Configuring a User Store

A user store is a repository that stores user credentials (user names and passwords).

Users in the Micro Integrator

Find out about user credentials in the Micro Integrator.

File-based user store (Default)

The default user store of the Micro Integrator is file-based. You can open the deployment.toml file and add new users to the file-based user store as shown below. You can encrypt the plain text using secure vault.

Tip

Set user.is_admin to true to grant admin privileges to a user in the file-based user store.

[[internal_apis.users]]
user.name = "user-1"
user.password = "pwd-1"
user.is_admin = true

[[internal_apis.users]]
user.name = "user-2"
user.password = "pwd-2"

The users in this store can only access the management API and related tools (Micro Integrator dashboard/API Controller. That is, the file-based user store only supports user authentication and authorization for the management API. If you want to use authentication for integration use cases, you need an LDAP or RDBMS user store.

Disabling the file-based user store

To disable the file-based user store, add the following to the deployment.toml file.

[internal_apis.file_user_store]
enable = false

Configuring an LDAP user store

Before you begin

Follow the steps given below to connect the Micro Integrator to your LDAP user store.

  1. Open the deployment.toml file stored in the <MI_HOME>/conf/ directory.
  2. Add the following configurations and update the required values.

    Tip

    Note that the [user_store] section is enabled by default. Be sure to update the section without duplicating the [user_store] header.

    [user_store]
    connection_url = "ldap://localhost:10389"  
    connection_name = "uid=admin,ou=system"
    connection_password = "admin"  
    user_search_base = "ou=Users,dc=wso2,dc=org"
    type = "read_only_ldap"

    Parameters used above are explained below.

    Parameter Value
    connection_url The URL for connecting to the LDAP. If you are connecting over ldaps (secured LDAP), you need to import the certificate of the user store to the truststore (wso2truststore.jks by default). See the instructions on how to add certificates to the truststore.
    connection_name The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store. That is, the user requires write permission to manage add, modify users and to perform search operations on the user store. The value you specify is used as the DN (Distinguish Name) attribute of the user who has sufficient permissions to perform operations on users and roles in LDAP.
    connection_password Password for the connection user name.
    user_search_base The DN of the context or object under which the user entries are stored in the user store. When the user store searches for users, it will start from this location of the directory.
    type Use one of the following values.

    read_only_ldap: The LDAP connection does not provide write access.
    read_write_ldap: The LDAP connection provides write access.

See the complete list of parameters you can configure for the ldap user store.

If hybrid role support is required, configure a Carbon datasource as in the following example (to create the datasource, use the relevant DB_TYPE_user.sql scripts in <MI_HOME>/dbscripts/ directory).

[[datasource]]
id = "WSO2CarbonDB"
url= "jdbc:mysql://localhost:3306/primaryDB"
username="root"
password="root"
driver="com.mysql.jdbc.Driver"
pool_options.maxActive=50
pool_options.maxWait = 60000
pool_options.testOnBorrow = true

Configuring an RDBMS user store

If you are already using a JDBC user store (database) with another MWARE product (MWARE ESB, MWARE IAM), you can connect the same database to the Micro Integrator of EI 7.1. Alternatively, you can create a new RDBMS user store and connect it to the Micro Integrator.

  1. To set up a new RDBMS, select the preferred RDBMS type and follow the instructions.

    Tip

    If you already have an RDBMS user store set up, you can skip this step.

  2. Be sure to add the JDBC driver to the <MI_HOME>/lib folder.

  3. To connect the Micro Integrator to your RDBMS user store:

    1. Open the deployment.toml file (stored in the <MI_HOME>/conf directory).
    2. Add the relevant configurations for your RDBMS type.

      [[datasource]]
      id = "WSO2CarbonDB"
      url= "jdbc:mysql://localhost:3306/userdb"
      username="root"
      password="root"
      driver="com.mysql.jdbc.Driver"
      pool_options.maxActive=50
      pool_options.maxWait = 60000
      pool_options.testOnBorrow = true
      [[datasource]]
      id = "WSO2CarbonDB"
      url= "jdbc:sqlserver://<IP>:1433;databaseName=userdb;SendStringParametersAsUnicode=false"
      username="root"
      password="root"
      driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
      pool_options.maxActive=50
      pool_options.maxWait = 60000
      pool_options.testOnBorrow = true
      [[datasource]]
      id = "WSO2CarbonDB"
      url= "jdbc:oracle:thin:@SERVER_NAME:PORT/SID"
      username="root"
      password="root"
      driver="oracle.jdbc.OracleDriver"
      pool_options.maxActive=50
      pool_options.maxWait = 60000
      pool_options.testOnBorrow = true
      [[datasource]]
      id = "WSO2CarbonDB"
      url= "jdbc:postgresql://localhost:5432/userdb"
      username="root"
      password="root"
      driver="org.postgresql.Driver"
      pool_options.maxActive=50
      pool_options.maxWait = 60000
      pool_options.testOnBorrow = true
      [[datasource]]
      id = "WSO2CarbonDB"
      url="jdbc:db2://SERVER_NAME:PORT/userdb"
      username="root"
      password="root"
      driver="com.ibm.db2.jcc.DB2Driver"
      pool_options.maxActive=50
      pool_options.maxWait = 60000
      pool_options.testOnBorrow = true

      Parameters used above are explained below.

      Parameter Value
      id The name given to the datasource. This is required to be WSO2CarbonDB.

      Note: If you replace 'WSO2CarbonDB' with a different id, you also need to list the id as a datasource under the [realm_manager] section in the deployment.toml file as shown below.
      [realm_manager]
      data_source = "new_id"
      Otherwise the user store database id defaults to 'WSO2CarbonDB' in the realm manager configurations.
      url The URL for connecting to the database. The type of database is determined by the URL string..
      username The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store. That is, the user requires write permission to manage add, modify users and to perform search operations on the user store.
      password Password for the connection user name.
      driver The driver class specific to the JDBC user store.

      See the complete list of database connection parameters and their descriptions. Also, see the recommendations for tuning the JDBC connection pool.

    3. Add the JDBC user store manager under the [user_store] toml heading as shown below.

      Tip

      • If you want to be able to modify the data in your user store, be sure to enable write access to the user store.
      • Note that the [user_store] section is enabled by default. Be sure to update the section without duplicating the [user_store] header.
      [user_store]
      class = "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      
      # Add the following parameter only if you want to disable write access to the user store.
      read_only = true

      The datasource configured under the [[datasource]] toml heading will now be the effective user store for the Micro Integrator.

What's next?

For instructions on adding, deleting, or viewing users in the user store, see Managing Users.

Top