Add the Login Module

Procedure

  1. Navigate to Security > Global security;
  2. Expand Java Authentication and Authorization Service entry in the Authentication section and select System logins;
  3. Select the relevant Alias from the list. The login module should be configured for the DEFAULT, WEB_INBOUND and RMI_INBOUND aliases;
  4. Click New to configure a new Login Module;
  5. Set the Module class name field to be curam.util.security.CuramLoginModule;
  6. Check the Use login module proxy option;
  7. Select REQUIRED in the Authentication strategy field;
  8. In the Custom properties table, enter the Name/Value pairs for the required properties listed below, clicking New for each entry.
    Table 1. CuramLoginModule Custom Properties

    exclude_usernames
      Example value: websphere, db2admin
      Required. A list of usernames to be excluded from authentication. The default delimiter is a comma, but it may be overridden by exclude_usernames_delimiter. This list should include the WebSphere administration users and the database user. Any users listed here should be defined in the WebSphere Application Server user registry.

    exclude_usernames_delimiter
      Example value: |
      Optional. A delimiter for the list of usernames provided in exclude_usernames. A delimiter other than the default comma is useful when usernames have embedded commas, as LDAP usernames do.

    login_trace
      Example value: true
      Optional. Set this property to true to debug the authentication process. If set to true, each invocation of the login module adds tracing information to the WebSphere Application Server SystemOut.log file.

    module_name
      Example value: DEFAULT, WEB_INBOUND or RMI_INBOUND
      Optional. Set this property to one of DEFAULT, WEB_INBOUND or RMI_INBOUND, matching the alias the login module is being defined for. It is used only for tracing purposes when login_trace is set to true.

    check_identity_only
      Example value: true
      Optional. If this property is set to true, the login module does not perform the usual authentication verifications. Instead it simply ensures that the user exists in the database table. In this case the configured WebSphere Application Server user registry is not bypassed and is queried after the login module. This option is intended for deployments where LDAP support is required or an alternative authentication mechanism is to be used.

      Note: If you are specifying identity only and using LDAP, you may need to perform additional configuration steps; please see Special Configuration Steps When Using Identity Only and LDAP.

    user_registry_enabled
      Example value: true
      Optional. This property overrides the default behavior of bypassing the user registry. If it is set to true, the WebSphere Application Server user registry is queried during the authentication process. If it is set to false, the WebSphere Application Server user registry is not queried.

    user_registry_enabled_types
      Example value: EXTERNAL
      Optional. A comma-delimited list of external user types that will be processed against the WebSphere Application Server user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server user registry.

    user_registry_disabled_types
      Example value: EXTGEN,EXTAUTO
      Optional. A comma-delimited list of external user types that will not be processed against the WebSphere Application Server user registry (e.g. LDAP). See WebSphere Application Server User Registry for more information on the processing of the WebSphere Application Server user registry.

  9. Click OK to confirm the addition of the new login module;
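The property rules in Table 1 are easy to get wrong in the console, in particular the exclude_usernames list when LDAP users (whose names contain commas) are excluded with the default delimiter. The following added example, which is not Curam or WebSphere code, lints a Name/Value property set against those rules before it is saved; how it splits exclude_usernames is an assumption about the module's behaviour, and the sample property sets are constructed.

```python
"""Lint a CuramLoginModule custom-property set before it is saved in WebSphere.
Added example, not Curam or WebSphere code: it encodes the Table 1 rules and models the
exclude_usernames/exclude_usernames_delimiter split (an assumption about the module).
"""

VALID_MODULE_NAMES = {"DEFAULT", "WEB_INBOUND", "RMI_INBOUND"}


def excluded_usernames(props):
    """Split exclude_usernames on exclude_usernames_delimiter (default: comma)."""
    delimiter = props.get("exclude_usernames_delimiter", ",")
    return [n.strip() for n in props.get("exclude_usernames", "").split(delimiter) if n.strip()]


def _user_types(props, key):
    """Comma-delimited user_registry_*_types value as a set of type names."""
    return {t.strip() for t in props.get(key, "").split(",") if t.strip()}


def lint_properties(props):
    """Return the problems found in a Name/Value property dict; an empty list means OK."""
    problems = []
    if not props.get("exclude_usernames"):
        problems.append("exclude_usernames is required (WebSphere admin and DB users)")
    # LDAP users are DNs with embedded commas; the default delimiter shreds them.
    if props.get("exclude_usernames_delimiter", ",") == "," and any(
            "=" in n for n in excluded_usernames(props)):
        problems.append("LDAP-style names split on comma; set exclude_usernames_delimiter")
    module_name = props.get("module_name")
    if module_name and module_name not in VALID_MODULE_NAMES:
        problems.append(f"module_name must be one of {sorted(VALID_MODULE_NAMES)}")
    if module_name and props.get("login_trace", "false").lower() != "true":
        problems.append("module_name is only used when login_trace is true")
    overlap = (_user_types(props, "user_registry_enabled_types")
               & _user_types(props, "user_registry_disabled_types"))
    if overlap:
        problems.append(f"user types both enabled and disabled: {sorted(overlap)}")
    return problems


# Constructed sample: with the default comma delimiter an LDAP DN is cut into fragments.
BROKEN = {"exclude_usernames": "cn=wasadmin,ou=users,dc=example,dc=com,db2admin",
          "login_trace": "true", "module_name": "WEB_INBOUND"}
# Corrected: the pipe delimiter from Table 1 keeps the DN as one username.
FIXED = dict(BROKEN, exclude_usernames_delimiter="|",
             exclude_usernames="cn=wasadmin,ou=users,dc=example,dc=com|db2admin")

if __name__ == "__main__":
    for label, props in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, excluded_usernames(props), lint_properties(props) or "OK")
```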