EIM registry definitions

 

This information explains how you can create a registry definition to hold all your user registries for a system.

An Enterprise Identity Mapping (EIM) registry definition is an entry within EIM that you create to represent an actual user registry that exists on a system within the enterprise. A user registry operates like a directory and contains a list of valid user identities for a particular system or application. A basic user registry contains user identities and their passwords. One example of a user registry is the z/OS^® Security Server Resource Access Control Facility (RACF^®) registry. User registries can contain other information as well. For example, a Lightweight Directory Access Protocol (LDAP) directory contains bind distinguished names, passwords, and access controls to data that is stored in LDAP. Other examples of common user registries are the principals in a Kerberos realm or user identities in an Windows^® Active Directory domain, and the i5/OS^® user profiles registry.

You can also define user registries that exist within other user registries. Some applications use a subset of user identities within a single instance of a user registry. For example, the z/OS Security Server (RACF) registry can contain specific user registries that are a subset of users within the overall RACF user registry.

EIM registry definitions provide information regarding those user registries in an enterprise. The administrator defines these registries to EIM by providing the following information:

• A unique, arbitrary EIM registry name. Each registry definition represents a specific instance of a user registry. Consequently, you should choose an EIM registry definition name that helps you to identify the particular instance of the user registry. For example, you could choose the TCP/IP host name for a system user registry, or the host name combined with the name of the application for an application user registry. You can use any combination of alphanumeric characters, mixed case, and spaces to create unique EIM registry definition names.

• The type of user registry. There are a number of predefined user registry types that EIM provides to cover most operating system user registries. These include:

  • AIX^®

  • Domino^® - long name

  • Domino - short name

  • Kerberos

  • Kerberos - case sensitive

  • LDAP

  • - LDAP - short name

  • Linux^®

  • Novell Directory Server

  • - Other

  • - Other - case sensitive

  • i5/OS (or OS/400^®)

  • Tivoli^® Access Manager

  • RACF

  • Windows - local

  • Windows domain (Kerberos) (This type is case sensitive.)

  • X.509

  Although the predefined registry definition types cover most operating system user registries, you may need to create a registry definition for which EIM does not include a predefined registry type. You have two options in this situation. You can either use an existing registry definition which matches the characteristics of your user registry or you can define a private user registry type. For example in Figure 6, the administrator followed the process required and defined the type of registry as WebSphere LTPA for the System_A_WAS application registry definition.

In Figure 6, the administrator created EIM system registry definitions for user registries representing System A, System B, System C, and a Windows Active Directory that contains users' Kerberos principals with which users log into their desk top workstations. In addition, the administrator created an application registry definition for WebSphere^® (R) Lightweight Third-Party Authentication (LTPA), which runs on System A. The registry definition name that the administrator uses helps to identify the specific occurrence of the type of user registry. For example, an IP address or host name is often sufficient for many types of user registries. In this example, the administrator uses System_A_WAS as the application registry definition name to identify this specific instance of the WebSphere LTPA application. He also specifies that the parent system registry for the application registry definition is the System_A registry.

Figure 6: EIM registry definitions for five user registries in an enterprise

To further reduce the need to manage user passwords, the administrator in Figure 6 sets the i5/OS user profile passwords on System A and on System C to *NONE. The administrator in this case is configuring a single signon environment and the only application that his users work with are EIM-enabled applications such as iSeries™ Navigator. Consequently, the administrator wants to remove the passwords from their i5/OS user profiles so that both the users and he have fewer passwords to manage.

• System registry definitions
  Use this information to learn about creating a user registry for particular systems.

• Application registry definitions
  Use this information to learn how to create users registries for certain applications.

• Group registry definitions
  Use this information to learn about creating a group registry definition in an EIM domain that describes and represent a group of registry definitions.

 

Parent topic:

Enterprise Identity Mapping concepts

 

Related concepts

EIM domain
Defining a private user registry type in EIM