User registry considerations

Choose your user registry configuration based on the scale of your installation and the experience of your administrators.

The supported user registry configurations differ in the following areas:
  • Ease of installation and setup.
  • Ease of maintenance of users and groups, and the level of authentication required.
  • The number of sets of credentials that you must maintain.
  • How the credentials are stored.
  • Feature support.
  • Engine security considerations. The IBM® InfoSphere® Information Server engine performs user authentication separately from other InfoSphere Information Server components. Depending on your topology and the user registry that you choose, you might have to map credentials between the InfoSphere Information Server user registry and the local operating system user registry on the computer where the engine is installed.
Internal user registry: Least complex, suitable for small-scale installations
Consider the following information when determining whether to use the internal user registry:
  • The internal user registry is set up by the installation program. InfoSphere Information Server is configured to use this user registry by default.
  • To manage users and groups, you use the InfoSphere Information Server console or Web console. With other user registry configurations, you must have administrative access to the user registry.
  • Because the internal user registry is separate from other user registries, it requires you to maintain, for each InfoSphere Information Server user, an independent set of credentials that is unrelated to any other user registry maintained for other business applications.
  • User credentials are stored in the InfoSphere Information Server metadata repository database. User credential information is one-way encrypted in the database.
  • The internal user registry has no support for password policies, length, or expiration dates.
  • The InfoSphere Information Server engine cannot use the internal user registry for authentication. The installation program maps the initial engine administration operating system user (default is dsadm) to the InfoSphere Information Server administrator user (default is isadmin). If you want to create other engine users, you must map credentials between the users in the InfoSphere Information Server internal user registry and users in the operating system's user registry on the computer where the engine is installed. If the user names or passwords are changed in the operating system's user registry, an administrator must update the mapping.
  • The mapped user credentials are also stored in the InfoSphere Information Server metadata repository database. User credential information is strongly encrypted in the database.
  • The internal user registry is not considered an enterprise-level user registry. For example, it has no password policies or account lockout capabilities, and a run of AppScan would report that the application does not limit the number of failed login attempts, flagging it as a medium-severity issue. If this is a concern, an LDAP user registry is recommended.
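The two properties singled out above, credentials stored with one-way encryption but no limit on failed login attempts, can be seen side by side in a small model registry. The following is an added, constructed example, not IBM's implementation and not InfoSphere Information Server code: the class name, the salted PBKDF2 storage format, the threshold of five attempts and the 15-minute lockout window are all assumptions chosen for illustration. With `lockout=False` the model behaves as the text describes the internal registry (stored digests cannot be reversed, but guessing is never throttled); with `lockout=True` it adds the account lockout that the text says an enterprise registry such as LDAP provides.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy values for the model; the real product exposes no such settings.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way transform of a password: salted PBKDF2-HMAC-SHA256.

    Only the (salt, digest) pair is stored; the password cannot be recovered from it.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class ModelRegistry:
    """Constructed stand-in for an application-internal user registry."""

    def __init__(self, lockout: bool, clock: Callable[[], float] = time.monotonic) -> None:
        self._accounts: Dict[str, Account] = {}
        self._lockout = lockout
        self._clock = clock  # injectable so lockout expiry can be tested deterministically

    def add_user(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[name] = Account(salt, digest)

    def authenticate(self, name: str, password: str) -> str:
        """Return 'ok', 'failed' or 'locked'."""
        acct = self._accounts.get(name)
        if acct is None:
            hash_password(password, _DUMMY_SALT)  # equalize timing for unknown names
            return "failed"
        now = self._clock()
        if self._lockout and acct.locked_until > now:
            return "locked"  # correct password is rejected while the lock is in force
        if acct.locked_until and acct.locked_until <= now:
            acct.failed_attempts = 0  # lock expired: start a fresh attempt window
            acct.locked_until = 0.0
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self._lockout and acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"


def simulate(lockout: bool) -> List[str]:
    """Five wrong passwords followed by the correct one, against a constructed account."""
    registry = ModelRegistry(lockout=lockout, clock=lambda: 1000.0)
    registry.add_user("isadmin", "constructed-sample-password")
    results = [registry.authenticate("isadmin", "wrong-guess-%d" % i) for i in range(5)]
    results.append(registry.authenticate("isadmin", "constructed-sample-password"))
    return results


if __name__ == "__main__":
    print("no lockout :", simulate(lockout=False))
    print("lockout    :", simulate(lockout=True))
```

Without lockout, the sixth attempt with the correct password succeeds no matter how many wrong guesses preceded it, which is exactly the behaviour a scanner reports as "does not limit failed login attempts"; the one-way storage protects the digests at rest but does nothing against online guessing. With lockout, the fifth wrong guess locks the account and even the correct password is refused until the window expires.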
Local operating system user registry: Suitable for small and self-contained installations, if the internal user registry is unsuitable
Consider the following information when determining whether to use a local operating system user registry:
  • If you plan to create a WebSphere® Application Server cluster for scalability or high-availability, you cannot use a local operating system user registry configuration because it is not supported.
  • If you plan to use IBM WebSphere Application Server Liberty Profile, you cannot use a local operating system user registry configuration because it is not supported.
  • Windows: You might experience major performance issues if you use a local operating system user registry configuration on a Microsoft Windows computer when the computer is registered in a Windows domain.
  • To use a local operating system user registry configuration, you must perform additional configuration steps after software installation is complete.
  • To manage users and groups, you use standard operating system utilities. For this reason, you must have administrative access.
  • Unlike the internal user registry configuration, with this configuration you can maintain a single set of credentials for each user.
  • The local operating system user registry has support for features such as password policies, length, and expiration dates.
  • Linux, UNIX: IBM WebSphere Application Server must be run as root, because the application server authenticates passwords.
  • If the services tier and engine tier are installed on the same computer, you can configure both InfoSphere Information Server and the engine to share the local operating system user registry. In this case, credential mapping is not required. If the services tier and engine tier are installed on separate computers, you must map credentials between the InfoSphere Information Server user registry and the local operating system user registry on the computer where the engine is installed.
Lightweight Directory Access Protocol (LDAP) user registry: More complex, but the most powerful
Consider the following information when determining whether to use an LDAP user registry:
  • To use an LDAP user registry configuration, you must perform additional configuration steps after the software installation is complete.
  • Setup and administration of an LDAP user registry is more technically complex than with the other user registry configurations.
  • An LDAP user registry has better performance than the other user registry configurations, and is more scalable.
  • Unlike the internal user registry configuration, with this configuration you can maintain a single set of credentials for each user.
  • An LDAP user registry has support for features such as password policies, length, and expiration dates.
  • To manage users and groups, you use utilities that are specific to the LDAP server. You must have LDAP server administrative access.
  • You can configure both InfoSphere Information Server and the engine to use the LDAP user registry. In this case, credential mapping is not required. However, in IBM AIX®, HP-UX, and Linux® installations, you must configure Pluggable Authentication Module (PAM) support on the engine tier computer.