Configure a user registry. For more information, see Configuring user registries. You can configure a local OS, Lightweight Directory Access Protocol (LDAP), or custom user registry through the links under User registry on the Global security panel. One of the details common to all user registries is the server user ID. This ID is a member of the chosen user registry, but also has special privileges in WebSphere Application Server. The privileges for this ID and the privileges that are associated with the administrative role ID are the same. The server user ID can access all the protected administrative methods.
The ID must not be the same as the machine name of your system, because the user registry sometimes returns machine-specific information when querying a user of the same name.
In LDAP user registries, verify that the server user ID is a member of the user registry and not just the LDAP administrative role ID. The entry must be searchable.
The server user ID does not run WebSphere Application Server processes. Rather, the process ID runs the WebSphere Application Server processes.
The process ID is determined by the way the process starts. For example, if you use a command line to start processes, the user ID that is logged into the system is the process ID. If the process runs as a service, the process ID is the user ID that runs the service. If you choose the Local OS user registry, the process ID requires special privileges to call the operating system APIs. The process ID must have the following platform-specific privileges:
- Act as Part of Operating System privileges (Windows)
- Root privileges (UNIX platforms)
Modify the default Secure Sockets Layer (SSL) keystore and truststore files that are packaged with the product. This action protects the integrity of the messages sent across the Internet. The product provides a single location where you can specify SSL configurations that the various WebSphere Application Server features that use SSL can utilize, including the LDAP user registry, Web container and the authentication protocol (CSIv2 and SAS). Create a new keystore and truststore by referring to the Creating a keystore file and Creating truststore files articles. You can create different keystore files and truststore files for different uses, or you can create just one set for everything that the server uses SSL for. After you create these new keystore and truststore files, specify them in the SSL configuration repertoires. To get to the SSL configuration repertoires, click Security > SSL. See the article Configuring Secure Sockets Layer for more information. You can either edit the DefaultSSLConfig SSL configuration or create a new SSL configuration with a new alias name. If you create a new alias name for your new keystore and truststore files, change every location that references the DefaultSSLConfig SSL configuration alias. The following list specifies the locations where the SSL configuration repertoire aliases are used in the WebSphere Application Server configuration.
For any transports that use the new network input/output channel chains, including HTTP and Java Message Service (JMS), you can modify the SSL configuration repertoire aliases in the following locations for each server:
- Click Server > Application server > server_name. Under Communications, click Ports. Locate a transport chain where SSL is enabled and click View associated transports. Click transport_channel_name. Under Transport Channels, click SSL Inbound Channel (SSL_2).
For the Object Request Broker (ORB) SSL transports, you can modify the SSL configuration repertoire aliases in the following locations. These configurations are at the server level for WebSphere Application Server and WebSphere Application Server Express, and at the cell level for WebSphere Application Server Network Deployment.
- Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 Outbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > SAS Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > SAS Outbound Transport.
For the Simple Object Access Protocol (SOAP) Java Management Extensions (JMX) administrative transports, you can modify the SSL configuration repertoire aliases by clicking Servers > Application servers > server_name. Under Server infrastructure, click Administration > Administration services. Under Additional properties, click JMX connectors > SOAPConnector. Under Additional properties, click Custom properties. If you want to point the sslConfig property to a new alias, click sslConfig and select an alias in the Value field.
For the Lightweight Directory Access Protocol (LDAP) SSL transport, you can modify the SSL configuration repertoire aliases by clicking Security > Global security. Under User registries, click LDAP.
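As an added example that is not part of this documentation, the following Python script walks a configuration directory and reports every element that still references a given SSL configuration repertoire alias, which is a quick way to confirm that none of the locations listed above were missed after a new alias replaces DefaultSSLConfig. The sample files, their element and attribute names, and the two reference shapes it recognises (an sslConfig attribute, and a custom property named sslConfig as on the SOAPConnector) are constructed for illustration and are not the product's real configuration schema.

```python
"""Added example, not the product's code; element and attribute names are assumptions."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
OLD_ALIAS = "DefaultSSLConfig"
# Constructed sample tree modelling the two reference shapes the page names:
# an sslConfig attribute, and a custom property named sslConfig (SOAPConnector).
SAMPLE_FILES = {
    "cells/cell1/security.xml": """<security>
  <repertoire alias="DefaultSSLConfig"/>
  <repertoire alias="NewSSLConfig"/>
  <CSI><transport kind="inbound" sslConfig="DefaultSSLConfig"/>
       <transport kind="outbound" sslConfig="NewSSLConfig"/></CSI>
  <userRegistry type="LDAP" sslConfig="DefaultSSLConfig"/>
</security>""",
    "cells/cell1/nodes/node1/servers/server1/server.xml": """<server>
  <connector type="SOAPConnector"><property name="sslConfig" value="DefaultSSLConfig"/></connector>
</server>""",
}
def walk(elem, path=""):
    """Yield (element, tag path such as security/CSI/transport) depth-first."""
    path = f"{path}/{elem.tag}" if path else elem.tag
    yield elem, path
    for child in elem:
        yield from walk(child, path)

def repertoire_aliases(config_dir):
    """Collect the alias of every <repertoire> element under config_dir."""
    return {rep.get("alias") for f in config_dir.rglob("*.xml")
            for rep in ET.parse(f).getroot().iter("repertoire")}

def find_alias_references(config_dir, alias):
    """Return sorted (relative file, element path) pairs that reference alias."""
    hits = []
    for f in config_dir.rglob("*.xml"):
        for elem, where in walk(ET.parse(f).getroot()):
            value = elem.get("sslConfig") or (elem.get("name") == "sslConfig" and elem.get("value"))
            if value == alias:
                hits.append((str(f.relative_to(config_dir)), where))
    return sorted(hits)

def audit_sample_config(alias=OLD_ALIAS):
    """Write the sample tree to a temporary directory; return (aliases, references)."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d)
        for rel, text in SAMPLE_FILES.items():
            (cfg / rel).parent.mkdir(parents=True, exist_ok=True)
            (cfg / rel).write_text(text)
        return repertoire_aliases(cfg), find_alias_references(cfg, alias)
```

Run `audit_sample_config()` to see the three sample locations that still point at DefaultSSLConfig; point `find_alias_references` at a real configuration directory only after adjusting the attribute names to the files you actually have.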