Configure the UDDI registry to use WAS security
We can configure the UDDI registry to determine whether users are allowed access to services, and to determine security of data at the transport level.
- WebSphere Application Server administrative security must be enabled. For details, see the topic about enabling security.
- WAS must be configured to use HTTP over Secure Sockets Layer (HTTPS) to support secure access to the UDDI registry. By default, WAS is configured to accept SSL requests on port 9443. To make additional SSL configuration changes, see the topic about SSL configurations for selected scopes.
The UDDI registry uses two aspects of WAS security:
- Authorization: determines whether users are allowed access to services. WAS determines authorization by mapping users, or groups of users, to roles. UDDI uses two WAS special subjects: Everyone (all users are allowed access) and AllAuthenticatedUsers (only valid WAS registered users are allowed access).
- Data confidentiality: determines security at the transport level. Data confidentiality for WAS services can be either none, where HTTP is used as the transport protocol, or confidential, where the use of SSL is required and HTTPS is used as the transport protocol.
When WAS security is enabled, the default settings in the UDDI Version 3 Application and web deployment descriptors produce the following results:
- Publish, Custody Transfer, and Security services are mapped to the AllAuthenticatedUsers special subject, and data confidentiality is enforced through HTTPS. Authentication uses the standard WAS security facilities and the UDDI registry does not have a separate registration function. To use publish functions, users must supply their WAS user name and password (unless you modified the supplied publish role), and must also be registered UDDI publishers. By registering users as UDDI publishers, you control which users in the AllAuthenticatedUsers subject can update the UDDI registry.
- Inquiry services are mapped to the Everyone special subject, data confidentiality is not enforced, and HTTP is used. To use inquiry services, users do not have to supply a user name or password, and do not have to be registered UDDI publishers.
You can keep the default settings described previously, or change them by mapping roles to different users or user groups. If you change the mappings, enable the Automatically register UDDI publishers property of the UDDI node settings so that you do not have to use two mechanisms (role mapping and publisher registration) to give access to a subset of users. If a role is not mapped to any users or user groups, all access to that role is disabled.
For more information about UDDI role mappings, and a list of UDDI registry services and roles, see the topic about access control for UDDI registry interfaces.
To change the default settings, use the following steps:
Tasks
- To change the role mappings using the administrative console, complete the following steps:
  - In the navigation pane, click Applications > Application Types > WebSphere enterprise applications.
  - In the content pane, click the UDDI registry application.
  - Under Detail Properties, click Security role to user/group mapping.
  - Make the changes you require, then click OK.
- To change the role mappings using the wsadmin command, complete the following step:
  - Use the edit command of the AdminApp object and the MapRolesToUsers option of this command to map the roles defined in the UDDI registry application to the special subjects Everyone or AllAuthenticatedUsers, to users, or to user groups. For example, the following command maps the Version 3 GUI Publish role to Everyone, and the Version 3 SOAP Publish role to user user1 and group group1. UDDI_Registry_Application is a variable that represents the name of the UDDI registry application.
Use Jython:
    AdminApp.edit(UDDI_Registry_Application, ["-MapRolesToUsers", [["GUI_Publish_User", "Yes", "No", "", ""], ["V3SOAP_Publish_User_Role", "No", "No", "user1", "group1"]]])
Use Jacl:
    $AdminApp edit $UDDI_Registry_Application {-MapRolesToUsers { {"GUI_Publish_User" Yes No "" ""} {"V3SOAP_Publish_User_Role" No No "user1" "group1"} }}
- Optional: To change the data confidentiality settings, see the topic about configuring SOAP API and GUI services for the UDDI registry.
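Before applying a new MapRolesToUsers list, it is worth checking it against the two consequences described above: a role with no subject, user or group mapped has all access disabled, and a publish role mapped to Everyone no longer requires a WAS user name and password. The following audit is an added example in plain Python (it uses no wsadmin objects and is not part of the product documentation); each entry has the [role, Everyone, AllAuthenticatedUsers, users, groups] shape used by the command above, and the Example_* role names in the sample list are constructed placeholders.

```python
# Audit a -MapRolesToUsers list before passing it to AdminApp.edit.
# Plain Python, runs offline; no wsadmin objects are used.

EVERYONE = "Everyone"
ALL_AUTHENTICATED = "AllAuthenticatedUsers"


def mapping_state(entry):
    """Classify one [role, everyone, allAuthenticated, users, groups] entry."""
    role, everyone, all_auth, users, groups = entry
    if everyone.strip().lower() == "yes":
        return EVERYONE
    if all_auth.strip().lower() == "yes":
        return ALL_AUTHENTICATED
    if users.strip() or groups.strip():
        return "explicit"
    return "unmapped"


def audit_role_mappings(entries):
    """Return (role, level, message) findings; an empty list means no concerns."""
    findings = []
    for entry in entries:
        role, users, groups = entry[0], entry[3], entry[4]
        state = mapping_state(entry)
        if state == "unmapped":
            findings.append((role, "error",
                             "no subject, user or group mapped: all access to this role is disabled"))
        elif state == EVERYONE and "publish" in role.lower():
            # Assumption: role names containing "Publish" guard update operations,
            # as the GUI_Publish_User and V3SOAP_Publish_User_Role names suggest.
            findings.append((role, "warning",
                             "publish role mapped to Everyone: no WAS user name/password required to update the registry"))
        elif state == EVERYONE and (users.strip() or groups.strip()):
            findings.append((role, "info",
                             "explicit users/groups are redundant because Everyone is already mapped"))
    return findings


# Constructed sample: first two entries mirror the wsadmin example above,
# the Example_* roles are placeholders, not real UDDI role names.
SAMPLE_MAPPINGS = [
    ["GUI_Publish_User", "Yes", "No", "", ""],
    ["V3SOAP_Publish_User_Role", "No", "No", "user1", "group1"],
    ["Example_Inquiry_Role", "Yes", "No", "", ""],
    ["Example_CustodyTransfer_Role", "No", "No", "", ""],
]

if __name__ == "__main__":
    for role, level, message in audit_role_mappings(SAMPLE_MAPPINGS):
        print("%-8s %s: %s" % (level.upper(), role, message))
```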
Next topic: UDDI registry security and UDDI registry settings
Related:
- Access control for UDDI registry interfaces
- Enable security
- Configure UDDI security with WAS security enabled
- Configure UDDI security with WAS security disabled
- Configure SOAP API and GUI services for the UDDI registry
- Options for the AdminApp object install, installInteractive, edit, editInteractive, update, and updateInteractive commands
- UDDI node settings
- SSL configurations for selected scopes