Managing the realm in a federated repository configuration

Follow this topic to manage the realm in a federated repository configuration.

Before you begin

The realm can consist of identities in: Before you configure your realm, review Limitations of federated repositories.

Procedure

  1. Configure your realm by using one of the following topics. You might be configuring your realm for the first time or changing an existing realm configuration.
  2. Configure supported entity types using the steps described in Configuring supported entity types in a federated repository configuration. You must configure supported entity types before you can manage this account with Users and Groups. The Base entry for the default parent determines the repository location where entities of the specified type are placed on a create operation.
  3. Optional: Use one or more of the following tasks to extend the capabilities of storing data and attributes in your realm:
    1. Configure an entry mapping repository using the steps described in Configuring an entry mapping repository in a federated repository configuration. An entry mapping repository is used to store data for managing profiles on multiple repositories.
    2. Configure a property extension repository using the steps described in Configuring a property extension repository in a federated repository configuration. A property extension repository is used to store attributes that cannot be stored in your Lightweight Directory Access Protocol (LDAP) server.
    3. Set up a database repository using wsadmin commands as described in Setting up an entry mapping repository, a property extension repository, or a custom registry database repository using wsadmin commands.
  4. Optional: Use one or more of the following advanced user tasks to extend the capabilities of LDAP repositories in your realm:
  5. Optional: Manage repositories that are configured in your system by following the steps described in Managing repositories in a federated repository configuration.
  6. Optional: Add an external repository into your realm by following the steps described in Adding an external repository in a federated repository configuration.
  7. Optional: Change the password for the repository that is configured under federated repositories by following the steps described in Changing the password for a repository under a federated repositories configuration.

Results

Configuring federated repositories in a mixed-version environment
In a mixed-version deployment manager cell that contains both Version 6.1.x and Version 5.x or 6.0.x nodes, the following limitations apply for configuring federated repositories:
  • You can configure only one Lightweight Directory Access Protocol (LDAP) repository under federated repositories, and the repository must be supported by Version 5.x or 6.0.x.
  • You can specify a realm name that is compatible with prior versions only. The host name and the port number represent the realm for the LDAP server in a mixed-version nodes cell. For example, machine1.austin.ibm.com:389.
  • You must configure a stand-alone LDAP registry; the LDAP information in both the stand-alone LDAP registry and the LDAP repository under the federated repositories configuration must match. During node synchronization, the LDAP information from the stand-alone LDAP registry propagates to the Version 5.x or 6.0.x nodes.
    Important: Before node synchronization, verify that Federated repositories is identified in the Current realm definition field. If Federated repositories is not identified, select Federated repositories from the Available realm definitions field and click Set as current. Do not set the stand-alone LDAP registry as the current realm definition.
  • You cannot configure an entry mapping repository or a property extension repository in a mixed-version deployment manager cell.

Configuring LDAP servers in a federated repository

The default value of the LDAP connection connectTimeout is 20 seconds. The LDAP server should respond to any request from WebSphere Application Server within 20 seconds. If you cannot connect to your LDAP server within this time, make sure that it is running. A connection error is displayed at the top of the LDAP configuration panel when the connection attempt exceeds the 20-second timeout.
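The following preflight check is an added example, not code from this topic or from WebSphere Application Server. It parses a mixed-version realm name of the host:port form shown above, opens a TCP connection with the same 20-second budget as the default connectTimeout, and sends a minimal LDAPv3 anonymous simple bind so that you can confirm the directory answers before saving the configuration. The BER encoder assumes short-form lengths and a message ID below 128, which is sufficient for this one request.

```python
import socket
import time

# WebSphere's default LDAP connectTimeout, as stated in the topic (seconds).
DEFAULT_CONNECT_TIMEOUT = 20


def parse_realm(realm):
    """Split a mixed-version realm name, e.g. machine1.austin.ibm.com:389, into (host, port)."""
    host, sep, port = realm.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("realm must be host:port, got %r" % realm)
    return host, int(port)


def _tlv(tag, payload):
    """Encode one BER tag-length-value; short-form length only (payload < 128 bytes)."""
    assert len(payload) < 128, "short-form BER length only"
    return bytes([tag, len(payload)]) + payload


def build_bind_request(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } } (anonymous bind)."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b"")
    body = _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind)  # 0x60 = [APPLICATION 0]
    return _tlv(0x30, body)


def parse_bind_response(data):
    """Return the resultCode of a BindResponse; 0 is success, 49 is invalidCredentials."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    body = data[2:2 + data[1]]
    pos = 2 + body[1]                      # skip the messageID INTEGER
    if body[pos] != 0x61:                  # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    op = body[pos + 2:pos + 2 + body[pos + 1]]
    if op[0] != 0x0A:                      # ENUMERATED resultCode comes first
        raise ValueError("missing resultCode")
    return int.from_bytes(op[2:2 + op[1]], "big")


def check_ldap(realm, timeout=DEFAULT_CONNECT_TIMEOUT):
    """Connect, bind anonymously and return (resultCode, seconds elapsed) under the timeout."""
    host, port = parse_realm(realm)
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_bind_request())
        response = sock.recv(4096)
    return parse_bind_response(response), time.monotonic() - start
```

A resultCode of 0 (or 49 when anonymous bind is disabled) within the 20-second budget shows the server is reachable and speaking LDAP; a socket timeout reproduces the connection error that the LDAP configuration panel reports.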

Coexisting with Tivoli Access Manager
For Tivoli Access Manager to coexist with a federated repositories configuration, the following limitations apply:
  • You can configure only one LDAP repository under federated repositories, and that LDAP repository configuration must match the LDAP server configuration under Tivoli Access Manager.
  • The distinguished name for the realm base entry must match the LDAP distinguished name (DN) of the base entry within the repository. In WebSphere Application Server, Tivoli Access Manager recognizes the LDAP user ID and LDAP DN for both authentication and authorization. The federated repositories configuration does not include additional mappings for the LDAP user ID and DN.
  • The federated repositories functionality does not recognize the metadata that is specified by Tivoli Access Manager. When users and groups are created under user and group management, they are not formatted using the Tivoli Access Manager metadata. The users and groups must be manually imported into Tivoli Access Manager before you use them for authentication and authorization.

What to do next

  1. After configuring the federated repositories, click Security > Secure administration, applications, and infrastructure to return to the Secure administration, applications, and infrastructure panel. Verify that Federated repositories is identified in the Current realm definition field. If Federated repositories is not identified, select Federated repositories from the Available realm definitions field and click Set as current. To verify the federated repositories configuration, click Apply on the Secure administration, applications, and infrastructure panel. If Federated repositories is not identified in the Current realm definition field, your federated repositories configuration is not used by WebSphere Application Server.
  2. If you are enabling security, complete the remaining steps as specified in Enabling security for the realm. As the final step, validate this setup by clicking Apply in the Secure administration, applications, and infrastructure panel.
  3. Save, stop, and restart all the product servers (deployment managers, nodes, and application servers) for changes in this panel to take effect. If the servers come up without any problems, the setup is correct.




Last updated: Aug 30, 2013 8:21:57 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-express-iseries&topic=twim_managing_realm
File name: twim_managing_realm.html