Java SE security tutorial - Step 4

Building on the previous step, the following topic shows how to implement client authentication in a distributed eXtreme Scale environment.

Before you begin

Be sure that you have completed Java SE security tutorial - Step 3. You need to have created and complied the SecureSimpleApp.java sample into a sec_sample.jar file, and created a configuration file called security.xml.

About this task

With client authentication enabled, a client is authenticated before connecting to the eXtreme Scale server. This section demonstrates how client authentication can be done in an eXtreme Scale server environment, using the sample SecureSimpleApp.java.

Client credential

The SecureSimpleApp.java sample uses the following two plug-in implementations to obtain client credentials:

com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator

For more information about these plug-ins, see Client authentication programming.

Server authenticator

The example uses an eXtreme Scale built-in implementation: KeyStoreLoginAuthenticator, which is for testing and sample purposes (a keystore is a simple user registry and should not be used for production). For more information, see the topic on authenticator plug-in under Client authentication programming.

Procedure

  1. In a command line window, go to the wxs_home directory.
  2. Change to the wxs_home/security directory you had created in Java SE security tutorial - Step 3.
  3. Create a JAAS configuration file that enforces a method of authentication to the server, og_jaas.config.
    The KeyStoreLoginAuthenticator referenced in the security.xml file uses a keystore by using the JAAS login module "KeyStoreLogin". The keystore can be configured as an option to the KeyStoreLoginModule class.
    og_jaas.config
KeyStoreLogin{
com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
     keyStoreFile="../security/sampleKS.jks" debug = true;
};
    [Windows]Important: If you are using Windows, the directory path does not support backslashes. If you have used backslashes, you must escape any backslash ( \ ) characters in the path. For example, if you want to use the path C:\opt\ibm, enter C:\\opt\\ibm in the properties file. Windows directories with spaces are not supported.
  4. Change to the java_home/bin directory and run the keytool.
  5. Change to the wxs_home /security directory, and create two users, "manager" and "cashier" with their own passwords.
    1. Use the keytool to create a user "manager" with password "manager1" in the keystore sampleKS.jks.
      • [Linux][Unix]
        keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
-alias manager -keypass manager1 \
-dname CN=manager,O=acme,OU=OGSample -validity 10000
      • [Windows]
        keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
-alias manager -keypass manager1 ^
-dname CN=manager,O=acme,OU=OGSample -validity 10000
    2. Use the keytool to create a user "cashier" with password "cashier1" in the keystore sampleKS.jks.
      • [Linux][Unix]
        keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
-alias cashier -keypass cashier1 \
-dname CN=cashier,O=acme,OU=OGSample -validity 10000
      • [Windows]
        keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
-alias cashier -keypass cashier1 ^
-dname CN=cashier,O=acme,OU=OGSample -validity 10000
  6. Make a copy of the sampleClient.properties file located in wxs_home/properties directory to wxs_home/security/client.properties
    • [Linux][Unix]
      cp ../properties/sampleClient.properties client.properties
    • [Windows]
      copy ..\properties\sampleClient.properties client.properties
  7. In the wxs_home/security directory, save it as client.properties
    Make the following changes to the client.properties file:
    1. securityEnabled: Set securityEnabled to true (default value) enables the client security, which includes authentication.
    2. credentialAuthentication: Set credentialAuthentication to Supported (default value), which means the client supports credential authentication.
    3. transportType: Set transportType to TCP/IP, which means no SSL will be used.
  8. Copy the sampleServer.properties file into the wxs_home/security directory and save it as server.properties.
    • [Linux][Unix]
      cp ../properties/sampleServer.properties server.properties
    • [Windows]
      copy ..\properties\sampleServer.properties server.properties
    Make the following changes in the server.properties file:
    1. securityEnabled: Set the securityEnabled attribute to true.
    2. transportType: Set transportType attribute to TCP/IP, which means no SSL is used.
    3. secureTokenManagerType: Set secureTokenManagerType attribute to none to not configure the secure token manager.
  9. Go to the wxs_home/bin directory and depending on your platform, issue one of the following commands to start a catalog server.
    You need to issue the-clusterSecurityFile and -serverProps command line options to pass in security properties:
    • [Linux][Unix] 
      ./startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml
-serverProps ../security/server.properties -jvmArgs
-Djava.security.auth.login.config="../security/og_jaas.config"
    • [Windows] 
      startOgServer.bat catalogServer -clusterSecurityFile ..\security\security.xml 
-serverProps ..\security\server.properties -jvmArgs 
-Djava.security.auth.login.config="..\security\og_jaas.config"
    • [Version 8.6 and later][Linux][Unix] 
      ./startXsServer.sh catalogServer -clusterSecurityFile ../security/security.xml
-serverProps ../security/server.properties -jvmArgs
-Djava.security.auth.login.config="../security/og_jaas.config"
    • [Version 8.6 and later][Windows] 
      startXsServer.bat catalogServer -clusterSecurityFile ..\security\security.xml 
-serverProps ..\security\server.properties -jvmArgs 
-Djava.security.auth.login.config="..\security\og_jaas.config"
  10. Start a container server named c0 with one of the following scripts. The server property file is passed by issuing -serverProps.
      • [Linux][Unix] 
        ./startOgServer.sh c0 -objectgridFile ../xml/SimpleApp.xml
-deploymentPolicyFile ../xml/SimpleDP.xml
-catalogServiceEndPoints localhost:2809
-serverProps ../security/server.properties
-jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
      • [Windows] 
        startOgServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml 
-deploymentPolicyFile ..\xml\SimpleDP.xml 
-catalogServiceEndPoints localhost:2809 
-serverProps ..\security\server.properties 
-jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
      • [Version 8.6 and later][Linux][Unix] 
        ./startXsServer.sh c0 -objectgridFile ../xml/SimpleApp.xml
-deploymentPolicyFile ../xml/SimpleDP.xml
-catalogServiceEndPoints localhost:2809
-serverProps ../security/server.properties
-jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
      • [Version 8.6 and later][Windows] 
        startXsServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml 
-deploymentPolicyFile ..\xml\SimpleDP.xml 
-catalogServiceEndPoints localhost:2809 
-serverProps ..\security\server.properties 
-jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
  11. After the catalog server and container server have been started, run the sec_sample.jar sample as follows:
    • [Linux][Unix]
      java -classpath ../lib/objectgrid.jar:../applib/sec_sample.jar
		com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp
		../security/client.properties manager manager1
    • [Windows]
      java -classpath ..\lib\objectgrid.jar;..\applib\sec_sample.jar
		com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp
		..\security\client.properties manager manager1

    [Linux]Use a colon (:) for the classpath separator instead of a semicolon (;) as in the previous example.

    After you issue the class, the following output results:

    The customer name for ID 0001 is fName lName.

  12. Verify the size of the "customer" map inserted into the "accounting" grid, by issuing the xscmd command utility as follows:
    • [Linux][Unix]./xscmd.sh -c showMapSizes -g accounting -m customer -username manager -password manager1
    • [Windows]xscmd.bat -c showMapSizes -g accounting -m customer -username manager -password manager1
  13. Optional: To stop the container or catalog servers, you can use the stopOgServer or stopXsServer command. However you need to provide a security configuration file. The sample client property file defines the following two properties to generate a userID/password credential (manager/manager1). 
    credentialGeneratorClass=com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator 
    credentialGeneratorProps=manager manager1

    Stop the container c0 with the following command.

    • [Linux][Unix]./stopOgServer.sh c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
    • [Windows]stopOgServer.bat c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
    • [Version 8.6 and later][Linux][Unix]./stopXsServer.sh c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
    • [Version 8.6 and later][Windows]stopXsServer.bat c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties

    If you do not provide the -clientSecurityFile option, you will see an exception with the following message.

    >> SERVER (id=39132c79, host=9.10.86.47) TRACE START:

    >> org.omg.CORBA.NO_PERMISSION: Server requires credential authentication but there is no security context from the client. This usually happens when the client does not pass a credential the server.

    vmcid: 0x0

    minor code: 0

    completed: No

    You can also shut down the catalog server using the following command. However, if you want to continue trying the next step tutorial, you can let the catalog server stay running.

    • [Linux][Unix]./stopOgServer.sh catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
    • [Windows]stopOgServer.bat catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
    • [Version 8.6 and later][Linux][Unix]./stopXsServer.sh catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
    • [Version 8.6 and later][Windows]stopXsServer.bat catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties

    If you do shutdown the catalog server, you will see the following output.

    CWOBJ2512I: ObjectGrid server catalogServer stopped

    Now, you have successfully made your system partially secure by enabling authentication. You configured the server to plug in the user registry, configured the client to provide client credentials, and changed the client property file and cluster XML file to enable authentication.

    If you provide an invalidate password, you see an exception stating that the user name or password is not correct.

    For more details about client authentication, see Authenticating application clients.

    Next step of tutorial