Configure the custom user registry
Before you begin this task, implement and build the UserRegistry interface. For more information about developing custom user registries, see Develop custom user registries. For a sample custom user registry code example, see Custom user registries.
The following steps are required to configure custom user registries through the administrative console:
In the administrative console, click Security --> User Registries --> Custom in the left navigation panel.
Enter a valid user name in the Server User ID field.
Enter the password of the user in the Server User Password field.
Enter the fully qualified name of the implementation class in the Custom Registry Classname field. This is the class name with its package components separated by dots (.); for the sample, it is com.ibm.websphere.security.FileRegistrySample. The class file can be located in any directory in the integrated file system as long as these conditions are true:
- It is recommended that the directory not be located in a product directory. That is, the path name of the directory should not begin with /QIBM/ProdData.
- The directory is specified in the ws.ext.dirs property.
- The directory is specified in the server.policy file.
- The QEJBSVR user profile has Execute (*X) authority to the directory and Read and Execute (*RX) authority to the class file and its supporting classes. For the sample, this includes the FileRegistrySample.class and RegExpSample.class files.
- It is recommended that you not use a
To specify in the ws.ext.dirs property the directory that contains your custom registry implementation class file, perform these steps in the administrative console:
- Expand Servers in the navigation menu, and click Application Servers.
- In the Application Servers page, click the name of your server.
- Under Additional Properties, click Process Definition.
- Under Additional Properties, click Java Virtual Machine.
- Under Additional Properties, click Custom Properties.
- If the ws.ext.dirs property has already been defined, click it, append a colon (:) to the value, and add the fully qualified path of the directory that contains your implementation class. If the ws.ext.dirs property is not listed, click New. Specify ws.ext.dirs as the name of the property, and specify the directory that contains your implementation class or JAR file as the value.
- Click OK.
- Click Save.
In a Network Deployment environment, these steps must be performed for all application servers in the cell because the security code runs on all servers. Additionally, the ws.ext.dirs property must be set for the deployment manager and node agent in the cell. (If you are not using the WebSphere Application Server Network Deployment product, you may skip these steps.)
Use the WebSphere administrative console to configure the ws.ext.dirs property for the deployment manager (Network Deployment only):
- Expand System Administration in the navigation menu, and click Deployment Manager.
- Under Additional Properties, click Process Definition.
- Under Additional Properties, click Java Virtual Machine.
- Under Additional Properties, click Custom Properties.
- If the ws.ext.dirs property has already been defined, click it, append a colon (:) to the value, and add the fully qualified path of the directory that contains your implementation class. If the ws.ext.dirs property is not listed, click New. Specify ws.ext.dirs as the name of the property, and specify the directory that contains your implementation class or JAR file as the value.
- Click OK.
- Click Save.
Use the WebSphere administrative console to configure the ws.ext.dirs property for the node agent (Network Deployment only):
- Expand System Administration in the navigation menu, and click Node Agents.
- In the Node Agents page, click the name of the node agent.
- Under Additional Properties, click Process Definition.
- Under Additional Properties, click Java Virtual Machine.
- Under Additional Properties, click Custom Properties.
- If the ws.ext.dirs property has already been defined, click it, append a colon (:) to the value, and add the fully qualified path of the directory that contains your implementation class. If the ws.ext.dirs property is not listed, click New. Specify ws.ext.dirs as the name of the property, and specify the directory that contains your implementation class or JAR file as the value.
- Click OK.
- Click Save.
To add the directory to the server.policy file, edit the server.policy file that is located in the properties subdirectory of your instance and specify the following permission, with the codeBase set to the directory that contains your implementation class (the example uses /CustomRegistry):
    grant codeBase "file:/CustomRegistry/-" { permission java.security.AllPermission; };
For more information about server.policy files, see Configure the server.policy file.
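The ws.ext.dirs and server.policy steps above are easy to get subtly wrong: a registry directory placed under /QIBM/ProdData, an entry appended twice, or a codeBase that does not actually cover the class file. The following Python check is an added example, not code from the product or from this page; it models those rules over a constructed server.policy fragment and assumes a plain directory layout (not a JAR) and parses only codeBase grants.

```python
import re
from pathlib import PurePosixPath

# Constructed sample server.policy fragment containing the grant from the step above.
SAMPLE_POLICY = '''
grant codeBase "file:/CustomRegistry/-" {
    permission java.security.AllPermission;
};
'''
PRODUCT_DATA_PREFIX = "/QIBM/ProdData"

def is_allowed_registry_dir(path):
    """True for an absolute directory that is not inside the product directory."""
    path = path.rstrip("/")
    if not path.startswith("/"):
        return False
    return not (path == PRODUCT_DATA_PREFIX or path.startswith(PRODUCT_DATA_PREFIX + "/"))

def add_to_ws_ext_dirs(existing, new_dir):
    """Append new_dir to a colon-separated ws.ext.dirs value once, rejecting product dirs."""
    if not is_allowed_registry_dir(new_dir):
        raise ValueError("registry directory must be absolute and outside " + PRODUCT_DATA_PREFIX)
    entries = [e for e in (existing or "").split(":") if e]
    if new_dir.rstrip("/") not in entries:
        entries.append(new_dir.rstrip("/"))
    return ":".join(entries)

# Only 'grant codeBase "file:..." { ... };' entries are parsed; a plain 'grant { ... }' is ignored.
GRANT_RE = re.compile(r'grant\s+codeBase\s+"file:([^"]+)"\s*\{([^}]*)\}')

def codebase_covers(codebase, class_file):
    """Java policy codeBase matching: 'dir/-' is recursive, 'dir/*' is that directory
    only, and anything else must name the file (or JAR) exactly."""
    if codebase.endswith("/-"):
        return class_file.startswith(codebase[:-2] + "/")
    if codebase.endswith("/*"):
        return str(PurePosixPath(class_file).parent) == codebase[:-2]
    return class_file == codebase

def check_registry_class(ws_ext_dirs, policy_text, class_file):
    """Report whether class_file lies under a ws.ext.dirs entry and what server.policy grants it."""
    dirs = [d.rstrip("/") for d in ws_ext_dirs.split(":") if d]
    perms = []
    for m in GRANT_RE.finditer(policy_text):
        if codebase_covers(m.group(1), class_file):
            perms += [p.strip() for p in m.group(2).split(";") if p.strip()]
    return {
        "on_classpath": any(class_file.startswith(d + "/") for d in dirs),
        "policy_covered": bool(perms),
        "all_permission": any(p.startswith("permission java.security.AllPermission") for p in perms),
    }
```

The all_permission flag only reports what the page's grant confers; whether a narrower permission set would suffice depends on what your UserRegistry implementation actually does.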
Select the Ignore Case check box if authorization should perform a case-insensitive check. Enabling this option is necessary only when your registry is case insensitive and does not return a consistent case when queried for users and groups.
Click Apply if you have any other additional properties to enter for the registry initialization. Otherwise click OK and complete the steps required to enable security.
To enter additional properties to initialize your implementation, click Custom Properties at the bottom of the panel. Click New. Enter the property name and value. Click OK. Repeat this step to add other additional properties.
For the sample, enter the following two properties (assuming users.props and groups.props are in the myDir directory under the product installation directory):
Property name    Property value
usersFile        ${USER_INSTALL_ROOT}/myDir/users.props
groupsFile       ${USER_INSTALL_ROOT}/myDir/groups.props
Note: The QEJBSVR user profile must have Execute (*X) authority to the directory that contains users.props and groups.props. Additionally, QEJBSVR must have Read and Execute (*RX) authority to the users.props and groups.props files.
The Description, Required, and Validation Expression fields are not used and can be left blank.
Note: In a Network Deployment environment where multiple WebSphere Application Server processes exist (the cell, and multiple nodes on different machines), these properties are available to each process. Use the relative name ${USER_INSTALL_ROOT} to locate any files, because it expands to the product installation directory. If this name is not used, ensure that the files exist in the same location on all nodes.
If you are enabling security for the first time, complete the remaining steps and then go to the Global Security panel. Select Custom as the Active User Registry. If security is already enabled but information on this panel is changed, make sure to go to the Global Security panel and click OK or Apply to validate your changes. If your changes are not validated, the server may not be able to start.