Security descriptor XML file

Use a security descriptor XML file to configure an eXtreme Scale deployment topology with security enabled. You can use the elements in this file to configure different aspects of security.

securityConfig element

The securityConfig element is the top-level element of the ObjectGrid security XML file. This element sets up the namespace of the file and the schema location. The schema is defined in the objectGridSecurity.xsd file.
  • Number of occurrences: One
  • Child elements: security

security element

Use the security element to define an ObjectGrid security.
  • Number of occurrences: One
  • Child elements: authenticator, adminAuthorization, and systemCredentialGenerator
Attributes
securityEnabled
Enables security for the grid when set to true. The default value is false. If the value is set to false, grid-wide security is disabled. For more information, see Data grid security. (Optional)
singleSignOnEnabled
Enables a client to connect to any server after it has authenticated with one of the servers when the value is set to true. Otherwise, a client must authenticate with each server before the client can connect. The default value is false. (Optional)
loginSessionExpirationTime
Specifies the amount of time in seconds before the login session expires. If the login session expires, the client must authenticate again. (Optional)
adminAuthorizationEnabled
Enables administrative authorization. If the value is set to true, all of the administrative tasks need authorization. The authorization mechanism that is used is specified by the value of the adminAuthorizationMechanism attribute. The default value is false. (Optional)
adminAuthorizationMechanism
Indicates which authorization mechanism to use. WebSphere® eXtreme Scale supports two authorization mechanisms, Java™ Authentication and Authorization Service (JAAS) and custom authorization. The JAAS authorization mechanism uses the standard JAAS policy-based approach. To specify JAAS as the authorization mechanism, set the value to AUTHORIZATION_MECHANISM_JAAS. The custom authorization mechanism uses a user-plugged-in AdminAuthorization implementation. To specify a custom authorization mechanism, set the value to AUTHORIZATION_MECHANISM_CUSTOM. For more information on how these two mechanisms are used, see Authorizing application clients. (Optional)

The following security.xml file is a sample configuration to enable the data grid security.

security.xml

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
	xmlns="http://ibm.com/ws/objectgrid/config/security">

    <security securityEnabled="true" singleSignOnEnabled="true" 
        loginSessionExpirationTime="20"
        adminAuthorizationEnabled="true"
        adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS" >
	
        <authenticator className ="com.ibm.websphere.objectgrid.security.plugins.
						builtins.WSTokenAuthenticator">
        </authenticator>
        
        <systemCredentialGenerator className ="com.ibm.websphere.objectgrid.security.
						plugins.builtins.WSTokenCredentialGenerator">
            <property name="properties" type="java.lang.String" value="runAs"
								description="Using runAs subject" />
        </systemCredentialGenerator>

    </security>
</securityConfig>

authenticator element

Authenticates clients to eXtreme Scale servers in the data grid. The class that is specified by the className attribute must implement the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. The authenticator can use properties to call methods on the class that is specified by the className attribute. See property element for more information on using properties.

In the previous security.xml file example, the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class is specified as the authenticator. This class implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.

  • Number of occurrences: zero or one
  • Child element: property
Attributes
className
Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. Use this class to authenticate clients to the servers in the eXtreme Scale grid. (Required)

adminAuthorization element

Use the adminAuthorization element to set up administrative access to the data grid.
  • Number of occurrences: zero or one
  • Child element: property
Attributes
className
Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization interface. (Required)

systemCredentialGenerator element

Use a systemCredentialGenerator element to set up a system credential generator. This element only applies to a dynamic environment. In the dynamic configuration model, the dynamic container server connects to the catalog server as an eXtreme Scale client and the catalog server can connect to the eXtreme Scale container server as a client too. This system credential generator is used to represent a factory for the system credential.
  • Number of occurrences: zero or one
  • Child element: property
Attributes
className
Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator interface. (Required)

See the previous security.xml file for an example of how to use a systemCredentialGenerator class. In this example, the system credential generator is a com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator class, which retrieves the RunAs Subject object from the thread.

property element

Calls set methods on the authenticator and adminAuthorization classes. The name of the property corresponds to a set method on the className attribute of the authenticator or adminAuthorization element.
  • Number of occurrences: zero or more
  • Child element: property
Attributes
name
Specifies the name of the property. The value that is assigned to this attribute must correspond to a set method on the class that is provided as the className attribute on the containing bean. For example, if the className attribute of the bean is set to com.ibm.MyPlugin, and the name of the property that is provided is size, then the com.ibm.MyPlugin class must have a setSize method. (Required)
type
Specifies the type of the property. The type of the parameter is passed to the set method that is identified by the name attribute. The valid values are the Java primitives, their java.lang counterparts, and java.lang.String. The name and type attributes must correspond to a method signature on the className attribute of the bean. For example, if the name is size and the type is int, then a setSize(int) method must exist on the class that is specified as the className attribute for the bean. (Required)
value
Specifies the value of the property. This value is converted to the type that is specified by the type attribute, and is then used as a parameter in the call to the set method that is identified by the name and type attributes. The value of this attribute is not validated in any way. The plug-in implementor must verify that the value passed in is valid. (Required)
description
Provides a description of the property. (Optional)

See objectGridSecurity.xsd file for more information.