Java SE security tutorial - Step 4
Building on the previous step, the following topic shows how to implement client authentication in a distributed eXtreme Scale environment.
Before you begin
About this task
Client credential
The SecureSimpleApp.java sample uses the following two plug-in implementations to obtain client credentials:
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
For more information about these plug-ins, see Client authentication programming.
Server authenticator
The example uses an eXtreme Scale
built-in implementation: KeyStoreLoginAuthenticator
, which is for testing and
sample purposes (a keystore is a simple user registry and should not be used for production). For
more information, see the topic on authenticator plug-in under Client authentication programming.
Procedure
- In a command line window, go to the wxs_home directory.
- Change to the wxs_home/security directory you had created in Java SE security tutorial - Step 3.
-
Create a JAAS configuration file that enforces a method of authentication to the server,
og_jaas.config.
The
KeyStoreLoginAuthenticator
referenced in the security.xml file uses a keystore by using the JAAS login module "KeyStoreLogin". The keystore can be configured as an option to the KeyStoreLoginModule class.og_jaas.config KeyStoreLogin{ com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required keyStoreFile="../security/sampleKS.jks" debug = true; };
Important: If you are using Windows, the directory path does not support backslashes. If you have used backslashes, you must escape any backslash ( \ ) characters in the path. For example, if you want to use the path C:\opt\ibm, enter C:\\opt\\ibm in the properties file. Windows directories with spaces are not supported. - Change to the java_home/bin directory and run the keytool.
-
Change to the wxs_home
/security directory, and create two users, "manager" and "cashier" with their
own passwords.
- Use the keytool to create a user "manager" with password "manager1" in the keystore sampleKS.jks.
-
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \ -alias manager -keypass manager1 \ -dname CN=manager,O=acme,OU=OGSample -validity 10000
-
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^ -alias manager -keypass manager1 ^ -dname CN=manager,O=acme,OU=OGSample -validity 10000
-
- Use the keytool to create a user "cashier" with password "cashier1" in the keystore sampleKS.jks.
-
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \ -alias cashier -keypass cashier1 \ -dname CN=cashier,O=acme,OU=OGSample -validity 10000
-
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^ -alias cashier -keypass cashier1 ^ -dname CN=cashier,O=acme,OU=OGSample -validity 10000
-
- Use the keytool to create a user "manager" with password "manager1" in the keystore sampleKS.jks.
-
Make a copy of the sampleClient.properties file located in
wxs_home/properties directory to
wxs_home/security/client.properties
-
cp ../properties/sampleClient.properties client.properties
-
copy ..\properties\sampleClient.properties client.properties
-
-
In the wxs_home/security
directory, save it as client.properties
Make the following changes to the client.properties file:
- securityEnabled: Set securityEnabled to true (default value) enables the client security, which includes authentication.
- credentialAuthentication: Set credentialAuthentication to Supported (default value), which means the client supports credential authentication.
- transportType: Set transportType to TCP/IP, which means no SSL will be used.
-
Copy the sampleServer.properties file into the wxs_home/security directory and save it as
server.properties.
-
cp ../properties/sampleServer.properties server.properties
-
copy ..\properties\sampleServer.properties server.properties
Make the following changes in the server.properties file:- securityEnabled: Set the securityEnabled attribute to true.
- transportType: Set transportType attribute to TCP/IP, which means no SSL is used.
- secureTokenManagerType: Set secureTokenManagerType attribute to none to not configure the secure token manager.
-
-
Go to the wxs_home/bin
directory and depending on your platform, issue one of the following commands to start a catalog
server.
You need to issue the-clusterSecurityFile and -serverProps command line options to pass in security properties:
-
./startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.properties -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
-
startOgServer.bat catalogServer -clusterSecurityFile ..\security\security.xml -serverProps ..\security\server.properties -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
-
./startXsServer.sh catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.properties -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
-
startXsServer.bat catalogServer -clusterSecurityFile ..\security\security.xml -serverProps ..\security\server.properties -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
-
-
Start a container server named
c0
with one of the following scripts. The server property file is passed by issuing -serverProps.-
-
./startOgServer.sh c0 -objectgridFile ../xml/SimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndPoints localhost:2809 -serverProps ../security/server.properties -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
-
startOgServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml -deploymentPolicyFile ..\xml\SimpleDP.xml -catalogServiceEndPoints localhost:2809 -serverProps ..\security\server.properties -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
-
./startXsServer.sh c0 -objectgridFile ../xml/SimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndPoints localhost:2809 -serverProps ../security/server.properties -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
-
startXsServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml -deploymentPolicyFile ..\xml\SimpleDP.xml -catalogServiceEndPoints localhost:2809 -serverProps ..\security\server.properties -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
-
-
-
After the catalog server and container server have been started, run the
sec_sample.jar sample as follows:
-
java -classpath ../lib/objectgrid.jar:../applib/sec_sample.jar com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp ../security/client.properties manager manager1
-
java -classpath ..\lib\objectgrid.jar;..\applib\sec_sample.jar com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp ..\security\client.properties manager manager1
Use a colon (:) for the classpath separator instead of a semicolon (;) as in the previous example.
After you issue the class, the following output results:
The customer name for
ID 0001 is fName lName
. -
-
Verify the size of the "customer" map inserted into the "accounting" grid, by issuing the
xscmd command utility as follows:
./xscmd.sh -c showMapSizes -g accounting -m customer -username manager -password manager1
xscmd.bat -c showMapSizes -g accounting -m customer -username manager -password manager1
-
Optional: To stop the container or catalog servers, you can use the
stopOgServer or stopXsServer command. However you need to
provide a security configuration file. The sample client property file defines the following two
properties to generate a userID/password credential (manager/manager1).
credentialGeneratorClass=com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
credentialGeneratorProps=manager manager1
Stop the container
c0
with the following command../stopOgServer.sh c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
stopOgServer.bat c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
./stopXsServer.sh c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
stopXsServer.bat c0 -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
If you do not provide the -clientSecurityFile option, you will see an exception with the following message.
>> SERVER (id=39132c79, host=9.10.86.47) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: Server requires credential authentication but there is no security context from the client. This usually happens when the client does not pass a credential the server.
vmcid: 0x0
minor code: 0
completed: No
You can also shut down the catalog server using the following command. However, if you want to continue trying the next step tutorial, you can let the catalog server stay running.
./stopOgServer.sh catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
stopOgServer.bat catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
./stopXsServer.sh catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ../security/client.properties
stopXsServer.bat catalogServer -catalogServiceEndPoints localhost:2809 -clientSecurityFile ..\security\client.properties
If you do shutdown the catalog server, you will see the following output.
CWOBJ2512I: ObjectGrid server catalogServer stopped
Now, you have successfully made your system partially secure by enabling authentication. You configured the server to plug in the user registry, configured the client to provide client credentials, and changed the client property file and cluster XML file to enable authentication.
If you provide an invalidate password, you see an exception stating that the user name or password is not correct.
For more details about client authentication, see Authenticating application clients.