Configure a user registry. For more information, see Selecting a user registry. You can configure a local OS, Lightweight Directory Access Protocol (LDAP), or custom user registry through the links under User registry on the Global security panel.
One detail common to all user registries is the server user ID. This ID is a member of the chosen user registry, but it also has special privileges in WebSphere Application Server: it holds the same privileges as the administrative role ID and can invoke every protected administrative method. Treat its password with the same care as an administrator credential.
The server user ID must not be the same as the machine name of your system, because some user registries return machine-specific information instead of user information when queried for a user whose name matches the host name.
In LDAP user registries, verify that the server user ID is an entry in the user registry and not just the LDAP administrative role ID (the bind DN). The entry must be searchable from the configured base DN.
The server user ID does not run WebSphere Application Server processes. Rather, the process ID runs the WebSphere Application Server processes.
The process ID is determined by the way the process starts. For example, if you start processes from a command line, the user ID that is logged into the system is the process ID. If the server runs as a service, the user ID under which the service runs is the process ID. If you choose the Local OS user registry, the process ID requires special privileges to call the operating system APIs that validate passwords. The process ID must have the following platform-specific privileges:
- Windows: Act as Part of Operating System privileges
- UNIX and Linux: root privileges
Modify the default Secure Sockets Layer (SSL) keystore and truststore files that are packaged with the product. The packaged files are identical in every installation, so the private keys they contain must be assumed to be known to anyone; replacing them is what actually protects the integrity and confidentiality of messages sent across the Internet. The product provides a single location where you can specify SSL configurations that the various WebSphere Application Server features that use SSL can use, including the LDAP user registry, the Web container and the authentication protocols (CSIv2 and SAS). Create a new keystore and truststore by referring to the Creating a keystore file and Creating truststore files articles.
You can create different keystore and truststore files for different uses, or a single pair for everything that the server uses SSL for. After you create the new keystore and truststore files, specify them in the SSL configuration repertoires: click Security > SSL. See the article Configuring Secure Sockets Layer (SSL) for more information. You can either edit the DefaultSSLConfig entry or create a new SSL configuration with a new alias name. If you create a new alias for your new keystore and truststore files, change every location that references the DefaultSSLConfig alias; any transport left on the old alias keeps using the packaged keys. The following list specifies where SSL configuration repertoire aliases are used in the WebSphere Application Server configuration.
For any transports that use the new network input/output channel chains, including HTTP and Java Message Service (JMS), you can modify the SSL configuration repertoire aliases in the following location for each server:
For the Object Request Broker (ORB) SSL transports, you can modify the SSL configuration repertoire aliases in the following locations.
- Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > CSIv2 Outbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > SAS Inbound Transport.
- Click Security > Global security. Under Authentication, click Authentication protocol > SAS Outbound Transport.
For the Simple Object Access Protocol (SOAP) Java Management Extensions (JMX) administrative transport, you can modify the SSL configuration repertoire alias by clicking Servers > Application servers > server_name. Under Server infrastructure, click Administration > Administration services. Under Additional properties, click JMX connectors > SOAPConnector. Under Additional properties, click Custom properties. To point the sslConfig property to a new alias, click sslConfig and select an alias in the Value field.
For the Lightweight Directory Access Protocol (LDAP) SSL transport, you can modify the SSL configuration repertoire alias by clicking Security > Global security. Under User registries, click LDAP.
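Missing one of the locations above leaves that transport on the packaged keys. The following audit script is an added example and is not part of the product or of this page: it walks a configuration, lists every repertoire alias reference, and flags references to the retired DefaultSSLConfig alias, references to aliases that do not exist, and repertoires whose keystore or truststore is still one of the packaged default files. The XML is a constructed, simplified stand-in for the product's security configuration; its element names, attribute names and the default keystore file names are assumptions chosen to mirror the panels named in the text, not the product's real schema, so adapt them to the actual configuration files before use.

```python
"""Audit SSL repertoire alias references in a WebSphere-style security config.

Added example, not product code. Element/attribute names and the default
keystore file names below are assumptions, not the product's real schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one repertoire still on the packaged defaults, one new
# alias, and several transports, some already moved to the new alias.
SAMPLE_CONFIG = """<security>
  <repertoire alias="DefaultSSLConfig">
    <setting keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"
             trustFileName="${USER_INSTALL_ROOT}/etc/DummyServerTrustFile.jks"/>
  </repertoire>
  <repertoire alias="ProdSSLConfig">
    <setting keyFileName="/opt/was/keys/prodKey.jks"
             trustFileName="/opt/was/keys/prodTrust.jks"/>
  </repertoire>
  <CSIInboundTransport sslConfig="ProdSSLConfig"/>
  <CSIOutboundTransport sslConfig="DefaultSSLConfig"/>
  <SASInboundTransport sslConfig="DefaultSSLConfig"/>
  <SASOutboundTransport sslConfig="ProdSSLConfig"/>
  <LDAPUserRegistry sslEnabled="true" sslConfig="DefaultSSLConfig"/>
  <SOAPConnector>
    <properties name="sslConfig" value="OldAlias"/>
  </SOAPConnector>
</security>
"""

# Assumed names of the packaged keystore/truststore files; check your install.
DEFAULT_KEYFILES = ("DummyServerKeyFile.jks", "DummyServerTrustFile.jks")


def repertoires(root):
    """Map each repertoire alias to its (keyFileName, trustFileName)."""
    out = {}
    for rep in root.iter("repertoire"):
        setting = rep.find("setting")
        if setting is None:
            continue
        out[rep.get("alias")] = (setting.get("keyFileName", ""),
                                 setting.get("trustFileName", ""))
    return out


def alias_references(root):
    """Every place an SSL alias is referenced, as (location, alias) pairs."""
    refs = []
    for elem in root.iter():
        if elem.tag == "repertoire":
            continue  # definitions, not references
        if elem.get("sslConfig"):
            refs.append((elem.tag, elem.get("sslConfig")))
        # the SOAP JMX connector carries the alias as a custom property
        if elem.tag == "properties" and elem.get("name") == "sslConfig":
            refs.append(("SOAPConnector.sslConfig", elem.get("value")))
    return refs


def audit(xml_text, retired_alias="DefaultSSLConfig"):
    """Return human-readable findings; an empty list means nothing to fix."""
    root = ET.fromstring(xml_text)
    reps = repertoires(root)
    findings = []
    for alias, (key, trust) in reps.items():
        if any(key.endswith(d) or trust.endswith(d) for d in DEFAULT_KEYFILES):
            findings.append(
                f"repertoire {alias} still uses a packaged default keystore/truststore")
    for location, alias in alias_references(root):
        if alias not in reps:
            findings.append(f"{location} references unknown alias {alias}")
        elif alias == retired_alias:
            findings.append(f"{location} still references {retired_alias}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the constructed sample and it reports the DefaultSSLConfig repertoire still on the packaged files, the three transports still bound to DefaultSSLConfig, and the SOAP connector pointing at an alias that does not exist; an unknown alias is worth flagging separately because a typo in the sslConfig property silently leaves the connector on whatever the product falls back to rather than on your new keys.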