Configure local operating system user registry

If you want to use the OS/400 user registry to represent the principals who access your WebSphere resources, no special user registry setup is necessary.

The OS/400 user registry is used for authentication of WebSphere users and for authorization of WebSphere users who access WebSphere resources, but not for WebSphere users who access OS/400 resources. A WebSphere application server does not run under the OS/400 user profile of the WebSphere users. Instead, the WebSphere application server runs under the OS/400 profile that is configured by the WebSphere administrator.

If you want to authorize a user for any WebSphere resource, a user profile must exist on the iSeries system for that user. Use the Create User Profile (CRTUSRPRF) command on your iSeries server to create new user IDs that can be used by WebSphere.

As installed, security is disabled for WebSphere Application Server. To enable security, complete the following steps, which set up security based on the local operating system user registry on the iSeries system on which WebSphere Application Server is installed.

Perform these steps in the WebSphere administrative console:

  1. In the navigation menu, click Security --> User Registries --> LocalOS.

  2. Enter a valid iSeries user profile name in the Server User ID field. The Server User ID specifies the iSeries user profile to use when the server authenticates to the underlying operating system. This is also the user that has initial authority to access the administrative application through the administrative console.

    The administrative user ID is common to all user registries. The administrative ID is a member of the chosen user registry, and it has special privileges in WebSphere Application Server. However, it has no special privileges in the user registry that it represents. In other words, you can select any valid user ID in the registry to use as the administrative user ID (Server User ID).

    For the Server User ID field, you can specify any iSeries user profile that meets these criteria:

    • It has a status of *ENABLED.
    • It has a valid password.
    • It is not used as a group profile.

      A group profile is assigned a unique group ID number, which is not assigned to a regular user profile. Run the Display User Profile (DSPUSRPRF) command to determine if the user profile you want to use as the Server User ID has a defined group ID number. If the Group ID field is set to *NONE, the user profile can be used as the administrative user ID.

  3. In the Server User Password field, enter the valid password for the user profile you specified as the Server User ID.

  4. Click OK.

    Note that the WebSphere administrative console does not validate the user ID and password when you click OK. Validation is only performed when you click OK or Apply in the Global Security panel.

    If you are in the process of enabling security for the first time, complete the remaining configuration steps. Navigate to the Global Security panel, and make sure that Local OS is selected as the Active User Registry. Then, click OK or Apply. If you do not complete this action, your changes are not validated, and the server may not be able to start.

Note: Until you authorize other users to perform administrative functions, you can only access the administrative console with the Server User ID and Password you specified. For more information, see Assign users to administrative roles.