Information about users and groups resides in a user registry. In WebSphere Application Server, the user registry authenticates users and retrieves user and group information for security-related functions, including authentication and authorization.
Before configuring a user registry or repository, decide which one to use. Only one registry can be configured as the active default registry for a cell.
WebSphere Application Server is designed with the capability to support multiple operating system or operating environment-based user registries, such as the z/OS SAF registry, and most of the major Lightweight Directory Access Protocol (LDAP)-based registries. You can use the custom LDAP feature to support any LDAP server by setting up the correct configuration information, such as user and group filters. However, support is not extended to these custom LDAP servers, because there are too many possible configurations to test.
Configuring the correct registry or repository is a prerequisite to assigning users and groups to roles for applications. When no user registry or repository is configured, the local operating system registry is used by default; on z/OS, this is the SAF-based user registry (PQ81586). If your choice of user registry or repository is not the local operating system registry, you must first configure the registry or repository, which is normally done as part of enabling administrative security, then restart the servers, and only then assign users and groups to roles for all of your applications.
In addition to local operating system, LDAP, and Federated repository registries, WebSphere Application Server also provides a plug-in to support any registry by using the custom registry feature. The custom registry feature enables you to configure any user registry that is not made available through the security configuration panels of the WebSphere Application Server.
The UserRegistry interface is used to implement both the custom registry and the federated repository options for the user account repository. It is most useful when the current user and group information exists in some other form, for example a database, and cannot be moved to a local operating system or LDAP registry. In that case you implement the UserRegistry interface so that WebSphere Application Server can use the existing store for all security-related operations. Implementing a custom registry is a software development effort, and the implementation must not depend on WebSphere Application Server resource management for its operation: you cannot, for example, use an Application Server data source; your code must open database connections and control their behavior directly.
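As an added illustration, not code from this page or from IBM, the following Java class implements the database case described above: users and groups live in a relational store, the registry opens its own JDBC connections instead of using a WebSphere data source, and checkPassword verifies a stored salted PBKDF2 hash with a constant-time comparison. It assumes the UserRegistry, Result and exception classes of com.ibm.websphere.security as shipped with the server (compare the method set and exception constructors against the FileRegistrySample and the javadoc of your release); the table names, the string-typed id columns, the custom property names and the JDBC URL are made up for the example.

```java
// Added example, not IBM's code. Assumes the UserRegistry, Result and
// exception classes of com.ibm.websphere.security; table names, string-typed
// id columns, property names and the JDBC URL are hypothetical.
import com.ibm.websphere.security.*;
import com.ibm.websphere.security.cred.WSCredential;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.sql.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class JdbcUserRegistry implements UserRegistry {
    private String jdbcUrl, dbUser, dbPassword, realm;

    // Properties come from the custom registry configuration; the names are assumed.
    public void initialize(Properties props) throws CustomRegistryException {
        jdbcUrl = props.getProperty("jdbcUrl");
        dbUser = props.getProperty("dbUser");
        dbPassword = props.getProperty("dbPassword");
        realm = props.getProperty("realm", "jdbcRealm");
        if (jdbcUrl == null) throw new CustomRegistryException("jdbcUrl property is required");
    }

    // The registry opens its own connections; it cannot use a WAS data source.
    private Connection open() throws SQLException {
        return DriverManager.getConnection(jdbcUrl, dbUser, dbPassword);
    }

    // Verify a salted PBKDF2 hash with a constant-time compare. Unknown user and
    // wrong password raise the same exception so the caller cannot tell them apart.
    public String checkPassword(String userSecurityName, String password)
            throws PasswordCheckFailedException, CustomRegistryException {
        String sql = "SELECT salt, iterations, pw_hash FROM users WHERE name = ?";
        try (Connection c = open(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userSecurityName);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new PasswordCheckFailedException(userSecurityName);
                byte[] expected = rs.getBytes("pw_hash");
                PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), rs.getBytes("salt"),
                        rs.getInt("iterations"), expected.length * 8);
                byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                if (!MessageDigest.isEqual(expected, actual))
                    throw new PasswordCheckFailedException(userSecurityName);
            }
        } catch (SQLException | GeneralSecurityException e) {
            throw new CustomRegistryException(e.getMessage());
        }
        return userSecurityName; // the security name WebSphere attaches to the subject
    }

    // Parameterized single-value lookup; EntryNotFoundException when no row matches.
    private String scalar(String sql, String arg) throws EntryNotFoundException, CustomRegistryException {
        try (Connection c = open(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, arg);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new EntryNotFoundException(arg);
                return rs.getString(1);
            }
        } catch (SQLException e) { throw new CustomRegistryException(e.getMessage()); }
    }

    // Parameterized first-column lookup returning at most max rows (0 = unlimited).
    private List<String> column(String sql, String arg, int max) throws CustomRegistryException {
        List<String> out = new ArrayList<>();
        try (Connection c = open(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, arg);
            try (ResultSet rs = ps.executeQuery()) {
                while ((max <= 0 || out.size() < max) && rs.next()) out.add(rs.getString(1));
            }
        } catch (SQLException e) { throw new CustomRegistryException(e.getMessage()); }
        return out;
    }

    // WebSphere search patterns use '*'; fetch one row past limit to flag hasMore.
    private Result search(String sql, String pattern, int limit) throws CustomRegistryException {
        List<String> rows = column(sql, pattern.replace('*', '%'), limit > 0 ? limit + 1 : 0);
        Result r = new Result();
        if (limit > 0 && rows.size() > limit) { rows = rows.subList(0, limit); r.setHasMore(); }
        for (String s : rows) r.addResult(s);
        return r;
    }

    public String getRealm() { return realm; }
    public Result getUsers(String p, int limit) throws CustomRegistryException { return search("SELECT name FROM users WHERE name LIKE ? ORDER BY name", p, limit); }
    public Result getGroups(String p, int limit) throws CustomRegistryException { return search("SELECT name FROM groups WHERE name LIKE ? ORDER BY name", p, limit); }
    public String getUserDisplayName(String n) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT display_name FROM users WHERE name = ?", n); }
    public String getUniqueUserId(String n) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT id FROM users WHERE name = ?", n); }
    public String getUserSecurityName(String id) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT name FROM users WHERE id = ?", id); }
    public boolean isValidUser(String n) throws CustomRegistryException { try { getUniqueUserId(n); return true; } catch (EntryNotFoundException e) { return false; } }
    public String getGroupDisplayName(String n) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT display_name FROM groups WHERE name = ?", n); }
    public String getUniqueGroupId(String n) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT id FROM groups WHERE name = ?", n); }
    public String getGroupSecurityName(String id) throws EntryNotFoundException, CustomRegistryException { return scalar("SELECT name FROM groups WHERE id = ?", id); }
    public boolean isValidGroup(String n) throws CustomRegistryException { try { getUniqueGroupId(n); return true; } catch (EntryNotFoundException e) { return false; } }
    public List getUniqueGroupIds(String uid) throws CustomRegistryException { return column("SELECT group_id FROM memberships WHERE user_id = ?", uid, 0); }
    public List getGroupsForUser(String n) throws CustomRegistryException {
        return column("SELECT g.name FROM groups g JOIN memberships m ON m.group_id = g.id"
                + " JOIN users u ON u.id = m.user_id WHERE u.name = ?", n, 0);
    }
    public Result getUsersForGroup(String g, int limit) throws NotImplementedException { throw new NotImplementedException(); }
    public String mapCertificate(X509Certificate[] chain) throws CertificateMapNotSupportedException { throw new CertificateMapNotSupportedException(); } // no client-certificate login here
    public WSCredential createCredential(String n) throws NotImplementedException { throw new NotImplementedException(); } // the interface permits this
}
```

Register the class as the custom registry with the jdbcUrl, dbUser, dbPassword and realm custom properties (names assumed above), and make sure the class and its JDBC driver are loadable by the server before any application starts, since the registry is used during server startup and administrative login. Every query is parameterized, the password check never compares plaintext, and the code holds no WebSphere-managed resources, which is exactly the independence from Application Server resource management that the text requires.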
$AdminApp deleteUserAndGroupEntries yourAppName

where yourAppName is the name of the application. Back up the old application before performing this operation. However, if both of the following conditions are true, you might be able to switch registries without having to delete the user and group information:
By default, an application does not contain access IDs in the bindings file. These IDs are generated when the applications start. However, if you migrated an existing application from an earlier release, or if you used the wsadmin script to add access IDs for the applications to improve performance, you have to remove the existing user and group information and add the information after configuring the new user registry.
For more information on updating access IDs, see updateAccessIDs in the AdminApp object for scripted administration article.
Complete one of the following steps to configure your user registry:
If the server or servers start without any problems, the setup is correct.