With the registry implementation for the local operating system, the WebSphere® Application Server authentication mechanism can use the user accounts database of the local operating system.
If you want to use the local operating system registry to represent the principals who access your WebSphere Application Server resources, you do not have to complete any special user registry setup steps. The local operating system registry is used for authentication and authorization of users who access WebSphere Application Server resources, but not for WebSphere Application Server users who access operating system resources. WebSphere Application Server does not run under the operating system user profile of Application Server users. Instead, WebSphere Application Server runs under the operating system profile that is configured by the Application Server administrator.
If you want to authorize a user for any WebSphere Application Server resource, a user profile for that user must exist in the operating system. Use the Create User Profile (CRTUSRPRF) command to create new user IDs that can be used by WebSphere Application Server.
Do not use a local operating system registry in a WebSphere Application Server environment where application servers are dispersed across more than one machine because each machine has its own user registry.
As mentioned previously, the access IDs taken from the user registry are used during authorization checks. Because these IDs are typically unique identifiers, they vary from machine to machine, even if the exact users and passwords exist on each machine.
Web client certificate authentication is not currently supported when using the local operating system user registry. However, Java client certificate authentication does function with a local operating system user registry. Java client certificate authentication maps the first attribute of the certificate domain name to the user ID in the user registry.
CWSCJ0337E: The mapCertificate method is not supported
The error is intended for web client certificates; however, it also displays for Java client certificates. Ignore this error for Java client certificates.
If you want to access users and groups from either the local or the domain user registry, instead of both, set the com.ibm.websphere.registry.UseRegistry property. This property can be set to either local or domain. When this property is set to local (case insensitive), only the local user registry is used. When this property is set to domain (case insensitive), only the domain user registry is used.