Configure a User Store in WSO2 Integration Control Plane

File-based user store (default)

The default user store of the WSO2 Integration Control Plane (ICP) is file-based. You can open the <ICP_HOME>/conf/deployment.toml file and add new users to the file-based user store as shown below. You can encrypt the plaintext passwords using the secure vault.

The default file-based user configuration is as follows:

[internal_apis.file_user_store]
enable = true
[[internal_apis.users]]
user.name = "admin"
user.password = "admin"
user.is_admin = true

To add or update users in the file-based user store, append entries as follows.

[[internal_apis.users]]
user.name = "user-1"
user.password = "pwd-1"
user.is_admin = true
[[internal_apis.users]]
user.name = "user-2"
user.password = "pwd-2"

| Parameter | Description | Required |
|---|---|---|
| user.name | Username | Yes |
| user.password | Password | Yes |
| user.is_admin | Whether the user is given admin privileges | No (default value is false) |

Tip

Set user.is_admin to true to grant admin privileges to a user in the file-based user store.

Disable the file-based user store

To disable the file-based user store, add the following to the <ICP_HOME>/conf/deployment.toml file:

[internal_apis.file_user_store]
enable = false

Note

See the Integration Control Plane Configuration Catalog documentation to connect to the dashboard via Single Sign-On (SSO).

Configure an LDAP user store

Before you begin

  • See the documentation of your LDAP provider for instructions on setting up the LDAP.
  • Disable the file-based user store as shown below using the <ICP_HOME>/conf/deployment.toml file.

    [internal_apis.file_user_store]
    enable = false
    

Follow the steps below to connect the ICP to your LDAP user store.

  1. Open the deployment.toml file stored in the <ICP_HOME>/conf/ directory.
  2. Add the following configurations and update the required values.

Read write LDAP

[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=Users,dc=wso2,dc=org"
type = "read_write_ldap"

Read only LDAP

[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=Users,dc=wso2,dc=org"
type = "read_only_ldap"
read_groups = "true"

The parameters used above are explained below.

| Parameter | Value |
|---|---|
| connection_url | The URL for connecting to the LDAP. If you are connecting over LDAPS (secured LDAP), you need to import the certificate of the user store to the truststore (client-truststore.jks by default). See the instructions on how to add certificates to the truststore. |
| connection_name | The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store; that is, the user requires write permission to add and modify users and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user who has sufficient permissions to perform operations on users and roles in LDAP. |
| connection_password | Password for the connection username. |
| user_search_base | The DN of the context or object under which the user entries are stored in the user store. When the user store searches for users, it starts from this location in the directory. |
| type | Use one of the following values: read_only_ldap (the LDAP connection does not provide write access) or read_write_ldap (the LDAP connection provides write access). |

See the complete list of parameters you can configure for the LDAP user store.

Configure an RDBMS user store

Before you begin

Disable the file-based user store as shown below using the <ICP_HOME>/conf/deployment.toml file.

[internal_apis.file_user_store]
enable = false

If you are already using a JDBC user store (database) with another WSO2 product (WSO2 API Manager, WSO2 Identity Server, or an instance of WSO2 Enterprise Integrator 6.x.x), you can connect the same database to the ICP. Alternatively, you can create a new RDBMS user store and connect it to the ICP.

  1. To set up a new RDBMS, select the preferred RDBMS type and follow the instructions.

    Tip

    If you already have an RDBMS user store set up, you can skip this step.

  2. Be sure to add the JDBC driver to the <ICP_HOME>/lib folder.

  3. To connect the ICP to your RDBMS user store:

    1. Open the deployment.toml file (stored in the <ICP_HOME>/conf directory).
    2. Add the relevant configurations for your RDBMS type.

      MySQL

      [user_store]
      class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      driver_name = "com.mysql.jdbc.Driver"
      url = "jdbc:mysql://localhost:3306/userdb"
      username = ""
      password = ""
      pool_options.maxActive = 50
      pool_options.maxWait = 60000

      MS SQL Server

      [user_store]
      class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      driver_name = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
      url = "jdbc:sqlserver://<IP>:1433;databaseName=userdb;SendStringParametersAsUnicode=false"
      username = ""
      password = ""
      pool_options.maxActive = 50
      pool_options.maxWait = 60000

      Oracle

      [user_store]
      class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      driver_name = "oracle.jdbc.OracleDriver"
      url = "jdbc:oracle:thin:@<HOST>:1521/<SERVICE_NAME>"
      username = ""
      password = ""
      pool_options.maxActive = 50
      pool_options.maxWait = 60000

      PostgreSQL

      [user_store]
      class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      driver_name = "org.postgresql.Driver"
      url = "jdbc:postgresql://localhost:5432/userdb"
      username = ""
      password = ""
      pool_options.maxActive = 50
      pool_options.maxWait = 60000

      IBM DB2

      [user_store]
      class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
      type = "database"
      driver_name = "com.ibm.db2.jcc.DB2Driver"
      url = "jdbc:db2://SERVER_NAME:PORT/userdb"
      username = ""
      password = ""
      pool_options.maxActive = 50
      pool_options.maxWait = 60000
      

      The parameters used above are explained below.

      | Parameter | Value |
      |---|---|
      | id | The name given to the datasource. This is required to be WSO2CarbonDB (see the note below). |
      | url | The URL for connecting to the database. The type of database is determined by the URL string. |
      | username | The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store; that is, the user requires write permission to add and modify users and to perform search operations on the user store. |
      | password | Password for the connection username. |
      | driver_name | The driver class specific to the JDBC user store. |

      Note: If you replace WSO2CarbonDB with a different ID, you also need to list the ID as a datasource under the [realm_manager] section in the deployment.toml file as shown below. Otherwise, the user store database ID defaults to WSO2CarbonDB in the realm manager configurations.

      [realm_manager]
      data_source = "new_id"

      See the complete list of database connection parameters and their descriptions. Also, see the recommendations for tuning the JDBC connection pool.

      The datasource configured under the [[datasource]] TOML heading will now be the effective user store for the Micro Integrator.
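As an added example that is not part of the WSO2 documentation, the following Python audit parses a deployment.toml with the standard library's tomllib and flags the risky states described in the file-based, LDAP and RDBMS sections above: the shipped admin/admin default, plaintext passwords, an unknown user_store type, and the file-based store left enabled next to an external store. Two assumptions are mine rather than the page's: that secure-vault encrypted values appear as "$secret{alias}" references, and that the file-based store counts as enabled when the enable key is omitted.

```python
try:
    import tomllib  # standard library since Python 3.11
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

KNOWN_TYPES = {"read_only_ldap", "read_write_ldap", "database"}  # [user_store] type values

def is_vault_reference(value):
    # Assumption: secure-vault encrypted values appear as "$secret{alias}" references.
    return isinstance(value, str) and value.startswith("$secret{") and value.endswith("}")

def audit(toml_text):
    cfg = tomllib.loads(toml_text)
    findings = []
    internal = cfg.get("internal_apis", {})
    # Assumption: the file-based store is on (enable = true) when the key is omitted.
    file_store_on = internal.get("file_user_store", {}).get("enable", True)
    for entry in internal.get("users", []):
        user = entry.get("user", {})  # dotted keys user.name etc. parse into a "user" table
        name, password = user.get("name"), user.get("password")
        if (name, password) == ("admin", "admin"):
            findings.append("default admin/admin credentials still present")
        elif password is not None and not is_vault_reference(password):
            findings.append(f"plaintext password for file-store user {name!r}")
    external = cfg.get("user_store")
    if external:
        if external.get("type") not in KNOWN_TYPES:
            findings.append(f"unknown user_store type {external.get('type')!r}")
        if file_store_on:
            findings.append("file-based user store still enabled alongside external user store")
        bind_pw = external.get("connection_password", external.get("password"))  # LDAP / RDBMS key
        if bind_pw and not is_vault_reference(bind_pw):
            findings.append("external user store password stored in plaintext")
    return findings

# Constructed sample: file store at defaults plus an LDAP store with a plaintext bind password.
RISKY_CONFIG = """
[internal_apis.file_user_store]
enable = true
[[internal_apis.users]]
user.name = "admin"
user.password = "admin"
user.is_admin = true
[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
type = "read_only_ldap"
"""
```

Call audit() on the contents of a real <ICP_HOME>/conf/deployment.toml; an empty list means none of the checks fired, and audit(RISKY_CONFIG) reports all three problems in the constructed sample.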

What's next?

For instructions on adding, deleting, or viewing users in the user store, see Managing Users.