Realm configuration settings
The realm can consist of identities in the file-based repository built into the system, in one or more external repositories, or in both the built-in, file-based repository and one or more external repositories.
To view this administrative console page:
Security > Security domains > User realm > Customize for this domain > Realm type > Federated repositories > Configure
When we finish adding or updating the federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.
A single built-in, file-based repository is built into the system and included in the realm by default.
We can configure one or more LDAP repositories to store identities in the realm. Click Add base entry to realm to specify a repository configuration and a base entry into the realm. We can configure multiple different base entries into the same repository.
Click Remove to remove selected repositories from the realm. Repository configurations and contents are not destroyed. The following restrictions apply:
- The realm must always contain at least one base entry; therefore, we cannot remove every entry.
- If we plan to remove the built-in, file-based repository from the administrative realm, verify that at least one user in another member repository is a console user with administrative rights. Otherwise, disable security to regain access to the administrative console.
WebSphere Application Server distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.
If we are adding a previous version node to the latest version cell and the previous version node used a server identity and password, ensure that the server identity and password for the previous version are defined in the repository for this cell. Enter the server user identity and password on this panel.
Realm name
Name of the realm. We can change the realm name, but we should complete any other federated repository configuration steps prior to making this change.
Primary administrative user name
Name of the user with administrative privileges defined in the repository, for example, adminUser.
The user name is used to log on to the administrative console when administrative security is enabled. v6.1 requires an administrative user that is distinct from the server user identity so that administrative actions can be audited.
In WebSphere Application Server, v6.0.x, a single user identity is required for both administrative access and internal process communication. When migrating to v6.1, this identity is used as the server user identity. We need to specify another user for the administrative user identity.
Automatically generated server identity
Enables the application server to generate the server identity, which is recommended for environments that contain only v6.1 or later nodes. Automatically generated server identities are not stored in a user repository.
Information Value Default: Enabled
Server identity stored in the repository
User identity in the repository used for internal process communication. Cells that contain v6.1 or later nodes require a server user identity defined in the active user repository.
Information Value Default: Enabled
Server user ID or administrative user on a v6.0.x node
User ID used to run the application server for security purposes.
(Dist)
Password
Password that corresponds to the server ID.
Ignore case for authorization
That a case-insensitive authorization check is performed.
If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option.
Allow operations if some of the repositories are down
Specifies whether operations (such as login, search, or get) are allowed even if the repositories in the realm are down.
Use global schema for model
Sets the global schema option for the data model in a multiple security domain environment. Global schema refers to the schema of the admin domain.
Application domains that are set to use global schema share the same schema of the admin domain. If we extend the schema for an application in one domain, we must also consider how that might affect applications of other domains, as they are bound by the same schema. For example, adding a mandatory property for one application might cause other applications to fail.
Base entry
Base entry within the realm. This entry and its descendents are part of the realm.
Repository identifier
Unique identifier for the repository. This identifier uniquely identifies the repository within the cell.
Repository type
Repository type, such as File or LDAP.
Related tasks:
Manage the realm in a federated repository configuration Related reference:
LDAP repository configuration settings