What is new in this release
The new features and enhancements available in this release are listed here.
Multiple security domain support
In virtual member manager version 8.0, you can configure a separate instance of virtual member manager for each security domain in a multiple security domain environment.
Flexible administration
In the flexible administration mode, you can have different virtual member manager configurations for admin agent and subsystems, including a combination of both virtual member manager repositories and non-virtual member manager repositories. The admin agent JVM can host multiple instances of virtual member manager, one per subsystem that has virtual member manager as the active user registry. For more information, read about Configure job managers and Manage administrative jobs using wsadmin.sh in the WAS information center.
Federated repository management rights
You can map users and groups to roles to assign federated repository management rights. Read about the predefined roles and their permissions in the topic, Provide security, in the virtual member manager documentation.
The following wsadmin commands enable users who are not WAS administrators to access the virtual member manager API methods. Use them to assign users and groups to a predefined virtual member manager role, remove them from a role, and list role assignments:
- mapIdMgrUserToRole
- mapIdMgrGroupToRole
- removeIdMgrUsersFromRole
- removeIdMgrGroupsFromRole
- listIdMgrUsersForRoles
For more information, read about using these commands in the topic, IdMgrConfig command group in the WAS information center.
changeMyPassword command
A wsadmin command is provided that allows you to change your own password when you are logged in to WAS, regardless of the WAS role you are assigned. For detailed information about the command parameters and examples, read about the changeMyPassword command in the topic, WIMManagementCommands command group in the WAS information center.
SAF mapping module logging
To enable logging for the SAF mapping module, set debugEnabled=false in the code and specify a custom property through the administrative console. The steps are listed in the topic (step 5), Configure a custom System Authorization Facility (SAF) mapping module for federated repositories in the WAS information center.
Default LDAP configuration settings for Microsoft Active Directory
In virtual member manager version 8.0, the following default LDAP configuration settings for Microsoft Active Directory have been changed:
- The default value of the membership attribute for users is "memberOf". This attribute is used when searching for the groups to which a user belongs.
- The default value of the user search filter for Active Directory is "(ObjectCategory=User)".
Default value of cache distribution policy (dynacache)
The default value of the cacheDistPolicy property is none. In releases prior to version 8.0, the default value was push.
This default value also applies when you use the setIdMgrLDAPAttrCache, setIdMgrLDAPSearchResultCache, updateIdMgrLDAPAttrCache, and updateIdMgrLDAPSearchResultCache wsadmin commands.
Support for user-defined schema
You can specify a user-defined database schema in which to create the federated repository tables. Use the dbSchema parameter and the tablespacePrefix parameter (tablespacePrefix is for DB2 for z/OS only) with the following wsadmin commands:
- setupIdMgrDBTables
- setupIdMgrPropertyExtensionRepositoryTables
- setupIdMgrEntryMappingRepositoryTables
- deleteIdMgrDBTables
- deleteIdMgrPropertyExtensionRepositoryTables
- deleteIdMgrEntryMappingRepositoryTables
- createIdMgrDBRepository
- updateIdMgrDBRepository
- setIdMgrEntryMappingRepository
- setIdMgrPropertyExtensionRepository
For more information, see the following topics in the WAS information center:
- Set up an entry mapping repository, a property extension repository, or a custom registry database repository using wsadmin
- IdMgrRepositoryConfig command group
For specifying a user-defined database schema during manual setup of federated repository tables, see the following topics:
- Manually set up the property extension repository for federated repositories
- Manually set up the property extension repository for DB2 for iSeries or DB2 for z/OS
Support for user-defined bufferpools (DB2 for z/OS only)
You can specify user-defined bufferpools when creating the federated repository tables on DB2 for z/OS. Use the tablesBufferPool, LOBtablesBufferPool, and indextablesBufferPool parameters with the following wsadmin commands:
- setupIdMgrDBTables
- setupIdMgrPropertyExtensionRepositoryTables
- setupIdMgrEntryMappingRepositoryTables (only tablesBufferPool)
For more information, see the topic, Set up an entry mapping repository, a property extension repository, or a custom registry database repository using wsadmin in the WAS information center.
To specify user-defined bufferpools during manual setup of federated repository tables, see the topic, Manually set up the property extension repository for DB2 for iSeries or DB2 for z/OS.
Documentation enhancements
To help programmers who are developing virtual member manager applications, sample code for using virtual member manager APIs in various scenarios is provided under the section, Integrate virtual member manager into the application.
Performance benchmarking results for startup time and memory footprint for virtual member manager 8.0, as compared with the previous version 7.0, are documented at Performance benchmark for virtual member manager.