External user registry for authentication
You can choose to use an external user registry instead of the default custom registry.
IBM Verify Identity Governance provides a default custom registry. You do not have to use this registry for authentication. You can choose to use an external registry. You can use an existing registry or configure a new one.
The IBM Verify Identity Governance installation program prompts you whether you want to use the custom registry.
- If you use the custom registry, the IBM Verify Identity Governance installation program programmatically creates a security domain, enables application security, and configures it to the IBM Verify Identity Governance custom registry.
- If you use an external registry, you must manually configure application security.
To use an external user registry, you must complete specific configuration tasks.
The tasks are specific to either Configuration of a new installation, Reconfiguration of an existing installation, or Upgrade from a previous version.

Configuration of a new installation
The IBM Verify Identity Governance documentation describes how to configure an external user registry for a new installation.
- Before you install IBM Verify Identity Governance, you must configure the existing external user registry. You must also configure a WebSphere® security domain, unless you previously configured one for WebSphere Liberty with the user registry, or you previously configured WebSphere Liberty global security.
  See the installation and configuration instructions in Preinstall configuration for authentication with an external user registry.
  Note: If you do not have an existing user registry, you must create and configure one. See User registry configuration for external user registry.
- During the IBM Verify Identity Governance installation, you must choose not to use the custom registry. See the instructions that fit your deployment:
- After installing IBM Verify Identity Governance, complete the instructions in Postinstall configuration of an external user registry for authentication.
  Note: To complete the configuration for external user registry, you must modify the value for the WebSphere account repository attribute on the Service Information page for the ITIM Service. Be sure to complete the instructions in Configuring the WebSphere account repository setting.

Reconfiguration of an existing installation
If you installed IBM® Security Identity Manager to use the default custom registry and want to switch to an external user registry, you must reconfigure middleware to support authentication with an external user registry. You must add required users to the external user registry and reconfigure the WebSphere security domain.
Follow the instructions in Reconfiguration for authentication with an external user registry.

Upgrade from a previous version
If you upgrade IBM Verify Identity Governance from a previous release, and want to use an external user registry, you must add the new attribute errepositoryservice to the ITIM Service form.
Be sure to follow the upgrade instructions in Processes and settings that are not preserved, or require manual upgrade.

External user registry example deployment
- Example installation of IBM Security Identity Manager with an external LDAP user registry
  An example configuration, including screen captures of middleware configuration.
- Example reconfiguration of IBM Security Identity Manager to use an external LDAP user registry
  An example reconfiguration, including screen captures of middleware configuration.
- Configuring and using IBM Security Identity Manager with an external user registry
  Configuration tips for best practice.