Content Platform Engine, Version 5.2.1

Content Platform Engine bootstrap account

An account that Content Platform Engine uses to establish a connection with the application server, access the application server's JNDI tree, look up the data sources for accessing the GCD, and start up Content Platform Engine background tasks.

Content Platform Engine bootstrap account
Unique identifier: cpe_bootstrap_admin
Description
The cpe_bootstrap_admin, also known as the Content Platform Engine system user, is an account that is stored in the CEMPBoot.properties file that is archived in the Content Platform Engine EAR file. You enter the bootstrap account's credentials while running the Configuration Manager's Configure Bootstrap Properties task. Any deployments of the EAR file for the same FileNet P8 domain must use the same credentials for the bootstrap account.

Content Platform Engine uses this account to authenticate to the application server and to access the data sources named in the GCDConnection property. If this user cannot authenticate, Content Platform Engine cannot start.

In keeping with the principle of granting an account only those permissions necessary to accomplish its purpose, do not use the cpe_bootstrap_admin account in the role of gcd_admin. This can happen if you log in as cpe_bootstrap_admin the first time you start IBM® Administration Console for Content Platform Engine following initial installation. Doing so places cpe_bootstrap_admin on the security tab of the FileNet P8 domain object with Full Control access rights, so that cpe_bootstrap_admin is in effect functioning as the gcd_admin. This is not a recommended configuration. If it is your configuration, consider using IBM Administration Console for Content Platform Engine to add a new gcd_admin account to the security of the FileNet P8 domain object, making sure to grant it Full Control to the P8 domain, and then removing cpe_bootstrap_admin from the security tab of the P8 domain.

To make sure it is not misused or locked out by accident, do not use cpe_bootstrap_admin as an all-purpose account. For example, if a user tries to log on to some other application with the cpe_bootstrap_admin account and provides the wrong password several times, exceeding the number of allowable login failures, the directory server could lock the account out, depending on your local policies. Content Platform Engine would then be unable to start.

If possible, exempt cpe_bootstrap_admin from policies requiring periodic password change.

If you change your system's login parameters so that the cpe_bootstrap_admin credentials are no longer valid, Content Platform Engine will not be able to start. For example, if you modify the User Short Name Attribute or User Search Filter from samAccountName to distinguishedName, both in the application server's authentication provider and in the IBM Administration Console for Content Platform Engine P8 Domain Properties > Modify Directory Configuration > User property sheet, you must also use the Configuration Manager bootstrap task to make the same change in the Content Platform Engine EAR file.

Restriction: If you are deploying Content Platform Engine on an application server with federated user repositories and with multiple realms in your FileNet® P8 domain, be sure that no two realms contain the same short name for this user; otherwise, this user will not be able to authenticate.
Minimum required permissions

The account must be a directory server account that resides in the realm that has been configured for Content Platform Engine authentication.

An exception to this rule applies if you are using IBM virtual member manager: the bootstrap account must then reside in the repository that virtual member manager uses, that is, in the file-based repository if your repository is file-based, or in the custom repository if your repository is a custom repository.

If your application server is WebSphere® Application Server and your database is DB2® for z/OS®, the account used for cpe_bootstrap_admin must be a member of at least the WebSphere Monitor role. This is required because Content Platform Engine must add custom properties to the data sources, and the Monitor role is the minimum privilege required to read data source properties.

If you are using WebSphere Application Server security domains, see "Security planning considerations" for additional requirements for cpe_bootstrap_admin.


Last updated: October 2015

© Copyright IBM Corporation 2015.