if the group is modified to include and exclude users without requiring direct modification of the FileNet P8 domain.
- The value that you specify for the appLoginUsername must be an existing directory services user that you want for the FileNet P8 domain administrator role. If you initialize object stores through a scripted method, the appLoginUsername is automatically assigned to also be an object store administrator. This ensures that if the appLoginUsername is not a member of the specified object store administrators group, subsequent ecm_initialization actions to create object store objects (such as Advanced Storage Devices) will not fail.
- If the CR is generated by using the prerequisites script, the user account that is provided for the FileNet appLoginUser is automatically placed in the list for the oc_cpe_obj_store_admin_user_group parameter. This list should be augmented to also include at least one group to act as object store administrators.
- The ldapUsername, ldapPassword, externalLdapUsername, and externalLdapPassword are included in ldap_configuration.lc_bind_secret and ext_ldap_configuration.lc_bind_secret.
- The keystorePassword must be at least 16 characters when FIPS is enabled.
- All of the PostgreSQL DBPassword must be at least 16 characters when FIPS is enabled.
kubectl create secret generic ibm-fncm-secret \
--from-literal=gcdDBUsername="db2inst1" \
--from-literal=gcdDBPassword="xxxxxxxx" \
--from-literal=chDBUsername="db2inst1" \
--from-literal=chDBPassword="xxxxxxxx" \
--from-literal=bawtosDBUsername="db2inst1" \
--from-literal=bawtosDBPassword="xxxxxxxx" \
--from-literal=bawdosDBUsername="db2inst1" \
--from-literal=bawdosDBPassword="xxxxxxxx" \
--from-literal=bawdocsDBUsername="db2inst1" \
--from-literal=bawdocsDBPassword="xxxxxxxx" \
--from-literal=aeosDBUsername="db2inst1" \
--from-literal=aeosDBPassword="xxxxxxxx" \
--from-literal=appLoginUsername="filenet_admin" \
--from-literal=appLoginPassword="xxxxxxxx" \
--from-literal=keystorePassword="xxxxx" \
--from-literal=ltpaPassword="xxxxxx"
The characters $, \, *, =, and ! are interpreted by your shell, and therefore need escaping. In most shells, the simplest way to escape a password is to surround it with single quotation marks ('). For example, if your password is S!B\*d$zDsb= then use single quotation marks around the password string:
--from-literal=password='S!B\*d$zDsb='
You do not need to escape special characters in passwords from files (--from-file). For more information, see Managing Secrets.
The secret that you create, ibm-fncm-secret, is the value for the parameter fncm_secret_name.
If you have multiple object store data sources with different login credentials, you can use the dc_os_label parameter to differentiate your object store credentials in the secret. Assign a label for each object store, specify the label in the CR YAML for each data source by using the dc_os_label parameter, and add the label value to your credential specification in the secret.
For example, suppose that you have two object store data sources, FNOS1DS and FNOS2DS. In the YAML, you specify the following values, including values for the dc_os_label parameter that are specific to each data source:
dc_os_datasources:
- dc_database_type: "db2"
  dc_os_label: "os1"
  dc_common_os_datasource_name: "FNOS1DS"
  dc_common_os_xa_datasource_name: "FNOS1DSXA"
  database_servername: "server_name"
  database_name: "database_name"
  database_port: "50000"
- dc_database_type: "db2"
  dc_os_label: "os2"
  dc_common_os_datasource_name: "FNOS2DS"
  dc_common_os_xa_datasource_name: "FNOS2DSXA"
  database_servername: "server_name"
  database_name: "database2_name"
  database_port: "50000"
In the secret, each label prefixes the DBUsername and DBPassword keys for its data source:
--from-literal=os1DBUsername="db2inst1" \
--from-literal=os1DBPassword="password1" \
--from-literal=os2DBUsername="db2inst2" \
--from-literal=os2DBPassword="{xor}password2"
This example uses two data sources, but you can use the dc_os_label parameter for multiple other data sources.
For the Document Processing pattern, the two dc_os_label values devos1 and aeos are set by the pattern deployment and must be included in the ibm-fncm-secret.
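The following script is an added example and is not part of the IBM documentation or the operator's tooling. It pulls together the two checks a practitioner wants before running the kubectl command above: that every *DBPassword and the keystorePassword meet the 16-character minimum when FIPS is enabled, and that each dc_os_label value has a matching pair of <label>DBUsername and <label>DBPassword keys in the secret. Instead of calling kubectl (no cluster is assumed), it writes an equivalent Secret manifest locally with base64-encoded data, so the key names and quoting can be inspected before apply; the credential values and the FIPS_ENABLED variable are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code: build an ibm-fncm-secret manifest locally,
# enforce the FIPS length rule from the page, and derive per-object-store keys
# from dc_os_label values. Assumes POSIX sh and coreutils base64; no kubectl.

FIPS_ENABLED="${FIPS_ENABLED:-true}"   # assumption: FIPS on unless overridden

# check_password_length KEY VALUE
# Returns 0 when VALUE satisfies the page's rule: keystorePassword and every
# *DBPassword must be at least 16 characters when FIPS is enabled.
check_password_length() {
  key=$1; value=$2
  [ "$FIPS_ENABLED" = "true" ] || return 0
  case "$key" in
    keystorePassword|*DBPassword) [ "${#value}" -ge 16 ] ;;
    *) return 0 ;;
  esac
}

# os_label_keys LABEL...
# Prints, one per line, the secret keys that each dc_os_label value requires.
os_label_keys() {
  for label in "$@"; do
    printf '%sDBUsername\n%sDBPassword\n' "$label" "$label"
  done
}

# secret_manifest NAME KEY=VALUE...
# Validates every value first, then emits an Opaque Secret manifest with
# base64-encoded data. Values may contain '=' because only the first '='
# separates key from value. Single-quote the pairs when typing them so that
# $, \, *, = and ! reach this function unchanged.
secret_manifest() {
  name=$1; shift
  for pair in "$@"; do
    key=${pair%%=*}; value=${pair#*=}
    if ! check_password_length "$key" "$value"; then
      echo "error: $key must be at least 16 characters when FIPS is enabled" >&2
      return 1
    fi
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    key=${pair%%=*}; value=${pair#*=}
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf '  %s: %s\n' "$key" "$encoded"
  done
}

# manifest_has_os_keys MANIFEST LABEL...
# Returns 0 only if the manifest carries both keys for every label given.
manifest_has_os_keys() {
  manifest=$1; shift
  for key in $(os_label_keys "$@"); do
    printf '%s\n' "$manifest" | grep -q "^  $key: " || return 1
  done
}

# Demo with constructed placeholder credentials (not real values).
demo_manifest=$(secret_manifest ibm-fncm-secret \
  'gcdDBUsername=db2inst1' \
  'gcdDBPassword=Xy7!pQ2#wE9$rT4&uI6*' \
  'os1DBUsername=db2inst1' \
  'os1DBPassword=Os1!Pass#2024word42' \
  'appLoginUsername=filenet_admin' \
  'appLoginPassword=S!B\*d$zDsb=' \
  'keystorePassword=K3ystoreP4ss!2024abc' \
  'ltpaPassword=ltpa-placeholder')
printf '%s\n' "$demo_manifest"
manifest_has_os_keys "$demo_manifest" os1 && echo "os1 keys present"
```

To turn the manifest into the real secret, pipe it to kubectl apply -f - once the values are the production ones; the kubectl create secret command from the page produces the same object. Running manifest_has_os_keys with every dc_os_label value from the CR YAML (and, for the Document Processing pattern, devos1 and aeos) catches a mislabelled credential before the operator reports a failed data source connection.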
What to do next
To set up or configure storage to prepare for the container configuration and deployment, see Configuring storage for the content services environment.