Local operating system user registry settings

Use this page to configure local operating system user registry settings.

To view this administrative console page, complete the following steps:
  1. Click Security > Global security.
  2. Under User registries, click Local OS.

Custom properties [z/OS]

Under the Custom properties link, you can add a value for the com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property. Set this property to turn ICH408I messages on or off. The default value for this property is false, which does not suppress messages. You can set this value to true to suppress the ICH408I messages.

This property affects access violation message generation for both application-defined roles and for WebSphere Application Server Runtime roles for the naming and administrative subsystems. System Management Facility (SMF) records are unaffected by this property. EJBROLE profile checks are done for both declarative (deployment descriptors) and programmatic checks:
  • Declarative checks are coded as security constraints in Web applications and in the deployment descriptors of enterprise beans. This property does not control messages in this case. Instead, a set of roles is permitted, and if an access violation occurs, an ICH408I access violation message indicates a failure for one of the roles and SMF logs a single access violation for that role.
  • Programmatic checks (access checks in application logic) use isCallerInRole(x) for enterprise beans or isUserInRole(x) for Web applications. The com.ibm.security.SAF.EJBROLE.Audit.Messages.Suppress property controls the messages that are generated by these calls.
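The messages the Suppress property turns off are the ICH408I lines RACF writes for each failed EJBROLE check, and a programmatic isUserInRole() loop produces one per role it probes. The following added example (not code from this page or from WebSphere) parses such messages and summarizes EJBROLE denials per user, which is what an operations team would aggregate before deciding to suppress them. The log text is constructed to follow the general ICH408I layout; the user IDs, group, and the BBOCELL.* profile names are assumptions, not values the page documents.

```python
"""Parse constructed RACF ICH408I access-violation messages and summarize
EJBROLE failures per user.  Added example, not WebSphere or RACF code; the
sample text below is constructed to follow the general ICH408I layout."""
import re
from collections import defaultdict

# Constructed sample: JDOE is denied three distinct EJBROLE profiles (the
# pattern an isUserInRole() loop produces), ASMITH fails once, and one
# non-EJBROLE violation is present to show it is filtered out.
SAMPLE_LOG = """\
ICH408I USER(JDOE    ) GROUP(WASUSER ) NAME(JOHN DOE            )
  BBOCELL.ADMIN CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM BBOCELL.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(JDOE    ) GROUP(WASUSER ) NAME(JOHN DOE            )
  BBOCELL.AUDITOR CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM BBOCELL.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(JDOE    ) GROUP(WASUSER ) NAME(JOHN DOE            )
  BBOCELL.OPERATOR CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM BBOCELL.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(ASMITH  ) GROUP(WASUSER ) NAME(ANN SMITH           )
  BBOCELL.ADMIN CL(EJBROLE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM BBOCELL.* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(JDOE    ) GROUP(WASUSER ) NAME(JOHN DOE            )
  SYS1.PARMLIB CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  FROM SYS1.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

# First line of every message: user and group, padded inside parentheses.
HEADER_RE = re.compile(r"^ICH408I USER\((?P<user>[^)]*)\) GROUP\((?P<group>[^)]*)\)")
# Second line: the profile that was checked and its RACF class.
RESOURCE_RE = re.compile(r"^\s+(?P<profile>\S+) CL\((?P<cls>[^)]*)\)")


def parse_ich408i(text):
    """Return one dict per ICH408I message: user, group, profile, class."""
    events = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"user": m["user"].strip(), "group": m["group"].strip()}
            continue
        m = RESOURCE_RE.match(line)
        if m and current is not None and "profile" not in current:
            current["profile"] = m["profile"]
            current["class"] = m["cls"].strip()
            events.append(current)
    return events


def ejbrole_failures_by_user(events):
    """Map user ID -> set of EJBROLE profiles that user was denied."""
    denied = defaultdict(set)
    for ev in events:
        if ev["class"] == "EJBROLE":
            denied[ev["user"]].add(ev["profile"])
    return denied


def users_probing_roles(denied, threshold=3):
    """Users denied at least `threshold` distinct EJBROLE profiles."""
    return sorted(u for u, roles in denied.items() if len(roles) >= threshold)


if __name__ == "__main__":
    denied = ejbrole_failures_by_user(parse_ich408i(SAMPLE_LOG))
    for user, roles in sorted(denied.items()):
        print(user, sorted(roles))
    print("probing:", users_probing_roles(denied))
```

With Suppress set to true, the three JDOE messages from the programmatic checks would never be written, so a parser like this loses that signal; the SMF records, which the property does not affect, remain the authoritative audit trail.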

force.credential.creation.for.validation

[z/OS]

This property controls whether an ID assertion login creates a new ACEE (accessor environment element) for the user or reuses the ACEE found for that user in the cache. Creating the ACEE validates the user against the registry, so no ACEE is available for a user that has been revoked; a cached ACEE, by contrast, can still be reused after the user is revoked. However, if you force the creation of credentials all of the time, performance can be affected.
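The trade-off behind this property, as an added example rather than WebSphere or RACF code: a stand-in registry that can revoke users, a per-user ACEE cache, and an ID-assertion login that either reuses the cached ACEE or forces a fresh one. The user IDs, the cache TTL, and the choice to evict a cached entry when creation fails are assumptions made for the illustration.

```python
"""Toy model of the trade-off behind force.credential.creation.for.validation.
Added example, not WebSphere or RACF code: a stand-in registry that can revoke
users, a per-user cache of ACEEs, and an ID-assertion login that either reuses
a cached ACEE or forces a fresh one.  User IDs, the TTL and the
eviction-on-failure behaviour are assumptions made for the illustration."""


class RevokedUser(Exception):
    """Raised when the registry refuses to build an ACEE for a user."""


class Registry:
    """Stand-in for SAF: knows which user IDs exist and which are revoked."""

    def __init__(self, users):
        self.users = set(users)
        self.revoked = set()
        self.calls = 0  # number of (expensive) ACEE creations requested

    def create_acee(self, user, now):
        self.calls += 1
        if user not in self.users or user in self.revoked:
            raise RevokedUser(user)
        return {"user": user, "created": now}


class AceeCache:
    """ACEE cache consulted during ID assertion logins."""

    def __init__(self, registry, ttl_seconds=600):
        self.registry = registry
        self.ttl = ttl_seconds
        self.cache = {}

    def id_assertion_login(self, user, now, force_creation=False):
        acee = self.cache.get(user)
        if not force_creation and acee and now - acee["created"] < self.ttl:
            return acee  # cache hit: no registry call, so no revocation check
        try:
            acee = self.registry.create_acee(user, now)
        except RevokedUser:
            self.cache.pop(user, None)  # assumption: drop the stale entry
            raise
        self.cache[user] = acee
        return acee


def outcome(fn):
    """Map a login attempt to 'granted' or 'denied'."""
    try:
        fn()
        return "granted"
    except RevokedUser:
        return "denied"


def demo():
    reg = Registry(["JDOE", "ASMITH"])
    cache = AceeCache(reg, ttl_seconds=600)
    results = {}

    # JDOE logs in once, then is revoked in the registry.
    cache.id_assertion_login("JDOE", now=0)
    reg.revoked.add("JDOE")

    # Default path: the cached ACEE is reused although JDOE is revoked.
    results["cached_after_revoke"] = outcome(
        lambda: cache.id_assertion_login("JDOE", now=20))
    # Only once the cached entry expires does the login reach the registry.
    results["expired_after_revoke"] = outcome(
        lambda: cache.id_assertion_login("JDOE", now=700))
    # Forced creation reaches the registry immediately and is denied.
    results["forced_after_revoke"] = outcome(
        lambda: cache.id_assertion_login("JDOE", now=20, force_creation=True))

    # Performance side: five forced logins cost five registry calls,
    # five cached logins within the TTL cost none.
    before = reg.calls
    for t in range(100, 105):
        cache.id_assertion_login("ASMITH", now=t, force_creation=True)
    results["forced_registry_calls"] = reg.calls - before
    before = reg.calls
    for t in range(105, 110):
        cache.id_assertion_login("ASMITH", now=t)
    results["cached_registry_calls"] = reg.calls - before
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The window in which a revoked user keeps working is the cache lifetime; forcing creation closes that window at the cost of one registry call per login, which is the performance effect the text warns about.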

disable.principal.case.preservation

[z/OS]

Setting this property forces the principals returned by getRemoteUser() and getUserPrincipal() calls to uppercase.

If this property is not set, WebSphere Application Server uses the existing case.

Configuration tab

Server user ID

[AIX HP-UX Linux Solaris Windows]

Specifies a valid user ID in the local OS registry.

This ID is the security server ID, which is only used for WebSphere Application Server security and is not associated with the system process that runs the server. The server calls the local OS user registry to authenticate and obtain privilege information about users by calling the native APIs in that particular user registry.

[AIX HP-UX Linux Solaris Windows] [z/OS] Access to native APIs is normally restricted to users with special privileges. To use security in the application server, the process ID (not the security server ID) under which WebSphere Application Server runs requires enough privilege to call the system APIs; on Windows, for example, the process running WebSphere Application Server must be a member of the Administrators group.

[Windows] The process must have the Act as part of operating system privilege.

[AIX HP-UX Solaris] The process must be root or have root authority.

[Windows] Note: If you are configuring local OS security and you encounter the A required privilege is not held by the client error message, you must follow the documented procedure to give the user that privilege. To set the privilege, click Start > Settings > Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Act as part of the operating system.

[Windows] When using a Windows platform user registry, this ID cannot match the name of the Windows machine. Windows platforms treat the machine name bob as if it were an account similar to the user bob.

Data type: String
Units: Alphanumeric characters

Server user password

[AIX HP-UX Linux Solaris Windows]

Specifies a valid user password that corresponds to a valid user ID in the local OS user registry.

Data type: String

Ignore case for authorization

[z/OS]

When this option is set to true, a case insensitive authorization check is performed.

SAF user IDs are usually in uppercase letters. Enabling this option is necessary only when your registry is case insensitive and does not provide a consistent case when queried for users and groups.

Related tasks
Configuring local operating system user registries
Reference topic

Last updated: Sep 20, 2010 11:08:29 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=usecrpseclos
File name: usec_rpseclos.html