Enabling keystore authentication in eXtreme Scale container and catalog servers
Enable your WebSphere® eXtreme Scale container servers and catalog servers for keystore authentication. Clients authenticate with credentials that are checked against a keystore, and a Java™ Authentication and Authorization Service (JAAS) policy file controls what each authenticated principal is authorized to do in the data grid.
About this task
Procedure
- Create a keystore with login aliases as described in the Java SE security tutorial - Step 4.
- Create a wxs_keystore.config file.
The server start commands later in this procedure pass two files to the JVM: wxs_keystore.config as the JAAS login configuration (-Djava.security.auth.login.config) and auth.policy as the Java security policy (-Djava.security.policy). The grant entry below is a Java security policy entry that authorizes an authenticated principal; it belongs in the file that you pass with -Djava.security.policy. Replace the principal name with the user that logs in to the data grid. Optionally, replace the map and data grid names with the names from your configuration; the wildcards in the example grant every action on every map and every grid, so narrow them for production use. Repeat the grant entry as necessary for more users and data grids. See the following example:
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
  principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "manager1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
    permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
};
- Create a server-side security.xml file that enables security and names the KeyStoreLoginAuthenticator as the authenticator; for example:
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true" loginSessionExpirationTime="300">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
    </authenticator>
  </security>
</securityConfig>
- Edit your objectGridServer.properties file with the following properties. If you do not have an objectGridServer.properties file, you can use the sampleServer.properties file in the wxs_home/properties directory as a starting point. For more information, see Configuring the quorum mechanism.
securityEnabled=true
credentialAuthentication=Required
With credentialAuthentication=Required the server rejects clients that do not present a credential; the Supported setting would also admit unauthenticated clients.
- Start your catalog servers, passing the cluster security file, the server properties file, and the JVM arguments that point to the JAAS login configuration and the security policy. Deprecated: The startOgServer and stopOgServer commands start servers that use the Object Request Broker (ORB) transport mechanism. The ORB is deprecated, but you can continue using these scripts if you were using the ORB in a previous release. The IBM eXtremeIO (XIO) transport mechanism replaces the ORB. Use the startXsServer and stopXsServer scripts to start and stop servers that use the XIO transport.
ORB transport (deprecated):
startOgServer.sh catalogServer -clusterSecurityFile /security/security.xml -serverProps /security/objectGridServer.properties -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config" -Djava.security.policy="/security/auth.policy"
XIO transport:
startXsServer.sh catalogServer -clusterSecurityFile /security/security.xml -serverProps /security/objectGridServer.properties -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config" -Djava.security.policy="/security/auth.policy"
- Start your container servers with the same server properties file and JVM arguments, so that every container applies the same authentication and authorization settings as the catalog servers.
ORB transport (deprecated):
startOgServer.sh c0 -objectgridFile /xml/objectgrid.xml -deploymentPolicyFile /xml/deployment.xml -catalogServiceEndPoints cataloghostname:2809 -serverProps /security/objectGridServer.properties -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config" -Djava.security.policy="/security/auth.policy"
XIO transport:
startXsServer.sh c0 -objectgridFile /xml/objectgrid.xml -deploymentPolicyFile /xml/deployment.xml -catalogServiceEndPoints cataloghostname:2809 -serverProps /security/objectGridServer.properties -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config" -Djava.security.policy="/security/auth.policy"
- Edit your client-side objectGridClient.properties file.
If WebSphere Application Server is the client, the file that you update is in the was_profile_dir/properties directory.
securityEnabled=true
credentialAuthentication=Supported
transportType=TCP/IP
singleSignOnEnabled=false
- Modify your client application to pass the required keystore login credentials. The client reads its security settings from objectGridClient.properties, attaches a credential generator that carries the user ID and password, and passes the resulting configuration when it connects to the catalog server:
import com.ibm.websphere.objectgrid.ClientClusterContext;
import com.ibm.websphere.objectgrid.ObjectGrid;
import com.ibm.websphere.objectgrid.ObjectGridManager;
import com.ibm.websphere.objectgrid.ObjectGridManagerFactory;
import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration;
import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory;
import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;
import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator;

String userid = "UID=manager1,O=acme,OU=sample";
String password = "password";

// Create a ClientSecurityConfiguration object from the client properties file
ClientSecurityConfiguration clientSC = ClientSecurityConfigurationFactory
        .getClientSecurityConfiguration("objectGridClient.properties");

// Create a CredentialGenerator using the passed-in user ID and password,
// and attach it so that every connection presents these credentials
CredentialGenerator credGen = new UserPasswordCredentialGenerator(userid, password);
clientSC.setCredentialGenerator(credGen);

// Connect to the catalog server with the security configuration and obtain the grid
ObjectGridManager ogManager = ObjectGridManagerFactory.getObjectGridManager();
ClientClusterContext ccContext = ogManager.connect("cataloghostname:2809", clientSC, null);
ObjectGrid og = ogManager.getObjectGrid(ccContext, "YourGridName");
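The procedure above spreads the security settings over four files (security.xml, objectGridServer.properties, objectGridClient.properties and the policy file), and a mismatch between them either locks every client out or silently admits unauthenticated ones. The following script is an added consistency check written for this page; it is not part of the eXtreme Scale product. It parses constructed copies of the fragments shown in the steps above, and assumes only the property names, XML element names and credentialAuthentication values (Never, Supported, Required) that those steps use. The policy parser handles the grant syntax shown on this page, not the full Java policy grammar.

```python
"""Consistency check for the eXtreme Scale keystore-authentication files in this procedure."""
import re
import xml.etree.ElementTree as ET

SECURITY_NS = {"s": "http://ibm.com/ws/objectgrid/config/security"}
KEYSTORE_AUTHENTICATOR = "com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"

# Constructed copies of the fragments shown in the procedure above (sample input, not live files).
SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true" loginSessionExpirationTime="300">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
  </security>
</securityConfig>
"""
SERVER_PROPERTIES = "securityEnabled=true\ncredentialAuthentication=Required\n"
CLIENT_PROPERTIES = ("securityEnabled=true\ncredentialAuthentication=Supported\n"
                     "transportType=TCP/IP\nsingleSignOnEnabled=false\n")
AUTH_POLICY = """grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
  principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "manager1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
    permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
};
"""


def parse_properties(text):
    """Parse key=value lines the way a Java .properties file is read (comment lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_security_xml(text):
    """Return the securityEnabled flag and authenticator class from a security.xml document."""
    security = ET.fromstring(text).find("s:security", SECURITY_NS)
    if security is None:
        return {"securityEnabled": "false", "authenticator": None}
    authenticator = security.find("s:authenticator", SECURITY_NS)
    return {"securityEnabled": security.get("securityEnabled", "false"),
            "authenticator": authenticator.get("className") if authenticator is not None else None}


def parse_policy_grants(text):
    """Return (principal_class, principal_name, [(perm_class, target, actions)]) per grant block."""
    grants = []
    for block in re.finditer(r"grant\b(.*?)\{(.*?)\};", text, re.S):
        header, body = block.group(1), block.group(2)
        principal = re.search(r'principal\s+([\w.]+)\s+"([^"]*)"', header)
        perms = re.findall(r'permission\s+([\w.]+)\s+"([^"]*)"\s*,\s*"([^"]*)"', body)
        grants.append((principal.group(1) if principal else None,
                       principal.group(2) if principal else None, perms))
    return grants


def check_configuration(security_xml, server_props, client_props, policy):
    """Return (level, message) findings; an empty list means the four files agree."""
    findings = []
    sec = parse_security_xml(security_xml)
    server = parse_properties(server_props)
    client = parse_properties(client_props)

    if sec["securityEnabled"] != "true":
        findings.append(("error", "security.xml: securityEnabled must be true"))
    if sec["authenticator"] != KEYSTORE_AUTHENTICATOR:
        findings.append(("error", "security.xml: authenticator is not KeyStoreLoginAuthenticator"))
    if server.get("securityEnabled") != "true":
        findings.append(("error", "server properties: securityEnabled must be true"))
    # credentialAuthentication is negotiated between client and server: Never, Supported or Required.
    server_auth = server.get("credentialAuthentication", "Never")
    if server_auth == "Never":
        findings.append(("error", "server properties: credentialAuthentication=Never ignores client credentials"))
    elif server_auth == "Supported":
        findings.append(("warning", "server properties: credentialAuthentication=Supported also admits "
                                    "clients that send no credential; use Required"))
    if client.get("securityEnabled") != "true":
        findings.append(("error", "client properties: securityEnabled must be true"))
    if server_auth == "Required" and client.get("credentialAuthentication", "Never") == "Never":
        findings.append(("error", "client properties: credentialAuthentication=Never cannot satisfy "
                                  "a server that requires credentials"))

    grants = parse_policy_grants(policy)
    if not grants:
        findings.append(("error", "policy: no grant entries, so every authenticated principal is denied"))
    for _, name, perms in grants:
        if name is None:
            findings.append(("warning", "policy: grant entry without a principal applies to any caller"))
            continue
        for perm_class, target, actions in perms:
            if target.startswith("*") and actions == "all":
                findings.append(("warning", f"policy: principal {name} has {perm_class} all on "
                                            f"{target}; scope to least privilege"))
    return findings


if __name__ == "__main__":
    for level, message in check_configuration(SECURITY_XML, SERVER_PROPERTIES, CLIENT_PROPERTIES, AUTH_POLICY):
        print(f"{level}: {message}")
```

Run against the fragments from this page, the check reports no errors and two warnings, one for each wildcard grant; changing the client to credentialAuthentication=Never or the server to Supported produces the corresponding error or warning. Point the four string constants at your real files to use it on a deployment.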