Lesson 2.2: Configure catalog server security

A catalog server uses two levels of security configuration: the security properties that are common to all the WebSphere® eXtreme Scale servers, including the catalog service and container servers, and the security properties that are specific to the catalog server.

About this task

The security properties that are common to the catalog servers and container servers are configured in the security XML descriptor file. An example of common properties is the authenticator configuration, which represents the user registry and authentication mechanism. See Security descriptor XML file for more information about the security properties.

To configure the security XML descriptor file, add a -Dobjectgrid.cluster.security.xml.url property to the Java™ virtual machine (JVM) arguments. The file name specified for this property is in URL format, such as file:///samples_home/security/securityWAS2.xml.


securityWAS2.xml file

In this tutorial, the securityWAS2.xml file is in the samples_home/security directory. The content of the securityWAS2.xml file with the comments removed follows:
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">

    <security securityEnabled="true">
        <authenticator
            className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator">
        </authenticator>
    </security>
</securityConfig>
The following properties are defined in the securityWAS2.xml file:
securityEnabled
The securityEnabled property is set to true, which indicates to the catalog server that the WebSphere eXtreme Scale global security is enabled.
authenticator
The authenticator is configured as the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class. With this built-in implementation of the Authenticator plug-in, the WebSphere eXtreme Scale server can convert the security tokens to a Subject object. See Security integration with WebSphere Application Server for more information about how the security tokens are converted.

catServer2.props file

The server properties file stores the server-specific properties, which include the server-specific security properties. See Server properties file for more information. You configure the server properties file with the -Dobjectgrid.server.props property in the JVM arguments. The file name that you specify for this property is an absolute path, such as samples_home/security/catServer2.props. For this tutorial, a catServer2.props file is included in the samples_home/security directory. The following properties are set in the catServer2.props file (comments removed):
securityEnabled
The securityEnabled property is set to true to indicate that this catalog server is a secure server.
credentialAuthentication
The credentialAuthentication property is set to Required, so any client that is connecting to the server is required to provide a credential.
secureTokenManagerType
The secureTokenManagerType property is set to none, which indicates that the authentication secret is not encrypted when this server joins the existing servers.
authenticationSecret
The authenticationSecret property is set to ObjectGridDefaultSecret. This secret string is used to join the eXtreme Scale server cluster. When a server joins the data grid, it is challenged to present the secret string. If the secret string of the joining server matches the string in the catalog server, the joining server is accepted. If the string does not match, the join request is rejected.
transportType
The transportType property is set to TCP/IP initially. Later in the tutorial, transport security is enabled.
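As an added check that is not part of the tutorial or the product, the following Python reads the two files this lesson configures and flags the settings that the lesson leaves in their weaker form (unencrypted join secret, the tutorial's authenticationSecret value, plain TCP/IP transport). Both file contents are constructed samples built from the values described above.

```python
import xml.etree.ElementTree as ET

NS = "{http://ibm.com/ws/objectgrid/config/security}"

# Constructed sample of catServer2.props using the values this lesson describes.
CAT_SERVER_PROPS = """\
securityEnabled=true
credentialAuthentication=Required
secureTokenManagerType=none
authenticationSecret=ObjectGridDefaultSecret
transportType=TCP/IP
"""

# Constructed copy of the securityWAS2.xml shown above, comments removed.
SECURITY_XML = """<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator"/>
  </security>
</securityConfig>"""


def parse_props(text):
    """Parse Java-style key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(props_text, xml_text):
    """Return hardening findings; an empty list means no weak setting was found."""
    props = parse_props(props_text)
    security = ET.fromstring(xml_text).find(NS + "security")
    findings = []
    if security is None or security.get("securityEnabled") != "true":
        findings.append("descriptor: securityEnabled is not true")
    elif security.find(NS + "authenticator") is None:
        findings.append("descriptor: no authenticator plug-in configured")
    if props.get("securityEnabled") != "true":
        findings.append("props: securityEnabled is not true")
    if props.get("credentialAuthentication") != "Required":
        findings.append("props: credentialAuthentication is not Required")
    if props.get("secureTokenManagerType") == "none":
        findings.append("props: secureTokenManagerType=none, join secret is not encrypted")
    if props.get("authenticationSecret") in (None, "", "ObjectGridDefaultSecret"):
        findings.append("props: authenticationSecret is missing or still the tutorial value")
    if props.get("transportType") == "TCP/IP":
        findings.append("props: transportType=TCP/IP, transport security not enabled")
    return findings
```

Run `audit(CAT_SERVER_PROPS, SECURITY_XML)` against the tutorial values and it reports three findings; the transportType finding is expected to clear once the later transport-security lesson is applied.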

Setting the server properties file with JVM properties

Set the server properties file on the deployment manager server. If you are using a different topology than the topology for this tutorial, set the server properties file on all of the application servers that you are using to host catalog servers.

Procedure

  1. Open the Java virtual machine configuration for the server.
    In the administrative console, click System administration > Deployment manager > Java and Process Management > Process definition > Java Virtual Machine.
  2. Add the following generic JVM arguments:
    -Dobjectgrid.cluster.security.xml.url=file:///samples_home/security/securityWAS2.xml 
    -Dobjectgrid.server.props=samples_home/security/catServer2.props
  3. Click OK and save your changes.

Lesson checkpoint

You configured catalog server security by associating the securityWAS2.xml and catServer2.props files with the deployment manager, which hosts the catalog server process in the WebSphere Application Server configuration.