Authenticating client requests in stand-alone environments

Unless clients are authenticated, access to grid data and JMX management operations that control the grid are left unprotected. This is true even if SSL is enabled.

About this task

The authentication behavior that eXtreme Scale servers require of eXtreme Scale clients is determined by the credentialAuthentication property in the server.properties file, which can be set to Never, Supported, or Required.

When credentialAuthentication is set to Required or Supported, more configuration is needed, as described in the following steps. These steps are described in more detail, with examples of the changes to the configuration files in Java SE security tutorial - Step 3.

Procedure

  • Reference a security descriptor XML file in each catalog server.

    When the catalog server is started in a stand-alone environment, you can point to this file using the -clusterSecurityFile parameter of the startXsServer or startOgServer command.

    To enable security, this file must have securityEnabled="true" in the security element. The security descriptor XML file must also contain a descriptor of the authenticator that you want to use. WebSphere® eXtreme Scale includes the LDAPAuthenticator, the KeyStoreLoginAuthenticator, and the WSTokenAuthenticator. You cannot use the WSTokenAuthenticator authenticator in stand-alone environments; it can only be used when eXtreme Scale clients and servers are both running with WebSphere Application Server. Alternatively, you can develop custom authenticators and login modules, according to the interfaces described in the API documentation.

  • Reference a JAAS configuration file in each catalog and container server using the -Djava.security.auth.login.config="path_name" JVM argument.
    For information about creating these files and configuring eXtreme Scale servers to use them, see the tutorial, Tutorial: Configuring Java SE security. The JAAS configuration file specifies a LoginModule. Use the KeyStoreLoginModule with the KeyStoreLoginAuthenticator, and the SimpleLDAPLoginModule with the LDAPAuthenticator. See Enabling LDAP authentication in eXtreme Scale catalog and container servers, or Enabling keystore authentication in eXtreme Scale container and catalog servers.
  • Configure the client to pass the credentials that are required for authentication.
    This is typically done by the client loading a client security configuration that is defined in a client security properties file. For more information about enabling LDAP authentication in eXtreme Scale clients, see Enabling LDAP authentication in eXtreme Scale catalog and container servers, and for more information about enabling keystore authentication in eXtreme Scale clients, see Enabling keystore authentication in eXtreme Scale container and catalog servers.
  • Optional: [Version 8.6.0.5 and later] Configure clients for NIST SP800-131a or FIPS.

    You can configure the data grid for FIPS or NIST SP800-131a compliance. The SP800-131a specification requires longer key lengths and stronger cryptography. NIST SP800-131a compliance has three modes: SP800-131a transition, SP800-131a strict, and off. Transition mode lets you move to strict enforcement of SP800-131a in stages; strict mode enforces the specification fully.

    • For a client to connect to data grids configured for FIPS, you must configure Java system properties for the client in the java.security file, and specify valid keystore and truststore values in the client.properties file. The Java system properties you need to configure depend on the Java version you are using.

      For Java 6 SR 10 and later, or Java 7, specify the -Dcom.ibm.jsse2.usefipsprovider=true argument when you start the client process. For earlier Java versions, use the com.ibm.jsse2.JSSEFIPS=true argument.

      Note: Use the IBMJSSE2 value when you have a Java runtime environment that is provided by IBM®. The values IBMJSSE and IBMJSSEFIPS are deprecated. Use a JRE from IBM to run an eXtreme Scale server when SSL security is used with the eXtremeIO (XIO) transport. If you use SSL security with the ORB transport and a JRE that is not provided by IBM, see the documentation from your JRE vendor for an appropriate context provider setting.

      For more information on the java.security file and valid keystore and truststore files see Configuring WebSphere eXtreme Scale to use FIPS 140-2.

    • For a client to connect to data grids that are configured for NIST SP800-131a, you must configure Java system properties for the client in the java.security file, and specify valid keystore and truststore values in the client.properties file. Specify the -Dcom.ibm.jsse2.sp800-131 Java system property when you start the client process. You can specify transition or strict mode; for example:
      • For SP800-131a transition mode, specify the -Dcom.ibm.jsse2.sp800-131=transition JVM argument when you start the client process.
      • For SP800-131a strict mode, specify the -Dcom.ibm.jsse2.sp800-131=strict JVM argument when you start the client process.
      For more information about the java.security file and valid keystore and truststore files see Configuring WebSphere eXtreme Scale to use NIST SP800-131a.
    Use the following example to configure the client Transport Layer Security settings for FIPS and SP800-131a in the client.properties file. Note that SP800-131a strict mode accepts only TLS 1.2, so set protocol=TLSv1.2 when the client runs in strict mode. The keystore and truststore passwords are stored in clear text in this file, so restrict read access to it.
    transportType=SSL-Required
    alias=serverprivate
    contextProvider=IBMJSSE2
    protocol=TLSv1
    keyStoreType=JKS
    keyStore=../security/server.private
    keyStorePassword=serverpw
    trustStoreType=JKS
    trustStore=../security/clientserver.public
    trustStorePassword=public
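The following script is an added example and is not part of the eXtreme Scale documentation or product. It lays out the three files that the procedure above refers to for a stand-alone grid that authenticates clients with the KeyStoreLoginAuthenticator (the security descriptor, the JAAS configuration, and the client security properties), and then checks a client.properties file against the SP800-131a mode that will be passed to the client JVM. The directory $XS_SEC, the file names, the JAAS alias KeyStoreLogin, and the keystore paths, aliases, and passwords are assumptions constructed for the example; the start commands at the end are shown as comments because they need an eXtreme Scale installation.

```shell
#!/bin/sh
# Added example (not from the eXtreme Scale documentation): writes the files the
# stand-alone authentication procedure needs and validates the client TLS settings
# for the chosen SP800-131a mode. Names, paths and passwords below are assumptions.
set -eu

XS_SEC="${XS_SEC:-$(mktemp -d)}"

# Step 1: security descriptor, passed to the catalog server with -clusterSecurityFile.
write_security_xml() {
  cat > "$XS_SEC/security.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
  </security>
</securityConfig>
EOF
}

# Step 2: JAAS login configuration, referenced by every catalog and container server
# with -Djava.security.auth.login.config. The alias KeyStoreLogin is assumed here.
write_jaas_config() {
  cat > "$XS_SEC/og_jaas.config" <<EOF
KeyStoreLogin {
    com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
        keyStoreFile="$XS_SEC/sampleKS.jks" debug=false;
};
EOF
}

# Step 3 plus the optional TLS step: client security properties. The first file keeps
# the page's example value protocol=TLSv1; the second uses TLSv1.2, the only protocol
# SP800-131a strict mode accepts.
write_client_properties() {
  common='securityEnabled=true
credentialAuthentication=Supported
credentialGeneratorClass=com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
credentialGeneratorProps=manager manager1
transportType=SSL-Required
alias=serverprivate
contextProvider=IBMJSSE2
keyStoreType=JKS
keyStore=../security/server.private
keyStorePassword=serverpw
trustStoreType=JKS
trustStore=../security/clientserver.public
trustStorePassword=public'
  printf '%s\nprotocol=TLSv1\n'   "$common" > "$XS_SEC/client.tlsv1.properties"
  printf '%s\nprotocol=TLSv1.2\n' "$common" > "$XS_SEC/client.properties"
  chmod 600 "$XS_SEC"/client*.properties   # the passwords are stored in clear text
}

# prop_value FILE KEY: first value of KEY in a simple key=value properties file.
prop_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# check_client_tls FILE MODE: returns 0 when FILE's TLS settings are usable for
# SP800-131a MODE (off, transition or strict); otherwise prints the problem, returns 1.
check_client_tls() {
  file=$1; mode=$2
  [ "$(prop_value "$file" transportType)" = "SSL-Required" ] \
    || { echo "$file: transportType must be SSL-Required"; return 1; }
  case "$(prop_value "$file" contextProvider)" in
    IBMJSSE|IBMJSSEFIPS) echo "$file: contextProvider IBMJSSE/IBMJSSEFIPS is deprecated; use IBMJSSE2"; return 1 ;;
  esac
  for k in keyStore keyStorePassword trustStore trustStorePassword; do
    [ -n "$(prop_value "$file" "$k")" ] || { echo "$file: $k is not set"; return 1; }
  done
  if [ "$mode" = strict ] && [ "$(prop_value "$file" protocol)" != "TLSv1.2" ]; then
    echo "$file: SP800-131a strict mode needs protocol=TLSv1.2, found $(prop_value "$file" protocol)"
    return 1
  fi
  return 0
}

write_security_xml
write_jaas_config
write_client_properties

for f in "$XS_SEC/client.tlsv1.properties" "$XS_SEC/client.properties"; do
  if check_client_tls "$f" strict; then echo "$f: ok for strict mode"; fi
done

# Start commands, shown only (they need an eXtreme Scale installation); the server
# JVMs and the client JVM must run in the same SP800-131a mode.
#   startXsServer.sh cs1 -clusterSecurityFile "$XS_SEC/security.xml" \
#     -jvmArgs -Djava.security.auth.login.config="$XS_SEC/og_jaas.config" -Dcom.ibm.jsse2.sp800-131=strict
#   java -Dcom.ibm.jsse2.sp800-131=strict -Dobjectgrid.client.props="$XS_SEC/client.properties" ... YourClient
```

Run the script once to generate the files into a scratch directory, or set XS_SEC to the directory your servers read from. The check deliberately stops at the first violation so that the printed line is the one setting to fix; for strict mode it will reject the page's protocol=TLSv1 value and accept the TLSv1.2 variant.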

What to do next

Authorizing access to the data grid in stand-alone environments