Configure user registries
Before you beginBefore configuring the user registry, decide which registry to use. Though different types of registries are supported, all of the processes in WebSphere Application Server can use one active registry. Configuring the correct registry is a prerequisite to assigning users and groups to roles for applications. When a user registry is not configured, the Local OS user registry is used by default. So, if your choice of registry is not Local OS you need to first configure the registry, which is normally done as part of enabling security, restart the servers, and then assign users and groups to roles for all your applications.
OverviewAfter the applications are assigned users and groups, and you need to change the registries (for example from Lightweight Directory Access Protocol (LDAP) to Custom), delete all the users and groups (including any RunAs role) from the applications, and reassign them after changing the registry through the administrative console or by using wsadmin scripting. The following wsadmin command, which uses Jacl, removes all of the users and groups (including the RunAs role) from any application:
$AdminApp deleteUserAndGroupEntries yourAppName where yourAppName is the name of the application. Backing up the old application is advised before performing this operation. However, if both of the following conditions are true, you might be able to switch the registries without having to delete the users and groups information:
- All of the user and group names (including the password for the RunAs role users) in all of the applications match in both registries.
- The application bindings file does not contain the accessIDs, which are unique for each registry even for the same user or group name.
By default, an application does not contain accessIDs in the bindings file (these IDs are generated when the applications start). However, if you migrated an existing application from an earlier release, or if you used the wsadmin script to add accessIDs for the applications to improve performance you have to remove the existing user and group information and add the information after configuring the new registry.
For more information on updating accessIDs, see updateAccessIDs in the AdminApp object for scripted administration article.
Complete one of the following steps to configure your user registry:
Steps for this task (dependent on configuration)
- Configuring local operating system user registries
- Configuring Lightweight Directory Access Protocol user registries
- Configuring custom user registries.
What to do next
- If you are enabling security, make sure that you complete the remaining steps. Verify that the Active User Registry field in the Global Security panel is set to the appropriate registry. As the final step, validate the user ID and the password by clicking OK or Apply in the Global Security panel. Save, stop and start all WAS appservers.
- For any changes in user registry panels to be effective, validate the changes by clicking OK or Apply in the Global Security panel. After validation, save the configuration, stop and start all WebSphere Application Servers (cells, nodes and all the application servers). To avoid inconsistencies between the WAS processes, make sure that any changes to the registry are done when all of the processes are running. If any of the processes are down, force synchronization to make sure that the process can start later.
If the server or servers start without any problems, the setup is correct.
Local operating system user registries
Configuring local operating system user registries
Lightweight Directory Access Protocol
Configuring Lightweight Directory Access Protocol user registries
Configuring Lightweight Directory Access Protocol search filters
Using specific directory servers as the LDAP server
Locating a user's group memberships in Lightweight Directory Access Protocol
Dynamic groups and nested group support
Dynamic and nested group support for the SunONE or iPlanet Directory Server
Configuring dynamic and nested group support for the SunONE or iPlanet Directory Server
Dynamic groups and nested group support for the IBM Tivoli Directory Server
Configuring dynamic and nested group support for the IBM Tivoli Directory Server
Custom user registries
Configuring custom user registries
Configuring global security
Commands for the AdminApp object
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.