Windows

Enabling security with an operating system user registry

WebSphere Application Server global security can be configured to use the operating system user registry as its user registry.

Procedure

In the WebSphere Application Server Administration Console, modify the global security settings.
  1. Log on to Windows as a user with administrative authority.
  2. Start the WebSphere Application Server administration server.
  3. Open the WebSphere Integrated Solutions Console.
  4. Click Security and go to Global security. Under Available realm definitions, select Local operating system and click Configure.
  5. Enter the primary administrative user name. Ensure that this ID has operating system administrative privileges.
  6. Enter your server user identity:
    1. Select Automatically generated server identity.
    2. Click Apply and then Save.
  7. Go back to Global security.
    1. Select Enable administrative security.
    2. Optional: You can enable application security. However, it is not a recommended approach due to performance implications.
      To enable application security:
      1. Select Enable Application Security.
    3. Clear the selection of the Use Java 2 security to restrict application access to local resources option.
    4. Click Apply and then Save.
  8. Complete the following steps if you selected Enable application security:
    • In the navigation pane, click Applications > Application Types > WebSphere enterprise applications
      1. Click Security role to user/group mapping.
      2. Select WCSecurityRole and click Look up users and locate the user whose role you want to map.
        Note: This user is the primary administrative user name that is specified in step 2e.
      3. Click OK and then Save.
      4. Click User RunAs roles.
      5. Select WCSecurityRole and specify the user name and password.
      6. Click Apply.
      7. Click OK and then Save.
    • WebSphere Commerce Developer
      1. Open WebSphere Commerce Developer.
      2. Open the META-INF\ibm-application-bnd.xml file in the WebSphere Commerce EAR project. Click the Design view.
      3. Expand and select Security Role (WCSecurityRole).
      4. Click Add, select User and click OK.
      5. Under the Details heading, enter the distinguished name of the RunAs ID user.
      6. Save your changes.
  9. Open the Configuration Manager.
    1. Select WebSphere Commerce > node_name > Commerce > Instance List > instance_name > Instance Properties > Security.
    2. Optional: If you enable application security, select the Enable Application Security check box. Click Yes to any confirmation prompts that appear.
    3. Optional: If you enable application security, select Operating System User Registry. Click Yes to any confirmation prompts that appear.
    4. Optional: If you enable application security, enter the user ID and password for the user with the WCSecurityRole that you previously specified.
    5. Select the Enable Administrative Security check box.
    6. Enter the Server user ID and password that you use to log in to the WebSphere Application Server administrative console.
    7. Click Apply.
    8. Close the Configuration Manager.
  10. Alternately, for WebSphere Commerce Developer:
    1. Modify the wc-server.xml file by completing these steps:
      1. Open a command-line utility and go to the directory WCDE_installdir/bin.
      2. Use the wcs_encrypt command to generate an encrypted string of your password. Record the ASCII encrypted string.
      3. Open the file WC_eardir/xml/config/wc-server.xml
      4. Update the Security section:
        <Security  AdminPwd="OSUserPassword"
                   AdminUser="OSUserName"
                   AuthMode="OS"
                   Realm=""
                   RunAsID=""
                   RunAsPwd=""
                   enabled="false"
                   enabledGlobal="true"
                   passwordpolicy="true" />
        where:
        OSUserPassword
        The encrypted password that is generated by the wcs_encrypt command for the primary administrative user name that is specified in step 6e.
        OSUserName
        The WebSphere Application Server global security user ID for the primary administrative user name that is specified in step 6e.
      5. Optional: If application security is enabled, you must update the Security section with the following values, marked in bold:
        <Security  AdminPwd="WASAdminPassword"
                   AdminUser="WASAdminUserName"
                   AuthMode=""
                   Realm=""
                   RunAsID="RunAsUserID"
                   RunAsPwd="RunAsUserPassword"
                   enabled="true"
                   enabledGlobal="true"
                   passwordpolicy="true" />
        where:
        RunAsUserID
        The user ID of the user in the operating system that is given the WCSecurityRole.
        RunAsUserPassword
        The ASCII encrypted string that is generated by the preceding wcs_encrypt command, for the RunAs user's password.
      6. Save your changes and close the file.
    2. Manually configure these additional WebSphere Application Server security properties:
      1. Configure the WebSphere Commerce Test Server properties.
        1. Right-click on the server and select Open.
        2. Go to the Security panel.
        3. Select Security is enabled on this server.
        4. Enter the user ID and plain-text password for the current active authentication settings.
          Note: For the user ID and password, use the same as the WebSphere Application Server Primary Administrative User provided in previous steps.
  11. Restart your WebSphere Commerce instance.
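
A check for the edited Security section of wc-server.xml, added here as an example and not IBM's code: it applies the rules visible in the two snippets above (placeholders replaced, enabledGlobal set to true, RunAs values present when enabled is true, AuthMode set to OS otherwise). The function name and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Placeholder tokens used in the procedure's snippets; none may survive editing.
PLACEHOLDERS = {"OSUserPassword", "OSUserName", "WASAdminPassword",
                "WASAdminUserName", "RunAsUserID", "RunAsUserPassword"}


def check_security(xml_text):
    """Return a list of findings for the <Security> element in xml_text."""
    root = ET.fromstring(xml_text)
    sec = root if root.tag == "Security" else root.find(".//Security")
    if sec is None:
        return ["no <Security> element found"]
    attrs = {k: v.strip() for k, v in sec.attrib.items()}
    findings = []

    for name in ("AdminUser", "AdminPwd", "RunAsID", "RunAsPwd"):
        value = attrs.get(name, "")
        if value in PLACEHOLDERS:
            findings.append(f"{name} still holds the placeholder {value!r}")
    for name in ("AdminUser", "AdminPwd"):
        if not attrs.get(name):
            findings.append(f"{name} is empty")
    if attrs.get("enabledGlobal") != "true":
        findings.append("enabledGlobal is not 'true'")

    if attrs.get("enabled") == "true":
        # Application security: the RunAs identity must be filled in.
        for name in ("RunAsID", "RunAsPwd"):
            if not attrs.get(name):
                findings.append(f"{name} is empty but enabled='true'")
    elif attrs.get("AuthMode") != "OS":
        # Administrative security only: the snippet above sets AuthMode="OS".
        findings.append("AuthMode is not 'OS'")
    return findings


# Constructed samples; user names and the encrypted string are made up.
ADMIN_ONLY = ('<Security AdminPwd="constructed-encrypted-string" '
              'AdminUser="wasadmin" AuthMode="OS" Realm="" RunAsID="" '
              'RunAsPwd="" enabled="false" enabledGlobal="true" '
              'passwordpolicy="true" />')
INCOMPLETE = ('<Security AdminPwd="constructed-encrypted-string" '
              'AdminUser="wasadmin" AuthMode="" Realm="" RunAsID="RunAsUserID" '
              'RunAsPwd="" enabled="true" enabledGlobal="true" '
              'passwordpolicy="true" />')

if __name__ == "__main__":
    for label, sample in (("ADMIN_ONLY", ADMIN_ONLY), ("INCOMPLETE", INCOMPLETE)):
        print(label, check_security(sample) or "ok")
```

Pass the full contents of wc-server.xml or just the Security element; an empty list means none of these checks fired.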

What to do next

If you are working in your WebSphere Commerce Developer development environment and you enabled application security, you must also enable application security on your search server. For more information, see Securing the WebSphere Commerce Search server.