Realm configuration settings
Use this page to manage the realm. The realm can consist of identities in the file-based repository that is built into the system, in one or more external repositories, or in both the built-in, file-based repository and one or more external repositories.
To view this administrative console page:
- In the administrative console, click Security > Security domains.
- Under User realm, select Customize for this domain. Select Federated repositories from the Realm type field and click Configure.
When you finish adding or updating the federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.
A single built-in, file-based repository is built into the system and included in the realm by default.
We can configure one or more LDAP repositories to store identities in the realm. Click Add base entry to realm to specify a repository configuration and a base entry into the realm. We can configure multiple different base entries into the same repository.
Click Remove to remove selected repositories from the realm. Repository configurations and contents are not destroyed. The following restrictions apply:
- The realm must always contain at least one base entry; therefore, we cannot remove every entry.
- If we plan to remove the built-in, file-based repository from the administrative realm, verify that at least one user in another member repository is a console user with administrative rights. Otherwise, you must disable security to regain access to the administrative console.
WAS v7 distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.
(dist) However, if you are adding a previous version node to the latest version cell and the previous version node used a server identity and password, you must ensure that the server identity and password for the previous version are defined in the repository for this cell. Enter the server user identity and password on this panel.
Realm name
Name of the realm. We can change the realm name, but you should complete any other federated repository configuration steps prior to making this change.
Primary administrative user name
Name of the user with administrative privileges defined in the repository, for example, adminUser.
The user name is used to log on to the administrative console when administrative security is enabled. Version 6.1 requires an administrative user that is distinct from the server user identity so that administrative actions can be audited.
In WebSphere Application Server, Version 6.0.x, a single user identity is required for both administrative access and internal process communication. When migrating to Version 6.1, this identity is used as the server user identity. You need to specify another user for the administrative user identity.
Automatically generated server identity
Enables the application server to generate the server identity, which is recommended for environments containing only Version 6.1 or later nodes. Automatically generated server identities are not stored in a user repository.
Information Value Default: Enabled
Server identity stored in the repository
User identity in the repository used for internal process communication. Cells containing Version 6.1 or later nodes require a server user identity defined in the active user repository.
Information Value Default: Enabled
(zos) User identity for the z/OS started task
User identity that is associated with the z/OS system started task. Each controller and server can have its own identity.
Server user ID or administrative user on a Version 6.0.x node
User ID used to run the application server for security purposes.
Password
Password that corresponds to the server ID.
Ignore case for authorization
Specifies that a case-insensitive authorization check is performed.
If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option.
Allow operations if some of the repositories are down
Whether operations (such as login, search, or get) are allowed even if the repositories in the realm are down.
Use global schema for model
Sets the global schema option for the data model in a multiple security domain environment. Global schema refers to the schema of the admin domain.
Avoid trouble: Application domains that are set to use global schema share the same schema of the admin domain. If we extend the schema for an application in one domain, you must also consider how that might affect applications of other domains, as they are bound by the same schema. For example, adding a mandatory property for one application might cause other applications to fail.gotcha
Base entry
Base entry within the realm. This entry and its descendents are part of the realm.
Repository identifier
Unique identifier for the repository. This identifier uniquely identifies the repository within the cell.
Repository type
Repository type, such as File or LDAP.
Related
Lightweight Directory Access Protocol repository configuration settings