Configuring a User Store
An external user store (such as an LDAP or RDBMS) can be used with the Micro Integrator for the following two scenarios:
- When WS-Security is enabled for your integration artifacts, the user store is used to authenticate the credentials of the users invoking those artifacts. See the following resources on how to enable WS-Security for integration artifacts:
- Optionally, you can use the external user store for securing the management API. By default, the management API uses a file-based registry.
Configuring an LDAP user store
An LDAP user store is recommended for the Micro Integrator. Follow the instructions given below.
Step 1: Setting up an LDAP
See the documentation of your LDAP provider for instructions on setting up the LDAP, and for managing users and roles.
Note
The current release of the Micro Integrator does not offer user management functionality. Therefore, you must manage users and roles from your LDAP and then connect it to the Micro Integrator.
Step 2: Connecting to the LDAP
Follow the steps given below to connect the Micro Integrator to the LDAP user store.
Note
The following configuration defines read-only access to the LDAP from the Micro Integrator. The Micro Integrator does not require write access since it will not manage the user data in the LDAP.
- Open the `deployment.toml` file stored in the `<MI_HOME>/conf/` directory.
- Add the following configurations and update the required values.

```toml
[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=system"
```
Note
If you have taken a WUM update after 28/11/2019, you need to add the following configuration under `[user_store]` in addition to the above.

```toml
type = "read_only_ldap"
```
Parameters used above are explained below.

| Parameter | Value |
|---|---|
| `connection_url` | The URL for connecting to the LDAP. If you are connecting over ldaps (secured LDAP), you need to import the certificate of the user store to the truststore (`wso2truststore.jks` by default). See the instructions on how to add certificates to the truststore. |
| `connection_name` | The username used to connect to the user store and perform various operations. This user does not need to be an administrator in the user store. However, the user requires permission to read the user list and user attributes, and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user who has sufficient permissions to perform operations on users and roles in the LDAP. |
| `connection_password` | Password for the connection user name. |
| `user_search_base` | The DN of the context or object under which the user entries are stored in the user store. When the user store searches for users, it starts from this location in the directory. |
See the complete list of parameters you can configure for the LDAP user store.
Configuring an RDBMS user store (Optional)
If you are already using a JDBC user store (database) with another WSO2 product (WSO2 API Manager, WSO2 Identity Server, or an instance of WSO2 Enterprise Integrator 6.x.x), you can connect the same database to the Micro Integrator of WSO2 Enterprise Integrator 7 as explained below.
Warning
You cannot manage users and roles when you use a JDBC user store with the Micro Integrator. Therefore, be sure that your database is already up-to-date before connecting it to the Micro Integrator. Alternatively, you can shift to an LDAP user store.
- Open the `deployment.toml` file (stored in the `<MI_HOME>/conf` directory).
- Add the following datasource configuration and update the values for your database.

```toml
[[datasource]]
id = "WSO2_CARBON_DB"
url = "jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username = "username"
password = "password"
driver = "org.h2.Driver"
```
Parameters used above are explained below.

| Parameter | Value |
|---|---|
| `id` | The name given to the datasource. |
| `url` | The URL for connecting to the database. The type of database is determined by the URL string. |
| `username` | The username used to connect to the user store and perform various operations. This user does not need to be an administrator in the user store. However, the user requires permission to read the user list and user attributes, and to perform search operations on the user store. |
| `password` | Password for the connection user name. |
| `driver` | The driver class specific to the JDBC user store. |

See the complete list of database connection parameters and their descriptions. Also, see the recommendations for tuning the JDBC connection pool.
- Add the JDBC user store manager under the `[user_store]` toml heading as shown below.

```toml
[user_store]
class = "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
```

The datasource configured under the `[[datasource]]` toml heading will now be the effective user store for the Micro Integrator.
Note
If you have taken a WUM update after 28/11/2019, you need to add the following configuration under `[user_store]` in addition to the above.

```toml
type = "database"
```
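Before handing a `deployment.toml` to the server, it is worth checking the `[user_store]` and `[[datasource]]` sections for the points raised in the two procedures above: a `type` key present after the WUM update, `ldaps://` rather than plaintext `ldap://` for the LDAP connection, the JDBC store manager class paired with a configured datasource, and no placeholder or default passwords left in place. The script below is an added example written for this page, not a tool shipped with the Micro Integrator; its minimal TOML parser handles only the flat `key = "string"` subset used in these snippets, and the hardened sample values (`ldap.example.internal`, `uid=mi-reader`) are constructed.

```python
"""Offline sanity check of the [user_store] and [[datasource]] sections of a
Micro Integrator deployment.toml against the points raised on this page.
Hypothetical helper written for this page, not part of the Micro Integrator."""
import re

JDBC_USER_STORE_CLASS = (
    "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
)
# Values that are obviously defaults or placeholders left in from an example.
PLACEHOLDER_SECRETS = {"", "admin", "password", "username", "changeme", "REPLACE_ME"}

# Constructed sample 1: the LDAP snippet as shown on this page
# (no `type`, plaintext ldap://, default bind password).
PAGE_LDAP_TOML = """
[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=system"
"""

# Constructed sample 2: the same store with ldaps, the read_only_ldap type
# and a dedicated read-only bind user (hostname and user are made up).
HARDENED_LDAP_TOML = """
[user_store]
type = "read_only_ldap"
connection_url = "ldaps://ldap.example.internal:10636"
connection_name = "uid=mi-reader,ou=system"
connection_password = "s3cr3t-from-vault"
user_search_base = "ou=system"
"""

# Constructed sample 3: the JDBC store from this page with `type` added.
PAGE_JDBC_TOML = """
[[datasource]]
id = "WSO2_CARBON_DB"
url= "jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000"
username="username"
password="password"
driver="org.h2.Driver"

[user_store]
class = "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
"""


def parse_flat_toml(text):
    """Parse the flat TOML subset used in these snippets: [table] and
    [[array-of-tables]] headers followed by key = "string" lines.
    Returns {table_name: [dict, ...]} so repeated [[datasource]] entries survive."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\[(\w+)\]\]|\[(\w+)\]", line)
        if header:
            current = {}
            tables.setdefault(header.group(1) or header.group(2), []).append(current)
            continue
        kv = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if kv is None or current is None:
            raise ValueError(f"unsupported line for this parser: {raw!r}")
        current[kv.group(1)] = kv.group(2)
    return tables


def lint_user_store(tables):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    stores = tables.get("user_store", [])
    if len(stores) != 1:
        return [f"expected exactly one [user_store] table, found {len(stores)}"]
    store = stores[0]
    store_type = store.get("type")
    if store_type is None:
        findings.append("[user_store] has no 'type' (needed after the 28/11/2019 WUM update)")

    if store_type == "database":
        if store.get("class") != JDBC_USER_STORE_CLASS:
            findings.append('type = "database" needs class = JDBCUserStoreManager under [user_store]')
        datasources = tables.get("datasource", [])
        if not datasources:
            findings.append('type = "database" but no [[datasource]] is configured')
        for ds in datasources:
            if ds.get("password", "") in PLACEHOLDER_SECRETS:
                findings.append(f"datasource {ds.get('id', '<no id>')}: empty or placeholder password")
    else:
        # Anything that is not a database store is treated as the LDAP store.
        url = store.get("connection_url", "")
        if url.startswith("ldap://"):
            findings.append("connection_url is plaintext ldap://; the bind credentials and user data "
                            "cross the network unencrypted (use ldaps:// and import the server "
                            "certificate into the truststore)")
        elif not url.startswith("ldaps://"):
            findings.append(f"connection_url has an unexpected or missing scheme: {url!r}")
        if store.get("connection_password", "") in PLACEHOLDER_SECRETS:
            findings.append("connection_password is empty or a placeholder/default value")
    return findings


if __name__ == "__main__":
    for name, toml in (("page LDAP", PAGE_LDAP_TOML),
                       ("hardened LDAP", HARDENED_LDAP_TOML),
                       ("page JDBC", PAGE_JDBC_TOML)):
        print(f"{name}: {lint_user_store(parse_flat_toml(toml))}")
```

Run against the page's own LDAP snippet the linter reports three findings (missing `type`, plaintext `ldap://`, default bind password); the hardened sample reports none, and the page's JDBC snippet reports only the placeholder datasource password. Extend `PLACEHOLDER_SECRETS` with whatever example values appear in your own templates.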
Disabling lazy loading of user store configurations (Optional)
By default, the Micro Integrator initializes the user store configurations on demand (lazy loading). That is, user store configurations are initialized only when they are engaged for the first time and not when the server starts. This behavior improves the server startup time; however, the first server request that engages the user store configurations will experience a delay due to the initialization.
Tip
Note that only the first server request will experience a delay due to lazy loading. Subsequent server requests received during the server's run time will not be affected.
If you want the user store configurations to be initialized during server start up, you can disable lazy loading of user store configurations as explained below. This delays the server start up; however, the first server request that engages the user store configurations will not experience any delay.
- Open the `carbon.properties` file from the `<MI_HOME>/conf` directory.
- Add the following parameter and save the file:

```properties
mi.security.usermgt.lazy.init=false
```