Set custom user registries using scripting
Use this topic to configure custom user registries for global security and security domain configurations using wsadmin. We can define custom user registries at the global level and for multiple security domains. You must meet the following requirements before configuring custom user registries:
- You must have the administrator or new admin role.
- Enable global security in the environment.
- Implement and build the UserRegistry interface and configure a custom registry.
- To configure custom user registries for multiple security domains, configure at least one security domain.
WAS security supports stand-alone custom registries in addition to the local operating system registry, stand-alone LDAP registries, and federated repositories for authentication and authorization. A stand-alone custom-implemented registry uses the UserRegistry Java™ interface as provided by WAS ND. A stand-alone custom registry can support any type of account repository, such as a relational database or a flat file. We can specify custom user registries at the global level and at the security domain level.
When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security run time. The realm name for custom registries is set by the custom registry. Use the following Jython command to make the user registry the active user registry in the global security configuration:
AdminTask.setAdminActiveSecuritySettings('-activeUserRegistry CustomUserRegistry')
Use the following Jython command to make the user registry the active user registry in the application security configuration:
AdminTask.setAppActiveSecuritySettings('-securityDomainName domain2 -activeUserRegistry CustomUserRegistry')
In security domains, we can configure a different realm for a user registry configuration. For example, we can configure two registries that use the same LDAP server listening on the same port, but use different base distinguished names (baseDN). This method supports the configuration to serve different sets of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Multiple realms can exist in the configuration, and we can also specify a list of trusted realms. Communication between applications that use different realms is supported.
Use the following steps to configure custom user registries for the global security configuration and for multiple security domains:
- Set custom user registries for global security configurations.
Use the configureAdminCustomUserRegistry command and the following optional parameters to configure a custom user registry in the global security configuration:
Table 1. Optional parameters
Parameter (Data type): Description
-autoGenerateServerId (Boolean): Specifies whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter.
-serverId (String): User identity in the repository to use for internal process communication.
-serverIdPassword (String): Password that corresponds to the user identity.
-primaryAdminId (String): Name of the user with administrative privileges as defined in the registry. This parameter does not apply to security configurations. The user name must exist in the user registry repository.
-customRegClass (String): Class name that implements the UserRegistry interface in the com.ibm.websphere.security class.
-ignoreCase (Boolean): Specifies whether to require case sensitive authorization. Specify true to ignore case during authorization.
-customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character (,), as the following syntax displays: "attribute1=value1","attribute2=value2"
-verifyRegistry (Boolean): Specifies whether to verify the user registry. The default value is true, and verification is performed automatically.
Use the following Jython example command to configure a custom user registry for global security:
AdminTask.configureAdminCustomUserRegistry('-autoGenerateServerId true -primaryAdminId gsAdmin')
- Set custom user registries for security domains.
- Determine the name of the security domain to configure.
Use the listSecurityDomains command to list all security domains on the server, as the following Jython example demonstrates:
AdminTask.listSecurityDomains()
- Set a custom user registry for a security domain.
Use the configureAppCustomUserRegistry command and the following optional parameters to configure a local custom user registry:
Table 2. Optional parameters
Parameter (Data type): Description
-securityDomainName (String): Unique name that identifies the security domain of interest.
-realmName (String): Name of the realm of the user registry.
-customRegClass (String): Class name that implements the UserRegistry interface in the com.ibm.websphere.security class.
-ignoreCase (Boolean): Specifies whether to require case sensitive authorization. Specify true to ignore case during authorization.
-customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character (,), as the following syntax displays: "attribute1=value1","attribute2=value2"
-verifyRegistry (Boolean): Specifies whether to verify the user registry. The default value is true, and verification is performed automatically.
Use the following Jython example command to configure a custom user registry for the domain2 security domain:
AdminTask.configureAppCustomUserRegistry('-securityDomainName domain2 -realmName domain2Realm')
What to do next
Use the following command example to save the configuration changes:
AdminConfig.save()
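The whole procedure for a security domain, as an added wsadmin Jython example that is not from this page or from IBM: it builds the configureAppCustomUserRegistry argument string (including the quoted -customProperties syntax), activates the registry for the domain with setAppActiveSecuritySettings, saves, and reports settings a reviewer would want to look at. The registry class com.example.security.FileRegistry, the property name usersFile and its path are hypothetical placeholders; outside wsadmin the CallRecorder stands in for AdminTask and AdminConfig.

```python
# Added example, not from the IBM page: a wsadmin Jython script that configures a custom
# user registry for one security domain, activates it and saves. The registry class,
# property names, path and domain name are hypothetical placeholders.

def custom_properties(pairs):
    # Render (attribute, value) pairs as "a=b","c=d"; a comma or quote inside would break it.
    rendered = []
    for attr, value in pairs:
        if ',' in attr + value or '"' in attr + value:
            raise ValueError('illegal character in custom property: %s=%s' % (attr, value))
        rendered.append('"%s=%s"' % (attr, value))
    return ','.join(rendered)

def registry_args(domain, realm, reg_class, pairs, ignore_case='false', verify='true'):
    # Build the single argument string configureAppCustomUserRegistry takes.
    if not realm:
        raise ValueError('a security domain registry needs its own -realmName')
    args = ('-securityDomainName %s -realmName %s -customRegClass %s -ignoreCase %s '
            '-verifyRegistry %s') % (domain, realm, reg_class, ignore_case, verify)
    if pairs:
        args += ' -customProperties ' + custom_properties(pairs)
    return args

def review_settings(ignore_case, verify):
    # Findings worth a second look before AdminConfig.save() commits the change.
    findings = []
    if ignore_case == 'true':
        findings.append('ignoreCase=true: authorization ignores case in user and group names')
    if verify == 'false':
        findings.append('verifyRegistry=false: the registry is not verified when configured')
    return findings

class CallRecorder:
    # Stand-in for AdminTask/AdminConfig outside wsadmin; records every call it receives.
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        return lambda *args: self.calls.append((name,) + args)

def configure_domain_registry(task, config, domain, realm, reg_class, pairs,
                              ignore_case='false', verify='true'):
    # Configure, activate for the domain (as on the page), save; return review findings.
    task.configureAppCustomUserRegistry(
        registry_args(domain, realm, reg_class, pairs, ignore_case, verify))
    task.setAppActiveSecuritySettings(
        '-securityDomainName %s -activeUserRegistry CustomUserRegistry' % domain)
    config.save()
    return review_settings(ignore_case, verify)
```

Inside wsadmin, pass the real objects: configure_domain_registry(AdminTask, AdminConfig, 'domain2', 'domain2Realm', 'com.example.security.FileRegistry', [('usersFile', '/opt/registry/users.props')]) and print any findings it returns before trusting the saved configuration.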
Related tasks
Set security domains using scripting
Mapping resources to security domains using scripting
Remove resources from security domains using scripting
Remove security domains using scripting