Managing your user registry on z/OS
After you install and deploy IBM® WebSphere® Portal, which includes installing and configuring the user registry, you can manage the user registry by running various update and delete tasks. These tasks include, but are not limited to, adding a property extension (lookaside) database, updating or deleting the entity type, and deleting the registry.
About this task
- Configuring a property extension database on z/OS
You can configure a property extension database (previously referred to as a lookaside database) to store attributes that you want to include in your portal user registry but that the LDAP directory does not or cannot store. This situation often occurs when you are using an LDAP directory that does not allow schema extensions for new attributes to support portal applications. When you configure a property extension database, you effectively extend the user registry to make new attributes available as part of your portal user profile. However, it is preferable to store all user attributes in the main user registry. You must complete this task only if you cannot add new attributes to your LDAP directory. The topic explains how to configure property extensions in a single-server environment and in a clustered environment.
- Adding a database user registry on z/OS
Add a database user registry to the default federated repository to store user account information for authentication and authorization. You can add multiple database user registries to the default federated repository although you can add only one database user registry at a time.
- Modifying to the federated repository on z/OS
If you originally configured a stand-alone LDAP user registry but find that you need a more robust security configuration, you can change to the federated user repository.
- Updating the database user registry on z/OS
After creating and using the database user registry, you can update the database user ID, password, and/or the database where the data is stored. This task does not change the DN structure stored in the database repository.
- Updating the federated LDAP user registry on z/OS
After creating and using the LDAP user registry in the default federated repository, you may find that your LDAP user registry is not working exactly as you would like. You can easily update the LDAP user registry and make the necessary changes. For example, you can change your LDAP Bind password.
- Updating the standalone LDAP user registry on z/OS
After configuring and using the standalone LDAP user registry, you may find that your LDAP user registry is not working exactly as you would like. You can easily update the LDAP user registry and make the necessary changes. For example, you can change your LDAP Bind password. This task removes any existing attribute mappings. Review all existing attribute mappings before proceeding so you can re-create them after completing this task.
- Creating additional base entries
If you plan to support multiple realms to allow flexible user management with various configuration options, you will need to create additional base entries within your federated LDAP user registries and/or database user registry. You can create additional base entries in the default realm or within other realms.
- Updating the realm configurations on z/OS
After you create and use the realms in the default federated repository, you might find that your realm configuration is not working exactly as you would like. You can easily update the realm configurations and make the necessary changes.
- Querying the base entry
If you support multiple realms and you need to see what base entries exist for a particular realm, you can query the realm for a list of base entries.
- Setting the default realm
If you have multiple realms, perform this task to specify which realm is the default realm.
- Updating the default parents for a realm
After adding your user registry, you may find that you need to update a single entity type with the value of the default parent. For example, if you delete a repository, you will need to update the entity type if it points to the deleted repository.
- Updating where new users and groups are stored
After you have configured your federated user registry with one or more LDAP user registries and/or a database user registry, you may want to update the user registry where new users and groups are stored.
- Creating the entity type on z/OS
If an entity type exists within IBM WebSphere Portal that you want to use but it does not exist within your LDAP user registry, you can create the entity type within your LDAP user registry and then add the relative distinguished name (RDN) to the entity type to map it between WebSphere Portal and your LDAP user registry.
- Updating an entity type on z/OS
After adding your user registry, you may find that you need to update a single entity type with the value of the default parent. For example, if you delete a repository, you will need to update the entity type if it points to the deleted repository.
- Updating the group membership configuration on z/OS
When you configure your LDAP user registry, a group membership is automatically created. You may need to adjust the group membership configuration if you notice high loads on the LDAP server and/or long response times on authentication requests. When you delete or rename users, some LDAP servers, such as the z/OS® LDAP server, do not automatically clean the membership for users. For this reason, you might choose to adjust the group membership configuration to flag this LDAP server as one that requires manual cleanup through the Virtual Member Manager (VMM).
- Enabling the distinguished name login
If you have realms that contain short names that are not unique for the realm, you can enable login with the full distinguished name.
- Deleting the repository on z/OS
If you have made changes to your company and no longer require the use of a repository within your default federated repository, you can delete the repository from your configuration.
- Deleting a realm on z/OS
If you made changes to your IBM WebSphere Portal and no longer require a realm that you created, you can delete the realm from your user registry.
- Deleting the LDAP entity type on z/OS
If you changed your LDAP user registry and no longer require an entity type that you created, you can delete it.
- Restoring the VMM setup with a federated file repository on z/OS
If your business needs change or something happens to make your user registry configuration inoperable, you can run the wp-restore-default-repository-configuration task to restore the default VMM setup with a federated file repository, which will allow you to re-configure your user registry to meet your business needs. The task deletes all existing repositories, creates a new realm, and configures a file repository in VMM. The task also creates a new user and a new user group, which is set to portal and WAS administrators.
- Regenerating LTPA keys to secure production environments
The Lightweight Third Party Authentication (LTPA) key holds cryptographic keys that secure the user authentication session and cookies. To secure the production server environment, regenerate the LTPA key using the WebSphere Integrated Solutions Console. If you plan to enable single sign-on at a later time, you must first disable the automatic key generation.
- Changing the authentication mode for portlet deployment on z/OS
IBM WebSphere Portal provides two user authentication modes that the Portlet Deployment Manager can use to authenticate with the IBM WebSphere Application Server administrative services when security is enabled.