EIM registry definitions

An Enterprise Identity Mapping (EIM) registry definition is an entry within EIM that you create to represent an actual user registry that exists on a system within the enterprise. A user registry operates like a directory and contains a list of valid user identities for a particular system or application.

A basic user registry contains user identities and their passwords. One example of a user registry is the z/OS® Security Server Resource Access Control Facility (RACF®) registry. User registries can contain other information as well. For example, a Lightweight Directory Access Protocol (LDAP) directory contains bind distinguished names, passwords, and access controls to data that is stored in LDAP. Other examples of common user registries are the principals in a Kerberos realm or user identities in an Windows Active Directory domain, and the IBM® i user profiles registry.

You can also define user registries that exist within other user registries. Some applications use a subset of user identities within a single instance of a user registry. For example, the z/OS Security Server (RACF) registry can contain specific user registries that are a subset of users within the overall RACF user registry.

EIM registry definitions provide information regarding those user registries in an enterprise. The administrator defines these registries to EIM by providing the following information:

  • A unique, arbitrary EIM registry name. Each registry definition represents a specific instance of a user registry. Consequently, you should choose an EIM registry definition name that helps you to identify the particular instance of the user registry. For example, you could choose the TCP/IP host name for a system user registry, or the host name combined with the name of the application for an application user registry. You can use any combination of alphanumeric characters, mixed case, and spaces to create unique EIM registry definition names.
  • The type of user registry. There are a number of predefined user registry types that EIM provides to cover most operating system user registries. These include:
    • AIX®
    • Domino® - long name
    • Domino - short name
    • Kerberos
    • Kerberos - case sensitive
    • LDAP
    • - LDAP - short name
    • Linux®
    • Novell Directory Server
    • - Other
    • - Other - case sensitive
    • IBM i
    • Tivoli® Access Manager
    • RACF
    • Windows - local
    • Windows domain (Kerberos) (This type is case sensitive.)
    • X.509
    Although the predefined registry definition types cover most operating system user registries, you may need to create a registry definition for which EIM does not include a predefined registry type. You have two options in this situation. You can either use an existing registry definition which matches the characteristics of your user registry or you can define a private user registry type. For example in Figure 6, the administrator followed the process required and defined the type of registry as WebSphere LTPA for the System_A_WAS application registry definition.

In Figure 6, the administrator created EIM system registry definitions for user registries representing System A, System B, System C, and a Windows Active Directory that contains users' Kerberos principals with which users log into their desk top workstations. In addition, the administrator created an application registry definition for WebSphere® (R) Lightweight Third-Party Authentication (LTPA), which runs on System A. The registry definition name that the administrator uses helps to identify the specific occurrence of the type of user registry. For example, an IP address or host name is often sufficient for many types of user registries. In this example, the administrator uses System_A_WAS as the application registry definition name to identify this specific instance of the WebSphere LTPA application. He also specifies that the parent system registry for the application registry definition is the System_A registry.

Figure 6: EIM registry definitions for five user registries in an enterprise

Example of EIM registry definitions
Note: To further reduce the need to manage user passwords, the administrator in Figure 6 sets the IBM i user profile passwords on System A and on System C to *NONE. The administrator in this case is configuring a single sign-on environment and the only application that his users work with are EIM-enabled applications such IBM i Access Client Solutions. Consequently, the administrator wants to remove the passwords from their IBM i user profiles so that both the users and he have fewer passwords to manage.