Local operating system user registries

With the user registry implementation for the local operating system, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.

A local OS user registry is a centralized registry within a sysplex.

WebSphere Application Server uses the System Authorization Facility (SAF) interfaces. SAF interfaces are defined by MVS to enable applications to use system authorization services or user registries to control access to resources such as data sets and MVS commands. SAF allows security authorization requests to be processed directly through the Resource Access Control Facility (RACF) or a third party z/OS security provider. You must provide a mapping from a user registry identity to a SAF user ID unless you select local operating system as the user registry. For more information, see Custom System Authorization Facility mapping modules.

Web client certificate authentication is supported when using the local operating system user registry. Digital certificates can be mapped to MVS identities by both Web and Java clients when you select Local OS. A certificate name filter can be used to simplify the mapping. If you are using RACF as the security server, the RACDCERT MAP command creates a resource profile that maps multiple user identities to a digital certificate to simplify administration of certificates, conserve storage space in the RACF database, maintain accountability, or maintain access control granularity.

Using system user registries

The following notes apply when you use system user registries:
  • To create the shadow file, run the pwconv command (with no parameters). This command creates an /etc/shadow file from the /etc/passwd file. After creating the shadow file, you can enable local operating system security successfully.
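As an added example that is not part of the IBM page, the following pre-flight check reports accounts whose password hash (or an empty password) is still held inline in a passwd-format file, which is exactly the condition pwconv resolves by moving hashes into /etc/shadow. It runs only against a constructed sample file, never against the real /etc/passwd.

```shell
#!/bin/sh
# Added example: check whether a passwd-format file is fully shadowed
# before enabling Local OS security. After pwconv, field 2 of every entry
# is "x"; a lock marker ("*", "!", "!!") is also acceptable. Anything else
# is an inline hash or an empty password and is reported.
set -eu

# Print the names of accounts that are not shadowed.
# $1 = path to a passwd-format file. Exit 0 if all entries are shadowed.
unshadowed_accounts() {
    awk -F: '
        NF >= 7 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" {
            print $1; found = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Write a constructed sample passwd file to $1 (not a real system database).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
wasadmin:$6$saltsalt$notarealhashvalue:1001:1001:WebSphere admin:/home/wasadmin:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svcacct:!:1002:1002:locked service account:/var/svc:/usr/sbin/nologin
EOF
}

SAMPLE=$(mktemp)
write_sample_passwd "$SAMPLE"
if unshadowed_accounts "$SAMPLE"; then
    echo "all entries shadowed; Local OS security can be enabled"
else
    echo "run pwconv first: the accounts above still carry inline hashes"
fi
rm -f "$SAMPLE"
```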

Remote user registries

By default, the user registry is local to all of the product processes. Performance is higher because no remote calls are needed, and availability is higher as well, because a failing process does not affect the other processes.

When using Local OS as the user registry, every product process must run with privilege access.

If this process is not practical, you can use a remote user registry from the node or from a cell. Be aware that using a remote user registry affects performance and potentially creates a single point of failure.
Tip: Use remote user registries only in rare situations.

The node and the cell processes are intended for manipulating configuration information; hosting the user registry for all of the application servers adds traffic to those processes and can cause problems.

Using a node agent instead of the cell to host the remote user registry is preferable because the cell process is not designed to be highly available. Using a node to host the remote user registry means that only the application servers in that node use it. Because the node agent does not contain any application code, giving it the required access privilege is not a concern.

You can set up a remote user registry by setting the WAS_UseRemoteRegistry property in the Global Security panel using the Custom Properties link at the bottom of the administrative console panel. The value is case insensitive; use either Cell or Node. If the value is Cell, the cell user registry is used by all of the product processes, including the node agent and all of the application servers. If the cell process goes down for any reason, restart all of the processes after the cell is restarted. If the node agent user registry is to be used as the remote user registry, set the WAS_UseRemoteRegistry value to Node. In this case, all of the application server processes use the node agent user registry, and if the node agent fails and does not start automatically, you might need to restart all of the application servers after the node agent is started.

Related concepts
Simple WebSphere authentication mechanism
User registries


Last updated: Aug 29, 2010 8:25:23 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-zos&topic=cseclocalos
File name: csec_localos.html