Configure local operating system user registries

Use this topic to configure user registries for global security and security domain configurations . We can define user registries at the global level and for multiple security domains.

We must meet the following requirements before configuring local operating system user registries:

• We must have the administrator or new admin role.

• Enable global security in the environment.

• To configure local operating system user registries for multiple security domains, configure at least one security domain.

Configure local operating system user registries to support use of the authentication mechanism with the user accounts database of the local operating system. We can specify local operating system user registries at the global level and at the security domain.

When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security runtime. The system typically specifies the hostname for local operating system registries.

In security domains, we can configure a different realm for a user registry configuration. For example, we can configure two registries that use the same LDAP server listening on the same port, but use different base distinguished names (baseDN). This allows the configuration to serve different sets of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Because there can be multiple realms in the configuration, we can also specify a list of trusted realms. This allows communication between applications that use different realms.

Use the following steps to configure local operating system user registries for the global security configuration and for multiple security domains:

• Configure local operating system registries for global security configurations.

  1. Use the configureAdminLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry in the global security configuration.

     Supported configurations: This command is not supported in a local mode.

     table lists the configureAdminLocalOSUserRegistry command and its

     Parameter	Description	Data type
     -autoGenerateServerId	Whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter.	Boolean
     -serverId	User identity in the repository to use for internal process communication.	String
     -serverIdPassword	Password that corresponds to the user identity.	String
     -primaryAdminId	Name of the user with administrative privileges as defined in the registry. This parameter does not apply to security configurations. The user name must exist in the user registry repository.	String
     -customProperties	List of attribute and value pairs to store as custom properties on the user registry. Separate each attribute and value pair with a comma character (,), as the following syntax displays: "attribute1=value1","attribute2=value2"	String
     -verifyRegistry	Whether to verify the user registry. The default value is true and verification is automatically performed.	Boolean
     -ignoreCase	Whether to perform the case-sensitive authorization check. This only applies to the z/OS local operating system user registry.	Boolean

     Use the following Jython example command to configure the local operating system registry for global security:

     AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -primaryAdminId gsAdmin')

  2. Configure the user registry to be the active user registry for the server.

     For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for the global security configuration:

     AdminTask.setAdminActiveSecuritySettings('-activeUserRegistry LocalOSUserRegistry')

  3. Save the configuration changes.

     Use the following command example to save the configuration changes:

     AdminConfig.save()

• Configure local operating system registries for security domains.

  1. Determine the name of the security domain to configure.

     Use the listSecurityDomains command to list all security domains on the server, as the following Jython example demonstrates:

     AdminTask.listSecurityDomains()

     To configure the local operating system registry for a specific server, cluster, or cell, use the getSecurityDomainForResource command to display the security domain name for the management scope of interest. The following Jython example displays the name of the security domain configured at the cell-level:

     AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node=myNode:Server=myServer')

     For this example, the command returns the following output:

     domain2

  2. Configure a local operating system user registry for a security domain. Use the configureAppLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry.

     Supported configurations: This command is not supported in a local mode.

     table describes the configureAppLocalOSUserRegistry command and its

     Parameter	Description	Data type
     -securityDomainName	Unique name identifying security domain of interest.	String
     -realmName	Name of the realm of the user registry.	String
     -customProperties	List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character (,).	String
     -verifyRegistry	Whether to verify the user registry. The default value is true, and verification is automatically performed.	Boolean
     -ignoreCase	Whether to perform the case-sensitive authorization check. This only applies to the z/OS local operating system user registry.	Boolean

     Use the following Jython command to configure the local operating system user registry for the domain2 security domain:

     AdminTask.configureAppLocalOSUserRegistry('-securityDomainName domain2 -realmName domain2Realm')

  3. Configure the user registry to be the active user registry for the server.

     For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for the security domain configuration:

     AdminTask.setAppActiveSecuritySettings('-securityDomainName domain2 -activeUserRegistry LocalOSUserRegistry')

  4. Save the configuration changes.

     Use the following command example to save the configuration changes:

     AdminConfig.save()

What to do next

Related concepts

Local operating system registries

Related tasks

Configure security domains

Mapping resources to security domains

Remove resources from security domains

Remove security domains