Enabling LDAP authentication in eXtreme Scale catalog and container servers

Enable your WebSphere® eXtreme Scale servers and catalog servers for Lightweight Directory Access Protocol (LDAP) authentication with a Java™ Authentication and Authorization Service (JAAS) policy file used for authorization.

About this task

In this task, you use LDAP as an authentication mechanism that provides access to the data grid, according to the permissions that you set in the JAAS authorization policy configuration file.

Procedure

  1. Create a wxs_ldap.config file; for example:
    LDAPLogin {
        com.ibm.websphere.objectgrid.security.plugins.builtins.SimpleLDAPLoginModule required
        providerURL="ldap://yourldapserver.yourcompany.com:389/"
        factoryClass="com.sun.jndi.ldap.LdapCtxFactory";
    };
  2. Create a wxs_ldap_auth.config file.
    Replace the principal with the user that logs in to the data grid. Also replace YourGridName with the name of your data grid. Repeat this step as necessary for additional users and data grids. See the following example:
    grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
        principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=sample" {
        permission com.ibm.websphere.objectgrid.security.MapPermission "YourGridName.*", "all";
        permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "YourGridName", "all";
    };

    Alternatively, you can grant permission to all data grids; for example:
    grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
        principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=sample" {
        permission com.ibm.websphere.objectgrid.security.MapPermission "*.*", "all";
        permission com.ibm.websphere.objectgrid.security.ObjectGridPermission "*", "all";
    };
  3. Create a server-side security.xml file; for example:
    <?xml version="1.0" encoding="UTF-8"?>
    <securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
        xmlns="http://ibm.com/ws/objectgrid/config/security">
        <security securityEnabled="true" loginSessionExpirationTime="300">
            <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.LDAPAuthenticator">
            </authenticator>
        </security>
    </securityConfig>
  4. Edit your objectGridServer.properties file with the following properties.
    If you do not have an objectGridServer.properties file, you can use the sampleServer.properties file that is in the wxs_home/properties directory to create your properties file.
    securityEnabled=true
    credentialAuthentication=Required
    
  5. Configure and start your catalog servers.
    1. To configure LDAP in WebSphere Application Server, open the WebSphere Application Server administrative console. Click Servers > WebSphere Application Servers > server_name > Java and process management > Java virtual machine > generic JVM arguments.
      Enter the following values:
      -Dobjectgrid.cluster.security.xml.url=file:///security/security.xml
      -Dobjectgrid.server.props="/security/objectGridServer.properties"
      -Djava.security.policy="/security/wxs_ldap_auth.config"
      -Djava.security.auth.login.config="/security/wxs_ldap.config"
      You can alternatively configure the java.security.auth.login.config property using the following steps. In that case, you can omit the -Djava.security.auth.login.config property that is shown in the previous example. This change takes effect for all container and catalog servers that are running in WebSphere Application Server.
      Note: When you run in WebSphere Application Server, use the -Djava.security.auth.policy property, not the -Djava.security.policy property.
      1. In the administrative console, click Security > Global Security > Java Authentication and Authorization Service > Application logins.
      2. Click New to add an entry with the alias, LDAPLogin, and click Apply.
      3. Under JAAS login modules, click New. Enter com.ibm.websphere.objectgrid.security.plugins.builtins.SimpleLDAPLoginModule and Sufficient as the Authentication strategy.
      4. Under Custom properties, enter the provider URL ldap://yourldapserver.yourcompany.com:389/, and for factory class, enter com.sun.jndi.ldap.LdapCtxFactory.
      5. Click OK and Save.

      Start your WebSphere Application Servers containing the catalog servers as you normally would.

    2. To configure LDAP in stand-alone environments, append the JVM arguments after the -jvmArgs flag; for example:
      startOgServer.[sh|bat] <catalog server arguments> \
                                 -jvmArgs -Dobjectgrid.cluster.security.xml.url=file:///security/security.xml \
                                 -Dobjectgrid.server.props="/security/objectGridServer.properties" \
                                 -Djava.security.policy="/security/wxs_ldap_auth.config" \
                                 -Djava.security.auth.login.config="/security/wxs_ldap.config"

      startXsServer.[sh|bat] <catalog server arguments> \
                                 -jvmArgs -Dobjectgrid.cluster.security.xml.url=file:///security/security.xml \
                                 -Dobjectgrid.server.props="/security/objectGridServer.properties" \
                                 -Djava.security.policy="/security/wxs_ldap_auth.config" \
                                 -Djava.security.auth.login.config="/security/wxs_ldap.config"
      Version 8.6 and later, deprecated feature: The startOgServer and stopOgServer commands start servers that use the Object Request Broker (ORB) transport mechanism. The ORB is deprecated, but you can continue using these scripts if you were using the ORB in a previous release. The IBM eXtremeIO (XIO) transport mechanism replaces the ORB. Use the startXsServer and stopXsServer scripts to start and stop servers that use the XIO transport.
  6. Configure and start your container servers.

    Configure and start your container servers in the way that you did with your catalog servers, except omit the objectgrid.cluster.security.xml.url JVM argument.

  7. Edit your client-side objectGridClient.properties file.
    If WebSphere Application Server is the client, the file that you update is in the was_profile_dir/properties directory.
       securityEnabled=true
       credentialAuthentication=Supported
    
  8. Configure your client to pass the required LDAP login credentials.
    Load a client properties file. This file can contain the user ID and password. If the properties file does not include the user ID and password, add them to the configuration in the client program. In the following example, a client properties file is loaded, and then, the user ID and password are added to the configuration.
    Note: Some lines of code are displayed on multiple lines for publishing purposes only.
    import com.ibm.websphere.objectgrid.ClientClusterContext;
    import com.ibm.websphere.objectgrid.ObjectGrid;
    import com.ibm.websphere.objectgrid.ObjectGridManager;
    import com.ibm.websphere.objectgrid.ObjectGridManagerFactory;
    import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration;
    import com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory;
    import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;
    import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator;

    String clientPropertiesFile = "/path/to/objectGridClient.properties";
    String userid = "CN=manager,O=acme,OU=sample";
    String pw = "password";

    // Creates a ClientSecurityConfiguration object using the specified file
    ClientSecurityConfiguration clientSC =
       ClientSecurityConfigurationFactory.getClientSecurityConfiguration(clientPropertiesFile);

    // Creates a CredentialGenerator using the user ID and password
    CredentialGenerator credGen = new UserPasswordCredentialGenerator(userid, pw);
    clientSC.setCredentialGenerator(credGen);

    // Connect to the catalog server with the security configuration, then look up the data grid
    ObjectGridManager ogManager = ObjectGridManagerFactory.getObjectGridManager();
    ClientClusterContext ccContext = ogManager.connect("cataloghostname:2809", clientSC, null);
    ObjectGrid og = ogManager.getObjectGrid(ccContext, "YourGridName");

What to do next

LDAP authentication over SSL is also supported. The wxs_ldap.config file for this configuration might resemble the following example:
LDAPLogin {
       com.ibm.websphere.objectgrid.security.plugins.builtins.SimpleLDAPLoginModule required
       providerURL="ldaps://yourldapserver.yourcompany.com:636/"
       factoryClass="com.sun.jndi.ldap.LdapCtxFactory";
};

LDAP over SSL requires that the truststore that is used by WebSphere eXtreme Scale catalog and container servers be configured to trust the certificates that are used by the LDAP servers. For example, if the certificates that the LDAP servers use are issued by a local certificate authority, then you must add the signer certificate for that certificate authority to the truststore that is used by each eXtreme Scale process. This requirement applies whether eXtreme Scale is running in a stand-alone environment or with WebSphere Application Server.
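The following pre-flight check is an added example, not part of the product documentation or the eXtreme Scale API. It uses only JDK classes to answer the question the paragraph above raises before any catalog or container server is started: does the truststore that the eXtreme Scale processes will use actually trust the certificate chain that the LDAP server presents? The truststore path and password, and the PEM file holding the LDAP server's chain (leaf certificate first, as exported from the LDAP server's own configuration), are command-line arguments and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not eXtreme Scale code): verify that the truststore configured for the
 * catalog and container servers trusts the LDAP server's certificate chain, so that the
 * ldaps:// providerURL in wxs_ldap.config will not fail with an untrusted-signer error.
 * File names, the truststore password and the chain file are assumptions for this example.
 */
public class LdapTrustStoreCheck {

    // Load a JKS or PKCS12 truststore from disk (type guessed from the file extension).
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Read one or more PEM-encoded X.509 certificates (leaf first) from a file.
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Run PKIX path validation of the chain against the trusted entries of the truststore.
    // Returns true only if some trusted certificate entry in the truststore signs the chain.
    static boolean chainIsTrusted(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        // A self-signed root at the end of the chain is a trust anchor, not a path element;
        // drop it so that validation depends on the truststore rather than on the chain itself.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        // PKIXParameters(KeyStore) throws if the truststore holds no trusted certificate entries,
        // which is itself a misconfiguration worth surfacing.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // revocation checking is out of scope for this check
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("Chain not trusted: " + e.getMessage()
                    + (e.getIndex() >= 0 ? " (certificate index " + e.getIndex() + ")" : ""));
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LdapTrustStoreCheck <truststore.jks|.p12> <password> <ldap-chain.pem>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadPemChain(args[2]);
        System.out.println("LDAP server certificate: " + chain.get(0).getSubjectX500Principal());
        boolean ok = chainIsTrusted(ts, chain);
        System.out.println(ok
                ? "OK: the truststore trusts the LDAP server chain"
                : "FAIL: add the issuing CA signer certificate to this truststore");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it against the same truststore file that each eXtreme Scale process is configured with, so that the check reflects what the servers will see. A passing result only confirms the trust relationship; the host name in the ldaps:// providerURL must still match a name in the LDAP server's certificate for the JNDI connection to succeed.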