
Configuring a User Store

A user store is a repository that stores user credentials (user names and passwords). WSO2 Micro Integrator requires user credentials for the following scenarios:

  • Authentication for internal APIs

    Users accessing the management API and related tools (Micro Integrator dashboard/Micro Integrator CLI) for administration tasks should be authenticated.

  • Authentication for integration use cases

    Some integration use cases require authentication by dynamic username token and similar WS-Security options. User authentication is also required for securing REST API artifacts.

  • Authorization for internal APIs

    Certain resources of the management API are protected by authorization. Therefore, users should be granted admin privileges to operate those resources.

File-based user store (Default)

The default user store of the Micro Integrator is file-based. You can open the deployment.toml file and add new users to the file-based user store as shown below. You can encrypt the plain-text passwords using secure vault instead of storing them in clear.

[[internal_apis.users]]
user.name = "user-1"
user.password = "pwd-1"

[[internal_apis.users]]
user.name = "user-2"
user.password = "pwd-2"

The users in this store can only access the management API and related tools (Micro Integrator dashboard/Micro Integrator CLI). That is, the file-based user store only supports user authentication for the management API. If you want to use authentication for integration use cases or authorization, you need an LDAP or RDBMS user store.

Disabling the file-based user store

To disable the file-based user store, add the following to the deployment.toml file.

[internal_apis.file_user_store]
enable = false

Configuring an LDAP user store

Before you begin:

Follow the steps given below to connect the Micro Integrator to your LDAP user store.

  1. Open the deployment.toml file stored in the <MI_HOME>/conf/ directory.
  2. Add the following configurations and update the required values.

    [user_store]
    connection_url = "ldap://localhost:10389"
    connection_name = "uid=admin,ou=system"
    connection_password = "admin"
    user_search_base = "ou=Users,dc=wso2,dc=org"
    type = "read_only_ldap"

    Parameters used above are explained below.

    connection_url: The URL for connecting to the LDAP server. If you are connecting over ldaps (secured LDAP), you need to import the certificate of the user store into the truststore (wso2truststore.jks by default). See the instructions on how to add certificates to the truststore.

    connection_name: The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store, that is, a user with write permission to add and modify users and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user who has sufficient permissions to perform operations on users and roles in LDAP.

    connection_password: Password for the connection user name.

    user_search_base: The DN of the context or object under which the user entries are stored in the user store. When the user store searches for users, it starts from this location in the directory.

    type: Use one of the following values.

    read_only_ldap: The LDAP connection does not provide write access.
    read_write_ldap: The LDAP connection provides write access.

See the complete list of parameters you can configure for the LDAP user store.

Configuring an RDBMS user store

Before you begin, disable the file-based user store.

Follow the steps given below to set up the RDBMS and connect it to the Micro Integrator.

  1. Set up an RDBMS. You can use one of the following types.

    Note

    Be sure to use the relevant database script stored in the <MI_HOME>/dbscripts/ directory when you create the database.

  2. Open the deployment.toml file (stored in the <MI_HOME>/conf directory).

  3. Add the relevant datasource configuration and update the values for your database.

    Tip

    If you are already using a JDBC user store (database) with another WSO2 product (WSO2 API Manager, WSO2 Identity Server, or an instance of WSO2 Enterprise Integrator 6.x.x), you can connect the same database to the Micro Integrator of WSO2 Enterprise Integrator 7 as explained below.

    MySQL:

    [[datasource]]
    id = "WSO2CarbonDB"
    url = "jdbc:mysql://localhost:3306/userdb"
    username = "root"
    password = "root"
    driver = "com.mysql.jdbc.Driver"
    pool_options.maxActive = 50
    pool_options.maxWait = 60000
    pool_options.testOnBorrow = true

    MS SQL:

    [[datasource]]
    id = "WSO2CarbonDB"
    url = "jdbc:sqlserver://<IP>:1433;databaseName=userdb;SendStringParametersAsUnicode=false"
    username = "root"
    password = "root"
    driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    pool_options.maxActive = 50
    pool_options.maxWait = 60000
    pool_options.testOnBorrow = true

    Oracle:

    [[datasource]]
    id = "WSO2CarbonDB"
    url = "jdbc:oracle:thin:@SERVER_NAME:PORT/SID"
    username = "root"
    password = "root"
    driver = "oracle.jdbc.OracleDriver"
    pool_options.maxActive = 50
    pool_options.maxWait = 60000
    pool_options.testOnBorrow = true

    PostgreSQL:

    [[datasource]]
    id = "WSO2CarbonDB"
    url = "jdbc:postgresql://localhost:5432/userdb"
    username = "root"
    password = "root"
    driver = "org.postgresql.Driver"
    pool_options.maxActive = 50
    pool_options.maxWait = 60000
    pool_options.testOnBorrow = true

    DB2:

    [[datasource]]
    id = "WSO2CarbonDB"
    url = "jdbc:db2://SERVER_NAME:PORT/userdb"
    username = "root"
    password = "root"
    driver = "com.ibm.db2.jcc.DB2Driver"
    pool_options.maxActive = 50
    pool_options.maxWait = 60000
    pool_options.testOnBorrow = true

    Parameters used above are explained below.

    id: The name given to the datasource. This is required to be WSO2CarbonDB.

    Note: If you replace 'WSO2CarbonDB' with a different id, you also need to list the id as a datasource under the [realm_manager] section in the deployment.toml file as shown below.

    [realm_manager]
    data_source = "new_id"

    Otherwise the user store database id defaults to 'WSO2CarbonDB' in the realm manager configurations.

    url: The URL for connecting to the database. The type of database is determined by the URL string.

    username: The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store, that is, a user with write permission to add and modify users and to perform search operations on the user store.

    password: Password for the connection user name.

    driver: The driver class specific to the JDBC user store.

    See the complete list of database connection parameters and their descriptions. Also, see the recommendations for tuning the JDBC connection pool.

  4. Add the JDBC user store manager under the [user_store] toml heading as shown below.

    Tip

    If you want to be able to modify the data in your user store, be sure to enable write access to the user store.

    [user_store]
    class = "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
    type = "database"

    # Add the following parameter only if you want to disable write access to the user store.
    read_only = true

    The datasource configured under the [[datasource]] toml heading will now be the effective user store for the Micro Integrator.
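Added example, not part of the WSO2 documentation or product: a small Python checker that parses the deployment.toml fragments shown on this page (with a minimal TOML-subset parser, not a full one) and flags the conditions the sections above call out: a plain-text management-API password instead of a secure-vault reference (assumed here to use the form `$secret{alias}`), a file-based store left enabled next to an LDAP or RDBMS [user_store], an ldap:// rather than ldaps:// connection, and a JDBC datasource whose id matches neither WSO2CarbonDB nor the [realm_manager] data_source. The sample configuration at the end is constructed for the demonstration.

```python
import re

SECRET_REF = re.compile(r"^\$secret\{[^}]+\}$")  # assumed secure-vault reference syntax

def parse_toml_subset(text):
    """Parse the deployment.toml subset on this page; tables keyed by full header name."""
    doc, cur = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strips comments; assumes no '#' inside values
        if not line:
            continue
        if line.startswith("[["):  # [[array_of_tables]] starts a new element
            cur = {}
            doc.setdefault(line[2:-2].strip(), []).append(cur)
        elif line.startswith("["):  # [table]
            cur = doc.setdefault(line[1:-1].strip(), {})
        else:  # key = "str" | true | false | int, with dotted keys nested
            key, val = (s.strip() for s in line.split("=", 1))
            val = val[1:-1] if val.startswith('"') else (val == "true" if val in ("true", "false") else int(val))
            node, parts = cur, key.split(".")
            for p in parts[:-1]:
                node = node.setdefault(p, {})
            node[parts[-1]] = val
    return doc

def audit_user_store(text):
    cfg, findings = parse_toml_subset(text), []
    for user in (u.get("user", {}) for u in cfg.get("internal_apis.users", [])):
        if not SECRET_REF.match(str(user.get("password", ""))):
            findings.append(f"user '{user.get('name')}': plaintext password, use secure vault")
    store = cfg.get("user_store", {})
    if store and cfg.get("internal_apis.file_user_store", {}).get("enable", True):
        findings.append("file-based user store still enabled next to [user_store]; disable it")
    if str(store.get("connection_url", "")).startswith("ldap://"):
        findings.append("connection_url uses ldap://, not ldaps://; bind password crosses the wire in clear")
    if store.get("type") == "database":
        wanted = cfg.get("realm_manager", {}).get("data_source", "WSO2CarbonDB")
        if wanted not in {d.get("id") for d in cfg.get("datasource", [])}:
            findings.append(f"no [[datasource]] with id '{wanted}' for the JDBC user store")
    return findings

# Constructed sample: plaintext admin password, JDBC store, file store not disabled, id mismatch.
SAMPLE = """[[internal_apis.users]]
user.name = "user-1"
user.password = "pwd-1"
[user_store]
type = "database"
[[datasource]]
id = "userdb"
"""
```

Running `audit_user_store(SAMPLE)` returns three findings for the sample; a configuration with the file store disabled, an ldaps:// URL and vaulted passwords returns none.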

What's next?

See Managing Users for instructions on adding, deleting, or viewing users in the user store.
