Set Up Federated Security Wizard: Configure registry

Use this page to select the type of registry for PowerHA® SystemMirror user and group authentication. You can use either a local registry or a Lightweight Directory Access Protocol (LDAP) server registry.

Which registry mode is appropriate for your PowerHA SystemMirror environment?

You can use one of two types of user registry configuration:

Fields

Registry type
Select the type of registry that you want to use for storing user and group authentication information. You can select either of the following registry types:
LDAP
Stores all authentication information and credentials centrally in a directory on an LDAP server.

For this option, you must provide configuration information for the LDAP server and the client on the cluster node. Additionally, you must provide information to establish a connection between the server and the client. The connection that you configure uses a key database and the Secure Sockets Layer (SSL) for secure communication.

Local
Stores all authentication information and credentials in a local directory on a node in the cluster. With this option, PowerHA SystemMirror stores all information and credentials locally on each affected node in the cluster. If you select this option, you do not need to provide any other configuration information for the registry.

LDAP registry fields

New or existing LDAP server
Select whether to use a new LDAP server or an existing LDAP server for federated security:
New
Configures a new peer-to-peer LDAP server in the cluster. To use this option, you must have the required file sets installed. For scalability reasons, a peer-to-peer configuration is limited to a maximum of four nodes.
Existing
Adds one or more existing LDAP servers to the cluster. Alternatively, you can manually specify the host names for the LDAP servers. PowerHA SystemMirror uses the information you provide to update the current configuration on the existing LDAP servers. Before you select this option, ensure that the LDAP servers that you select meet all prerequisite requirements for using them with PowerHA SystemMirror.
LDAP servers or hostnames
Select one or more listed nodes where you want to configure an LDAP server and to which you want to create a connection. Alternatively, you can specify the fully qualified host name of one or more LDAP servers. Use a comma to separate host names for an existing connection.
LDAP admin DN
Specify the LDAP administrator distinguished name (DN) that PowerHA SystemMirror must use to bind to the LDAP server.

The DN that you specify must exist on the LDAP server.

The ability of the LDAP client to perform operations on entries in the LDAP server depends on the access permissions for this binding DN.

For example, you might specify a bind DN, such as cn=admin cn=proxy, o=ibm, cn=user, ou=people, cn=aixdata. The default value is cn=admin.

LDAP admin password
Specify the LDAP administrator password for the LDAP admin DN property by using only alphanumeric characters.

The password you use must match the password on the LDAP server for the specified DN.

DB2 instance password
Specify the DB2® instance password to access the database instance that stores security information for the cluster. The password must consist of only alphanumeric characters.
Suffix/base DN
Specify the suffix or base distinguished name (DN) to search on the LDAP server for users, groups, and other network information entities. This DN is the root for all other DNs that store information in the LDAP directory for the cluster.

The default value is cn=aixdata, o=ibm.

Server port number
Specify the port number to use for communicating with the LDAP server.

The default port number is 636, which is the standard port for SSL communications on LDAP servers.

Encryption seed for key stash files
Specify a minimum of 12 alphanumeric characters to generate key stash files for the LDAP server.
Schema type
Shows the LDAP schema that PowerHA SystemMirror requires to represent user and group entries in the LDAP server.

The default value is rfc2307aix. This value indicates that the LDAP server must be configured to use RFC 2307 and the auxiliary AIX® schema. The LDAP server must have this configuration to provide full AIX attribute support.

LDAP version
Shows the LDAP version number of the specified LDAP server.
Authentication type
Select one of the following methods for authenticating users:
unix_auth
Retrieves the user password from the LDAP server and authenticates the user locally.
ldap_auth
Retrieves the user password and authenticates the user. This option is the default value.
Server SSL
Server key path
Specify the full path to the server SSL key database.
Server key password
Specify the SSL key password for the SSL server.
Client SSL
Client key path
Specify the full path to the client SSL key database.
Client key password
Specify the SSL key password for the SSL client.

If you do not specify a password, a password stash file must exist. This stash file must be in the same path as the SSL key database, and it must have the extension .sth.
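The constraints listed for the LDAP registry fields (DN syntax, alphanumeric-only passwords, the 12-character encryption seed, the port range, and the .sth stash file required when no client key password is given) can be pre-checked before the wizard runs. The following validator is an added example, not part of PowerHA SystemMirror or this page; the field names and the assumption that the stash file shares the key database's base name are mine.

```python
import os
import re
from dataclasses import dataclass

ALNUM = re.compile(r"^[A-Za-z0-9]+$")
# One attr=value relative DN component, e.g. "cn=admin" or "o=ibm".
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def looks_like_dn(dn: str) -> bool:
    """True if every comma-separated component is a single attr=value pair."""
    return all(RDN.match(part.strip()) for part in dn.split(","))


@dataclass
class LdapRegistryConfig:
    # Hypothetical field names mirroring the wizard page; defaults are the documented ones.
    admin_dn: str = "cn=admin"
    admin_password: str = ""
    db2_password: str = ""
    base_dn: str = "cn=aixdata, o=ibm"
    port: int = 636
    stash_seed: str = ""
    client_key_path: str = ""
    client_key_password: str = ""


def validate(cfg: LdapRegistryConfig, path_exists=os.path.exists) -> list:
    """Return the list of rule violations; an empty list means the inputs pass."""
    problems = []
    if not looks_like_dn(cfg.admin_dn):
        problems.append("LDAP admin DN is not a valid DN")
    if not looks_like_dn(cfg.base_dn):
        problems.append("Suffix/base DN is not a valid DN")
    for name, value in (("LDAP admin password", cfg.admin_password),
                        ("DB2 instance password", cfg.db2_password)):
        if not ALNUM.match(value):
            problems.append(f"{name} must be non-empty and alphanumeric only")
    if not 1 <= cfg.port <= 65535:
        problems.append("Server port number is out of range")
    if len(cfg.stash_seed) < 12 or not ALNUM.match(cfg.stash_seed):
        problems.append("Encryption seed must be at least 12 alphanumeric characters")
    if not cfg.client_key_password:
        # Assumption: the stash file sits beside the key database with the same base name.
        stash = os.path.splitext(cfg.client_key_path)[0] + ".sth"
        if not path_exists(stash):
            problems.append(f"No client key password given and stash file {stash} is missing")
    return problems
```

Pass `path_exists` explicitly to check a configuration on a workstation that does not hold the cluster's key database.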

For more information about managing federated security, see the Federated security topic in the AIX Information Center.