Application client authentication consists of enabling client-server security and credential authentication, and configuring an authenticator and a system credential generator.
You must enable security on both the client and server to successfully authenticate with the ObjectGrid.
WebSphere® eXtreme Scale provides a sample client properties file, sampleClient.properties, in the was_root/optionalLibraries/ObjectGrid/properties directory of a WebSphere Application Server installation, or in the /ObjectGrid/properties directory of a mixed-server installation. You can modify this template file with the appropriate values. Set the securityEnabled property in the objectgridClient.properties file to true. The securityEnabled property indicates whether security is enabled. When a client connects to a server, the property must have the same value on both sides: both true or both false. For example, if security is enabled on the server, the property must be set to true on the client for the client to be able to connect to that server.
Default: 3
Example: IBM.WebSphere.Caching.CredentialGenerator, Version=8.6.0.0, Culture=neutral, PublicKeyToken=b439a24ee43b0816
Default: no value
Example: c:\tmp\wxs\serverA.cer
Valid values: SSL, SSLv3, TLS, TLSv1, and so on.
Valid values: SSLv2, SSLv3, TLS or Default (SSLv3 or TLS1.0)
The com.ibm.websphere.objectgrid.security.config.ClientSecurityConfiguration interface represents the security.ogclient.props file. You can use the com.ibm.websphere.objectgrid.security.config.ClientSecurityConfigurationFactory public API to create an instance of this interface with default values, or you can create an instance by passing the ObjectGrid client security property file. The security.ogclient.props file contains other properties. See the ClientSecurityConfiguration API Documentation and ClientSecurityConfigurationFactory API Documentation for more details.
To enable the security on the server side, you can set the securityEnabled property in the security.xml file to true. Use a security descriptor XML file to specify the data grid security configuration to isolate the grid-wide security configuration from the non-security configuration.
After the eXtreme Scale client retrieves the Credential object using the CredentialGenerator object, the Credential object is sent along with the client request to the eXtreme Scale server. The server authenticates the Credential object before processing the request. If the Credential object is authenticated successfully, a Subject object is returned to represent this Credential object. This Subject object is then used for authorizing the request.
Set the credentialAuthentication property on the client and server properties files to enable the credential authentication. For more information, see Client properties file and Server properties file.
The following table shows whether credential authentication takes place for each combination of the client and server credentialAuthentication settings.
Client credential authentication | Server credential authentication | Result |
---|---|---|
No | Never | Disabled |
No | Supported | Disabled |
No | Required | Error case |
Supported | Never | Disabled |
Supported | Supported | Enabled |
Supported | Required | Enabled |
Required | Never | Error case |
Required | Supported | Enabled |
Required | Required | Enabled |
The eXtreme Scale server uses the Authenticator plug-in to authenticate the Credential object. An implementation of the Authenticator interface receives the Credential object and authenticates it against a user registry, for example a Lightweight Directory Access Protocol (LDAP) server. eXtreme Scale does not provide a registry configuration: connecting to a user registry and authenticating against it must be implemented in this plug-in.
For example, one Authenticator implementation extracts the user ID and password from the credential, uses them to connect and validate to an LDAP server, and creates a Subject object as a result of the authentication. The implementation can use Java™ Authentication and Authorization Service (JAAS) login modules. A Subject object is returned as a result of authentication.
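One way to implement the Authenticator plug-in described above, added here as an example rather than code shipped with eXtreme Scale. It assumes the authenticate(Credential) method, the InvalidCredentialException class and the UserPasswordCredential getUserName()/getPassword() accessors of the plug-in API (confirm them against the API documentation for your release), and replaces the LDAP registry with a constructed in-memory map.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

import com.ibm.websphere.objectgrid.security.plugins.Authenticator;
import com.ibm.websphere.objectgrid.security.plugins.Credential;
import com.ibm.websphere.objectgrid.security.plugins.InvalidCredentialException;
import com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential;

/** Authenticator plug-in that checks a user/password credential against a registry. */
public class RegistryAuthenticator implements Authenticator {
    // Stand-in for the user registry (LDAP and so on) the page says you must connect to
    // yourself: user name -> SHA-256 of the password. Constructed sample data; a real
    // registry verifies the password itself, ideally with a salted, slow hash.
    private final Map<String, byte[]> registry = Map.of("manager", sha256("manager1"));

    @Override
    public Subject authenticate(Credential credential) throws InvalidCredentialException {
        if (!(credential instanceof UserPasswordCredential)) {
            throw new InvalidCredentialException("unsupported credential type");
        }
        UserPasswordCredential upc = (UserPasswordCredential) credential;
        byte[] expected = registry.get(upc.getUserName());
        // Constant-time compare; an unknown user and a wrong password fail identically, so
        // the error does not reveal which accounts exist.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(upc.getPassword()))) {
            throw new InvalidCredentialException("authentication failed");
        }
        // The returned Subject is what eXtreme Scale later uses to authorize the request.
        Set<Principal> principals = new HashSet<>();
        principals.add(() -> upc.getUserName());   // Principal#getName as a lambda
        return new Subject(true, principals, new HashSet<>(), new HashSet<>()); // read-only
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is required in every Java runtime
        }
    }
}
```

Configure the class with the authenticator element of the security descriptor XML file in place of the built-in KeyStoreLoginAuthenticator; the plug-in runs on the server, so it needs network access to whatever registry replaces the map.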
```xml
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">
    <security securityEnabled="true"
        loginSessionExpirationTime="300">
        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
        </authenticator>
    </security>
</securityConfig>
```
Use the -clusterSecurityFile option when starting a secure server to set the security XML file. See the Java SE security tutorial - Step 2 for samples on how to start a secure server.
```xml
<systemCredentialGenerator className="com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator">
    <property name="properties" type="java.lang.String" value="manager manager1"
        description="username password" />
</systemCredentialGenerator>
```
For demonstration purposes, the user name and password are stored in clear text. Do not store the user name and password in clear text in a production environment.

WebSphere eXtreme Scale provides a default system credential generator, which uses the server credentials. If you do not explicitly specify a system credential generator, this default system credential generator is used.