Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users


Select a registry or repository

In WAS, a user registry authenticates users and retrieves information about users and groups for security-related functions such as authentication and authorization. During profile creation, whether at installation or afterward, administrative security is enabled by default and the file-based federated user repository is configured as the default user registry. A cell can have only one active registry at a time.

WAS supports...

Registries and repositories are used to...

When a user registry or repository is not configured, the local operating system registry is used by default. To use another registry or repository as the default...

  1. Configure the new registry or repository

  2. Back up applications

  3. For each application, delete all user and group assignments, including any RunAs role...

      $AdminApp deleteUserAndGroupEntries yourAppName

  4. For each application, assign users and groups to new roles.

If both of the following conditions are true, you might be able to switch the registries without having to delete the users and groups information:

By default, an application does not contain access IDs in its bindings file; these IDs are generated when the application starts. However, if you migrated an existing application from an earlier release, or if you used the wsadmin updateAccessIDs command to add access IDs to the application to improve performance, you must remove the existing user and group information and add it again after configuring the new user registry. See updateAccessIDs.
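The following wsadmin Jython script is an added example, not part of the WAS documentation or product, that performs steps 2 and 3 of the procedure above for every installed application: it exports each EAR as a backup, deletes the application's user and group role assignments, and saves the configuration. It assumes wsadmin is connected to the deployment manager with an administrative ID, that BACKUP_DIR is writable on the wsadmin host, and that the script is run with -lang jython; the script name, directory and --dry-run flag are assumptions.

```jython
# Added example (not from the WAS documentation): clear role bindings for all
# installed applications before switching the active user registry.
# Run with:  wsadmin.sh -lang jython -f clear_role_bindings.py [--dry-run]
# Assumes: wsadmin is already connected to the deployment manager with an
# administrative ID, and BACKUP_DIR is a writable directory on this host.
import sys
from java.io import File

BACKUP_DIR = '/tmp/was-app-backups'      # assumption: local export directory
DRY_RUN = '--dry-run' in sys.argv        # report only, change nothing

def installed_apps():
    # AdminApp.list() returns the installed application names one per line.
    names = []
    for line in AdminApp.list().splitlines():
        line = line.strip()
        if line:
            names.append(line)
    return names

def active_registry():
    # Show which registry security.xml currently points at, so the operator can
    # confirm the new registry is configured (step 1) before bindings are removed.
    sec = AdminConfig.list('Security').splitlines()[0]
    return AdminConfig.showAttribute(sec, 'activeUserRegistry')

def backup_app(name):
    # Step 2: export the EAR so the old role mappings can be recovered if needed.
    target = File(BACKUP_DIR)
    if not target.exists():
        target.mkdirs()
    path = BACKUP_DIR + '/' + name + '.ear'
    if not DRY_RUN:
        AdminApp.export(name, path)
    return path

def clear_bindings(name):
    # Step 3: drop every user and group assignment, including RunAs roles.
    if not DRY_RUN:
        AdminApp.deleteUserAndGroupEntries(name)

print 'Active user registry: ' + active_registry()
apps = installed_apps()
for app in apps:
    print 'Backing up ' + app + ' to ' + backup_app(app)
    clear_bindings(app)
    print 'Cleared user and group entries for ' + app

if DRY_RUN:
    print 'Dry run: ' + str(len(apps)) + ' application(s) inspected, nothing changed.'
else:
    AdminConfig.save()
    print 'Configuration saved. Reassign users and groups to roles (step 4) before restarting.'
```

Run it once with --dry-run to see which applications would be touched and which registry is active. The script stops after AdminConfig.save(); reassigning users and groups to roles (step 4) is application-specific and is left to the administrator, and in a Network Deployment cell the saved configuration must still be synchronized to the nodes before the servers are restarted.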

For AIX, the following characters are not supported in a user name: ` # = \ : " , / ? ' and the space character. For HP-UX, the following characters are not supported in a user name: ` : " / and the space character.


Configure your user registry


User registry proxy

WAS implements a user registry proxy through the UserRegistry interface. However, the proxy's return values differ slightly from what the interface contract suggests. For example, getUniqueUserId returns the uniqueID with the realm name wrapped around it, so that value cannot be passed directly to getUserSecurityName. Strip the realm name first, as shown in the following example:

// Resolve a user's security name from the user name supplied in a NameCallback.
// The wrapped value returned by the proxy is never passed straight to getUserSecurityName.
static String resolveSecurityName(String userName) throws Exception {
    // Retrieve the default InitialContext for this server.
    javax.naming.InitialContext ctx = new javax.naming.InitialContext();

    // Retrieve the local UserRegistry object (the server's registry proxy).
    com.ibm.websphere.security.UserRegistry reg =
        (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");

    // Retrieve the registry uniqueID for userName. The proxy returns it with
    // the realm name wrapped around the real ID.
    String uniqueID = reg.getUniqueUserId(userName);

    // Strip the realm name with the SPI helper to get the real uniqueID.
    String uid = com.ibm.wsspi.security.token.WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID);

    // Retrieve the security name from the user registry based on the real uniqueID.
    return reg.getUserSecurityName(uid);
}

Use the WSSecurityPropagationHelper Service Provider Interface (SPI) for this parsing step, as in the example, rather than parsing the wrapped string yourself.


What to do next

If you are enabling security, make sure that you complete the remaining steps. Verify that the User account repository on the Global security panel is set to the appropriate registry or repository. As the final step, validate the user ID and password by clicking Apply on the Global security panel, then save the configuration and stop and start all WAS processes.

The same applies to any later change in the user registry panels: the change is not effective until you validate it by clicking Apply on the Global security panel, save the configuration, and stop and start all WAS processes, including the deployment manager, the node agents and all of the application servers.

To avoid inconsistencies between the WAS processes, make sure that any changes to the registry or repository are done when all of the processes are running. If any of the processes are down, force synchronization to make sure that the process can start later.

If the server or servers start without any problems, the setup is correct.

WAS provides a plug-in to support any registry through the custom registry feature. The UserRegistry interface is used to implement both the stand-alone custom registry and the federated repository options.


Related


Stand-alone custom registries
Configure local operating system registries
Configure LDAP user registries
Configure stand-alone custom registries
Manage realms in a federated repository
Local operating system registries
Standalone LDAP registries
Federated repositories
Enable security
Authenticate users
Commands for the AdminApp object using wsadmin.sh