Network Deployment (Distributed operating systems), v8.0 > Scripting the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Configure multiple security domains using scripting
Configure custom user registries using scripting
Use this topic to configure custom user registries for global security and security domain configurations using the wsadmin tool. We can define custom user registries at the global level and for multiple security domains.
We must meet the following requirements before configuring custom user registries:
- We must have the administrator or new admin role.
- Enable global security in the environment.
- Implement and build the UserRegistry interface and configure a custom registry.
- To configure custom user registries for multiple security domains, configure at least one security domain.
WAS security supports stand-alone custom registries in addition to the local operating system registry, stand-alone LDAP registries, and federated repositories for authentication and authorization. A stand-alone custom registry implements the UserRegistry Java interface that the product provides, and it can be backed by any type of account repository, such as a relational database or a flat file. We can specify custom user registries at the global level and at the security domain level.
When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security run time. The realm name for custom registries is set by the custom registry.
Use the following command to make a specific user registry the active user registry in the global security configuration:
Jython
AdminTask.setAdminActiveSecuritySettings ('[-activeUserRegistry CustomUserRegistry]')
Jacl
$AdminTask setAdminActiveSecuritySettings {-activeUserRegistry CustomUserRegistry}
Use the following command to make a specific user registry the active user registry in the security domain configuration:
Jython
AdminTask.setAppActiveSecuritySettings ('[-securityDomainName domain2 -activeUserRegistry CustomUserRegistry]')
Jacl
$AdminTask setAppActiveSecuritySettings {-securityDomainName domain2 -activeUserRegistry CustomUserRegistry}
In security domains, you can configure a different realm for each user registry configuration. For example, you can configure two registries that use the same LDAP server listening on the same port but different base distinguished names (baseDN), so that each registry serves a different set of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Multiple realms can exist in the configuration, and you can also specify a list of trusted realms. Communication between applications that use different realms is supported.
Use the following steps to configure custom user registries for your global security configuration and for multiple security domains:
Procedure
- Configure custom user registries for global security configurations.
This command is not supported in local mode.
Optional parameters. Use the configureAdminCustomUserRegistry command and the following optional parameters to configure a custom user registry in your global security configuration:
- -autoGenerateServerId (Boolean): Whether to automatically generate the server identity to use for internal process communication. To set a specific server identity instead, specify the -serverId parameter.
- -serverId (String): User identity in the repository to use for internal process communication.
- -serverIdPassword (String): Password that corresponds to the user identity given by -serverId.
- -primaryAdminId (String): Name of the user with administrative privileges, as defined in the registry. The user name must exist in the user registry repository. This parameter applies only to the global security configuration, not to security domain configurations.
- -customRegClass (String): Name of the class that implements the com.ibm.websphere.security.UserRegistry interface.
- -ignoreCase (Boolean): Whether authorization is case sensitive. Specify true to ignore case during authorization.
- -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. For example:
Jython
-customProperties ["attribute1=value1","attribute2=value2"]
Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
- -verifyRegistry (Boolean): Whether to verify the user registry. The default value is true, so verification is performed automatically.
Use the following example command to configure the custom user registry for global security:
- Jython
AdminTask.configureAdminCustomUserRegistry ('[-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAdminCustomUserRegistry {-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties {"attribute1=value1","attribute2=value2"}}
- Configure custom user registries for security domains.
- Determine the name of the security domain to configure.
Use the listSecurityDomains command to list all security domains on the server:
- Jython
AdminTask.listSecurityDomains()
- Jacl
$AdminTask listSecurityDomains
- Configure a custom user registry for a security domain.
This command is not supported in local mode.
Optional parameters. Use the configureAppCustomUserRegistry command and the following optional parameters to configure a custom user registry for a security domain:
- -securityDomainName (String): Unique name that identifies the security domain of interest.
- -realmName (String): Name of the realm of the user registry.
- -customRegClass (String): Name of the class that implements the com.ibm.websphere.security.UserRegistry interface.
- -ignoreCase (Boolean): Whether authorization is case sensitive. Specify true to ignore case during authorization.
- -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. For example:
Jython
-customProperties ["attribute1=value1","attribute2=value2"]
Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
- -verifyRegistry (Boolean): Whether to verify the user registry. The default value is true, so verification is performed automatically.
Use the following example command to configure the custom user registry for the domain2 security domain:
- Jython
AdminTask.configureAppCustomUserRegistry ('[-securityDomainName domain2 -realmName domain2Realm -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAppCustomUserRegistry {-securityDomainName domain2 -realmName domain2Realm -customProperties {"attribute1=value1","attribute2=value2"}}
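The procedure above (configure the registry for global security or for a domain, make it the active registry, verify, save) as one wsadmin Jython script. This is an added example, not code from the IBM page. It is written so that it runs both under the wsadmin Jython 2.1 interpreter shipped with WAS v8.0 (wsadmin -f thisfile.py) and under plain Python, where AdminTask and AdminConfig do not exist and only the argument strings are produced, so the string building can be checked offline. The registry class com.example.security.FileRegistry, the usersFile property, the assumption that listSecurityDomains returns one name per line, and the use of getActiveSecuritySettings with -securityDomainName are assumptions; domain2 and domain2Realm are the page's own names. The global variant deliberately uses -autoGenerateServerId so that no -serverIdPassword is embedded in a script or shell history.

```python
# Added example, not from the IBM page. Builds the argument strings that the
# configure*CustomUserRegistry and set*ActiveSecuritySettings commands take
# and applies them when run inside wsadmin (wsadmin -f thisfile.py). Written
# for both wsadmin Jython 2.1 (WAS v8.0) and plain Python 3, so the string
# building can be checked offline, where AdminTask/AdminConfig do not exist.
import sys

# Characters that the wsadmin argument parser would treat as delimiters or
# quoting if they appeared unquoted in a name or value (conservative choice).
_UNSAFE = ' \t\r\n"\'[]{}'

def _check_token(value, what):
    """Reject names and values that wsadmin could split or re-quote."""
    value = str(value)
    if value == "":
        raise ValueError("%s must not be empty" % what)
    for ch in value:
        if ch in _UNSAFE:
            raise ValueError("%s '%s' contains unsafe character '%s'" % (what, value, ch))
    return value

def format_custom_properties(props):
    """Render a dict as the Jython form of -customProperties: ["k=v","k2=v2"]."""
    keys = list(props.keys())
    keys.sort()  # deterministic order; Jython 2.1 has no sorted()
    pairs = []
    for key in keys:
        name = _check_token(key, "property name")
        if name.find("=") != -1:
            raise ValueError("property name '%s' must not contain '='" % name)
        pairs.append('"%s=%s"' % (name, _check_token(props[key], "property value")))
    return "[" + ",".join(pairs) + "]"

def domain_registry_args(domain, realm, reg_class, props=None, ignore_case=0):
    """Arguments for AdminTask.configureAppCustomUserRegistry (one security domain)."""
    parts = ["-securityDomainName " + _check_token(domain, "domain name"),
             "-realmName " + _check_token(realm, "realm name"),
             "-customRegClass " + _check_token(reg_class, "registry class")]
    if ignore_case:
        # Case-insensitive authorization merges principals that differ only in
        # case; leave it off unless the backing store itself is case-insensitive.
        parts.append("-ignoreCase true")
    if props:
        parts.append("-customProperties " + format_custom_properties(props))
    # -verifyRegistry is left at its default (true) so that a wrong class name
    # or bad properties fail at configuration time, not at first login.
    return "[" + " ".join(parts) + "]"

def global_registry_args(primary_admin, reg_class, props=None):
    """Arguments for AdminTask.configureAdminCustomUserRegistry (global security).
    Uses -autoGenerateServerId so no -serverIdPassword sits in the script."""
    parts = ["-autoGenerateServerId true",
             "-primaryAdminId " + _check_token(primary_admin, "primary admin id"),
             "-customRegClass " + _check_token(reg_class, "registry class")]
    if props:
        parts.append("-customProperties " + format_custom_properties(props))
    return "[" + " ".join(parts) + "]"

def active_registry_args(domain=None):
    """Arguments for setAdminActiveSecuritySettings (no domain) or
    setAppActiveSecuritySettings (with -securityDomainName)."""
    if domain is None:
        return "[-activeUserRegistry CustomUserRegistry]"
    return "[-securityDomainName %s -activeUserRegistry CustomUserRegistry]" % \
        _check_token(domain, "domain name")

def _wsadmin(name):
    """Return the wsadmin scripting object of that name, or None outside wsadmin."""
    return globals().get(name)

def configure_domain(domain, realm, reg_class, props=None):
    """Configure a custom registry for one existing security domain, make it the
    active registry, read the setting back, and save. Returns the argument strings."""
    cfg = domain_registry_args(domain, realm, reg_class, props)
    act = active_registry_args(domain)
    task = _wsadmin("AdminTask")
    if task is None:
        sys.stdout.write("offline: configureAppCustomUserRegistry %s\n" % cfg)
        sys.stdout.write("offline: setAppActiveSecuritySettings %s\n" % act)
        return (cfg, act)
    # Assumption: listSecurityDomains returns the domain names one per line.
    if domain not in task.listSecurityDomains().split():
        raise ValueError("security domain '%s' does not exist; create it first" % domain)
    task.configureAppCustomUserRegistry(cfg)
    task.setAppActiveSecuritySettings(act)
    # Assumption: getActiveSecuritySettings accepts -securityDomainName here.
    settings = task.getActiveSecuritySettings("[-securityDomainName %s]" % domain)
    if settings.find("CustomUserRegistry") == -1:
        raise RuntimeError("active registry for %s is not CustomUserRegistry" % domain)
    _wsadmin("AdminConfig").save()
    return (cfg, act)

if __name__ == "__main__":
    # Hypothetical class and property names; domain2/domain2Realm are the page's.
    configure_domain("domain2", "domain2Realm", "com.example.security.FileRegistry",
                     {"usersFile": "/opt/registry/users.props"})
```

The token check is deliberately stricter than wsadmin itself: a property value containing a space or a bracket can be expressed with extra quoting, but rejecting it keeps the generated argument string unambiguous and avoids a registry silently configured with a truncated property. Keep -verifyRegistry at its default so that a misspelled class name is caught while the change is still unsaved; a registry that cannot be loaded will otherwise lock out the primary administrative identity at the next restart.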
What to do next
Save the configuration changes:
AdminConfig.save()
Local operating system registries
Configure security domains using scripting
Map resources to security domains using scripting
Remove resources from security domains using scripting
Remove security domains using scripting