If you want to use the i5/OS user registry to represent the principals who access your WebSphere resources, no special user registry setup is necessary.
The i5/OS user registry is used for authentication of WebSphere users and for authorization of WebSphere users who access WebSphere resources, but not for WebSphere users who access i5/OS resources. A WebSphere application server does not run under the i5/OS user profile of the WebSphere users. Instead, the WebSphere application server runs under the i5/OS profile that is configured by the WebSphere administrator.
If you want to authorize a user for any WebSphere resource, a user profile must exist on the iSeries system for that user. Use the Create User Profile (CRTUSRPRF) command on your iSeries server to create new user IDs that can be used by WebSphere.
As installed, security is disabled for WebSphere Application Server - Express. It is necessary to take these steps to enable security. These steps will set up security based on the local operating system user registry on the iSeries system on which WebSphere Application Server - Express is installed.
Perform these steps in the WebSphere administrative console:
In the navigation menu, click Security --> User Registries --> LocalOS.
Enter a valid iSeries user profile name in the Server User ID field. The Server User ID specifies the iSeries user profile to use when the server authenticates to the underlying operating system. This is also the user that has initial authority to access the administrative application through the administrative console. The administrative user ID is common to all user registries.
The administrative user ID is common to all user registries. The administrative ID is a member of the chosen user registry, and it has special privileges in WebSphere Application Server - Express. However, it has no special privileges in the user registry that it represents. In other words, you can select any valid user ID in the registry to use as the administrative user ID (Server User ID).
For the Server User ID field, you can specify any iSeries user profile that meets this criteria:
Note: A group profile is assigned a unique group ID number, which is not assigned to a regular user profile. Run the Display User Profile (DSPUSRPRF) command to determine if the user profile you want to use as the Server User ID has a defined group ID number. If the Group ID field is set to *NONE, the user profile can be used as the administrative user ID.
In the Server User Password field, enter the valid password for the user profile you specified as the Server User ID.
Click OK.
Validation of the user and password does not happen in this panel. Validation is only done when you click OK or Apply in the Global Security panel. If you are in the process of enabling security for the first time, complete the other steps and then go to the Global Security panel, make sure that Local OS is selected as the Active User Registry. If your changes are not validated the server may not be able to start.
Note: Until you authorize other users to perform administrative functions, you can only access the administrative console with the Server User ID and Password you specified. For more information, see Assign users to administrative roles.