Lesson 2.2: Configure catalog server security
A catalog server contains two different levels of security information: The first level contains the security properties that are common to all the WebSphere® eXtreme Scale servers, including the catalog service and container servers. The second level contains the security properties that are specific to the catalog server.
About this task
To configure the security XML descriptor file in a Java SE environment, use the -clusterSecurityFile option when you run the startOgServer or startXsServer command. Specify the path to the file, such as samples_home/security_extauth/security3.xml.
security3.xml file
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
xmlns="http://ibm.com/ws/objectgrid/config/security">
<security securityEnabled="true">
<authenticator
className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
</authenticator>
</security>
</securityConfig>
The following properties are defined in the security3.xml file:
- securityEnabled
- The securityEnabled property is set to true, which indicates to the catalog server that the WebSphere eXtreme Scale global security is enabled.
- authenticator
- The authenticator is configured as the com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator class. With this built-in implementation of the Authenticator plug-in, the user ID and password are passed to the keystore file to verify that they are configured there. The KeyStoreLoginAuthenticator class uses a KeyStoreLogin login module alias, so a Java Authentication and Authorization Service (JAAS) login configuration is required.
catServer3.props file
securityEnabled=true
credentialAuthentication=Required
transportType=TCP/IP
secureTokenManagerType=none
authenticationSecret=ObjectGridDefaultSecret
- securityEnabled
- The securityEnabled property is set to true to indicate that this catalog server is a secure server.
- credentialAuthentication
- The credentialAuthentication property is set to Required, so any client that is connecting to the server is required to provide a credential. In the client property file, the credentialAuthentication value is set to Supported, so the server receives the credentials that are sent by the client.
- secureTokenManagerType
- The secureTokenManagerType is set to none to indicate that the authentication secret is not encrypted when joining the existing servers.
- authenticationSecret
- The authenticationSecret property is set to ObjectGridDefaultSecret. This secret string is used to join the eXtreme Scale server cluster. When a server joins the data grid, it is challenged to present the secret string. If the secret string of the joining server matches the string in the catalog server, the joining server is accepted. If the string does not match, the join request is rejected.
- transportType
- The transportType property is set to TCP/IP initially. Later in the tutorial, transport security is enabled.
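A defender-side check for the settings this lesson deliberately leaves weak for now (plain TCP/IP transport, an unencrypted join secret, and the default secret string), written here as an added Python example and not code from the eXtreme Scale product. The hardened values SSL-Required and autoSecret are assumed from the server properties reference, and the replacement secret is a placeholder.

```python
"""Audit a WebSphere eXtreme Scale catalog server .props file for the weak
settings discussed in this lesson (added example, not IBM code)."""

# Constructed copy of the catServer3.props file shown above.
CATSERVER3_PROPS = """\
securityEnabled=true
credentialAuthentication=Required
transportType=TCP/IP
secureTokenManagerType=none
authenticationSecret=ObjectGridDefaultSecret
"""

# The same file with hardened values. SSL-Required and autoSecret are assumed
# from the product's property reference; the secret is a placeholder.
HARDENED_PROPS = """\
securityEnabled=true
credentialAuthentication=Required
transportType=SSL-Required
secureTokenManagerType=autoSecret
authenticationSecret=REPLACE-WITH-LONG-RANDOM-SECRET
"""


def parse_props(text):
    """Parse Java .properties style key=value lines; skip blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_catalog_props(text):
    """Return (property, finding) tuples for each weak or missing setting."""
    p = parse_props(text)
    findings = []
    if p.get("securityEnabled", "false").lower() != "true":
        findings.append(("securityEnabled", "global security is off"))
    if p.get("credentialAuthentication") != "Required":
        findings.append(("credentialAuthentication", "clients may connect without a credential"))
    if p.get("transportType", "TCP/IP") == "TCP/IP":
        findings.append(("transportType", "credentials and grid data cross the wire unencrypted"))
    if p.get("secureTokenManagerType", "none") == "none":
        findings.append(("secureTokenManagerType", "join secret is sent to existing servers unencrypted"))
    if p.get("authenticationSecret", "") in ("", "ObjectGridDefaultSecret"):
        findings.append(("authenticationSecret", "default or empty cluster join secret"))
    return findings
```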
xsjaas3.config file
Because the KeyStoreLoginAuthenticator implementation uses a login module, you must configure the login module with a JAAS authentication login configuration file. The contents of the xsjaas3.config file follow:
KeyStoreLogin{
com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
keyStoreFile="samples_home/security_extauth/sampleKS3.jks" debug = true;
};
If you used a location for samples_home other than /wxs_samples/, you need to update the location of the keyStoreFile. This login configuration indicates that the com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule module is used as the login module. The keystore file is set to the sampleKS3.jks file. The sampleKS3.jks sample keystore file stores two user IDs and the passwords: manager/manager1 and cashier/cashier1.
keytool -genkey -v -keystore ./sampleKS3.jks -storepass sampleKS1 -alias manager -keypass manager1 -dname CN=manager,O=acme,OU=OGSample -validity 10000
keytool -genkey -v -keystore ./sampleKS3.jks -storepass sampleKS1 -alias operator -keypass operator1 -dname CN=operator,O=acme,OU=OGSample -validity 10000
Start the catalog server with security enabled
To start the catalog server, issue the startOgServer or startXsServer command with the -clusterSecurityFile and -serverProps parameters to pass in the security properties.
Before you begin
set JAVA_HOME=was_root/IBM/WebSphere/AppServer/java/
Procedure
Results
Stop a catalog server that has security enabled
You can use the stopOgServer or stopXsServer command to stop the catalog server.
Procedure
Lesson checkpoint
You configured catalog server security by associating the security3.xml, catServer3.props, xsjaas3.config files with the catalog service.