Authorizing access for administrative operations in the Liberty profile

You can authorize users to perform administrative tasks against the data grid in the Liberty profile.

About this task

Administrative security determines whether security is enabled, whether you decide to authenticate with LDAP or keystore login, and other values, which are mostly default values. Since you must specify an authentication mechanism before you authorize access for administrative operations, keystore login authentication is referenced in this procedure. For more information about configuring LDAP as an alternative authentication mechanism, see Enabling LDAP authentication in eXtreme Scale catalog and container servers.

Most data grid deployers restrict administrative access to only a subset of the users who can access grid data.

Important: To enable authorization for management (MBean) access, Java Security Manager must be activated. Deployed applications cannot be co-located on the same Liberty server with any catalog servers or container servers with MBean authorization enabled because those applications do not start with the Java Security Manager enabled. Authentication and data grid authorization can be enabled without using the Java Security Manager. However, if the Java Security Manager is not enabled, any authenticated user can run MBean management operations. Therefore, such a configuration is not ideal.

Procedure

  • Create a Java security policy in the wlp_install_root/usr/shared/config directory named dg.policy. Use the following permissions. Update the installation paths, map names, and principal so that they match the users and maps to which you are granting access.
    grant codeBase "file:<wlp_install_root>/lib/-" {
        permission java.security.AllPermission;
    };

    grant codeBase "file:<wlp_install_root>/dev/-" {
        permission java.security.AllPermission;
    };

    grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
        permission javax.management.MBeanPermission "*", "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
    };

    grant codeBase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction",
          principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
        permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
        permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.*", "all";
    };
  • Add the following JVM properties to the wlp_install_root/usr/servers/server_name/jvm.options file for each server that contains an eXtreme Scale container or catalog server. Set the value of the java.security.policy property to point to the dg.policy file that you created in the previous step.
    -Djava.security.manager
    -Djava.security.policy=<wlp_install_root>/usr/shared/config/dg.policy
  • Install the keystore that contains the authentication credentials into the wlp_install_root/usr/shared/config directory as ogkeystore.jks.
  • Create a Java Authentication and Authorization Service (JAAS) configuration file in the wlp_install_root/usr/shared/config directory, and name it ogjaas.config. The keyStoreFile attribute must point to the keystore file that you installed previously.
    KeyStoreLogin {
        com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
            keyStoreFile="<wlp_install_root>/usr/shared/config/ogkeystore.jks" debug=true;
    };
  • Add the following JVM property to the wlp_install_root/usr/servers/server_name/jvm.options file for each server that contains an eXtreme Scale container or catalog server. Set the value of the java.security.auth.login.config property to point to the ogjaas.config file that you created in the previous step.
    -Djava.security.auth.login.config=<wlp_install_root>/usr/shared/config/ogjaas.config
  • Create a security configuration XML file named security.xml in the wlp_install_root/usr/shared/config directory. This file specifies that keystore login authentication is used.
    <?xml version="1.0" encoding="UTF-8"?>
    <securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
          xmlns="http://ibm.com/ws/objectgrid/config/security">

        <security securityEnabled="true" singleSignOnEnabled="true" loginSessionExpirationTime="30">

            <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
            </authenticator>
        </security>

    </securityConfig>
  • Create a server properties file that contains the security settings in the wlp_install_root/usr/shared/config directory, and name it server.properties.
    securityEnabled=true
    secureTokenManagerType=autoSecret
    authenticationSecret=OurGridServersExampleSecret
    credentialAuthentication=required
    Note: You can set the credentialAuthentication property to either required or supported for administrative access. If you set the property to supported, you cannot be authenticated for data grid access. However, you are authenticated for administrative access.
  • Modify the server.xml file for each catalog server to set the serverProps attribute to the server.properties file, and set the clusterSecurityURL attribute to the security.xml file.
    <server description="eXtreme Scale Catalog Server">

        <featureManager>
            <feature>eXtremeScale.server-1.1</feature>
        </featureManager>

        <xsServer isCatalog="true" listenerPort="${com.ibm.ws.xs.server.listenerPort}"
                  serverProps="<wlp_install_root>/usr/shared/config/server.properties"
                  clusterSecurityURL="file://<wlp_install_root>/usr/shared/config/security.xml" />

        <logging traceSpecification="*=info" maxFileSize="200" maxFiles="10" />

    </server>
  • Modify the server.xml file for each container server to set the serverProps attribute to the server.properties file.
    <server description="eXtreme Scale Container Server">

        <featureManager>
            <feature>eXtremeScale.server-1.1</feature>
        </featureManager>

        <xsServer isCatalog="false" serverProps="<wlp_install_root>/usr/shared/config/server.properties" />

        <logging traceSpecification="*=info" maxFileSize="200" maxFiles="10" />

    </server>
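The steps above spread the security configuration over four files, and the Important note explains why the combination matters: without -Djava.security.manager in jvm.options, any authenticated user can run MBean operations regardless of what dg.policy grants. The following script is an added example, not part of the IBM documentation or product, that checks the four files for that kind of inconsistency before a server is started. The file contents are constructed inline from the values in this procedure (with /opt/wlp standing in for wlp_install_root); the check functions are hypothetical helpers written for this example.

```python
"""Consistency check for the eXtreme Scale administrative-security files.

Example code, not IBM's. Each check_* function takes the text of one file
and returns a list of findings (empty means the file passed).
"""
import re
import xml.etree.ElementTree as ET

SECURITY_NS = "{http://ibm.com/ws/objectgrid/config/security}"

# Constructed sample files, taken from the values in the procedure above.
JVM_OPTIONS = """-Djava.security.manager
-Djava.security.policy=/opt/wlp/usr/shared/config/dg.policy
-Djava.security.auth.login.config=/opt/wlp/usr/shared/config/ogjaas.config
"""
# Weakened variant: Security Manager switched off, everything else intact.
JVM_OPTIONS_NO_MANAGER = JVM_OPTIONS.replace("-Djava.security.manager\n", "")

POLICY = """grant codeBase "file:/opt/wlp/lib/-" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*", "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
};
"""
# Weakened variant: MBean permission granted to everyone, not to a principal.
POLICY_UNBOUND = """grant {
    permission javax.management.MBeanPermission "*", "invoke";
};
"""

SERVER_PROPS = """securityEnabled=true
secureTokenManagerType=autoSecret
authenticationSecret=OurGridServersExampleSecret
credentialAuthentication=required
"""

SECURITY_XML = """<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
    <security securityEnabled="true" singleSignOnEnabled="true" loginSessionExpirationTime="30">
        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
    </security>
</securityConfig>
"""


def check_jvm_options(text):
    """The Security Manager must be on, or MBean authorization is not enforced."""
    findings = []
    opts = {line.strip() for line in text.splitlines() if line.strip()}
    if "-Djava.security.manager" not in opts:
        findings.append("jvm.options: -Djava.security.manager is missing, so MBean "
                        "authorization is not enforced for authenticated users")
    for prop in ("-Djava.security.policy=", "-Djava.security.auth.login.config="):
        if not any(o.startswith(prop) for o in opts):
            findings.append(f"jvm.options: {prop[:-1]} is not set")
    return findings


def check_policy(text):
    """Every grant that carries an MBeanPermission must be bound to a principal."""
    findings = []
    for header, body in re.findall(r"grant\b([^{]*)\{(.*?)\};", text, re.S):
        if "MBeanPermission" in body and "principal" not in header:
            findings.append("dg.policy: MBeanPermission granted without a principal")
    return findings


def check_server_properties(text):
    """Parse key=value lines and apply the rules stated in the procedure."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    findings = []
    if props.get("securityEnabled") != "true":
        findings.append("server.properties: securityEnabled must be true")
    mode = props.get("credentialAuthentication")
    if mode not in ("required", "supported"):
        findings.append("server.properties: credentialAuthentication must be required or supported")
    elif mode == "supported":
        findings.append("server.properties: credentialAuthentication=supported authenticates "
                        "administrative access only; data grid access is not authenticated")
    if props.get("secureTokenManagerType") == "autoSecret" and not props.get("authenticationSecret"):
        findings.append("server.properties: secureTokenManagerType=autoSecret without authenticationSecret")
    return findings


def check_security_xml(text):
    """security.xml must enable security and name an authenticator class."""
    root = ET.fromstring(text)
    security = root.find(SECURITY_NS + "security")
    if security is None or security.get("securityEnabled") != "true":
        return ['security.xml: <security securityEnabled="true"> is required']
    auth = security.find(SECURITY_NS + "authenticator")
    if auth is None or not auth.get("className"):
        return ["security.xml: no authenticator className configured"]
    return []


def audit(jvm_options, policy, server_properties, security_xml):
    """Run all four checks and return the combined list of findings."""
    return (check_jvm_options(jvm_options) + check_policy(policy)
            + check_server_properties(server_properties) + check_security_xml(security_xml))


if __name__ == "__main__":
    for label, jvm, pol in (("as documented", JVM_OPTIONS, POLICY),
                            ("weakened", JVM_OPTIONS_NO_MANAGER, POLICY_UNBOUND)):
        findings = audit(jvm, pol, SERVER_PROPS, SECURITY_XML)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against real files by reading each one and passing its text to audit(); the weakened samples show the two findings a deployer most needs to see: the missing Security Manager switch and an MBean grant that is not tied to a principal.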

What to do next

Securing data that flows between eXtreme Scale and Liberty with SSL encryption