Use these steps to configure local operating system registries.
Before you begin
For detailed information about using the local operating system user registry, see Local operating system registries. These steps set up security based on the local operating system user registry on which WebSphere® Application Server is installed.
When a local operating system registry is chosen, the started task identity is chosen as the server identity. A user ID and password are not required to configure the server.
Important: Each started task, for example, a controller, servant, or daemon, might have a different identity. Because each should receive different resource authorizations, give controllers and servants different user IDs. The z/OS Profile Management Tool sets up these identities.
About this task
When you set up a user registry for WebSphere Application Server, the System Authorization Facility (SAF) works in conjunction with the user registry to authorize applications to run on the server. Complete the following steps to configure additional properties that are associated with the local OS user registry and SAF configuration.
Important: The local operating system is not a valid user account repository when you have a mixed cell environment that includes both z/OS® platform and non-z/OS platform nodes.
Procedure
- Click Security > Global security.
- Under User account repository, select Local operating system and click Configure.
- If SAF authorization is not enabled, enter a valid user name in the Primary administrative user name field. This value is the name of a user with administrative privileges that is defined in the registry. This user name is used to access the administrative console or used by wsadmin.
- Optional: Select the Ignore case for authorization option to enable WebSphere Application Server to perform a case-insensitive authorization check when you use the default authorization.
- Click Apply.
- Select either the Automatically generated server identity or User identity for the z/OS started task.
- Optional: Enable and configure SAF authorization.
  - Click Security > Global security > External authorization provider.
  - Select the System Authorization Facility (SAF) authorization option to enable SAF as the authorization provider.
  - Under Related items, click z/OS SAF authorization to configure SAF authorization. To see an explanation of the SAF authorization options, see z/OS System Authorization Facility authorization.
- Click OK.
The administrative console does not validate the user ID and password when you click OK. Validation occurs only when you click OK or Apply in the Global security panel. First, make sure that you select Local operating system as the available realm definition in the User account repository section, and click Set as current. If security was already enabled and you changed either the user or the password information in this panel, go to the Global security panel and click OK or Apply to validate your changes. If your changes are not validated, the server might not start.
Important: Until you authorize other users to perform administrative functions, you can only access the administrative console with the server user ID and password that you specified.
Results
For any changes in this panel to be effective, you need to save, stop, and start all the product servers, including deployment managers, nodes, and application servers. If the server comes up without any problems, the setup is correct.
After completing these steps, you have configured WebSphere Application Server to use the local operating system registry to identify authorized users.
What to do next
Complete any remaining steps for enabling security. For more information, see Enabling security.