Configure custom user registries using scripting
Use this topic to configure custom user registries for global security and security domain configurations using the wsadmin tool. We can define custom user registries at the global level and for multiple security domains.
We must meet the following requirements before configuring custom user registries:
- We must have the administrator or new admin role.
- Enable global security in the environment.
- Implement and build the UserRegistry interface and configure a custom registry.
- To configure custom user registries for multiple security domains, configure at least one security domain.
WebSphere Application Server security supports stand-alone custom registries in addition to the local operating system registry, standalone LDAP registries, and federated repositories for authentication and authorization. A stand-alone custom-implemented registry uses the UserRegistry Java interface as provided by the product. A stand-alone custom registry can support any type of account repository from a relational database, flat file, and so on. We can specify custom user registries at the global level and at the security domain.
When we configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security run time. The realm name for custom registries is set by the custom registry.
To make a specific user registry the active user registry in the global security configuration:
- Jython
AdminTask.setAdminActiveSecuritySettings ('[-activeUserRegistry CustomUserRegistry]')
- Jacl
$AdminTask setAdminActiveSecuritySettings {-activeUserRegistry CustomUserRegistry}
To make a specific user registry the active user registry in the security domain configuration:
- Jython
AdminTask.setAppActiveSecuritySettings ('[-securityDomainName domain2 -activeUserRegistry CustomUserRegistry]')
- Jacl
$AdminTask setAppActiveSecuritySettings {-securityDomainName domain2 -activeUserRegistry CustomUserRegistry}
In security domains, we can configure a different realm for each user registry configuration. For example, we can configure two registries that use the same LDAP server listening on the same port, but use different base distinguished names (baseDN). This method lets the configuration serve different sets of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Multiple realms can exist in the configuration, and we can also specify a list of trusted realms. Communication between applications that use different realms is supported.
Use the following steps to configure custom user registries for our global security configuration and for multiple security domains:
Tasks
- Configure custom user registries for global security configurations.
This command is not supported in a local mode.
| Parameter | Description | Data type |
| --- | --- | --- |
| -autoGenerateServerId | Specifies whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter instead. | Boolean |
| -serverId | User identity in the repository to use for internal process communication. | String |
| -serverIdPassword | Password that corresponds to the user identity. | String |
| -primaryAdminId | Name of the user with administrative privileges as defined in the registry. This parameter does not apply to security configurations. The user name must exist in the user registry repository. | String |
| -customRegClass | Class name that implements the com.ibm.websphere.security.UserRegistry interface. | String |
| -ignoreCase | Specifies whether authorization is case-sensitive. Specify true to ignore case during authorization. | Boolean |
| -customProperties | List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. | String |
| -verifyRegistry | Specifies whether to verify the user registry. Default is true and verification is automatically performed. | Boolean |
For example, the -customProperties value is written as follows:
- Jython
-customProperties ["attribute1=value1","attribute2=value2"]
- Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
Use the following example command to configure the custom user registry for global security:
- Jython
AdminTask.configureAdminCustomUserRegistry ('[-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAdminCustomUserRegistry {-autoGenerateServerId true -primaryAdminId gsAdmin -customProperties {"attribute1=value1","attribute2=value2"}}
- Configure custom user registries for security domains.
- Determine the name of the security domain to configure.
Use the listSecurityDomains command to list all security domains on the server:
- Jython
AdminTask.listSecurityDomains()
- Jacl
$AdminTask listSecurityDomains
- Configure a custom user registry for a security domain.
This command is not supported in a local mode.
| Parameter | Description | Data type |
| --- | --- | --- |
| -securityDomainName | Unique name that identifies the security domain of interest. | String |
| -realmName | Name of the realm of the user registry. | String |
| -customRegClass | Class name that implements the com.ibm.websphere.security.UserRegistry interface. | String |
| -ignoreCase | Specifies whether authorization is case-sensitive. Specify true to ignore case during authorization. | Boolean |
| -customProperties | List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character, and surround the whole list with bracket characters ([]) in Jython or brace characters ({}) in Jacl. | String |
| -verifyRegistry | Specifies whether to verify the user registry. Default is true and verification is automatically performed. | Boolean |
For example, the -customProperties value is written as follows:
- Jython
-customProperties ["attribute1=value1","attribute2=value2"]
- Jacl
-customProperties {"attribute1=value1","attribute2=value2"}
Use the following example command to configure the custom user registry for the domain2 security domain:
- Jython
AdminTask.configureAppCustomUserRegistry ('[-securityDomainName domain2 -realmName domain2Realm -customProperties ["attribute1=value1","attribute2=value2"]]')
- Jacl
$AdminTask configureAppCustomUserRegistry {-securityDomainName domain2 -realmName domain2Realm -customProperties {"attribute1=value1","attribute2=value2"}}
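The following script ties the global-security and security-domain procedures above together in one Jython file that can be passed to wsadmin. It is an added example, not code from the IBM page or from WebSphere itself. It assumes that AdminTask and AdminConfig are the objects wsadmin injects into a Jython session, that the output of listSecurityDomains splits on whitespace into domain names, and that com.example.MyRegistry is a placeholder for our own UserRegistry implementation; FakeAdminTask is a constructed stand-in that only exists so the script can be exercised outside wsadmin. It builds the parameter strings for configureAdminCustomUserRegistry and configureAppCustomUserRegistry, rejects custom property values that would break out of the bracketed list syntax, prefers -autoGenerateServerId over scripting a server password, and checks that the target domain exists before configuring it.

```python
"""Drive the wsadmin steps from this topic from one Jython script.

Assumptions (not from the page): AdminTask and AdminConfig are the objects
that wsadmin injects into a Jython session, the output of listSecurityDomains
splits on whitespace into domain names, and com.example.MyRegistry is a
placeholder for the UserRegistry implementation class. Only Python 2.5-era
syntax is used so the same file runs under wsadmin's Jython.
"""

# Characters that would corrupt the bracketed wsadmin list syntax.
_UNSAFE = '"[]{}'


def format_custom_properties(props):
    """Render a mapping as the Jython-style -customProperties literal,
    e.g. {"attribute1": "value1"} -> ["attribute1=value1"], rejecting
    keys or values that would break out of the quoted list."""
    items = []
    for key in sorted(props):
        value = str(props[key])
        for ch in _UNSAFE:
            if ch in key or ch in value:
                raise ValueError("custom property %r contains unsafe %r" % (key, ch))
        items.append('"%s=%s"' % (key, value))
    return "[" + ",".join(items) + "]"


def global_registry_params(primary_admin_id, custom_reg_class, props=None,
                           server_id=None, server_id_password=None):
    """Parameter string for configureAdminCustomUserRegistry. Without an
    explicit server identity the server ID is auto-generated, so no
    password has to live in the script."""
    if server_id is None:
        parts = ["-autoGenerateServerId true"]
    else:
        if not server_id_password:
            raise ValueError("-serverId requires -serverIdPassword")
        parts = ["-serverId %s -serverIdPassword %s" % (server_id, server_id_password)]
    parts.append("-primaryAdminId %s -customRegClass %s" % (primary_admin_id, custom_reg_class))
    if props:
        parts.append("-customProperties %s" % format_custom_properties(props))
    return "[" + " ".join(parts) + "]"


def domain_registry_params(domain, realm, custom_reg_class, props=None):
    """Parameter string for configureAppCustomUserRegistry; a realm name is
    required here because each domain may carry its own realm."""
    parts = ["-securityDomainName %s -realmName %s -customRegClass %s"
             % (domain, realm, custom_reg_class)]
    if props:
        parts.append("-customProperties %s" % format_custom_properties(props))
    return "[" + " ".join(parts) + "]"


def configure_domain_registry(admin_task, domain, realm, custom_reg_class, props=None):
    """The security-domain procedure: confirm the domain exists, configure the
    custom registry for it, then make that registry the active one.
    Returns the names of the commands issued, in order."""
    known = admin_task.listSecurityDomains().split()   # assumption: whitespace-separated names
    if domain not in known:
        raise ValueError("security domain %r does not exist (found %r); configure it first"
                         % (domain, known))
    admin_task.configureAppCustomUserRegistry(
        domain_registry_params(domain, realm, custom_reg_class, props))
    admin_task.setAppActiveSecuritySettings(
        "[-securityDomainName %s -activeUserRegistry CustomUserRegistry]" % domain)
    return ["configureAppCustomUserRegistry", "setAppActiveSecuritySettings"]


class FakeAdminTask(object):
    """Constructed stand-in for wsadmin's AdminTask so the script can be
    exercised outside wsadmin; it records every call it receives."""
    def __init__(self, domains):
        self.domains = list(domains)
        self.calls = []

    def listSecurityDomains(self):
        return "\n".join(self.domains)

    def configureAppCustomUserRegistry(self, params):
        self.calls.append(("configureAppCustomUserRegistry", params))

    def setAppActiveSecuritySettings(self, params):
        self.calls.append(("setAppActiveSecuritySettings", params))


if __name__ == "__main__":
    try:
        task, config = AdminTask, AdminConfig               # inside wsadmin
    except NameError:
        task, config = FakeAdminTask(["domain2"]), None     # offline dry run
    configure_domain_registry(task, "domain2", "domain2Realm",
                              "com.example.MyRegistry",
                              {"attribute1": "value1", "attribute2": "value2"})
    if config is not None:
        config.save()                                       # persist, as in "What to do next"
    else:
        for name, params in task.calls:
            print("%s %s" % (name, params))
```

Run it with wsadmin -lang jython -f and the AdminTask branch is taken; run it with a plain Python interpreter and the fake records the two commands that would have been issued, which is a convenient way to review the exact parameter strings before touching a live cell.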
What to do next
Save the configuration changes:
AdminConfig.save()
Related:
- Local operating system registries
- Configure security domains using scripting
- Mapping resources to security domains using scripting
- Removing resources from security domains using scripting
- Removing security domains using scripting