Selecting a user registry

Information about users and groups resides in a user registry. In WebSphere Application Server, a user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

Before you begin

Before configuring the user registry, decide which user registry to use. Though different types of registries are supported, all of the processes in WebSphere Application Server can use only one active registry. Configuring the correct registry is a prerequisite to assigning users and groups to roles for applications. When a user registry is not configured, the Local OS user registry is used by default. If your choice of user registry is not Local OS, you must first configure the registry (normally done as part of enabling security), restart the servers, and then assign users and groups to roles for all your applications.

WebSphere Application Server supports the following types of user registries:
  • Custom
  • Standalone Lightweight Directory Access Protocol (LDAP) registry
  • Local OS

About this task

If users and groups are already assigned to the applications and you need to change the user registry, delete all the users and groups, including any RunAs role, from the applications, and reassign them after changing the registry through the administrative console or by using wsadmin scripting. The following wsadmin command, which uses Jacl, removes all of the users and groups from any application:
$AdminApp deleteUserAndGroupEntries yourAppName
where yourAppName is the name of the application. Backing up the old application is advised before performing this operation. However, if both of the following conditions are true, you might be able to switch the registries without having to delete the users and groups information:

By default, an application does not contain access IDs in the bindings file. These IDs are generated when the applications start. However, if you migrated an existing application from an earlier release, or if you used the wsadmin script to add access IDs for the applications to improve performance, you have to remove the existing user and group information and add the information after configuring the new user registry.

For more information on updating access IDs, see updateAccessIDs in the AdminApp object for scripted administration article.
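
The backup-then-delete sequence described above can be scripted for several applications in one wsadmin session. The following Jacl script is an added example, not part of the original IBM topic; the script name, the backup directory and the application names on the command line are assumptions, and application names are assumed to contain no spaces.

```tcl
# Added example for wsadmin (Jacl). Assumed invocation:
#   wsadmin -lang jacl -f clearRoleBindings.jacl /var/backups/was AppOne AppTwo
# Exports each named application as a backup, removes its user and group
# entries, and saves the configuration only if every step succeeded.

proc clearRoleBindings {backupDir appNames} {
    global AdminApp AdminConfig

    # Refuse to start if any name is not an installed application,
    # so a typo cannot leave the cell half-processed.
    set installed [$AdminApp list]
    foreach app $appNames {
        if {[lsearch -exact $installed $app] < 0} {
            puts "ERROR: $app is not installed; nothing was changed"
            return 1
        }
    }

    # Take all backups first. A failed export stops the run before
    # any role assignment has been touched.
    foreach app $appNames {
        set ear [file join $backupDir "$app.ear"]
        if {[catch {$AdminApp export $app $ear} msg]} {
            puts "ERROR: export of $app failed: $msg"
            return 1
        }
        puts "Backed up $app to $ear"
    }

    # Remove the user and group entries. On any failure, discard the
    # unsaved changes so no application is left partially stripped.
    foreach app $appNames {
        if {[catch {$AdminApp deleteUserAndGroupEntries $app} msg]} {
            puts "ERROR: could not clear $app: $msg"
            $AdminConfig reset
            return 1
        }
        puts "Removed user and group entries from $app"
    }

    $AdminConfig save
    return 0
}

if {$argc < 2} {
    puts "usage: clearRoleBindings.jacl backupDir appName ?appName ...?"
} else {
    clearRoleBindings [lindex $argv 0] [lrange $argv 1 end]
}
```

After the script completes, the applications have no users or groups mapped to their roles until you reassign them against the new registry.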

Complete one of the following steps to configure your user registry:

Procedure

What to do next

  1. If you are enabling security, make sure that you complete the remaining steps. Verify that the Active User Registry field in the Global security panel is set to the appropriate registry. As the final step, validate the user ID and the password by clicking OK or Apply in the Global Security panel. Save, stop and start all WebSphere Application Servers.
  2. For any changes in user registry panels to be effective, you must validate the changes by clicking OK or Apply in the Global Security panel. After validation, save the configuration and stop and start all WebSphere Application Servers, including the deployment managers, node agents and all of the application servers. To avoid inconsistencies between the WebSphere Application Server processes, make sure that any changes to the user registry are done when all of the processes are running. If any of the processes are down, force synchronization to make sure that the process can start later.

    If the server or servers start without any problems, the setup is correct.





Last updated: Aug 29, 2010 7:21:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-dist&topic=tsecuseregistry
File name: tsec_useregistry.html