How to configure a basic user registry

Configure a IBM® z/OS® Connect server to use a basic registry, with a predefined set of users and groups.

Before you begin

zosConnect-2.0 Applies to zosConnect-2.0.

You should be familiar with
- API provider authentication and identification when z/OS Connect is acting as an API provider.
- API requester authentication and identification when z/OS Connect is acting as an API requester.
You need to know the users and groups to be defined.
You must have write access to the server.xml configuration file.

About this task

Configure a basic user registry that defines a set of users and groups directly into the server.xml configuration file, which is used for authentication and authorization. This configuration is typically used in a development environment.

The user IDs are "gjones", "mlee", and "rkumar" and the groups are "administrators" and "students". The user "gjones" is a member of the "administrators" group and users "mlee" and "rkumar" are members of the "students" group.

Procedure

Add the basicRegistry element to the server.xml configuration file.

Add user and group subelements to define each of your users and groups.

<basicRegistry id="basic" realm="customRealm">
    <user name="gjones" password="mypassword1" />
    <user name="mlee" password="mypassword2" />
    <user name="rkumar" password="mypassword3" />
    <group name="administrators">
        <member name="gjones" />
    </group>
    <group name="students">
        <member name="mlee" />
        <member name="rkumar" />
    </group>
</basicRegistry>

For more information about basicRegistrty, see A launch icon to indicate a link opens a new tab or window.

Server configuration section in the WebSphere Application Server Liberty documentation.

Be aware of the following considerations when you use this code sample:

You must use unique names for your users and groups.
Remove all leading and trailing spaces from the user and group names.
If the user name or password contains characters other than US-ASCII, make sure that the file is saved by using UTF-8 character encoding.
You can use the WebSphere® Liberty profile securityUtility encode command to encode the password for each user. The securityUtility command-line tool is available in the <installation_path>/wlp/bin directory. When you run the securityUtility encode command, you either supply the password to encode as an input from the command line or, if no arguments are specified, the tool prompts you for the password. The tool returns the encoded value. Copy the encoded value and use it for the password attribute value. An example is shown on the entry for user "gjones" above.
For example, to encode the password openSesame, run the following command:
securityUtility encode openSesame

For more information, see securityUtility command in the WebSphere Application Server Liberty documentation.

Results

The pre-defined set of users and groups are now defined in the user registry. After the server configuration is updated, or the server is started, this user registry will be available for use.