Credential encryption

The Content Platform Engine requires user credentials (a user name and a password) for a variety of purposes, including access to external services and devices.

The password component of these credentials is stored in encrypted form. It is encrypted with an AES algorithm under a master key that is generated when the domain is created. For releases up to and including V5.5.1, that key is always 128 bits long. Starting with the V5.5.2 release you can choose a 256-bit key length instead.

The master key is normally stored within the Global Configuration Database (GCD), the same database that holds the encrypted passwords, so anyone who can read both the GCD and the key can recover those passwords; access to the GCD must therefore be tightly controlled. Starting with the V5.5.2 release you can instead store the master key and other encryption keys in an external key store that is managed by a KMIP-compliant service, which keeps the key separate from the data it protects. See Using external key management.

The passwords for the following sets of credentials are encrypted in this manner:
  • The password for the System User (previously known as the bootstrap user).
  • The password for the directory service user (cpe_service_user) for each Directory Configuration.
  • The Image Services password that is used for CFS content federation.
  • The CFS-IBM Content Integrator password that is used for CFS content federation.
  • The IBM Spectrum Protect password.
  • Third-party fixed storage device credentials (Centera (deprecated), Snaplock).
  • The Content Manager OnDemand password that is used for CFS content federation.
  • The password for an S3 or OpenStack advanced storage device.
  • The password, if one is set, for published PDF documents.
Tip: You can view and modify all of these IDs and passwords in Administration Console for Content Platform Engine.

Any attempt to retrieve these password fields through any public API returns zero-length binary data. As a result, the password field has a null value whenever an object that contains one is exported, and you must reset the password before you can use the imported object.
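The following Go program is an added example that models the behaviour this page describes; it is not code from IBM or from the Content Platform Engine product. It covers the master key generated at domain creation in one of the two supported lengths (128 or 256 bits), password encryption under that key, the public-API view that returns zero-length data, and the export/import cycle that leaves the password null until it is reset. The use of AES-GCM with a per-password random nonce, the binding of the credential name as associated data, and the names Domain, Credential, SetPassword, InternalPassword, PublicPassword, Export and Import are assumptions made for illustration; the page says only that an AES algorithm is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain holds one domain's master key. In Content Platform Engine the key is
// generated once, when the domain is created, and kept in the GCD (or, from
// V5.5.2, in an external KMIP key store); here it simply lives in memory.
type Domain struct {
	masterKey []byte
	aead      cipher.AEAD
	creds     map[string]*Credential
}

// Credential keeps only the ciphertext of the password, never the plaintext.
type Credential struct {
	UserName   string
	ciphertext []byte // nonce || AES-GCM ciphertext+tag; nil after an import
}

// NewDomain generates the master key. Only the two lengths the page names are
// accepted: 128 bits (all releases) and 256 bits (selectable from V5.5.2).
func NewDomain(keyBits int) (*Domain, error) {
	if keyBits != 128 && keyBits != 256 {
		return nil, fmt.Errorf("unsupported master key length: %d bits", keyBits)
	}
	key := make([]byte, keyBits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Domain{masterKey: key, aead: g, creds: map[string]*Credential{}}, nil
}

// KeyBits reports the master key length that was fixed at domain creation.
func (d *Domain) KeyBits() int { return len(d.masterKey) * 8 }

// SetPassword encrypts a password under the master key. AES-GCM with a fresh
// random nonce is an assumption made here; the page only says "AES".
func (d *Domain) SetPassword(name, user, password string) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The credential name is bound as associated data, so a ciphertext cannot
	// be moved from one credential slot to another without detection.
	ct := d.aead.Seal(nonce, nonce, []byte(password), []byte(name))
	d.creds[name] = &Credential{UserName: user, ciphertext: ct}
	return nil
}

// InternalPassword is the engine's own view: it decrypts the stored value so
// the engine can authenticate to the external service.
func (d *Domain) InternalPassword(name string) (string, error) {
	c, ok := d.creds[name]
	if !ok {
		return "", errors.New("no such credential")
	}
	if c.ciphertext == nil {
		return "", errors.New("password is null; reset it after import")
	}
	n := d.aead.NonceSize()
	pt, err := d.aead.Open(nil, c.ciphertext[:n], c.ciphertext[n:], []byte(name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// PublicPassword is the public-API view: zero-length binary data, always.
func (d *Domain) PublicPassword(name string) []byte { return []byte{} }

// Export is what a public-API export carries: user name kept, password null.
func (d *Domain) Export(name string) map[string]interface{} {
	c, ok := d.creds[name]
	if !ok {
		return nil
	}
	return map[string]interface{}{"userName": c.UserName, "password": nil}
}

// Import loads an exported credential; it is unusable until SetPassword runs.
func (d *Domain) Import(name string, exported map[string]interface{}) {
	user, _ := exported["userName"].(string)
	d.creds[name] = &Credential{UserName: user, ciphertext: nil}
}
```

The point of the model is the asymmetry between the two views: InternalPassword can decrypt because the engine holds the master key, while PublicPassword never returns the ciphertext, let alone the plaintext, so an export made through the public API carries no password and an imported credential fails until SetPassword is called on the target domain.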