Configuring a user registry

In this topic you can find information about how to configure a user registry.

By default, the dynamic domain manager, the Dynamic Workload Console, and the master domain manager are configured to use a local file-based user repository. For more information about supported authentication mechanisms, see Available configurations.

You can implement an OpenID Connect (OIDC) user registry, a Lightweight Directory Access Protocol (LDAP) user registry, or a basic user registry by configuring the sample authentication templates provided in XML format. You can further customize the templates by adding additional elements to the XML files. For a full list of the elements that you can configure to complement or modify the configuration, see the related WebSphere Application Server Liberty Base documentation, for example LDAP User Registry (ldapRegistry).

To configure an OIDC user registry, see Configuring an OIDC user registry .

To configure an LDAP user registry, for example as Active Directory, see Configuring an LDAP user registry.

To configure a basic user registry, see Configuring a basic user registry.

Configuring an OIDC user registry

You can implement an OIDC user registry by configuring the sample authentication template provided in XML format: openid_connect.xml.

To configure an OIDC user registry, complete the following steps:
  1. Copy the following template to a working directory:
    

<server>
    <featureManager>
        <feature>openidConnectClient-1.0</feature>
    </featureManager>

    <authFilter id="restFilterOpenID">
        <requestUrl id="restUrl" urlPattern="jwt/ibm/api|/dwc/rest/roles|/dwc/
ServiceDispatcherServlet?ServiceName=PrefExport|/metrics" matchType="notContain"/>
    </authFilter>

    <openidConnectClient id="keycloak"
        clientId="wa-service"
        clientSecret="put_oidc_secret_here"
        httpsRequired="true"
        userIdentifier="preferred_username"
        signatureAlgorithm="RS256"
        scope="openid"
        authFilterRef="restFilterOpenID"
        inboundPropagation="supported"
        groupIdentifier="groups"
        accessTokenAttributeName="groups"
        groupNameAttribute="groups"
        hostNameVerificationEnabled="false"
        realmName = "your_realm_name"
        redirectToRPHostAndPort="https://dwc_ingress_hostname"
        discoveryEndpointUrl="https://oidc ingress hostname/realms/wa
                    /.well-known/openid-configuration">
    </openidConnectClient>
</server>
  2. Edit the template file in the working folder with the desired configuration by adding users and groups as necessary.
  3. Optionally, create a backup copy of the configuration file in the overrides folder, if already present.
  4. Copy the updated template file to the overrides folder.
  5. To upload the certificates of the OIDC provider, browse to <DWC_home>/java/jre/bin and run the following command:
    keytool -importcert -file ingress-cert.pem -keystore <DWC_home>/usr/servers/dwcServer/resources/security/TWSServerTrustFile.p12 -alias ingress-cert -storepass <password_keystore>
    where
    ingress-cert.pem
    The certificates file to be imported into the Dynamic Workload Console.
    ingress-cert
    The alias defined during the import of the certificate.
  6. On Keycloak, ensure you define the group with the same name present in the OpenID file.
Note: If one or more messages similar to the following are displayed, perform the steps listed below.
CWPKI0819I: The default keystore is not created because a password is not configured on the 
<keyStore id="defaultKeyStore"/> element, and the 'keystore_password' environment variable is not set. 
CWOAU0073E: An authentication error occurred. Try closing the web browser and authenticating again, 
or contact the site administrator if the problem persists.
  1. On the workstation where the Dynamic Workload Console is installed, browse to the server.xml file located in <dwc_installation_directory>/usr/servers/dwcServer.
  2. Open the file with a text editor and change the value of the sameSiteCookie parameter from Strict to lax.
  3. Optionally, trust the Dynamic Workload Console certificate with the keycloak certificate.

Configuring an LDAP user registry

You can implement an LDAP based user repository by configuring the following sample authentication templates provided in XML format. The following are the supported authentication methods and the corresponding sample template that can be configured to replace the configuration file currently in use:
  • OpenLDAP: auth_OpenLDAP_config.xml
  • IBM® Directory Server: auth_IDS_config.xml
  • Windows Server Active Directory: auth_AD_config.xml

To configure a common authentication provider for both the IBM® Workload Scheduler and the Dynamic Workload Console, complete the following steps:

  1. Assign a role to your authentication provider user or group.
    1. Log in to the Dynamic Workload Console as administrator and access the Manage Roles page.
    2. Add a new Entity of type Group to the role you want to assign to your authentication provider user or group and click Save.
  2. Update the authentication configuration template file with the details about your authentication provider server.
    1. Copy the template file to a working directory. The templates are located in the following path:
      Dynamic Workload Console
      DWC_DATA_dir/usr/servers/dwcServer/configDropins/templates/authentication
      master domain manager
      TWA_DATA_DIR/usr/servers/engineServer/configDropins/templates/authentication
      Dynamic Workload Console
      DWC_home\usr\servers\dwcServer\configDropins\templates\authentication
      master domain manager
      TWA_home\usr\servers\engineServer\configDropins\templates\authentication
    2. Edit the template file in the working directory with the desired configuration.
    3. Optionally, create a backup copy of the configuration file in a different directory, if the file is already present. To avoid conflicts, ensure the backup copy is in a directory different from the following directories: configDropins/templates and configDropins/overrides.
    4. Copy the updated template file to the overrides directory.
    5. The overrides directory is located in the following path:
      Dynamic Workload Console
      DWC_DATA_dir/usr/servers/dwcServer/configDropins/overrides
      master domain manager
      TWA_DATA_DIR/usr/servers/engineServer/configDropins/overrides
      Dynamic Workload Console
      DWC_home\usr\servers\dwcServer\configDropins\overrides
      master domain manager
      TWA_home\usr\servers\engineServer\configDropins\overrides
    6. Stop and restart WebSphere Application Server Liberty Base using the stopappserver and startappserver commands located in TWA_home/appservertools.

    For more information about configuring an LDAP registry, see the WebSphere Application Server Liberty Base documentation, for example: Configuring LDAP user registries in Liberty and Federation of user registries.

Configuring a basic user registry

You might want to use a basic user registry by defining the users and groups information for authentication on WebSphere Application Server Liberty Base, even though this type of authentication is not recommended. This type of authentication cannot be used for production, but only for test purposes.

To configure basic user registry, complete the following steps:

  1. Copy the auth_basicRegistry_config.xml template from the templates folder to a working folder.
  2. Edit the template file in the working folder with the desired configuration by adding users and groups as necessary.
    To add a user, add an entry similar to the following in the basicRegistry section:
    <user name="nonadminuser" password="{xor}Ozo5PiozKw=="/>
    To add a group, add an entry similar to the following in the basicRegistry section:
    <group name="TWSUsers">
        <member name="nonadminuser"/>
        </group>
  3. Store the password in xor, aes, or hash formats using the WebSphere Application Server Liberty Base securityUtility command, as described in securityUtility command.
    This utility requires the JAVA_HOME environment variable to be set. If you do not have Java installed, you can optionally use the Java version provided with the product and available in:
    IBM Workload Scheduler
    <INST_DIR>/TWS/JavaExt/jre/jre
    Dynamic Workload Console
    <DWC_INST_DIR>/java/jre/bin
  4. Create a backup copy of the configuration file in the overrides folder, if already present.
  5. Copy the updated template file to the overrides folder. Maintaining the original folder structure is not required.