The ObjectGrid management gateway serves as a point for delegating client administration requests to the ObjectGrid servers in a static deployment topology. This topic describes how to secure access to the management gateway.
In the following diagram, the ObjectGrid client sends a request to the gateway to obtain the statistics from a cluster. The gateway sends this request to both servers to get the statistics and then combines the statistics. The combined statistics are sent back to the client.
Figure 1. Gateway security
The gateway and server communication uses the ObjectGrid client-server communication mechanism. The gateway is treated as an ObjectGrid client. The client and gateway communication can be secured by SSL. This capability is provided by the JMX connector layer, which is the open source project MX4J. ObjectGrid requires MX4J to make the gateway work.
For the authentication, the gateway propagates the credential, for example, a user ID and password that is presented by the client to the server. Both authentication and authorization are enforced on ObjectGrid servers.
Client certificate authentication for the gateway client is not supported.
Gateway server security
A gateway server is an ObjectGrid client. All the security aspects are the same as for an ObjectGrid client. Refer to Start the management gateway server for more details on how to start a gateway server from a command line.
The following code snippet demonstrates how to start the secure gateway programmatically:
// Load the client security settings; the gateway is itself an ObjectGrid client.
ClientSecurityConfiguration csConfig = ClientSecurityConfigurationFactory
    .getClientSecurityConfiguration("etc/test/security/security.client.props");
// "xxxxxx" is a placeholder password.
CredentialGenerator credGen = new UserPasswordCredentialGenerator("admin",
    "xxxxxx");
csConfig.setCredentialGenerator(credGen);

// namingPort is defined elsewhere; the gateway client uses the same port in its JMX URL.
ManagementGateway gateway = ManagementGatewayFactory.getManagementGateway();
gateway.setConnectorPort(namingPort);
gateway.setClusterName("cluster1");
gateway.setHost("localhost");
gateway.setPort("12503");
gateway.setTraceEnabled(true);
gateway.setTraceSpec("ObjectGrid=all=enabled");
gateway.setTraceFile("logs/GatewayTrace.log");
// Attach the security configuration before starting the connector.
gateway.setCsConfig(csConfig);
gateway.startConnector();
In this code, a ClientSecurityConfiguration object is created and set on the ManagementGateway instance.
Gateway client security
The gateway client needs to pass a credential to the gateway server at connect time. The following code snippet demonstrates how to pass a credential:
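// JDK imports used by this method; UserPasswordCredential is an ObjectGrid class.
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Retrieve the server status from the gateway.
 */
public boolean retrieveServerStatus()
        throws Exception {
    String serverProtocol = "rmi";
    String serverHost = "host";
    String namingHost = "localhost";
    String jndiPath = "/jmxconnector";
    // namingPort is defined elsewhere and must match the gateway connector port.
    JMXServiceURL url = new JMXServiceURL("service:jmx:" + serverProtocol + "://"
            + serverHost + "/jndi/rmi://" + namingHost + ":" + namingPort + jndiPath);
    JMXConnector cntor = JMXConnectorFactory.newJMXConnector(url, null);

    // The credential is handed to the gateway in the connection environment.
    Map<String, Object> environment = new HashMap<String, Object>();
    UserPasswordCredential gatewayClientCred =
            new UserPasswordCredential("admin", "admin1");
    environment.put(JMXConnector.CREDENTIALS, gatewayClientCred);
    try {
        cntor.connect(environment);
    }
    catch (SecurityException x) {
        // The connection was refused for security reasons.
        throw x;
    }

    MBeanServerConnection mbsc = cntor.getMBeanServerConnection();
    Iterator it = mbsc.queryMBeans(
            new ObjectName("ManagementServer:type=ObjectGrid,S=server1"),
            null).iterator();
    ObjectInstance oi = (ObjectInstance) it.next();
    ObjectName server1MBean = oi.getObjectName();
    boolean status = ((Boolean) mbsc.invoke(
            server1MBean,
            "retrieveServerStatus",
            new Object[] {},
            new String[] {})).booleanValue();
    return status;
}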
In this code snippet, a gatewayClientCred object is created and put in the environment. This environment is then used to connect to the gateway server.
If you want to use SSL to connect from the gateway client to the gateway server, you have to use system properties to store the truststore and the truststore password. For example, you can pass in the following properties when you start a gateway client:
- -Djavax.net.ssl.trustStore=etc/test/security/client.public
- -Djavax.net.ssl.trustStorePassword=public
See MX4J - Open Source Java Management Extensions for more information.
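The following added example, which is not part of the product documentation, is a preflight check that a gateway client can run before connecting over SSL: it loads the truststore named by the system properties shown above and reports which certificates are currently valid. The class and method names are hypothetical, and only JDK classes are used.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example (hypothetical class name): validates the truststore named by
// the javax.net.ssl.* system properties before the gateway client connects.
public class GatewayTrustStoreCheck {

    // Returns the number of currently valid certificates; throws if the store is unusable.
    public static int countUsableCerts() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.trustStore is not set");
        }
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A missing file or a wrong password surfaces here as an IOException.
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        int usable = 0;
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            // For a key entry this is the first certificate of its chain.
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean valid = !now.before(x.getNotBefore()) && !now.after(x.getNotAfter());
            System.out.println(alias + " | " + x.getSubjectX500Principal().getName()
                    + " | notAfter=" + x.getNotAfter() + (valid ? "" : " | NOT VALID NOW"));
            if (valid) usable++;
        }
        if (usable == 0) {
            throw new IllegalStateException("no currently valid certificate in " + path);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(countUsableCerts() + " certificate(s) usable");
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values that the gateway client is started with.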
© Copyright IBM Corporation 2007,2009. All Rights Reserved.