Creating secrets to protect sensitive IBM FileNet Content Manager configuration data

Before you install IBM FileNet® Content Manager, create secrets manually to protect the configuration data you are going to enter.

Before you begin

Before you prepare your ibm-fncm-secret, review the requirements for the user credentials that the secret passes to the operator.

About this task

Before you deploy, you must create a secret for the security details of the directory service providers and data sources that you configured in preparation for use with FileNet Content Manager. Collect the following required users and passwords to add to the secret. When you add your values, note the following points:
  • Always specify one group to be the FileNet P8 domain administrators and a different group to be the object store administrators. Because membership of a group can be changed to add or remove users without modifying the FileNet P8 domain or the object store, using groups keeps both accessible as administrators come and go.
  • The value that you specify for appLoginUsername must be an existing directory services user that you want in the FileNet P8 domain administrator role. If you initialize object stores through a scripted method, the appLoginUsername is automatically assigned as an object store administrator as well, so subsequent ecm_initialization actions that create object store objects (such as Advanced Storage Devices) do not fail when that user is not a member of the specified object store administrators group.
  • If the CR is generated by using the prerequisites script, the user account that is provided for the FileNet appLoginUser is automatically placed in the list for the oc_cpe_obj_store_admin_user_group parameter. Augment this list so that it also includes at least one group to act as object store administrators.
  • The ldapUsername, ldapPassword, externalLdapUsername, and externalLdapPassword values are supplied through the secrets that ldap_configuration.lc_bind_secret and ext_ldap_configuration.lc_bind_secret reference.
  • The keystorePassword must be at least 16 characters when FIPS is enabled.
  • Every DBPassword value for a PostgreSQL database must be at least 16 characters when FIPS is enabled.
Using your values, run the following command:
kubectl create secret generic ibm-fncm-secret \
--from-literal=gcdDBUsername="db2inst1" \
--from-literal=gcdDBPassword="xxxxxxxx" \
--from-literal=chDBUsername="db2inst1" \
--from-literal=chDBPassword="xxxxxxxx" \
--from-literal=bawtosDBUsername="db2inst1" \
--from-literal=bawtosDBPassword="xxxxxxxx" \
--from-literal=bawdosDBUsername="db2inst1" \
--from-literal=bawdosDBPassword="xxxxxxxx" \
--from-literal=bawdocsDBUsername="db2inst1" \
--from-literal=bawdocsDBPassword="xxxxxxxx" \
--from-literal=aeosDBUsername="db2inst1" \
--from-literal=aeosDBPassword="xxxxxxxx" \
--from-literal=appLoginUsername="filenet_admin" \
--from-literal=appLoginPassword="xxxxxxxx" \
--from-literal=keystorePassword="xxxxx" \
--from-literal=ltpaPassword="xxxxxx"
Note: When you create secrets, special characters such as $, \, *, =, and ! are interpreted by your shell, and therefore need escaping. In most shells, the simplest way to escape a password is to surround it with single quotation marks ('). For example, if your password is S!B\*d$zDsb= then use single quotation marks around the password string:
--from-literal=password='S!B\*d$zDsb='

You do not need to escape special characters in passwords that are read from files (--from-file). Values that are passed with --from-literal are also written to your shell history and are visible in the process list while the command runs; reading them from files avoids both. For more information, see Managing Secrets.

The secret that you create, ibm-fncm-secret, is the value for the parameter fncm_secret_name.

If you have multiple object store data sources with different login credentials, you can use the dc_os_label parameter to differentiate your object store credentials in the secret. Assign a label for each object store, specify the label in the CR YAML for each data source by using the dc_os_label parameter, and add the label value to your credential specification in the secret.

For example, you have two object store data sources, FNOS1DS and FNOS2DS. In the YAML, you specify the following values, including values for the dc_os_label parameter that are specific to each data source:
dc_os_datasources:
    - dc_database_type: "db2"
      dc_os_label: "os1"
      dc_common_os_datasource_name: "FNOS1DS"
      dc_common_os_xa_datasource_name: "FNOS1DSXA"
      database_servername: "server_name"
      database_name: "database_name"
      database_port: "50000"
    - dc_database_type: "db2"
      dc_os_label: "os2"
      dc_common_os_datasource_name: "FNOS2DS"
      dc_common_os_xa_datasource_name: "FNOS2DSXA"
      database_servername: "server_name"
      database_name: "database2_name"
      database_port: "50000"
When you create the secret, you add the label value (os1 and os2) to your username and password credentials:
--from-literal=os1DBUsername="db2inst1" \
--from-literal=os1DBPassword="password1" \
--from-literal=os2DBUsername="db2inst2" \
--from-literal=os2DBPassword="{xor}password2"

This example uses two data sources, but you can use the dc_os_label parameter in the same way for any number of object store data sources.

For the Document Processing pattern, the two dc_os_label values devos1 and aeos are set by the pattern deployment and must be included in the ibm-fncm-secret.
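
The following script is an added example and is not part of the IBM documentation or the FileNet operator. It covers both procedures above: it builds ibm-fncm-secret as a manifest (so passwords are base64-encoded in a file or a pipe rather than passed as shell arguments, which removes the escaping problem and keeps them out of shell history) and, before anything reaches the cluster, checks the secret against the rules on this page: the required login, keystore and LTPA keys are present, every dc_os_label in the CR has a matching <label>DBUsername and <label>DBPassword, and the 16-character minimum applies to keystorePassword and, for PostgreSQL, to every DBPassword when FIPS is enabled. The function names, the fips_enabled and db_type switches, the label regex, and the sample CR fragment and credential values are this example's own assumptions and constructed data, not IBM parameters.

```python
# Added example, not part of the IBM documentation or the FileNet operator:
# render ibm-fncm-secret as a manifest and check it against the rules on the
# page before it is applied. Function names, the fips_enabled/db_type switches
# and the sample values below are this example's own assumptions.
import base64
import re

FIPS_MIN_LEN = 16  # page: keystorePassword and PostgreSQL DBPassword minimum when FIPS is enabled
REQUIRED_KEYS = ("appLoginUsername", "appLoginPassword", "keystorePassword", "ltpaPassword")
_LABEL_RE = re.compile(r'dc_os_label:\s*"?([^"\s]+)"?')  # quoted or bare label values


def object_store_labels(cr_yaml):
    """Return every dc_os_label value found in the CR text, in document order."""
    return _LABEL_RE.findall(cr_yaml)


def validate(creds, labels, fips_enabled=False, db_type="db2"):
    """Return the list of rule violations; an empty list means the secret is consistent.

    creds:  secret key -> value, e.g. {"gcdDBUsername": "db2inst1", ...}
    labels: dc_os_label values; each needs <label>DBUsername and <label>DBPassword
    """
    problems = []
    for key in REQUIRED_KEYS:
        if not creds.get(key):
            problems.append(f"{key} is missing or empty")
    for label in labels:
        for suffix in ("DBUsername", "DBPassword"):
            if not creds.get(label + suffix):
                problems.append(f"dc_os_label {label!r}: no {label}{suffix} entry in the secret")
    if fips_enabled:
        if len(creds.get("keystorePassword", "")) < FIPS_MIN_LEN:
            problems.append(f"keystorePassword: shorter than {FIPS_MIN_LEN} characters with FIPS enabled")
        if db_type == "postgresql":  # the page states the DBPassword length rule for PostgreSQL only
            for key, value in creds.items():
                if key.endswith("DBPassword") and len(value) < FIPS_MIN_LEN:
                    problems.append(f"{key}: shorter than {FIPS_MIN_LEN} characters (PostgreSQL with FIPS)")
    return problems


def secret_manifest(creds, name="ibm-fncm-secret", namespace=None):
    """Render an Opaque Secret. Values are base64-encoded, so characters such as
    $ \\ * = ! pass through unchanged and never appear on a command line."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}"]
    if namespace:
        lines.append(f"  namespace: {namespace}")
    lines += ["type: Opaque", "data:"]
    for key in sorted(creds):
        lines.append(f"  {key}: {base64.b64encode(creds[key].encode()).decode()}")
    return "\n".join(lines) + "\n"


def decode_data(manifest):
    """Decode the data: section of a manifest made by secret_manifest (round-trip check)."""
    out, in_data = {}, False
    for line in manifest.splitlines():
        if line == "data:":
            in_data = True
        elif in_data and line.startswith("  "):
            key, _, b64 = line.strip().partition(": ")
            out[key] = base64.b64decode(b64).decode()
    return out


# Constructed sample input (not real credentials): a CR fragment with two labelled
# object stores, and a credential set that matches it.
SAMPLE_CR = """\
dc_os_datasources:
    - dc_database_type: "db2"
      dc_os_label: "os1"
      dc_common_os_datasource_name: "FNOS1DS"
    - dc_database_type: "db2"
      dc_os_label: "os2"
      dc_common_os_datasource_name: "FNOS2DS"
"""
SAMPLE_CREDS = {
    "gcdDBUsername": "db2inst1", "gcdDBPassword": "gcd-Example-Pass-01",
    "os1DBUsername": "db2inst1", "os1DBPassword": "os1-Example-Pass-01",
    "os2DBUsername": "db2inst2", "os2DBPassword": "os2-Example-Pass-01",
    "appLoginUsername": "filenet_admin", "appLoginPassword": "S!B\\*d$zDsb=example",
    "keystorePassword": "Keystore-Example-001", "ltpaPassword": "Ltpa-Example-001",
}

if __name__ == "__main__":
    import sys
    labels = object_store_labels(SAMPLE_CR)
    problems = validate(SAMPLE_CREDS, labels, fips_enabled=True)
    if problems:
        sys.exit("\n".join(problems))            # stop before anything reaches the cluster
    sys.stdout.write(secret_manifest(SAMPLE_CREDS))  # pipe into: kubectl apply -f -
```

Run it as `python3 make_fncm_secret.py | kubectl apply -n <namespace> -f -` so the manifest never lands on disk; in practice, replace SAMPLE_CR with the CR YAML you are about to apply and SAMPLE_CREDS with values read from a secure store. The validator deliberately reports every violation rather than stopping at the first, so a deployment with several labelled object stores can be fixed in one pass.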

What to do next

To set up or configure storage to prepare for the container configuration and deployment, see Configuring storage for the content services environment.