Select a registry or repository
Overview
Information about users and groups resides in a user registry. In WAS, the user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.
During profile creation administrative security is enabled by default, and a file-based federated user repository is configured as the active user registry.
WAS provides implementations that support multiple types of registries and repositories including...
- local operating system registry
- standalone LDAP registry
- standalone custom registry
- federated repositories
A user repository is used to authenticate a user by one of the following mechanisms...
- basic authentication
- identity assertion
- client certificates
UserRegistry Interface
WAS implements a user registry proxy for custom and federated registries by using the UserRegistry interface. However, some return values differ slightly from what the interface documents. For example, getUniqueUserId returns the unique ID wrapped with the realm name, so that value cannot be passed directly to getUserSecurityName; the realm must be stripped first, as shown in the following example:
// Retrieve the default InitialContext for this server.
javax.naming.InitialContext ctx = new javax.naming.InitialContext();
// Retrieve the local UserRegistry object.
com.ibm.websphere.security.UserRegistry reg =
    (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");
// Retrieve the registry unique ID based on the userName specified
// in the NameCallback. The returned value is wrapped with the realm name.
String uniqueID = reg.getUniqueUserId(userName);
// Strip the realm name to get the real unique ID.
String uid = com.ibm.wsspi.security.token.WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID);
// Retrieve the security name from the user registry based on the stripped unique ID.
String securityName = reg.getUserSecurityName(uid);
Use the Service Provider Interface (SPI) for this parsing step, as shown above, rather than splitting the string by hand.
If applications already have users and groups assigned and we need to change the user registry, delete all the users and groups, including any RunAs role mappings, from the applications, and reassign them after changing the registry, either through the admin console or by using wsadmin scripting.
The following wsadmin command, which uses Jacl, removes all of the users and groups from any application:
$AdminApp deleteUserAndGroupEntries yourAppName
...where yourAppName is the name of the application. Backing up the old application is advised before performing this operation. However, if both of the following conditions are true, we might be able to switch the registries without having to delete the users and groups information:
- All of the user and group names, including the password for the RunAs role users, in all of the applications match in both user registries.
- The application bindings file does not contain the access IDs which are unique for each user registry even for the same user or group name.
By default, an application does not contain access IDs in the bindings file. These IDs are generated when the applications start. However, if we migrated an existing application from an earlier release, or if we used the wsadmin script to add access IDs for the applications to improve performance, we have to remove the existing user and group information and add the information after configuring the new user registry.
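The second condition above can be checked mechanically before switching registries. The following is an added example, not part of this page or of WAS: it scans an application bindings file for access IDs attached to user and group role mappings and reports whether the delete-and-reassign step is required. The file name ibm-application-bnd.xml, the access-id attribute and the user:realm/... value layout are assumptions; the sample bindings are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an application bindings file (ibm-application-bnd.xml
# layout assumed, not taken from the page). Two mappings carry access IDs
# stamped with the old realm; the other carries only a name.
SAMPLE_BINDINGS = """<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee">
  <security-role name="Manager">
    <user name="alice" access-id="user:oldrealm/uid=alice,o=oldrealm"/>
    <group name="managers"/>
  </security-role>
  <security-role name="Auditor">
    <group name="auditors" access-id="group:oldrealm/cn=auditors,o=oldrealm"/>
  </security-role>
</application-bnd>
"""

# Assumed access ID layout: "<user|group>:<realm>/<registry-specific id>".
ACCESS_ID_RE = re.compile(r"^(user|group):([^/]+)/(.+)$")


def local(tag):
    """Strip the XML namespace so the scan works whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]


def find_access_ids(xml_text):
    """Return (role, kind, name, realm) for every user/group mapping with an access ID."""
    found = []
    root = ET.fromstring(xml_text)
    for role in root.iter():
        if local(role.tag) != "security-role":
            continue
        for subject in role:
            kind = local(subject.tag)
            if kind not in ("user", "group"):
                continue
            access_id = subject.get("access-id")
            if not access_id:
                continue
            m = ACCESS_ID_RE.match(access_id)
            realm = m.group(2) if m else None  # None: unparseable, still an access ID
            found.append((role.get("name"), kind, subject.get("name"), realm))
    return found


def must_reassign(xml_text):
    """True if users/groups must be deleted and re-added before switching registries."""
    # Any access ID pins a mapping to the registry that generated it, so the
    # only safe case for switching in place is a bindings file with none.
    return len(find_access_ids(xml_text)) > 0
```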
Restrictions
Restrictions on the use of non-alphanumeric characters in user names depend on both the underlying operating system and the user registry type.
[AIX] For example, the following characters are not supported in a user name value:
- `
- #
- =
- \
- :
- "
- ,
- /
- ?
- '
- A space character
For a comprehensive list of the non-alphanumeric characters that are not supported, see the IBM AIX operating system documentation.
[HP-UX] For example, the following characters are not supported in a user name value:
- `
- :
- "
- /
- A space character
Procedure to configure the user registry
Complete one of the following steps to configure the user registry:
- Set local operating system registries
- Set LDAP user registries
- Set standalone custom registries
- Manage the realm in a federated repository configuration
For any changes in the user registry panels to take effect, validate the changes by clicking Apply on the Global security panel. After validation, save the configuration, then stop and start all WAS processes, including the cell, node and application server processes. To avoid inconsistencies between the WAS processes, make sure that any changes to the registry or repository are made while all of the processes are running. If any of the processes are down, force synchronization so that the process can start later.