Realm configuration settings

Use this page to manage the realm. The realm can consist of identities in the file-based repository that is built into the system, in one or more external repositories, or in both the built-in, file-based repository and one or more external repositories.

To view this administrative console page, complete the following steps:
  1. In the administrative console, click Security > Security domains.
  2. Under User realm, select Customize for this domain. Select Federated repositories from the Realm type field and click Configure.

When you finish adding or updating your federated repository configuration, go to the Security > Global security panel and click Apply to validate the changes.

A single built-in, file-based repository is built into the system and included in the realm by default.

You can configure one or more Lightweight Directory Access Protocol (LDAP) repositories to store identities in the realm. Click Add base entry to realm to specify a repository configuration and a base entry into the realm. You can configure multiple different base entries into the same repository.

Click Remove to remove selected repositories from the realm. Repository configurations and contents are not destroyed. The following restrictions apply:
  • The realm must always contain at least one base entry; therefore, you cannot remove every entry.
  • If you plan to remove the built-in, file-based repository from the administrative realm, verify that at least one user in another member repository is a console user with administrative rights. Otherwise, you must disable security to regain access to the administrative console.

WebSphere® Application Server Version 7.0 distinguishes between the user identities for administrators who manage the environment and server identities for authenticating server to server communications. In most cases, server identities are automatically generated and are not stored in a repository.

[AIX Solaris HP-UX Linux Windows]However, if you are adding a previous version node to the latest version cell and the previous version node used a server identity and password, you must ensure that the server identity and password for the previous version are defined in the repository for this cell. Enter the server user identity and password on this panel.

Realm name

Specifies the name of the realm. You can change the realm name, but you should complete any other federated repository configuration steps prior to making this change.

Primary administrative user name

Specifies the name of the user with administrative privileges that is defined in the repository, for example, adminUser.

The user name is used to log on to the administrative console when administrative security is enabled. Version 6.1 requires an administrative user that is distinct from the server user identity so that administrative actions can be audited.
Attention: In WebSphere Application Server, Version 6.0.x, a single user identity is required for both administrative access and internal process communication. When migrating to Version 6.1, this identity is used as the server user identity. You need to specify another user for the administrative user identity.

Automatically generated server identity

Enables the application server to generate the server identity, which is recommended for environments that contain only Version 6.1 or later nodes. Automatically generated server identities are not stored in a user repository.

Information Value
Default: Enabled
[AIX Solaris HP-UX Linux Windows]

Server identity that is stored in the repository

Specifies a user identity in the repository that is used for internal process communication. Cells that contain Version 6.1 or later nodes require a server user identity that is defined in the active user repository.

Information Value
Default: Enabled
[AIX Solaris HP-UX Linux Windows]

Server user ID or administrative user on a Version 6.0.x node

Specifies the user ID that is used to run the application server for security purposes.

[AIX Solaris HP-UX Linux Windows]

Password

Specifies the password that corresponds to the server ID.

Ignore case for authorization

Specifies that a case-insensitive authorization check is performed.

If case sensitivity is not a consideration for authorization, enable the Ignore case for authorization option.

Allow operations if some of the repositories are down

Specifies whether operations (such as login, search, or get) are allowed even if the repositories in the realm are down.

Use global schema for model

Sets the global schema option for the data model in a multiple security domain environment. Global schema refers to the schema of the admin domain.

Avoid trouble: Application domains that are set to use global schema share the same schema of the admin domain. If you extend the schema for an application in one domain, you must also consider how that might affect applications of other domains, as they are bound by the same schema. For example, adding a mandatory property for one application might cause other applications to fail.

Base entry

Specifies the base entry within the realm. This entry and its descendents are part of the realm.

Repository identifier

Specifies a unique identifier for the repository. This identifier uniquely identifies the repository within the cell.