Select a registry or repository

 


 

Overview

Information about users and groups resides in a user registry. In WAS, a user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization.

During profile creation, either during installation or post-installation, administrative security is enabled by default. You might decide not to enable security, but if the default is accepted, the file-based federated user repository is configured as the active user registry. You can use a different user registry before the profile is created.

All of the processes in WAS can use only one active registry.

 

Local operating system registry

When a user registry or repository is not configured, the local operating system registry is used by default. To use a different registry...

  1. Configure the registry or repository
  2. Restart servers
  3. Assign users and groups to roles for all your applications

 

Custom user registries

WAS provides a custom registry plug-in that enables you to configure any user registry that is not available through the security configuration panels of the console. The UserRegistry interface is used to implement both the custom registry and the federated repository options for the user account repository.

The UserRegistry interface is useful in situations where the current user and group information exists in some other format, for example, a database, and cannot be moved to local operating system or LDAP registries.

Implementing a custom registry is a software implementation effort, and the implementation is expected not to depend on WAS resource management for its operation. For example, you cannot use a WAS data source. Generally, you invoke database connections and dictate their behavior directly in the code.

 

Supported registries

WAS supports the following types of user registries:

If users and groups are already assigned to applications and you change the user registry, delete all the users and groups, including any RunAs role, from the applications, and reassign them after changing the registry, through the console or by using wsadmin...

$AdminApp deleteUserAndGroupEntries yourAppName

Backing up the old application is advised before performing this operation. However, if both of the following conditions are true, you might be able to switch the registries without having to delete the users and groups information:

By default, an application does not contain access IDs in the bindings file. These IDs are generated when the applications start. However, if you migrated an existing application from an earlier release, or if you used the wsadmin script to add access IDs for the applications to improve performance, you have to remove the existing user and group information and add the information after configuring the new user registry.

To update access IDs, run $AdminApp updateAccessIDs.
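
The following is an added example, not part of the original documentation: a Python check that scans an application's bindings file for stored access IDs and lists the entries bound to a realm other than the new registry's, which are the ones to remove and re-add. The sample XML is constructed, and the attribute names accessId / access-id and the "type:realm/uniqueId" form are assumptions about the bindings format.

```python
import xml.etree.ElementTree as ET

# Constructed sample bindings content. The layout and the attribute names
# "accessId" / "access-id" are assumptions about the bindings file format.
SAMPLE_BINDINGS = """\
<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmi:version="2.0">
  <authorizationTable>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_1"/>
      <users name="alice" accessId="user:oldhost.example/uid=alice,o=example"/>
      <groups name="auditors"/>
    </authorizations>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_2"/>
      <groups name="admins" accessId="group:ldap.example:389/cn=admins,o=example"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""

ACCESS_ID_ATTRS = ("accessId", "access-id")  # assumed attribute spellings


def find_access_ids(bindings_xml):
    """Return (element, name, realm, access_id) for each entry with a stored access ID."""
    found = []
    for elem in ET.fromstring(bindings_xml).iter():
        access_id = next((elem.get(a) for a in ACCESS_ID_ATTRS if elem.get(a)), None)
        if not access_id:
            continue  # no stored ID: it is generated when the application starts
        # Assumed form "<type>:<realm>/<uniqueId>"; the realm may itself contain ":".
        realm = access_id.partition(":")[2].partition("/")[0]
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        found.append((tag, elem.get("name"), realm, access_id))
    return found


def stale_entries(bindings_xml, new_realm):
    """Entries whose stored access ID points at a realm other than new_realm."""
    return [e for e in find_access_ids(bindings_xml) if e[2] != new_realm]


if __name__ == "__main__":
    for tag, name, realm, _ in stale_entries(SAMPLE_BINDINGS, "ldap.example:389"):
        print(f"remove before switching registry: {tag} {name!r} (realm {realm!r})")
```

An empty result means the bindings hold no access IDs tied to another realm; entries without a stored access ID, such as the auditors group in the sample, are not reported.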

Complete one of the following steps to configure your user registry:

  1. Configure local operating system registries
  2. Configure LDAP user registries
  3. Configure standalone custom registries
  4. Manage the realm in a federated repository configuration

     

What to do next

  1. If you are enabling security, make sure that you complete the remaining steps. Verify that the User account repository on the Secure administration, applications, and infrastructure panel is set to the appropriate registry or repository. As the final step, validate the user ID and the password by clicking Apply on the Secure administration, applications, and infrastructure panel. Save, stop and start all WAS servers.

  2. For any changes in user registry panels to be effective, validate the changes by clicking Apply on the Secure administration, applications, and infrastructure panel. After validation, save the configuration and stop and start all WAS servers, including the cells, nodes and all of the appservers. To avoid inconsistencies between the WAS processes, make sure that any changes to the registry or repository are done when all of the processes are running. If any of the processes are down, force synchronization to make sure that the process can start later.

If the server or servers start without any problems, the setup is correct.


