Credential mapping overview

If IBM® InfoSphere® Information Server and the InfoSphere Information Server engine do not share the user registry, you create a mapping between credentials in the user registry that InfoSphere Information Server uses and user credentials that exist in the local operating system user registry on the engine tier computer.

Use credential mapping in the following scenarios:

  • InfoSphere Information Server is configured to use the internal user registry. The InfoSphere Information Server engine cannot use the internal user registry.
  • InfoSphere Information Server is configured to use LDAP, but you are unable to configure the engine to use LDAP (through PAM).
  • Linux, UNIX: The services tier and engine tier are installed on separate computers. They do not share a user registry.
  • Windows: The services tier and engine tier are installed on separate computers. The computers are not in the same domain.

The installation program automatically creates a user mapping between the InfoSphere Information Server administrator user (isadmin by default) and the engine administrator user name (dsadm by default). If this is the only mapping that you will use, no further credential mapping is necessary. However, if you want to assign other users engine access, then the InfoSphere Information Server user must grant the other user names the required roles and establish credential mappings with engine user names.

The credential mappings are stored with the internal user registry in the metadata repository. The passwords are strongly encrypted for increased security.

You can create individual user mappings, so that each InfoSphere Information Server user is associated with exactly one engine user. You also can create a default user mapping, so that all InfoSphere Information Server users who do not have individual credential mappings can access the engine through a shared user name.
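The following sketch is an added example, not IBM code or a product API. It models the resolution order described above (individual mapping first, then the default mapping) and reports which InfoSphere Information Server users end up sharing an engine user name. The sample users, the `etl_*` engine accounts, and the treatment of a user with no mapping as having no engine access are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data, not an export format of the product.
INDIVIDUAL = {"isadmin": "dsadm", "alice": "etl_alice", "bob": "etl_alice"}
DEFAULT_ENGINE_USER = "etl_shared"  # hypothetical; None when no default mapping exists
SUITE_USERS = ["isadmin", "alice", "bob", "carol", "dave"]

def resolve(user, individual, default):
    """Return (engine_user, source): individual mapping first, then the default."""
    if user in individual:
        return individual[user], "individual"
    if default is not None:
        return default, "default"
    return None, "unmapped"

def audit(users, individual, default):
    """Report which suite users share an engine account or have none."""
    by_engine = defaultdict(list)
    report = {"via_default": [], "unmapped": [], "shared": {}}
    for user in users:
        engine_user, source = resolve(user, individual, default)
        if engine_user is None:
            report["unmapped"].append(user)
            continue
        by_engine[engine_user].append(user)
        if source == "default":
            report["via_default"].append(user)
    # An engine account used by more than one suite user cannot be attributed
    # to a single person from engine-side operating system records.
    report["shared"] = {e: u for e, u in by_engine.items() if len(u) > 1}
    return report

if __name__ == "__main__":
    for key, value in audit(SUITE_USERS, INDIVIDUAL, DEFAULT_ENGINE_USER).items():
        print(key, value)
```

Users listed under `via_default` or `shared` are candidates for individual mappings when per-user accountability on the engine tier is required.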

In the following figure, the services tier and engine tier are installed on the same computer. However, InfoSphere Information Server is configured to use the internal user registry. Because the engine tier computer cannot use this user registry, credential mapping is configured between the internal user registry and the local operating system user registry.

Figure 1. Example of architecture where internal user registry is used. Credential mapping is configured

In the following figure, the services tier and engine tier are installed on separate computers. InfoSphere Information Server is configured to use the local operating system user registry. Since the engine tier computer cannot share this user registry, credential mapping is configured between the local operating system user registry on the services tier computer and the local operating system user registry on the engine tier computer.

Figure 2. Example of architecture with separate services tier and engine tier computer. Credential mapping is configured