ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/sec/seccur.htm

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Configure a user registry</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="seccur"></a>Configure a user registry</h4>
<p>Though different types of user registries are supported, only one active registry can be used by all of the processes in WebSphere Application Server - Express. Configuring the correct registry is a prerequisite to assigning users and groups to roles for applications. LocalOS is the default registry. However, you still need to configure the registry as the first step in enabling global security, after which you restart the servers, and then assign users and groups to roles for all your applications. For more information, see <a href="secdpmap.htm">Assign users and groups to roles</a>.</p>
<p>If you select a different user registry after users and groups are assigned to roles for your applications, it is recommended that you delete all the users and groups from the applications and reassign them after you change the registry. Deleting all the users and groups can be done through the administrative console or through wsadmin scripting.</p>
<p>This wsadmin command removes all the users and groups from any application:</p>
<pre> $AdminApp deleteUserAndGroupEntries <em>yourAppName</em></pre>
<p>where <em>yourAppName</em> is the name of the application. Backing up the old application is advised before performing this operation.</p>
<p>If all of the user and group names are the same in both registries and if the application bindings file does not contain the accessIDs (which are unique for each registry, even for the same user or group name), you may be able to change the registries without having to delete the user and group information. By default, an application does not contain accessIDs in the bindings file (they are generated on the fly when the applications are started). However, if you have migrated an existing application from an earlier release or if you used the wsadmin script to add accessIDs for the applications (to improve performance), you must remove the existing user and group information and add it again after you configure the new registry.</p>
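<p>One way to check both conditions above before switching registries, as an added example that is not part of the original topic or of the product: it scans an application bindings file for stored accessIDs and for user or group names that do not exist in the new registry. The file name <code>ibm-application-bnd.xmi</code>, the element and attribute names, the sample content, and the function names are assumptions made for illustration.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample of an application bindings file (ibm-application-bnd.xmi).
# Element and attribute names are assumptions about the file layout.
SAMPLE_BND = """<applicationbnd:ApplicationBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:applicationbnd="applicationbnd.xmi">
  <authorizationTable>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_1"/>
      <users name="alice" accessId="user:OLDHOST/alice"/>
      <users name="bob"/>
      <groups name="managers" accessId="group:OLDHOST/managers"/>
    </authorizations>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_2"/>
      <groups name="auditors"/>
    </authorizations>
  </authorizationTable>
</applicationbnd:ApplicationBinding>
"""

def find_bindings(xml_text):
    """Return (kind, name, accessId or None, role_ref) for each user/group binding."""
    root = ET.fromstring(xml_text)
    found = []
    for auth in root.iter("authorizations"):
        role = auth.find("role")
        role_ref = role.get("href", "") if role is not None else ""
        for kind in ("users", "groups"):
            for entry in auth.findall(kind):
                found.append((kind, entry.get("name"), entry.get("accessId"), role_ref))
    return found

def registry_switch_report(xml_text, new_registry_names):
    """Flag bindings that pin an old-registry accessID or name a missing principal."""
    pinned, missing = [], []
    for kind, name, access_id, _ in find_bindings(xml_text):
        if access_id:  # accessID is unique per registry, so it will not match the new one
            pinned.append((kind, name, access_id))
        if name not in new_registry_names:  # name has no counterpart in the new registry
            missing.append((kind, name))
    return {"pinned": pinned, "missing": missing,
            "delete_and_reassign": bool(pinned or missing)}

if __name__ == "__main__":
    report = registry_switch_report(SAMPLE_BND, {"alice", "bob", "managers"})
    for key, value in report.items():
        print(key, value)
```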
<p>The administrative user ID is common to all user registries. The administrative ID is a member of the chosen user registry, and it has special privileges in WebSphere Application Server - Express. However, it has no special privileges in the user registry that it represents. In other words, you can choose any user ID in the registry to use as the administrative user ID. However, for LDAP user registries, ensure that the administrative user ID is a member of the registry and is not the LDAP administrative ID. Also, for LDAP registries, the member you use must be searchable.</p>
<p>See these topics for instructions about configuring particular types of user registries:</p>
<blockquote>
<p><strong><a href="seccloc.htm">Configure the local operating system user registry</a></strong>
<br>If you want WebSphere security to use i5/OS user profiles to perform authentication, see this topic for instructions.</p>
<p><strong><a href="seccldap.htm">Configure the LDAP user registry</a></strong>
<br>If you want to use a supported third-party user registry, see this topic.</p>
<p><strong><a href="secccur.htm">Configure the custom user registry</a></strong>
<br>If your user registry product is not one of the officially supported registries or if you want to create your own registry, see this topic for more information.</p>
</blockquote>
</body>
</html>