Authenticating client requests in the OSGi framework

Unless clients are authenticated, access to grid data and JMX management operations that control the grid are left unprotected. This is true even if SSL is enabled in the OSGi framework.

Before you begin

You must install the OSGi framework before you secure the data grid. For more information, see Installing the Eclipse Equinox OSGi framework with Eclipse Gemini for clients and servers.

About this task

The authentication behavior that is required by eXtreme Scale clients is determined by the credentialAuthentication=required setting in the server.properties file, the KeyStoreLogin setting in the og_jaas.config JAAS configuration file, and the KeyStoreLoginAuthenticator setting in the security.xml file.

Use one of the following methods to authenticate clients.

Procedure

  • Reference a security descriptor XML file in each catalog server using the -DclusterSecurityFile="path_name" JVM argument.

    Use this JVM argument on the OSGi command line when you start the catalog server.

    To enable security, this file must have securityEnabled="true" in the security element. The security descriptor XML file must also contain a descriptor of the authenticator that you want to use. WebSphere eXtreme Scale includes the LDAPAuthenticator, the KeyStoreLoginAuthenticator, and the WSTokenAuthenticator. You cannot use the WSTokenAuthenticator in stand-alone environments; it is available only when eXtreme Scale clients and servers are both running with WebSphere Application Server. Alternatively, you can develop custom authenticators and login modules according to the interfaces described in the API documentation.

  • Reference a JAAS configuration file in each catalog and container server using the -Djava.security.auth.login.config="path_name" JVM argument.
    For information about creating these files and configuring eXtreme Scale servers to use them, see the tutorial, Tutorial: Configuring Java SE security. The JAAS configuration file specifies a LoginModule. Use the KeyStoreLoginModule with the KeyStoreLoginAuthenticator, and the SimpleLDAPLoginModule with the LDAPAuthenticator. See Enabling LDAP authentication in eXtreme Scale catalog and container servers, or Enabling keystore authentication in eXtreme Scale container and catalog servers.
    Important: Unescaped Windows backslashes are not supported in the directory path. Escape every backslash ( \ ) character in the path. For example, to use the path C:\opt\ibm, enter C:\\opt\\ibm in the properties file. Windows directories with spaces are not supported.
  • Configure the client to pass the credentials that are required for authentication.
    This is typically done by specifying values in a client properties file. For more information about enabling LDAP authentication in eXtreme Scale clients, see Enabling LDAP authentication in eXtreme Scale catalog and container servers, and for more information about enabling keystore authentication in eXtreme Scale clients, see Enabling keystore authentication in eXtreme Scale container and catalog servers.
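    The three settings named under About this task live in three different files, so a misconfiguration in any one of them silently leaves authentication off. The following Python check is an added example, not part of this page or of the product, that reads server.properties, the security descriptor XML and the JAAS configuration and reports where they disagree; it also applies the backslash rule from the Important note above. The element layout of the sample security descriptor, the authenticator and login-module class names, and the examplePath property key are assumptions taken from what this page names, so adjust them to your own files.

```python
import re
import xml.etree.ElementTree as ET
def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' comment lines ignored."""
    pairs = (l.strip().partition("=") for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k and not k.startswith("#")}

def read_security_descriptor(xml_text):
    """Return (securityEnabled flag, authenticator className) from security.xml."""
    enabled, authenticator = False, None
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # tolerate a namespace prefix
        if tag == "security":
            enabled = elem.get("securityEnabled", "").lower() == "true"
        elif tag == "authenticator":
            authenticator = elem.get("className")
    return enabled, authenticator

def jaas_entries(jaas_text):
    """Map JAAS entry name -> login module classes declared in that entry."""
    return {m.group(1): re.findall(r"([\w.]+)\s+(?:required|requisite|sufficient|optional)", m.group(2))
            for m in re.finditer(r"(\w+)\s*\{(.*?)\}\s*;", jaas_text, re.S)}

def check_authentication_config(server_props, security_xml, jaas_text):
    """Return findings; an empty list means the three files agree on authentication."""
    findings, props = [], parse_properties(server_props)
    if props.get("credentialAuthentication", "").lower() != "required":
        findings.append("server.properties: credentialAuthentication must be 'required'")
    for key, value in props.items():  # a lone backslash means a Windows path was not escaped
        if re.search(r"(?<!\\)\\(?!\\)", value):
            findings.append(f"server.properties: {key} has an unescaped backslash")
    enabled, authenticator = read_security_descriptor(security_xml)
    if not enabled:
        findings.append('security.xml: security element needs securityEnabled="true"')
    if not authenticator:
        findings.append("security.xml: no authenticator className declared")
    elif authenticator.endswith("KeyStoreLoginAuthenticator"):
        modules = jaas_entries(jaas_text).get("KeyStoreLogin", [])
        if not any(m.endswith("KeyStoreLoginModule") for m in modules):
            findings.append("og_jaas.config: KeyStoreLogin entry must declare KeyStoreLoginModule")
    return findings

# Constructed samples: property key, element layout and class names are assumptions, not shipped files.
GOOD_PROPS = "securityEnabled=true\ncredentialAuthentication=required\nexamplePath=C:\\\\opt\\\\ibm\n"
BAD_PROPS = "credentialAuthentication=supported\nexamplePath=C:\\opt\\ibm\n"  # C:\opt\ibm, unescaped
GOOD_XML = ('<securityConfig><security securityEnabled="true"><authenticator className='
            '"com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/></security></securityConfig>')
BAD_XML = '<securityConfig><security securityEnabled="false"/></securityConfig>'
GOOD_JAAS = ('KeyStoreLogin { com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule '
             'required keyStoreFile="/opt/ibm/keys.jks"; };')
```

Run check_authentication_config on the real files read from the paths you pass with -DclusterSecurityFile and -Djava.security.auth.login.config; an empty result means the three settings are consistent, not that the keystore or LDAP credentials themselves are correct.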

What to do next

Authorizing access to the data grid in the OSGi framework