[Version 5.0.2 and later] Selecting a user registry

Information about users and groups reside in a user registry. In WebSphere Application Server, a user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

WebSphere Application Server for z/OS supports operating-system-based user registries (the z/OS SAF registry) and most of the major Lightweight Directory Access Protocol (LDAP)-based user registries. You can use the custom LDAP feature to support any LDAP server by setting up the correct configuration (user and group filters). However, support is not extended to these custom LDAP servers because there are too many possible server configurations to test.

In addition to Local OS and LDAP registries, WebSphere Application Server also provides a plug-in point for any other registry through the custom user registry feature. The custom user registry feature allows the configuration of any user registry that is not offered through the security configuration panels of WebSphere Application Server. Any registry can be connected by implementing the UserRegistry interface. This interface is useful where the current user and group information exists in some other form (for example, a database) and cannot be moved to Local OS or LDAP. In such a case, implement the UserRegistry interface so that WebSphere Application Server can use the existing registry for all security-related operations. Implementing a custom user registry is a software development effort, and the implementation is expected not to depend on other WebSphere Application Server resources, for example, data sources, for its operation.
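The following is an added, self-contained model of the work a custom user registry has to do: authenticate a user and answer user and group queries from a store that WebSphere Application Server does not know about (here, two constructed text files in the name:fields style of a properties-file registry). It is example code written for this page, not IBM's UserRegistry interface or its sample registry; the method names (check_password, get_groups_for_user, and so on) only mirror the operations the text describes, and the file format, user names, passwords and group ids are all constructed. It keeps to the rule above of depending on nothing but its own store, and it shows two points a registry author has to get right: passwords are stored as salted PBKDF2 hashes rather than clear text, and an unknown user fails in the same way and at the same cost as a wrong password.

```python
"""Constructed file-backed user registry model (not the WebSphere UserRegistry API)."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: a work factor chosen for this example


class PasswordCheckFailed(Exception):
    """One exception and one message for a bad password or an unknown user."""


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as salthex$digesthex; no clear text is kept."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def build_users_props(entries):
    """Render constructed users lines: name:hash:uid:gid,gid:display name."""
    lines = ["# name:hash:uid:gids:display name  (constructed sample)"]
    for name, password, uid, gids, display in entries:
        fields = [name, hash_password(password, os.urandom(16)), str(uid), ",".join(gids), display]
        lines.append(":".join(fields))
    return "\n".join(lines) + "\n"


class FileRegistry:
    """Answers the authentication and user/group lookups a registry plug-in must provide."""

    def __init__(self, users_props: str, groups_props: str):
        self.users = {}   # name -> {"hash", "uid", "gids", "display"}
        self.groups = {}  # name -> {"gid", "display"}
        for line in users_props.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, pw_hash, uid, gids, display = line.split(":", 4)
            self.users[name] = {"hash": pw_hash, "uid": uid,
                                "gids": [g for g in gids.split(",") if g], "display": display}
        for line in groups_props.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, gid, display = line.split(":", 2)
            self.groups[name] = {"gid": gid, "display": display}
        self._gid_to_group = {rec["gid"]: name for name, rec in self.groups.items()}
        # Hash checked for unknown users so they cost the same as a wrong password.
        self._dummy_hash = hash_password("unused", os.urandom(16))

    def check_password(self, name: str, password: str) -> str:
        """Return the user's security name on success; raise PasswordCheckFailed otherwise."""
        record = self.users.get(name)
        stored = record["hash"] if record else self._dummy_hash
        salt_hex, _ = stored.split("$", 1)
        candidate = hash_password(password, bytes.fromhex(salt_hex))
        matched = hmac.compare_digest(candidate, stored)  # constant-time comparison
        if record is None or not matched:
            raise PasswordCheckFailed("authentication failed")
        return name

    def is_valid_user(self, name: str) -> bool:
        return name in self.users

    def get_unique_user_id(self, name: str) -> str:
        return self.users[name]["uid"]

    def get_user_display_name(self, name: str) -> str:
        return self.users[name]["display"]

    def get_groups_for_user(self, name: str) -> list:
        """Group security names for a user, in the order the store lists the gids."""
        return [self._gid_to_group[g] for g in self.users[name]["gids"] if g in self._gid_to_group]

    def get_users_for_group(self, group: str) -> list:
        gid = self.groups[group]["gid"]
        return sorted(user for user, rec in self.users.items() if gid in rec["gids"])


# Constructed sample store: two users, two groups.
SAMPLE_USERS = [
    ("alice", "s3cret-pw", 101, ["201", "202"], "Alice Example"),
    ("bob", "b0b-pw", 102, ["202"], "Bob Example"),
]
SAMPLE_GROUPS_PROPS = "# name:gid:display name  (constructed sample)\nadmins:201:Administrators\nstaff:202:Staff\n"


def load_sample_registry() -> FileRegistry:
    return FileRegistry(build_users_props(SAMPLE_USERS), SAMPLE_GROUPS_PROPS)


if __name__ == "__main__":
    reg = load_sample_registry()
    print(reg.check_password("alice", "s3cret-pw"), reg.get_groups_for_user("alice"))
```

The registry reads only its own two files, so it meets the expectation that a custom registry does not rely on application server resources such as data sources. The single PasswordCheckFailed exception means the caller learns nothing about whether the user name or the password was wrong.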

Before configuring the user registry, decide which registry to use. The choices are the registry types described above: the Local OS (z/OS SAF) registry, an LDAP registry, or a custom user registry.

Though different types of user registries are supported, only a single user registry can be active at one time, and all processes in WebSphere Application Server share that one active registry. Configuring the correct registry is a prerequisite to assigning users and groups to roles for applications. This is usually done as part of enabling global security. After configuring the registry, restart the servers and assign users and groups to roles for all your applications.

[5.0 only] [Version 5.0.1] Note: (PQ81586) You can only use non-local OS registries such as LDAP or custom user registries to authenticate and authorize clients using Web applications. Enterprise JavaBeans (EJB) files that are part of the same application, deployed in the same J2EE server, and allocated with the Web application that triggered the client authentication and authorization can be accessed using the identity defined in the LDAP or custom user registry. Attempts to access remote EJBs propagate the identity from the LDAP or custom user registry downstream. When you use LDAP and custom registries, the Remote Method Invocation (RMI) connector cannot be configured to process administrative requests. Refer to User registries for more information.


Related concepts
User registries
Selecting an authentication mechanism
Related tasks
Managing security
Related reference
Example: Custom user registries



Searchable topic ID:   csecselectreg
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_selectreg.html
