Administration guide > Secure the deployment environment
Security descriptor XML file
Use a security descriptor XML file to configure an eXtreme Scale deployment topology with security enabled. Use the elements in this file to configure different aspects of security.
securityConfig element
The securityConfig element is the top-level element of the ObjectGrid security XML file. This element sets up the namespace of the file and the schema location.
The schema is defined in the objectGridSecurity.xsd file.
- Number of occurrences: One
- Child elements: security
security element
Use the security element to define an ObjectGrid security.
- Number of occurrences: One
- Child elements: authenticator, adminAuthorization, and systemCredentialGenerator
Attributes
- securityEnabled
- Enables security for the grid when set to true. The default value is false. If the value is set to false, grid-wide security is disabled. (Optional)
- singleSignOnEnabled
- Enables a client to connect to any server after it has authenticated with one of the servers when the value is set to true. Otherwise, a client must authenticate with each server before the client can connect. The default value is false. (Optional)
- loginSessionExpirationTime
- Amount of time in seconds before the login session expires. If the login session expires, the client must authenticate again. (Optional)
- adminAuthorizationEnabled
- Enables administrative authorization. If the value is set to true, all of the administrative tasks need authorization. The authorization mechanism that is used is specified by the value of the adminAuthorizationMechanism attribute. The default value is false. (Optional)
- adminAuthorizationMechanism
- Indicates which authorization mechanism to use. WebSphere eXtreme Scale supports two authorization mechanisms...
- JAAS
- custom authorization
The JAAS authorization mechanism uses the standard JAAS policy-based approach.
To specify JAAS as the authorization mechanism, set the value to AUTHORIZATION_MECHANISM_JAAS.
The custom authorization mechanism uses a user-plugged-in AdminAuthorization implementation.
To specify a custom authorization mechanism, set the value to AUTHORIZATION_MECHANISM_CUSTOM.
(Optional)
The following security.xml file is a sample configuration to enable the data grid security.
<?xml version="1.0" encoding="UTF-8"?> <securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security/objectGridSecurity.xsd" xmlns="http://ibm.com/ws/objectgrid/config/security"> <security securityEnabled="true" singleSignOnEnabled="true" loginSessionExpirationTime="20" adminAuthorizationEnabled="true" adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS" > <authenticator className="com.ibm.websphere.objectgrid.security.plugins. builtins.WSTokenAuthenticator"> </authenticator> <systemCredentialGenerator className="com.ibm.websphere.objectgrid.security. plugins.builtins.WSTokenCredentialGenerator"> <property name="properties" type="java.lang.String" value="runAs" description="Using runAs subject" /> </systemCredentialGenerator> </security> </securityConfig>
authenticator element
Authenticates clients to eXtreme Scale servers in the data grid. The class that is specified by the className attribute must implement the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.
The authenticator can use properties to call methods on the class that is specified by the className attribute. See property element for more information on using properties.
In the previous security.xml file example, the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class is specified as the authenticator. This class implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. Use this class to authenticate clients to the servers in the eXtreme Scale grid. (Required)
adminAuthorization element
U se the adminAuthorization element to set up administrative access to the data grid.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization interface. (Required)
systemCredentialGenerator element
Use a systemCredentialGenerator element to set up a system credential generator. This element only applies to a dynamic environment. In the dynamic configuration model, the dynamic container server connects to the catalog server as an eXtreme Scale client and the catalog server can connect to the eXtreme Scale container server as a client too. This system credential generator is used to represent a factory for the system credential.
- Number of occurrences: zero or one
- Child element: property
Attributes
- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator interface. (Required)
See the previous security.xml file for an example of how to use a systemCredentialGenerator class.
In this example, the system credential generator is a com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator class, which retrieves the RunAs Subject object from the thread.
property element
Calls set methods on the authenticator and adminAuthorization classes.
The name of the property corresponds to a set method on the className attribute of the authenticator or adminAuthorization element.
- Number of occurrences: zero or more
- Child element: property
Attributes
- name
- Name of the property. The value that is assigned to this attribute must correspond to a set method on the class that is provided as the className attribute on the containing bean. For example, if the className attribute of the bean is set to com.ibm.MyPlugin, and the name of the property that is provided is size, then the com.ibm.MyPlugin class must have a setSize method. (Required)
- type
- Type of the property. The type of the parameter is passed to the set method that is identified by the name attribute.
The valid values are the Java primitives, their java.lang counterparts, and java.lang.String. The name and type attributes must correspond to a method signature on the className attribute of the bean. For example, if the name is size and the type is int, then a setSize(int) method must exist on the class that is specified as the className attribute for the bean. (Required)
- value
- Value of the property. This value is converted to the type that is specified by the type attribute, and is then used as a parameter in the call to the set method that is identified by the name and type attributes. The value of this attribute is not validated in any way. The plug-in implementor must verify that the value passed in is valid. (Required)
- description
- Provides a description of the property. (Optional)
See objectGridSecurity.xsd file for more information.
Parent topic:
Secure the deployment environment
Related concepts
Security integration with WAS
Data grid authentication
Data grid security
Application client authentication
Application client authorization
Transport layer security and secure sockets layer
Java Management Extensions (JMX) security
Security integration with external providers
Related tasks
Enable local security
Start and stop secure servers
Secure the REST data service
Start secure servers in a stand-alone environment
Start a stand-alone catalog service
Start container processes
Start secure servers in WAS
Start and stop servers in a WAS environment
Troubleshoot security
Related reference
Related information
Tutorial: Integrate WebSphere eXtreme Scale security with WAS
Tutorial: Integrate WebSphere eXtreme Scale security in a mixed environment with an external authenticator
Java SE security tutorial
Lesson 2.2: Configure catalog server security
Lesson 2.3: Configure container server security