Unless clients are authenticated, access to grid data and the JMX management operations that control the grid is left unprotected. This is true even if SSL is enabled in Liberty.
About this task
The authentication behavior that is required by eXtreme Scale clients is determined by the credentialAuthentication=required setting in the server.properties file, the KeyStoreLogin setting in the og_jaas.config JAAS configuration file, and the KeyStoreLoginAuthenticator setting in the security.xml file. The server properties file is loaded by referring to it in the server.xml file, as described in Authenticating eXtreme Scale server connections in Liberty. For security, this file must have credentialAuthentication=Required, just as in stand-alone deployments.

Each of the configuration files is loaded by each catalog server. Container servers use the JAAS configuration file and the security deployment descriptor files only.

Use one of the following methods to authenticate clients.
Procedure
- Reference a security descriptor XML file in each catalog server.
  When the catalog server runs in Liberty, you can point to this file using the clusterSecurityURL= attribute in the server.xml file. See the following example, where objectGridSecurity.xml is the security descriptor XML file:

      <server description="new server">
          <!-- Enable features -->
          <featureManager>
              <feature>eXtremeScale.server-1.1</feature>
          </featureManager>
          <xsServer
              isCatalog="true"
              serverProps="server.xs.props"
              clusterSecurityURL="file://C:/wlp/usr/servers/objectGridSecurity.xml"
          />
      </server>

  To enable security, this file must have securityEnabled="true" in the security element. The security descriptor XML file must also contain a descriptor of the authenticator that you want to use. WebSphere® eXtreme Scale includes the LDAPAuthenticator, the KeyStoreLoginAuthenticator, and the WSTokenAuthenticator.
- Reference a JAAS configuration file in each catalog and container server using the -Djava.security.auth.login.config="path_name" JVM argument in the jvm.options file.
  Edit or create the jvm.options file in the wlp_installdir/usr/servers/<server_name> directory.
  Note: If you need to create a jvm.options file at the server configuration level, you need to copy the version in the wlp_install_root/etc/jvm.options file. The jvm.options file has some options that are needed for eXtreme Scale to run in Liberty.
  When you create a jvm.options file at the server level and enter the JVM argument to reference the JAAS configuration file, your jvm.options file looks like this:

      C:/wlp/usr/servers/simpCatalog>cat jvm.options
      -Dorg.osgi.framework.bootdelegation=com.ibm.wsspi.runtime
      -Djava.endorsed.dirs=C:/wlp/wxs/lib/endorsed
      -Djava.security.auth.login.config=C:/wlp/usr/servers/og_jaas.config

  Important: If you are using Windows, you must escape any backslash ( \ ) characters in the path. For example, if you want to use the path C:\opt\ibm, enter C:\\opt\\ibm in the properties file.
  For information about creating these files and configuring eXtreme Scale servers to use them, see the tutorial, Tutorial: Configuring Java SE security. The JAAS configuration file specifies a LoginModule. You can use the KeyStoreLoginModule with the KeyStoreLoginAuthenticator. Use the SimpleLDAPLoginModule with the LDAPAuthenticator. See Enabling LDAP authentication in eXtreme Scale catalog and container servers, or Enabling keystore authentication in eXtreme Scale container and catalog servers.
- Configure the client to pass the credentials that are required for authentication.
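The three settings this procedure depends on live in three different files, so it is worth checking a catalog server's copies together. The following audit is an added example, not IBM's code: the security-descriptor namespace and the KeyStoreLoginAuthenticator class name are assumed from the eXtreme Scale security schema, and the file contents are constructed samples standing in for the real files.

```python
"""Audit the Liberty-side eXtreme Scale client-authentication settings.
Added example, not IBM's code; inputs below are constructed stand-ins."""
import re
import xml.etree.ElementTree as ET

# Constructed server properties (the file named by serverProps= in server.xml).
SERVER_PROPS = "credentialAuthentication=Required\n"

# Constructed security descriptor. The namespace and authenticator class name
# are assumed from the eXtreme Scale security schema, not taken from this page.
SECURITY_XML = """<securityConfig xmlns="http://ibm.com/ws/objectgrid/config/security">
  <security securityEnabled="true">
    <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator"/>
  </security>
</securityConfig>"""

# Constructed jvm.options line that hands the JAAS configuration file to the JVM.
JVM_OPTIONS = "-Djava.security.auth.login.config=C:/wlp/usr/servers/og_jaas.config\n"

NS = {"s": "http://ibm.com/ws/objectgrid/config/security"}


def parse_props(text):
    """Minimal key=value parser for a Java properties file (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(props_text, security_xml, jvm_options):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    # 1. Clients must be required, not merely allowed, to authenticate.
    if parse_props(props_text).get("credentialAuthentication", "").lower() != "required":
        findings.append("credentialAuthentication is not Required: unauthenticated clients are accepted")
    # 2. The security descriptor must enable security and name an authenticator.
    sec = ET.fromstring(security_xml).find("s:security", NS)
    if sec is None or sec.get("securityEnabled", "false").lower() != "true":
        findings.append('security descriptor lacks securityEnabled="true"')
    elif sec.find("s:authenticator", NS) is None:
        findings.append("security descriptor names no authenticator")
    # 3. jvm.options must reference the JAAS configuration file.
    if not re.search(r"^-Djava\.security\.auth\.login\.config=\S+", jvm_options, re.M):
        findings.append("jvm.options does not reference a JAAS configuration file")
    return findings
```

Run audit() against the real server properties, objectGridSecurity.xml and jvm.options of each catalog server; any non-empty result means clients can still reach the grid without authenticating.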