Configuring local operating system user registries using scripting

Use this topic to configure user registries for global security and security domain configurations using the wsadmin tool. You can define user registries at the global level and for multiple security domains.

Before you begin

You must meet the following requirements before configuring local operating system user registries:
  • You must have the administrator or new admin role.
  • Enable global security in your environment.
  • To configure local operating system user registries for multiple security domains, you must configure at least one security domain.

About this task

Configure local operating system user registries to support use of the authentication mechanism with the user accounts database of the local operating system. You can specify local operating system user registries at the global level and at the security domain.

When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The system determines the realm name from the security runtime. The system typically specifies the hostname for local operating system registries.

In security domains, you can configure a different realm for a user registry configuration. For example, you can configure two registries that use the same LDAP server listening on the same port, but use different base distinguished names (baseDN). This allows the configuration to serve different sets of users and groups. To use this type of scenario, you must specify a realm name for each user registry configured for a domain. Because there can be multiple realms in your configuration, you can also specify a list of trusted realms. This allows communication between applications that use different realms.

Use the following steps to configure local operating system user registries for your global security configuration and for multiple security domains:

Procedure

  • Configure local operating system registries for global security configurations.
    1. Use the configureAdminLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry in your global security configuration.
      Supported configurations: This command is not supported in local mode.
      Table 1. Optional parameters. This table lists the configureAdminLocalOSUserRegistry command and its optional parameters:

      | Parameter | Description | Data type |
      |---|---|---|
      | -autoGenerateServerId | Specifies whether to automatically generate the server identity to use for internal process communication. To set a specific server identity, specify the -serverId parameter instead. | Boolean |
      | -serverId | Specifies the user identity in the repository to use for internal process communication. | String |
      | -serverIdPassword | Specifies the password that corresponds to the user identity given by -serverId. | String |
      | -primaryAdminId | Specifies the name of the user with administrative privileges as defined in the registry. This parameter does not apply to security configurations. The user name must exist in the user registry repository. | String |
      | -customProperties | Specifies a list of attribute and value pairs to store as custom properties on the user registry. Separate each attribute and value pair with a comma character (,), using the following syntax: "attribute1=value1","attribute2=value2" | String |
      | -verifyRegistry | Specifies whether to verify the user registry. The default value is true, and verification is performed automatically. | Boolean |
      | -ignoreCase | Specifies whether to perform the case-sensitive authorization check. This only applies to the z/OS® local operating system user registry. | Boolean |
      Use the following Jython example command to configure the local operating system registry for global security:
      AdminTask.configureAdminLocalOSUserRegistry('-autoGenerateServerId true -primaryAdminId gsAdmin')
    2. Configure the user registry to be the active user registry for the server.
      For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for your global security configuration:
      AdminTask.setAdminActiveSecuritySettings('-activeUserRegistry LocalOSUserRegistry')
    3. Save your configuration changes.
      Use the following command example to save your configuration changes:
      AdminConfig.save()
  • Configure local operating system registries for security domains.
    1. Determine the name of the security domain to configure.
      Use the listSecurityDomains command to list all security domains on the server, as the following Jython example demonstrates:
      AdminTask.listSecurityDomains()
      If you want to configure the local operating system registry for a specific server, cluster, or cell, use the getSecurityDomainForResource command to display the security domain name for the management scope of interest. The following Jython example displays the name of the security domain configured at the cell-level:
      AdminTask.getSecurityDomainForResource('-resourceName Cell=:Node=myNode:Server=myServer')
      For this example, the command returns the following output:
      domain2
    2. Configure a local operating system user registry for a security domain.
      Use the configureAppLocalOSUserRegistry command and the following optional parameters to configure a local operating system user registry.
      Supported configurations: This command is not supported in local mode.
      Table 2. Optional parameters. This table describes the configureAppLocalOSUserRegistry command and its optional parameters:

      | Parameter | Description | Data type |
      |---|---|---|
      | -securityDomainName | Specifies the unique name that identifies the security domain of interest. | String |
      | -realmName | Specifies the name of the realm of the user registry. | String |
      | -customProperties | Specifies a list of attribute and value pairs to store as custom properties on the user registry object. Separate each attribute and value pair with a comma character (,). | String |
      | -verifyRegistry | Specifies whether to verify the user registry. The default value is true, and verification is performed automatically. | Boolean |
      | -ignoreCase | Specifies whether to perform the case-sensitive authorization check. This only applies to the z/OS local operating system user registry. | Boolean |
      Use the following Jython command to configure the local operating system user registry for the domain2 security domain:
      AdminTask.configureAppLocalOSUserRegistry('-securityDomainName domain2 -realmName domain2Realm')
    3. Configure the user registry to be the active user registry for the server.
      For example, the following Jython command sets the active user registry as the LocalOSUserRegistry registry for your security domain configuration:
      AdminTask.setAppActiveSecuritySettings('-securityDomainName domain2 -activeUserRegistry LocalOSUserRegistry')
    4. Save your configuration changes.
      Use the following command example to save your configuration changes:
      AdminConfig.save()
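The following script is an added example, not code from this topic or from the wsadmin tool itself. It assembles the parameter strings for both procedures above (the global security registry and the security domain registry), checks the combinations that the tables imply (one of -autoGenerateServerId or -serverId, a password whenever -serverId is given, the "attr=value","attr=value" syntax for -customProperties), and then executes the steps in order, stopping before AdminConfig.save() if any configuration call fails. Inside wsadmin the predefined AdminTask and AdminConfig objects are used; outside it, a DryRun recorder stands in for them so the script can be run offline to review the calls it would make. The helper names (global_registry_args, plan_domain_steps, run_steps, DryRun and so on) are this example's own; gsAdmin, domain2 and domain2Realm come from the page, while wasadmin and the property names in the test are constructed sample values. The syntax is kept common to Python 3 and Jython 2.7.

```python
"""Added example: build, validate and run the wsadmin calls for the local OS
user registry procedures. Helper names here are hypothetical, not wsadmin APIs."""
import re

GLOBAL_PRIMARY_ADMIN = 'gsAdmin'     # value from the page
SAMPLE_DOMAIN = 'domain2'            # value from the page
SAMPLE_REALM = 'domain2Realm'        # value from the page

_NAME_RE = re.compile(r'^[A-Za-z0-9_.\-]+$')   # conservative check for ids and realm names


def _quote(value):
    # wsadmin splits the parameter string on whitespace, so a value containing
    # spaces or quotes is wrapped in double quotes with inner quotes escaped.
    value = str(value)
    if re.search(r'\s', value) or '"' in value:
        return '"%s"' % value.replace('"', '\\"')
    return value


def _custom_properties(props):
    # Render a dict as "attr1=value1","attr2=value2" (the -customProperties syntax in Table 1).
    parts = []
    for key in sorted(props):
        if '=' in key or ',' in key or '"' in key:
            raise ValueError('bad custom property name: %r' % (key,))
        parts.append('"%s=%s"' % (key, props[key]))
    return ','.join(parts)


def global_registry_args(primary_admin_id, server_id=None, server_id_password=None,
                         custom_properties=None, verify_registry=True):
    # Parameter string for AdminTask.configureAdminLocalOSUserRegistry. Table 1 presents
    # -serverId as the alternative to -autoGenerateServerId, so exactly one is emitted.
    if not _NAME_RE.match(primary_admin_id):
        raise ValueError('invalid primaryAdminId: %r' % (primary_admin_id,))
    args = []
    if server_id is None:
        args.append('-autoGenerateServerId true')
    else:
        if not server_id_password:
            raise ValueError('-serverId requires -serverIdPassword')
        args.append('-serverId %s -serverIdPassword %s'
                    % (_quote(server_id), _quote(server_id_password)))
    args.append('-primaryAdminId %s' % _quote(primary_admin_id))
    if custom_properties:
        args.append('-customProperties %s' % _custom_properties(custom_properties))
    if not verify_registry:            # default is true, so only the override is emitted
        args.append('-verifyRegistry false')
    return ' '.join(args)


def domain_registry_args(domain, realm, custom_properties=None, verify_registry=True):
    # Parameter string for AdminTask.configureAppLocalOSUserRegistry (Table 2). The realm
    # name is mandatory here because several domains can coexist and trust is declared per realm.
    for name in (domain, realm):
        if not _NAME_RE.match(name):
            raise ValueError('invalid domain or realm name: %r' % (name,))
    args = ['-securityDomainName %s -realmName %s' % (domain, realm)]
    if custom_properties:
        args.append('-customProperties %s' % _custom_properties(custom_properties))
    if not verify_registry:
        args.append('-verifyRegistry false')
    return ' '.join(args)


def plan_global_steps(primary_admin_id, **options):
    # Steps 1-3 of the global procedure, in order; None marks a call without arguments.
    return [('AdminTask.configureAdminLocalOSUserRegistry', global_registry_args(primary_admin_id, **options)),
            ('AdminTask.setAdminActiveSecuritySettings', '-activeUserRegistry LocalOSUserRegistry'),
            ('AdminConfig.save', None)]


def plan_domain_steps(domain, realm, **options):
    # Steps 2-4 of the domain procedure; step 1 (listSecurityDomains /
    # getSecurityDomainForResource) is the lookup that supplies `domain`.
    return [('AdminTask.configureAppLocalOSUserRegistry', domain_registry_args(domain, realm, **options)),
            ('AdminTask.setAppActiveSecuritySettings',
             '-securityDomainName %s -activeUserRegistry LocalOSUserRegistry' % domain),
            ('AdminConfig.save', None)]


class DryRun(object):
    """Offline stand-in for AdminTask / AdminConfig: records each call as text."""
    def __init__(self, name):
        self.name = name

    def __getattr__(self, method):
        return lambda *args: '%s.%s(%s)' % (self.name, method, ', '.join(repr(a) for a in args))


def run_steps(steps, admin_task, admin_config):
    # Execute a plan in order. An exception from a configuration call (for example a
    # failed registry verification) propagates before AdminConfig.save runs, so a
    # broken registry is never saved as the active one.
    results = []
    for target, args in steps:
        obj_name, method = target.split('.')
        obj = admin_task if obj_name == 'AdminTask' else admin_config
        call = getattr(obj, method)
        results.append(call() if args is None else call(args))
    return results


def main():
    steps = plan_global_steps(GLOBAL_PRIMARY_ADMIN) + plan_domain_steps(SAMPLE_DOMAIN, SAMPLE_REALM)
    try:
        task, config = AdminTask, AdminConfig       # predefined only inside wsadmin
    except NameError:
        task, config = DryRun('AdminTask'), DryRun('AdminConfig')   # offline review
    for line in run_steps(steps, task, config):
        print(line)


if __name__ == '__main__':
    main()
```

Run offline, the script prints the five AdminTask/AdminConfig calls it would make; under wsadmin (for example `wsadmin -lang jython -f thisscript.py`, which is an assumption about how you invoke it) the same plan is executed for real. Keeping save as the last step of each plan, after the active-registry switch, mirrors the procedure and means a registry that fails verification is never persisted as active.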