Selecting a registry or repository
During profile creation, either during installation or post-installation, administrative security is enabled by default. The file-based federated user repository is configured as the active user registry.
WebSphere Application Server provides implementations that support multiple types of registries and repositories including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.
With WebSphere Application Server, a user registry or a repository, such as a federated repository, authenticates a user and retrieves information about users and groups to perform security-related functions including authentication and authorization.
With WebSphere Application Server, a user registry or repository is used for:
Authenticating a user using basic authentication, identity assertion, or client certificates.
Retrieving information about users and groups to perform security-related administrative functions, such as mapping users and groups to security roles.
In addition to local operating system, LDAP, and Federated repository registries, WebSphere Application Server also provides a plug-in to support any registry by using the custom registry feature. The custom registry feature enables you to configure any user registry that is not made available through the security configuration panels of the WebSphere Application Server.
Configuring the correct registry or repository is a prerequisite to assigning users and groups to roles for applications. When a user registry or repository is not configured, the local operating system registry is used by default. If your choice of user registry is not the local operating system registry, you need to first configure the registry or repository, which is normally done as part of enabling security, restart the servers, and then assign users and groups to roles for all your applications.
WebSphere Application Server supports the following types of user registries:
Local operating system
Standalone Lightweight Directory Access Protocol (LDAP) registry
Standalone custom registry
The UserRegistry interface is used to implement both the custom registry and the federated repository options for the user account repository. The interface is helpful in situations where the current user and group information exists in some other format, for example a database, and cannot be moved to a local operating system or LDAP registry. In such a case, you can implement the UserRegistry interface so that WebSphere Application Server can use the existing registry for all security-related operations. Implementing a custom registry is a software implementation effort, and the implementation is expected not to depend on WebSphere Application Server resource management for its operation. For example, you cannot use an Application Server data source configuration; you generally must open database connections and control their behavior directly in your own code.
Federated repositories enable you to use multiple repositories with WebSphere Application Server. These repositories, which can be file-based repositories, LDAP repositories, or a sub-tree of an LDAP repository, are defined and logically combined under a single realm. The individual user repositories that are configured under the federated repository functionality are invisible to WebSphere Application Server, which sees only the single realm.
When you use the federated repositories functionality, all of the configured repositories, which you specify as part of the federated repository configuration, become active. The user ID, and the distinguished name (DN) for an LDAP repository, must be unique across all of the user repositories that are configured under the same federated repository configuration. For example, there might be three different repositories that are configured for the federated repositories configuration: Repository A, Repository B, and Repository C. When user1 logs in, the federated repository adapter searches each of the repositories for all occurrences of that user. If multiple instances of that user are found in the combined repositories, an error message is displayed.
In addition, the federated repositories functionality in WebSphere Application Server supports the logical joining of entries across multiple user repositories when the Application Server searches and retrieves entries from the repositories. For example, when an application requests a sorted list of people whose age is greater than twenty, WebSphere Application Server searches all of the repositories in the federated repositories configuration. The results are combined and sorted before the Application Server returns them to the application.
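The two behaviors described in the preceding paragraphs, the uniqueness rule applied at login and the logical join of search results across repositories, are modelled in the following added example. It is constructed illustration code, not WebSphere Application Server code and not the federated repository adapter itself; the repository names, user entries, DNs and ages are made up, and the Repository and FederatedRealm classes are hypothetical stand-ins for the real adapter.

```python
"""Constructed model of the federated-repositories lookup rules.

This is illustration code, not WebSphere code. It shows two behaviours the
text describes: (1) a user ID must be unique across all repositories in the
realm, so a login that matches entries in more than one repository fails
instead of silently picking one of them, and (2) a search runs against every
repository and the results are joined and sorted before being returned.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


class AmbiguousUserError(Exception):
    """The same user ID exists in more than one repository of the realm."""


class UserNotFoundError(Exception):
    """No repository in the realm contains the user."""


@dataclass
class Entry:
    uid: str   # login name (user ID)
    dn: str    # distinguished name, as an LDAP repository would hold it
    age: int   # sample attribute used by the search example


@dataclass
class Repository:
    """One repository in the realm (file-based, LDAP, or an LDAP sub-tree)."""
    name: str
    entries: List[Entry] = field(default_factory=list)

    def find_user(self, uid: str) -> List[Entry]:
        return [e for e in self.entries if e.uid == uid]

    def search(self, predicate: Callable[[Entry], bool]) -> List[Entry]:
        return [e for e in self.entries if predicate(e)]


class FederatedRealm:
    """Hypothetical stand-in for the federated repository adapter."""

    def __init__(self, repositories: List[Repository]):
        self.repositories = list(repositories)

    def login(self, uid: str) -> Entry:
        """Search every repository for uid and fail if it occurs more than once."""
        hits: List[Tuple[str, Entry]] = []
        for repo in self.repositories:
            hits.extend((repo.name, e) for e in repo.find_user(uid))
        if not hits:
            raise UserNotFoundError(uid)
        if len(hits) > 1:
            where = ", ".join(name for name, _ in hits)
            raise AmbiguousUserError(f"user {uid!r} found in more than one repository: {where}")
        return hits[0][1]

    def search(self, predicate: Callable[[Entry], bool]) -> List[Entry]:
        """Logical join: query every repository, then combine and sort the results."""
        combined: List[Entry] = []
        for repo in self.repositories:
            combined.extend(repo.search(predicate))
        return sorted(combined, key=lambda e: (e.uid, e.dn))


def build_sample_realm() -> FederatedRealm:
    """Constructed sample data: three repositories, with user1 present in A and C."""
    repo_a = Repository("Repository A", [
        Entry("user1", "uid=user1,ou=people,o=repoA", 34),
        Entry("alice", "uid=alice,ou=people,o=repoA", 19),
    ])
    repo_b = Repository("Repository B", [
        Entry("bob", "uid=bob,ou=people,o=repoB", 42),
    ])
    repo_c = Repository("Repository C", [
        Entry("user1", "uid=user1,ou=people,o=repoC", 27),
        Entry("carol", "uid=carol,ou=people,o=repoC", 25),
    ])
    return FederatedRealm([repo_a, repo_b, repo_c])


def login_result(realm: FederatedRealm, uid: str) -> str:
    """Classify a login attempt as 'ok', 'ambiguous' or 'not-found'."""
    try:
        realm.login(uid)
        return "ok"
    except AmbiguousUserError:
        return "ambiguous"
    except UserNotFoundError:
        return "not-found"


def people_older_than(realm: FederatedRealm, age: int) -> List[str]:
    """Sorted user IDs from all repositories whose age exceeds the threshold."""
    return [e.uid for e in realm.search(lambda e: e.age > age)]


if __name__ == "__main__":
    sample = build_sample_realm()
    print(login_result(sample, "bob"))      # ok
    print(login_result(sample, "user1"))    # ambiguous
    print(people_older_than(sample, 20))    # ['bob', 'carol', 'user1', 'user1']
```

The duplicated user1 is the case to watch for when several directories are joined into one realm: the model refuses the login rather than guessing which entry is meant, which is the behavior the text describes, and the search result shows why, since both user1 entries are returned by the join.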
Unlike the local operating system, standalone LDAP registry, or custom registry options, federated repositories provide user and group management with read and write capabilities. When you configure federated repositories, you can use one of the following methods to add, create, and delete users and groups:
Use the user management application programming interfaces (API).
Use the administrative console. To manage users and groups within the administrative console, click Users and Groups > Manage Users or Users and Groups > Manage Groups. For information on user and group management, click the Help link that displays in the upper right corner of the window. From the left navigation pane, click Users and Groups.
Use wsadmin commands. For more information, see the WIMManagementCommands command group for the