User registries

In WebSphere Application Server, a user registry authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization. The information about users and groups resides in the user registry, and WebSphere Application Server consults that registry when it makes access control decisions.


With WebSphere Application Server, a user registry is used for:
  • Authenticating a user using basic authentication, identity assertion, or client certificates
  • Retrieving information about users and groups to perform security-related administrative functions, such as mapping users and groups to security roles
The configured authorization engine uses the user, group, and security role mapping information to make access control decisions.

WebSphere Application Server provides several implementations to support multiple types of operating system-based user registries. You can use the custom Lightweight Directory Access Protocol (LDAP) feature to support any LDAP server by setting up the correct configuration. However, product support does not extend to these custom LDAP servers, because too many configuration possibilities exist to validate them all.

[z/OS] If you are configuring an LDAP registry as the active registry, you can configure one of the following authorization mechanisms:
  • System Authorization Facility (SAF) authorization using EJBROLE or GEJBROLE profiles. SAF overrides any other authorization mechanism.
  • Tivoli Access Manager as a Java Contract for Containers (JACC) provider. For more information, see Tivoli Access Manager integration as the JACC provider.
  • User-to-role bindings, which are created by the application assembler or the WebSphere Application Server security administrator.
[z/OS] SAF authorization, which is the use of SAF EJBROLE profiles to assign SAF users and groups to roles, can be used as an authorization mechanism for all user registries. If SAF authorization is selected on the administrative console, you must provide a mapping from a user registry identity to a SAF user ID unless local OS is selected as the user registry. For more information, see Custom System Authorization Facility mapping modules.

[z/OS] These authorization mechanism choices are valid for all user registries, with the exception of Tivoli Access Manager, which is supported for LDAP only.

In addition to Local operating system (local OS) and LDAP registries, WebSphere Application Server also provides a plug-in that supports any user registry through the custom registry feature (also referred to as a custom user registry). The custom registry feature supports any user registry that is not implemented by WebSphere Application Server. You can use any user registry that exists in the product environment by implementing the UserRegistry interface.

The UserRegistry interface is most useful where the current user and group information exists in some other format, such as a database, and cannot be migrated to Local OS or LDAP. In that case, implement the UserRegistry interface so that WebSphere Application Server can use the existing registry for all of its security-related operations. Building a custom registry is a software implementation effort. The implementation must not depend on other WebSphere Application Server resources, for example data sources, for its operation.
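The following Java class is an added example written for this page; it is not IBM's FileRegistrySample or any other product code. It implements com.ibm.websphere.security.UserRegistry as a self-contained in-memory registry, which keeps it free of data sources and other server resources as the text requires. The class name InMemoryUserRegistry, the realm name ExampleRealm, the custom property named realm, and the users alice and bob with their passwords, groups and certificate subject DNs are all constructed for the example. The method set is the UserRegistry interface as published for WebSphere Application Server 7; confirm it against the Javadoc of the release you deploy on.

```java
import com.ibm.websphere.security.*;
import com.ibm.websphere.security.cred.WSCredential;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.regex.Pattern;

public class InMemoryUserRegistry implements UserRegistry {
    // Constructed sample store: user -> {salt, SHA-256(salt || password)}, user -> groups, and
    // certificate subject DN -> user. A real registry fills these from its own backing store.
    private final Map<String, byte[][]> creds = new HashMap<String, byte[][]>();
    private final Map<String, Set<String>> groupsOf = new TreeMap<String, Set<String>>();
    private final Map<String, String> certSubjectToUser = new HashMap<String, String>();
    private final Set<String> groups = new TreeSet<String>();
    private String realm = "ExampleRealm"; // assumed default realm name

    public void initialize(Properties props) throws CustomRegistryException {
        realm = props.getProperty("realm", realm); // "realm" is an assumed custom property name
        addUser("alice", "s3cret-a", "CN=alice,OU=Eng,O=Example", "engineers", "operators");
        addUser("bob", "s3cret-b", "CN=bob,OU=Ops,O=Example", "operators");
    }
    private void addUser(String name, String pw, String subjectDn, String... memberOf) throws CustomRegistryException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        creds.put(name, new byte[][] { salt, digest(salt, pw) }); // only the salted hash is kept
        groupsOf.put(name, new TreeSet<String>(Arrays.asList(memberOf)));
        groups.addAll(Arrays.asList(memberOf));
        certSubjectToUser.put(subjectDn, name);
    }
    private static byte[] digest(byte[] salt, String pw) throws CustomRegistryException {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(pw.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new CustomRegistryException(e.getMessage()); }
    }

    // Basic authentication. Hash even for unknown names and compare in constant time, so the
    // failure path does not tell a caller whether the user exists.
    public String checkPassword(String userSecurityName, String password)
            throws PasswordCheckFailedException, CustomRegistryException {
        byte[][] c = creds.get(userSecurityName);
        byte[] salt = c == null ? new byte[16] : c[0];
        byte[] expected = c == null ? new byte[32] : c[1];
        boolean ok = MessageDigest.isEqual(expected, digest(salt, password == null ? "" : password));
        if (c == null || !ok) throw new PasswordCheckFailedException("authentication failed for " + userSecurityName);
        return userSecurityName;
    }
    // Client-certificate authentication: the end-entity certificate's subject DN selects the user.
    public String mapCertificate(X509Certificate[] chain) throws CertificateMapFailedException {
        String user = (chain == null || chain.length == 0) ? null
                : certSubjectToUser.get(chain[0].getSubjectX500Principal().getName());
        if (user == null) throw new CertificateMapFailedException("no user for presented certificate");
        return user;
    }

    public String getRealm() { return realm; }
    public Result getUsers(String pattern, int limit) { return match(creds.keySet(), pattern, limit); }
    public Result getGroups(String pattern, int limit) { return match(groups, pattern, limit); }
    // The console sends '*' as the wildcard; every other character is matched literally.
    private static Result match(Collection<String> names, String pattern, int limit) {
        Pattern p = Pattern.compile("\\Q" + pattern.replace("*", "\\E.*\\Q") + "\\E");
        List<String> hits = new ArrayList<String>();
        Result r = new Result();
        for (String n : names) {
            if (!p.matcher(n).matches()) continue;
            if (limit > 0 && hits.size() == limit) { r.setHasMore(); break; }
            hits.add(n);
        }
        r.setList(hits);
        return r;
    }

    // This example uses the security name itself as the unique ID for users and groups.
    public boolean isValidUser(String name) { return creds.containsKey(name); }
    public boolean isValidGroup(String name) { return groups.contains(name); }
    public String getUserDisplayName(String name) throws EntryNotFoundException { return require(creds.keySet(), name, "user"); }
    public String getUniqueUserId(String name) throws EntryNotFoundException { return require(creds.keySet(), name, "user"); }
    public String getUserSecurityName(String id) throws EntryNotFoundException { return require(creds.keySet(), id, "user"); }
    public String getGroupDisplayName(String name) throws EntryNotFoundException { return require(groups, name, "group"); }
    public String getUniqueGroupId(String name) throws EntryNotFoundException { return require(groups, name, "group"); }
    public String getGroupSecurityName(String id) throws EntryNotFoundException { return require(groups, id, "group"); }
    public List<String> getGroupsForUser(String name) throws EntryNotFoundException { return new ArrayList<String>(groupsOf.get(require(creds.keySet(), name, "user"))); }
    public List<String> getUniqueGroupIds(String id) throws EntryNotFoundException { return getGroupsForUser(id); }
    public Result getUsersForGroup(String group, int limit) throws EntryNotFoundException {
        require(groups, group, "group");
        List<String> members = new ArrayList<String>();
        for (Map.Entry<String, Set<String>> e : groupsOf.entrySet()) if (e.getValue().contains(group)) members.add(e.getKey());
        return match(members, "*", limit);
    }
    // Deprecated in the interface and not used by the authentication path; nothing to build here.
    public WSCredential createCredential(String userSecurityName) { return null; }
    private static String require(Collection<String> known, String n, String kind) throws EntryNotFoundException {
        if (!known.contains(n)) throw new EntryNotFoundException(kind + " not found: " + n);
        return n;
    }
}
```

Two design points matter for a production registry built on this shape. First, checkPassword returns the security name on success and throws PasswordCheckFailedException otherwise; it runs the hash and a constant-time MessageDigest.isEqual even for unknown names, so response timing does not distinguish a bad password from a non-existent user. Second, the seeding of plaintext passwords in initialize is only there to keep the example self-contained; a real implementation would load pre-computed salted hashes (preferably a slow KDF rather than a single SHA-256 round) from its own store, never from WebSphere data sources, which is why the class holds no references to server resources. To activate it, the compiled class must be on the server's classpath and selected as the realm definition in the administrative console's standalone custom registry settings, with the class name given exactly as above.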

Although WebSphere Application Server supports different types of user registries, only one user registry can be active. This active registry is shared by all of the product server processes.

Related concepts
Custom user registries
Local operating system user registries
Tivoli Access Manager integration as the JACC provider

Last updated: Sep 20, 2010 11:08:29 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=csecregistries
File name: csec_registries.html