Yes it does, but it now creates a problem for me to solve!
In a different post, I asked how I can restore admin's password if I lose it. You told me it is not possible, unless there is an additional user with the same privileges as admin's.
How is this possible, since I cannot create any additional user in /etc/passwd?
From your answer, you also referred to AAC. I'm just wondering if AAC is just another application running on the same instance as LMI, or are they running in different application servers instances?
How about the Policy Server? What is it really, a web application also running on an Application Server instance?
How about padmin, is it like wsadmin for WAS, but with different CLI API?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------
Original Message:
Sent: Mon September 28, 2020 03:03 AM
From: Jon Harry
Subject: How many registries does ISAM have
Hi Joao,
I think you've identified the 4 account stores in Verify Access. 3 of these are "internal" and are storing management and connection-validation passwords.
Your description of /etc/passwd is accurate. Your description of System "Account Management" is accurate too.
The Fed/AAC User Registry is the Liberty user registry for the Runtime Liberty instance - where AAC and Federation code runs. This is distinct from the Liberty instance that runs the LMI. This registry isn't really used for management - it's mainly used for creating users to be used for connection security for connections to AAC/Fed runtime. Usually I'm only using "easuser" but you could create more users if the need arises. I would agree having an "admin" user in this registry is confusing. It may be that this is just created by default by Liberty. Not sure.
The other registry is the LDAP where your "real" users are stored - this is mostly used by the Policy Server and Reverse Proxy. There are some management users (sec_master) and groups (iv-admin) in here too. As you said, you can federate other LDAPs (and AD) here too.
The only other store of user data is the High Volume Database (sometimes also called Runtime Database). This is where information associated with authentication mechanisms supported by AAC Authentication Service are stored. It's indexed by username.
I hope this helps complete your understanding.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Sun September 27, 2020 05:33 PM
From: Joao Goncalves
Subject: How many registries does ISAM have
I believe there are at least 3 registries (likely 4) that ISAM is using:
- Appliance user, like admin. I believe this is defined in /etc/passwd of the appliance, but since I cannot check this, can someone validate it?
  - Used when we ssh to the appliance
  - Since no one can change /etc/passwd, we cannot create additional users of this type.
- LMI user registry. I believe LMI is based on WebSphere Liberty Profile, and it has its own repository.
  - We can create users in the LMI interface using Manage System Settings -> System Settings -> Account Management
  - We can create new users here and groups with different permissions for ISAM management.
  - I can find the predefined group named isam-tenants.
  - If I change the password of admin in LMI, it affects the password of the appliance user.
  - If I create a new user in this registry, it will not be recognized in the CLI, but it can be used to log in to LMI.
- Local LDAP (or remote)
  - Used by the policy server for authentication and authorization, where we can find sec_master
Something that I don't understand is where Secure Access Control -> Global Settings -> User Registry users are defined. Likely a 4th registry.
  - Here I can find admin and easuser users and the adminGroup group. I can create additional users, but I have no clue where they are defined!
  - If I create a new user, what is it used for?
  - I can't find a way to create new groups, but I can assign users to the adminGroup group.
  - The admin defined here has no relationship with the admin user defined in the appliance, since I changed its password to a new one, and I can still log in to the appliance using the old password!
Of course ISAM can use many other registries, and I can federate them, but that is not what I am looking for.
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------