Configure a User Store in WSO2 Integration Control Plane¶
File-based user store (default)¶
The default user store of the WSO2 Integration Control Plane (ICP) is file-based. Open the <ICP_HOME>/conf/deployment.toml file and add new users to the file-based user store as shown below. Passwords in this file are plain text unless you encrypt them with the secure vault, so do that for any deployment beyond a local test.
The default file-based user configuration is as follows:
[internal_apis.file_user_store]
enable = true
[[internal_apis.users]]
user.name = "admin"
user.password = "admin"
user.is_admin = true
To add users to the file-based user store (or update existing ones), add one [[internal_apis.users]] table per user, as follows:
[[internal_apis.users]]
user.name = "user-1"
user.password = "pwd-1"
user.is_admin = true
[[internal_apis.users]]
user.name = "user-2"
user.password = "pwd-2"
Parameter | Description | Required
---|---|---
user.name | Username | Yes
user.password | Password | Yes
user.is_admin | Whether the user is given admin privileges | No (default value is false)
Tip
Set user.is_admin to true to grant admin privileges to a user in the file-based user store.
Disable the file-based user store¶
To disable the file-based user store, add the following to the <ICP_HOME>/conf/deployment.toml file:
[internal_apis.file_user_store]
enable = false
Note
See the Integration Control Plane Configuration Catalog documentation to connect to the dashboard via Single Sign-On (SSO).
Configure an LDAP user store¶
Before you begin
- See the documentation of your LDAP provider for instructions on setting up the LDAP.
- Disable the file-based user store using the <ICP_HOME>/conf/deployment.toml file:
[internal_apis.file_user_store]
enable = false
Follow the steps below to connect the ICP to your LDAP user store.
- Open the deployment.toml file stored in the <ICP_HOME>/conf/ directory.
- Add the following configurations and update the required values.
Read write LDAP¶
[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=Users,dc=wso2,dc=org"
type = "read_write_ldap"
Read only LDAP¶
[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=Users,dc=wso2,dc=org"
type = "read_only_ldap"
read_groups = "true"
The parameters used above are explained below.
Parameter | Value
---|---
connection_url | The URL for connecting to the LDAP. If you are connecting over LDAPS (secured LDAP), you need to import the certificate of the user store into the truststore (client-truststore.jks by default). See the instructions on how to add certificates to the truststore. Note that a plain ldap:// URL sends the bind credentials in clear text.
connection_name | The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store; that is, the user requires write permission to add and modify users and to perform search operations on the user store. The value you specify is used as the DN (Distinguished Name) of the user who has sufficient permissions to perform operations on users and roles in LDAP.
connection_password | Password for the connection username.
user_search_base | The DN of the context or object under which the user entries are stored in the user store. When the user store searches for users, it starts from this location of the directory.
type | Use one of the following values: read_only_ldap (the LDAP connection does not provide write access) or read_write_ldap (the LDAP connection provides write access).
See the complete list of parameters you can configure for the LDAP user store.
Configure an RDBMS user store¶
Before you begin
- Disable the file-based user store using the <ICP_HOME>/conf/deployment.toml file:
[internal_apis.file_user_store]
enable = false
- If you are already using a JDBC user store (database) with another WSO2 product (WSO2 API Manager, WSO2 Identity Server, or an instance of WSO2 Enterprise Integrator 6.x.x), you can connect the same database to the ICP. Alternatively, you can create a new RDBMS user store and connect it to the ICP. To set up a new RDBMS, select the preferred RDBMS type and follow the instructions.
Tip
If you already have an RDBMS user store set up, you can skip this step.
- Be sure to add the JDBC driver to the <ICP_HOME>/lib folder.
To connect the ICP to your RDBMS user store:
- Open the deployment.toml file (stored in the <ICP_HOME>/conf directory).
- Add the relevant configurations for your RDBMS type.
MySQL
[user_store]
class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
driver_name = "com.mysql.jdbc.Driver"
url = "jdbc:mysql://localhost:3306/userdb"
username = ""
password = ""
pool_options.maxActive = 50
pool_options.maxWait = 60000
MS SQL Server
[user_store]
class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
driver_name = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
url = "jdbc:sqlserver://<IP>:1433;databaseName=userdb;SendStringParametersAsUnicode=false"
username = ""
password = ""
pool_options.maxActive = 50
pool_options.maxWait = 60000
Oracle
[user_store]
class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
driver_name = "oracle.jdbc.OracleDriver"
url = "jdbc:oracle:thin:@<HOST>:<PORT>/userdb"
username = ""
password = ""
pool_options.maxActive = 50
pool_options.maxWait = 60000
PostgreSQL
[user_store]
class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
driver_name = "org.postgresql.Driver"
url = "jdbc:postgresql://localhost:5432/userdb"
username = ""
password = ""
pool_options.maxActive = 50
pool_options.maxWait = 60000
IBM DB2
[user_store]
class = "org.wso2.dashboard.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"
driver_name = "com.ibm.db2.jcc.DB2Driver"
url = "jdbc:db2://SERVER_NAME:PORT/userdb"
username = ""
password = ""
pool_options.maxActive = 50
pool_options.maxWait = 60000
The parameters used above are explained below.
Parameter | Value
---|---
id | The name given to the datasource. This is required to be WSO2CarbonDB. Note: if you replace WSO2CarbonDB with a different ID, you also need to list that ID as the data source under the [realm_manager] section in the deployment.toml file, so that the realm manager configurations use the new ID instead of WSO2CarbonDB: [realm_manager] data_source = "new_id"
url | The URL for connecting to the database. The type of database is determined by the URL string.
username | The username used to connect to the user store and perform various operations. This user needs to be an administrator in the user store; that is, the user requires write permission to add users, modify users, and perform search operations on the user store.
password | Password for the connection username.
driver | The driver class specific to the JDBC user store (the driver_name key in the configurations above).
See the complete list of database connection parameters and their descriptions. Also, see the recommendations for tuning the JDBC connection pool.
The datasource configured under the [[datasource]] TOML heading will now be the effective user store for the Micro Integrator.
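The checks this page asks you to make by hand (no shipped default password left in the file-based store, the file-based store disabled before an LDAP or RDBMS store is configured, LDAPS rather than clear-text LDAP for the bind, no empty or plain-text database credentials) can be run over a deployment.toml before it ships. The script below is an added example and is not part of the WSO2 documentation or product; the audit() function, the severity labels and the "$secret{alias}" form used to recognise a secure-vault reference are this example's own assumptions, as is the constructed sample configuration.

```python
"""Audit the user-store sections of an ICP deployment.toml.

Added example, not WSO2 code. It reads only the tables shown on this page:
[internal_apis.file_user_store], [[internal_apis.users]] and one [user_store]
table for LDAP or a database. The "$secret{alias}" marker is an assumed form
of a secure-vault reference; adjust SECRET_REF if your alias syntax differs.
"""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # pip install tomli on older interpreters

SECRET_REF = re.compile(r"^\$secret\{[^}]+\}$")  # assumed vault alias form
DEFAULT_CREDS = {("admin", "admin")}  # the user the file-based store ships with


def is_vault_ref(value):
    """True when a value is a vault alias rather than a literal secret."""
    return isinstance(value, str) and SECRET_REF.match(value) is not None


def audit(toml_text):
    """Return (severity, message) findings for one deployment.toml string."""
    cfg = tomllib.loads(toml_text)
    findings = []
    internal = cfg.get("internal_apis", {})
    file_store_on = internal.get("file_user_store", {}).get("enable", False)
    users = [entry.get("user", {}) for entry in internal.get("users", [])]
    remote = cfg.get("user_store")  # LDAP or database store, if any

    if file_store_on:
        if not any(u.get("is_admin", False) for u in users):
            findings.append(("HIGH", "file store enabled but no user has is_admin = true"))
        for u in users:
            name, pwd = u.get("name"), u.get("password")
            if (name, pwd) in DEFAULT_CREDS:
                findings.append(("HIGH", f"user '{name}' uses the shipped default password"))
            elif not is_vault_ref(pwd):
                findings.append(("MEDIUM", f"user '{name}' has a plain-text password; use secure vault"))
        if remote is not None:
            findings.append(("HIGH", "file-based store still enabled alongside [user_store]; set enable = false"))

    if remote is not None:
        kind = remote.get("type", "")
        if kind in ("read_only_ldap", "read_write_ldap"):
            url = remote.get("connection_url", "")
            if url.startswith("ldap://"):
                findings.append(("MEDIUM", f"LDAP bind over clear text ({url}); use ldaps:// and trust the server certificate"))
            if not is_vault_ref(remote.get("connection_password", "")):
                findings.append(("MEDIUM", "connection_password is plain text; use secure vault"))
            if kind == "read_write_ldap":
                findings.append(("INFO", "read_write_ldap: the bind DN needs write access to the user subtree"))
        elif kind == "database":
            if not remote.get("username") or not remote.get("password"):
                findings.append(("HIGH", "database user store has an empty username or password"))
            elif not is_vault_ref(remote.get("password")):
                findings.append(("MEDIUM", "database password is plain text; use secure vault"))
        else:
            findings.append(("HIGH", f"unknown user_store type '{kind}'"))
    return findings


# Constructed sample: the shipped admin user, one vault-backed user, and an
# LDAP store added without disabling the file-based store first.
SAMPLE = """
[internal_apis.file_user_store]
enable = true

[[internal_apis.users]]
user.name = "admin"
user.password = "admin"
user.is_admin = true

[[internal_apis.users]]
user.name = "user-2"
user.password = "$secret{user2_pw}"

[user_store]
connection_url = "ldap://localhost:10389"
connection_name = "uid=admin,ou=system"
connection_password = "admin"
user_search_base = "ou=Users,dc=wso2,dc=org"
type = "read_only_ldap"
read_groups = "true"
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:6} {message}")
```

Run it against the real file with `audit(open(path).read())`; an empty list means the file passes every check above. The default-credential check matches on the (username, password) pair, so renaming the admin user while keeping the password "admin" is deliberately still reported as plain text rather than as the default.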
What's next?¶
For instructions on adding, deleting, or viewing users in the user store, see Managing Users.