Local Authentication Realm

This topic discusses the Local Authentication security realm.


The local realm stores its user information in its node's transactional memory. A local realm configuration is specified in a LocalAuthenticationRealm root object and is part of the security configuration type.

Each user in the realm has a password, a set of roles, and an account lock status. The password has an optional expiration time in days, after which the password must be changed; the default is for passwords to never expire. If an account is locked by an administrator, access is always denied.

Passwords are one-way hashed in shared memory.

The realm configuration can specify a set of initial users. When the realm is first activated, these users are placed in the realm, allowing administrators to bulk-load users rather than creating them individually. These users can only be added in the initial version of the configuration; subsequent versions ignore the users because you can also manage the realm by command line and it is preferable to avoid colliding intentions between the initial user list and any management commands invoked earlier.

The configuration can enable secure communication client authentication, which means that if a request is transported over a secure communication connection such as TLS and that connection uses client (mutual) authentication, then no password is required. The server network listener provides the authenticated user, which is responsible for mapping the client X.509 certificate's subject DN to a user name. See Secure Transport with TLS for more information on TLS security.

The configuration can require a password even if the request originates from a trusted host, if the administrator desires extra security. This behavior effectively disables trusted hosts unless the realm is configured to require that all requests originate from a trusted host. In that case, the configuration becomes a white list with required passwords, for maximum security.

User Management

The epadmin command supports user management in any local realm. The realm name is provided as a command line argument and defaults to the default realm named default-realm if not specified.

epadmin add user

Create a new user. If the password is not supplied on the command line, epadmin prompts for it.

epadmin remove user

Remove an existing user.

epadmin update user

Changes the user account lock status, role set, and password expiration period.

epadmin display user

Displays users in one or more realms.

epadmin change password

Changes the user password. If the new password is not supplied on the command line, epadmin prompts for it.

Realm Management

epadmin backup realm

Backs up the specified local realm to the console. You must redirect the backup stream to a file or pipe it to another command. TIBCO strongly recommends making local realm backups so that command line changes to the realm are not lost if the node is removed or corrupted.

epadmin restore realm

Restores from a file on the node's file system. The command replaces the entire contents of the specified realm with the contents of the backup.