Configure custom user registries
Use this topic to configure custom user registries for global security and security domain configurations. We can define custom user registries at the global level and for multiple security domains.
We must meet the following requirements before configuring custom user registries:
- We must have the administrator or new admin role.
- Enable global security in the environment.
- Implement and build the UserRegistry interface and configure a custom registry.
- To configure custom user registries for multiple security domains, configure at least one security domain.
WAS security supports stand-alone custom registries in addition to the local operating system registry, stand-alone LDAP registries, and federated repositories for authentication and authorization. A stand-alone custom-implemented registry uses the UserRegistry Java interface as provided by the product. A stand-alone custom registry can support any type of account repository, such as a relational database or a flat file. We can specify custom user registries at the global level and at the security domain level.
When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security run time. The realm name for custom registries is set by the custom registry.
Use the following command to make a specific user registry the active user registry in the global security configuration:
- Jython
AdminTask.setAdminActiveSecuritySettings ('[-activeUserRegistry CustomUserRegistry]')
- Jacl
$AdminTask setAdminActiveSecuritySettings {-activeUserRegistry CustomUserRegistry}
Use the following command to make a specific user registry the active user registry in the security domain configuration:
- Jython
AdminTask.setAppActiveSecuritySettings ('[-securityDomainName domain2 -activeUserRegistry CustomUserRegistry]')
- Jacl
$AdminTask setAppActiveSecuritySettings {-securityDomainName domain2 -activeUserRegistry CustomUserRegistry}
In security domains, we can configure a different realm for each user registry configuration. For example, we can configure two registries that use the same LDAP server listening on the same port but use different base distinguished names (baseDN). This method lets the configuration serve different sets of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Multiple realms can exist in our configuration, and we can also specify a list of trusted realms. Communication between applications that use different realms is supported.
Use the following steps to configure custom user registries for the global security configuration and for multiple security domains:
- Configure custom user registries for global security configurations.
Supported configurations: This command is not supported in local mode.
Use the configureAdminCustomUserRegistry command and the following optional parameters to configure a custom user registry in the global security configuration:
- -autoGenerateServerId (Boolean): Whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter instead.
- -serverId (String): User identity in the repository to use for internal process communication.
- -serverIdPassword (String): Password that corresponds to the user identity.
- -primaryAdminId (String): Name of the user with administrative privileges as defined in the registry. This parameter does not apply to security domain configurations. The user name must exist in the user registry repository.
- -customRegClass (String): Name of the class that implements the com.ibm.websphere.security.UserRegistry interface.
- -ignoreCase (Boolean): Whether to ignore case during authorization. Specify true to ignore case; otherwise authorization is case sensitive.
- -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. For example:
- Jython
-customProperties ["attribute1=value1","attribute2=value2"]
- Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
- -verifyRegistry (Boolean): Whether to verify the user registry. The default value is true, and verification is performed automatically.
Use the following example command to configure the custom user registry for global security:
- Jython
AdminTask.configureAdminCustomUserRegistry ('[-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAdminCustomUserRegistry {-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties {"attribute1=value1","attribute2=value2"}}
- Configure custom user registries for security domains.
- Determine the name of the security domain to configure.
Use the listSecurityDomains command to list all security domains on the server:
- Jython
AdminTask.listSecurityDomains()
- Jacl
$AdminTask listSecurityDomains
- Configure a custom user registry for a security domain.
Supported configurations: This command is not supported in local mode.
Use the configureAppCustomUserRegistry command and the following optional parameters to configure a custom user registry for a security domain:
- -securityDomainName (String): Unique name identifying the security domain of interest.
- -realmName (String): Name of the realm of the user registry.
- -customRegClass (String): Name of the class that implements the com.ibm.websphere.security.UserRegistry interface.
- -ignoreCase (Boolean): Whether to ignore case during authorization. Specify true to ignore case; otherwise authorization is case sensitive.
- -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. For example:
- Jython
-customProperties ["attribute1=value1","attribute2=value2"]
- Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
- -verifyRegistry (Boolean): Whether to verify the user registry. The default value is true, and verification is performed automatically.
Use the following example command to configure the custom user registry for the domain2 security domain:
- Jython
AdminTask.configureAppCustomUserRegistry ('[-securityDomainName domain2 -realmName domain2Realm -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAppCustomUserRegistry {-securityDomainName domain2 -realmName domain2Realm -customProperties {"attribute1=value1","attribute2=value2"}}
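The security-domain steps above (list domains, configure the registry, make it active, save) as an added wsadmin Jython helper; this is example code, not from the IBM documentation. It assumes the built-in AdminTask and AdminConfig objects are passed in, that listSecurityDomains returns whitespace-separated names, and that com.example.MyRegistry is a placeholder for your own UserRegistry implementation.

```python
# Added example, not from the IBM page: helpers that build the wsadmin argument
# strings for the security-domain steps above and a driver that runs them
# against AdminTask/AdminConfig. Kept Python 2 compatible so it can also be
# loaded into the older Jython that wsadmin ships with.

def custom_properties_arg(props, lang="jython"):
    """Render name=value pairs as the -customProperties list: square
    brackets for Jython, braces for Jacl. Commas and equals signs inside a
    name or value would corrupt the list, so they are rejected."""
    pairs = []
    for name in props.keys():
        value = props[name]
        if "," in name or "=" in name or "," in value:
            raise ValueError("unsafe characters in custom property: " + name)
        pairs.append('"%s=%s"' % (name, value))
    body = ",".join(pairs)
    if lang == "jython":
        return "[" + body + "]"
    if lang == "jacl":
        return "{" + body + "}"
    raise ValueError("unknown wsadmin language: " + lang)

def configure_domain_registry_args(domain, realm, reg_class, props, verify=1):
    """Jython argument string for AdminTask.configureAppCustomUserRegistry."""
    return ("[-securityDomainName %s -realmName %s -customRegClass %s "
            "-customProperties %s -verifyRegistry %s]"
            % (domain, realm, reg_class,
               custom_properties_arg(props, "jython"),
               verify and "true" or "false"))

def activate_domain_registry_args(domain):
    """Jython argument string for AdminTask.setAppActiveSecuritySettings."""
    return "[-securityDomainName %s -activeUserRegistry CustomUserRegistry]" % domain

def configure_and_activate(admin_task, admin_config, domain, realm, reg_class, props):
    """Run the page's steps in order: check the domain exists, configure the
    registry (with verification on), make it active, then save.
    Assumption: listSecurityDomains returns whitespace-separated names."""
    names = str(admin_task.listSecurityDomains()).split()
    if domain not in names:
        raise ValueError("security domain does not exist: " + domain)
    admin_task.configureAppCustomUserRegistry(
        configure_domain_registry_args(domain, realm, reg_class, props))
    admin_task.setAppActiveSecuritySettings(activate_domain_registry_args(domain))
    admin_config.save()
    return [domain, realm]
```

In a wsadmin session, call `configure_and_activate(AdminTask, AdminConfig, "domain2", "domain2Realm", "com.example.MyRegistry", {"attribute1": "value1"})`; a nonexistent domain name raises before anything is changed.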
What to do next
Use the following command example to save the configuration changes:
AdminConfig.save()