Configuring custom user registries using scripting

Use this topic to configure custom user registries for global security and security domain configurations using the wsadmin tool. You can define custom user registries at the global level and for multiple security domains.

Before you begin

You must meet the following requirements before configuring custom user registries:
  • You must have the administrator or new admin role.
  • Enable global security in your environment.
  • Implement and build a class that implements the UserRegistry interface, and make that class available to the server so that it can be configured as a custom registry.
  • To configure custom user registries for multiple security domains, you must configure at least one security domain.

About this task

WebSphere® Application Server security supports stand-alone custom registries in addition to the local operating system registry, stand-alone Lightweight Directory Access Protocol (LDAP) registries, and federated repositories for authentication and authorization. A stand-alone custom registry is a class that you write against the UserRegistry Java™ interface that the product provides. It can front any type of account repository, such as a relational database or a flat file. You can specify custom user registries at the global level and at the security domain level.

When you configure a user registry in the global security configuration, the administrator does not specify a realm name for the user registry. The security run time determines the realm name. For a custom registry, the realm name is whatever the custom registry implementation returns from its getRealm method.

Use the following command to make a specific user registry the active user registry in the global security configuration:
Jython
AdminTask.setAdminActiveSecuritySettings ('[-activeUserRegistry CustomUserRegistry]')
Jacl
$AdminTask setAdminActiveSecuritySettings {-activeUserRegistry CustomUserRegistry}
Use the following command to make a specific user registry the active user registry in the security domain configuration:
Jython
AdminTask.setAppActiveSecuritySettings ('[-securityDomainName domain2 -activeUserRegistry CustomUserRegistry]')
Jacl
$AdminTask setAppActiveSecuritySettings {-securityDomainName domain2 -activeUserRegistry CustomUserRegistry}

In a security domain, you can configure a different realm for a user registry configuration. For example, you can configure two registries that use the same LDAP server listening on the same port but use different base distinguished names (baseDN), so that each registry serves a different set of users and groups. To use this type of scenario, you must specify a realm name for each user registry that is configured for a domain. Multiple realms can exist in your configuration, and you can also specify a list of trusted realms. Communication between applications that use different realms is supported.

Use the following steps to configure custom user registries for your global security configuration and for multiple security domains:

Procedure

  • Configure custom user registries for global security configurations.
    Supported configurations: This command is not supported in local mode (wsadmin -conntype NONE); run wsadmin connected to a server process, for example with -conntype SOAP.
    Table 1. Optional parameters. Use the configureAdminCustomUserRegistry command and the following optional parameters to configure a custom user registry in your global security configuration:
    Parameter Description Data type
    -autoGenerateServerId Specifies whether to automatically generate the server identity that is used for internal process communication. To set a specific server identity instead, specify the -serverId and -serverIdPassword parameters. Boolean
    -serverId Specifies the user identity in the repository to use for internal process communication. String
    -serverIdPassword Specifies the password that corresponds to the -serverId user identity. String
    -primaryAdminId Specifies the name of the user with administrative privileges, as defined in the registry. This parameter applies only to the global security configuration, not to security domain configurations. The user name must exist in the user registry repository. String
    -customRegClass Specifies the fully qualified name of the class that implements the UserRegistry interface from the com.ibm.websphere.security package. String
    -ignoreCase Specifies whether authorization is case-insensitive. Specify true to ignore case during authorization; specify false to require an exact, case-sensitive match. Boolean
    -customProperties Specifies a list of attribute and value pairs to store as custom properties on the user registry object. Enclose each attribute and value pair in double quotation marks and separate the pairs with a comma character. Surround the whole list with bracket characters ([]) for the Jython programming language and brace characters ({}) for the Jacl programming language. For example:
    Jython
    -customProperties ["attribute1=value1",
    "attribute2=value2"]
    Jacl
    -customProperties {"attribute1=value1",
    "attribute2=value2"}
    String
    -verifyRegistry Specifies whether to verify the user registry configuration. The default value is true, so verification is performed unless you specify false. Boolean
    Use the following example command to configure the custom user registry for global security:
    Jython
    AdminTask.configureAdminCustomUserRegistry ('[-autoGenerateServerId true -primaryAdminId gsAdmin
     -customProperties ["attribute1=value1","attribute2=value2"]]')
    Jacl
    $AdminTask configureAdminCustomUserRegistry {-autoGenerateServerId true -primaryAdminId gsAdmin
     -customProperties {"attribute1=value1","attribute2=value2"}}
  • Configure custom user registries for security domains.
    1. Determine the name of the security domain to configure.
      Use the listSecurityDomains command to list all security domains on the server:
      Jython
      AdminTask.listSecurityDomains()
      Jacl
      $AdminTask listSecurityDomains
    2. Configure a custom user registry for a security domain.
      Supported configurations: This command is not supported in local mode (wsadmin -conntype NONE); run wsadmin connected to a server process, for example with -conntype SOAP.
      Table 2. Optional parameters. Use the configureAppCustomUserRegistry command and the following optional parameters to configure a custom user registry for a security domain:
      Parameter Description Data type
      -securityDomainName Specifies the unique name that identifies the security domain to configure. String
      -realmName Specifies the name of the realm of the user registry. A realm name is required for each user registry that is configured for a domain. String
      -customRegClass Specifies the fully qualified name of the class that implements the UserRegistry interface from the com.ibm.websphere.security package. String
      -ignoreCase Specifies whether authorization is case-insensitive. Specify true to ignore case during authorization; specify false to require an exact, case-sensitive match. Boolean
      -customProperties Specifies a list of attribute and value pairs to store as custom properties on the user registry object. Enclose each attribute and value pair in double quotation marks and separate the pairs with a comma character. Surround the whole list with bracket characters ([]) for the Jython programming language and brace characters ({}) for the Jacl programming language. For example:
      Jython
      -customProperties ["attribute1=value1",
      "attribute2=value2"]
      Jacl
      -customProperties {"attribute1=value1",
      "attribute2=value2"}
      String
      -verifyRegistry Specifies whether to verify the user registry configuration. The default value is true, so verification is performed unless you specify false. Boolean
      Use the following example command to configure the custom user registry for the domain2 security domain:
      Jython
      AdminTask.configureAppCustomUserRegistry ('[-securityDomainName domain2 -realmName domain2Realm
       -customProperties ["attribute1=value1","attribute2=value2"]]')
      Jacl
      $AdminTask configureAppCustomUserRegistry {-securityDomainName domain2 -realmName domain2Realm
       -customProperties {"attribute1=value1","attribute2=value2"}}

What to do next

Use the following command example to save your configuration changes:
AdminConfig.save()
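The following wsadmin Jython script is an added example; it is not part of the original page or of the product. It runs the whole procedure above end to end: it checks that the security domain exists, configures the custom registry for global security and for the domain, activates it in both places, reads the active settings back, and only then saves. The class name com.example.FileRegistry, the administrative user gsAdmin, the domain name domain2 and its realm name domain2Realm, and the usersFile and groupsFile custom properties are all assumptions made for the example; substitute your own class and values.

```jython
# Added example (not from the IBM page): end-to-end wsadmin Jython script that
# registers a custom UserRegistry class for the global security configuration
# and for one security domain, activates it in both places, checks the result,
# and saves. Run it connected to the deployment manager; the configure*
# commands fail in local mode (-conntype NONE):
#   wsadmin.sh -lang jython -conntype SOAP -host dmgr.example.com -port 8879 \
#              -f configure_custom_registry.py
#
# Everything below is an assumption made for this example:
#   com.example.FileRegistry  the class implementing com.ibm.websphere.security.UserRegistry
#   gsAdmin                   an administrative user that exists in that registry
#   domain2 / domain2Realm    an existing security domain and the realm name to give it
#   usersFile / groupsFile    custom properties the example class reads at startup
import sys

REG_CLASS = 'com.example.FileRegistry'
ADMIN_ID = 'gsAdmin'
DOMAIN = 'domain2'
GLOBAL_PROPS = '["usersFile=/opt/registry/users.props","groupsFile=/opt/registry/groups.props"]'
DOMAIN_PROPS = '["usersFile=/opt/registry/d2-users.props","groupsFile=/opt/registry/d2-groups.props"]'


def fail(msg):
    print 'ERROR: ' + msg
    sys.exit(1)


def existing_domains():
    # listSecurityDomains returns the domain names as text; tolerate both a
    # newline-separated string and a bracketed list rendering.
    raw = str(AdminTask.listSecurityDomains())
    return raw.replace('[', ' ').replace(']', ' ').replace(',', ' ').split()


def configure_global():
    # -autoGenerateServerId true: no server-identity password has to be passed
    # on the command line or stored with the registry definition.
    # -verifyRegistry true (the default): the command checks the registry now
    # instead of leaving the failure for the next server restart.
    AdminTask.configureAdminCustomUserRegistry(
        '[-customRegClass ' + REG_CLASS +
        ' -autoGenerateServerId true' +
        ' -primaryAdminId ' + ADMIN_ID +
        ' -ignoreCase false' +
        ' -verifyRegistry true' +
        ' -customProperties ' + GLOBAL_PROPS + ']')
    AdminTask.setAdminActiveSecuritySettings('[-activeUserRegistry CustomUserRegistry]')


def configure_domain(domain):
    # A domain registry needs its own realm name; here it also gets its own
    # property files so it serves a different user population than the global one.
    AdminTask.configureAppCustomUserRegistry(
        '[-securityDomainName ' + domain +
        ' -realmName ' + domain + 'Realm' +
        ' -customRegClass ' + REG_CLASS +
        ' -ignoreCase false' +
        ' -verifyRegistry true' +
        ' -customProperties ' + DOMAIN_PROPS + ']')
    AdminTask.setAppActiveSecuritySettings(
        '[-securityDomainName ' + domain + ' -activeUserRegistry CustomUserRegistry]')


def check_active(domain=None):
    # Read the active settings back before committing; the text that
    # getActiveSecuritySettings returns names the active registry type.
    if domain is None:
        settings = AdminTask.getActiveSecuritySettings()
    else:
        settings = AdminTask.getActiveSecuritySettings('[-securityDomainName ' + domain + ']')
    if str(settings).find('CustomUserRegistry') < 0:
        fail('CustomUserRegistry is not active for ' + (domain or 'global security'))
    print 'active registry OK for ' + (domain or 'global security')


if DOMAIN not in existing_domains():
    fail('security domain ' + DOMAIN + ' does not exist; create it before configuring its registry')

try:
    configure_global()
    configure_domain(DOMAIN)
    check_active()
    check_active(DOMAIN)
except:
    # Leave nothing half-applied: a failed verification or a typo in the class
    # name must not be written into security.xml.
    AdminConfig.reset()
    raise

if AdminConfig.hasChanges():
    AdminConfig.save()
    print 'saved; synchronize the nodes and restart the servers for the new registry to take effect'
```

The script uses -autoGenerateServerId rather than -serverId and -serverIdPassword so that no password appears in the command history or in the saved configuration; if your environment requires a fixed server identity, read the password from a protected file or prompt instead of embedding it in the script. Every AdminTask call is wrapped in one try block and any failure discards the unsaved workspace with AdminConfig.reset(), because a registry that fails verification but is still saved and activated can lock every administrator out until the configuration is repaired by hand.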