Configuring a user registry
In this topic you can find information about how to configure a user registry.
About this task
By default, the Dynamic Workload Console is configured to use a local file-based user repository. For information about supported authentication mechanisms in WebSphere Application Server Liberty see the section about authenticating users in WebSphere Application Server Liberty documentation.
You can implement an OpenID Connect (OIDC) user registry, a Lightweight Directory Access Protocol (LDAP) user registry, or a basic user registry, by configuring the sample authentication templates provided in XML format. You can further customize the templates by adding additional elements to the XML files. For a full list of the elements that you can configure to complement or modify the configuration, see the related WebSphere Application Server Liberty documentation.
To configure an OIDC user registry, see Configuring an OIDC user registry .
To configure an LDAP user registry, for example as Active Directory, see Configuring an LDAP user registry.
To configure a basic user registry, see Configuring a basic user registry .
Configuring an OIDC user registry
About this task
You can implement an OIDC user registry by configuring the sample authentication template provided in XML format: openid_connect.xml.
To configure an OIDC user registry, enter the required values into the waconsole section of the values.yaml file, according to your OIDC provider. You can find an example below:
<server>
<featureManager>
<feature>openidConnectClient-1.0</feature>
</featureManager>
<authFilter id="restFilterOpenID">
<requestUrl id="restUrl" urlPattern="jwt/ibm/api|/dwc/rest/roles|/dwc/ServiceDispatcherServlet?ServiceName=PrefExport|/metrics" matchType="notContain"/>
</authFilter>
<openidConnectClient id="keycloak"
clientId: uno-service
clientSecret: put_oidc_secret_here
httpsRequired: true
userIdentifier: preferred_username
signatureAlgorithm: RS256
scope: openid
authFilterRef: restFilterOpenID
inboundPropagation: supported
groupIdentifier: groups
redirectToRPHostAndPort: https://dwc_ingress_hostname
discoveryEndpointUrl: https://<oidc ingress hostname>/realms/uno/.well-known/openid-configuration>
</openidConnectClient>
</server>
Configuring an LDAP user registry
About this task
- OpenLDAP: auth_OpenLDAP_config.xml
- IBM® Directory Server: auth_IDS_config.xml
- Windows Server Active Directory: auth_AD_config.xml
To configure a common authentication provider user registry, complete the following steps:
Procedure
-
Assign a role to your authentication provider user or group.
- Log in to the Dynamic Workload Console as administrator and access the Manage Roles page.
- Add a new Entity of type Group to the role you want to assign to your authentication provider user or group and click Save.
-
Update the authentication configuration template file with the details
about your authentication provider server.
Configuring a basic user registry
About this task
You might want to use a basic user registry by defining the users and groups information for authentication on WebSphere Application Server Liberty, even though this type of authentication is not recommended. This type of authentication cannot be used for production, but only for test purposes.
To configure basic user registry, complete the following steps:
Procedure
- Copy the auth_basicRegistry_config.xml template from the templates folder to a working folder.
-
Edit the template file in the working folder with the desired configuration
by adding users and groups as necessary.
To add a user, add an entry similar to the following in the basicRegistry section:
<user name="nonadminuser" password="{xor}Ozo5PiozKw=="/>
To add a group, add an entry similar to the following in the basicRegistry section:<group name="TWSUsers"> <member name="nonadminuser"/> </group>
- Store the password in xor format using the WebSphere Application Server Liberty securityUtility command, as described in WebSphere Application Server Liberty documentation.
- Create a backup copy of the configuration file in the overrides folder, if already present.
- Copy the updated template file to the overrides folder. Maintaining the original folder structure is not required.