Manage the user registry on z/OS
After installing and deploying IBM WebSphere Portal, which includes installing and configuring the user registry, we can manage the user registry by running various update and/or delete tasks. These tasks include, but are not limited to, adding a property extension database, updating or deleting the entity type, and deleting the registry. Complete the following tasks to configure security:
- Configure a property extension database on z/OS
You can configure a property extension database to store attributes that the LDAP directory does not or cannot store but that you want to include in the portal user registry, for example if the LDAP directory does not allow schema extensions for new attributes. A property extension database extends the user registry, making the new attributes available as part of the portal user profile.
- Add a database user registry on z/OS
Add a database user registry to the default federated repository to store user account information for authentication and authorization. We can add multiple database user registries to the default federated repository, although we can only add one database user registry at a time.
- Modify to the federated repository on z/OS
If you originally configured a standalone LDAP user registry but find that you need a more robust security configuration, we can change to the federated user repository.
- Update the database user registry on z/OS
After creating and using the database user registry, we can update the database user ID, password, and/or the database where the data is stored. This task does not change the DN structure stored in the database repository.
- Update the federated LDAP user registry on z/OS
After creating and using the LDAP user registry in the default federated repository, you may find that the LDAP user registry is not working exactly as you would like. For example, we can change the LDAP bind password.
- Update the standalone LDAP user registry on z/OS
Changing the LDAP bind password removes any existing attribute mappings. Review all existing attribute mappings before proceeding so that we can re-create them after completing this task.
- Create additional base entries
To support multiple realms, which allow flexible user management with various configuration options, you will need to create additional base entries within the federated LDAP user registries and/or database user registry. We can create additional base entries in the default realm or within other realms.
- Update the realm configurations on z/OS
After creating and using the realm(s) in the default federated repository, you may find that the realm configuration is not working exactly as you would like. We can update the realm configurations and make the necessary changes.
- Querying the base entry
If you support multiple realms and need to see which base entries exist for a particular realm, we can query the realm for a list of base entries.
- Set the default realm
If you have multiple realms, perform this task to specify which realm is the default realm.
- Update the default parents for a realm
After adding the user registry, you may find that you need to update a single entity type with the value of the default parent. For example, if you delete a repository, you will need to update the entity type if it points to the deleted repository.
- Update where new users and groups are stored
After you have configured the federated user registry with one or more LDAP user registries and/or a database user registry, you may want to update which user registry new users and groups are stored in.
- Create the entity type on z/OS
If an entity type that you want to use exists within IBM WebSphere Portal but does not exist within the LDAP user registry, we can create the entity type within the LDAP user registry and then add the relative distinguished name (RDN) to the entity type to map it between WebSphere Portal and your LDAP user registry.
- Update an entity type on z/OS
After adding the user registry, you may find that you need to update a single entity type with the value of the default parent. For example, if you delete a repository, you will need to update the entity type if it points to the deleted repository.
- Update the group membership configuration on z/OS
When you configure your LDAP user registry, a group membership configuration is automatically created. You may need to adjust the group membership configuration if you notice high loads on the LDAP server and/or long response times on authentication requests. When you delete or rename users, some LDAP servers, such as the z/OS LDAP server, do not automatically clean up the group membership for those users. For this reason, we might choose to adjust the group membership configuration to flag this LDAP server as one that requires manual cleanup through the Virtual Member Manager (VMM).
- Enable the distinguished name login
If you have realms containing short names that are not unique within the realm, we can enable login with the full distinguished name.
- Delete the repository on z/OS
If changes in the company mean that you no longer require a repository within the default federated repository, we can delete the repository from the configuration.
- Delete a realm on z/OS
If you made changes to IBM WebSphere Portal and no longer require a realm that you created, we can delete the realm from the user registry.
- Delete the LDAP entity type on z/OS
If you made changes to the LDAP user registry and no longer require an entity type that you created, we can delete it.
- Restore the VMM setup with a federated file repository on z/OS
If the business needs change or something happens to make the user registry configuration inoperable, we can run the wp-restore-default-repository-configuration task to restore the default VMM setup with a federated file repository. The task deletes all existing repositories, creates a new realm, and configures a file repository in VMM. The task also creates a new user and a new user group, which are set as the portal and WAS administrators.
- Regenerating LTPA keys to secure production environments
The LTPA key holds cryptographic keys that secure the user authentication session and cookies. To secure the production server environment, regenerate the LTPA key using the WAS admin console. To enable single sign-on at a later time, first disable automatic key generation.
- Change the authentication mode for portlet deployment on z/OS
IBM WebSphere Portal provides two user authentication modes that the Portlet dmgr can use to authenticate with the IBM WAS administrative services when security is enabled.