Configuring access to WebSphere Service Registry and Repository

Source: Internet
Author: User
Tags ldap pack websphere application server

Configure access to the WebSphere Service Registry and Repository for users and groups defined in the LDAP user registry

Brief introduction

JKHL Enterprises (hereinafter referred to as Jkhle) is a fictitious company that wants to use its own external LDAP user registry to control access to IBM WebSphere Service Registry and Repository (hereinafter referred to as WSRR). Jkhle uses the WebSphere Application Server chain repository option with security enabled. It also uses the WSRR Governance Enablement Profile (hereinafter referred to as GEP). Jkhle's 6 goals for this project are listed below, and their solutions are described in sections 1-6:

Identify and define groups in LDAP that will have access to WSRR.

Prevent WSRR users from managing WebSphere Application Server.

Enable users to access WSRR even if LDAP is not available.

Restrict WSRR Web UI access to the WSRR group.

Restrict Business Space access to the WSRR group, allowing only users with the Business Space superuser role to create a room and update the Business widget in WSRR.

Block users who can run the WSRR client that Jkhle developed with the EJB API from logging on to Business Space and the WSRR Web UI.

Jkhle runtime environment

WSRR V8.0 in a stand-alone configuration, using DB2 V9.7 Enterprise Server Edition with Fix Pack 4

WebSphere Application Server V8.0 with Fix Pack 3

IBM Tivoli Directory Server LDAP

Although Jkhle uses WSRR V8.0, the steps in this article apply to both WSRR V7.5 and V8.0.

1. Identify and define groups in LDAP that will have access to WSRR

The best way to manage security using LDAP is to use groups. For example, a good way to grant WSRR administrative access is to add a predefined user group from the external LDAP user registry to WSRR. Then, when changes are required, the LDAP administrator can simply add users to or remove users from the groups that exist in LDAP. This ensures that security maintenance performed within LDAP does not require any additional work in WSRR or WebSphere Application Server.

Therefore, the first step is to identify the LDAP groups to use for WSRR from the Jkhle requirements listed above. Jkhle uses GEP; in WSRR, an active GEP defines 6 roles:

Business

Development

Operations

Soagovernance

Wsrruser

Wsrradmin

WSRR Business Space defines a superuser role with administrative privileges. Jkhle wants to limit the Business Space superuser role to a handful of selected users, so it defines an LDAP group called Wsrrbusinessspacesuperusers for this purpose.

Jkhle also wants to prevent users who are able to run the WSRR client that it created using the EJB API from logging on to Business Space and the WSRR Web UI. The role associated with this activity is called Wsrrbatchuser. The WSRR group that corresponds to this role is defined in LDAP.

The roles identified above relate to specific activities in WSRR. Therefore, each role should have a corresponding group in LDAP, and each of these LDAP groups will be assigned to the appropriate role in WSRR to match the activities its members will perform. Table 1 shows the WSRR groups that Jkhle defined in LDAP:

At the end of the first section, Jkhle has identified and defined the WSRR groups in LDAP.
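Once the groups exist, their membership can be checked against the goals above. The following is an added example, not code from the original article: it audits a constructed LDIF export and reports role groups that are missing from LDAP and Wsrrbatchuser members who also belong to a group that grants interactive access. It assumes each group's cn equals the role name (the article's Table 1 is not available here), that groups use the `member` attribute, and that all DNs shown are made up.

```python
import re
from collections import defaultdict

# Roles named in the article; using each role name as the group cn is an assumption.
UI_ROLES = {"Business", "Development", "Operations", "Soagovernance",
            "Wsrruser", "Wsrradmin", "Wsrrbusinessspacesuperusers"}
BATCH_ROLE = "Wsrrbatchuser"

# Constructed sample export; the DNs and users are hypothetical.
SAMPLE_LDIF = """\
dn: cn=Wsrradmin,ou=groups,dc=example,dc=com
cn: Wsrradmin
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=Wsrruser,ou=groups,dc=example,dc=com
cn: Wsrruser
member: uid=bob,ou=people,dc=example,dc=com
member: uid=svc-batch,ou=people,dc=example,dc=com

dn: cn=Wsrrbatchuser,ou=groups,dc=example,dc=com
cn: Wsrrbatchuser
member: uid=svc-batch,ou=people,dc=example,dc=com
member: uid=svc-load,ou=people,dc=example,dc=com
"""

def parse_groups(ldif):
    """Return {group cn: set of member DNs} from simple, unfolded LDIF."""
    groups = defaultdict(set)
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = defaultdict(list)
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()].append(value.strip())
        for cn in attrs["cn"]:
            groups[cn] |= {m.lower() for m in attrs["member"]}
    return dict(groups)

def audit(groups):
    """Report groups missing from LDAP and batch members that also hold a UI role."""
    missing = sorted((UI_ROLES | {BATCH_ROLE}) - groups.keys())
    batch = groups.get(BATCH_ROLE, set())
    overlap = {cn: sorted(batch & members)
               for cn, members in groups.items()
               if cn in UI_ROLES and batch & members}
    return missing, overlap

if __name__ == "__main__":
    print(audit(parse_groups(SAMPLE_LDIF)))
```

The parser does not handle folded lines or base64-encoded (`::`) values, so run it on exports where member DNs are plain ASCII.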
