Configuring local operating system registries
Use these steps to configure local operating system registries.
Before you begin
For detailed information about using the local operating system user registry, see Local operating system registries. These steps set up security based on the local operating system user registry on which WebSphere Application Server is installed.
For security purposes, WebSphere Application Server provides and supports the implementation for Windows operating system registries, AIX®, Solaris and multiple versions of Linux® operating systems. The product processes (servers) call the respective operating system application programming interfaces (APIs) to authenticate a user and to perform other security-related tasks (for example, getting user or group information). Access to these APIs is restricted to users who have special privileges. These privileges depend on the operating system and are described later in this topic.
When a local operating system registry is chosen, the started task identity is chosen as the server identity. A user ID and password are not required to configure the server.
- The server ID needs to be different from the Windows machine name where the product is installed. For example, if the Windows machine name is vicky and the security server ID is vicky, the Windows system fails when getting the information (group information, for example) for user vicky.
- WebSphere Application Server dynamically determines whether the machine is a member of a Windows system domain.
- WebSphere Application Server does not support Windows trusted domains.
- If a machine is a member of a Windows domain, both the domain user registry and the local user registry of the machine participate in authentication and security role mapping.
- If you use a Windows domain user ID to install and run WebSphere Application Server, the ID must have the following privileges:
- Be a member of the domain administrative groups in the domain controller
- Have the Act as part of the operating system privilege in the local security policy on the local machine.
- Have the Log on as a service privilege on the local machine if the server runs as a service.
- The domain user registry takes precedence over the local user registry of the machine and can have undesirable implications if users with the same password exist in both user registries.
- The user that the product processes run under requires the Administrative and Act as part of the operating system privileges to call the Windows operating system APIs that authenticate or collect user and group information. The process needs special authority, which is given by these privileges. This user might not be the same as the security server ID (the requirement for which is a valid user in the registry). This user is the one who logs on to the machine (if the product process is started from the command line) or the one specified in the Log On User setting in the services panel (if the product processes are started as services).
- The user that the product processes run under requires the root privilege. This privilege is needed to call the operating system APIs to authenticate or to collect user and group information. The process needs special authority, which is given by the root privilege. This user might not be the same as the security server ID (the requirement is that it be a valid user in the registry). This user logs in to the machine and runs the product processes.
- The user that enables administrative security must have the root privilege if you use the local operating system registry. Otherwise, a failed validation error is displayed.
- You might need to have the password shadow file in your system.
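The prerequisites above can be checked before security is enabled. The following POSIX shell script is an added example, not IBM's own code; it is a hypothetical preflight helper that takes the intended security server ID as its first argument and covers the server-ID rule together with the root and shadow-file requirements for AIX, Solaris and Linux (the Windows privilege checks are not covered).

```shell
#!/bin/sh
# Hypothetical preflight checks for the local OS user registry prerequisites.
# Not part of WebSphere Application Server.

# Returns 0 if the security server ID differs from the machine name
# (compared case-insensitively), 1 otherwise. Arguments: server_id machine_name
check_server_id_differs() {
    sid=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -z "$sid" ]; then
        echo "FAIL: security server ID is empty" >&2
        return 1
    fi
    if [ "$sid" = "$host" ]; then
        echo "FAIL: server ID '$1' must differ from machine name '$2'" >&2
        return 1
    fi
    return 0
}

# Returns 0 if the user is a valid user in the local registry, 1 otherwise.
check_user_in_registry() {
    id "$1" >/dev/null 2>&1
}

# Returns 0 if this process runs with the root privilege (effective uid 0).
check_running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Returns 0 if the password shadow file exists and is readable by this process.
# Optional argument: path to the shadow file (default /etc/shadow).
check_shadow_readable() {
    f=${1:-/etc/shadow}
    [ -r "$f" ]
}

# Runs every check for the given server ID; returns 0 only if all pass.
run_preflight() {
    rc=0
    check_server_id_differs "$1" "$(uname -n)" || rc=1
    check_user_in_registry "$1" || { echo "FAIL: '$1' is not in the local registry" >&2; rc=1; }
    check_running_as_root || { echo "FAIL: process user is not root" >&2; rc=1; }
    check_shadow_readable || { echo "FAIL: shadow file is not readable" >&2; rc=1; }
    return $rc
}
```

Run it as `sh preflight.sh` after sourcing, for example `run_preflight wasadmin`, under the same user account that will start the product processes.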
About this task
When you set up a user registry for WebSphere Application Server, the System Authorization Facility (SAF) works in conjunction with the user registry to authorize applications to run on the server. For more information on the SAF capabilities, see System Authorization Facility user registries. Complete the following steps to configure additional properties that are associated with the local OS user registry and SAF configuration.
The following steps are needed to perform this task initially when setting up security for the first time.
Procedure
Results
For any changes in this panel to be effective, you need to save, stop, and start all the product servers, including deployment managers, nodes and application servers. If the server comes up without any problems, the setup is correct.
After completing these steps, you have configured WebSphere Application Server to use the local operating system registry to identify authorized users.
What to do next
Complete any remaining steps for enabling security. For more information, see Enabling security.