


Application client authentication

Application client authentication consists of enabling client-server security and credential authentication, and configuring an authenticator and a system credential generator.


Enable client-server security

You must enable security on both the client and server to successfully authenticate with the ObjectGrid.


Enable client security

WebSphere eXtreme Scale provides a client property sample file, sampleClient.properties, in the was_root/optionalLibraries/ObjectGrid/properties directory for a WebSphere Extended Deployment installation, or in the /ObjectGrid/properties directory in a mixed-server installation. You can modify this template file with the appropriate values. Set the securityEnabled property in the objectgridClient.properties file to true. The securityEnabled property indicates whether security is enabled. When a client connects to a server, the value on the client side and on the server side must both be true or both be false. For example, if security is enabled on the server being connected to, the property must be set to true on the client side for the client to connect to that server.

The com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration interface represents the security.ogclient.props file. Use the com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory public API to create an instance of this interface with default values, or create an instance by passing in the ObjectGrid client security property file. The security.ogclient.props file contains other properties as well. See the ClientSecurityConfiguration API documentation and the ClientSecurityConfigurationFactory API documentation for more details.


Enable server security

To enable security on the server side, set the securityEnabled property in the security.xml file to true. Use a security descriptor XML file to specify the data grid security configuration, which keeps the grid-wide security configuration separate from the non-security configuration.


Enable credential authentication

After the eXtreme Scale client obtains the Credential object from the CredentialGenerator object, the Credential object is sent along with the client request to the eXtreme Scale server. The server authenticates the Credential object before processing the request. If the Credential object is authenticated successfully, a Subject object is returned to represent it. This Subject object is then used to authorize the request.

Set the credentialAuthentication property on the client and server properties files to enable the credential authentication. For more information, see Client properties file and Server properties file.

The following table shows whether credential authentication is enabled, disabled, or in error for each combination of client and server settings.

Table 1. Credential authentication under client and server settings

Client credential authentication | Server credential authentication | Result
---------------------------------+----------------------------------+-----------
No                               | Never                            | Disabled
No                               | Supported                        | Disabled
No                               | Required                         | Error case
Supported                        | Never                            | Disabled
Supported                        | Supported                        | Enabled
Supported                        | Required                         | Enabled
Required                         | Never                            | Error case
Required                         | Supported                        | Enabled
Required                         | Required                         | Enabled


Configure an authenticator

The eXtreme Scale server uses the Authenticator plug-in to authenticate the Credential object. An implementation of the Authenticator interface receives the Credential object and authenticates it against a user registry, for example a Lightweight Directory Access Protocol (LDAP) server. eXtreme Scale does not provide a registry configuration; connecting to a user registry and authenticating against it must be implemented in this plug-in.

For example, one Authenticator implementation extracts the user ID and password from the credential, uses them to connect to and validate against an LDAP server, and creates a Subject object as the result of the authentication. The implementation can use Java™ Authentication and Authorization Service (JAAS) login modules to do this.
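The following class is an added example of such a plug-in; it is not part of the product documentation or the product's own code. It assumes, from memory rather than from this page, that the Authenticator interface declares Subject authenticate(String domainName, Credential credential), that InvalidCredentialException is an accepted exception type for it, and that the built-in UserPasswordCredential exposes getUserName() and getPassword(). The in-memory map of salted password digests is a constructed stand-in for the LDAP registry a real implementation would query.

```java
package example.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

import com.ibm.websphere.objectgrid.security.plugins.Authenticator;
import com.ibm.websphere.objectgrid.security.plugins.Credential;
import com.ibm.websphere.objectgrid.security.plugins.InvalidCredentialException;
import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential;

/**
 * Added example, not product code. Assumed API (not confirmed by this page):
 *   - Authenticator declares Subject authenticate(String domainName, Credential credential)
 *   - UserPasswordCredential exposes getUserName() and getPassword()
 * The REGISTRY map stands in for the LDAP lookup a real plug-in would perform.
 */
public class RegistryAuthenticator implements Authenticator {

    /** Principal placed in the returned Subject; authorization reads it later. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal(" + name + ")"; }
    }

    // Constructed sample registry: user name -> SHA-256 over salt and password.
    // Only a digest is kept, so the registry never holds a clear-text password.
    private static final String SALT = "example-salt";
    private static final Map<String, byte[]> REGISTRY = new HashMap<>();
    static {
        REGISTRY.put("manager", digest("manager1"));
    }

    @Override
    public Subject authenticate(String domainName, Credential credential)
            throws InvalidCredentialException {
        // domainName is the security domain the server passes in; unused here.
        // Only the built-in user/password credential is understood by this plug-in.
        if (!(credential instanceof UserPasswordCredential)) {
            throw new InvalidCredentialException("unsupported credential type");
        }
        UserPasswordCredential upc = (UserPasswordCredential) credential;
        String user = upc.getUserName();
        byte[] expected = REGISTRY.get(user);
        // Digest the presented password even for unknown users so both failure
        // paths do similar work and the error does not reveal which part was wrong.
        byte[] presented = digest(upc.getPassword());

        if (expected == null || !MessageDigest.isEqual(expected, presented)) {
            throw new InvalidCredentialException("authentication failed");
        }

        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.setReadOnly(); // later authorization cannot add principals
        return subject;
    }

    private static byte[] digest(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(SALT.getBytes(StandardCharsets.UTF_8));
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

To use a class like this, name it in the authenticator element of the security descriptor XML file (className="example.security.RegistryAuthenticator") in place of the built-in KeyStoreLoginAuthenticator, and make sure the class is on the server's class path. The Subject it returns is what the server hands to authorization, so the principals added here determine what the authorization plug-in can later decide on.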

You can configure the authenticator in the security descriptor XML file, as shown in the following example:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">

    <security securityEnabled="true"
        loginSessionExpirationTime="300">

        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
        </authenticator>

    </security>

</securityConfig>

Use the -clusterSecurityFile option when starting a secure server to specify the security XML file. See the Java SE security tutorial - Step 2 for samples of how to start a secure server.


Configure a system credential generator

The system credential generator is a factory for the system credential. A system credential is similar to an administrator credential. You can configure the systemCredentialGenerator element in the catalog security XML file, as shown in the following example:

<systemCredentialGenerator className="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator">
    <property name="properties" type="java.lang.String" value="manager manager1"
        description="username password" />
</systemCredentialGenerator>

For demonstration purposes, the user name and password are stored in clear text. Do not store the user name and password in clear text in a production environment.

WebSphere eXtreme Scale provides a default system credential generator that uses the server credentials. If you do not explicitly specify a system credential generator, this default is used.

