Use a security descriptor XML file to configure an eXtreme Scale deployment
topology with security enabled. You can use the elements in this file
to configure different aspects of security.
securityConfig element
The securityConfig element
is the top-level element of the ObjectGrid security XML file. This
element sets up the namespace of the file and the schema location.
The schema is defined in the
objectGridSecurity.xsd file.
- Number of occurrences: One
- Child elements: security
security element
Use the security element to
define an ObjectGrid security.
- Number of occurrences: One
- Child elements: authenticator, adminAuthorization, and systemCredentialGenerator
Attributes- securityEnabled
- Enables security for the grid when set to true. The default value
is false. If the value is set to false, grid-wide security is disabled.
For more information, see Data grid security. (Optional)
- singleSignOnEnabled
- Enables a client to connect to any server after it has authenticated
with one of the servers when the value is set to true. Otherwise, a client must authenticate with each server before the
client can connect. The default value is false. (Optional)
- loginSessionExpirationTime
- Specifies the amount of time in seconds before the login session
expires. If the login session expires, the client must authenticate
again. (Optional)
- adminAuthorizationEnabled
- Enables administrative authorization. If the value is set to true,
all of the administrative tasks need authorization. The authorization
mechanism that is used is specified by the value of the adminAuthorizationMechanism attribute. The default value
is false. (Optional)
- adminAuthorizationMechanism
- Indicates which authorization mechanism to use. WebSphere® eXtreme Scale supports two
authorization mechanisms, Java™ Authentication and Authorization Service (JAAS) and custom authorization.
The JAAS authorization mechanism uses the standard JAAS policy-based
approach. To specify JAAS as the authorization mechanism, set the
value to AUTHORIZATION_MECHANISM_JAAS. The custom authorization mechanism
uses a user-plugged-in AdminAuthorization implementation. To specify
a custom authorization mechanism, set the value to AUTHORIZATION_MECHANISM_CUSTOM.
For more information on how these two mechanisms are used, see Authorizing application clients. (Optional)
The following security.xml file is a sample configuration to enable
the data grid security.
security.xml
<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
xmlns="http://ibm.com/ws/objectgrid/config/security">
<security securityEnabled="true" singleSignOnEnabled="true"
loginSessionExpirationTime="20"
adminAuthorizationEnabled="true"
adminAuthorizationMechanism="AUTHORIZATION_MECHANISM_JAAS" >
<authenticator className ="com.ibm.websphere.objectgrid.security.plugins.
builtins.WSTokenAuthenticator">
</authenticator>
<systemCredentialGenerator className ="com.ibm.websphere.objectgrid.security.
plugins.builtins.WSTokenCredentialGenerator">
<property name="properties" type="java.lang.String" value="runAs"
description="Using runAs subject" />
</systemCredentialGenerator>
</security>
</securityConfig>
authenticator element
Authenticates clients
to eXtreme Scale servers in the data grid. The class that is specified
by the className attribute must implement the
com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. The authenticator can use properties to call methods
on the class that is specified by the className attribute. See property
element for more information on using properties.
In the previous security.xml file example, the com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenAuthenticator class is specified as the authenticator. This class implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface.
- Number of occurrences: zero or one
- Child element: property
Attributes- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.Authenticator interface. Use this class to authenticate clients to the servers
in the eXtreme Scale grid. (Required)
adminAuthorization element
Use the adminAuthorization
element to set up administrative access to the data grid.
- Number of occurrences: zero or one
- Child element: property
Attributes- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.AdminAuthorization interface. (Required)
systemCredentialGenerator element
Use a systemCredentialGenerator
element to set up a system credential generator. This element only
applies to a dynamic environment. In the dynamic configuration model,
the dynamic container server connects to the catalog server as an
eXtreme Scale client
and the catalog server can connect to the eXtreme Scale container
server as a client too. This system credential generator is used to
represent a factory for the system credential.
- Number of occurrences: zero or one
- Child element: property
Attributes- className
- Specifies a class that implements the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator
interface. (Required)
See the previous security.xml file for an example of how to use a systemCredentialGenerator class. In this example, the system credential generator is a com.ibm.websphere.objectgrid.security.plugins.builtins.WSTokenCredentialGenerator class, which retrieves the RunAs Subject object from the thread.
property element
Calls
set methods on the authenticator and
adminAuthorization classes. The name of the property corresponds to a set method on
the
className attribute of the authenticator
or adminAuthorization element.
- Number of occurrences: zero or more
- Child element: property
Attributes- name
- Specifies the name of the property. The value that is assigned
to this attribute must correspond to a set method on the class that
is provided as the className attribute on the containing bean. For
example, if the className attribute of the bean is set to com.ibm.MyPlugin,
and the name of the property that is provided is size, then the com.ibm.MyPlugin
class must have a setSize method. (Required)
- type
- Specifies the type of the property. The type of the parameter
is passed to the set method that is identified by the name attribute.
The valid values are the Java primitives, their java.lang counterparts, and java.lang.String.
The name and type attributes must correspond to a method signature
on the className attribute of the bean. For example, if the name is
size and the type is int, then a setSize(int) method must exist on
the class that is specified as the className attribute for the bean.
(Required)
- value
- Specifies the value of the property. This value is converted to
the type that is specified by the type attribute, and is then used
as a parameter in the call to the set method that is identified by
the name and type attributes. The value of this attribute is not validated
in any way. The plug-in implementor must verify that the value passed
in is valid. (Required)
- description
- Provides a description of the property. (Optional)
See objectGridSecurity.xsd file for more information.