Configure local operating system user registries using scripting
Use this topic to configure user registries for global security and security domain configurations using the wsadmin tool. We can define user registries at the global level and for multiple security domains.
We must meet the following requirements before configuring local operating system user registries:
- We must have the administrator or new admin role.
- Enable global security in the environment.
- To configure local operating system user registries for multiple security domains, configure at least one security domain.
Configure local operating system user registries to support use of the authentication mechanism with the user accounts database of the local operating system. We can specify local operating system user registries at the global level and at the security domain.
When we configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security runtime. The system typically specifies the hostname for local operating system registries.
In security domains, we can configure a different realm for a user registry configuration. For example, we can configure two registries that use the same LDAP server listening on the same port, but use different base distinguished names (baseDN). This allows the configuration to serve different sets of users and groups. To use this type of scenario, specify a realm name for each user registry configured for a domain. Because there can be multiple realms in the configuration, we can also specify a list of trusted realms. This allows communication between applications that use different realms.
Use the following steps to configure local operating system user registries for our global security configuration and for multiple security domains:
Tasks
- Configure local operating system registries for global security configurations.
  - Use the configureAdminLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry in your global security configuration.
  This command is not supported in a local mode.
  Parameters (data type in parentheses):
  -autoGenerateServerId (Boolean): Specifies whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter.
  -serverId (String): User identity in the repository to use for internal process communication.
  -serverIdPassword (String): Password that corresponds to the user identity.
  -primaryAdminId (String): Name of the user with administrative privileges as defined in the registry. This parameter does not apply to security configurations. The user name must exist in the user registry repository.
  -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry. Separate each attribute and value pair with a comma character (,), as the following syntax displays: "attribute1=value1","attribute2=value2"
  -verifyRegistry (Boolean): Specifies whether to verify the user registry. Default is true and verification is automatically performed.
  -ignoreCase (Boolean): Specifies whether to perform the case-sensitive authorization check. This only applies to the z/OS local operating system user registry.
  Use the following Jython example command to configure the local operating system registry for global security:
  AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -primaryAdminId gsAdmin')
  - Configure the user registry to be the active user registry for the server.
  For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for our global security configuration:
  AdminTask.setAdminActiveSecuritySettings('-activeUserRegistry LocalOSUserRegistry')
  - Save the configuration changes.
  AdminConfig.save()
- Configure local operating system registries for security domains.
  - Determine the name of the security domain to configure.
  Use the listSecurityDomains command to list all security domains on the server:
  AdminTask.listSecurityDomains()
  To configure the local operating system registry for a specific server, cluster, or cell, use the getSecurityDomainForResource command to display the security domain name for the management scope of interest. The following Jython example displays the name of the security domain configured at the cell level:
  AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node=myNode:Server=myServer')
  For this example, the command returns the following output:
  domain2
  - Configure a local operating system user registry for a security domain. Use the configureAppLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry.
  This command is not supported in a local mode.
  Parameters (data type in parentheses):
  -securityDomainName (String): Unique name that identifies the security domain of interest.
  -realmName (String): Name of the realm of the user registry.
  -customProperties (String): List of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character (,).
  -verifyRegistry (Boolean): Specifies whether to verify the user registry. Default is true, and verification is automatically performed.
  -ignoreCase (Boolean): Specifies whether to perform the case-sensitive authorization check. This only applies to the z/OS local operating system user registry.
  Use the following Jython command to configure the local operating system user registry for the domain2 security domain:
  AdminTask.configureAppLocalOSUserRegistry('-securityDomainName domain2 -realmName domain2Realm')
  - Configure the user registry to be the active user registry for the server.
  For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for our security domain configuration:
  AdminTask.setAppActiveSecuritySettings('-securityDomainName domain2 -activeUserRegistry LocalOSUserRegistry')
  - Save the configuration changes.
  AdminConfig.save()
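The two procedures above (global security and security domain) are each three AdminTask calls followed by a save. The following added example, which is not from the IBM page and not IBM code, wraps both procedures in Jython functions that build the parameter strings and enforce the differences the page describes: the global registry gets no -realmName (the runtime derives it), the domain registry requires one, and -serverId must come with -serverIdPassword instead of -autoGenerateServerId. AdminTask and AdminConfig are passed in as arguments, so inside wsadmin you call the functions with the real objects; the RecordingAdmin class is a constructed stand-in that records the calls so the script can be exercised outside wsadmin. The quoting rules in build_args and custom_properties (double-quoting values with whitespace, rejecting commas, quotes and equals signs inside custom property names and values) are this example's conservative assumptions, not documented wsadmin behaviour. The syntax avoids Python 2.2+ features so it also runs under the Jython 2.1 that wsadmin ships with.

```python
# Added example (not from the IBM page): wsadmin Jython helpers for the two
# local OS registry procedures. AdminTask/AdminConfig are passed in, e.g.
#   configure_domain_registry(AdminTask, AdminConfig, 'domain2', 'domain2Realm')
# Outside wsadmin, RecordingAdmin (a constructed stub) records the calls instead.

def build_args(pairs):
    """Join (parameter, value) pairs into the single parameter string that
    AdminTask commands accept, e.g. '-securityDomainName domain2 -realmName x'.
    Assumption of this example: a value containing whitespace is wrapped in
    double quotes; a value that is empty, padded, or both spaced and quoted
    is rejected rather than guessed at."""
    parts = []
    for name, value in pairs:
        if not name.startswith('-'):
            raise ValueError('parameter name must start with "-": %r' % name)
        value = str(value)
        if value == '' or value != value.strip():
            raise ValueError('empty or padded value for %s' % name)
        if ' ' in value or '\t' in value:
            if '"' in value:
                raise ValueError('cannot safely quote the value for %s' % name)
            value = '"%s"' % value
        parts.append('%s %s' % (name, value))
    return ' '.join(parts)

def custom_properties(props):
    """Render a dict as "attr1=value1","attr2=value2", the syntax the page
    gives for -customProperties. Keys are sorted for stable output. Commas,
    double quotes and '=' would be ambiguous inside a name or value, so this
    example rejects them (a conservative choice, not a documented rule)."""
    keys = list(props.keys())
    keys.sort()
    items = []
    for key in keys:
        value = str(props[key])
        for text in (key, value):
            for ch in ('"', ',', '='):
                if ch in text:
                    raise ValueError('%r not allowed in custom property %r' % (ch, key))
        items.append('"%s=%s"' % (key, value))
    return ','.join(items)

def configure_global_registry(admin_task, admin_config, primary_admin_id,
                              server_id=None, server_id_password=None,
                              custom_props=None):
    """Global security procedure: configure the registry, make it active, save.
    No -realmName is passed: at the global level the runtime derives the realm
    (typically the hostname). Either the server identity is auto-generated or an
    explicit -serverId with its -serverIdPassword is given, never both."""
    pairs = [('-primaryAdminId', primary_admin_id)]
    if server_id is None:
        pairs.append(('-autoGenerateServerId', 'true'))
    else:
        if not server_id_password:
            raise ValueError('-serverId requires -serverIdPassword')
        pairs.append(('-serverId', server_id))
        pairs.append(('-serverIdPassword', server_id_password))
    if custom_props:
        pairs.append(('-customProperties', custom_properties(custom_props)))
    admin_task.configureAdminLocalOSUserRegistry(build_args(pairs))
    admin_task.setAdminActiveSecuritySettings(
        build_args([('-activeUserRegistry', 'LocalOSUserRegistry')]))
    admin_config.save()

def configure_domain_registry(admin_task, admin_config, domain_name, realm_name,
                              custom_props=None):
    """Security domain procedure: configure the registry, make it active, save.
    A realm name is mandatory here because several domains (and realms) coexist."""
    if not realm_name:
        raise ValueError('a security domain registry needs an explicit realm name')
    pairs = [('-securityDomainName', domain_name), ('-realmName', realm_name)]
    if custom_props:
        pairs.append(('-customProperties', custom_properties(custom_props)))
    admin_task.configureAppLocalOSUserRegistry(build_args(pairs))
    admin_task.setAppActiveSecuritySettings(build_args(
        [('-securityDomainName', domain_name),
         ('-activeUserRegistry', 'LocalOSUserRegistry')]))
    admin_config.save()

class _RecordedCommand:
    """Callable that appends (command, args...) to a shared call list."""
    def __init__(self, calls, command):
        self.calls = calls
        self.command = command
    def __call__(self, *args):
        self.calls.append((self.command,) + args)

class RecordingAdmin:
    """Constructed stand-in for AdminTask and AdminConfig outside wsadmin:
    any attribute access yields a recorder, so rec.save() or
    rec.configureAppLocalOSUserRegistry('...') is logged, not executed."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, command):
        return _RecordedCommand(self.calls, command)
```

Inside wsadmin, replace the RecordingAdmin instances with the real AdminTask and AdminConfig objects; the parameter strings produced for the page's own examples are exactly the ones shown above, and the save only happens after both commands have succeeded, so a failed registry command never leaves a half-configured domain persisted.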
What to do next
Related:
- Local operating system registries
- Configure security domains using scripting
- Mapping resources to security domains using scripting
- Removing resources from security domains using scripting
- Removing security domains using scripting