Building on the previous step, the following topic shows how to implement client authentication in a distributed eXtreme Scale environment.
Client credential
The SecureSimpleApp.java sample uses the following two plug-in implementations to obtain client credentials:
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
For more information about these plug-ins, see Client authentication programming.
Server authenticator
The example uses the eXtreme Scale built-in KeyStoreLoginAuthenticator, which is intended for testing and sample purposes only: a keystore is a simple user registry and must not be used as one in production. For more information, see the authenticator plug-in topic under Client authentication programming.
og_jaas.config
The JAAS login configuration used by the sample defines a KeyStoreLogin entry that points the KeyStoreLoginModule at the sample keystore:
KeyStoreLogin{
    com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
    keyStoreFile="../security/sampleKS.jks" debug=true;
};
Create the sample keystore sampleKS.jks with one key entry per user. The key alias is the user name and the key password is that user's password; the client later authenticates as manager with the password manager1. Each command is shown for Linux (line continuation with \) and for Windows (line continuation with ^).
Linux:
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
    -alias manager -keypass manager1 \
    -dname CN=manager,O=acme,OU=OGSample -validity 10000
Windows:
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
    -alias manager -keypass manager1 ^
    -dname CN=manager,O=acme,OU=OGSample -validity 10000
Linux:
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 \
    -alias cashier -keypass cashier1 \
    -dname CN=cashier,O=acme,OU=OGSample -validity 10000
Windows:
keytool -genkey -v -keystore sampleKS.jks -storepass sampleKS1 ^
    -alias cashier -keypass cashier1 ^
    -dname CN=cashier,O=acme,OU=OGSample -validity 10000
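The following Java program is an added example, not part of the sample application or of eXtreme Scale. It shows what "a keystore is a simple user registry" means in practice: a user name is accepted when it matches a key alias and the supplied password unlocks that alias's key, which is the relationship the keytool commands above set up for manager/manager1 and cashier/cashier1. To stay self-contained it builds an in-memory PKCS12 keystore with secret-key entries (constructed data) instead of reading the JKS file that keytool writes; the method names KeyStoreRegistryCheck, buildSampleRegistry and authenticate are the example's own, and the real KeyStoreLoginModule is assumed to perform the same alias/key-password check rather than being called here.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Demonstrates keystore-as-user-registry: alias = user name, key password = password.
 * Added example; it is not the eXtreme Scale KeyStoreLoginModule.
 */
public class KeyStoreRegistryCheck {

    /** Outcome of one authentication attempt. */
    public enum Result { OK, UNKNOWN_USER, BAD_PASSWORD }

    /**
     * Builds an in-memory PKCS12 keystore holding the two sample users.
     * Constructed data; the tutorial's keytool commands create private-key entries in a
     * JKS file instead, but the alias/key-password check below is identical for both.
     */
    public static KeyStore buildSampleRegistry() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                       // start from an empty keystore
        addUser(ks, "manager", "manager1");
        addUser(ks, "cashier", "cashier1");
        return ks;
    }

    /** Adds one key entry protected by the user's password. */
    private static void addUser(KeyStore ks, String user, String password)
            throws GeneralSecurityException {
        // A secret key is enough to carry a per-entry password and avoids having to
        // generate a certificate chain the way keytool -genkey does.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(user, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(password.toCharArray()));
    }

    /**
     * Authenticates the way a keystore-backed login does: the user name must be an
     * existing alias and the password must unlock that alias's key.
     * The password array is cleared before returning.
     */
    public static Result authenticate(KeyStore ks, String user, char[] password)
            throws GeneralSecurityException {
        try {
            if (!ks.containsAlias(user)) {
                return Result.UNKNOWN_USER;
            }
            // getKey throws UnrecoverableKeyException when the password does not unlock the entry
            return ks.getKey(user, password) != null ? Result.OK : Result.BAD_PASSWORD;
        } catch (UnrecoverableKeyException e) {
            return Result.BAD_PASSWORD;
        } finally {
            Arrays.fill(password, '\0');           // do not keep the password in memory
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = buildSampleRegistry();
        System.out.println("manager / manager1 -> " + authenticate(ks, "manager", "manager1".toCharArray()));
        System.out.println("manager / wrong    -> " + authenticate(ks, "manager", "wrong".toCharArray()));
        System.out.println("nobody  / x        -> " + authenticate(ks, "nobody", "x".toCharArray()));
    }
}
```

Compile and run it with a Java 8 or later JDK (PKCS12 secret-key entries require that). The three calls return OK, BAD_PASSWORD and UNKNOWN_USER respectively. The check is a single password unlock against a local file, with no account state beyond the key entries, which is why the tutorial limits this authenticator to testing and samples.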
Copy the sample client and server property files into the security directory:
Linux:
cp ../properties/sampleClient.properties client.properties
cp ../properties/sampleServer.properties server.properties
Windows:
copy ..\properties\sampleClient.properties client.properties
copy ..\properties\sampleServer.properties server.properties
Start the catalog server with security enabled, passing the cluster security file, the server properties file and the JAAS login configuration. Both the startOgServer and the startXsServer forms of the command are shown.
startOgServer (Linux):
./startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml \
    -serverProps ../security/server.properties -jvmArgs \
    -Djava.security.auth.login.config="../security/og_jaas.config"
startOgServer (Windows):
startOgServer.bat catalogServer -clusterSecurityFile ..\security\security.xml ^
    -serverProps ..\security\server.properties -jvmArgs ^
    -Djava.security.auth.login.config="..\security\og_jaas.config"
startXsServer (Linux):
./startXsServer.sh catalogServer -clusterSecurityFile ../security/security.xml \
    -serverProps ../security/server.properties -jvmArgs \
    -Djava.security.auth.login.config="../security/og_jaas.config"
startXsServer (Windows):
startXsServer.bat catalogServer -clusterSecurityFile ..\security\security.xml ^
    -serverProps ..\security\server.properties -jvmArgs ^
    -Djava.security.auth.login.config="..\security\og_jaas.config"
Start the container server c0, again passing the server properties file and the JAAS login configuration so that the container authenticates against the same registry:
startOgServer (Linux):
./startOgServer.sh c0 -objectgridFile ../xml/SimpleApp.xml \
    -deploymentPolicyFile ../xml/SimpleDP.xml \
    -catalogServiceEndPoints localhost:2809 \
    -serverProps ../security/server.properties \
    -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
startOgServer (Windows):
startOgServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml ^
    -deploymentPolicyFile ..\xml\SimpleDP.xml ^
    -catalogServiceEndPoints localhost:2809 ^
    -serverProps ..\security\server.properties ^
    -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
startXsServer (Linux):
./startXsServer.sh c0 -objectgridFile ../xml/SimpleApp.xml \
    -deploymentPolicyFile ../xml/SimpleDP.xml \
    -catalogServiceEndPoints localhost:2809 \
    -serverProps ../security/server.properties \
    -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
startXsServer (Windows):
startXsServer.bat c0 -objectgridFile ..\xml\SimpleApp.xml ^
    -deploymentPolicyFile ..\xml\SimpleDP.xml ^
    -catalogServiceEndPoints localhost:2809 ^
    -serverProps ..\security\server.properties ^
    -jvmArgs -Djava.security.auth.login.config="..\security\og_jaas.config"
Run the client, passing the client properties file, the user name and the password:
Linux:
java -classpath ../lib/objectgrid.jar:../applib/sec_sample.jar \
    com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp \
    ../security/client.properties manager manager1
Windows:
java -classpath ..\lib\objectgrid.jar;..\applib\sec_sample.jar ^
    com.ibm.websphere.objectgrid.security.sample.guide.SecureSimpleApp ^
    ..\security\client.properties manager manager1
On Linux the classpath separator is a colon (:); on Windows it is a semicolon (;).
After you run the client, the following output results:
The customer name for ID 0001 is fName lName.
The client.properties file used here selects the credential generator plug-in and the user name and password that it supplies to the server:
credentialGeneratorClass=com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
credentialGeneratorProps=manager manager1
Stop the container c0 with the following command.
If you do not provide the -clientSecurityFile option, the stop command fails with an exception containing the following message.
>> SERVER (id=39132c79, host=9.10.86.47) TRACE START:
>> org.omg.CORBA.NO_PERMISSION: Server requires credential authentication but there is no security context from the client. This usually happens when the client does not pass a credential the server.
vmcid: 0x0
minor code: 0
completed: No
You can also shut down the catalog server with the corresponding stop command. However, if you want to continue with the next step of the tutorial, you can leave the catalog server running.
If you do shut down the catalog server, you see the following output:
CWOBJ2512I: ObjectGrid server catalogServer stopped
You have now made your system partially secure by enabling authentication: you configured the server to plug in the user registry, configured the client to provide client credentials, and changed the client properties file and the cluster XML file to enable authentication.
If you provide an invalid password, you see an exception stating that the user name or password is not correct.
For more details about client authentication, see Authenticating application clients.