Local operating system registries

With the registry implementation for the local operating system, the WebSphere® Application Server authentication mechanism can use the user accounts database of the local operating system.

If you want to use the local operating system registry to represent the principals who access your WebSphere Application Server resources, you do not have to complete any special user registry setup steps. The local operating system registry is used for authentication and authorization of users who access WebSphere Application Server resources, but not for WebSphere Application Server users who access operating system resources. WebSphere Application Server does not run under the operating system user profile of Application Server users. Instead, WebSphere Application Server runs under the operating system profile that is configured by the Application Server administrator.

If you want to authorize a user for any WebSphere Application Server resource, a user profile for that user must exist in the operating system. Use the Create User Profile (CRTUSRPRF) command to create new user IDs that can be used by WebSphere Application Server.

Do not use a local operating system registry in a WebSphere Application Server environment where application servers are dispersed across more than one machine because each machine has its own user registry.

As mentioned previously, the access IDs taken from the user registry are used during authorization checks. Because these IDs are typically unique identifiers, they vary from machine to machine, even if the exact users and passwords exist on each machine.

Web client certificate authentication is not currently supported when using the local operating system user registry. However, Java™ client certificate authentication does function with a local operating user registry. Java client certificate authentication maps the first attribute of the certificate domain name to the user ID in the user registry.

Even though Java client certificates function correctly, the following error displays in the SystemOut.log file:

CWSCJ0337E: The mapCertificate method is not supported

The error is intended for Web client certificates; however, it also displays for Java client certificates. Ignore this error for Java client certificates.

Using either the local or the domain user registry

If you want to access users and groups from either the local or the domain user registry, instead of both, set the com.ibm.websphere.registry.UseRegistry property. This property can be set to either local or domain. When this property is set to local (case insensitive), only the local user registry is used. When this property is set to domain (case insensitive), only the domain user registry is used.

Set this property by completing the following steps to access the Custom Properties panel in the administrative console:
  1. Click Security > Global security.
  2. Under User account repository, click the Available realm definitions drop-down list, select Local operating system, and click Configure.
  3. Under Additional properties, click Custom properties.
You can also use wsadmin to configure this property. When the property is set, the privilege requirement for the user who is running the product process does not change. For example, if this property is set to local, the user that is running the process requires the same privilege as if the property were not set.
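The following wsadmin (Jython) script is an added example, not part of the IBM documentation, showing how the UseRegistry custom property described above can be set on the Local operating system registry from the command line instead of the console. The property name and values come from the page; the wsadmin configuration type names (LocalOSUserRegistry, Property) and the use of sys.argv for script arguments are assumptions about the wsadmin environment.

```jython
# Added example (not from the IBM page): set com.ibm.websphere.registry.UseRegistry
# on the Local operating system registry using wsadmin in Jython mode, e.g.
#   wsadmin -lang jython -f set_use_registry.py local
# AdminConfig is injected by wsadmin; the config type names are assumptions.
import sys

PROP_NAME = 'com.ibm.websphere.registry.UseRegistry'

def set_use_registry(value):
    # The page says the value is case insensitive; normalise it anyway and
    # refuse anything other than the two documented values.
    value = value.lower()
    if value not in ('local', 'domain'):
        raise ValueError("UseRegistry must be 'local' or 'domain', got: %s" % value)

    regIds = AdminConfig.list('LocalOSUserRegistry').splitlines()
    if not regIds:
        raise RuntimeError('No LocalOSUserRegistry found in security.xml')
    regId = regIds[0]

    # Reuse an existing custom property instead of creating a duplicate,
    # which would leave the effective value ambiguous.
    existing = None
    for propId in AdminConfig.list('Property', regId).splitlines():
        if AdminConfig.showAttribute(propId, 'name') == PROP_NAME:
            existing = propId
            break

    if existing:
        AdminConfig.modify(existing, [['value', value]])
    else:
        AdminConfig.create('Property', regId, [['name', PROP_NAME], ['value', value]])

    # Persist to the master configuration; the OS privilege needed by the
    # process user is unchanged by this property (see the text above).
    AdminConfig.save()
    return regId

# Assumption: wsadmin exposes script arguments (after the -f script) in sys.argv.
if len(sys.argv) != 1:
    print 'Usage: wsadmin -lang jython -f set_use_registry.py local|domain'
else:
    print 'Set %s on %s' % (PROP_NAME, set_use_registry(sys.argv[0]))
```

In a Network Deployment cell, follow the save with a node synchronisation and restart the servers so the registry change takes effect.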

Using system user registries

The following notes apply when you use system user registries:




Last updated: Oct 20, 2010 11:50:58 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-base-iseries&topic=cseclocalos
File name: csec_localos.html