Configure a user registry

Although different types of user registries are supported, only one registry can be active at a time, and all of the processes in WebSphere Application Server use it. Configuring the correct registry is a prerequisite to assigning users and groups to roles for applications. LocalOS is the default registry. However, you still need to configure the registry as the first step in enabling global security, after which you restart the servers and then assign users and groups to roles for all your applications. For more information, see Assign users and groups to roles and Assign users to RunAs roles.

If you select a different user registry after users and groups are assigned to roles for your applications, it is recommended that you delete all the users and groups (including any RunAs role) from the applications and reassign them after you change the registry. Deleting all the users and groups can be done through the administrative console or through wsadmin scripting.

This wsadmin command removes all the users and groups (including the RunAs role) from any application:

  $AdminApp deleteUserAndGroupEntries yourAppName

where yourAppName is the name of the application. Backing up the old application is advised before performing this operation.

If all of the user and group names (including the passwords of the RunAs role users) are the same in both registries, and if the application bindings file does not contain accessIDs (which are unique to each registry, even for the same user or group name), you may be able to change registries without deleting the user and group information. By default, an application does not contain accessIDs in its bindings file; they are generated on the fly when the application is started. However, if you have migrated an existing application from an earlier release, or if you used a wsadmin script to add accessIDs to the application (to improve performance), remove the existing user and group information and add it again after you configure the new registry.
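The following is an added pre-flight check, not code from the WebSphere documentation or product: it scans an application bindings file for user or group entries that already carry an accessID, which is the condition above that forces you to delete and reassign the role mappings after a registry change. It assumes the bindings file is XML in which user and group bindings appear as "users" and "groups" elements with "name" and "accessId" attributes; the sample document embedded below is constructed for the example, and the element and attribute names are an assumption about the file layout rather than a reference description of it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of an ibm-application-bnd.xmi file.
# One user and one group carry registry-specific accessIds; one group does not.
# Element/attribute names here are an assumption, not taken from the page.
SAMPLE_BINDINGS = """<applicationbnd:ApplicationBinding xmlns:applicationbnd="applicationbnd.xmi">
  <authorizationTable>
    <authorizations>
      <users name="alice" accessId="user:OLDREALM/uid=alice"/>
      <groups name="admins"/>
    </authorizations>
    <authorizations>
      <groups name="operators" accessId="group:OLDREALM/cn=operators"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""


def find_access_ids(xml_text):
    """Return (subject_type, name, accessId) for every user or group binding
    that carries a registry-specific accessId, in document order.

    An empty result means the bindings are registry-neutral: accessIds will be
    regenerated from the new registry when the application starts.
    """
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        # Strip any XML namespace prefix so the tag compares cleanly.
        tag = elem.tag.rsplit("}", 1)[-1]
        if tag in ("users", "groups") and elem.get("accessId"):
            found.append((tag[:-1], elem.get("name"), elem.get("accessId")))
    return found


def needs_reassignment(xml_text):
    """True if the bindings must be deleted and reassigned after a registry change."""
    return bool(find_access_ids(xml_text))


if __name__ == "__main__":
    for subject_type, name, access_id in find_access_ids(SAMPLE_BINDINGS):
        print(f"{subject_type} {name!r} is bound to accessId {access_id}")
    if needs_reassignment(SAMPLE_BINDINGS):
        print("Delete and reassign users/groups after changing the registry.")
    else:
        print("Bindings are registry-neutral; no reassignment required.")
```

Run the check against each deployed application's bindings before switching registries; any reported entry is one that will still point at the old registry's identifiers after the switch, so that application needs the deleteUserAndGroupEntries treatment described above.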

The administrative user ID is common to all user registries. The administrative ID is a member of the chosen user registry, and it has special privileges in WebSphere Application Server. However, it has no special privileges in the user registry that it represents. In other words, you can choose any user ID in the registry to use as the administrative user ID. However, for LDAP user registries, ensure that the administrative user ID is a member of the registry and is not the LDAP administrative ID. Also, for LDAP registries, the member you use must be searchable.

See these topics for instructions about configuring particular types of user registries:

Configure the local operating system user registry
If you want WebSphere security to use OS/400 user profiles to perform authentication, see this topic for instructions.

Configure the LDAP user registry
If you want to use a supported third-party user registry, see this topic.

Configure the custom user registry
If your user registry product is not one of the officially supported registries or if you want to create your own registry, see this topic for more information.