See the WebSphere eXtreme Scale Wiki for links to eXtreme Scale Version 7.0 documentation.
ObjectGrid supports both TCP/IP and Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between client and server in both the static and dynamic deployment models. See ObjectGrid architecture for an overview of the different ObjectGrid deployment topologies that are available.
Overview
In the dynamic deployment topology, full TLS/SSL support requires ObjectGrid version 6.1.0.5 or later (see Configuring orb.properties for transport security support for the version details).
TLS/SSL provides secure communication between the client and server. The communication mechanism that is used depends on the value of the transportType parameter in the client and server configuration files.
For the static deployment model, you set the transportType property in the client and server security configuration files.
For the dynamic deployment model, you also set the transportType property in the client and server security configuration files.
Table 1. Resulting transport protocol for each combination of the client and server transportType settings

| Client transportType | Server transportType | Resulting protocol |
|----------------------|----------------------|--------------------|
| TCP/IP | TCP/IP | TCP/IP |
| TCP/IP | SSL-Supported | TCP/IP |
| TCP/IP | SSL-Required | Error |
| SSL-Supported | TCP/IP | TCP/IP |
| SSL-Supported | SSL-Supported | SSL (if SSL fails, then TCP/IP) |
| SSL-Supported | SSL-Required | SSL |
| SSL-Required | TCP/IP | Error |
| SSL-Required | SSL-Supported | SSL |
| SSL-Required | SSL-Required | SSL |
When SSL is used, the SSL configuration must be provided on both the client and the server side. Note that only SSL-Required guarantees an encrypted connection: with SSL-Supported on both sides a failed SSL handshake falls back to cleartext TCP/IP, and an SSL-Supported peer accepts a TCP/IP peer as-is. To enforce encryption for a grid, set SSL-Required on the server, and on every client you control.
Configuring SSL parameters for ObjectGrid clients
SSL parameters for clients can be configured in the following ways:
- Create a com.ibm.websphere.objectgrid.security.config.SSLConfiguration object by using the factory class com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory. For more details, refer to the ClientSecurityConfigurationFactory API documentation.
- Configure the parameters in the security.ogclient.props file, and then use the ClientSecurityConfigurationFactory.getClientSecurityConfiguration(String) method to populate the object instance.
The following properties are for SSL configurations in the security.ogclient.props file:
- provider: Specifies the SSL Java Secure Socket Extension (JSSE) provider, for example IBMJSSE, IBMJSSE2, or SunJSSE. Set this value based on the Software Development Kit (SDK) that you use.
- protocol: Specifies the SSL protocol, for example SSL, SSLv2, SSLv3, TLS, or TLSv1. Set this value based on which JSSE provider you use. SSLv2 and SSLv3 are obsolete and have known weaknesses; use a TLS value that your provider supports.
- alias: The alias of the key pair in the key store. No default value exists. Use this property when the key store holds several key pair certificates and you want to select one of them.
- keyStoreType: Specifies the key store type, for example JKS, JCEKS, or PKCS12. Set this value based on which JSSE provider you use.
- keyStore: Specifies the path of the key store file that holds the client public certificates and private keys, for example [OBJECTGRID_HOME]/properties/DummyClientKeyFile.jks. Hardware key stores are not supported.
- keyStorePassword: Specifies the password that protects the key store. ObjectGrid stores the password XOR-encoded; use the PropFilePasswordEncoder tool to encode the property file. Example of an encoded password: {x0r}CDo9Hgw. This encoding is reversible obfuscation, not encryption: anyone who can read the file can recover the password, so restrict the file permissions on the properties file.
- trustStoreType: Specifies the trust store type, for example JKS, JCEKS, or PKCS12. Set this value based on which JSSE provider you use.
- trustStore: Specifies the path of the trust store file that holds the server public certificates, for example [OBJECTGRID_HOME]/properties/DummyClientTrustFile.jks.
- trustStorePassword: Specifies the password that protects the trust store. It is XOR-encoded in the same way as keyStorePassword; use the PropFilePasswordEncoder tool to encode the property file. Example of an encoded password: {x0r}CDo9Hgw.
- certReqSubjectDN: A string that must appear in the subject distinguished name (DN) of the server certificate. The client is allowed to connect only if the server certificate DN contains this string. If the value is null, the client does not require a particular subject DN in the server certificate, so any certificate that passes trust store validation is accepted.
For example, if the certificate subject DN is "CN=Server1, OU=Your Organizational Unit, O=Your Organization, S=Your State,C=Your Country", then "CN=server1", "O=Your Organization", and "OU=Your Organizational Unit, O=Your Organization, S=Your State,C=Your Country" each result in a match, but "CN=server2" and "OU=Your Organizational Unit, L=something, O=Your Organization, S=Your State,C=Your Country" do not. Wild card matching is not supported. Because the check is a substring match, a short value such as "CN=server1" also matches any DN that contains that text (for example CN=server10); pin the full DN of the expected server where you can.
Configuring SSL parameters for ObjectGrid servers
SSL parameters for servers are configured in a security.ogserver.props file. This property file can be passed as a parameter when starting an ObjectGrid server.
The server side SSL configuration has one additional property:
- clientAuthentication: true or false. If the property is set to true, the SSL client must authenticate itself to the server with a certificate during the handshake. Authenticating the SSL client in this way is different from client certificate authentication, which means authenticating a client against a user registry based on its certificate chain. This property ensures that the server only accepts connections from clients that hold a trusted certificate.
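The following is an added example, not IBM's code and not part of the original page, that applies the rules from Table 1 and from the client and server property descriptions above to a security.ogclient.props and security.ogserver.props pair: it resolves the transport outcome, flags a cleartext or fallback result, checks that the SSL properties are present, flags obsolete protocol values and clear-text passwords, decodes the {x0r}-encoded passwords to show that the encoding is reversible, and models the certReqSubjectDN substring check. Assumptions: the decoder follows WebSphere's {xor} scheme (each byte XOR 0x5F, then base64; both the {xor} and the {x0r} spelling of the prefix are accepted), the DN comparison is case-insensitive as suggested by the "CN=server1" example, and the sample property files and paths are constructed for the demo.

```python
"""Added example, not ObjectGrid code: lint a security.ogclient.props and
security.ogserver.props pair against the rules on this page (assumptions marked)."""
import base64
import re

# Table 1 on this page: (client transportType, server transportType) -> outcome.
TABLE_1 = {
    ("TCP/IP", "TCP/IP"): "TCP/IP",
    ("TCP/IP", "SSL-Supported"): "TCP/IP",
    ("TCP/IP", "SSL-Required"): "Error",
    ("SSL-Supported", "TCP/IP"): "TCP/IP",
    ("SSL-Supported", "SSL-Supported"): "SSL (if SSL fails, then TCP/IP)",
    ("SSL-Supported", "SSL-Required"): "SSL",
    ("SSL-Required", "TCP/IP"): "Error",
    ("SSL-Required", "SSL-Supported"): "SSL",
    ("SSL-Required", "SSL-Required"): "SSL",
}
OBSOLETE_PROTOCOLS = {"SSL", "SSLV2", "SSLV3"}   # prohibited by RFC 6176 / RFC 7568

def parse_props(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def decode_password(value):
    """Reverse the {xor} property encoding; clear-text values come back unchanged.
    Assumption: WebSphere's scheme, each byte XOR 0x5F then base64; the page prints
    the prefix as {x0r}, so both spellings are accepted.  Anyone who can read the
    file can run this, which is why the encoding is obfuscation, not encryption."""
    m = re.match(r"^\{x[o0]r\}(.*)$", value)
    if not m:
        return value
    b64 = m.group(1) + "=" * (-len(m.group(1)) % 4)   # tolerate missing padding
    return bytes(b ^ 0x5F for b in base64.b64decode(b64)).decode("utf-8")

def resolve_transport(client_tt, server_tt):
    """Outcome of Table 1; raises for the two combinations that cannot connect."""
    outcome = TABLE_1[(client_tt, server_tt)]
    if outcome == "Error":
        raise ValueError(f"client {client_tt} cannot connect to server {server_tt}")
    return outcome

def subject_dn_matches(required, server_dn):
    """Model of certReqSubjectDN: the required string must occur verbatim in the
    server subject DN, no wildcards.  Assumption: case-insensitive comparison,
    inferred from the page's 'CN=server1' matching 'CN=Server1'."""
    if not required:
        return True                       # page: null means no DN is required
    return required.lower() in server_dn.lower()

def lint(client_text, server_text, server_dn=""):
    """Return findings for a client/server property pair and the server cert DN."""
    c, s = parse_props(client_text), parse_props(server_text)
    c_tt, s_tt = c.get("transportType", "TCP/IP"), s.get("transportType", "TCP/IP")
    findings = []
    outcome = resolve_transport(c_tt, s_tt)
    if outcome == "TCP/IP":
        findings.append("transport: grid traffic is cleartext TCP/IP")
    elif "TCP/IP" in outcome:
        findings.append("transport: SSL-Supported on both sides allows a cleartext "
                        "fallback; set transportType=SSL-Required on the server")
    for side, p in (("client", c), ("server", s)):
        if p.get("transportType", "TCP/IP") == "TCP/IP":
            continue                      # SSL settings are not used on this side
        for key in ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword"):
            if key not in p:
                findings.append(f"{side}: {key} missing but transportType uses SSL")
            elif key.endswith("Password") and decode_password(p[key]) == p[key]:
                findings.append(f"{side}: {key} is stored in clear text, not {{xor}} encoded")
        if p.get("protocol", "").upper() in OBSOLETE_PROTOCOLS:
            findings.append(f"{side}: protocol={p['protocol']} is obsolete; use a TLS value")
    if s_tt != "TCP/IP" and s.get("clientAuthentication", "false").lower() != "true":
        findings.append("server: clientAuthentication is not true; clients need no certificate")
    required = c.get("certReqSubjectDN", "")
    if not required:
        findings.append("client: certReqSubjectDN unset; any server cert in the trust store is accepted")
    elif not subject_dn_matches(required, server_dn):
        findings.append(f"client: certReqSubjectDN '{required}' does not match '{server_dn}'")
    return findings

# Constructed sample files for the demo (not taken from any real deployment).
CLIENT_PROPS = """\
transportType=SSL-Supported
protocol=SSLv3
keyStore=/opt/ObjectGrid/properties/DummyClientKeyFile.jks
keyStorePassword={x0r}CDo9Hgw
trustStore=/opt/ObjectGrid/properties/DummyClientTrustFile.jks
trustStorePassword={x0r}CDo9Hgw
"""
SERVER_PROPS = """\
transportType=SSL-Supported
clientAuthentication=false
keyStore=/opt/ObjectGrid/properties/ServerKeyFile.jks
keyStorePassword={x0r}CDo9Hgw
trustStore=/opt/ObjectGrid/properties/ServerTrustFile.jks
trustStorePassword=WebAS
"""

if __name__ == "__main__":
    for finding in lint(CLIENT_PROPS, SERVER_PROPS, "CN=Server1, O=Your Organization"):
        print("-", finding)
```

Run as a script, it prints five findings for the constructed pair: the cleartext fallback, the SSLv3 protocol on the client, the clear-text trust store password on the server, clientAuthentication left at false, and the missing certReqSubjectDN. Decoding the page's own sample value {x0r}CDo9Hgw with decode_password yields the string WebAS, which is the practical point of the decoder: the encoding protects nothing against someone who can read the properties file, so the file permissions are the real control.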
Configuring orb.properties for transport security support
ObjectGrid Version 6.1.0.1 and later supports TLS/SSL in the dynamic deployment topology when the transportType property is set to "SSL-Supported".
Starting from ObjectGrid Version 6.1.0.5, "SSL-Required" is also supported in the dynamic deployment model.
To support secure transport in a Java SE environment for the dynamic deployment topology, modify orb.properties to include the following properties:
# IBM JDK properties
org.omg.CORBA.ORBClass=com.ibm.CORBA.iiop.ORB
org.omg.CORBA.ORBSingletonClass=com.ibm.rmi.corba.ORBSingleton
javax.rmi.CORBA.StubClass=com.ibm.rmi.javax.rmi.CORBA.StubDelegateImpl
javax.rmi.CORBA.PortableRemoteObjectClass=com.ibm.rmi.javax.rmi.PortableRemoteObject
javax.rmi.CORBA.UtilClass=com.ibm.ws.orb.WSUtilDelegateImpl
# WS Plugins
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.transport.WSTransport
com.ibm.CORBA.ORBPluginClass.com.ibm.ws.orbimpl.WSORBPropertyManager
com.ibm.CORBA.ORBPluginClass.com.ibm.ISecurityUtilityImpl.SecurityPropertyManager
# WS Interceptors
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ws.objectgrid.corba.ObjectGridInitializer
org.omg.PortableInterceptor.ORBInitializerClass.com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityComponentFactory
# WS ORB & Plugins properties
com.ibm.ws.orb.transport.ConnectionInterceptorName=com.ibm.ISecurityLocalObjectBaseL13Impl.SecurityConnectionInterceptor
com.ibm.ws.orb.transport.WSSSLClientSocketFactoryName=com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl
com.ibm.CORBA.TransportMode=Pluggable
com.ibm.CORBA.ServerName=ogserver
Transport Security Support in WebSphere Application Server
When an ObjectGrid client, container server, or catalog server runs in a WebSphere Application Server process, ObjectGrid transport security is managed by the Application Server CSIv2 transport settings. Do not use the ObjectGrid client or server properties to configure the SSL settings in that case; configure all SSL settings in the WebSphere Application Server configuration.
For more details on the WebSphere Application Server transport settings, refer to Configuring inbound transports in WebSphere Application Server.
Additional information
© Copyright IBM Corporation 2007,2009. All Rights Reserved.