Engine security configuration

The IBM® InfoSphere® Information Server engine performs user authentication separately from other InfoSphere Information Server components. Depending upon your user registry configuration, you might have to map credentials between the InfoSphere Information Server user registry and the local operating system user registry on the computer where the engine is installed.

InfoSphere Information Server product modules, such as IBM InfoSphere DataStage®, IBM InfoSphere QualityStage®, and IBM InfoSphere Information Analyzer, require access to the engine and require that engine credentials be configured.

The InfoSphere Information Server engine requires valid user credentials for each InfoSphere Information Server user that needs to access the engine. User credentials are stored in a user registry.

If the InfoSphere Information Server engine can share the user registry that InfoSphere Information Server uses, such as an external LDAP registry, then the user credentials for both InfoSphere Information Server and the engine can come from this user registry. If the user registry cannot be shared, you create a mapping between credentials in the user registry that InfoSphere Information Server uses and valid user credentials that exist in the local operating system user registry on the computer where the engine is installed.

Configuring engine security is optional. By default, the installation program uses the internal user registry for InfoSphere Information Server and creates a credential mapping between the InfoSphere Information Server user (isadmin by default) and the engine administrator user (dsadm by default in the dstage group). To use the engine, only one engine user is required. You can assign InfoSphere Information Server users various DataStage roles if you want them to be able to access engine features.

The services tier and the engine can share a local operating system user registry if they are installed on the same computer. If they are installed on separate computers, they can share an external user registry such as a Lightweight Directory Access Protocol (LDAP) or Windows Active Directory user registry. The services tier and the engine cannot share the InfoSphere Information Server internal user registry.

In an installation with more than one InfoSphere Information Server engine, you choose the authentication method separately for each InfoSphere Information Server engine.

Shared user registry overview
If you configure IBM InfoSphere Information Server to use an external user registry, you might be able to share the user registry between InfoSphere Information Server and the InfoSphere Information Server engine.
Credential mapping overview
If IBM InfoSphere Information Server and the InfoSphere Information Server engine do not share the user registry, you must create a mapping between credentials in the user registry that InfoSphere Information Server uses and user credentials that exist in the local operating system user registry on the engine tier computer.
Indicating to InfoSphere Information Server that the user registry is shared
After you have configured the shared user registry, use the IBM InfoSphere Information Server Web console to indicate the new configuration to InfoSphere Information Server.
Credential mapping
Do these tasks to map credentials.
After you share the user registry or define credential mappings, you must give your users access to IBM InfoSphere DataStage and IBM InfoSphere QualityStage.
Setting up security for the Engine File Connector

You can restrict file access on Engine host systems for the Engine File Connector.
