WebSphere Extended Deployment Compute Grid, Version 6.1
             Operating Systems: AIX, HP-UX, Linux, Solaris, Windows, z/OS


Securing the external scheduler integration interface

Securing the external scheduler integration interface requires securing the JobSchedulerMDI system application and the JMS resources it uses.

About this task

The following diagram shows the actions required and the environmental artifacts to which they apply:


Securing the job scheduler message-driven interface

The following steps show you how to secure the external scheduler integration interface:

Procedure

  1. Enable bus security. Enable security for the JobSchedulerBus in the WebSphere administrative console:
    1. Click Security > Bus security > bus_name.
    2. Check the Enable bus security check box.
    3. Click OK, then Save your configuration.
  2. Define a JAAS alias. The JobSchedulerMDI application’s JMS activationSpec requires a JAAS alias. Give the JAAS alias a name of your choice. The user ID and password defined to this alias represent the job scheduler’s access to its inbound JMS queue, com.ibm.ws.grid.InputQueue. The JAAS alias is also used programmatically by the JobSchedulerMDI application for authenticating to the outbound queue that the job scheduler uses to communicate with its clients. The outbound queue is com.ibm.ws.grid.OutputQueue. Define the JAAS alias in the WebSphere administrative console:
    1. Select Security > Secure administration, applications, and infrastructure > Java Authentication and Authorization Server > J2C authentication data.
    2. Save your configuration.
    3. Assign the JAAS alias to the activationSpec, com.ibm.ws.grid.ActivationSpec.
  3. Assign roles. Roles must be assigned to authorize access to the bus and input and output bus destinations. These role assignments can be performed in the WebSphere administrative console: Security > Bus security > bus_name > Disabled > Users and groups in the bus connector role. This can also be done through wsadmin commands:

    $AdminTask addUserToBusConnectorRole {-bus busName -user username}

    or

    $AdminTask addGroupToBusConnectorRole {-bus busName -group groupname}

    The following role assignments must be made:

    1. JobSchedulerBus. Assign the BusConnector role to the following user IDs:
      • Identity assigned to com.ibm.ws.grid.ActivationSpec. This permits the JobScheduler to access the bus.
      • Each identity used by WSGrid to authenticate client access to the input queue (see step 4 below). This permits the WSGrid invoker to access the bus.
    2. com.ibm.ws.grid.InputQueue. Permit access to this destination by assigning sender, receiver, and browser roles to the same user IDs to which you assigned the BusConnector role in the previous step. This can only be done through wsadmin commands:

      $AdminTask addUserToDestinationRole {-type queue -bus JobSchedulerBus -destination com.ibm.ws.grid.InputQueue -role Sender -user userName}

      $AdminTask addGroupToDestinationRole {-type queue -bus JobSchedulerBus -destination com.ibm.ws.grid.InputQueue -role Sender -group groupName}

      AdminTask.setInheritDefaultsForDestination('-bus WSS.JobScheduler.Bus -type queue -destination com.ibm.ws.grid.InputQueue -inherit false')

      Repeat for receiver and browser roles.

    3. com.ibm.ws.grid.OutputQueue

      Permit access to this destination by assigning the same roles to destination com.ibm.ws.grid.OutputQueue as were assigned for com.ibm.ws.grid.InputQueue in the previous step.

  4. Authenticate client access to input queue. Specify user ID and password properties in the WSGrid input control properties file. For example, submitter-userid=username, submitter-password=password. The password can be encoded using the WebSphere PropFilePasswordEncoder utility.
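
The role assignments in step 3 form a matrix (every identity needs the BusConnector role plus Sender, Receiver, and Browser on both queues), so it is easy to miss one when typing them by hand. The following added example, which is not part of the original IBM topic, generates the full set of Jacl commands for a wsadmin script file. The sample identities and the name check are assumptions, and applying the inherit setting to the output queue as well is an assumption, since the page shows it only for the input queue.

```python
"""Generate the wsadmin (Jacl) role assignments from step 3 for a set of identities."""
import re

BUS = "JobSchedulerBus"                      # bus name used in steps 1 and 3 of the page
QUEUES = ("com.ibm.ws.grid.InputQueue", "com.ibm.ws.grid.OutputQueue")
ROLES = ("Sender", "Receiver", "Browser")    # all three are required on both queues
# Assumption: principal names contain no spaces or Jacl metacharacters, so a
# malformed name cannot alter the generated script.
_SAFE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def role_commands(users=(), groups=(), bus=BUS):
    """Return the ordered list of wsadmin commands for the given principals."""
    principals = [("User", "user", u) for u in users] + \
                 [("Group", "group", g) for g in groups]
    if not principals:
        raise ValueError("at least one user or group is required")
    for _, _, name in principals:
        if not _SAFE.match(name):
            raise ValueError("unsafe principal name: %r" % name)
    cmds = []
    # Step 3.1: every identity must be allowed to connect to the bus.
    for kind, flag, name in principals:
        cmds.append("$AdminTask add%sToBusConnectorRole {-bus %s -%s %s}"
                    % (kind, bus, flag, name))
    # Steps 3.2 and 3.3: the same three roles on the input and output queues.
    for queue in QUEUES:
        for kind, flag, name in principals:
            for role in ROLES:
                cmds.append(
                    "$AdminTask add%sToDestinationRole {-type queue -bus %s "
                    "-destination %s -role %s -%s %s}"
                    % (kind, bus, queue, role, flag, name))
        # Turn off inheritance of default roles so only explicit grants apply.
        cmds.append(
            "$AdminTask setInheritDefaultsForDestination {-bus %s -type queue "
            "-destination %s -inherit false}" % (bus, queue))
    cmds.append("$AdminConfig save")
    return cmds


if __name__ == "__main__":
    # Constructed sample identities: the activationSpec alias user and one
    # WSGrid submitter ID.
    print("\n".join(role_commands(users=["jsmdi_svc", "wsgrid_submit"])))
```

Write the output to a file and review it before running it with wsadmin against the deployment manager.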



Related information
Integrating the job scheduler with external schedulers
Configuring the Compute Grid environment
Setting up the external scheduler interface

Last updated: Oct 30, 2009 6:22:31 PM EDT
http://publib.boulder.ibm.com/infocenter/wxdinfo/v6r1/index.jsp?topic=/com.ibm.websphere.gridmgr.doc/info/scheduler/tcgexsched.html