Lesson 2.2: Configure catalog server security

A catalog server contains two different levels of security information: The first level contains the security properties that are common to all the WebSphere® eXtreme Scale servers, including the catalog service and container servers. The second level contains the security properties that are specific to the catalog server.

About this task

The security properties that are common to the catalog servers and container servers are configured in the security XML descriptor file. An example of common properties is the authenticator configuration, which represents the user registry and authentication mechanism. See Security descriptor XML file for more information about the security properties.

To configure the security XML descriptor file in a Java SE environment, use the -clusterSecurityFile option when you run the startOgServer [Version 8.6 and later] or startXsServer command. Specify the path of the file, for example samples_home/security_extauth/security3.xml.

security3.xml file

In this tutorial, the security3.xml file is in the samples_home/security_extauth directory. The content of the security3.xml file with the comments removed follows:
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
	xmlns="http://ibm.com/ws/objectgrid/config/security">

	<security securityEnabled="true">
		<authenticator
	className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
		</authenticator>
	</security>
</securityConfig>
The following properties are defined in the security3.xml file:
securityEnabled
The securityEnabled property is set to true, which indicates to the catalog server that the WebSphere eXtreme Scale global security is enabled.
authenticator
The authenticator is configured as the com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator class. With this built-in implementation of the Authenticator plug-in, the user ID and password that a client presents are checked against the entries in a keystore file. The KeyStoreLoginAuthenticator class uses a KeyStoreLogin login module alias, so a Java Authentication and Authorization Service (JAAS) login configuration that defines that alias is required.

catServer3.props file

The server properties file stores the server-specific properties, which include the server-specific security properties. See Server properties file for more information. Use the -serverProps option to specify the catalog server properties file when you run the startOgServer [Version 8.6 and later] or startXsServer command. For this tutorial, a catServer3.props file is in the c directory. The content of the catServer3.props file with the comments removed follows:
securityEnabled=true
credentialAuthentication=Required
transportType=TCP/IP
secureTokenManagerType=none
authenticationSecret=ObjectGridDefaultSecret
securityEnabled
The securityEnabled property is set to true to indicate that this catalog server is a secure server.
credentialAuthentication
The credentialAuthentication property is set to Required, so any client that connects to the server must provide a credential. In the client properties file, the credentialAuthentication value is set to Supported, so the client sends its credential and the server receives it.
secureTokenManagerType
The secureTokenManagerType property is set to none, which means that the authentication secret is not encrypted when a server presents it to join the existing servers. Because transportType is TCP/IP at this point in the tutorial, the secret also crosses the network in the clear; transport security is enabled in a later lesson.
authenticationSecret
The authenticationSecret property is set to ObjectGridDefaultSecret. This secret string is used to join the eXtreme Scale server cluster. When a server joins the data grid, it is challenged to present the secret string. If the secret string of the joining server matches the string in the catalog server, the joining server is accepted. If the string does not match, the join request is rejected. Because any server that presents the matching string is accepted, the sample value is suitable only for the tutorial; use a private value of your own outside it.
transportType
The transportType property is set to TCP/IP initially. Later in the tutorial, transport security is enabled.

xsjaas3.config file

Because the KeyStoreLoginAuthenticator implementation uses a login module, you must configure the login module with a JAAS authentication login configuration file. The contents of the xsjaas3.config file follow:

KeyStoreLogin{
com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
     keyStoreFile="samples_home/security_extauth/sampleKS3.jks" debug = true;
};
If you used a location for samples_home other than /wxs_samples/, you need to update the location of the keyStoreFile. This login configuration indicates that the com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule module is used as the login module, and that the keystore file is the sampleKS3.jks file.
[Windows]Important: If you are using Windows, a backslash ( \ ) in the path is read as an escape character, so you must escape each backslash in the path by doubling it. For example, if you want to use the path C:\opt\ibm, enter C:\\opt\\ibm in the properties file. Windows directories with spaces are not supported.

The sampleKS3.jks sample keystore file stores two user IDs and the passwords: manager/manager1 and cashier/cashier1. The keytool commands below create the manager and operator entries, so list the aliases in your copy of the keystore with keytool -list (using the -keystore and -storepass values shown below) before you rely on a particular user ID.

You can use the following keytool commands to create this keystore. Each user ID is a key alias, the user password is that key's password (-keypass), and the keystore password is sampleKS1 (-storepass):
  • keytool -genkey -v -keystore ./sampleKS3.jks -storepass sampleKS1 
    -alias manager -keypass manager1 -dname CN=manager,O=acme,OU=OGSample 
    -validity 10000
  • keytool -genkey -v -keystore ./sampleKS3.jks -storepass sampleKS1 
    -alias operator -keypass operator1 -dname CN=operator,O=acme,OU=OGSample 
    -validity 10000
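Before starting the server, it is worth checking the three files described in this lesson (security3.xml, catServer3.props and xsjaas3.config) for the settings that matter: security enabled in both the descriptor and the server properties, a credential required from clients, a join secret that is present and not the sample default, the clear-text join secret when secureTokenManagerType=none is combined with transportType=TCP/IP, and a keyStoreFile path that exists and has no unescaped backslashes or spaces. The script below is an added example, not part of WebSphere eXtreme Scale or the IBM tutorial; it assumes the property names and file layouts shown above, reads the files with sed and grep only, and does not call keytool or start a server. The sample files in its usage line and its check names are the author's own.

```shell
#!/bin/sh
# Pre-start check for the three catalog server security files in this lesson.
# This is an added example, not part of WebSphere eXtreme Scale or the IBM
# tutorial. It assumes the property names and file layouts shown above and
# only reads the files: it does not call keytool and does not start a server.

# Print the last value of key $2 from the Java properties file $1 (key=value lines).
prop_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print the keyStoreFile="..." value from the JAAS login configuration file $1.
jaas_keystore() {
  sed -n 's/.*keyStoreFile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check the security descriptor (security3.xml). grep is enough for the small
# descriptor shown in this lesson. Prints ERROR/WARN lines; returns the ERROR count.
check_security_xml() {
  sx_file="$1"; sx_errors=0
  if ! grep -q 'securityEnabled="true"' "$sx_file"; then
    printf '%s\n' "ERROR: securityEnabled=\"true\" not found in $sx_file"; sx_errors=$((sx_errors + 1))
  fi
  if ! grep -q 'className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"' "$sx_file"; then
    printf '%s\n' "WARN: authenticator is not KeyStoreLoginAuthenticator; the KeyStoreLogin JAAS entry may be unused"
  fi
  return $sx_errors
}

# Check the server properties (catServer3.props). Returns the ERROR count.
check_server_props() {
  sp_file="$1"; sp_errors=0
  if [ "$(prop_get "$sp_file" securityEnabled)" != "true" ]; then
    printf '%s\n' "ERROR: securityEnabled is not true in $sp_file"; sp_errors=$((sp_errors + 1))
  fi
  if [ "$(prop_get "$sp_file" credentialAuthentication)" != "Required" ]; then
    printf '%s\n' "WARN: credentialAuthentication is not Required; clients are not forced to present a credential"
  fi
  sp_secret=$(prop_get "$sp_file" authenticationSecret)
  if [ -z "$sp_secret" ]; then
    printf '%s\n' "ERROR: authenticationSecret is not set; joining servers cannot be challenged"; sp_errors=$((sp_errors + 1))
  elif [ "$sp_secret" = "ObjectGridDefaultSecret" ]; then
    printf '%s\n' "WARN: authenticationSecret is the tutorial default; any server that knows it can join the grid"
  fi
  if [ "$(prop_get "$sp_file" secureTokenManagerType)" = "none" ] &&
     [ "$(prop_get "$sp_file" transportType)" = "TCP/IP" ]; then
    printf '%s\n' "WARN: secureTokenManagerType=none with transportType=TCP/IP: the join secret crosses the network in the clear"
  fi
  return $sp_errors
}

# Check the JAAS login configuration (xsjaas3.config). Returns the ERROR count.
check_jaas_config() {
  jc_file="$1"; jc_errors=0
  jc_ks=$(jaas_keystore "$jc_file")
  if [ -z "$jc_ks" ]; then
    printf '%s\n' "ERROR: no keyStoreFile=\"...\" entry in $jc_file"; return 1
  fi
  case "$jc_ks" in
    *samples_home*) printf '%s\n' "ERROR: keystore path still contains the samples_home placeholder: $jc_ks"; jc_errors=$((jc_errors + 1)) ;;
  esac
  case "$jc_ks" in *' '*) printf '%s\n' "WARN: keystore path contains a space, which is not supported on Windows: $jc_ks" ;; esac
  # Drop every escaped pair (\\); any backslash left over was not escaped.
  jc_rest=$(printf '%s' "$jc_ks" | sed 's/\\\\//g')
  case "$jc_rest" in *\\*) printf '%s\n' "WARN: keystore path has an unescaped backslash; write \\\\ for each backslash: $jc_ks" ;; esac
  if [ ! -f "$jc_ks" ]; then
    printf '%s\n' "ERROR: keystore file not found: $jc_ks"; jc_errors=$((jc_errors + 1))
  fi
  return $jc_errors
}

# Run all three checks. Returns the total ERROR count; 0 means the server can be
# started (WARN lines still deserve a look: in this lesson two of them are expected).
lint_catalog_config() {
  lc_total=0
  check_security_xml "$1" || lc_total=$((lc_total + $?))
  check_server_props "$2" || lc_total=$((lc_total + $?))
  check_jaas_config "$3" || lc_total=$((lc_total + $?))
  return $lc_total
}

# Usage: sh lint_catalog_security.sh security3.xml catServer3.props xsjaas3.config
if [ $# -eq 3 ]; then
  lint_catalog_config "$1" "$2" "$3"
fi
```

Run it from the samples directory as sh lint_catalog_security.sh security3.xml catServer3.props xsjaas3.config and start the server only when the exit status is 0. With the tutorial files as shown, the script exits 0 but prints two WARN lines (the default join secret and the clear-text secret over TCP/IP); both are expected at this stage because the tutorial enables transport security later, and both are exactly the settings to change before the configuration leaves the tutorial.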

Start the catalog server with security enabled

To start the catalog server, issue the startOgServer [Version 8.6 and later] or startXsServer command with the -clusterSecurityFile and -serverProps parameters to pass in the security properties.

Before you begin

Use a stand-alone installation of WebSphere eXtreme Scale to run the catalog server. When using the stand-alone installation image, you must use the IBM SDK. You can use the SDK that is included with WebSphere Application Server by setting the JAVA_HOME variable to point to the IBM SDK. For example, set JAVA_HOME=was_root/IBM/WebSphere/AppServer/java/

Procedure

  1. Go to the bin directory.
    cd wxs_home/bin
  2. Run the startOgServer [Version 8.6 and later] or startXsServer command.
    [Linux][Unix]
    ./startOgServer.sh cs1 -listenerPort 16809 -JMXServicePort 16099 -catalogServiceEndPoints
    cs1:[HOST_NAME]:16601:16602 -clusterSecurityFile samples_home/security_extauth/security3.xml
    -serverProps samples_home/security_extauth/catServer3.props -jvmArgs 
    -Djava.security.auth.login.config="samples_home/security_extauth/xsjaas3.config"
    [Windows]
    startOgServer.bat cs1 -listenerPort 16809 -JMXServicePort 16099 -catalogServiceEndPoints
    cs1:[HOST_NAME]:16601:16602 -clusterSecurityFile samples_home/security_extauth/security3.xml
    -serverProps samples_home/security_extauth/catServer3.props -jvmArgs 
    -Djava.security.auth.login.config="samples_home/security_extauth/xsjaas3.config"
    [Version 8.6 and later][Linux][Unix]
    ./startXsServer.sh cs1 -listenerPort 16809 -JMXServicePort 16099 -catalogServiceEndPoints
    cs1:[HOST_NAME]:16601:16602 -clusterSecurityFile samples_home/security_extauth/security3.xml
    -serverProps samples_home/security_extauth/catServer3.props -jvmArgs 
    -Djava.security.auth.login.config="samples_home/security_extauth/xsjaas3.config"
    [Version 8.6 and later][Windows]
    startXsServer.bat cs1 -listenerPort 16809 -JMXServicePort 16099 -catalogServiceEndPoints
    cs1:[HOST_NAME]:16601:16602 -clusterSecurityFile samples_home/security_extauth/security3.xml
    -serverProps samples_home/security_extauth/catServer3.props -jvmArgs 
    -Djava.security.auth.login.config="samples_home/security_extauth/xsjaas3.config"

Results

After you run the startOgServer[Version 8.6 and later] or startXsServer command, a secure server starts with listener port 16809, client port 16601, peer port 16602, and JMX port 16099. If a port conflict exists, change the port number to an unused port number.

Stop a catalog server that has security enabled

You can use the stopOgServer [Version 8.6 and later] or stopXsServer command to stop the catalog server. Because the catalog server now requires a credential from every client, the stop command must present one too, which is why the -clientSecurityFile parameter pointing to the client properties file is passed.

Procedure

  1. Go to the bin directory.
    cd wxs_home/bin
  2. Run the stopOgServer [Version 8.6 and later] or stopXsServer command.
    [Linux][Unix]
    stopOgServer.sh cs1 -catalogServiceEndPoints localhost:16809 -clientSecurityFile 
    samples_home/security_extauth/client3.props
    [Windows]
    stopOgServer.bat cs1 -catalogServiceEndPoints localhost:16809 -clientSecurityFile 
    samples_home/security_extauth/client3.props
    [Version 8.6 and later][Linux][Unix]
    stopXsServer.sh cs1 -catalogServiceEndPoints localhost:16809 -clientSecurityFile 
    samples_home/security_extauth/client3.props
    [Version 8.6 and later][Windows]
    stopXsServer.bat cs1 -catalogServiceEndPoints localhost:16809 -clientSecurityFile 
    samples_home/security_extauth/client3.props

Lesson checkpoint

You configured catalog server security by associating the security3.xml, catServer3.props, and xsjaas3.config files with the catalog service.