Enabling keystore authentication in eXtreme Scale container and catalog servers

Enable your WebSphere® eXtreme Scale container servers and catalog servers for keystore authentication, with a Java™ Authentication and Authorization Service (JAAS) policy file that is used for authorization.

About this task

In this task, you use a keystore file as an authentication mechanism that provides access to the data grid, according to the permissions that you set in the JAAS authorization policy configuration file.

Procedure

  1. Create a keystore with login aliases as described in the Java SE security tutorial - Step 4.
  2. Create the JAAS configuration files.
    The grant entry in the following example uses Java policy-file syntax, so it belongs in the authorization policy file that the start commands in steps 5 and 6 pass as -Djava.security.policy (/security/auth.policy in those examples). The login configuration that the same commands pass as -Djava.security.auth.login.config (/security/wxs_keystore.config) holds the login module entry for the keystore that you created in step 1. Replace the principal name with the user that logs in to the data grid. Optionally, replace the map and data grid names with the names from your configuration; "*.*" matches every map in every grid, so narrow it for users who do not need full access. Repeat this step as necessary for more users and data grids. See the following example:
    grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction", principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "manager1" {
        permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
        permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
    };
  3. Create a server-side security.xml file that enables security and selects the keystore login authenticator; for example:
    <?xml version="1.0" encoding="UTF-8"?>
    <securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
        xmlns="http://ibm.com/ws/objectgrid/config/security">
        <security securityEnabled="true" loginSessionExpirationTime="300">
            <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
            </authenticator>
        </security>
    </securityConfig>
  4. Edit your objectGridServer.properties file with the following properties.
    If you do not have an objectGridServer.properties file, you can use the sampleServer.properties file that is in the wxs_home/properties directory to create your properties file. For more information, see Configuring the quorum mechanism.
    securityEnabled=true
    credentialAuthentication=Required
  5. Start your catalog servers.
    [Version 8.6 and later] Deprecated: The startOgServer and stopOgServer commands start servers that use the Object Request Broker (ORB) transport mechanism. The ORB is deprecated, but you can continue using these scripts if you were using the ORB in a previous release. The IBM eXtremeIO (XIO) transport mechanism replaces the ORB. Use the startXsServer and stopXsServer scripts to start and stop servers that use the XIO transport.
    startOgServer.sh catalogServer -clusterSecurityFile /security/security.xml
    -serverProps /security/objectGridServer.properties -jvmArgs
    -Djava.security.auth.login.config="/security/wxs_keystore.config"
    -Djava.security.policy="/security/auth.policy"
    [Version 8.6 and later]
    startXsServer.sh catalogServer -clusterSecurityFile /security/security.xml
    -serverProps /security/objectGridServer.properties -jvmArgs
    -Djava.security.auth.login.config="/security/wxs_keystore.config"
    -Djava.security.policy="/security/auth.policy"
  6. Start your container servers.
    startOgServer.sh c0 -objectgridFile /xml/objectgrid.xml
    -deploymentPolicyFile /xml/deployment.xml
    -catalogServiceEndPoints cataloghostname:2809
    -serverProps /security/objectGridServer.properties
    -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config"
    -Djava.security.policy="/security/auth.policy"
    [Version 8.6 and later]
    startXsServer.sh c0 -objectgridFile /xml/objectgrid.xml
    -deploymentPolicyFile /xml/deployment.xml
    -catalogServiceEndPoints cataloghostname:2809
    -serverProps /security/objectGridServer.properties
    -jvmArgs -Djava.security.auth.login.config="/security/wxs_keystore.config"
    -Djava.security.policy="/security/auth.policy"
  7. Edit your client-side objectGridClient.properties file.
    If WebSphere Application Server is the client, the file that you update is in the was_profile_dir/properties directory. Because the servers were configured with credentialAuthentication=Required in step 4, every client must present a credential; the Supported value on the client allows it to do so.
       securityEnabled=true
       credentialAuthentication=Supported
       transportType=TCP/IP
       singleSignOnEnabled=false
  8. Modify your client application to pass the required keystore login credentials.
    import com.ibm.websphere.objectgrid.ClientClusterContext;
    import com.ibm.websphere.objectgrid.ObjectGrid;
    import com.ibm.websphere.objectgrid.ObjectGridManager;
    import com.ibm.websphere.objectgrid.ObjectGridManagerFactory;
    import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration;
    import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory;
    import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;
    import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator;

    String userid = "UID=manager1,O=acme,OU=sample";
    String password = "password";

    // Creates a ClientSecurityConfiguration object from the client properties file of step 7
    ClientSecurityConfiguration clientSC = ClientSecurityConfigurationFactory
        .getClientSecurityConfiguration("objectGridClient.properties");

    // Creates a CredentialGenerator using the passed-in user and password.
    CredentialGenerator credGen = new UserPasswordCredentialGenerator(userid, password);
    clientSC.setCredentialGenerator(credGen);

    // Connect to the catalog server with the security configuration and obtain the ObjectGrid.
    // connect() and getObjectGrid() throw ObjectGridException, so call them from a method that handles it.
    ObjectGridManager ogManager = ObjectGridManagerFactory.getObjectGridManager();
    ClientClusterContext ccContext = ogManager.connect("cataloghostname:2809", clientSC, null);
    ObjectGrid og = ogManager.getObjectGrid(ccContext, "YourGridName");
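The authorization policy in step 2 grants one principal every action on every map. The following policy is an added example, not from the IBM documentation, that extends the same grant syntax to three principals with different levels of access, so that a compromised reporting or loader credential cannot modify or delete data it was never meant to touch. The principal names "reporter1" and "loader1", the grid name "accountGrid" and the map name "customer" are assumptions; the codebase and principal class are the ones used on this page, and the MapPermission names follow the "gridName.mapName" form of the "*.*" wildcard in step 2. The action names other than "all" are the MapPermission and ObjectGridPermission action vocabulary; check them against the Javadoc of your release before relying on them.

```text
// Administrator of the whole data grid (same entry as step 2): every map, every action,
// plus ObjectGridPermission for queries and dynamic maps.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction",
      principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "manager1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
    permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
};

// Reporting user (assumed name "reporter1"): read-only on a single map of a single grid.
// No ObjectGridPermission is granted, so this principal cannot run queries or create dynamic maps.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction",
      principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "reporter1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accountGrid.customer", "read";
};

// Feeder process (assumed name "loader1"): may read, insert and overwrite entries in the same map,
// but receives no "remove" or "invalidate" action, so it cannot delete data.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction",
      principal com.ibm.ws.objectgrid.test.jaas.authen.SimplePrincipal "loader1" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accountGrid.customer", "read,insert,write";
};
```

A principal that matches no grant entry receives no permissions, which is the default-deny behavior you want: add a user to the policy only when a keystore alias for that user exists, and give it the narrowest map name and action list that its application needs. Each of these users also needs a corresponding login alias in the keystore from step 1, otherwise authentication fails before the policy is ever consulted.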