J2SE security tutorial step 4 - transport security
Added by Chris.D.Johnson, last edited by saif.patel@us.ibm.com on Feb 17, 2009

ObjectGrid supports Transport Layer Security/Secure Sockets Layer (TLS/SSL) for secure communication between ObjectGrid endpoints (clients, container servers, and catalog servers). This tutorial builds on the J2SE security tutorial step 3 - client authorization and enables transport security.

Create TLS/SSL keys and key stores

To enable transport security, you must create a key store and a trust store. This exercise creates only one key and trust-store pair, which is shared by ObjectGrid clients, container servers, and catalog servers; the stores are created with the JDK keytool. Sharing one private key across every endpoint is acceptable for a tutorial, but it means that any party that obtains key.jks can impersonate any endpoint. In a production deployment, give each endpoint its own key and certificate, and trust a CA certificate rather than individual self-signed certificates. Note also that passing -storepass and -keypass on the command line exposes the passwords in shell history and process listings; omit them and keytool prompts for them instead.

Create a private key in the key store

keytool -genkey -alias ogsample -keystore key.jks -storetype JKS -keyalg rsa -dname "CN=ogsample, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" -storepass ogpass -keypass ogpass -validity 3650

Using this command, a key store key.jks is created with a key "ogsample" stored in it. This key store key.jks will be used as the SSL key store.

Export the public certificate

keytool -export -alias ogsample -keystore key.jks -file temp.key -storepass ogpass

Using this command, the public certificate of key "ogsample" is extracted and stored in the file temp.key.

Import the public certificate into the trust store

keytool -import -noprompt -alias ogsamplepublic -keystore trust.jks -file temp.key -storepass ogpass

Using this command, the public certificate is added to the key store trust.jks, which is used as the SSL trust store. Any endpoint that uses trust.jks accepts the ogsample certificate when a peer presents it during the SSL handshake.

Configure ObjectGrid property files

In this step, you must configure the ObjectGrid property files to enable transport security.

First, copy the key.jks and trust.jks files into the objectgridRoot/security directory.

Set the following properties in both the security.ogclient.props and the server.props files.

transportType=SSL-Required

alias=ogsample
contextProvider=IBMJSSE2
protocol=SSL
keyStoreType=JKS
keyStore=../security/key.jks
keyStorePassword=ogpass
trustStoreType=JKS
trustStore=../security/trust.jks
trustStorePassword=ogpass
  • transportType: The value SSL-Required means that the transport requires SSL, so all ObjectGrid endpoints (clients, catalog servers, and container servers) must have an SSL configuration and all transport communication is encrypted. An endpoint that cannot complete the SSL handshake is not allowed to fall back to a plain socket.

The other properties are used to set the SSL configurations. See Client server SSL support for a detailed explanation.

In the server.props file, add the property clientAuthentication and set it to false. With clientAuthentication=false the server does not request a client certificate during the SSL handshake, so the server does not need to trust the client's certificate; the client is still authenticated by the credentials configured in the J2SE security tutorial step 2 - client authentication. Setting it to true requires every client to present a certificate that the server's trust store trusts, which ties the client's identity to the transport as well as to its credentials. Because the property files hold the key store and trust store passwords in clear text, restrict their file permissions to the user that runs the servers and clients.

clientAuthentication=false

Execute the application

The commands are the same as the commands on the J2SE security tutorial step 3 - client authorization topic. You can also download the updated application to get the updated files.

Run the following command to start a catalog server.

  1. cd objectgridRoot/bin
  2. Start the server.
    • startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
    • startOgServer.bat catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"

The security.xml and server.props files were created in the J2SE security tutorial step 2 - client authentication page.

Run a secured ObjectGrid container server:

  1. cd objectgridRoot/bin
  2. Start the container.
    • startOgServer.sh c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"
    • startOgServer.bat c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"

Notice the following differences from the previous container server start command:

  • Use SecureSimpleApp.xml instead of SimpleApp.xml
  • Add another -Djava.security.auth.policy to set the JAAS authorization policy file to the container server process.

Run the client application with the same command as in the J2SE security tutorial step 2 - client authentication:

  1. cd objectgridRoot/bin
  2. javaHome/java -classpath ../lib/objectgrid.jar;../applib/secsample.jar com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp ../security/security.ogclient.props manager manager1

The class path above uses the Windows separator (;); on UNIX and Linux, separate the two JAR files with a colon (:) instead.

Because user "manager" has permission to all the maps in the accounting ObjectGrid, the application runs successfully, and all traffic between the client, the container server, and the catalog server is now carried over SSL.

Execute the application with a wrong key store

If your trust store does not contain the public certificate that belongs to the private key in the key store, the SSL handshake fails and you get an exception reporting that the connection cannot be trusted.

In order to show this, create another key store key2.jks.

keytool -genkey -alias ogsample -keystore key2.jks -storetype JKS -keyalg rsa -dname "CN=ogsample, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" -storepass ogpass -keypass ogpass -validity 3650

Then modify server.props so that keyStore points to the new key store key2.jks:

keyStore=../security/key2.jks

Run the following command to start the container server c0 with the modified server.props:

  1. cd objectgridRoot/bin
  2. Start the container server:
    • startOgServer.sh c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"
    • startOgServer.bat c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"

You will see the following exception:

Caused by: com.ibm.websphere.objectgrid.ObjectGridRPCException:
    com.ibm.websphere.objectgrid.ObjectGridRuntimeException:
        SSL connection fails and plain socket cannot be used.

The endpoint configured with key2.jks presents an ogsample certificate that was never imported into trust.jks, so its peers reject the handshake. Because transportType is SSL-Required, the connection cannot fall back to a plain socket, and the start fails outright.

Finally, change server.props back to use key.jks.
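The key-store procedure earlier on this page and the key2.jks mismatch just shown can be exercised and checked from a shell before any server is started. The following script is an added example written for this page, not code shipped with eXtreme Scale or the tutorial. It assumes the JDK keytool is on the PATH, uses a shorter distinguished name and an explicit 2048-bit RSA key with a SHA-256 signature (the tutorial's command accepts the keytool defaults), and works in a temporary directory rather than objectgridRoot/security. The trust_matches function compares the certificate exported from the key store with the certificate held in the trust store, which is exactly the relationship that substituting key2.jks breaks.

```shell
#!/bin/sh
# Added example for this page (not eXtreme Scale code): create the key store
# and trust store with keytool, then verify that the trust store really holds
# the certificate belonging to the key store's private key.
# Assumptions: keytool is on PATH; the dname, key size and signature
# algorithm are this example's choices, not the tutorial's.
set -eu

# Generate a self-signed RSA key pair under ALIAS in the JKS key store STORE.
gen_keystore() {  # gen_keystore STORE ALIAS STOREPASS
  keytool -genkeypair -alias "$2" -keystore "$1" -storetype JKS \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
    -dname "CN=$2, O=Example, C=US" \
    -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Print the PEM certificate stored under ALIAS in STORE (works for both a
# private-key entry and a trusted-certificate entry); prints nothing if absent.
cert_pem() {  # cert_pem STORE ALIAS STOREPASS
  keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$3" 2>/dev/null \
    | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# Import the PEM certificate CERTFILE into TRUSTSTORE under ALIAS, creating
# the store if it does not exist yet.
import_cert() {  # import_cert TRUSTSTORE ALIAS STOREPASS CERTFILE
  keytool -importcert -noprompt -alias "$2" -keystore "$1" -storetype JKS \
    -file "$4" -storepass "$3" >/dev/null 2>&1
}

# Print "trusted" when TRUSTSTORE holds the certificate that belongs to the
# private key in KEYSTORE, "untrusted" otherwise. Run this before starting
# servers: an "untrusted" result is the key2.jks mistake described above.
trust_matches() {  # trust_matches KEYSTORE KALIAS TRUSTSTORE TALIAS STOREPASS
  ks=$(cert_pem "$1" "$2" "$5")
  ts=$(cert_pem "$3" "$4" "$5")
  if [ -n "$ks" ] && [ "$ks" = "$ts" ]; then echo trusted; else echo untrusted; fi
}

# Walk through the tutorial's steps in a scratch directory: the matching pair
# reports "trusted", the unrelated key2.jks reports "untrusted".
demo() {
  dir=$(mktemp -d)
  gen_keystore "$dir/key.jks" ogsample ogpass
  cert_pem "$dir/key.jks" ogsample ogpass > "$dir/temp.key"
  import_cert "$dir/trust.jks" ogsamplepublic ogpass "$dir/temp.key"
  gen_keystore "$dir/key2.jks" ogsample ogpass
  echo "key.jks  vs trust.jks: $(trust_matches "$dir/key.jks" ogsample "$dir/trust.jks" ogsamplepublic ogpass)"
  echo "key2.jks vs trust.jks: $(trust_matches "$dir/key2.jks" ogsample "$dir/trust.jks" ogsamplepublic ogpass)"
  rm -rf "$dir"
}

if command -v keytool >/dev/null 2>&1; then demo; else echo "keytool not found on PATH" >&2; fi
```

To apply the check to the tutorial's own files, run trust_matches against objectgridRoot/security/key.jks and trust.jks with the aliases ogsample and ogsamplepublic; the comparison is on the exported certificate bytes, so it does not depend on the fingerprint format of a particular keytool version.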

This updated sample contains all three main aspects of ObjectGrid security:

  1. Client authentication
  2. Client authorization
  3. Transport security

© Copyright IBM Corporation 2007,2009. All Rights Reserved.


 