Functional accounts
There is a series of endpoints that aren't associated with regular user IDs:
- Management console (Port 8889)
- Metrics endpoint (Port 8890)
- Health check (Port 8886)
Tip
You can also configure access to Health check (Port 8886) using the following environment parameters:
- HEALTHCHECK_USER
- HEALTHCHECK_PASSWORD
To enable access to these endpoints, you need functional accounts. The same applies to the use of KEEP in a local context when running on a client.
There are many reasons to keep these users separate from your enterprise directory:
- They need to be available when the directory isn't available.
- They don't need access to regular endpoints.
Note
Functional account names must be entered verbatim. Domino REST API doesn't accept the name variations that you would expect in a Domino login.
For information on setting up a functional account, see Set up a functional account.
Functional users configuration file
Create a file functionalUsers.json in the directory [NotesData]/keepconfig.d. Add the following JSON structure:
{
  "identity": {
    "healthcheckAPI": {},
    "managementAPI": {},
    "metricsAPI": {},
    "singleDbModeUsers": {}
  }
}
In each of the sections you specify a user object in the same way:
Example 1
{
  "metrics": {
    "active": true,
    "secret": "13549ED65AD8760294B9DC898C44F8ABEED399ABB1CA7DC51E8CCFF461D56D13:32BDC8A5DF60FCE424299543DFFF408F500DB1B1EEC4FAB848AA0ED794F5D89AA65A5449EC36BF9CBF53980E4B7DF2B3A3581186E409F5B69BC0C16E51237CC8"
  }
}
Example 2
{
  "John Doe": {
    "active": true,
    "CN": "CN=John Doe/O=Mauraders",
    "secret": "E4B321EBA91B7F92D9BF5EAFA5322824FEC2287B8A6C133D7C31EFB706A2BA30:1A57478185E7AF3A98F01ECA08F0BA881DBC88BEC60AE8C6F1B1CC5CC55C11A20F676E082BF2D28BB96DB5A8CFB091C767C035B380DB4CBC7D1001EA8BE01663"
  }
}
Key | Purpose |
---|---|
JSON key | UserId for authentication, case sensitive, no variations. In the examples, metrics and John Doe are JSON keys. You can use other values for the JSON key. |
active | true/false to temporarily disable an account. |
CN | Optional: Common name in X500 format. When defined, the name is for display only. You still need to login using the JSON key as your username. |
secret | Salted and encrypted password. |
Obtain salted passwords
The management endpoint (Port 8889) includes, among other things, a utility function to salt and encrypt passwords. To access the management endpoint, you need to have a salted password already. To solve this, create a file tempmanagement.json in your keepconfig.d directory and copy in the following content:
{
  "identity": {
    "managementAPI": {
      "Doctor Notes": {
        "active": true,
        "secret": "E4B321EBA91B7F92D9BF5EAFA5322824FEC2287B8A6C133D7C31EFB706A2BA30:1A57478185E7AF3A98F01ECA08F0BA881DBC88BEC60AE8C6F1B1CC5CC55C11A20F676E082BF2D28BB96DB5A8CFB091C767C035B380DB4CBC7D1001EA8BE01663"
      }
    }
  }
}
This creates the user "Doctor Notes" with the password "password" to access the management console.
Tip
Don't leave default passwords in your system.
When you are done creating new salted passwords, securely back up tempmanagement.json to prevent unauthorized access, and then restart Domino REST API.
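One way to check a keepconfig.d file for the sample secret shown above before restarting, as an added example that is not part of the product documentation. The function name `audit_functional_users`, the `probe` user and the sample input are constructed, and the check assumes that a valid secret has the same shape as the samples on this page (two hex fields joined by a colon).

```python
import json
import re

# Sample secret from this page; the page states it corresponds to the password "password".
DOCUMENTED_SECRET = (
    "E4B321EBA91B7F92D9BF5EAFA5322824FEC2287B8A6C133D7C31EFB706A2BA30:"
    "1A57478185E7AF3A98F01ECA08F0BA881DBC88BEC60AE8C6F1B1CC5CC55C11A2"
    "0F676E082BF2D28BB96DB5A8CFB091C767C035B380DB4CBC7D1001EA8BE01663"
)
# The four sections of the "identity" object described on this page.
SECTIONS = ("healthcheckAPI", "managementAPI", "metricsAPI", "singleDbModeUsers")
# Assumption: a valid secret looks like the page's samples, two hex fields joined by ":".
SECRET_SHAPE = re.compile(r"[0-9A-Fa-f]+:[0-9A-Fa-f]+")


def audit_functional_users(text):
    """Return (section, user_id, issue) tuples for one keepconfig.d JSON document."""
    findings = []
    identity = json.loads(text).get("identity", {})
    for section in SECTIONS:
        for user_id, user in identity.get(section, {}).items():
            secret = str(user.get("secret", ""))
            # "active" is documented as true/false; anything else is a config error.
            if not isinstance(user.get("active"), bool):
                findings.append((section, user_id, "active is not true/false"))
            # A plaintext or truncated value will not match the sample shape.
            if not SECRET_SHAPE.fullmatch(secret):
                findings.append((section, user_id, "secret is not in salted format"))
            elif secret.upper() == DOCUMENTED_SECRET:
                state = "active" if user.get("active") is True else "inactive"
                findings.append((section, user_id, f"documented default secret ({state})"))
    return findings


# Constructed sample input, not a real server configuration.
SAMPLE = json.dumps({
    "identity": {
        "managementAPI": {"Doctor Notes": {"active": True, "secret": DOCUMENTED_SECRET}},
        "metricsAPI": {"metrics": {"active": True, "secret": "AB" * 32 + ":" + "CD" * 64}},
        "healthcheckAPI": {"probe": {"active": "yes", "secret": "changeme"}},
        "singleDbModeUsers": {},
    }
})

if __name__ == "__main__":
    for finding in audit_functional_users(SAMPLE):
        print(*finding, sep=" | ")
```

To audit a server, pass the contents of each JSON file in keepconfig.d to the function and treat any "documented default secret" finding as a blocker.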