Shared user registry overview

If you configure IBM® InfoSphere® Information Server to use an external user registry, you might be able to share the user registry between InfoSphere Information Server and the InfoSphere Information Server engine.

Sharing the user registry allows the application server, InfoSphere Information Server, and the InfoSphere Information Server engine to access the same user names, passwords, and group definitions. When the user registry is shared, authentication to the engine occurs silently by using the same credentials (user ID and password) that the user uses to authenticate with InfoSphere Information Server. In this mode, no credential mapping is required.

Note: There are technical limitations that prevent a shared user registry from working when the system is configured for single sign-on. Applications, such as the Operations Console, that support single sign-on authentication and that require the engine credentials for part of their function will report errors.

You can share the user registry in any of the following scenarios:

  • The engine tier and the services tier are installed on the same computer, and InfoSphere Information Server is configured to use the local operating system user registry. In this case, they can share the local operating system user registry.
    Note: Sharing of the local operating system user registry is not supported in installations that include WebSphere® Application Server clustering.
  • Linux and UNIX: The engine tier and the services tier both use the same Lightweight Directory Access Protocol (LDAP) user registry for authentication. In this scenario, you must configure Pluggable Authentication Module (PAM) for the engine.
  • Windows: The engine tier and the services tier are installed on separate computers, but both use the same Microsoft Windows Active Directory user registry (which is an LDAP user registry) for authentication.
  • Windows: The engine tier and the services tier are installed on separate computers, but the computers are within the same domain. This configuration might have performance issues and is not recommended.
    Note: This configuration is not supported in installations that include WebSphere Application Server clustering.

If the engine tier and services tier cannot share a user registry, you must create a mapping between credentials in the user registry that InfoSphere Information Server is using and valid user credentials that exist in the local operating system user registry on the computer where the engine is installed.

The engine tier cannot use the InfoSphere Information Server internal user registry. If InfoSphere Information Server is configured to use the internal user registry, you must configure credential mapping.
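The two engine authentication paths described above (silent authentication against a shared registry, and credential mapping when the registries differ) can be modelled in a few lines. The following Python is an added illustration, not IBM code; the registry, user, group and password values are constructed, and the class and function names are assumptions made for the example. It shows that with a shared registry the engine verifies the same user ID and password that InfoSphere Information Server already checked, while with an internal (or otherwise unshared) registry a mapping to a valid engine operating-system user is required and login fails if no mapping exists.

```python
"""Model of shared-registry versus credential-mapped engine authentication."""
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(password: str) -> str:
    """Store only a digest of constructed sample passwords (SHA-256 is enough for a model)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Registry:
    """A user registry (local OS, LDAP, or the Information Server internal one)."""
    name: str
    users: dict            # user ID -> password digest
    groups: dict           # group name -> set of user IDs

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _digest(password))


@dataclass
class EngineTier:
    """The engine always authenticates against an operating-system-backed registry."""
    os_registry: Registry
    # Information Server user ID -> (engine OS user, engine OS password); assumed shape
    credential_map: dict = field(default_factory=dict)

    def authenticate(self, is_registry: Registry, user: str, password: str) -> dict:
        if self.os_registry is is_registry:
            # Shared registry: silent authentication with the same credentials, no mapping
            ok = self.os_registry.authenticate(user, password)
            return {"mode": "shared", "engine_user": user if ok else None}
        # Not shared: an explicit mapping to a local OS credential is required
        mapped = self.credential_map.get(user)
        if mapped is None:
            return {"mode": "mapped", "engine_user": None, "reason": "no credential mapping"}
        os_user, os_password = mapped
        ok = self.os_registry.authenticate(os_user, os_password)
        return {"mode": "mapped", "engine_user": os_user if ok else None}


def login(is_registry: Registry, engine: EngineTier, user: str, password: str) -> dict:
    """Information Server authenticates first; only then is the engine consulted."""
    if not is_registry.authenticate(user, password):
        return {"is_ok": False, "mode": None, "engine_user": None}
    result = engine.authenticate(is_registry, user, password)
    return {"is_ok": True, **result}


# Constructed sample data (not real accounts).
LDAP = Registry("ldap", {"alice": _digest("s3cret")}, {"dstage": {"alice"}})
INTERNAL = Registry("internal", {"bob": _digest("pa55"), "carol": _digest("x")}, {})
ENGINE_OS = Registry("os", {"bob_os": _digest("os-pw")}, {"dstage": {"bob_os"}})

# Scenario 1: engine and Information Server share the same LDAP registry.
shared_engine = EngineTier(os_registry=LDAP)
# Scenario 2: Information Server uses the internal registry, so mapping is mandatory.
mapped_engine = EngineTier(os_registry=ENGINE_OS, credential_map={"bob": ("bob_os", "os-pw")})

if __name__ == "__main__":
    print(login(LDAP, shared_engine, "alice", "s3cret"))     # shared, engine_user alice
    print(login(INTERNAL, mapped_engine, "bob", "pa55"))     # mapped, engine_user bob_os
    print(login(INTERNAL, mapped_engine, "carol", "x"))      # mapped, no mapping -> None
    print(login(LDAP, shared_engine, "alice", "wrong"))      # is_ok False
```

The check that matters operationally is the third case: a user who exists in the Information Server registry but has no mapping can log in to Information Server yet cannot reach the engine, which is exactly the symptom to look for when a shared registry is not in effect.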

The following figure shows a configuration in which the engine tier and services tier are installed on the same computer. They both share the local operating system user registry. Specifically, the InfoSphere Information Server engine is configured to use the local operating system user registry. InfoSphere Information Server is configured to use the WebSphere Application Server user registry and then access the same operating system user registry.

Figure 1. Example of architecture that uses a shared local operating system user registry
This figure is described in surrounding text.

The following figure shows a configuration in which the engine tier and services tier are installed on separate UNIX computers. They both share a common LDAP user registry. Specifically, the InfoSphere Information Server engine is configured to use the LDAP user registry. InfoSphere Information Server is configured to use the WebSphere Application Server user registry and then access the LDAP user registry. To provide the interface between the engine and the LDAP user registry, Pluggable Authentication Module (PAM) is configured on the engine tier computer.

Figure 2. Example of architecture that uses a shared LDAP user registry
This figure is described in surrounding text.

Windows: After you share the user registry, you must still grant the engine tier operating system users the required permissions. See Permissions and groups configuration.